
Can we bypass self-signed https calls in CAI consume API

ramana999
Explorer
0 Kudos

Hi,
I had trained the bot to detect as per a PoC business use case, and it turned out well; in the end, a Consume API action has to be triggered. I have been getting "PKIX path building failed: Details: unable to find valid certification path to requested target;" as our API is using a self-signed cert. Is there a way I can bypass self-signed cert API calls to proceed? I see similar requirements from people.
Could you please add this feature, as this is turning out to be a blocker to completing the use case and utilizing the full potential of the SAP CAI platform, and might be impacting the opportunity to grab potential business too.

thomas-bruckner
Product and Topic Expert

Dear ramana999,

thank you for reaching out. Unfortunately, it is not possible to bypass the certificate validation for HTTPS communication when using the "Consume SAP Service" feature of SAP Conversational AI. Let me give you some background on why it is like that and must always be the case.

So first of all, why check the certificate when using HTTPS communication?
HTTPS is not only key to preventing people (or intermediate parties) from inspecting sensitive content of your communication, but also to verifying that you are talking to the server you are expecting. SSL certificates are therefore used to build up a secured communication on the transport layer and to avoid sending your valuable data to someone just pretending to be your backend.

How can my backend be used for HTTPS communication with SAP Conversational AI?

Your backend server needs to use a certificate signed by a well-known and trusted CA. SAP Conversational AI acts here pretty similarly to most modern browsers when looking at which certificates are trusted or not. I of course cannot name all the CAs we are trusting, but it can be said that it is a common set in our trust store, which is aligned with SAP's security guidelines.

Of course, a self-signed certificate can never be accepted in such a scenario. When accepting those, the impact for our customers and users of CAI would be that they are vulnerable with their bot to a set of attack vectors, where for example sensitive personal data or business data could be stolen. So that is clearly the reason why this cannot be done in a cloud software product.

You have different ways to get around that and make your use-case work:

  • Use a trusted certificate with your backend server; there are even good free ways to do that (like letsencrypt)
  • Use a so-called middleware, where you are calling an intermediate server (which you control) with a trusted certificate. That one can then proxy the request to your backend with the self-signed certificate. (Still not recommended when looking at the security of such a setup.)
  • If it is an on-premise SAP system, you can also make use of SAP Cloud Platform destinations and the SAP Cloud Connector to tunnel your request to your premises' network

I hope this makes this topic clearer and helps in solving your issue.

Regards,

Thomas

former_member1573
Participant
0 Kudos

Hi thomas.bruckner,

Nicely explained!!

I have installed the self-signed certificate for the backend system and am trying to fetch the data from the API.

and am getting the same issue as mentioned above: "PKIX path building failed: Details: unable to find valid certification path to requested target; nested exception is Details: PKIX path building failed: Details: unable to find valid certification path to requested target". And I have also created the Node.js service, but am getting DEPTH_ZERO_SELF_SIGNED_CERT there.

So, to resolve this issue, can we proceed with installing the certificate from letsencrypt?

ramana999, how did you resolve this issue?

Thanks in advance.