Certificate based authentication with sender SOAP adapter. Please help!

Hi Experts,
I have a scenario where first a .Net application makes a webservice call to XI via SOAP Adapter. Then the input from the .Net application is sent to the R/3 system via RFC adapter.
.Net ---> SOAP ---> XI ---> RFC ---> R/3 System
Now as per client requirement I have to implement certificate based authentication in the sender side for the webservice call. In this case the .Net application is the "client" and XI is the "server". In other words the client has to be authenticated by XI server. In order to accomplish this I have setup the security level in the SOAP sender channel as "HTTPS  with client authentication". Additionally I have assigned a .Net userid in the sender agreement under "Assigned users" tab.
I have also installed the SSL certificate in the client side. Then generated the public key and loaded it into the XI server's keystore.
When I test the webservice via SOAPUI tool I am always getting the "401 Unauthorized" error. However if I give the userid/password for XI login in the properties option in the SOAPUI tool then it works fine. But my understanding is that in certificate based authentication, the authentication should happen based on the certificate and hence there is no need for the user to enter userid/password. Is my understanding correct? How to exactly test  certificate based authentication?
Am I missing any steps for certificate based authentication?
Please help
Thanks
Gopal
Edited by: gopalkrishna baliga on Feb 5, 2008 10:51 AM

Hi!
Although soapUI is a very good SOAP testing tool, you can't test certificate based authentication with it. There is no way (as far as I know) to import a certificate into soapUI.
So, try to find another tool which can use certificates, or try it directly with the sender system.
Peter
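
A test client for the setup in this thread, as an added example that is not part of the original posts: it presents a client certificate during the TLS handshake and sends no user ID or password, so the result shows whether the certificate alone is accepted. The host, port, service and channel names and the PEM file names are placeholders; the URL form is the one quoted further down this page.

```python
"""Added example: call a SOAP sender channel with a TLS client certificate only."""
import http.client
import ssl
import sys
from urllib.parse import quote

# Constructed SOAP body; a real test uses the message from the channel's WSDL.
SAMPLE_ENVELOPE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><Ping/></soapenv:Body></soapenv:Envelope>"
)


def build_context(ca_file=None, cert_file=None, key_file=None):
    """TLS context that verifies the server and, if given, offers a client certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)  # checks server chain and hostname
    if cert_file:
        # Certificate and private key: the key signs part of the handshake, which is
        # what proves to the server that the caller owns the certificate.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def build_request(service, channel, envelope=SAMPLE_ENVELOPE):
    """Return (path, headers, body) using the adapter URL form quoted on this page."""
    path = "/XISOAPAdapter/MessageServlet?channel=:%s:%s" % (quote(service), quote(channel))
    # No Authorization header on purpose: the certificate must be the only credential,
    # otherwise a working Basic logon hides a broken certificate setup.
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'}
    return path, headers, envelope.encode("utf-8")


def interpret(status, www_authenticate):
    """Translate the HTTP result into the next thing to check."""
    if status == 401:
        scheme = (www_authenticate or "").split(" ")[0] or "none"
        return ("401: certificate not accepted as a logon (server offered: %s); check the "
                "certificate-to-user mapping and the trusted CA list" % scheme)
    if 200 <= status < 300:
        return "%d: request accepted without a password" % status
    return "%d: not an authentication failure, inspect the response body" % status


def call_channel(host, port, service, channel, ctx):
    """POST the envelope; a TLS failure raises ssl.SSLError before any HTTP status exists."""
    path, headers, body = build_request(service, channel)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder invocation: python mtls_test.py pi.example.com 50001 BS_DOTNET CC_SOAP_IN
    host, port, service, channel = sys.argv[1:5]
    ctx = build_context("server-ca.pem", "client-cert.pem", "client-key.pem")
    print(interpret(*call_channel(host, int(port), service, channel, ctx)))
```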

Similar Messages

  • Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

    Hello All,
    We are currently building up a HTTPS message exchange with an external client.
    Our PI 7.1 received over HTTPS messages on an already configured Sender SOAP Adapter.
    The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
    Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet" is required and works fine with user ID and password.
    Now we have to configure the additional Client Authentication.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
    But what are the next steps to get this scenario successfully in place?
    Many thanks in advance!
    Jochen

    Hi Colleagues,
    following Steps still have to be done:
    - Mapping public key to technical user at Java Stack
      As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management, for the respective technical user, the public key certificate
    - Be sure CA root certificate at Database under STRUSTSSO2
    - Import intermediate Certificate under Certificate List at Trust Manager for the Respective Server Note
    - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
    Many thanks to all for support!
    Regards,
    Jochen

  • How to use Basis Authentication in Sender SOAP Adapter

    We implemented one Sender SOAP Adapter and we had to implement the modified WEB.XML method to remove the security specification.  We have now asked the developer to correct this situation so we can remove this modification.  The Interface developer would like to use Basic Authentication. If you have an automated interface sending in a SOAP Message, how do you do Basic Authentication? 
    I've tried using:
    http://host:port/XISOAPAdapter/MessageServlet?channel=:<Service>:<Channel>&sap-user=xiappluser&sap-password=<Password>&sap-language=EN&sap-client=<Client>
    When I do this, I still get the Authentication Pop-Up Window.
    How does the Sending Interface either supply the ID and Password on the incoming SOAP Message or respond to the Authentication Pop-Up?
    Thanks,
    Anne

    By default the web service exposed by you will use Basic Authentication mode only.
    But the way you do Basic Authentication in the web client is platform dependent.
    This is not the way to do Basic authentication
    http://host:port/XISOAPAdapter/MessageServlet?channel=:<Service>:<Channel>&sap-user=xiappluser&sap-password=<Password>&sap-language=EN&sap-client=<Client>
    I am providing you a code snippet on how to Basic Authentication in Java when making the Web Service Call.
    If the client is on some other platform just look for the corresponding api.
    Please award points if you find this answer useful.
    Code Snippet
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.net.URLConnection;
    import java.nio.charset.StandardCharsets;
    import java.util.Base64;
    // endpoint, user and password are Strings supplied by the caller
    URL url = new URL(endpoint);
    URLConnection connection = url.openConnection();
    if (connection instanceof HttpURLConnection) {
        ((HttpURLConnection) connection).setRequestMethod("POST");
    }
    connection.setRequestProperty("Content-Type", "text/xml");
    connection.setDoOutput(true);
    // Basic authentication header: "Basic " + Base64(user:password)
    connection.setRequestProperty("Authorization", "Basic " + encode(user + ":" + password));
    connection.connect();
    Encode Method
    public static String encode(String source) {
        // java.util.Base64 (Java 8+) replaces the internal sun.misc.BASE64Encoder
        // and does not insert line breaks into long values
        return Base64.getEncoder().encodeToString(source.getBytes(StandardCharsets.UTF_8));
    }

  • X.509 certificate based authentication with load balancer

    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?

    Hi George,
    If you want the client's cert, the server has to ask for it and this
    implies two-way SSL. Normal one-way SSL the server provides the cert to
    the client and the client decides if it wants to continue the handshake.
    If the client is OK with the server certs and two-way SSL is configured
    on the server, then the server will request the client send its certs.
    If the client certs are OK, then the pipe is established.
    Concerning the load balancer I'm assuming it is simply providing a
    tunnel, but I don't have the experience to comment and it is something I
    would suggest that you seek guidance from our outstanding
    support team [1] or drop a note in the security newsgroup [2] for the
    experts to review.
    Regards,
    Bruce
    [1] http://support.bea.com
    [2] http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=xover&group=weblogic.developer.interest.security

  • Certificate based authentication with iOS Client

    Hello experts,
    I have a question regarding the certificate based authentication in SAP Mobile Documents. With the Android Client it is "easy" possible to use certificate based authentication by just sending the user certificate to the Android device (using mail, MDM or whatever).
    For the iOS App it is written that the user has to sync the certificate to the device using iTunes sync. Is this really the only possibility to bring the certificate to the iOS device so that the App can use it? I have successfully tested by adding the certificate using iTunes, but I cannot make it work using MDM to push the certificate to the device. SAP Mobile Documents just can't see the installed certificate.
    Am I doing something wrong here?
    Thanks for your help.
    Ernst

    Hi, I don't think this is supported on iOS right now. Something for future ....

  • Remove authentication in sender soap adapter pi 7.1

    Hello
    Did anyone manage to remove authentication in PI 7.1 sender soap adapter?
    I have updated file web.xml in the file com.sap.aii.adapter.soap.war
    and now I want to deploy it, but I don't have any sda in the folder
    thx
    Shai

    hi Shai,
    just something to try in case:
    you don't need any java parameters of SOAP sender
    you can try approach from Stefan:
    /people/stefan.grube/blog/2006/09/21/using-the-soap-inbound-channel-of-the-integration-engine
    and then:
    1. in SICF copy the engine service to a new one
    2. put the credentials for this new service inside SICF
    then you will have sender SOAP adapter without a password right?
    I didn't try it but I guess it would work without
    crashing the whole original SOAP sender adapter by
    making changes into web.xml
    Regards,
    Michal Krawczyk

  • Regarding authentication in sender soap adapter

    how to do basic authentication in case of sender side soap adapter

    Hi
    To do the Basic Authentication in the sender soap adapter u have to provide the user name and the password of ur XI server.
    Thanks
    Rinku

  • DPS attempting certificate based authentication with Directory Servers

    I'm running DPS 6.3 and DS 6.3.
    I have DPS configured to always connect to the directory servers over SSL. This is working, however, all of the Directory server error logs are showing certificate based bind attempts originating from the DPS. This results in err=32, since the certificate isn't stored in the ldap server. Anyone else seeing this type of behavior?
    I checked the DPS Security config, and under the "Certificate to use with Data Sources" I have it set to 'None'.
    Thanks.

    Hello,
    Certificate-based authentication cannot be proxied (it was designed to prevent man-in-the-middle attacks).
    When the proxy receives a certificate-based bind (SASL EXTERNAL authentication method), it first validates the client certificate (signature, validity, trust etc.), and maps the certificate identity (subject) onto an LDAP identity. This is done by doing some LDAP lookups against the directory server. Then, that LDAP identity is used for subsequent LDAP requests to the directory servers. As the password is not available, the proxy must be configured to contact the directory server using proxied authorization method or using fixed credentials (used in conjunction with ACIs set on the proxy).
    DPS 6.3 never uses the SASL/EXTERNAL (certificate-based) authentication method when it contacts directory servers.
    When SSL is used between the proxy and the server, the proxy may present its own certificate to the directory server (controlled by the DPS security property you mentioned). It is possible to check if DPS stashes its own certificate when it establishes an SSL channel to the directory server by using the ssltap tool [http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html]. If a certificate is passed, the No-Such-Object error you see might be generated during certificate validation by the directory server.
    Hope this helps
    -Sylvain

  • Certificate based authentication with SSL load balancer

    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?

    I think the simplest and most secure way is to have the servers configured for
    2-way ssl, since this would ensure that the certificate they receive and use for
    authentication has been validated during the ssl handshake. In this case the load
    balancer itself does not need to and cannot do the handshaking, and would need
    to pass the entire SSL connection through to the WLS server (ie: act similar to
    a router)
    Pavel.

  • How to use HTTPS with sender SOAP Adapter

    Hi,
    I am implementing a synchronous SOAP- proxy scenario and on the sender communication channel I have to use the Http Security Level as "HTTPS with client Authentication".
    Where from I get the certificates to be used in sender Agreement.
    Please give me a step by step approach to achieve this.
    Regards,
    Nitin

    Nitin,
    Kindly go through the below links ...
    http://help.sap.com/saphelp_nw04/helpdata/en/1f/7e2441509fa831e10000000a1550b0/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    Also, make a search on the SDN as this question has been answered many a times on the forum.
    Regards,
    Neetesh

  • Certificate based authentication with Anyconnect

    Dears,
    I successfully configured ASA to be used as VPN gateway with AnyConnect using certificates in authentication; my issue may be not related to Cisco directly.
    I am using a CA server installed on Windows 2008 R2; when I checked the issued certificates I found that the requester name of all certificates is "CAadmin".
    I need to differentiate between users' certificates using their domain users as requester name.
    Thanks,
    Ibrahim

    John,
    Reference the RFC for TLS (in this case 1.0)
    http://www.ietf.org/rfc/rfc2246.txt
    Server sends certificate_list and certificate request, containing certificate_authorities, which is the key info here.
    when client responds it can send a certificate
    Client certificates are sent
           using the Certificate structure defined in Section 7.4.2.
    same section describing server certificate.
    Server sends its certificate, certificate_list and list of acceptable signers of certificates it will accept (certificate_authorities), client responds with a (one) corresponding cert and certificate_list.
    If server has client's signer certificate I do not believe it needed a whole chain sent.
    Client still needs to send certificate list but can omit signing root.
    About CRL, you authenticate root and subCA, i.e. implicitly trust.
    AFAIR you only perform revocation check of certs you do not implicitly trust.
    (My PKI is a bit rusty, feel free to challenge)
    HTH,
    M.
    Message was edited by: Marcin Latosiewicz, re-read parts of RFC and adapted my answer.
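
The CertificateRequest exchange described in this answer, as an added example that is not part of the original post: it parses the TLS 1.0 message (RFC 2246, section 7.4.4) and picks a client certificate whose chain matches one of the advertised CAs. The sample message, the DNs and the certificate labels are constructed, and comparing DNs as strings is a simplification.

```python
import struct

OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign"}

def _tlv(data, pos):
    """Read one DER element; return (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length

def dn_to_string(der):
    """Render a DER Name as 'C=..,O=..,CN=..' (first attribute of each RDN)."""
    tag, rdns, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = _tlv(rdns, pos)          # SET
        _, atv, _ = _tlv(rdn, 0)               # SEQUENCE { OID, value }
        _, oid, after_oid = _tlv(atv, 0)
        _, value, _ = _tlv(atv, after_oid)
        parts.append("%s=%s" % (OIDS.get(oid, oid.hex()), value.decode("utf-8", "replace")))
    return ",".join(parts)

def parse_certificate_request(msg):
    """Return (certificate_types, certificate_authorities) from a handshake message."""
    if len(msg) < 4 or msg[0] != 13:           # 13 = certificate_request
        raise ValueError("not a CertificateRequest")
    size = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + size]
    if len(body) != size or size < 3:
        raise ValueError("truncated CertificateRequest")
    ntypes = body[0]
    types = [CERT_TYPES.get(t, str(t)) for t in body[1:1 + ntypes]]
    pos = 1 + ntypes
    (ca_len,) = struct.unpack_from("!H", body, pos)
    pos, end = pos + 2, pos + 2 + ca_len
    if end > len(body):
        raise ValueError("certificate_authorities overruns the message")
    cas = []
    while pos < end:                           # each entry: 2-byte length + DER Name
        (n,) = struct.unpack_from("!H", body, pos)
        cas.append(dn_to_string(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return types, cas

def pick_client_cert(cas, candidates):
    """candidates: {label: [issuer DNs along the chain]}; None means no cert is sent."""
    for label, issuers in candidates.items():
        # An empty CA list (allowed from TLS 1.1 on) means any certificate may be offered.
        if not cas or any(dn in cas for dn in issuers):
            return label
    return None

def _der(tag, value):
    return bytes([tag, len(value)]) + value    # short-form length; sample values < 128 bytes

def build_sample_request():
    """Constructed message: the server accepts rsa_sign certificates from one CA."""
    attrs = [(b"\x55\x04\x06", b"DE"), (b"\x55\x04\x0a", b"Example Corp"),
             (b"\x55\x04\x03", b"Example Issuing CA")]
    dn = _der(0x30, b"".join(_der(0x31, _der(0x30, _der(0x06, o) + _der(0x13, v)))
                             for o, v in attrs))
    cas = struct.pack("!H", len(dn)) + dn
    body = bytes([1, 1]) + struct.pack("!H", len(cas)) + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body
```

When `pick_client_cert` returns `None` the client has nothing to offer, which is the case to rule out first when a server answers a certificate logon with a password prompt.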

  • Authentication in Sender SOAP Adapter

    Hi experts,
    We have a scenario where EP sends SOAP Message to XI. We have created the WSDL from XI and it has been consumed by EP. When EP tries to send the SOAP Request to XI we get UnAuthorized Exception.
    Below is the Exception
    #1.5#001372E937FC00670000012000000D8C0004298100849F8B#1171533943519#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#CLASP#6953####18f1d310bcdc11db9500001372e937fc#SAPEngine_Application_Thread[impl:3]_29##0#0#Warning#1#/System/Server#Java###Call failed
    [EXCEPTION]
    #1#com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Problem in server response: [Unauthorized].
         at com.sap.engine.services.webservices.jaxm.soap.SOAPConnectionImpl.call(SOAPConnectionImpl.java:207)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPConnectionImpl.call(SOAPConnectionImpl.java:163)
         at com.sap.engine.services.webservices.jaxm.soap.SOAPConnectionImpl.call(SOAPConnectionImpl.java:325)
         at com.sapportals.portal.prt.service.soap.SOAPService.call(SOAPService.java:152)
         at com.sapportals.portal.prt.service.soap.PRTSOAPCall.invokeMethod(PRTSOAPCall.java:209)
         at service.XIUserCreateCall.IOS_UserCreate(XIUserCreateCall.java:168)
         at service.XIUserComp.doContent(XIUserComp.java:46)
    I tried to send the basic authentication details in my URL. But it didn't work.
    Pl. help me resolve this.

    HI,
    for XI EP
    Please see the below links so that you can have clear Idea..
    /people/saravanakumar.kuppusamy2/blog/2005/02/07/interfacing-to-xi-from-webdynpro
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webas/java/integrating%20web%20dynpro%20and%20sap%20xi%20using%20jaxb%20part%20ii.article
    Consuming XI Web Services using Web Dynpro – Part II-/people/riyaz.sayyad/blog/2006/05/08/consuming-xi-web-services-using-web-dynpro-150-part-ii
    Consuming XI Web Services using Web Dynpro – Part I -/people/riyaz.sayyad/blog/2006/05/07/consuming-xi-web-services-using-web-dynpro-150-part-i
    /people/sap.user72/blog/2005/09/15/creating-a-web-service-and-consuming-it-in-web-dynpro
    /people/sap.user72/blog/2005/09/15/connecting-to-xi-server-from-web-dynpro
    Regards
    Chilla..

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is can cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate.
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What i don't understand here is the need of WLC authenticating the user with his credentials by LDAP when it has authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external radius server you don't have to worry for this.
    The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer is only for Local Radius on WLC.
    Hope this helps
    Regards,
    Christos

  • OCSP Validation in Certificate-Based Authentication

    Hi,
    Has anybody done OCSP Validation in Certificate-Based Authentication ? If yes - then please describe how can we configure an OCSP responder for Certificate Validation?
    Regards,
    YK

    Hi,
    Thanx for all of ur replies :)
    I am now able to do lot of stuff using Identity Server :)
    My main target is to use Identity Server for certificate-based authentication by enabling OCSP validation.
    First I configured Web server to enable SSL and client authentication. Then I configured Identity Server and enabled the Certificate based authentication. I edited the certificate authentication properties and enabled the OCSP validation check. I provided the OCSP responder address and corresponding CA name in AMConfig.properties.
    Now I am testing this setup up as follows.
    1- I try to access the default index page by following URL
    https://identity-1.identity.com:58090/
    2- It asks for client certificate to choose from available certificates
    3- I select a certificate (issuer of this cert is configured for OCSP validation) and proceed
    4- Identity Server makes an OCSP request and sends it to my OCSP responder
    5- OCSP responder responds with revocation status 'good'
    6- Now I get the server certificate on browser
    7- I press OK and I see the index page of Identity Server
    I think it is working fine now :)
    Now if in step 3, I select a wrong certificate i.e. issuer of this certificate is not configured for OCSP validation then it shows the DNS Error Page. Why doesn't it show the proper authentication failed page of Identity Server? If I see the error log for the web server I see the following error:
    [03/Jun/2003:11:18:10] failure ( 1692): Error receiving connection (unable to map error number -8062)
    What does it mean ? Any ideas ?
    Regards,
    Yasir Khan

  • Sender SOAP Adapter problem in PI 7.1

    Hello Everyone,
    I have a problem with Sender SOAP Adapter
    In PI 7.0 I am able to receive the messages through sender SOAP Adapter for both HTTP and HTTPS. But when I am testing in PI 7.1 I am unable to receive any messages at Adapter level for both HTTP and HTTPS
    All sender legacy systems are getting different error messages like
    1. 400 HTTP Bad request.
    2. Invalid request.
    3. BAPI  error message
    Could any one please assist me in this problem.
    Thanks
    Vick

    Hi Vick,
    Try like this......in ID from your sender agreement in which you have your sender SOAP comm channel, from menu select Display WSDL and then copy the WSDL URL and give it to source applications to use it.............create a service user for them to access PI 7.1 server while sending the SOAP req msg.............
    your source applications may have to generate proxy from this WSDL URL in their application and then they can send a SOAP req msg to your PI 7.1 server............
    Regards,
    Rajeev Gupta
