Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

Hello All,
We are currently building up a HTTPS message exchange with an external client.
Our PI 7.1 received messages over HTTPS on an already configured Sender SOAP Adapter.
The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2).
Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet" is required and works fine with user ID and password.
Now we have to configure the additional Client Authentication.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
But what are the next steps to get this scenario successfully in place?
Many thanks in advance!
Jochen

Hi Colleagues,
The following steps still have to be done:
- Mapping public key to technical user at Java Stack
  As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for respective technical user the public key certificate
- Be sure CA root certificate at Database under STRUSTSSO2
- Import intermediate Certificate under Certificate List at Trust Manager for the Respective Server Note
- Use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
Many thanks to all for support!
Regards,
Jochen

Similar Messages

  • Client Certification for Sender SOAP Adapter

    I am trying to configure an incoming SOAP call to allow client certification for authentication and not ask for username/pwd. I already tried changing the configuration of the SOAP adapter in visual admin to have the client certification module with no luck.
    Please let me know if anyone has already done this before.

    Hi,
    Check the link for Client Certificate authentication...
    [http://www.i-barile.it/SDN/EnablingSSL&ClientCertificatesOnTheSAPJ2EEEngine.pdf]
    Regards,
    Prakasu.M

  • Configure Client Authentication for Receiver SOAP Adapter

    Hi,
    Can you please tell me what I should give in receiver soap channel for KeyStoreEntry and KeyStoreView after checking Configure Client Authentication checkbox, as I have got certificate from third party.
    Thanks in advance
    Best Regards,
    Harleen Kaur Chadha

    Hi,
    Keystore Entry:
    Login to Visual Admin --> Server --> Services --> KeyStorage --> TrustedCAs --> Load --> Select the location where you have stored the certificate on your local system
    Load function is used as you have already got the certificate....
    Once this is done you will find an entry for your certificate in the Entries tab of your TrustedCAs section.
    This is your Keystore Entry... in other words it is the name of your certificate.
    Keystore View:
    http://help.sap.com/saphelp_webas630/helpdata/en/16/c0503e1dac5b46e10000000a114084/content.htm
    Are you going to consume Logon tickets of the Third party system (which is other than SAP J2ee engine of your XI)? If yes, then you may also need to do some more settings in the J2ee Engine.
    Regards,
    Abhishek.

  • SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config

    Hi All,
    I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPs.  Double authentication (client- server) certificate shall be used.
    Testing simple HTTP and XI user name/password works fine.
    Now I installed required certificates in TrustedCA and ssl-provider in Visual Admin.
    But I can't see how I can configure certificates in SOAP sender Adapter. I've just done SOAP receiver for another scenario and there I could give keystore entry.
    I also don't know how to disable asking for name/password.  I am using XI 7.0.
    Please advise.
    Thanks,
    Nataliya

    Hi Nataliya,
    Go to SOAP Adapter --> Inbound Security Checks --> HTTP Security Level --> Here you can specify option "HTTP with Client Authentication".
    One more thing HTTP Security level option is always available in Sender Adapter.
    For more clarity about HTTPS find below link.
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
    To enable the TrustedCA in SOAP Sender adapter, go to SOAP Sender --> Security Parameter --> Security Profile --> Web Service security. Then go to sender agreement; there you need to give key store entry.

  • HTTPS with Client Authentication in SOAP sender Adapter

    Hi All,
    In SOAP Sender communication channel. When I generate WSDL with “HTTP Security Level = HTTP:” it works when third party tries to send data to XIwebservice.
    But when I tried with “HTTPS with Client Authentication” option it's giving the error
    “InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.”
    Please guide how to use “HTTPS with Client Authentication” option, and what all configuration need to apply in XI & in third party to use this.
    Regards

    Rohan,
    With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
    You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
    So the answer to your question is yes, after importing the certificate with sender and third party receiver a test would reveal the complete scenario along with any issues that you could encounter.
    Regards
    Ravi Raman

  • HTTPS with Client Authentication not available in EHP1?

    Hi Guys,
    I am not seeing this option in PI 7.1 EHP1.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
    any help would be appreciated
    Thanks,
    Srini

    Hi Srinivas,
    I did not use it personally. But when I look at SAP help I don't see that option anywhere. Please see this SAP help:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
    But you have an option sender agreement for security. Please see this help:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ceb8cf18d3424be10000000a421937/content.htm
    Since we have the option to skip the adapter engine they have enabled this option in http adapter. So you can directly hit to integration engine skipping the adapter framework, which will help in improving the performance. Please see this help on this:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
    Regards,
    ---Satish

  • HTTPS With Client Authentication

    Hi,
    I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
    java.security.AccessControlException: client certificate required
    In the transaction scim the following can be seen:
    [Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
    [Thr 5061]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
    [Thr 5061]     out: sssl_hdl = 1117534b0
    [Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
    [Thr 5061]      in: sssl_hdl = 1117534b0
    [Thr 5061]      in: cred_hdl = 116cfc110
    [Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
    [Thr 5061]   SSL NI-sock: local=XX.XX.XX.XX:50001  peer=XX.XX.XX.XX:2310
    [Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
    [Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
    [Thr 5061]          status = "resumed SSL session, NO client cert"
    The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
    Sender Communication Channel, 
    Transport Protocol: HTTP,
    Message Protocol: Soap 1.1,
    Adapter Engine: Central Adapter Engine,
    HTTPS with Client Authentication,
    Keep Headers
    Any ideas?
    Kind regards,
    John

    Hi Peter,
    If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
    It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
    All the best,
    John

  • Alias for Sender SOAP Adapter URL

    When I create a web service for an o/b interface using the wizard, I need to give the URL of the pattern
    http://<host>:<port>/XISOAPAdapter/MessageServlet?channel=<party>:<service>:<channel>
    Looking at the URL, I think there is servlet that is processing the incoming SOAP messages based on the parameter (channel) and adding the SOAP Header for Sender Service, Sender Interface from that channel before sending it to IE.
    Is there any way to create aliases for these URLs so that I can have distinct URL for each interface, e.g. http://<host>:<port>/DeliveryConfirmation, http://<host>:<port>/InvoiceCheck etc?
    I need to publish web services in custom-built UDDI tool which expects the URLs to be unique. (This uniqueness should not be based on the parameter 'channel'). UDDI tool expects the part of the URL before '?' to be unique, which is not in my case. So, I'm thinking of aliases.
    Did anyone create Alias for sender SOAP adapter URL?
    I appreciate your inputs on this.
    thx
    praveen

    Stefan,
    Creating an alias like (http://<host>:<port>/DeliveryConfirmation) for each web service makes the end Point URL (http://<host>:<port>/DeliveryConfirmation?channel=<party>:<service>:<channel>) unique and my custom-built UDDI server would allow it.
    In this case, all the aliases would be for the same context path '/XISOAPAdapter/MessageServlet', right?
    I see the following on the help page.
    Prerequisites
    You must first have the J2EE Web applications deployed so that their aliases are added to the list of available application aliases. Then you can decide which one to remove from it.
    Do I need to deploy any J2EE Web Application here?
    I'm thinking that since 'XISOAPAdapter/MessageServlet' is already deployed, I just have to create a various aliases for it.
    I highly appreciate your inputs.
    thx
    praveen

  • Https with client authentication handshake_failure

    Hi everyone. I hope anyone could help me. I have a client class 1 certificate from verisign (digital id) which is needed for https service request. I have installed it on Internet Explorer and it works fine:
    1) Internet Explorer ask me to trust in https server certificate.
    2) I accept the server certificate
    3) Internet Explorer ask me for select which client certificate send to server.
    4) I select my verisign client certificate
    5) Https server returns an xml with the response of the service.
    Now I have to implement this behaviour in Java. I have exported the client certificate to a .pfx file from Internet Explorer. Now I use this file directly as my key store. Then I used Internet Explorer to export server certificate as a .cer file and imported it into cacerts. The fact is that no matter what kind of transformation on the client certificate nor what validations I disable: I always get "Received fatal alert: handshake_failure" exception when trying to do in.readLine() (where in comes from BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));).
    I couldn't guess that connecting to a https server with client certificate was so difficult. I have read lots of examples and documentation, that always drive me to implement the same code.
    Sincerely, I don't use to ask in forums when having the first problems, but this time I'm really frustrated.
    Thanks in advance for any answer.

    Hi Rana da,
    If you want to use Https, make sure Https service must be activated in the system. Check Tcode: SMICM for HTTPS status.
    Have a look at below link
    Sender SOAP Adapter: HTTPS with Client Authentication
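
The Java client setup from the question above (the browser-exported .pfx used directly as the key store, server trust taken from cacerts), as an added example that is not part of the original posts. It first checks that the .pfx actually holds a private key and a currently valid certificate, then presents it on an HTTPS POST; the class name, the PFX_PASSWORD environment variable and the empty SOAP envelope are assumptions made for the illustration.

```java
import java.io.FileInputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class MutualTlsSoapClient {
    /** Loads the exported .pfx and fails early if no entry carries a private key. */
    static KeyStore loadClientStore(String pfxPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(pfxPath)) {
            ks.load(in, password);
        }
        boolean usable = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;   // certificate-only entries cannot authenticate
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            cert.checkValidity();                   // throws if expired or not yet valid
            System.out.printf("alias=%s%n  subject=%s%n  issuer=%s%n  chain length=%d%n",
                    alias, cert.getSubjectX500Principal(), cert.getIssuerX500Principal(),
                    ks.getCertificateChain(alias).length);
            usable = true;
        }
        if (!usable) throw new IllegalStateException("no private key in " + pfxPath);
        return ks;
    }

    /** SSLContext that presents the client key; server trust uses the JVM default (cacerts). */
    static SSLContext clientContext(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers = default trust store
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String pw = System.getenv("PFX_PASSWORD");  // assumed variable name; keeps the password off the command line
        if (args.length != 2 || pw == null) {
            System.err.println("usage: PFX_PASSWORD=... java MutualTlsSoapClient <client.pfx> <https-url>");
            return;
        }
        char[] password = pw.toCharArray();
        SSLContext ctx = clientContext(loadClientStore(args[0], password), password);
        HttpsURLConnection con = (HttpsURLConnection) new URL(args[1]).openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory());
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        con.setDoOutput(true);
        // Constructed placeholder envelope; replace the body with the interface's payload.
        String soap = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soapenv:Body/></soapenv:Envelope>";
        try (OutputStream out = con.getOutputStream()) {
            out.write(soap.getBytes(StandardCharsets.UTF_8));
        }
        System.out.println("HTTP " + con.getResponseCode() + ", cipher " + con.getCipherSuite());
    }
}
```

Running it with the JVM option `-Djavax.net.debug=ssl:handshake` prints the server's certificate request, whose list of accepted issuers can be compared with the issuer printed for the client certificate.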

  • Does Flex HttpService support https with client authentication

    Hi,
    We have a set of backend services available over https with client auth (cert based). We need to use mxml HttpService to access these backend services. Does HttpService support ssl with client auth?
    Another question is, for Https does flex share the browser keystore and certstore or uses its own?
    Thanks,
    Debashis

    Yes , a flex HTTPService can access services on https://.  But if I remember correctly , to use an https:// service , the swf has to be served on an https.  Example ,
    Served from https:// ... --> Can access https:// ...
    Served from https:// ... --> Can access https:// ...
    Served from https:// ... --> CANNOT access https:// ...
    Served from https:// ... --> CANNOT access https:// ...
    Since Flex has the browser do the connecting , the browser handles the keystore stuff , not Flex. I think.

  • Display WSDL in ID with difference URL for send SOAP scenario

    Hi Experts,
    I have one question here about Display WSDL tool in ID.
    The first step is to specify the Integration Server SOAP Inbound Channel (URL).
    Referring to the help document this URL can be either the Integration Server or an Adapter Engine.
    However by simply click Propose URL option, the URL given automatically is pointing to the Integration Engine only.
    http://<host>:<port>/sap/xi/engine?type=entry
    Does this mean in this case, no sender SOAP adapter channel is required?
    And the further question is what is the difference between URL to IE and AE.
    Here i know the URL format are different, my question is what is the major difference in the processing process?
    And what are the pros and cons of giving different URL when Display WSDL?
    Thanks in advance. Any inputs will be appreciated.
    Best Regards,

    Hello,
    Does this mean in this case, no sender SOAP adapter channel is required?
    If it will be connecting directly to the integration engine, yes. No sender adapter is required.
    And the further question is what is the difference between URL to IE and AE.
    Here i know the URL format are different, my question is what is the major difference in the processing process?
    And what are the pros and cons of giving different URL when Display WSDL?
    The advantages and disadvantages are summed up in Stefan's blog below:
    /people/stefan.grube/blog/2006/09/21/using-the-soap-inbound-channel-of-the-integration-engine
    Hope this helps,
    Mark
    Edited by: Mark Dihiansan on Sep 8, 2011 5:43 AM

  • How to use Basis Authentication in Sender SOAP Adapter

    We implemented one Sender SOAP Adapter and we had to implement the modified WEB.XML method to remove the security specification.  We have now asked the developer to correct this situation so we can remove this modification.  The Interface developer would like to use Basic Authentication. If you have an automated interface sending in a SOAP Message, how do you do Basic Authentication? 
    I've tried using:
    http://host:port/XISOAPAdapter/MessageServlet?channel=:<Service>:<Channel>&sap-user=xiappluser&sap-password=<Password>&sap-language=EN&sap-client=<Client>
    When I do this, I still get the Authentication Pop-Up Window.
    How does the Sending Interface either supply the ID and Password on the incoming SOAP Message or respond to the Authentication Pop-Up?
    Thanks,
    Anne

    By default the web service exposed by you will use Basic Authentication mode only.
    But the way you do Basic Authentication in the web client is platform dependent.
    This is not the way to do Basic authentication
    http://host:port/XISOAPAdapter/MessageServlet?channel=:<Service>:<Channel>&sap-user=xiappluser&sap-password=<Password>&sap-language=EN&sap-client=<Client>
    I am providing you a code snippet on how to Basic Authentication in Java when making the Web Service Call.
    If the client is on some other platform just look for the corresponding api.
    Please award points if you find this answer useful.
    Code Snippet
    // Needs java.net.URL, java.net.URLConnection and java.net.HttpURLConnection.
    // URL, User and Password are String variables supplied by the caller.
    URL url = new URL(URL);
    URLConnection connection = url.openConnection();
    if (connection instanceof HttpURLConnection) {
        ((HttpURLConnection) connection).setRequestMethod("POST");
    }
    //connection.setRequestProperty("Content-Length", Integer.toString(content.length()));
    connection.setRequestProperty("Content-Type", "text/xml");
    connection.setDoOutput(true);
    // HTTP Basic authentication header: "Basic " + base64(user:password)
    connection.setRequestProperty("Authorization", "Basic " + encode(User + ":" + Password));
    connection.connect();
    Encode Method
    public static String encode(String source) {
        // java.util.Base64 is used because sun.misc.BASE64Encoder is not available in current JDKs
        return java.util.Base64.getEncoder()
                .encodeToString(source.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }

  • Remove authentication in sender soap adapter pi 7.1

    Hello
    Did anyone manage to remove authentication in PI 7.1 sender soap adapter?
    I have updated file web.xml in the file com.sap.aii.adapter.soap.war
    and now I want to deploy it, but I don't have any sda in the folder
    thx
    Shai

    hi Shai,
    just something to try in case:
    you don't need any java parameters of SOAP sender
    you can try approach from Stefan:
    /people/stefan.grube/blog/2006/09/21/using-the-soap-inbound-channel-of-the-integration-engine
    and then:
    1. in SICF copy the engine service to a new one
    2. put the credentials for this new service inside SICF
    then you will have sender SOAP adapter without a password right?
    I didn't try it but I guess it would work without
    crashing the whole original SOAP sender adapter by
    making changes into web.xml
    Regards,
    Michal Krawczyk

  • Failed in Message Mapping for Sender SOAP Adapter

    I am using a synchronous Sender SOAP adapter for sending SOAP messages using HTTP security protocol. I am trying to send SOAP messages to XI and then to RFC-R/3. And Responses back from RFC to XI and then to SOAP. I am getting an error for failed in message mapping in SXMB_MONI for converting SOAP messages to RFC. When I debug it in Message Mapping in Integration Repository, it works fine.
    Any help is appreciated.
    Thanks in advance!
    Mrudula

    Hi,
    try to do a full cache refresh
    regards,
    Jakub

  • SEcurity settings for sender SOAP adapter

    Hey guys
    I'm implementing some security features in sender SOAP adapter by taking help from www.help.sap.com. I have checked the message security box in sender Communication channel but in sender agreement I don't see any options for Decrypt or Validate, I only see Keystore, Issuer and subject.
    I'm on SP9 and XI 3.0
    Where can I find these options of Decrypt etc?
    thanx
    ahmad

    Hi,
    Please see below links
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0650f56-7587-2910-7c99-e1b6ffbe4d50
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/BTS06CoreDocs/html/a3229d73-170d-42b7-bab9-12ae5f2d0fa7.asp
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/BTS06CoreDocs/html/f869bd82-df93-45e1-b747-b538820253fb.asp
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/121b053d-0401-0010-539f-f9295efb7bad
    Document security option in webservices
    And also check,
    Launch Visual administrator and navigate to Server->Services->Security Provider. In 'Policy Configurations' tab page, select the component 'sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter'. Then click on the tab page 'Security Roles' and select 'xi_adapter_soap_message'. You will find the groups (equivalent to roles in PFCG) to which this security role (xi_adapter_soap_message) is assigned to. Make sure you assign the PFCG role listed here to the user.
    regards
    Chilla..
