Enabling HTTPS level authentication in SOAP adapter (PI 7.1)

Similar Messages

• Message Level Security with SOAP Adapter

  Hi,
  I need to use Message Level Security with my SOAP Adapter. Please let me know if anyone has done the same in the past?
  What are the steps I would need to do? How can I use WSS based security in the SOAP Adapter?

  Hi,
  Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.
  It improves communication-level security by adding security features that are particularly important for inter-enterprise
  Message-level encryption is required if message content needs to be confidential not only on the communication lines but also in intermediate message stores.
  Refer
  How to use Client Authentication with SOAP Adapter
  XML Encryption Using Web Services Security in SAP NetWeaver XI
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0650f56-7587-2910-7c99-e1b6ffbe4d50
  http://help.sap.com/saphelp_nw04/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
  Thanks
  swarup

• HTTP Header fields in SOAP adapter - Part 2

  Hi All,
  With regards to my previous thread HTTP Header fields in SOAP adapter
  my header issue is solved and hence I have closed the thread but still I am not able to make the connection successful. The new problem is below
  My vendor requirement is to specify the header as "Ent-sender" but when we give the same in XI in communication channel it automatically convets into uppercase "ENT-SENDER".  Due to case-sensitive in vendor server the connection is not gettingestablished.
  Please help me out how to solve the problem.
  <b>Note:</b> Sorry for the new thread as it was created due to new problem and also the previuos thread is already too long.
  Regards,
  Dhill

  Hi Neaves,
    Thank you, I jave seen the note and find the below solution will be some what realated to my prblem.
  <u><b>The nosoap mode lets the adapter send the XI payload directly without wrapping it in the SOAP envelope. Although the main use of this mode is to send some plain text content directly to some web server, one can use this mode to send their own SOAP message (e.g., with arbitrary headers) to an external web service (See related questions). In this case, the XI payload must be formatted in the SOAP envelope.
             To use the nosoap mode, the channel must be configured to use no SOAP envelope.</b></u>
  If yes, can you please let me know how to use nosoap mode otherise let me the other possibilities.  I am already using tcpg2.zip to trace the SOAP adapter in which it was confirmed that XI is changing the header automatically into CAPS whatever case we give,
  Regards,
  Dhill

• HTTP Header fields in SOAP adapter

  Hi All,
    I have a scenario IDoc to SOAP adapter. In which my receiver given the details as
  URL : https://b2b.ecsc.us.gxs.com/invoke/GXSGateway:receiveCTE
  Header Name:             Header Value
  Ent-sender                xxxx
  Ent-receiver              yyyyy
  Ent-APRF                 zzzzz
  Ent-filename             (not sure what data need to give)
  1. I request you to let me know where I need to give these headername and hader values in soap adapter. 
  2. my client require file as an attachment.  Please let me know how I need to send the payload as an file and where the name need to be given in the header name (Ent-filename).
  Currently I used  MessageTransformBean to conver my XML to text structure(flatfile structure).
  Please let me know if any more details required
  Regards,
  Dhill

  Was out for lunch break..
  Juz Rechecking
  Transport Protocol : HTTP
  Message Protocol: Soap 1.1
  Adapter Engine -> Adapter Engine on the Integration Server
  Connection Parameters
  Target URL - > https://b2b.ecsc.us.gxs.com/invoke/GXSGateway:receiveCTE
  Sure about no sever authentication required  and they are not using any HTTP proxy for webservice >????
  Conversion Parameters
  Do Not Use SOAP Envelope -> Unchecked
  Keep Headers -> Checked.
  Keep Attachments -> Unchecked
  Use Encoded Headers -> Unchecked
  Use Query String -> not so sure might be Unchecked
  <b>Authentication Keys</b>
  If authentication is required for the receiver system, you can enter a password and a confirmation for each key value. This means that you do not need to write passwords in the enhanced message header.
  If you want to specify or display authentication keys, select View Authorization Keys.
  You can enter and confirm passwords for each authentication key value (TAuthKey or TproyxAuthKey).
  Try once sending the message with Adapter-Specific Message Attributes
  Unchecked. See if there is a hit.I knw itz not req but juz testing.
  Yeah adapter stat must be active.
  Last thing need to go through the whole scenario.
  <b>Cheers,
  *RAJ*
  *REWARD POINTS IF FOUND USEFULL*</b>

• Enabling https for SOAP adapter

  Hello all,
  Can anyone suggest how to  enable https for SOAP adapter in PI system?
  Thank You,
  Regards,
  Hasan

  Hi Hasan,
  CHeck the blog :/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter which guides you clearly
  Also check SAP Note#891877 for reference.
  Thanks and Regards,
  Naveen

• Sender SOAP Adapter with HTTPs call

  Hello,
  Our scenarion is ..  we will have a sender SOAP adater .. but it needs to be called using HTTPs(SSL).
  Now considering we have the certificate generated and installed ..and that integration server is HTTPs enabled....What URL should the sending system call..?
  For normal HTTP call the inbound address for inbound Adapter is: http://host:port/XISOAPAdapter/MessageServlet?channel=party:service:channel
  For the case of HTTPs just changing the htttp to https and the port number in in the calling system will suffice? Or is there other configurations that needs to be done??
  Thanks and Regards,
  Himadri

  Hi Himadri,
  Firstly as suggested by others you can call using https and give the https port in the soap adapter servler URL. Secondly you need to do the following configurations:
  1) If its PI 7.0/3.0, deploy the latest version of the SAP Java cryptography toolkit.
  2) Configure SAP PI as the server for HTTPS calls. In short
        Using the SSL Provider service:
                              a.      Select whether the J2EE Engine should:
                                 ■      Request (but not require) that the user presents a client certificate for authentication.
                                 ■      Require that client certificates are to be used for authentication.
                              b.      Import the CAu2019s root certificate into the Trusted Certification Authorities list. (Choose Add.) using the following For all the steps, link is mentioned below for XI 3.0, you can find similar ones for PI 7.0
  http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/content.htm
  3) If you want to enable client authentication then you would need to add the client certificate in the TrustedCA keystore view of the SAP J2EE engine.
  4) In the SOAP Adapter sender channel, configure Inbound Security level as HTTPS or HTTPs with client authentication based on your scenario.
  Best Regards,
  Pratik

• SOAP -Client Certificate Authentication in Receiver SOAP Adapter

  Dear All,
  We are working on the below scenario
  SAP R/3 System  -> XI/PI -> Proxy -> Customer
  In this, SAP R/3 System sends a IDOC and XI should give that XML Payload of IDOC to Customer.
  Cusomer gave us the WSDL file and also a Certificate for authentication.
  Mapping - we are using XSLT mapping to send that XML payload as we need to capture the whole XML payload of IDOC into 1 field at the target end ( This was given in the WSDL).
  Now, how can we achieve this Client Certificate authentication in the SOAP Receiver Adapter when we have Proxy server in between PI/XI and Customer system.
  Require your inputs on Client Certificate authentication and Proxy server configuration.
  Regards,
  Srini

  Hi
  Look this blog
  How to use Client Authentication with SOAP Adapter
  http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
  Also refer to "SAP Security Guide XI" at service market place.
  ABAP Proxy configuration
  How do you activate ABAP Proxies?

• SOAP Adapter (Client Authentication)

  Hi Guys,
  I am trying to follow this blog
  How to use Client Authentication with SOAP Adapter
  Am new to this security settings stuffs , i hear that we have to maintainn keys in visual admin and then later authenticate , am confused all around
  My Question
  1) Who would provide the Key or certificate ?
  2) Should we generate and give it to client r is it given by the client??
  3) Where to maintain these key , i know in visual admin , but what r the steps and which place ?
  $) How to use this to get authenticated with SOAP Sender Adapter ?
  Can any one elobrate this in details and provide any more links on this.
  thx in advance for help
  with regards
  Srini

  HI
  1.These will be provided by th Client or they can be downloaded from the website n then the Basis Team or the System Adminstrator will do the needful for us.
  2.it depends , if the client wishes to give to us he will give or Basis team will be helping us in this Query.
  Digital certificates
  A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.
  Certificates are issued by Certifying Authority(CA) for people or an organization. This is used to identify unique person or unique organization.
  Also look at these links
  http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html
  http://mindprod.com/jgloss/certificate.html
  Please go through these links and i am sure they will help you in some ways.
  http://help.sap.com/saphelp_nw04/helpdata/en/a8/882a40ce93185de10000000a1550b0/content.htm
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/db3d8798-0701-0010-9781-8a6e925dd5da
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/092dddc6-0701-0010-268e-fd61f2035fdd
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2a56861-0601-0010-bba1-e37eb5d8d4a9
  cheers
  Edited by: vemuganti naga phalguna on Jul 2, 2008 1:00 PM

• Adding ClientCertLoginModule into SOAP adapter causes problem for HTTP

  Hi there,
  We are configuring SOAP adapter to use HTTPS with client authentication
  for a B2B project. We followed note 891877 to add ClientCertLoginModule
  into service sap.com/com.sap.aii.af.soapadapter*XIOAPAdapter in the
  security provider service,
  ClientCertLoginModule, SUFFICIENT
  BasicPasswordLoginModule, SUFFICIENT
  The interface for the B2B project works fine after the change.
  But other interfaces which are using HTTP to connect to SOAP adapter
  are all failing with HTTP code 302. Because all these interfaces are
  using HTTP protocal with username/password for authentication, we
  expect they should still work because the BasicPasswordLoginModule is
  listed in the login module stack.
  Any help is much appreciated..

  Hi there,
  We are configuring SOAP adapter to use HTTPS with client authentication
  for a B2B project. We followed note 891877 to add ClientCertLoginModule
  into service sap.com/com.sap.aii.af.soapadapter*XIOAPAdapter in the
  security provider service,
  ClientCertLoginModule, SUFFICIENT
  BasicPasswordLoginModule, SUFFICIENT
  The interface for the B2B project works fine after the change.
  But other interfaces which are using HTTP to connect to SOAP adapter
  are all failing with HTTP code 302. Because all these interfaces are
  using HTTP protocal with username/password for authentication, we
  expect they should still work because the BasicPasswordLoginModule is
  listed in the login module stack.
  Any help is much appreciated..

• SOAP Adapter XI 3.0 - HTTP 200 response fails

  We have a scenario where a request message is sent successfully to a URL by the SOAP Adapter.
  However, the response message has an HTTP response of 200 (meaning ok) which is not handled correctly by the
  SOAP Adapter.
  The error text shown in SXMB_MONI is:
  com.sap.aii.af.ra.ms.api.DeliveryException: Failed to call the endpoint HTTP 200 OK
  Is there something I am missing in the configuration to allow HTTP responses in the SOAP Adapter ? It is very odd that the SOAP Request works fine, but the SOAP Response does not.
  Any ideas anyone ?
  Kind regards
  Colin.

  Hi Bill
  1. synchronous out / in
  2. yes
  3. working fine
  following the way out to the elocateserver system is working fine.
  The soap is working and the responce from the elocteserver is fine . But when the message is pick put the Timeout show up.
  below is the Responce from elocateserver to xi
  Hope this will help you
  thanks olaf
  Help
  !http://sapnt09:50200/sap/public/icman/img/theme.jpg|alt=SAP|width=122 height=61 border=0 |src=http://sapnt09:50200/sap/public/icman/img/theme.jpg!
  500 Connection timed out
  Connection timed out (-5)
  Error:
  -5
  Version:
  6040
  Component:
  ICM
  Date/Time:
  Sat Oct 16 06:13:25 2004
  Module:
  icxxthr.c
  Line:
  2556
  Server:
  sapnt09_M64_02
  Detail:
  Connection to partner timed out
  © 2001-2003, SAP AG

• SOAP Adapter S/MIME error

  Hi all,
  In PI I have created one scenario to expose a Web Service and one scenario to consume the same Web Service and I have tested them successfully.  They work fine.
  When I attempt to use message level security via their SOAP adapters and I chose the "Web Services Security" profile to Sign and Verify the messages, they still work fine.
  However if I choose security profile "S/MIME" using the exact same configuration and certificates then the scenarios go in error.
  This is what I get in the Adapter Response message:
  <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="">
    <SAP:Category>XIServer</SAP:Category>
    <SAP:Code area="INTERNAL">HTTP_RESP_STATUS_CODE_NOT_OK</SAP:Code>
    <SAP:P1>500</SAP:P1>
    <SAP:P2>Internal Server Error</SAP:P2>
    <SAP:P3 />
    <SAP:P4 />
    <SAP:AdditionalText>java.lang.NullPointerException at java.util.Hashtable.put(Hashtable.java:393) at com.sap.aii.messaging.mo.MessageContext.setAttribute(MessageContext.java:96) at com.sap.aii.adapter.xi.ms.XIMessage.updateHeaders(XIMessage.java:4217) at com.sap.aii.adapter.xi.ms.XIMessage.getTransportHeaders(XIMessage.java:562) at com.sap.aii.af.ra.ms.impl.ServerConnectionImpl.request(ServerConnectionImpl.java:211) at com.sap.aii.af.ra.ms.impl.core.transport.http.MessagingServlet.doPost(MessagingServlet.java:332) at javax.servlet.http.HttpServlet.service(HttpServlet.java:760) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)</SAP:AdditionalText>
    <SAP:ApplicationFaultMessage namespace="" />
    <SAP:Stack>HTTP response contains status code 500 with the description Internal Server Error Error while sending by HTTP (error code: 500, error text: Internal Server Error)</SAP:Stack>
    <SAP:Retry>N</SAP:Retry>
    </SAP:Error>
  Anybody can tell me what is causing this? Any idea?  
  Is there anything that I have to do to configure S/MIME and to enable its use in the SOAP adapter?
  Many thanks,
  Aldo

  Prakasu,
  Now I am sure that I need to use SMIME over HTTP.  It is a requirement for my client. 
  I need to upload documents with SMIME using an HTTP POST.  Content-Type in this case will be multipart/signed I guess.
  It should be achievable with the SOAP adapter and I think that what you said above is not completely correct.
  Anyone can guide me through this?
  Many thanks,
  Aldo

• Receiver SOAP adapter SSL error - client certificate required?

  Hi all,
  Problem configuring SSL in XI 3.0 NW04 SP17....
  I have followed the config steps from Rahul's excellent weblog at <a href="/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter">How to use Client Authentication with SOAP Adapter</a> (my Basis team have done the Visual Admin steps) and am going through his example as it closely matches my requirement. So, I have a test receiver SOAP adapter sending messages to a web service URL defined for a sender SOAP adapter. My test scenario is:
  <b>Sender File -> <u><i>Receiver SOAP -> Sender SOAP</i></u> -> IDoc Receiver -> IDocs in R/3</b>
  The problem components are in italic and underlined above. My Receiver SOAP Adapter has the web service URL, Certificate Keystore Entry and View entered. If, in the Sender SOAP Adapter, I have an HTTP Security Level of HTTPS Without Client Authentication, the interface works fine (note that Rahul suggests you untick the User Authentication in the Receiver but with this Security Level, it seems to work with or without it).
  The problem is when I set HTTPS <b>With</b> Client Authentication in the Sender. I then get the following error in the message monitor:
  SOAP: response message contains an error XIServer/UNKNOWN/ModuleUnknownException - com.sap.aii.af.mp.module.ModuleException: java.security.AccessControlException: <b>client certificate required caused by: java.security.AccessControlException</b>: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:1111) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl3.process(ModuleLocalLocalObjectImpl3.java:103) at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:250) at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:103) at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:166) at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:421) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.Client.handle(Client.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java(Compiled Code)) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code)) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code)) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code)) at java.security.AccessController.doPrivileged1(Native Method) at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code)) Caused by: java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:843) ... 22 more
  Has anyone got any idea what this could be caused by?
  Many thanks,
  Stuart Richards

  Have you configured the https port with that keystore entry?
  Check out these links:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/b0/881e3e3986f701e10000000a114084/frameset.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/5c/15f73dd0408e5be10000000a114084/frameset.htm
  Regards,
  Henrique.

• HTTP Basic authentication on EJB 3.0 based web service

  How do I enable HTTP Basic authentication on EJB 3.0 based web services for OAS? Does any one have a sample solution ?
  I manually updated oracle-webservices.xml file to include the following:
  <ejb-transport-security-constraint>
  <soap-port/>
  <role-name>users</role-name>
  <transport-guarantee>NONE</transport-guarantee>
  </ejb-transport-security-constraint>
  <ejb-transport-login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jazn.com</realm-name>
  </ejb-transport-login-config>
  When I use SOAP UI to test the web service I get the following error.
  403 Forbidden
  Error initializing security, security-role not found: users

  I still get the 403 forbidden error message. I do not get the second part of the error message though.

• Network Level Authentication

  We have enabled Network Level Authentication on all of our test servers.  We are now having issues with 2 servers where folks are receiving an error stating that the remote computer Network Level Authentication which your computer does not support.
  All clients are Windows 7 SP1, and can access other servers that have Network Level Authentication.
  When comparing the servers to working servers, there doesn't appear to be any differences.
  Any Ideas?
  DJ

  Hi DJ,
  From the current description it seem is the self-signed certificate corrupt, please perform the following action, open the Certificate Management mmc snap-in with the Local
  Computer account. You will find the self-signed certificate in the 'Remote Desktop' store of the server.
  Delete the certificate here.
  For Windows 2003/ 2008, a server restart is required for this certificate to be re-generated.
  On Windows 2008 R2, you can restart the Remote Desktop Services Configuration service to get the certificate re-generated.
  The similar thread:
  Configure Certificate for NLA...
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/d7d45464-dcb6-4dc6-b840-cb29578a9f23/configure-certificate-for-nla
  Windows Server 2008 R2: Why Use Network Level Authentication?
  https://technet.microsoft.com/en-us/magazine/hh750380.aspx
  Secure RDS (Remote Desktop Services) Connections with SSL
  https://technet.microsoft.com/en-us/magazine/ff458357.aspx
  Configure Server Authentication and Encryption Levels
  https://technet.microsoft.com/en-us/library/cc770833.aspx
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• How To use certificate in SOAP-Adapter

  Hi, well because the invoked external WebService needs a certification in SOAP-Adapter the option <i>Configure Certificate Authentication</i> exists.
  I know that i have to put some values in keystore via VisualAdmin but i only got a certificate key. Do i need to generate some other values?!
  Can somebody provide me with some links or a blog on this issue?!
  br

  See this
  /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
  Regards,
  Prateek