SAP Knowledge Base Article

2902687 - How to configure Client Authentication for the REST Adapter Sender channel
Component: BC-XI-CON-RST (Rest Adapter), Version: 1, Released On: 19.03.2020

Symptom
You want to configure Client Certificate authentication for the REST Adapter Sender channel

Environment
SAP enhancement package 1 for SAP NetWeaver 7.3
SAP NetWeaver 7.4
SAP NetWeaver 7.5

Resolution
To enable the Client Certificate authentication for REST Adapter sender channel, you need to configure this at application
level, and not at channel level.
The configuration is the same one described in SAP Blog Sender SOAP Adapter: HTTPS with Client Authentication
The only difference is that:
If you your system is on a lower release than 7.50 SP17, then there is no settings to be checked at the REST Adapter
Sender Channel. It will accept all the requests and will pass it through the Application Security level, if it is accepted, the
request will be forwarded to the channel.
Otherwise, you can select the HTTP Security Level at channel level as well, as this was introduced in SAP Note 2833869 -
New Feature: Inbound HTTP security checks for REST Sender channel
Instead of setting the authentication stack to XISOAPAdapter, you will need to set it to RESTAdapter
After that, all the requests in for REST Adapter Sender channels are using that authentication stack.
If after setting the above, the requests fail with HTTP 401, then it means that probably the configuration above is not correctly
done, or that the certificate is not being forwarded from the ICM to the Application.
Please check if the following ICM parameters are correctly configured:
1. Check the value of ume.logon.allow_cert
Go to <host>:<port>/nwa -> Identity Management -> Click on “Configuration” -> in the right corner click on “Open
Expert Mode” -> and search for ume.logon.allow_cert
The value should be true
2. Check the value of icm/ssl_config_# = VCLIENT=?
To check this parameter, go to …/sap/SID/SYS/profile/SID_J##_*
Open the file and search for the VCLIENT value. It should be 1 or 2.
More details on this in SAP Help icm/server_port_<xx>
3. In the same file check the value of icm/HTTPS/forward_ccert_as_header
It should be set to true
In case you have any Load Balancer between Sender system and PI, you also need to ensure that the certificate is forwarded by
the Load Balancer.
If the Load Balancer is a Web Dispatcher, then you can find the documentation on how to set up SSL when you have Web
Dispatcher as Intermediary Server:
Using SSL With an Intermediary Server -> Follow the instructions how to Tunnel the SSL Connection.

Keywords
X509, Client, Certificate, Rest, Adapter, Sender, Authentication, Stack, 401, 200, 403, Process Integration, 7.31, 7.40, 7.4,
7.50, 7.5, Process Orchestration, PI, PO
 Attributes
Key Value

Other Components BC-JAS-SEC-LGN (Logon, SSO)

Products
Products

SAP NetWeaver 7.4

SAP NetWeaver 7.5

SAP enhancement package 1 for SAP NetWeaver 7.3

This document refers to

SAP Component Title
Note/KBA

2833869 BC-XI-CON- New Feature: Inbound HTTP security checks for REST Sender channel
RST

https://help.sap.com/doc/saphelp_nw73/7.3.16/en-
US/23/871e3e3986f701e10000000a114084/frameset.htm

https://help.sap.com/saphelp_nwpi711/helpdata/en/48/3ae05299c172d0e10000000a42189c/frameset.htm

Sender SOAP Adapter: HTTPS with Client Authentication