Configuring use of client certificates for JAX web services
Hello dear people,
I have a very simple jax web service under glassfish v.2.1 and I want to secure it using mutual authentication. I could configure using server certificates but I have problems with configuring the server to ask client certificates. The problem is that the clients are not asked to provide a valid client certificate to use the service. The clients can easily use the service without having a certificate.
Can anyone tell me what should I do to have this?
I got the example code from http://java.net/projects/javaeetutorial/downloads and the sample code that I used is in the folder : javaeetutorial5/examples/jaxws/helloservice-clientcert
Best regards,
Arash.
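For the question above (clients reach the GlassFish service without presenting a certificate), the deployment descriptor is the first place to check. The following is an added example, not part of the thread or of the tutorial's code: it audits a web.xml for the settings that together make a servlet container demand a client certificate. The sample descriptors and the role name wsuser are constructed.

```python
"""Audit a Java EE web.xml for effective client-certificate authentication."""
import xml.etree.ElementTree as ET

# Constructed sample: TLS is enforced and CLIENT-CERT is declared, but the
# constraint has no auth-constraint, so nothing ever triggers authentication.
WEAK_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureHello</web-resource-name>
      <url-pattern>/hello</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>
"""

# Constructed sample: same descriptor plus an auth-constraint. "wsuser" is a
# hypothetical role; mapping it to certificate subjects is server-specific
# and is not checked here.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "</web-resource-collection>",
    "</web-resource-collection>\n"
    "    <auth-constraint><role-name>wsuser</role-name></auth-constraint>",
)


def _local(tag):
    """Drop the XML namespace so namespaced and plain descriptors both work."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in elem.iter() if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return a list of (url_patterns, finding); an empty list means no findings."""
    root = ET.fromstring(xml_text)
    findings = []

    methods = _texts(root, "auth-method")
    auth_method = methods[0] if methods else None
    if auth_method != "CLIENT-CERT":
        findings.append(("*", f"login-config auth-method is {auth_method!r}, "
                              "not 'CLIENT-CERT'"))

    constraints = _children(root, "security-constraint")
    if not constraints:
        findings.append(("*", "no security-constraint: no URL is protected"))

    for sc in constraints:
        patterns = tuple(_texts(sc, "url-pattern"))
        # Servlet rule: without an auth-constraint the container never
        # authenticates the caller, whatever login-config says.
        if not _children(sc, "auth-constraint"):
            findings.append((patterns, "no auth-constraint: callers are "
                                       "never asked to authenticate"))
        if _texts(sc, "transport-guarantee") != ["CONFIDENTIAL"]:
            findings.append((patterns, "transport-guarantee is not "
                                       "CONFIDENTIAL: TLS is not enforced"))
        listed = _texts(sc, "http-method")
        if listed:
            # A constraint that lists methods covers only those methods.
            findings.append((patterns, f"only {sorted(listed)} are covered; "
                                       "other HTTP methods are unconstrained"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name, audit_web_xml(doc) or "no findings")
```

A clean result only covers the descriptor; the HTTPS listener and the server's truststore still decide which client certificates are accepted.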
Did you resolve your issue?
I'm posting some comments that maybe can help newer administrators facing similar doubts.
I'm using NW PI 7.1 EHP1 also and some interfaces were developed for using an external site providing web services through SSL (HTTPS) connection.
As in browser navigation, secure sites protected with SSL have a certificate emitted by an international CA. We didn't perceive the "handshake" in most cases because normally the web browser has a group of trusted CAs loaded in its certificate store.
With SAP PI and its WAS Java a similar procedure occurs with a small difference. The WAS Java didn't have the trusted CAs loaded on KeyStorage. So, when the adapter tries to establish a connection with an HTTPS site (it is a background process), a "handshake" is required to accept the certificate and produces an error.
We complete the handshake by importing the entire certificate chain (you can upload the site's certificate to your browser and export it as a file) into the Keystore under the Trusted CAs view.
Hope this can help someone. It's an "easy" part of SSL communication.
Now I'm trying to configure the inverse: some third party consuming the PI web services using SSL. I have an additional component on inbound/incoming connections, which is the SAP Web Dispatcher.
Help.sap.com is the reference, but as always it's a little difficult to find the (sequential) path following the links (go ahead, go ahead, go ahead, go back, go back, go ahead)...
Regards,
Rodrigo Aoki
Similar Messages
-
We are using the Azure server for our web services. Server is generating an error "Unable to connect to the remote server". What does this error mean?
Hello,
Did you mean that you use the Windows Azure Virtual Machine DNS name as the server name in the Reporting Server Web Services URL?
For example:
Report server: http://uebi.cloudapp.net/reportserver
Report manager: http://uebi.cloudapp.net/reports
If you want to connect to Report Manager on the virtual machine from a remote computer, you should create a virtual machine TCP Endpoint and open the port in the virtual machine's firewall. By default, the report server listens for HTTP requests on port 80.
Reference: http://msdn.microsoft.com/en-us/library/jj992719.aspx#bkmk_ssrs_connect_2_remote_RM
Regards,
Fanny Liu
TechNet Community Support -
Hi,
Our company has a SAP Netweaver Enterprise Portal implementation.
Recently we have been asked to create a Web service from a Java class in SAP Netweaver using Netweaver Developer Studio. The connection to Web service must be an https connection.
In steps of web service's creation we saw that we have the option to create an https (secure soap) web service.
Can anyone tell us how we can create an https web service?
The portal server belongs to a Windows Active Directory Domain that has a Certification Authority from which we can request and take a certificate.
What is the configuration that we must do on server, so that we can call the web service using https?
Thanks in advance
Hi,
Check this URL:
Web Services Over SSL: http://www.pankaj-k.net/WSOverSSL/WSOverSSL-HOWTO.html
Regards,
Shyam. -
Can we use receiver enhancement feature for a web service scenario?
Hi Experts,
We have to send across an invoice to web service enabled legacy system from ECC.
ECC>ABAP Proxy>SAP PI>SOAP Adapter>Legacy System1
ECC>ABAP Proxy>SAP PI>SOAP Adapter>Legacy System2
Requirement is like if the invoice number starts with 1A, it should go to Legacy System1 & if the invoice number starts with 2A, it should go to Legacy System2.
Can we do it in one single scenario using receiver enhancement and if yes How?
Regards
Nidhi Kukreja
You can make use of the XPATH function starts-with(string1,string2) and customize your condition as shown in this blog:
/people/shabarish.vijayakumar/blog/2006/06/07/customise-your-xpath-expressions-in-receiver-determination
Update:
It can even be done without using any XPATH function.....just make use of the option Contains Pattern from the dropdown available for the Middle Operand....right operand will be 1A*
Regards,
Abhishek.
Edited by: abhishek salvi on Feb 3, 2010 1:00 PM -
Sending SSL Certificate to external Web service in BizTalk 2010
Hi,
We are facing issues in calling the external web service (SAP PI Web service) which is authenticated using the SSL self-signed certificates.
When BizTalk sends the request to SAP it fails with an HTTP 401 error, and in SAP PI the log says the calling application is not sending the client certificate. Please help us in sending the request to the external web service by signing with the client certificate.
Below are the details,
1. This is a 2-way SSL communication authenticating based on the client Certificate.
2. BizTalk server public key certificate is shared to SAP PI and using SAP PI certificate public key in biztalk
3. Configuration done at BizTalk as given below
   1. Created BizTalk Certificate using makecert command
   2. Client and Server Certificate Installation
      - Installed BizTalk Client Certificate in Certificates Store under
        a. Current User --> Personal (Private Key)
        b. Current User --> Trusted Root Certification Authorities (Public Key)
        c. Local Computer --> Personal (Private key)
        d. Local Computer --> Trusted Root Certification Authorities (Public Key)
        e. Current User --> Other People
      - Installed SAP Server Certificate in Certificates Store under
        a. Current User --> Trusted Root Certification Authorities
        b. Current User --> Trusted People
        c. Local Computer --> Trusted Root Certification Authorities
        d. Local Computer --> Trusted People
        e. Current User --> Other People
   3. BizTalk Status Solicit Response Send Port (used to call the SAP PI Web service) Configuration
      - Transport Type WCF-Custom
      - Binding BasicHttpbinding
        Security Mode : Transport
        Client Credential Type : Certificate
        Proxy Credential Type : None
        Realm : localhost
      • Message
        Client Credential Type : Certificate
      Client Credentials
      • Client Certificate
        findValue : CN=< Thumbprint >
        x509FindType : FindByThumbPrint
      • Server Certificate
        findValue : <Thumbprint>
        x509FindType : FindByThumbPrint
Hi All,
The reasons why the trigger from BizTalk is failing and the trigger from SoapUI is successful.
In SoapUI configuration we select the Private key of the client certificate and provide the password for the same.
In BizTalk we only have the option of selecting the certificate and we cannot provide the password. Below is the MSDN article for the same
In one of the sites, it's mentioned as below. Kindly let us know whether the below mentioned will work or not.
Organization Security Restrictions:
Each organization may have restrictions on using client certificates for security reasons. One such restriction is that when a user requests a client certificate, a password prompt is displayed. A client certificate can be used only if the correct password is provided. Because BizTalk Server uses services, and services cannot interact with dialog boxes, do not use client certificates requiring password validation.
To prevent the issue, configure the policy so no passwords are prompted when a certificate is used. This setting is enforced by the Group Policy Object (GPO) "System cryptography: Force strong key protection for user keys stored on the computer". If setting this policy, then the value should be set to "User input is not required when new keys are stored and used".
Kindly let us know whether the setting needs to be done in the system cryptography.
Thanks -
OWSM and Webservices -Define policies once for multiple web services
I thought that through using OWSM we had the possibility to use the same Policy Lines for multiple web services.
Mostly when web services are used/integrated within an application, the same rules need to be defined and I thought this requirement could be met when using OWSM.
But you need to define the policy requirements on each web service that's passing through a gateway or agent. Why isn't it supported to define policy lines one level higher to be able to use the same requirements for multiple web services?
Nathalie,
For this purpose OWSM allows you to use Template Policy Pipelines.
For individual services, you can then replace the pipeline with the Template.
But I have to agree with you here: the templating functions are rough on the edges, e.g. limited editing capabilities.
Hope this helps.
Best regards, Sjoerd -
Using Identity Management for Securing Web Services
My goal is to associate my services with an Oracle Internet Directory. I made some attempts to set up SAML authentication for the web services, but it didn't have the right outcome.
(My identity management server and OID is up and running and I have successfully made authentication modules for other web applications)
Here is what I did:
1. I wrote a simple java file, used jdeveloper tools to create and deploy it as a web service to OC4J. I associated an identity management server with this service through OC4J web tools as security provider.
2. I made a data control for the web service and put it in an ADF application . (client)
3. I deployed the client project(2) to OC4J.
I could use the web service through the page.
Then
I secured the webservice to expect SAML for authentication.
Surprisingly, the client could still communicate with the webservice, Why? Shouldn't it have rejected the request because of the problem in SAML token? (The proxy and the data control were not secured, and didn't provide any SAML tokens)
4. I added a login page to my client project (through ADF security wizard). It used identity management for authentication successfully. The login process completes and the web service data control is displayed.
5. I want the authentication information to be propagated through the page so that the web service receives the data and uses Identity Management.
I know I should add <property name="oracle.security.wss.propagate.identity" value ="true"/>
to one of the configuration files, but don't know where exactly.
Best Regards,
Farbod -
Using Web Dynpro authentication for a Web Service call
Hi all,
I want to develop a Web Dynpro that calls a Web Service running on the same Web AS (7.0). The Web Dynpro will be integrated in a Portal. The web service that has to be called is automatically generated when we create a guided procedure :
http://help.sap.com/saphelp_nw2004s/helpdata/en/44/44c59fd7c72e84e10000000a155369/frameset.htm
In my Web Dynpro, I imported the WSDL of this WS and created a model.
The first time I tried to call the WS in my Web Dynpro I got an authentication error :
Service call exception; nested exception is: com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://<myHostName>:50100/GPRuntimeFacadeWS/GPProcessExposing?style=document&pid=CA544E9B629A11DB91480017A48D672A&pver=0.5"
So I hard-coded an HTTP authentication :
model._setUser("myWASuser");
model._setPassword("myPassword");
And the Web Service call now works.
Now the next step is that the WS call is made by the user that runs the Web Dynpro. So I found this documentation :
http://help.sap.com/saphelp_nw04/helpdata/en/59/e8e95d1eba48dfa86ae91ad8816f5d/frameset.htm
It would resolve my authentication problem, AND the transport issue : at the moment the Web Service URL is stored in the Logical Port of the WD model, and at transport time, a rebuild of the WD project will be needed.
So I applied what is said in the doc : from the point of view of the Web Service consumer, I just had to add :
model._setHTTPDestinationName("STARTGP");
(where STARTGP is the name of the destination I created in the Visual Administrator with a "Logon Ticket" authentication.)
before the execute(), and I removed my hardcoded authentication.
Unfortunately, nothing changes... I still get a 401 authentication error.
Does anyone have an idea about this ? Or maybe a workaround ?
Thanks in advance for any suggestion.
Regards,
Julien
Hello Julien,
I have a scenario similar to yours: a client Web Dynpro application accessing EJB methods exposed as a web service. Those EJB methods call R3 RFCs. The client's requirement was to allow SSO through all the layers (Web Dynpro -> EJB WS -> RFC). The Web Dynpro and EJBs are deployed on the same WAS.
Solution:
1 - Create a RFC Destination on Visual Administration provide the R3 connection parameters and set the Authentication for "Current User (Logon Ticket)". Save your Destination;
2 - In your EJB Project open your Web Service Configuration, on the Security page, set:
Authentication Mechanism: HTTP Authentication
Basic (username/password)
Use SAP Logon Ticket
3 - In your EJB, implement the following code to create JCO Client for the RFC invocations:
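// ctx is a javax.naming.Context (for example, new InitialContext())
// Look up the destination service through JNDI
Object obj = ctx.lookup(DestinationService.JNDI_KEY);
DestinationService dstService = (DestinationService) obj;
// Fetch the RFC destination created in step 1
RFCDestination dst = (RFCDestination) dstService.getDestination("RFC", "<YOUR_RFC_DESTINATION_NAME>");
// Build the JCo client from the destination's connection properties
Properties jcoProperties = dst.getJCoProperties();
JCO.Client jcoClient = JCO.createClient(jcoProperties);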
4 - In your EAR Project, open your "application-j2ee-engine.xml" and add the References:
"tc/sec/destinations/service" as Service
"tc/sec/destinations/interface" as Interface.
5 - Create your EAR File and Deploy;
6 - Check if the web service now requires Authentication: go to http://<host>:<port>/index.html and click on Web Services Navigator. Test your Web Service. Your Web Service should require you to log in before executing the test;
7 - Go back to your Visual Administrator and create a HTTP Destination. Provide your WS URL (should be something like "http://<host>:<port>/<WS_NAME>/Config1?style=document"). Choose Authentication: Logon Ticket. Save your Destination;
8 - Go to your webdynpro project, import your WS Model. (If you have already created it, you have to delete it and import it again; refer to this blog on how to reimport WS Models: /people/bertram.ganz/blog/2005/10/10/how-to-reimport-web-service-models-in-web-dynpro-for-java);
9 - Open your model's Logical Ports node, go to the Security tab, and choose "Use SAP Logon Ticket";
10 - In your webdynpro code, before you call the ws invocation (should be something like that: <YOUR_NODE_DEFINITION>.modelObject().execute();), include the following line:
<YOUR_NODE_DEFINITION>.modelObject()._setHTTPDestinationName("<YOUR_HTTP_DESTINATION_NAME>");
11 - Save All Metadata and deploy your Webdynpro App. Test your results.
I hope it helps you, as the documentation on how to implement this scenario is scattered through the SDN and all the SAP help portal.
Best regards,
Paulo. -
Pros & Cons for consuming web services in ABAP using ABAP PROXY
Hi,
Other than performance, are there any other disadvantages, like security etc., for consuming web services in ABAP using ABAP proxy?
I would really appreciate it if someone could provide more details (pros and cons) regarding consuming web services, and I also want to know whether there is any other way to consume web services in ABAP.
Thanks.
"is there any other way to consume web services in ABAP"
You can use the cl_http_client class to make your program act as an HTTP client and post the SOAP message to the web service. This way you don't need to generate a proxy, but you should know the SOAP message format.
Regards
Raja -
Problem using WSDL from SAP in IBM's RAD for generating web service client
When importing a WSDL from the ABAP stack on a SAP 6.40 system into IBM's RAD tool for generating a web service client, there are errors with the SOAP fault classes that get generated. The WSDL declares the types for the faults with WebServiceName.RfcException and these have elements of name, text, and message. When the tools see this in the WSDL they generate classes that extend the Java exception class and this causes an error because the "message" name conflicts with the standard Java exception message. Has anyone else run into this problem? It seems like a basic problem many Java tools for generating web service client proxies would have because the SOAP faults get turned into Java exceptions. This name conflict of the Java exception with the WSDL fault definition means that code always needs to be adjusted and cannot simply use the classes that are generated from the WSDL. Anyone run across this or a similar problem in the Java environment using the SAP WSDL?
Aaron
Hi,
Hello again .
Have you tried your service using soapui ?
You can use your WSDL as input .
In order to eliminate eclipse problem try this service:(I just did)
http://www.oorsprong.org/websamples.countryinfo/CountryInfoService.wso?WSDL
Regards.
package main;

import java.io.FileInputStream;
import java.rmi.RemoteException;
import java.util.Properties;

import org.oorsprong.www.websamples_countryinfo.CountryInfoServiceSoapType;
import org.oorsprong.www.websamples_countryinfo.CountryInfoServiceSoapTypeProxy;
import org.oorsprong.www.websamples_countryinfo.TCountryCodeAndName;

public class Main {

    public static void main(String[] args) {
        try {
            // Load extra system properties (for example proxy settings) from properties.ini
            final Properties properties = new Properties();
            properties.load(new FileInputStream("properties.ini"));
            System.getProperties().putAll(properties);
        } catch (final Exception exception) {
            exception.printStackTrace();
        }
        new Main();
    }

    public Main() {
        try {
            // Call the service through the generated proxy and print every country name
            final CountryInfoServiceSoapType infoServiceSoapType = new CountryInfoServiceSoapTypeProxy();
            final TCountryCodeAndName[] tCountryCodeAndNames = infoServiceSoapType.listOfCountryNamesByName();
            for (final TCountryCodeAndName tCountryCodeAndName : tCountryCodeAndNames) {
                System.out.println(tCountryCodeAndName.getSName());
            }
        } catch (final RemoteException exception) {
            exception.printStackTrace();
        }
    }
}
-
I cannot use the right colors for a web image.
I cannot use the right colors for a web image. Photoshop CC keeps replacing colors because my colors are "out of color space for print" or something like that (I hope I translated it right - I work with PS Dutch version and this forum is only in English).
I am not interested in printing at all. I do not want any adaption for printing! I only want the right color on screen for a web image.
I changed the color settings many times, I created my image all over again, but Photoshop keeps replacing my vivid red by pale pink because of print colors.
Thanks for your help.
Use the sRGB color space, and in the color picker, when you see the warning, don't click on the warning to have it fix the issue, as that will change the color you want to use.
-
Details for 'Is Web service security available?'
Hi, I am working on an RFC to web service scenario. It's a secured web service, so I need to do SSL configuration.
In component monitoring..for the integration engine its in yellow...
Details for 'Is Web service security available?'
Communication error Proxy calls on the sender or receiver side are not permitted on the IS (client)
can any one please help me out..
Thanks
sriram
I have already installed certificates on the J2EE engine and I have given the parameters for keystore entry and keystore value. Still I have the same error.
In component monitoring
For integration engine
Details for 'Is Web service security available?'
Communication error Proxy calls on the sender or receiver side are not permitted on the IS (client)
In message monitoring
Audit Log for Message: f614df00-e9e0-11da-95ef-0004ac577b32
Time Stamp Status Description
2006-05-22 15:18:58 Success The message was successfully received by the messaging system. Profile: XI URL: http://saptst01:51000/MessagingSystem/receive/AFW/XI
2006-05-22 15:18:58 Success Using connection AFW. Trying to put the message into the request queue.
2006-05-22 15:18:58 Success Message successfully put into the queue.
2006-05-22 15:18:58 Success The message was successfully retrieved from the request queue.
2006-05-22 15:18:58 Success The message status set to DLNG.
2006-05-22 15:18:58 Success Delivering to channel: ZCH_VERISIGNPPGR
2006-05-22 15:18:58 Success SOAP: request message entering the adapter
2006-05-22 15:18:58 Success SOAP: call failed
2006-05-22 15:18:58 Error SOAP: error occured: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: illegal parameter
2006-05-22 15:18:58 Error Exception caught by adapter framework: Peer sent alert: Alert Fatal: illegal parameter
Can any one please help me out.
Thanks
sriram -
Best Practice for Securing Web Services in the BPEL Workflow
What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
They are all deployed on the same oracle application server.
Defining agent for each?
Gateway for all?
BPEL security extension?
The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
Regards
Farbod
It doesn't matter whether the service is invoked as part of your larger process or not; if it is performing any business-critical operation then it should be secured.
The idea of SOA / designing services is to have the services available so that they can be orchestrated as part of any other business process.
Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
If all the services are in one application server you can make the configuration/development environment a lot easier by securing them using the Gateway.
A typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
You can enforce rules at your network layer to allow access to the App server only from the Gateway.
When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
- The next BPEL developer in your project may not be aware of Security extensions
- Centralizing Security enforcement will make your development and security operations loosely coupled and addresses scalability.
Thanks
Ram -
Service Registry in Web Service Configuration
Hi
I have a unique problem
I am using NWDS
SAP NetWeaver Developer Studio
SAP Enhancement Package 1 for SAP NetWeaver Developer Studio 7.1 SP04 PAT0000
Build id: 200911281443
In NWDS when I go to Windows --> Preferences --> Destination Configuration --> Web Service Configuration --> and say CREATE in the Destination Type I can not see the option of Service Registry I can only see the option of WSDL and WSIL
and in the following doc
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e058a805-68b2-2b10-6a8b-fc570f1c37d1?quicklink=index&overridelayout=true
How to Browse an Enterprise Services Registry in Visual Composer.pdf
Page 13 they have shown a screenshot where it shows the Destination Type as Service Registry
Can anyone tell me please how can I get the option of having Service Registry in Web Service Configuration
I have also installed CE 7.1 EHP1 preview provided by SDN
I know its a unique problem but if someone can throw light on this it will be very helpful to all those who want to work on Enterprise Service Repository
Regards
JM
Hi John,
I think the screenshot is wrong.
You can use WSIL to configure the backend system.
The WSIL url for ABAP systems is http://[host]:[port]/sap/bc/srt/wsil?sap-client=[client_no]
Regards,
Christian -
Good books for java web services
hi.. i want to learn java web services. can anyone pls tell me the good books or material if any to start with. I have exp in core java.
http://www.soabook.com/ The Good Book for modern web service development in Java.
http://www.amazon.com/J2EE-Web-Services-SOAP-JAX-RPC/dp/0321146182 The Bible about all things web services.
Get them both, use the first to learn and the second as a reference.