3     Demonstration Scenario Installation and Set up

3.1    Installation and Technical Configuration

3.1.1      SAP

The system landscape on the SAP side consists of an ES Repository connected to an AS ABAP.

Information about how to install AS ABAP 7.0, including enhancement package 2, is provided in SAP Service Marketplace: Installation Guides (login required).

To use Web services with Web Services Reliable Messaging, configure the Web service runtime. The configuration is client-specific and you must perform it in each production client and in client 000.

More information: Configuring the Web Services Runtime

The ES Repository is part of SAP NetWeaver Composition Environment (CE). There is an installation option available for the ES Repository.

Note   To configure scenarios used in this guide the ES Repository is not required. Service design has already taken place. However, to develop new services or adjust already existing services, the ES Repository is the starting point and must be part of your service development.

Information about how to install SAP NetWeaver CE is provided on the SAP Service Marketplace: Installation Guides (login required).

After installation, you must perform several steps to set up the ES Repository and connect it to AS ABAP.

More information: Configuring Enterprise Services Repository, Connecting ABAP Backend System to ES Repository

3.1.2      Microsoft

This section details how to obtain the necessary software to run the .NET Framework 4 test suites for SAP/WCF interoperability and the files necessary to set up and configure the WCF environment in Visual Studio 2010 and Microsoft Internet Information Services (IIS) 7.0 or IIS 7.5.

Unless otherwise specified all of the following steps are necessary for the PO/Confirmation scenario as well as the Ping/Echo scenarios.

3.1.2.1     Assumptions

The scenarios in this document assume that you have the following software installed on your computer:

  • Microsoft Visual Studio 2010
  • .NET Framework 4
  • Windows 7 or Windows Server 2008 R2
  • Windows 7 SDK
  • IIS 7.5

3.1.2.2     Minimum Requirements

  • Microsoft Visual Studio 2008
  • .NET Framework 3.5

Note   While .NET Framework 3.5 supports all the standards and techniques discussed in this document, .NET Framework 4 includes implementation enhancements for all scenarios. This guide assumes that you are using .NET Framework 4.

  • Windows XP Service Pack 3 or Windows Server 2003 SP 2
  • Windows Server 2008 SDK
  • IIS 5.1

3.1.2.3     Install and Configure the .NET Framework 4 Test Suite and Certificates

The following sections include seven procedures that describe how to install the WCF test suite and how to install and configure your IIS 7.5 server to serve the WCF services:

  1. Place the TestFiles
  2. Create folders to contain test output
  3. Install IIS and enable WCF HTTP Activation
  4. Configure IIS to use .NET Framework 4 and install the Ping/Echo test suite
  5. Configure the IIS Default Application Pool to use the Network Service identity
  6. Enable other computers to communicate with IIS
  7. Reconfigure the Security.SecureExchange (WS-SX) feature in the test suite

3.1.2.4    Place the TestFiles

Places the PO/Confirmation scenario files and the Ping/Echo test case sources and binaries.  This procedure also places the required certificate files.

  1. Copy SAPBusinessScenario.zip and InteropSourcesAndBinaries_SecurityPolicy12.zip (see section 2.4.2) to your local computer.
  2. Unzip the contents of SAPBusinessScenario.zip into the %My Documents%\Visual Studio 2010\Projects folder.
  3. Unzip the contents of InteropSourcesAndBinaries_SecurityPolicy12.zip to the C:\ root folder.

3.1.2.5     Create folders to contain test output

Creates the folders to contain test output and sets the appropriate permissions on each.  The c:\OasisLogs folder is used only for a subset of the Ping/Echo scenarios while the c:\bin folder is used only for the PO/Confirmation scenario.

  1. Click Start, click All Programs, click Accessories, and then click Windows Explorer.
  2. In Windows Explorer, browse to the C:\ root folder, and then click New Folder.
  3. In the New folder box, type OasisLogs, and then press ENTER.
  4. Right-click the OasisLogs folder and then click Properties.
  5. On the OasisLogs Properties box, click Security, and then click Edit.
  6. On the Permissions for OasisLogs property sheet, click Add.
  7. In the Enter the object names to select box, type Network Service, click Check Names, and then click OK.
  8. In the Permissions for NETWORK SERVICE box, select the Allow box for the Write permission, click OK, and then click OK again.
  9. In Windows Explorer, browse to the C:\ root folder, and then click New Folder.
  10. In the New folder box, type bin, and then press ENTER.
  11. Repeat steps 4 through 7 for the bin folder.
  12. In the Permissions for NETWORK SERVICE box, confirm that the Allow box for the Read permission is selected, click OK, and then click OK again.
  13. Close Windows Explorer.

Note   You must create the OasisLogs folder to allow the Security.SecureExchange (WS-SX) feature in the test suite to work. This feature writes additional log files to the OasisLogs folder and if the folder does not exist, those tests fail. The bin folder is used by the SAP Business Service deployment.

3.1.2.6    Install IIS and enable WCF HTTP Activation

Installs the required IIS 7.5 features and enables the WCF HTTP Activation service.

  1. Click Start, click Control Panel, click Programs, and under Programs and Features click Turn Windows features on or off.
  2. If a User Account Control dialog box appears, type in your administrator credentials if necessary, and then click Yes.
  3. In the Windows Features dialog box, confirm that Internet Information Services is enabled along with the following features of IIS:
    1. In the Web Management Tools node, confirm that IIS Management Console is selected.
    2. In the World Wide Web Services, Common HTTP Features node, confirm that Default Document is selected.
    3. In the World Wide Web Services, Application Development Features node, confirm that .NET Extensibility and ASP.NET are selected.
  4. In the Windows Features dialog box, confirm that the Windows Communication Foundation HTTP Activation feature of Microsoft .NET Framework 3.5.1 is selected.

3.1.2.7      Configure IIS to use .NET Framework 4 and install the Ping/Echo test suite

Configures IIS 7.5 to use the version of ASP.NET that is included with .NET Framework 4 and installs the Ping/Echo test suite on IIS.

The script executed in step 6 installs a number of certificates used in Ping/Echo scenarios for message-level security protection. Technical committees at OASIS created these certificates and distributed them for interoperability testing and demonstration purposes.  Do not use these certificates in production. For production use, follow the alternate approaches described at https://msdn.microsoft.com/en-us/library/ms731899(VS.100).aspx.

The script executed in step 6 (listed below) is part of the Ping/Echo scenarios implementation but creates a c:\WCFLogs folder also used in the PO/Confirmation scenario.  Create this directory using the steps described in section 3.1.2.5, Create folders to contain test output, if testing only the PO/Confirmation scenario.

  1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. If a User Account Control dialog box appears, type in your administrator credentials if necessary, and then click Yes.
  3. On the command prompt, navigate to the C:\Windows\Microsoft.NET\Framework\v4.0.30319\ folder.
    Note
       If you have installed the 64-bit version of .NET Framework 4 on a compatible Windows operating system, the path in this step is C:\Windows\Microsoft.NET\Framework64\v4.0.30319.
  4. Type aspnet_regiis -i -enable, and then press ENTER.
  5. On the command prompt, navigate to the C:\binaries.x86chk\CDF\Test\wcf\Suite\XwsInterop\scripts\deploy folder.
  6. On the command prompt, type DeployIndigoEndpoints.cmd \binaries.x86chk\CDF\Test\wcf and then press ENTER.
  7. On the command prompt, type iisreset /restart, and then press ENTER.

After the server restarts, the endpoint browser is available to view at http://NETServer/endpoints.

3.1.2.8      Configure the IIS Default Application Pool to use the Network Service identity

Configures the IIS default application pool to use the NetworkService account as its process identity. This procedure avoids potential problems in private key installation performed when you execute step 6 in section 3.1.2.7.

  1. Click Start, click Control Panel, click System and Security, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. If a User Account Control dialog box appears, type in your administrator credentials if necessary, and then click Yes.
  3. In the Connections pane, expand the local server name, and then click Application Pools.
  4. In the Application Pools pane, right-click DefaultAppPool, and then click Advanced Settings.
  5. In the Advanced Settings dialog box, expand Process Model, click Identity, and then click the button beside the current value.
  6. In the Application Pool Identity dialog box, select Built-in account, select NetworkService from the drop-down list, click OK, and then click OK again.
  7. Close IIS Manager.

3.1.2.9      Enable other computers to communicate with IIS

Configures Windows Firewall so that SAP installations on other computers can communicate with WCF services.

  1. Click Start and then click Control Panel.
  2. In Control Panel, click System and Security, and in the Windows Firewall section, click Allow a program through Windows Firewall, and then click Change Settings.
  3. If a User Account Control dialog box appears, type in your administrator credentials if necessary, and then click Yes.
  4. In the Allowed programs and features box, select Secure World Wide Web Services (HTTPS) and World Wide Web Services (HTTP) for the type of network you use.
  5. Click OK and then close Control Panel.

3.1.2.10    Reconfigure the Security.SecureExchange (WS-SX) feature in the test suite

Reconfigures the Security.SecureExchange (WS-SX) feature in the test suite to allow it to pass messages through firewalls. This reconfiguration is required because the WS-SX feature uses a Security Token Service (STS) hosted on http://131.107.153.205, which is an Internet-facing server.

Do not perform these steps if testing only the PO/Confirmation scenario.

  1. Click Start, click All Programs, click Microsoft Visual Studio 2010, and then click Microsoft Visual Studio 2010.
  2. Click File, click Open, and then click File.
  3. In the Open File dialog box, navigate to C:\binaries.x86chk\CDF\Test\wcf\Suite\XwsInterop\Security\SecureExchange\SXClient\Indigo, click web.config, and then click Open.
  4. In the Visual Studio code pane, find the <defaultProxy> element in the <system.net> element and then change the enabled attribute to true.
  5. In the <proxy> element, change the proxyaddress attribute to contain the URI for the proxy server that your organization uses. You may need to consult a system administrator to obtain this information.
  6. In the <bypasslist> element, use <add> elements with address attributes to add all servers inside your firewall that you use for testing. For example, you can add the SAPServer URI to the bypass list if necessary.
    Note  SAPServer is a placeholder for the hostname of the SAP server in your environment. You must obtain the correct hostname for this server and use that value in the step above.
  7. Close Visual Studio.

Note   For more information about configuring proxy servers, see Proxy Configuration. For more information about the <defaultProxy> element, see the <defaultProxy> Element (Network Settings).
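
Steps 4 through 6 as a scripted edit, added here as an example and not part of the test suite: the PowerShell below applies the same three changes to a constructed web.config fragment. The proxy URI, the host name and the fragment's starting attribute values are placeholders and assumptions, not values from the shipped file.

```powershell
# Added example. Constructed fragment standing in for the SXClient web.config;
# its starting attribute values are assumptions, not the suite's real contents.
[xml]$config = @'
<configuration>
  <system.net>
    <defaultProxy enabled="false">
      <proxy proxyaddress="http://proxy.invalid:80" bypassonlocal="true" />
      <bypasslist />
    </defaultProxy>
  </system.net>
</configuration>
'@

function Set-TestSuiteProxy {
    param(
        [System.Xml.XmlDocument]$Config,
        [string]$ProxyUri,          # placeholder: your organization's proxy
        [string[]]$InternalHosts    # placeholder: servers inside the firewall
    )

    $defaultProxy = $Config.SelectSingleNode('/configuration/system.net/defaultProxy')
    if ($defaultProxy -eq $null) {
        throw 'No <defaultProxy> element found under <system.net>.'
    }

    # Step 4: switch the explicit proxy settings on.
    $defaultProxy.SetAttribute('enabled', 'true')

    # Step 5: point <proxy> at the proxy server, creating the element if absent.
    $proxy = $defaultProxy.SelectSingleNode('proxy')
    if ($proxy -eq $null) {
        $proxy = $defaultProxy.AppendChild($Config.CreateElement('proxy'))
    }
    $proxy.SetAttribute('proxyaddress', $ProxyUri)

    # Step 6: one <add> per internal server. The address attribute is a regular
    # expression, so the host name is escaped (an unescaped "." matches any
    # character) and anchored so that only this host bypasses the proxy.
    $bypass = $defaultProxy.SelectSingleNode('bypasslist')
    if ($bypass -eq $null) {
        $bypass = $defaultProxy.AppendChild($Config.CreateElement('bypasslist'))
    }
    $existing = @($bypass.SelectNodes('add') | ForEach-Object { $_.GetAttribute('address') })
    foreach ($server in $InternalHosts) {
        $pattern = '^https?://' + [regex]::Escape($server) + '(:\d+)?(/|$)'
        if ($existing -notcontains $pattern) {
            $add = $Config.CreateElement('add')
            $add.SetAttribute('address', $pattern)
            [void]$bypass.AppendChild($add)
        }
    }
}

Set-TestSuiteProxy -Config $config -ProxyUri 'http://proxy.example.test:8080' `
    -InternalHosts 'sapserver.example.test'

# Print the edited fragment; for the real file, load it with Get-Content,
# cast to [xml], and call $config.Save($path) with the full path.
$writer = New-Object System.IO.StringWriter
$config.Save($writer)
$writer.ToString()
```

Keep the bypass list to the hosts you actually test against: every entry is a destination whose traffic no longer passes through the organization's proxy.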

3.2    Setting up Security and Trust

The PO/Confirmation scenario uses SSL for secure message exchange and requires a user ID and password for user authentication.  Some of the Ping/Echo scenarios have similar confidentiality and authentication requirements.

3.2.1      SAP

In AS ABAP, the following preliminary steps are necessary to enable SSL for communication.

  1. Install the SAP Cryptographic Library, version 1.555.28 or higher.
  2. Set profile parameters in AS ABAP instance profile.
  3. In Trust Manager (transaction STRUST) create the SSL server PSE:
    1. Generate a certificate request for the SSL server PSE.
    2. Send the certificate request to a CA to be signed.
      Use for example the SAP Trust Center Services at service.sap.com/TCS.
    3. Import the certificate request response.
  4. In Trust Manager (transaction STRUST) create the anonymous SSL client PSE:
    1. In case you are using a self-signed certificate for the NETServer, import the NETServer SSL certificate using the NETServer.cer file exported in steps 5 through 12 of section 3.2.2.1.
    2. In case your NETServer certificate is signed by a Certification Authority (CA), import the root certificate(s) of the CA that issued the certificate to the NETServer that the AS ABAP accesses using the anonymous SSL client PSE.
  5. To test the SSL set up, go to transaction SM59, create a connection and specify that it should use SSL.
  6. Test the connection.

More information: Configuring the AS ABAP for Using SSL

Troubleshooting information is found in SAP note 1318906 (login required).

Note   For Web services communication, you do not need to maintain destinations in transaction SM59; the destinations are automatically created when you create endpoints for your Web services.

3.2.2      Microsoft

To set up security and trust for providers and consumers of WCF services for the end-to-end business scenario, you must perform three procedures:

  1. Configure SSL on the Web server
  2. Create the certificate snap-in and confirm the scenario certificates
  3. Test that Internet Explorer trusts site certificates for the WCF server and the SAP server

3.2.2.1      Configure SSL on the Web server

Uses the Microsoft Internet Information Services Web server to create a self-signed certificate, a file containing the certificate, and an HTTPS binding that uses that certificate.

Internet Information Services (IIS) Manager can import, request, or create certificates appropriate for an HTTPS Web site.  This procedure creates a self-signed certificate for this demonstration.  Do not use such a certificate in production.  For production use, follow the alternative approaches described at https://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx.

  1. Click Start, click Control Panel, click System and Security, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. If a User Account Control dialog box appears, type in your administrator credentials if necessary, and then click Yes.
  3. In the Connections pane of IIS Manager, click the local server name.
  4. In the server Home pane, double-click Server Certificates.
  5. In the Actions pane, click Create Self-Signed Certificate….
  6. On the Specify Friendly Name page of the Create Self-Signed Certificate wizard, in the Specify a friendly name for the certificate box type in a name for the certificate, and then click OK.
  7. In the Server Certificates pane, double-click the certificate you just created.
  8. Click the Details tab of the Certificate dialog, and then click Copy to File…
  9. In the Certificate Export Wizard, click Next, confirm No, do not export the private key is selected, click Next, confirm DER encoded binary X.509 (.CER) is selected, click Next, and then click Browse...
  10. In the Save As dialog, navigate to a memorable location, enter a filename such as NETServer.cer in the File name field, and click Save.
  11. In the Certificate Export Wizard, click Next, confirm the values you have entered, and then click Finish.
  12. Click OK twice to confirm and return to IIS Manager.
  13. In the Connections pane, expand Sites, and then click Default Web Site.
  14. In the Actions pane, click Bindings….
  15. On the Site Bindings dialog box, click Add….
  16. On the Add Site Binding dialog box, in the Type box select https, in the SSL certificate box select the certificate you created in step 5, click OK, and then click Close.

Note   In many of the subsequent procedures in this document, NETServer is a placeholder for the hostname of the .NET Framework 4 server in your environment. The preceding procedure defines for you the hostname you must use when you replace NETServer. Use the Issued To value of the self-signed certificate.

3.2.2.2      Create the certificate snap-in and confirm the scenario certificates

Create an MMC certificate snap-in. Then use this snap-in to confirm that the test suite certificates and the SSL certificate you created in section 3.2.2.1 are installed.

  1. Click Start and in the Search programs and files box, type mmc, and then press ENTER.
  2. If a User Account Control dialog box appears, type in your administrator credentials if necessary, and then click Yes.
  3. On the MMC console root, click File, and then click Add/Remove Snap-in….
  4. In the Available snap-ins box of the Add or Remove Snap-ins dialog box, select Certificates, and then click Add.
  5. On the Certificate snap-in box, select Computer account, and then click Next.
  6. On the Select Computer box, select Local computer, click Finish, and then click OK.
  7. In the console root click File, and then click Save.
  8. In the Save As dialog box, in the File name box assign a name to the snap-in that is easy for you to remember, and then click Save.
    Note   The snap-in console now appears when you click Start, click All Programs, and then click Administrative Tools.
  9. In the Console Root, click Certificates, click Personal, and then click Certificates.
    The self-signed SSL certificate should appear in this store, along with the Alice and Bob certificates used in a number of the Ping/Echo scenarios. Each certificate should have a small key in the certificate icon to indicate that a private key is available.

3.2.2.3      Test that Windows trusts site certificates for the Microsoft server and the SAP server

Use Internet Explorer to test that Windows trusts the self-signed certificate on the WCF server over the HTTPS protocol. The first three steps test the HTTPS connection for the local server and the subsequent steps describe what to do if Windows does not trust the certificate. The procedure also includes steps that verify that Windows trusts the certificate on the SAP NetWeaver Application Server.

  1. Click Start, click All Programs, right-click Internet Explorer, and then click Run as Administrator.
  2. If a User Account Control dialog box appears, type in your administrator credentials if necessary, and then click Yes.
  3. In the address bar, type https://NETServer/ and then press ENTER. NETServer is the host name for the server that hosts the .NET Framework 4 test client. This name must match the Subject and Issued To names that IIS assigned to the self-signed certificate that you created in section 3.2.2.1. In most cases, IIS assigns the fully-qualified computer name to these fields.
  4. If Internet Explorer displays an SSL Certificate Not Trusted error, confirm the URI to make sure you are navigating to the correct server and then click Continue to this website (not recommended).
  5. On the Address bar, click Certificate Error, and then click View Certificates.
  6. Check that the Issued To information is the same as the Issued By information to verify this is the self-signed certificate created in section 3.2.2.1.
  7. On the General tab of the Certificate dialog box, click Install Certificate….
  8. On the Certificate Import Wizard, click Next.
  9. In the Certificate Store page of the Certificate Import Wizard, select Place all certificates in the following store, and then click Browse.
  10. In the Select Certificate Store dialog box, expand Trusted Root Certificate Authorities, click Local Computer, click OK, click Next, and then click Finish.
  11. In the Import was successful dialog box, click OK, and then click OK again.
  12. Close Internet Explorer and repeat steps 1 through 3.
  13. If Internet Explorer displays another error, repeat steps 1 through 3.
    Note   If you continue to get this error, or any other error, accessing this page, redo the procedure in Section 3.2.2.1 to create the self-signed certificate and binding again.
  14. In the Internet Explorer address bar, type https://SAPServer/ and then press ENTER. SAPServer should be the fully-qualified name of the server on which the SAP NetWeaver Application Server is installed.
  15. If Internet Explorer displays an SSL Certificate Not Trusted error, confirm the URI to make sure you are navigating to the correct server, and then click Continue to this website (not recommended).
  16. Repeat steps 5 through 11.
  17. Close Internet Explorer and repeat steps 1, 2, and 14.
  18. Close Internet Explorer.

Note   Steps 1 through 4 and 12 through 15 of this procedure work if you open Internet Explorer without elevated privileges. However, the rest of the procedure requires you to open Internet Explorer as an administrator.
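
A scripted version of the checks in sections 3.2.2.2 and 3.2.2.3, added here as an example and not part of the Microsoft test suite: it reads the Local Computer Personal and Trusted Root stores and reports, for each certificate, whether the private key is present and whether a self-signed certificate is trusted yet. Matching the test-suite certificates by "Alice" or "Bob" in the subject is an assumption.

```powershell
# Added example: read-only audit of the certificate stores this guide populates.
# Assumption: the test-suite certificates carry "Alice" or "Bob" in the subject.
function Get-ScenarioCertificateReport {
    $rootThumbprints = @(Get-ChildItem 'Cert:\LocalMachine\Root' |
        ForEach-Object { $_.Thumbprint })

    foreach ($cert in @(Get-ChildItem 'Cert:\LocalMachine\My')) {
        $selfSigned  = ($cert.Subject -eq $cert.Issuer)
        $inRoot      = ($rootThumbprints -contains $cert.Thumbprint)
        $isTestSuite = ($cert.Subject -match 'Alice|Bob')
        $findings    = @()

        # Section 3.2.2.2, step 9: every scenario certificate needs its private key.
        if (-not $cert.HasPrivateKey) {
            $findings += 'no private key'
        }
        # Section 3.2.2.3, steps 7 through 11: until the self-signed SSL
        # certificate is in the Local Computer Trusted Root store, Internet
        # Explorer reports a trust error for https://NETServer/.
        if ($selfSigned -and -not $inRoot) {
            $findings += 'self-signed, not yet trusted'
        }
        # Demonstration material that the guide says not to use in production.
        if ($selfSigned -and $inRoot) {
            $findings += 'self-signed and trusted as a root: demonstration only'
        }
        if ($isTestSuite) {
            $findings += 'interop test certificate: demonstration only'
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            $findings += 'expired'
        }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Findings   = ($findings -join '; ')
        }
    }
}

Get-ScenarioCertificateReport |
    Sort-Object Subject |
    Format-List Subject, Thumbprint, NotAfter, Findings
```

Run it again when the demonstration is finished; the thumbprints it lists identify the entries to remove from the Personal and Trusted Root stores.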