Consumer-Proxy authentication via x.509 Certificate

Hi experts,
I want to consume a service from an ERP system and authenticate via x.509 SSL Certificate. But in soamanager there is no checkbox for this authentication method when I create the logical port. Only “User Id / password” and “SAP authentication Assertion Ticket” are existing under consumer security. Has someone any idea / hint? I have no idea how I can solve the problem…

The Basis Team installed the x.509 client certificate.
The logon to a service which is running on SAP ECC 6.0 works via SSL and Client Certificate. (Configuration in SOAMANAGER
     Provider Security -> Transport Guarantee Type: Https
     HTTP Authentication: x.509 SSL Client Certificate via Https)
But the authentication to a consumer proxy from SAP to a legacy system only works via http and username / password at the moment
In SOAMANAGER -> Logical Port -> Consumer Security there is no opportunity for SSL or Client certificate. There are only the two opportunities:
     User ID / Password
     SAP Authentication Assertion Ticket
In SOAMANAGER -> Logical Port -> Transport Settings: there is an opportunity to select Https. Is this selection enough for x.509 Client Certificate and SSL?
Someone an idea how to configure a consumer proxy (SAP ECC 6.0) for certificate authentication?

Similar Messages

  • RUNNING PROXY CLIENT FOR X.509 CERTIFICATE WEB SERVICE THROWS SOAPFAULTEXCE

    Hi all!
    I have a problem on securing my web service.
    It's written: "Policy requires confidentialityenc key : 0"
    I found a few information here:
    https://metalink2.oracle.com/metalink/plsql/f?p=130:15:9796228426720331207::::p15_database_id,p15_docid,p15_show_header,p15_show_help,p15_black_frame,p15_font:BUG,7260434,1,1,1,helvetica
    Is it a bug? Please advise.

    Hi Talimeren,
    when you want to use certificates you have to setup SSL which you've started already. You have to get and import a server certificate which authenticates the server while the client creates a SSL connection. The cert has to be assigned to the SSL port. For NW04 you can find the guide here http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
    If you want client authentication by certificates as well you have to import at least one root certificate from a certificate authority (CA) which you trust and by which all user certificates are signed.
    SAP delivers the IAIK library for WebAS security, but this depends on your WebAS version and installation. I suggest you setup SSL and try to make a connection. If the connection can be made, the security library should be there.
    HTH
    Daniel
    Message was edited by: Correct Link
            Daniel Sass

  • ABAP SE37 Web Service and x.509 certificate

    ECC 7.01 EPH 1
    I have created a Web Service from an ABAP function module. I then created a service using SOAMANAGER and have configured it and tested it using Web Navigator. This WS uses no authentication or username/password.  It also works being consumed from a non-SAP server/application.
    I want to have another non-SAP server and application use this WS. Currently the non-SAP  can consume it passing the user/password.
    I now want to have the WS consumed using x.509 certs.
    I have tried multiple methods with no success.
    On the server I have imported using STRUSTS
    Maintain the server's SSL server PSE.
    Use the trust manager (transaction STRUST) and import the issuing CA's root certificate into this PSE's certificate list.
    Created Web Service communication user, technical type with security roles --> zwebserviceuser
    Created entries in table USREXTID using transaction SM30, view VUSREXTID
    external type = DN
    imported non-SAP server cert into external id
    user = zwebserviceuser
    activated
    The ICM to request a client X.509 certificate. (check icm/HTTPS/verify_client profile parameter) was already configured
    I choose the appropriate security profile for your ABAP web service --> security HIGH
    I choose in SOAMANAGER http authentication and x.509 certificate
    The NON-SAP Server/application is calling the SAP WEBservice and sends the "certificate"
    The RunTime error is
    The request failed with HTTP status 401: Unauthorized.
    Any Help would be appreciated
    thank you,
    Sarah

    Take a kind look on SAP note 495911 to analyse ABAP logon errors.
    Most likely you have forgotten to add the root certificate of the CA which has issued the SSL client certificate (of the WS consumer) to the certificate list of the SSL server PSE (of the NWAS ABAP, acting as WS provider). In that case the SSL handshake will be incomplete: the SSL client certificate will not be requested by NWAS ABAP and thus no SSL client certificate will be sent by the WS consumer. That's why no credentials are there resulting in the 401 error.
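
An added example, not part of the original thread or of SAP's tooling: the reply above ties the 401 to the certificate list of the SSL server PSE, and the CA names a server advertises for client certificates are visible from the consumer side in `openssl s_client` output. The Python below parses a captured excerpt of that output and checks whether the client certificate's issuer is among the advertised names; the sample output and every DN in it are constructed.

```python
import re

# Constructed sample: excerpt of `openssl s_client -connect <host>:<port>` output
# in the DN style printed by OpenSSL 1.1 and later. All DNs are made up.
SAMPLE_WITH_CAS = """\
---
Acceptable client certificate CA names
C = DE, O = Example Corp, CN = Example Internal Root CA
C = DE, O = Example Corp, CN = Example Partner CA
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 3021 bytes and written 412 bytes
"""

# Constructed sample: the server advertised no CA names at all.
SAMPLE_NO_CAS = """\
---
No client certificate CA names sent
---
SSL handshake has read 1890 bytes and written 398 bytes
"""

# Lines that end the CA name list in s_client output.
_SECTION_END = (
    "---",
    "Client Certificate Types:",
    "Requested Signature Algorithms:",
    "Shared Requested Signature Algorithms:",
    "Peer signing digest:",
    "Server Temp Key:",
)


def normalize_dn(dn):
    """Turn '/C=DE/O=X/CN=Y' or 'C = DE, O = X, CN = Y' into a comparable tuple.

    Simplification (assumption of this example): values are compared
    case-insensitively and must not themselves contain '/X=' or ', X=' sequences.
    """
    dn = re.sub(r"^issuer\s*=\s*", "", dn.strip())
    if dn.startswith("/"):
        parts = re.split(r"/(?=[A-Za-z0-9.]+=)", dn[1:])
    else:
        parts = re.split(r",\s*(?=[A-Za-z0-9.]+\s*=)", dn)
    rdns = []
    for part in parts:
        key, _, value = part.partition("=")
        rdns.append((key.strip().upper(), value.strip().casefold()))
    return tuple(rdns)


def advertised_ca_names(s_client_output):
    """Return the advertised CA DNs, [] if none were sent, None if not reported."""
    names, collecting = [], False
    for raw in s_client_output.splitlines():
        line = raw.strip()
        if line == "Acceptable client certificate CA names":
            collecting = True
        elif collecting:
            if not line or line.startswith(_SECTION_END):
                return names
            names.append(normalize_dn(line))
        elif line == "No client certificate CA names sent":
            return []
    return names if collecting else None


def diagnose(s_client_output, client_cert_issuer):
    """Classify the handshake excerpt against the client certificate's issuer DN."""
    names = advertised_ca_names(s_client_output)
    if names is None:
        return "unknown"          # excerpt does not contain the CA name section
    if not names:
        return "no_ca_names"      # server advertised no acceptable CAs
    if normalize_dn(client_cert_issuer) in names:
        return "issuer_listed"    # trust list contains the issuing CA
    return "issuer_missing"       # issuing CA absent from the advertised list


if __name__ == "__main__":
    # Issuer string as printed by `openssl x509 -noout -issuer` (older DN style).
    issuer = "issuer=/C=DE/O=Example Corp/CN=Example Partner CA"
    print(diagnose(SAMPLE_WITH_CAS, issuer))
    print(diagnose(SAMPLE_NO_CAS, issuer))
```

`issuer_missing` matches the situation the reply describes; with `issuer_listed` the trust list is not the cause, and the certificate-to-user mapping (USREXTID in the question) is the next thing to check.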

  • TopLink Proxy authentication issue

    Hello all,
    I tried to use proxy authentication for TopLink for connecting to a database via TopLink in a J2EE application deployed on an Oracle iAS 10.1.2. For doing that, I tried to follow the steps described in the TopLink documentation (http://www.oracle.com/technology/products/ias/toplink/doc/1013/main/_html/dblgcfg008.htm#BABDABCF) with the last scenario, "Server Session uses Proxy Connection".
    According to the previously mentioned documentation, I created a session event handler for the preLoginEvent session event, the preLogin(SessionEvent event) method that I copied below.
    The issue with this is that, when I try to run a TopLink query in a Java DAO class, I obtained some exceptions. There are two cases here:
    1-If the code preLogin(SessionEvent event) is exactly as below, it seems that the queried views/tables cannot be seen. The exception obtained is:
    Exception [TOPLINK-4002] (Oracle TopLink - 10g Release 3 (10.1.3.0.0) (Build 060118)): oracle.toplink.exceptions.DatabaseException
    Internal Exception: java.sql.SQLException: ORA-00942: table or view does not exist
    Error Code: 942
    Call:SELECT count(*) FROM CIFHUB.SCQA_TEMPLATE
    Query:DataReadQuery()
    at oracle.toplink.exceptions.DatabaseException.sqlException(DatabaseException.java:290)
    at oracle.toplink.internal.databaseaccess.DatabaseAccessor.basicExecuteCall(DatabaseAccessor.java:570)
    at oracle.toplink.internal.databaseaccess.DatabaseAccessor.executeCall(DatabaseAccessor.java:442)
    at oracle.toplink.threetier.ServerSession.executeCall(ServerSession.java:453)
    at oracle.toplink.internal.queryframework.DatasourceCallQueryMechanism.executeCall(DatasourceCallQueryMechanism.java:117)
    at oracle.toplink.internal.queryframework.DatasourceCallQueryMechanism.executeCall(DatasourceCallQueryMechanism.java:103)
    at oracle.toplink.internal.queryframework.DatasourceCallQueryMechanism.executeSelectCall(DatasourceCallQueryMechanism.java:174)
    at oracle.toplink.internal.queryframework.DatasourceCallQueryMechanism.executeSelect(DatasourceCallQueryMechanism.java:156)
    at oracle.toplink.queryframework.DataReadQuery.executeNonCursor(DataReadQuery.java:118)
    at oracle.toplink.queryframework.DataReadQuery.executeDatabaseQuery(DataReadQuery.java:110)
    at oracle.toplink.queryframework.DatabaseQuery.execute(DatabaseQuery.java:603)
    at oracle.toplink.queryframework.DataReadQuery.execute(DataReadQuery.java:96)
    at oracle.toplink.publicinterface.Session.internalExecuteQuery(Session.java:2062)
    at oracle.toplink.publicinterface.Session.executeQuery(Session.java:981)
    at oracle.toplink.publicinterface.Session.executeQuery(Session.java:938)
    at oracle.toplink.publicinterface.Session.executeSelectingCall(Session.java:1027)
    at oracle.service.infra.myservlet.ACSProxyTestServlet.callTopLinkQuery3(ACSProxyTestServlet.java:138)
    at oracle.service.infra.myservlet.ACSProxyTestServlet.doGet(ACSProxyTestServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
    at oracle.service.infra.servlets.SecurityFilter.doFilter(SecurityFilter.java:105)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:663)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
    at java.lang.Thread.run(Thread.java:534)
    2 - If in the preLogin(SessionEvent event) code, the line login.setProperty("proxytype", Integer.toString(OracleConnection.PROXYTYPE_USER_NAME)); is uncommented, then another exception is obtained. In this case another exception is obtained: an Invalid User/Password exception is thrown. If I comment this line, the login is successful, but I obtain the exception at section 1.
    I have to tell you in both cases the parameters of the Data source are properly set. I tested the datasource in another servlet where I created directly the connection based on the same datasource taken from the application server's JNDI.
    Do you have any hint or idea about this issue?
    Thanks a lot in advance!
    Regards,
    Marinel
    public void preLogin(SessionEvent event)
    {
        DatabaseLogin login = event.getSession().getLogin();
        // Make sure that external connection pooling is used
        login.setUsesExternalConnectionPooling(true);
        // Custom code to get the connector
        try
        {
            login.setConnector(new OracleJDBC10_1_0_2ProxyConnector("jdbc/acs_proxyDS"));
        } catch (Exception ex)
        {
            ex.printStackTrace();
        }
        // End of custom code to get connector
        // login.setProperty("proxytype", Integer.toString(OracleConnection.PROXYTYPE_USER_NAME));
        login.setProperty(OracleConnection.PROXY_USER_NAME, "[email protected]");
        login.setProperty(OracleConnection.PROXY_DISTINGUISHED_NAME, "cn=my_name,l=emea,dc=oracle,dc=com");
        String[] roles = new String[1];
        roles[0] = "Manager";
        login.setProperty(OracleConnection.PROXY_ROLES, roles);
    }

    Hi, I am also working on proxy authentication and am having the same problem as Marinel.
    If I use a normal jdbc proxy connection, I can access the table just fine, and using a direct Toplink connection works fine. However, when I try and use proxy authentication via Toplink, I do not have permissions on the table.
    From your last update, it seems that if I want to use DISTINGUISHED NAME authentication, I should set "proxytype" to OracleConnection.PROXYTYPE_DISTINGUISHED_NAME, and set OracleConnection.PROXY_DISTINGUISHED_NAME to the full user distinguished name.
    I have temporarily altered my preLogin Event as below to show these two scenarios, to access the table via normal jdbc proxy connection (and this part works), and then below that I try and set up the Toplink proxy session (which fails).
    public void preLogin(SessionEvent event) {
        DatabaseLogin login = event.getSession().getLogin();
        // Make sure that external connection pooling is used
        login.setUsesExternalConnectionPooling(true);
        String urlThin =
            "<jdbc_url>";
        OracleDataSource ds;
        OracleConnection oc = null;
        try {
            // Part 1 - Setup and access the PROXYDUMMY1 table using jdbc proxy sessions
            DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
            ds = new OracleDataSource();
            ds.setURL(urlThin);
            Properties props = new java.util.Properties();
            props.put(OracleConnection.PROXY_DISTINGUISHED_NAME,
                "cn=firstname_lastname,l=emea,dc=oracle,dc=com");
            props.put("proxytype", OracleConnection.PROXYTYPE_DISTINGUISHED_NAME);
            ds.setUser("database_account");
            ds.setPassword("database_password");
            oc = (OracleConnection)ds.getConnection();
            oc.openProxySession(OracleConnection.PROXYTYPE_DISTINGUISHED_NAME, props);
            String sql = " SELECT COL1, COL2 FROM PROXYDUMMY1";
            Statement stmt = oc.createStatement();
            ResultSet rSet = stmt.executeQuery(sql);
            System.out.println("==============User requested data=================");
            while ( rSet.next() )
                System.out.println(rSet.getString(1));
            rSet.close();
            stmt.close();
            // Part 2 - set up the proxy session for use by Toplink
            login.setConnector(new OracleJDBC10_1_0_2ProxyConnector(ds));
            login.setProperties(props);
        } catch (Exception e) {
            System.out.println("Exception: ProxyConnection.getConnection: "+e.getMessage());
            e.printStackTrace();
        }
    }

  • Consuming WS using X.509 certificate not working after NetWeaver 7.02 SP08

    Hi
    For more than two years we have had a solution that consumes web services over HTTPS using an X.509 certificate for authentication. Now, after upgrading to NetWeaver 7.02 SP08, the web services no longer work.
    Today, roughly a week after the upgrade, all the logical ports have been set by the system to an Inconsistent state, and have been renamed with a prefix of ERROR.
    When I try to re-create the logical ports I cannot assign the correct PSE file from STRUST to the newly created Logical Port. Previously, we would go into SM59 and set the SSL Certificate to the PSE containing the client and root certificates. But that option is apparently no longer available, see DUETE - Logical Port for OBAfielReciever. 
    I have been able to get the HTTPS communication to work again by copying the SSL certificate of the service provider into the PSE ANONYMOUS. But I cannot get the soamanager to use the client certificate, so I always get a "HTTP Code 403  : Client Authentication Error" back when consuming the web service.
    Any pointers on how to attach the PSE to the logical port would be appreciated.
    Best regards,
    Bo

    Still no ideas ?

  • Import X.509 certificate via LDAP

    Hello,
    I have an iPad running iOS 5 and I'd like to know if it's possible to import people's X.509 certificates via LDAP. I have my corporate LDAP set up in Settings>Mail, Contacts  and I can search for people fine. The LDAP also has X.509 certificates that I'd like to use for encryption when sending emails from the iPad.
    regards,
    Tex

    I think if you select security profile in the channel then you can do sign and verify the certificate in the receiver agreement. That is only for Security parameters. For just configure certificate authentication,  you will not see anything in the receiver agreement.

  • WWSAPI - Cannot connect to web service via SSL and HTTP proxy authentication with NTLM, errorCode 0x803d0016, HTTP status 407

    Hi,
    I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
    0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
    In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection is closed. Comparing this to Internet Explorer - the Connection is not closed and
    a second request with NTLMSSP_AUTH is sent.
    Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
    I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
    Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
    WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
    Any idea?
    Thanks

  • Safari, Proxy Authentication, and Certificate Authorities ( for https )

    A recent update to Safari has caused it to not work with our proxy authentication.  It will not provide authentication details when looking up SSL certificate authorities, causing certificate errors on all https:// websites. All other traffic (http, https if certificate is bypassed, plugins, etc.) seem to work just fine. Is anyone else having this problem?  If so, is there a fix?
    It occurs on Mac and PC.  I am using SquidGuard with NTLM authentication.  All other browsers on our system (IE x.x, FireFox, Chrome, Opera ) don't have this issue.

    I have the same problem and it's frustrating as can be.
    What happens to me is that When I bring my laptop to work, and put it on the work network and launch Safari, Safari informs me that each of my plugins is invalid and then uninstalls them - I'm effectively not able to use any plug ins at work, and I have to go hunt them down when I get back home (for reference, The extensions are still physically in \users\me\Library\Safari\Extensions - so when I get home I can just double click on all of them)
    I opened a case with apple and I encourage you to do the same. Perhaps if enough users complain they will find a gentler way to work with it.
    They had me do a capture and after analyzing it said it was an issue with the work network and not being able to validate the extensions.
    It sounds like the same issue you have - as my work network uses a proxy as well.
    The rep suggested that I use a different browser at work, but I'm so used to clicking safari, that I do it out of habit.
    I really like Safari, and hope they get it fixed - Safari may not get respect in the windows world, but it's really a great browser - especially on a laptop where screen real estate is limited (where I often hit command-shift-\ to hide the address bar to see more of the page)
    -Jack

  • Web service Security using X.509 certificate

    Hi All,
    I have a web service deployed on the SAP Web AS J2EE.
    I want to include Authentication option in my web service
    I have configured the settings for using X.509 certificate(HTTPS) in my
    web service configuration and similarly I've configured my client proxy
    for the same.
    My question is..... from where do I get the X.509 certificate?
    actually I have the .crt and .der files, which I created from
    the visual administrator.
    And also do I need to install anything on my SAP server
    in order to use the authentication service? (Any prerequisite)
    Thanks,
    Talimeren

    Hi Talimeren,
    when you want to use certificates you have to setup SSL which you've started already. You have to get and import a server certificate which authenticates the server while the client creates a SSL connection. The cert has to be assigned to the SSL port. For NW04 you can find the guide here http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
    If you want client authentication by certificates as well you have to import at least one root certificate from a certificate authority (CA) which you trust and by which all user certificates are signed.
    SAP delivers the IAIK library for WebAS security, but this depends on your WebAS version and installation. I suggest you setup SSL and try to make a connection. If the connection can be made, the security library should be there.
    HTH
    Daniel
    Message was edited by: Correct Link
            Daniel Sass

  • Failed Calling A X.509 Certificate Secured Web Service From OSB

    Hi,
    I have wsdl resource, business service and proxy service setup in OSB 11.1.1.6 on Linux. The business service will consume a X.509 certificate secured web service running on a remote server.
    Below is my approach:
    The consumer of the proxy service of OSB signs its SOAP request header.
    My OSB proxy service authenticates the signature and forward the request to business service.
    The business service signs the outbound soap request header. (To do this I configured the keystore in Security Provider Configuration of my SOA_domain in Enterprise Manager. Also I applied Web Service Policy of Service Client type to the business service.)
    This is not working yet. Not sure if my approach is correct or not?
    Thank you,
    Eric

    I validated the keystore, all the certificates used and the value for keystore.sig.csf.key / value for keystore.recipient.alias. They are all as expected. Restarted the server. Still failed for OSB to invoke the remote secured web service, but worked if only use soapUI to invoke the same remote secured web service directly.
    The error message is:
    General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption)
    In the soap request / response message shown in the OSB Test Console, there seems to be two signature sections in the header and encryption section although I tried not to encrypt the soap request. I am using Web Service Client Policy "calpers/wss11_x509_token_with_message_integrity_client_policy_osb" which was created based on "oracle/wss11_x509_token_with_message_protection_client_policy". The difference between the two policies is my policy not to sign nor to encrypt entire body.
    In the "Message Signing Setting" section, I unchecked the "Include Entire Body" and left the three default namespaces under the Header Elements.
    In the "Message Encrypt Setting" section, I unchecked the "Include Entire Body" and also left the one default namespace under the Header Elements.
    I don't know how to attach document here, so I add long SOAP message here.
         Business Service Testing - BookSec_Biz_Svc_52
         Request Document
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    </soap:Header>
    <soapenv:Body>
    <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
    <book:bookId>10</book:bookId>
    <book:bookTitle>eric</book:bookTitle>
    <book:bookAuthor>Z</book:bookAuthor>
    </book:BookRequest>
    </soapenv:Body>
    </soapenv:Envelope>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsu:Timestamp wsu:Id="Timestamp-eEud1RcUOPcnV0fDqd6gZQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsu:Created>2013-03-14T18:10:00Z</wsu:Created>
    <wsu:Expires>2013-03-14T18:15:00Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-VnzMtSwHMI8THKi2hhG2SQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    </wsse:BinarySecurityToken>
    <dsig:Signature Id="XSIG-oISn2AADumTdR86sONuz8g22" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <dsig:Reference URI="#Timestamp-eEud1RcUOPcnV0fDqd6gZQ22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>3LQ1IpQR3rKHvP6Ov/m9ZRoecZM=</dsig:DigestValue>
    </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>X2BUn9TLL26Ay9A3HGEn/mnGCCE=</dsig:SignatureValue>
    <dsig:KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#EK-h7saqC1VyBKZw2n1IHz8GQ22" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
    </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    </dsig:Signature>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dsig:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>dau9qjB2lxIvlaoDIHuWVHqjulI=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#STR-QC3ZDBRwsXv8unEWVns9rQ22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
    <wsse:TransformationParameters>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </wsse:TransformationParameters>
    </dsig:Transform>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>nPO9mKSC9cMg2fEkGZI+ujy5O1Q=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#XSIG-oISn2AADumTdR86sONuz8g22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>qXkW/ZFFNc8Bu0VL9eF6c4np7IA=</dsig:DigestValue>
    </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>
    MuHCTh5cW8TiVKtkWFl+Of2EFAiHwuPTR7J9b4/n2KZtPy2OCrgi1lBpuzhFKLhoBxYNOK8TMOa/3b223Vv+CQUfUP7z0YVj5Ck7QETYngaQlS07KulnstJjsAgHBV8Zk3A0EafuWF2c3t5wBzEkgEC99v0EdY3mRiCzt7vh2qs=
    </dsig:SignatureValue>
    <dsig:KeyInfo Id="KeyInfo-0LT1QavoIVXOHesZfrxTwg22">
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    </dsig:Signature>
    <xenc:EncryptedKey Id="EK-h7saqC1VyBKZw2n1IHz8GQ22" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
    </xenc:EncryptionMethod>
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference wsu:Id="STR-QC3ZDBRwsXv8unEWVns9rQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">q9Z9yPxvNw4CvSLQNI4rxVlSF+w=</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    <xenc:CipherData>
    <xenc:CipherValue xmime:contentType="application/octet-stream" xmlns:xmime="http://www.w3.org/2005/05/xmlmime">
    Tgdhxy6wMJBBrw23iq1GLCm0TYKBXSVQvBcN+7TXdXL6FPSjhcbfXqtoz7wzirbSwUZuu+DrYuWs
    0BjRXqw3auUSCMlkm4IoT1ag3wFQQ/PEbB8HNlYhW3gp/At3toTw+k5p9wOUd4BMFAiXyeHQ8+dQ
    8JUiohXhiHErTDn6fFQ=
    </xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedKey>
    </wsse:Security>
    </soap:Header>
    <soapenv:Body>
    <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
    <book:bookId>10</book:bookId>
    <book:bookTitle>eric</book:bookTitle>
    <book:bookAuthor>Z</book:bookAuthor>
    </book:BookRequest>
    </soapenv:Body>
    </soapenv:Envelope>
         Response Document
    The invocation resulted in an error: Internal Server Error.
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <soapenv:Fault>
    <faultcode>soapenv:Client</faultcode>
    <faultstring xmlns:lang="en">
    General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption) </faultstring>
    </soapenv:Fault>
    </soapenv:Body>
    </soapenv:Envelope>
         Response Metadata
    <con:metadata xmlns:con="http://www.bea.com/wli/sb/test/config">
    <tran:headers xsi:type="http:HttpResponseHeaders" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <tran:user-header name="Accept" value="text/xml"/>
    <tran:user-header name="Expires" value="Thu, 14 Mar 2013 18:10:01 GMT"/>
    <tran:user-header name="SOAPAction" value="&quot;&quot;"/>
    <http:Cache-Control>max-age=0</http:Cache-Control>
    <http:Connection>close</http:Connection>
    <http:Content-Type>text/xml; charset=UTF-8</http:Content-Type>
    <http:Date>Thu, 14 Mar 2013 18:10:01 GMT</http:Date>
    <http:Server>Apache</http:Server>
    <http:Transfer-Encoding>chunked</http:Transfer-Encoding>
    </tran:headers>
    <tran:response-code xmlns:tran="http://www.bea.com/wli/sb/transports">2</tran:response-code>
    <tran:response-message xmlns:tran="http://www.bea.com/wli/sb/transports">Internal Server Error</tran:response-message>
    <tran:encoding xmlns:tran="http://www.bea.com/wli/sb/transports">UTF-8</tran:encoding>
    <http:http-response-code xmlns:http="http://www.bea.com/wli/sb/transports/http">500</http:http-response-code>
    </con:metadata>

  • Extracting X.509 certificate information from OSB/OWSM

    Hello everyone,
    I'm using SOA suite 11gR1 and I'm creating a proxy service with an OWSM policy ( oracle/wss11_x509_token_with_message_protection_service_policy ) . I'd like to know how to extract the certificate details from the incoming message so my Web Services can access them with something like the WebServicesContext interface.
    Thanks !

    I am working on this same scenario as well (and agree that OWSM documentation is incomplete for this important use case). Vikas Jain provides some further explanation of Verify Signature in a blog entry: http://ws-security.blogspot.com/2007/06/faq-owsm-1013-what-is-use-of-cerificate.html . Essentially he clarifies that the Verify Signature policy step is doing two different functions: 1) validating the signature using the public cert passed in the request, 2) validating that said public cert is actually trusted by the server (directly or through a trusted CA).
    Unfortunately, even with this assistance, I have yet to get OWSM to work correctly using the X.509 certificate token profile for authentication purposes. OWSS does work for me but the desire is to externalize this security function to OWSM (outside of the service container).
    Any information you find out would be appreciated.
    Todd

  • How to create Consumer Proxy in SAP ME SDK?

    Hi,
    I'm working with an ME 6.0 release and since I need to set some settings for a webservice and that is only possible via a consumer proxy, my question would be: How do I create a consumer proxy for an external webservice that I want to call in the SDK?
    I have no problems creating webservices in ME SDK but I don't know how to transform them so that they are consumer proxies. Can anyone point me in the right direction?
    Regards,
    David Strohmayer

    Please do check the thread mentioned below if it is of any help.
    Re: SOAP to PROXY (Synchronous)
    Rg,
    Harshit

  • Consumer proxy to PI

    Hi,
    We have a consumer proxy that was created with class interfaces in ABAP. This did not follow the traditional message interface from ESR. The integration of this consumer proxy is through PI to a .net Webservice through SOAP adapter. Since the consumer proxy is created using ABAP class interfaces, the logical port needs to be set up using SOA manager. But the SOA manager needs a WSDL URL to be filled in the definition of the logical port. I am aware that for proxy objects in SPROXY the WSDL is available, but how is the WSDL URL derived for proxies created from ABAP? Or does the WSDL URL need to be the same as the receiver WSDL URL? I am a bit confused here. I am trying to do a simple consumer proxy->PI->SOAP scenario.
    Teresa

    Hi,
    Thanks for the response
    "you can either call PI via proxy class created in sproxy - then you don't need to use any receiver CC (any sender agreement) in PI"
    This is not a Proxy class created from SPROXY.
    "you can call PI WS from ECC then you do it over SOAP channel - then you need logical point"
    I intend on going this route. I have the WSDL imported into PI and SOAP receiver has been set. Also a logical port with reference to the PI WSDL URL has been created in ECC and assigned to the ABAP class interface.
    Now when the ABAPer implements the class, is it the logic that the PI WS would be called from the execute method through the logical port and the request passed on to PI?
    Teresa

  • Web Service Call From Consumer Proxy in ABAP: Security Settings

    Hello All,
    Have a couple of questions:
    We are working on a scenario where we have to connect to a web service from ABAP. We have extracted the WSDL, and generated the client proxy, and configured a Logical Port. However, at the time of actual call, we receive an error message "Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message.". We suspect that this is a problem with the SOAP Header, which might be missing some tags, which are required by the Web Service. Problem is, we can not trace the Web Service SOAP Header. We can not see it in SOAMANAGER, or any other transaction as such.
    1. Does anybody have an idea where to look for the complete SOAP Request, in case of a Consumer Proxy call?
    2. After re-configuring the Logical Port in SOAMANAGER, our scenario is now stuck at an error which says: 'SoapFaultCode:1  Security requirements are not satisfied because the security header is not present in the incoming message.'. This is probably happening because the target web service is WSE 3.0 compliant, and hence it is asking for UsernameToken and TimeStamp attributes in SOAP Header. In SOAMANAGER Logical Port configuration, we do not see a placeholder for providing this information. However, in earlier LPCONFIG transaction, there was a field for providing WS Security Profile for Operations. Where does this config lie in SOAMANAGER?
    Awaiting Replies.
    Thanks and Regards,
    Sid

    Hi Sid,
    The setting username/password in the manual logical port configuration will send the username and password in the http header as basic authentication. That's why you don't see a security header.
    To configure usernametoken you have to create the logical port out of a WSDL. This WSDL needs to contain WS-Security Policies. So in the policy section of the WSDL you see an XML element called UsernameToken.
    In order to let .Net generate a compatible WSDL you have to configure your WCF Web Service to use a CustomBinding with authentication "UsernameOverTransport". This is a username token in the security header sent over SSL. So therefore you need an HTTPSTransport (instead of HTTPTransport) in the binding of your .Net WCF endpoint as well.
    For an example of such a WCF service configuration see my comment on http://weblogs.sdn.sap.com/cs/user/view/cs_msg/59671.
    Regards,
    Mathias
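
    An added example, not part of Mathias's reply and not SAP or .NET code: a small Python check that takes a captured consumer-proxy request and reports whether the credentials travel as HTTP basic authentication or as a WS-Security UsernameToken, and which of the SOAP headers named in this thread are absent. The function name audit_request, the host, the action URI and the credentials are assumptions made for the illustration, and both sample requests are constructed.

```python
import xml.etree.ElementTree as ET

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",  # from the error text
    "wsse": WSS + "secext-1.0.xsd",
    "wsu": WSS + "utility-1.0.xsd",
}
REQUIRED = {  # header elements named in the thread's errors and question
    "wsa:Action": "wsa:Action",
    "wsse:Security": "wsse:Security",
    "wsse:UsernameToken": "wsse:Security/wsse:UsernameToken",
    "wsu:Timestamp": "wsse:Security/wsu:Timestamp",
}

def audit_request(url, http_headers, envelope):
    """Report where credentials travel and which SOAP headers are absent."""
    header = ET.fromstring(envelope).find("s:Header", NS)
    def present(path):
        return header is not None and header.find(path, NS) is not None
    carriers = []
    auth = {k.lower(): v for k, v in http_headers.items()}.get("authorization", "")
    if auth.lower().startswith("basic "):
        carriers.append("http-basic")          # credentials in the HTTP header only
    if present(REQUIRED["wsse:UsernameToken"]):
        carriers.append("wsse-usernametoken")  # credentials in the SOAP header
    return {
        "credential_carriers": carriers,
        "missing_soap_headers": [n for n, p in REQUIRED.items() if not present(p)],
        # Either carrier exposes the password unless the transport is TLS.
        "cleartext_credentials": bool(carriers) and not url.lower().startswith("https://"),
    }

# Constructed samples: placeholder host, action and credentials.
ENV = '<s:Envelope xmlns:s="%s"><s:Header>%%s</s:Header><s:Body/></s:Envelope>' % NS["s"]
BASIC_ONLY = ENV % ""  # shape of a request that carries basic authentication only
WITH_TOKEN = ENV % (
    '<wsa:Action xmlns:wsa="{wsa}">urn:example:GetOrder</wsa:Action>'
    '<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">'
    '<wsu:Timestamp><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>'
    '<wsse:UsernameToken><wsse:Username>demo-user</wsse:Username>'
    '<wsse:Password>demo-pass</wsse:Password></wsse:UsernameToken>'
    '</wsse:Security>'.format(**NS)
)

if __name__ == "__main__":
    basic = {"Authorization": "Basic ZGVtby11c2VyOmRlbW8tcGFzcw=="}  # demo-user:demo-pass
    print(audit_request("http://legacy.example/svc", basic, BASIC_ONLY))
    print(audit_request("https://legacy.example/svc", {}, WITH_TOKEN))
```

    Run against a request captured at the receiving side, the missing_soap_headers list shows directly whether the security header was ever put into the message.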

  • Authentication via weblogic security realm

    My servlet needs to access a session bean. The action in the session bean requires that a user has been authorized, i.e. at some point the session bean calls
    String name = d_ctx.getCallerPrincipal().getName()
    This name may not be null at this time.
    What I would like to have is that the user executing the URL gets authenticated by my server realm 'myrealm' and that the associated principal gets passed to the session bean. Is this possible? If so, how can the user pass along the username and password as this query is executed programmatically?
    markus

    http://www.weblogic.com/docs51/classdocs/API_acl.html
    Michael Girdley
    BEA Systems Inc
    "gennot" <[email protected]> wrote in message
    news:[email protected]..
    Could you send me the complete URL of these example, please?
    Thanks
    Enrico
    Michael Girdley <[email protected]> wrote in message
    39b87078$[email protected]..
    The passing of the client's certificate should be automatic to WebLogic. We have an example of getting the client side certificate from inside of WebLogic in our documentation.
    This does not require for SSL to be used from the Web server to WebLogic.
    Thanks,
    Michael
    Michael Girdley
    BEA Systems Inc
    "Bob Simonoff" <[email protected]> wrote in message
    news:[email protected]..
    I have read through the docs and haven't found anything that would address the following confusion:
    Suppose I want to use Apache or IPlanet as the webserver with WebLogic as the back end application server (obviously). I have the need to use 2way SSL authentication. As I understand it the following applies:
    Client (browser) has a certificate as does the web server. They authenticate each other.
    Now, the web server and weblogic need to communicate. WebLogic, in our environment does authentication via the security realm.
    What do I have to do to get the web server (Apache or IPlanet) to communicate the client's certificate to WebLogic so the WebLogic can perform the authentication?
    Does the communication between the web server and WebLogic also need to be SSL?
    Thanks
    Bob Simonoff
