1

TLDR: Basically, my question would be if there is any method on class if_http_client or any ABAP class that can turn off SSL verification? Because it seems that it only works when it is disabled. If not then how do I bypass this error?

Long description:

I am able to receive response using Postman but when trying to code it on ABAP, I cannot get response. I want to receive token from api-eu.ariba.com. Here's my inputs on Postman:

When I try these inputs on Postman, I am able to get a response only when SSL verification is disabled. I have also tested this in Python, as there is a parameter in requests to disable SSL verification, and was able to get the same response. But when I try this in ABAP (using if_http_client), I get an HTTP communication error upon receiving the response.

Direct connect to api-eu.ariba.com:443 failed: NIECONN_REFUSED(-10)

So far, I've tried the following:

  • Install public cert for SAP Ariba EU (RSA) into STRUST
  • Tried to add OAUTH profile from OA2C_CONFIG (I'm not sure if I did the config correctly). Tried to set token but get error:

    HTTP failure, processing failed, invalid state, invalid timeout or others Error calling EXECUTE_CC_FLOW.

I have very little Basis knowledge so I'm not sure if I did the OA2C_CONFIG correctly and not knowledgeable with ABAP REST API related classes.

OA2C_CONFIG

ABAP code snippet:


```abap
* Values of the URL, header and body variables are not shown in the post
DATA: lo_client   TYPE REF TO if_http_client,
      lv_endpoint TYPE string,
      lv_auth     TYPE string,
      lv_contyp   TYPE string,
      lv_grantype TYPE string,
      lv_response TYPE string.

* Creation of new IF_HTTP_CLIENT object
CALL METHOD cl_http_client=>create_by_url
  EXPORTING
    url                = lv_endpoint
    ssl_id             = 'ANONYM'
  IMPORTING
    client             = lo_client
  EXCEPTIONS
    argument_not_found = 1
    plugin_not_active  = 2
    internal_error     = 3
    OTHERS             = 4.

IF sy-subrc IS NOT INITIAL.
* Handle errors
ENDIF.

lo_client->propertytype_logon_popup = 0.
*lo_client->request->set_method( if_http_request=>co_request_method_post ).

CALL METHOD lo_client->request->set_method( 'POST' ).
lo_client->request->set_header_field( name = 'Authorization' value = lv_auth ).
lo_client->request->set_header_field( name = 'Content-Type' value = lv_contyp ).
lo_client->request->set_form_field( name = 'grant_type' value = lv_grantype ).

* SEND raises classic exceptions; they must be listed for sy-subrc to be set
CALL METHOD lo_client->send
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4.
IF sy-subrc IS NOT INITIAL.
* Handle errors
ENDIF.

CALL METHOD lo_client->receive
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4.
IF sy-subrc IS NOT INITIAL.
* Read the error text of the failed call and print it
  lo_client->get_last_error(
    IMPORTING
      message = lv_response ).
  WRITE: / lv_response.
ENDIF.
```

Edit: I was able to find a parameter on the class:

CL_HTTP_CLIENT->CREATE_BY_URL

called DO_NOT_USE_CLIENT_CERT, that is abap_false by default. Changed the value to abap_true but this didn't work.

Suncatcher
  • 1) For information, your ABAP code doesn't refer to the profile and configuration that you defined in `OA2C_CONFIG` (missing `CL_OAUTH2_CLIENT`...), you seem to do OAuth2 full custom which is not recommended. 2) If you use `ANONYM`, make sure that you have defined your certificate in the Client Anonymous PSE of `STRUST`. 3) I don't see any reason why your code wouldn't work except if the rest of the code you didn't share is wrong like values of variables (please post a [minimal reproducible example](https://stackoverflow.com/help/minimal-reproducible-example)). – Sandra Rossi Mar 30 '23 at 19:25
  • To answer some points: 1) I did try OA2C_CONFIG when connecting via url cl_http_client=>create_by_url didn't work. 2) I did try to comment out using ssl_id and it still didn't work. In STRUST I asked basis to install the CRT file in SAP Ariba public repo [link](https://support.ariba.com/item/view/192337) but it still didn't work. 4) All the params in the code were copied from Postman (where I got a response). In Postman, I am able to get a response only when SSL verification is disabled, so I was thinking of ways on the ABAP side to do that. – user21525821 Mar 31 '23 at 09:13
  • @SandraRossi as for the code, that is the full code. I didn't show the values for the header and body variables. I was thinking maybe SAP is not allowing HTTPS connection unless SSL Certificates are added? – user21525821 Mar 31 '23 at 09:32
  • 1) You say "did try OA2C_CONFIG" and "`cl_http_client`" but again you MUST also use `cl_oauth2_client`. 2) Why commenting out ssl_id? (FYI `create_by_url` without `ssl_id` means the PSE Client Anonymous/ANONYM). How did you make sure that the certificate is installed in the PSE of STRUST used by your program (`ssl_id` = PSE ID). 3) Don't omit what is "obvious", just post a [minimal reproducible example](https://stackoverflow.com/help/minimal-reproducible-example) with all values. 5) SAP allows HTTPS connection only if you install the Web site/CA certificate in `STRUST`. – Sandra Rossi Mar 31 '23 at 11:56
  • I just realized that you got the certificate from the "[link](https://support.ariba.com/item/view/192337)" you have indicated above, but usually we simply take the certificate from the Web site via the Web browser, download and install it in `STRUST`. – Sandra Rossi Mar 31 '23 at 13:27

4 Answers

2

Both errors NIECONN_REFUSED and NIEHOST_UNKNOWN have nothing to do with SSL.

For NIECONN_REFUSED ask the basis to check if api-eu.ariba.com on port 443 is accessible from the SAP server. Probably they have to open ports in the Firewall or you have to use proxy.

NIEHOST_UNKNOWN is because of wrong SM59 settings. It should look like this

SM59

https://api-eu.ariba.com is wrong

SM59 wrong

and you get

enter image description here

A certificate issue is SSSLERR_PEER_CERT_UNTRUSTED

enter image description here

  • I have tried removing https and I have the same exact config but I get the same error message. I also tried setting up OAuth Profile and link it to my SM59 destination but I get (Create Fail) upon testing. – user21525821 Mar 31 '23 at 13:39
  • @user21525821 First try to get a successful connection test from SM59, then use the connection in your code. And if by _I get the same error message_ you mean NIECONN_REFUSED, then ask your Basis/Network to fix the connection issue. – Robert Stefanov Apr 01 '23 at 12:17
1

Looks like you are most of the way there.

a) TRUST ariba.com in STRUST.

Use a web browser to go to the site, click on the padlock and download their cert. Check cert and download

Then export the cert

T-Code STRUST: import the cert. Apply it to the CLIENT SSL Anon and Standard PSE sections.

BUT NIEHOST errors are different to SSL areas. So you should also check the DNS and whether the SAP system can even reach that URL.

Sometimes you need to configure a CLIENT proxy in TCode SICF. If your organization uses a proxy for external HTTP connections, then that must be configured in SICF client proxy settings.

Client proxy settings

phil soady
  • Hi, we are able to connect to host: 'api-eu.ariba.com' from SM59 after Basis added proxy host and service. Thanks! The problem now would be connecting to 'https://api-eu.ariba.com/v2/oauth/token' from the ABAP side, to which we wanted to connect to retrieve the token – user21525821 Apr 04 '23 at 06:09
1

We are now able to connect via SM59.

  • Basis added proxy host and service.
  • Added path prefix: '/v2/oauth/token'
  • Used the destination and connected to Ariba using cl_http_client=>create_by_destination from ABAP side and passed the parameters.
  • OAUTH Profile is not needed for this case.

Thanks for the suggestions! Test Connection OK
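
The setup this answer describes, as an added example (not the poster's code): a call through an SM59 destination that also maps the error text to the layer that failed, as the other answers explain. The destination name `ZARIBA_OAUTH` is hypothetical, and the header and body values are left empty because the thread does not show them.

```abap
REPORT z_ariba_token_via_sm59.

* Assumptions: 'ZARIBA_OAUTH' is a hypothetical SM59 type G destination
* (host api-eu.ariba.com without scheme, port 443, SSL active, path
* prefix /v2/oauth/token, proxy maintained by Basis). lv_auth and
* lv_grant stay empty here; the thread does not show their values.
DATA: lo_client TYPE REF TO if_http_client,
      lv_auth   TYPE string,
      lv_grant  TYPE string,
      lv_code   TYPE i,
      lv_msg    TYPE string.

cl_http_client=>create_by_destination(
  EXPORTING  destination = 'ZARIBA_OAUTH'
  IMPORTING  client      = lo_client
  EXCEPTIONS OTHERS      = 1 ).
IF sy-subrc <> 0.
  WRITE: / 'Destination missing or not usable, check SM59'.
  RETURN.
ENDIF.

lo_client->propertytype_logon_popup = if_http_client=>co_disabled.
lo_client->request->set_method( if_http_request=>co_request_method_post ).
lo_client->request->set_header_field( name = 'Authorization' value = lv_auth ).
lo_client->request->set_form_field( name = 'grant_type' value = lv_grant ).

* List the classic exceptions so that sy-subrc is set instead of a dump
lo_client->send( EXCEPTIONS OTHERS = 1 ).
IF sy-subrc = 0.
  lo_client->receive( EXCEPTIONS OTHERS = 1 ).
ENDIF.

IF sy-subrc <> 0.
  lo_client->get_last_error( IMPORTING message = lv_msg ).
  WRITE: / lv_msg.
* Assumes the message carries the error name, as in the question's output
  IF lv_msg CS 'NIEHOST_UNKNOWN'.
    WRITE: / 'Name resolution: check DNS; host field must not contain https://'.
  ELSEIF lv_msg CS 'NIECONN_REFUSED'.
    WRITE: / 'TCP connect: firewall or proxy, not a certificate problem'.
  ELSEIF lv_msg CS 'SSSLERR_PEER_CERT_UNTRUSTED'.
    WRITE: / 'TLS trust: import the certificate into the PSE the destination uses'.
  ENDIF.
ELSE.
  lo_client->response->get_status( IMPORTING code = lv_code ).
  WRITE: / 'HTTP status', lv_code.
* The body holds the token: read it with response->get_cdata( ), do not log it
ENDIF.
lo_client->close( ).
```

Certificate verification stays enabled throughout; only the last branch concerns trust, and it is resolved in STRUST rather than by switching verification off.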

0

I checked api-eu.ariba.com SSL and it looks valid. Maybe your date/time isn't correct or the root certificate is missing.

You can enable ICM trace at t-code SMICM. Create a test connection at SM59 then click the test connection button. Then check the ICM log. You will get more details in the log.

You need to configure TLS version and handshake methods for SAP. Maybe your SAP only accepts TLS 1.3 for security reasons but the endpoint does not support it.

mkysoft
  • Not sure if this is correct but I asked basis to install the CRT file in STRUST from public repo [link](https://support.ariba.com/item/view/192337) but this didn't work. I tried to do an ICM trace but I only get this response: `Direct connect to https://api-eu.ariba.com/:443 failed: NIEHOST_UNKNOWN(-2) {00c7c7a4} {root-id=42010A062D121EEDB3F37AAD1639E8F1} [icxxconn.c 4216]` Are there any options to disable SSL verification from the ABAP side? – user21525821 Mar 31 '23 at 09:27
  • In SM59; these are my parameters: `host: https://api-eu.ariba.com/` `port=443`. Under security, SSL is active, SSL Certificate is Default SSL client (also changed to Anonymous) but connection error is the same – user21525821 Mar 31 '23 at 10:17
  • @user21525821 host should not contain the scheme identifier "`https://`". What you indicate in "SSL Certificate" must be the same PSE where you have loaded the ariba certificate in STRUST. If you use `SM59`, you must use `cl_http_client=>create_by_destination` instead of `cl_http_client=>create_by_url`. – Sandra Rossi Mar 31 '23 at 11:39
  • @SandraRossi sorry for the confusion. there is part of a code where I used `cl_http_client=>create_by_destination` with SM59 destination to test for workaround. SM59 connection fails issuing the same error. https has been removed from the host but outputs the same error. I use `cl_http_client=>create_by_url` to connect directly to URL but it fails so I tried using the SM59 approach (setting up SM59 and use `cl_http_client=>create_by_destination` ; with and without OAuth profiles which yields to same errors). – user21525821 Mar 31 '23 at 13:09
  • NIEHOST_UNKNOWN means that SAP cannot resolve the given domain name. You can try it with report RSBDCOS0. Use the "ping api-eu.ariba.com" command and press enter in the input. – mkysoft Mar 31 '23 at 17:54
  • @mkysoft I am trying to ping api ariba but it is taking too long. While waiting for a response, I tried to perform a trace in SMICM but I do not know what to make of it. Please see trace. Thanks – user21525821 Apr 03 '23 at 05:48
  • IcmIConnConnect: direct connect to api-eu.ariba.com:443 NiHLGetNodeAddr: get addr for hostname 'api-eu.ariba.com' (mode=0) NiHLGetNodeAddr: found hostname 'api-eu.ariba.com' in cache (valid-name) NiIGetNodeAddr: hostname 'api-eu.ariba.com' = addr 34.159.251.130 NiIGetServNo: servicename '443' = port 443 NiICreateHandle: hdl 204 state NI_INITIAL_CON NiIBindLocalCheck: 34.159.251.130 -> not a local address (rc 7/99) -> Cannot assign requested address NiIInitSocket: set default settings for new hdl 204/sock 43 (I4; ST) – user21525821 Apr 03 '23 at 05:49
  • @mkysoft i tried to ping to ariba on RSBDCOS0 but it says "error; Maximum runtime exceeded" – user21525821 Apr 03 '23 at 06:02
  • It looks like a network issue. I think you need to request help from the Basis team. You can request a working SM59 connection from them. – mkysoft Apr 04 '23 at 08:43