How often are you asked to consume a web service (WS), establish an SSL connection, and troubleshoot any incident? The simple task of consuming an API usually requires support from several technical teams: programmers, Basis, networking and security. It is usually difficult to align the planets with all the teams and arrive at a solution quickly enough to start testing the interface. In this article, you will find a step-by-step guide to implementing and troubleshooting a basic API consumption over an SSL connection.
Let’s take the following site as an example to explore US public data: Data USA
What matters to us is the following link: https://datausa.io/about/api/
This is where we find the API definition. It tells us what parameters we must add to our request and how to interpret the answer that we receive. Let’s enumerate the steps to achieve our goal:
- Define the connection in SM59
- Download the SSL certificate from the site
- Upload the certificate to SAP
- Code the program
- Troubleshoot
Define the connection in SM59
In this first step, we must define the URL that we want to reach, according to the definition given in the API documentation. We could hard-code this connection in the program, but that is not good practice. With a connection defined in transaction SM59, if the endpoint changes, the only thing we need to do is update the connection, and no change in the source code is needed. So, let’s execute transaction SM59 and create the connection. We will create a type G connection (“HTTP Connection to External Serv”).

In the “Logon and Security” tab, we activate “SSL Protocol” and select “Default SSL Client.”

We save our RFC connection et voilà! Our connection is created! Let’s check if the connection works by clicking on the button “Connection Test.” In my case, I get an “ICM_HTTP_SSL_PEER_CERT_UNTRUSTED” error. Anyway, let’s continue reading!
Download the SSL certificate from the site
As this is a new service that will be consumed, we need to add the SSL certificate to the system, so that the service and the ERP can communicate “in the same language.” To get this certificate, we run Chrome and type the URL that we want to consume, in this case https://datausa.io. We click on the lock just to the left of the URL and a menu is displayed. We click on “Connection is secure” and then on “Certificate is valid.”

The certificate information is displayed. We are interested in the last tab (Certification Path), where we have an overview of the entire certificate chain. In my case, I can see 3 different rings and the one that we care about is the “root” that is on the top. We always need to upload the “root certificate” to SAP. We double-click on “Digicert Baltimore Root” and a new window opens with its information. We go to the second tab, which is “Details,” and we click on “Copy to file.” The export assistant is launched, and we must follow all the steps to obtain a copy of this certificate on our local computer.
Upload the certificate to SAP
So far, we have completed the first step, which is the connection definition, and the second, which is the download of the root certificate. Let’s upload this certificate to SAP. We quit Chrome, return to the SAP GUI and execute transaction STRUST. The screen is divided in two. On the left, we find folders. On the right, there is some information. We search for the folder “SSL Client (Standard)” (this should match the entry selected in the “SSL Protocol” section when the RFC connection was defined) and we open it.

We click on the green dot, and the right side is updated with all the certificates uploaded in this section. At the bottom of the right pane there is a button with a green arrow. When you place the mouse on it, the “Import certificate” message appears. We click on it and select the certificate that was downloaded in the previous step. If it is successfully imported, the certificate fields are filled with the information read from the file. To add it to the list, we click on “Add to certificate List” and a message is displayed (“Certificate added to PSE”).

We save the change, and another message appears. To verify this step, we execute transaction SM59 and open the recently created entry called “DATAUSA.” We click on “Connection Test” and the result should be successful: HTTP/1.1 200 OK.
Code the program
Now we can start coding our program. To make this step easier, I have created a public repository on GitHub from which you can copy and paste the source code. You can get it at the following URL: https://github.com/estewil/abap_demo_api
This program is documented and provides all the steps to perform the consumption of the API. You can simply debug it and analyze each statement. Modify it to suit your needs.
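As a reference while reading the repository, the following added sketch (not the code from the linked repository) shows the core calls for consuming the service through the SM59 destination “DATAUSA” created above. The report name and the request path in lv_uri are placeholders; take the real path and parameters from the API definition.

```abap
REPORT z_datausa_demo.
" Added example, not the code from the linked repository.
" Assumptions: SM59 destination DATAUSA exists; lv_uri is a placeholder.
DATA: lo_client TYPE REF TO if_http_client,
      lv_uri    TYPE string VALUE '/<path-from-api-definition>',
      lv_code   TYPE i,
      lv_reason TYPE string,
      lv_errno  TYPE sysubrc,
      lv_errmsg TYPE string,
      lv_body   TYPE string,
      lv_len    TYPE i.

START-OF-SELECTION.
  " Host and SSL client settings come from SM59, not from the source code
  cl_http_client=>create_by_destination(
    EXPORTING  destination              = 'DATAUSA'
    IMPORTING  client                   = lo_client
    EXCEPTIONS argument_not_found       = 1
               destination_not_found    = 2
               destination_no_authority = 3
               plugin_not_active        = 4
               internal_error           = 5
               OTHERS                   = 6 ).
  IF sy-subrc <> 0.
    WRITE: / 'Destination DATAUSA could not be opened, sy-subrc:', sy-subrc.
    RETURN.
  ENDIF.

  lo_client->request->set_method( if_http_request=>co_request_method_get ).
  cl_http_utility=>set_request_uri( request = lo_client->request
                                    uri     = lv_uri ).

  lo_client->send( EXCEPTIONS OTHERS = 1 ).
  IF sy-subrc = 0.
    lo_client->receive( EXCEPTIONS OTHERS = 1 ).
  ENDIF.

  IF sy-subrc <> 0.
    " Connection and SSL handshake failures end up here
    lo_client->get_last_error( IMPORTING code = lv_errno message = lv_errmsg ).
    WRITE: / 'Request failed:', lv_errno, lv_errmsg.
  ELSE.
    lo_client->response->get_status( IMPORTING code = lv_code reason = lv_reason ).
    lv_body = lo_client->response->get_cdata( ).
    lv_len  = strlen( lv_body ).
    WRITE: / 'HTTP status:', lv_code, lv_reason, / 'Body length:', lv_len.
  ENDIF.
  lo_client->close( EXCEPTIONS OTHERS = 1 ).
```

When the request fails at the SSL layer, the text returned by get_last_error is only a summary; the full handshake detail is in the SMICM trace.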
Troubleshoot
Finally, we will focus on troubleshooting some problems that can arise with SSL communication. Transaction SMICM will be a superb partner in every situation. By pressing “SHIFT+F5” or by clicking on the menu “Go to - Trace File - Display all” you will see a detailed log of the execution, starting with the crypto library initialization and covering all the steps involved in the communication. Sometimes the log is really long, so an easy way to find the error is to search for the string of the connection URL, in this case “datausa.io.” If the error is not clear, you can increase the trace level to see more detailed information. Pasting the error in Google or searching for SAP notes will hopefully give clues regarding the issue. One important SAP note is 510007. This note contains many considerations for setting up SSL on an application server. Good luck and enjoy!