SSL / X.509 In SOAP Sender/Receiver Adapter

Hi Friends,
We have a few third-party Java-based systems which need to integrate with SAP PI 7.1.
For this we are using:
SOAP Sender from Third Party to PI
SOAP Receiver from PI to Third Party Systems
The customer wants to implement SSL/X.509 certificates for encryption and decryption as one of the options.
We are facing a few issues, like:
I am assuming each of the source system webservice calls will have to use a username/password to authenticate with the PI system.
a. Will this use 'basic authentication', i.e., credentials sent over as part of the HTTP header field?
   i. Assuming we use SSL for transport level security - this is still not secure as the credentials are not encrypted
   ii. Is there a way to send in encrypted credentials and for the PI layer to decrypt the same, validate and process the request?
b. Should we consider using a single sign-on mechanism?
c. Should we consider using X.509 digital certificates?
   i. This would require that the X.509 certs are maintained in the Source & PI webserver Java key stores
d. Should we also consider digitally signing the payload?
   i. This requires using an appropriate hashing algorithm such as SHA-1 or MD5
SOAP Sender/Receiver Adapter has few properties not specific to them. How to achieve this?
Regards
Chandra Dasari

Hi Chandra,
You may try to implement this using the AXIS framework of the SOAP adapter. This provides functionality for handling of X.509 encryption and decryption.
You can generate/get the digital certificate and use it for both transport level as well as message level security. You would not require any additional encoding apart from this.
Coming to your queries:
Q - I am assuming each of the source system web service calls will have to use a username/password to authenticate with the PI system
A - If you are using a certificate, then they can call XI using this certificate. You can share your public certificate with each of the parties.
Q. Will this use 'basic authentication', ie., credentials sent over as part of the HTTP header field?
A - Depends...if you are using basic authentication, then it will not be via X.509. It will be the normal process. These two are two different things.
Q. Assuming we use SSL for transport level security - this is still not secure as the credentials are not encrypted
A - This problem is resolved if you are using digital certificates.
Q. Is there a way to send in encrypted credentials and for the PI layer to decrypt the same, validate and process the request?
A - Yes. It is possible. But then you will have to implement encryption decryption logic at both the ends separately if you are not using certificates.
Q. Should we consider using a single sign-on mechanism?
A - Is your third party part of your landscape? If not, then you might want to check and confirm this approach with your security adviser.
Q. Should we consider using X.509 digital certificates?
A - Yes...This would resolve most of your problems.
Q. This would require that the X.509 certs are maintained in the Source & PI web server Java key stores
A - Yes.
Q. Should we also consider digitally signing the payload?
A - If you require message level encryption along with transport layer.
Q. This requires using an appropriate hashing algorithm such as SHA-1 or MD5. SOAP Sender/Receiver Adapter has few properties not specific to them. How to achieve this?
A - You can provide this option while generating the certificate itself.
Please let me know if this helps.
Cheers,
Sarath.

Similar Messages

  • Missing soap action in the soap axis receiver adapter ?

    Hi Guys,
    I could not find the soap action field in the soap receiver adapter and i followed the OSS note
    Note 1054986 - SOAP (Axis) receiver adapter's SOAPAction field missing
    Please apply the following patch and use the handler parameter defaultSOAPAction for the XI30OutboundHandler handler in the request chain. This handler parameter can be configured as a module parameter for the HandlerBean module associated with this handler. It is noted that this module parameter takes precedence over the channel parameter for SOAPAction if this field is available.
    For SP12
    XI ADAPTER FRAMEWORK CORE 7.0
    Support Package 12, Patch Level 1 (SAPXIAFC12P_1.SCA)
    We are on SP15, so I think the option should be available?
    Do I need to add this parameter in the Module Configuration?
    Module Key : ?
    Parameter Name: handler.type ---> is this right
    Parameter Value ---> ?
    We need to validate the user id and pw on IIS for NTLM authentication. Any help regarding developing the handlers would be great.
    Any help would be appreciated.
    Thanks,
    Srini

    Srinivas,
    You are on the right path... yes, that is the right note for this issue.
    The problem is this is not a general fix that comes with all service packs, as the Axis adapter is not used a lot. That being said, if you don't see it with SP15, I would safely go apply this fix and see if it works; else you might have to open an OSS note for the same...
    Hope that helps.
    Regards
    Ravi Raman
    P.S.: On my home system I did apply the fix and I was on a much higher SP level. I saw some errors in the logs, but nothing a restart couldn't fix.

  • JDBC Sender/Receiver Adapter Configuration with key fields in SAP XI

    Hi All,
    Good evening.
    Please let me know, what are the settings required for key fields when configuring both sender and receiver Adapter?
    In my IDOC-XI-File scenario, when I am sending an IDOC from R/3, I got a Mapping Runtime exception error. So, how to send the same IDOC after correcting the error?
    Thanks to all in advance.
    Regards,
    Nagarjuna.

    HI Nagarjuna,
    If my understanding is correct, when you trigger the IDoc from R/3 it throws the error in XI.
    If you want to send the same IDoc, then go to WE19 in the R/3 system, enter the same IDoc number and execute the scenario. It sends the IDoc to the XI system, but the message number will change.
    Regards
    Goli Sridhar

  • Configuring iWay Siebel  Sender/Receiver adapter in SAP XI.

    Hi,
    I am evaluating iWay Siebel Adapter for connection between Siebel system and SAP system. I am using both the sender and receiver iWay adapter for both inbound and outbound scenario.
    In both the case the transport protocol used is HTTP. I searched a lot but could not find a document which explains the different parameter in the Communication channel for both sender and receiver adapter.
    Please let me know if you have some document regarding the same. Also in my present scenario I don't have access to Siebel system so I am using a HTTP client to simulate a Siebel system.
    I want to know what should I use in the Listener port in the Sender CC and how to send message using this port from a Local HTTP Client.
    Regards,
    Nilesh

    Hi Nilesh,
    Check this link on the service marketplace for more information on available 3rd Party Adapters for XI:
    https://websmp104.sap-ag.de/~sapidb/011000358700008673832004E/index.htm
    http://eai.ittoolbox.com/groups/vendor-selection/eai-select/adapters-to-integrate-sap-xi-and-siebel-639308#
    Please see the below threads
    iWAY
    IWAY Adapter(siebel): Error while using Applicaiton Explorer
    XI to mainframe adapter
    B2B Adapters
    step by step procedure to configure a BAAN adapter
    In this thread I have given the connection parameters to connect Siebel using the HTTP receiver adapter...
    Query String
    Siebel - http://www-128.ibm.com/developerworks/rational/library/05/419_siebel/index.html
    /people/siva.maranani/blog/2005/09/15/push-data-to-mvc-architectured-application-using-xi
    /people/siva.maranani/blog/2005/09/03/invoke-webservices-using-sapxi
    /people/siva.maranani/blog/2005/03/01/testing-xi-exposed-web-services
    See the below links
    Integration with Peoplesoft, Oracle and Siebel
    /thread/93179 [original link is broken]
    XI integration with PSFT/Seibel ?
    SAP Siebel Integration
    Sap-Siebel integration
    XI-Seibel integration using webservices
    /people/yomeshp.sharma/blog/2006/06/01/integrating-jdedwards-system-with-xi-using-iway-adapter-part--i
    part -II /people/yomeshp.sharma/blog/2006/06/01/integrating-jdedwards-system-with-xi-using-iway-adapter-part--ii
    part -III /people/yomeshp.sharma/blog/2006/05/31/integrating-jdedwards-system-with-xi-using-iway-adapter-part--iii
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e2aeb02c-0601-0010-d680-c9be61ffa390
    /thread/96443 [original link is broken]
    inetgartion of Ep-XI-seibel project
    /people/sriram.vasudevan3/blog/2005/03/18/points-to-ponder-over-while-considering-webservices-implementations-vis-a-vis-eai
    Regards,
    Vinod.

  • Data Types for JDBC Sender/Receiver Adapter

    HI experts,
    I am very much confused about how the data types should be for the sender/receiver for JDBC.
    And is there any standard format that should be used, or what is the structure to be used?
    Please let me know clearly and help me out in this regard.
    Edited by: Amruth on Dec 4, 2008 6:11 AM


  • SOAP Sender & Receiver Adapters

    Hi, I want to use the SOAP adapter on both sides of XI. Since it's way different from other adapters, could someone tell me how to make use of it?
    Will I be able to trigger a process on the 3rd party application and receive a payload from it using the Sender SOAP adapter?
    How can I schedule the Sender SOAP Adapter?
    Any How-to guides available for SOAP adapters setup ?

    > Any How-to guides available for SOAP adapters setup ?
    Check this, exactly what you want,
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/d23cbe11-0d01-0010-5287-873a22024f79
    Regards,
    Bhavesh

  • HTTPS authentication using SSL in SOAP Sender adapter

    Hi,
    We are currently doing a SOAP to RFC synchronous scenario in PI 7.0. Our client wants to ensure that the data security is maintained at the transport level. So, we have planned to implement HTTPS without client authentication using SSL certificates. Our Basis team has promised us that they will take care of the certificate generation and installation part in the server. Now I am confused at the PI communication channel setup level.
    1) Do I have to specify the certificate installed path in the channel or in any other object? If so, where do I have to configure the path?
    2) What is the exact path that has to be carried by a PI developer once the certificates are installed in the server?
    I have attached my communication channel screenshot below,
    http://i41.tinypic.com/mk49h.jpg
    Please let me know what i have to configure in the Sender SOAP channel to receive data securely once the certificates are installed in the system.
    Thanks & Regards,
    Sherin Jose P

    Hi,
    1. For transport level security you should assign the HTTPS connection created in SM59 to the SOAP communication channel.
    The HTTPS connection should use the certificates imported in t-code STRUST.
    Have you seen the thread below?
    SSL / X.509 In SOAP Sender/Receiver Adapter
    Please go through below blog,
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b2e7020d-0d01-0010-269c-a98d3fb5d16c?overridelayout=true
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60ff2883-70c5-2c10-f090-a744def2ba66?QuickLink=index&overridelayout=true
    http://help.sap.com/saphelp_nwpi71/helpdata/de/14/ef2940cbf2195de10000000a1550b0/content.htm
    2. You need to check the message flow between the sender and receiver through PI.
    regards,
    ganesh.

  • Handling multiple files in sender and receiver adapter

    Hi ,
    In my sender FTP server multiple files get created at the same time. I want to send these same files to the target FTP server; I am not doing any file content conversion. Just pick these multiple files at a single poll and drop them in the target FTP system.
    I gave *.* as the file name parameter in the sender file adapter. The PI system picks all the files as separate messages, but if I give *.* in the receiver adapter it's not creating the file and it's giving a Java exception.
    Is there any other method to do this without having File content conversion?
    Regards
    Shakfie

    > I gave *.* in the as file name parameter in the sender file adapter..PI system picks all the files as separate message but if i give *.* in the receiver adapter it's not creating the file and its giving Java exception..
    For the receiver adapter you have to give some file name; '.' will not work for the receiver adapter. So give any temporary name just to satisfy the mandatory field. And when you select the ASMA settings in both SENDER & RECEIVER adapter, your Receiver File adapter will write the same file name which it has picked up and NOT the one which you have written in your receiver adapter.
    Note: Set the ASMA setting in both, else you will not get the same file name at the receiver. You can see the same in the blog given by Siva. You need not create any UDF since you are not using any mapping. Just use the ASMA settings... that's it.
    > Is there any other method to do this without having File content conversion... ?
    You can go through this blog for the same...
    /people/william.li/blog/2006/09/08/how-to-send-any-data-even-binary-through-xi-without-using-the-integration-repository
    Regards,
    Sarvesh

  • Update sql statement in sender/receiver jdbc adapter

    Hi
    What is the update sql statement we give in the sender/ receiver adapter when
    1) SELECT statement was written in query sql statement
    2) EXECUTE statement was written for a stored procedure in query sql statement
    thanks
    Anitha

    > 1) SELECT statement was written in query sql statement
    your table should have some value "already_processed" which prevents a second processing of that table.
    the update statement sets that value.
    > 2) EXECUTE statement was written for a stored procedure in query sql statement
    the same as above.
    when your stored procedure already does the update, then write a second stored procedure which does nothing.

  • Sender HTTP adapter

    Hi,
    I have been working with SOAP sender / receiver adapters.. Now I am working on a new scenario where I am developing scenarios from and to HTTP servers.
    1. I use the http://host:port/XISOAPAdapter/MessageServlet?channel=party:service:channel URL to call PI from a web server using the SOAP adapter. SAP help suggests using http://<hostname:port>/<path>?<query-string> for calling PI from an HTTP server... Can someone tell me in detail what the path and query string values are to call PI?
    2. I use SOAP Sonar or SoapUI to call PI using these web services. Is there any equivalent tool to test HTTP - PI communication? If yes, can I do that with the WSDL?
    3. While sending messages from PI to the HTTP box, there is a 404 not found error message. But when I logged onto the target server, the URL seems to be right. I know it is not trying to find the correct resource. Please throw some light on how I validate the URL.
    THanks,
    ~N

    All,
    Please help me test my latest version, which is released as Beta.
    SAP PI HTTP Client 3.0
    Regards,
    Vikas

  • Problem: Original Attachment Name from SOAP Sender changes to attachment-1

    Hi everybody,
    we have a scenario where a SOAP sender receives a xml message describing several documents. Each document has a mime type and a file name, size, md5 checksums etc as attributes.
    The documents are sent as attachments with the same Web service in SwA (SOAP with attachment) style.
    The web service calls an ABAP proxy provider class in a R/3 backend.
    The ABAP proxy class will save the attached documents for further processing and must use the original document names.
    At the soap communication channel monitoring(Java Stack) we still see the original attachment names in the message content tab.
    At the Integration Server(sxmb_moni) the attachment name changes to attachment-1, attachment-2 and so on.
    Using the method
    IF_AI_ATTACHMENT ->GET_DOCUMENT_NAME
      in the provider ABAP proxy class returns the name attachment-1.
    We can see that there is a mapping of the new attachment-1 name to the old, original name in the manifest section of this message on the Integration server.
    Is there a way to access the manifest section at a provider ABAP proxy class?  Or otherwise a PI configuration setting to preserve the original attachment names.
    Thanks a lot,
    Heiko
    => PI 7.1 SP9

    Hi Stefan,
    (I was hoping you would find that thread ...)
    I see a good reason why the attachment names are changed as the PI message protocol sends the main document as an attachment as well. So no problem with that because the information of the mapping old to new names still exists in the manifest part and is visible at the sxmb_moni.
    We see a manifest part like this (Sorry, can't post the whole xml doc as the formatting for longer messages isn't working in the forum)
    <SAP:Payload xlink:href="cid:4cc43edd-839f-423f-b7c6-7e44294d663a_sig.p7m">
      <SAP:Name>attachment-1</SAP:Name>
      <SAP:Description>attachment</SAP:Description>
      <SAP:Type>ApplicationAttachment</SAP:Type>
    </SAP:Payload>
    The (red) cid entry is the original file name. This manifest is from the sxmb_moni in the r/3 backend. So all the information is there..  The question is how to retrieve this information .. Any idea?
    Best Regards,
    Heiko Bergmann

  • Soap Sender and RFC Adapter receiver getting APPLICATION_ERROR

    Hi, all,
    I have a webservice soap sender and RFC Adapter receiver scenario, it works fine with RFC "RFC_SYSTEM_INFO", When i tried the RFC "RFC_READ_TABLE", getting the following error message,  <SAP:Code area="RFC_ADAPTER">APPLICATION_ERROR</SAP:Code> in
    SXI_MONITOR, in webservice client, i am getting error message like this:
    <faultcode>SOAP:Server</faultcode>
             <faultstring>Server Error</faultstring>
             <detail>
                <rfc:ZZTEST_RFC_READ_TABLE.Exception xmlns:rfc="urn:sap-com:document:sap:rfc:functions">
                   <Name>TABLE_NOT_AVAILABLE</Name>
                   <Text>QUERY_TABLE not active in Dictionary</Text>
                </rfc:ZZTEST_RFC_READ_TABLE.Exception>
    Thanks a lot!

    Hi
    It's not compulsory, but it's good to wrap it as a Z object.
    Well, if you are facing a problem with SOAP data, then try to do one thing: check the data you received from the SOAP message. If this works,
    then try to check in the mapping whether it is passing the data correctly or not. Along with this, check the authorization of the user PIAPPLUSER, in case it has too few authorizations to execute this BAPI in ECC.
    Thanks
    Gaurav

  • SOAP Receiver Adapter using SSL - PI 7.0

    Hi all,
    i am currently faced with a .net WCF webservice integration using https via SOAP Receiver Adapter in PI 7.0.
    Can anybody tell me into which Visual Administrator view i have to import my certificate in order to get https working ?
    Thanks in advance,
    Martin

    It must be the View you have created for your partners. There is usually a Trusted view where you have your own certificate. And there are other views where partners' certificates are stored. There you have to store the certificate.
    Regards,
    Prateek

  • FTP/SSL Connection Problem for FTP Receiver Adapter

    Hello All,
    We are trying to establish an FTPS/SSL connection with one of our customers from our XI (Unix) system, and receive the following error:
    iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
    Communication Channel Parameters:
    Connection Security: FTP (FTP Using SSL/TLS) for Control Connection or FTP (FTP Using SSL/TLS) for Control Connection and Data Connection
    Command Order: AUTH TLS, USER, PASS, PBSZ, PROT
    Checkbox - Use X.509 Certificate.... checked (Certificate was provided by third party (customer issued) and uploaded to service_ssl certificate store on J2EE server)
    Data Connection: Passive
    Port: 10021
    Keystore: service_ssl
    X.509 Certificate & Private Key: ssl-credentials
    Note: Initial handshaking occurs but connection is being dropped by the third party FTP Server when SSL certificate credentials are being validated. We also tried connecting to the third party FTPS server using standard FTPS client(FileZilla software), this connection gets established successfully with no certificate issues which means certificate and third party FTP Server is functioning correctly.
    We therefore are thinking that the problem lies with our XI system being unable to load the certificate information correctly at the point when FTPS session is being established.
    Your help and suggestions will be greatly appreciated.
    Thanks and Best Regards
    Prashant Rajani

    Hello All,
    Further in order to test connection set up and communication channel configuration we tried simulating the FTP connection locally by configuring FTP Server using FileZilla at a local machine and accessed it from Client's XI Server.
    This set up simulates the problem we encounter with our customer's FTP Server.
    If connection security parameter in communication channel for Sender FTP Adapter is set to "FTPs( FTP Using SSL/TLS) with Control Connection" only, file gets successfully created with data at the FTP server but as soon as we switch the connection security parameter to "FTPs( FTP Using SSL/TLS) with Control and Data Connection", we receive error "Certificate rejected by Chain Verifier". The initial handshaking happens successfully and file gets created at the FTP Server but it's empty, connection fails when attempt is made to write data into file and we end up with said error thereby closing the connection.
    This is what the FTP (FileZilla) sees when the XI system attempts to set-up a fully encrypted data (FTPS) connection i.e., connection security parameter value as "FTPs( FTP Using SSL/TLS) with Control and Data Connection":
    - (not logged in) (10.18.106.34)> Connected, sending welcome message...
    - (not logged in) (10.18.106.34)> 220-FileZilla Server version 0.9.18 beta
    - (not logged in) (10.18.106.34)> 220-written by Tim Kosse ([email protected])
    - (not logged in) (10.18.106.34)> 220 Please visit http://sourceforge.net/projects/filezilla/
    - (not logged in) (10.18.106.34)> AUTH TLS
    - (not logged in) (10.18.106.34)> 234 Using authentication type TLS
    - (not logged in) (10.18.106.34)> SSL connection established
    - (not logged in) (10.18.106.34)> USER test
    - (not logged in) (10.18.106.34)> 331 Password required for test
    - (not logged in) (10.18.106.34)> PASS ***********
    - test (10.18.106.34)> 230 Logged on
    - test (10.18.106.34)> PBSZ 0
    - test (10.18.106.34)> 200 PBSZ=0
    - test (10.18.106.34)> PROT P
    - test (10.18.106.34)> 200 Protection level set to P
    - test (10.18.106.34)> SYST
    - test (10.18.106.34)> 215 UNIX emulated by FileZilla
    - test (10.18.106.34)> PWD
    - test (10.18.106.34)> 257 "/" is current directory.
    - test (10.18.106.34)> CWD /payment/
    - test (10.18.106.34)> 250 CWD successful. "/payment" is current directory.
    - test (10.18.106.34)> TYPE I
    - test (10.18.106.34)> 200 Type set to I
    - test (10.18.106.34)> PASV
    - test (10.18.106.34)> 227 Entering Passive Mode (10,27,7,103,15,63)
    - test (10.18.106.34)> STOR BHPDSB20060911-153840-834.txt
    - test (10.18.106.34)> 150 Connection accepted
    - test (10.18.106.34)> Data connection SSL warning: SSL3 alert read: fatal: bad certificate
    - test (10.18.106.34)> Data connection SSL warning: SSL_accept: failed in SSLv3 read client certificate A
    - test (10.18.106.34)> Data connection SSL warning: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    - test (10.18.106.34)> Data connection SSL warning: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
    - test (10.18.106.34)> 426 Connection closed; transfer aborted.
    - test (10.18.106.34)> QUIT
    - test (10.18.106.34)> 221 Goodbye
    - test (10.18.106.34)> SSL connection established
    Please suggest your valuable inputs if we are missing out something. Any helpful inputs in this regard is highly appreciated.
    Thanks and Best Regards
    Prashant
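
Added example, not part of the original posts: a Python parser for the FileZilla Server session log quoted above. It separates the control-channel TLS handshake from the data-channel one, decodes the passive endpoint from the 227 reply, and reports which side sent the certificate alert. The function names and result labels are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the server log quoted in the post, one entry per line, markup removed.
SAMPLE_LOG = """\
- (not logged in) (10.18.106.34)> AUTH TLS
- (not logged in) (10.18.106.34)> 234 Using authentication type TLS
- (not logged in) (10.18.106.34)> SSL connection established
- test (10.18.106.34)> PROT P
- test (10.18.106.34)> 200 Protection level set to P
- test (10.18.106.34)> PASV
- test (10.18.106.34)> 227 Entering Passive Mode (10,27,7,103,15,63)
- test (10.18.106.34)> STOR BHPDSB20060911-153840-834.txt
- test (10.18.106.34)> 150 Connection accepted
- test (10.18.106.34)> Data connection SSL warning: SSL3 alert read: fatal: bad certificate
- test (10.18.106.34)> Data connection SSL warning: SSL_accept: failed in SSLv3 read client certificate A
- test (10.18.106.34)> Data connection SSL warning: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
- test (10.18.106.34)> Data connection SSL warning: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
- test (10.18.106.34)> 426 Connection closed; transfer aborted.
"""

ENTRY = re.compile(r"^- (?P<user>.+?) \((?P<ip>[\d.]+)\)> (?P<msg>.*)$")
PASV = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PROT = re.compile(r"^200 Protection level set to (\w)")
ALERT = re.compile(r"SSL3 alert (read|write): (\w+): (.+)$")


@dataclass
class FtpsSession:
    control_tls: bool = False                        # handshake on the control channel completed
    data_protection: Optional[str] = None            # level acknowledged for PROT ("P" = private)
    data_endpoint: Optional[Tuple[str, int]] = None  # passive address decoded from the 227 reply
    transfer: Optional[str] = None                   # file named in STOR
    alerts: List[Tuple[str, str, str]] = field(default_factory=list)
    aborted: bool = False                            # 426 reply seen


def analyse(log_text: str) -> FtpsSession:
    s = FtpsSession()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        # Only count the handshake that precedes the transfer as the control channel.
        if msg == "SSL connection established" and s.transfer is None:
            s.control_tls = True
        elif PROT.match(msg):
            s.data_protection = PROT.match(msg).group(1)
        elif PASV.match(msg):
            h1, h2, h3, h4, p1, p2 = PASV.match(msg).groups()
            # RFC 959 encoding: port = p1 * 256 + p2
            s.data_endpoint = (f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2))
        elif msg.startswith("STOR "):
            s.transfer = msg[5:]
        elif msg.startswith("Data connection SSL warning:"):
            a = ALERT.search(msg)
            if a:
                s.alerts.append(a.groups())
        elif msg.startswith("426 "):
            s.aborted = True
    return s


def diagnose(s: FtpsSession) -> str:
    if not s.control_tls:
        return "control_tls_failed"
    if not (s.aborted and s.alerts):
        return "no_data_channel_tls_failure"
    direction, _level, description = s.alerts[0]
    if description == "bad certificate":
        # OpenSSL logs "alert read" for an alert received from the peer and
        # "alert write" for an alert it sent itself.
        return ("client_rejected_data_cert" if direction == "read"
                else "server_rejected_client_cert")
    return "data_tls_failed_other"
```

On the quoted log the result is `client_rejected_data_cert`: the server received the alert, which matches the "Certificate rejected by Chain Verifier" error reported on the XI side once the data connection is also protected.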

  • Error in SOAP Receiver Adapter with HTTPS

    Dear All,
    I am developing a SOAP to SOAP scenario with HTTPS, i.e. client without authentication, and I am facing an issue with the receiver adapter. Few messages fail on the receiver side while the rest are successful.
    Error - Delivery of the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    Please let me know what can be the reason for the error.
    Thanks and Regards,
    Rana Brata De

    Hi Rana,
    Check the certificate sequence as well as the certificate end dates in STRUST in the SAP PI system. If deployed at NWA level, check over there.
    One more: when sending the data to a web server or web page, make sure which server PI is pointing to.
    Regards,
    Kesava.
