Message Level security : PI 7.1

Hello All,
We are currently evaluating the message level security options in PI in order to communicate with native ABAP systems like CRM, HR, BW etc. Does it need us to set up a PCK (Decentralized adapter engine) in order to use it?
http://help.sap.com/saphelp_nwpi71/helpdata/en/a8/882a40ce93185de10000000a1550b0/content.htm
The scenarios are
SOAP - XI - Proxy
SOAP - XI - WS Adapter
Thanks.
Kiran

Thanks Marcus & Caio !! The settings listed in the link
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
Do they have to be done on our ECC box and how do I do it for both Consumer and Provider Proxy?
Is there a link to the blog available for the same with comm channel documents?
Thanks.
Kiran

Similar Messages

  • Invoking a message-level secured webservice WS Security

    I am not having any luck invoking a webservice that has been secured via message-level security. For simplicity, I have been using WS-Security Policies provided by WebLogic and applying them on my webservice via annotations. I have been testing with Wssp1.2-Wss1.0-X509-TripleDesRsa.xml. I am using soapUI to invoke the webservice. When I send a singed soap request, I get a response indicating that it wasn't able to validate the signature. I made sure that both soapUI and WebLogic server is using the same identity store. I have also made sure that the certificate in the identity store is also in the trust store for WebLogic. There could also be a problem with the structure of the soap request. I send a soap request that includes a signature of the timestamp, the initiator token (x509 in binary form), and the body.
    Anyone have luck with WebLogic webservice security and soapUI?

    Applying 'format XML' after signing it changes the message and makes the signature invalid, different content == different signature.
    You should also ask yourself why you'd like to transport blank characters (zero information) over the wire just to make it more readable for yourself? Just compare the size of the unformatted and formatted message to see the waste of bandwidth.
    --olaf

  • Message Level Security in XI  7.0

    Hi,
    Have someone worked on Message level Security in XI 7.0 for transferring a file from one system to an external third party system?
    If so can u provide me with links or documents?
    Thanks
    Manjula

    Hi,
    Please Find the Required Details in the Links
    http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Reward Points if Helpful
    Regards
    Khanna

  • SOAP receiver - Message level security - Encryption

    Hello,
    I want to use message level security when using HTTPS. Client provided us the encryption certificate which we have uploaded in the keystore, also done the necessary settings in PI 7.1 but we are getting the below mentioned error.
    Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.security.lib.exception.SecurityException: SecurityException in method: apply( Message, CPALookupObject ). Message: SecurityException in method: apply( Message, CPALookupObject ). WSSEThread-Exception: SecurityException in method: run(). Message: Connection timed out: connect. To-String: java.net.ConnectException: Connection timed out: connect; To-String: com.sap.aii.security.lib.exception.SecurityException: SecurityException in method: run(). Message: Connection timed out: connect. To-String: java.net.ConnectException: Connection timed out: connect. To-String: com.sap.aii.security.lib.exception.SecurityException: SecurityException in method: apply( Message, CPALookupObject ). WSSEThread-Exception: SecurityException in method: run(). Message: Connection timed out: connect. To-String: java.net.ConnectException: Connection timed out: connect; To-String: com.sap.aii.security.lib.exception.SecurityException: SecurityException in method: run(). Message: Connection timed out: connect. To-String: java.net.ConnectException: Connection timed out: connect
    Thanks & Regards,
    Rahul Nawale

    I agree
    Try executing a Full CPA Cache refresh.

  • Message Level Security with SOAP Adapter

    Hi,
    I need to use Message Level Security with my SOAP Adapter. Please let me know if anyone has done the same in the past?
    What are the steps I would need to do? How can I use WSS based security in the SOAP Adapter?

    Hi,
    Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.
    It improves communication-level security by adding security features that are particularly important for inter-enterprise
    Message-level encryption is required if message content needs to be confidential not only on the communication lines but also in intermediate message stores.
    Refer
    How to use Client Authentication with SOAP Adapter
    XML Encryption Using Web Services Security in SAP NetWeaver XI
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0650f56-7587-2910-7c99-e1b6ffbe4d50
    http://help.sap.com/saphelp_nw04/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
    Thanks
    swarup

  • Message Level Security

    Hi All,
    In the PI to PI scenario I used certificates for signing and encryption. For this I followed the message level security document.
    In PI1 the message is signed and encrypted, but the signature is not validated and the message is not decrypted on the PI2 server. Output from the PI2 server is coming in encrypted form. How to solve this issue?
    PI1 SP is 11 and PI2 SP is 06.
    Kindly suggest some solution.
    Regards
    Prakash

    Hi,
    Message-Level Security
    Message-level security allows you to digitally sign or encrypt documents exchanged between systems or business partners. It improves communication-level security by adding security features that are particularly important for inter-enterprise communication. Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.
    ●      A digital signature authenticates the business partner signing the message and ensures data integrity of the business document carried by a message.
    Signatures are used in two scenarios:
    ○       Non-repudiation of origin
    The sender signs a message so that the receiver can prove that the sender actually sent the message.
    ○       Non-repudiation of receipt
    The receiver signs a receipt message back to the sender so that the original sender can prove that the receiver actually received the original message.
    ●      Message-level encryption is required if message content needs to be confidential not only on the communication lines but also in intermediate message stores.
    SAP NetWeaver usage type Process Integration (PI) offers message-level security for the XI protocol itself, for the RosettaNet protocol, for the CIDX protocol, and for the SOAP and Mail adapters. The table below summarizes the message-level security features of these protocols and adapters.
    Message-Level Security Features

    | Feature                    | XI Protocol (XI 3.0)                                                                                                                                                     | SOAP                                                                      | Mail           | RNIF 2.0       | RNIF 1.1/CIDX  |
    | Messaging components       | Integration Server and PCK                                                                                                                                               | Adapter Engine and PCK                                                    | Adapter Engine | Adapter Engine | Adapter Engine |
    | Signature                  | X                                                                                                                                                                        | X                                                                         | X              | X              | X              |
    | Non-repudiation of origin  | X                                                                                                                                                                        | X (Web service security)                                                  |                | X              | X              |
    | Non-repudiation of receipt | X                                                                                                                                                                        |                                                                           |                | X              | X              |
    | Encryption                 | X                                                                                                                                                                        | X                                                                         | X              | X              |                |
    | Technology                 | Web service security (XML signature). Signed parts are the SAP main header, the SAP manifest, and the payloads (SOAP attachments). Encrypted parts are the payloads (SOAP attachments). | S/MIME or Web service security (XML signature). The SOAP body is signed. | S/MIME         | S/MIME         | PKCS#7         |

    XI 3.0 is the XI protocol valid for both SAP NetWeaver '04 and SAP NetWeaver 7.0.
    Message-level security is not guaranteed across the entire communication path of a message, but only for the intended B2B connections, which can be the following communication paths, as described under Service Users for Message Exchange.
    ●      XI protocol
    ○       (s4) Integration Server to Integration Server, PCK to Integration Server
    ○       (r4) Integration Server to Integration Server, Integration Server to PCK
    ●      SOAP protocol
    ○       (s3) SOAP sender to Adapter Engine or PCK
    ○       (r3) Adapter Engine or PCK to SOAP receiver
    ●      Mail protocols
    ○       (s3) Mail server to Adapter Engine or PCK (IMAP4/POP3)
    ○       (r3) Adapter Engine or PCK to mail server (IMAP4/SMTP)
    ●      RNIF and CIDX protocol
    ○       (s3) RNIF or CIDX sender to Adapter Engine
    ○       (r3) Adapter Engine to RNIF or CIDX receiver
    You define whether and how message-level security is to be applied to messages in the Integration Directory by using sender agreements on the inbound (sender) side in scenarios (s3) and (s4) and by using receiver agreements on the outbound (receiver) side in scenarios (r3) and (r4). For more information about configuring message-level security, see Security Configuration at Message Level.
    Message-level security relies on public and private x.509 certificates maintained in the J2EE keystore, where each certificate is identified by its alias name and the keystore view where it is stored. Certificates are used in the following situations:
    ●      When signing a message, the sender signs it with its private key and attaches its certificate containing the public key to the message.
    The receiver then verifies the digital signature of the message with the sender's certificate attached to the message. There are two alternative trust models to verify the authenticity of the sender's public certificate:
    ○       In the direct trust model, the signer's public key certificate is compared with the locally maintained, expected public key certificate of the partner. Therefore, the direct trust model requires offline exchange of public key certificates, which can be self-signed or issued by a CA.
    ○       In the hierarchical trust model, the signer's public key certificate is validated by a locally maintained public certificate of the CA that issued the signer's public certificate. In addition, the subject name and the issuer of the signer's certificate are compared with the expected partner's identity configured in a receiver agreement on the receiver side.
    Generally, the hierarchical trust model enables chains of certificates attached to the message. The XI 3.0 message format, however, does not support such chains; the certificate used for signing has to be signed by a root CA.
    In the hierarchical trust model, the sender and the receiver only need to agree upon the CA and the subject name that the sender has used in its certificate.
    The following trust models are supported:
    ○       The RNIF and CIDX adapters support both a direct and a single-level hierarchical trust model.
    ○       The XI protocol and the SOAP adapter (with Web service security) only support a single-level hierarchical trust model.
    ○       The Mail adapter and the SOAP adapter (with S/MIME) support a multi-level hierarchical trust model.
    ●      When encrypting a message, the sender encrypts with the public key of the receiver (also verifying the correctness of the receiver's certificate by using the public key of the certificate's root CA).
    The receiver decrypts with its private key certificate.
    For more information about the certificate store, see Certificate Store.
    Whenever a message is signed, the receiver archives the signed messages for non-repudiation purposes. See Archiving Secured Messages.
    reg,
    suresh

  • Message Level Security and Performance

    Hi All,
    Does the implementation of Message Level security features Like SSL and Encryption degrade the performance of the server in Processing the messages ?
    regards,
    Rahul

    Encryption related performance issue is purely related to size of messages.
    In my opinion, SSL wouldn't affect the performance for large messages. SSL will take its usual time for checking for security.
    And the volume and size could anytime affect the performance
    Regards,
    Prateek

  • WebServices and message level security

    Hello,
    I am investigating about the use of XI web services using message level security (encrypted xml), is it possible to achieve this between an SAP provider and a third party consumer, without using a PCK or developing a specific adapter? (most solutions I see always point to this).
    If anyone could shed some light into this matter i would be thankful.
    Regards,
    Leandro Fonseca

  • Message Level Security in FTPS

    Hi ,
    Does the File Adapter with FTPS provide Message Level Security?
    And what is the exact difference between FTPS for Control Connection and FTPS for Control and Data Connection?
    What is the significance of the "Use X.509 Certificate for Client Authentication" check box? If we check it what will happen, or if we don't what will happen?
    Thanks.
    Anitha.

    >
    Anitha SAP wrote:
    > Hi Rajesh,
    >
    >       I have to use only FTPS. Because my client is suggesting that only. Isn't possible using FTPS ?
    > And Tell me The Difference Between FTPS for Control Connection and FTPS and Control and Data Connection .
    > Necessity of Public key certificate from FTP Server?
    >
    > Thanks.
    > Anitha.
    PI supports FTPS. You can use the File adapter for the same.
    The basic difference when we talk about FTPS for Control Connection and FTPS for Control and Data Connection is that in case of FTPS for Control and Data Connection, your data is also encrypted. Else the connection is secure but the data level encryption will not be active.
    FTPS works with certificates and hence the need for the same.

  • Message level security: difference digital signature and certificate

    Hi everybody,
    could anybody please explain the difference between digital signature and certificate?
    Thanks
    Regards Mario

    Mario,
    A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
    A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.
    where as
    A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.
    hope it helps u.
    --Archana

  • HTTPS (Transport Level Security)

    Hi SDNers,
    I have a question regarding securing a SOAP Sender scenario using HTTPS. We are on PI 7.11 and have a SOAP-PI-RFC scenario. I have used a HTTP Sender instead of a SOAP channel to configure the option of 'HTTPS without Client Authentication'. I have generated the WSDL for this and tested successfully using SOAP UI.
    But our client needs a SSL certificate for this. As far as I understand SSL certificates are used only for message level security. But here they are OK with just transport level security. Do we need any certificates in this case? Please clarify.
    Another question I have is, is there any way of using HTTPS (transport level security) using SOAP Sender adapter? The option of 'HTTPS without Client Authentication' is not available anymore from PI 7.1 SP1 onwards. That is the reason I used a HTTP sender adapter.
    Any help is much appreciated  <text removed>
    Thanks & regards,
    Sudheer
    Edited by: Matt on Oct 12, 2011 6:49 AM

    Hi Abhishek,
    I am not able to see that option in the SOAP Sender channel configuration. Besides, the help link from SAP also does not show this option.
    Here is the link for EHP1:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
    and here is the link you gave,
    http://help.sap.com/saphelp_nwpi71/helpdata/EN/fc/5ad93f130f9215e10000000a155106/content.htm
    Clearly, both are for configuring the sender SOAP channel, but the options are different if you notice.
    I am not able to understand where I am going wrong.
    Appreciate your quick response.
    Regards,
    Sudheer

  • What is content level security?

    Hello All,
    What is content level security?? how is it different from role/access based security?
    Please clarify.
    Thanks
    Ram

    I think that you are thinking about message-level security, where you can protect either an entire message, or simply parts of it (the content of the message). This type of security can be used with web services.
    WSIT (Web Services Interoperability Technology) can be used to secure message contents. An overview of WSIT technology can be found at http://blogs.sun.com/ashutosh/entry/overview_of_security_in_wsit or at http://java.sun.com/webservices/interop/. A tutorial discussing how to secure web services using WSIT technology is at https://wsit-docs.dev.java.net/releases/m4/SecurityProfiles.html#wp113333.
    Hope this helps

  • Sending Transport-level Secured messages to OSB

    Hi all,
    I'm working with OSB, I created a proxy service to expose a Business Service as HTTP, the Proxy has Transport-level security set with XACMLAuthenticator for a Role. I can test it in the test console perfectly however I don't know how to call it any other way.
    I would need to call it from an SCA and from a JSP. I'd like to know how to add the credentials to the message.
    Thanks,
    Pablo

    Hi Pablo,
    If it is a WSDL based web-service then you may use SOAPUI (http://www.soapui.org/) to test this service.
    > I would need to call it from an SCA
    May I know which type of proxy service you have created and what is the input and output type expected?
    > and from a JSP. I'd like to know how to add the credentials to the message.
    http://blogs.oracle.com/mneelapu/2010/09/how_to_serve_html_through_osb.html
    Quite a similar implementation could be done to call it from a JSP.
    Regards,
    Anuj

  • Implement row-level security using Oracle's Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracle's Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/"application" database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
    What do we need from the Business Objects support team?
    1.     Review the 2 attempted solutions that we have tried to implement
    2.     Propose solutions/answers to open questions for each of the attempted solutions
    3.     Propose any alternate solution that will help us implement the Function Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER')
    app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that "Using the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization."
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END;
    ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being "executed" on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

    the connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    CREATE OR REPLACE PROCEDURE vpd_setup (p_user VARCHAR) IS
    BEGIN
      -- DBMS_SESSION.SET_CONTEXT writes the attribute into the application
      -- context; the context must have been created with
      --   CREATE CONTEXT session_values USING vpd_setup;
      -- so that only this trusted procedure may set it.
      DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', p_user);
    END vpd_setup;
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.
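    As an added example (not the poster's code), here is the rest of the VPD wiring that the ConnectInit approach above relies on: the application context and its trusted procedure, a policy function that reads the context and fails closed when it is unset (which is what protects against a pooled connection being reused before ConnectInit has run, the concern raised in question ii above), and the DBMS_RLS policy registration. The schema app_user, the table ORDERS and its column OWNER_ID are assumed names.

```sql
-- Application context that only the trusted procedure below may write.
-- Namespace and attribute match the ConnectInit call in the thread.
CREATE OR REPLACE CONTEXT session_values USING app_user.vpd_setup;

-- Called from the Universe ConnectInit:
--   begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
-- The BO user name is normalised so the predicate compares like with like.
CREATE OR REPLACE PROCEDURE app_user.vpd_setup (p_user IN VARCHAR2) IS
BEGIN
  DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', UPPER(TRIM(p_user)));
END vpd_setup;
/

-- Policy function: returns the WHERE predicate Oracle appends to every
-- statement on the protected table. Fails closed: a session whose
-- context was never set (e.g. a pooled connection handed out without
-- ConnectInit running) sees no rows instead of all rows.
CREATE OR REPLACE FUNCTION app_user.orders_rls_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
  v_user VARCHAR2(128) := SYS_CONTEXT('SESSION_VALUES', 'USERID');
BEGIN
  IF v_user IS NULL THEN
    RETURN '1 = 0';
  END IF;
  -- Reference the context inside the predicate rather than splicing the
  -- user name in as a literal, so the value's content cannot alter the SQL.
  RETURN 'owner_id = SYS_CONTEXT(''SESSION_VALUES'', ''USERID'')';
END orders_rls_predicate;
/

-- Register the policy on the assumed ORDERS table (hypothetical name) for
-- reads and writes; update_check also applies the predicate to new values.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_USER',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_OWNER',
    function_schema => 'APP_USER',
    policy_function => 'ORDERS_RLS_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/
```

    A quick check after connecting through the Universe is `SELECT SYS_CONTEXT('SESSION_VALUES', 'USERID') FROM dual;`: if it returns NULL, ConnectInit did not run on that session and the policy will correctly return no rows.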

  • Row Level Security in EPM Workspace 11.1.2.2

    Hi All,
    I'm facing an issue while implementing Row Level Security in Workspace.
    The error goes like this: "Error Accessing Row level security information Server Error: 1012 Unable to acquire row level security information from repository ..........".
    I have configured ODBC, DAS as per the documentation and enabled the RLS using the Navigate option. Given below are windows and db info
    OS:Windows Server 2008- 64 bit
    DB:MS Sql Server 2008
    DBUser: with full admin permission on database.
    Thanks in Advance

    Hi All,
    Given below is the DAS log..
    [2013-06-25T10:16:21.761-04:00] [IR] [ERROR] [] [oracle.IR.com.brio.one.services.das] [host:] [nwaddr: 10.24.206.86] [tid: 20] [userId: epmt] [ecid: 0000JxqQx2C4ulmLwqH7iW1Hm49K00000D,0] [resource_id: Fetching Row Level Security Info] [session_id: OG77kW6K-0000013f7ba3e00d-0000-cd7b-0a18ce56] [subject: xxxxxxxx] [resource: IDataAccessServiceImpl::getRowLevelSecurityInfo] [originator_name: InteractiveReportingDataAccessService] SQL API: [SQLExecDirectW], SQL RETURN: [-1], SQL STATE: [42S02], SQL NATIVE ERROR: [208], SQL MESSAGE: [[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'RLSUser1.BRIOSECG'.][[
    [2013-06-25T10:16:21.761-04:00] [IR] [ERROR] [] [oracle.IR.com.brio.one.services.das] [host: xxxxx] [nwaddr: 10.24.206.86] [tid: 22] [userId: epmt] [ecid: 0000JxqQx2F4ulmLwqH7iW1Hm49K00000E,0] [resource_id: Fetching Row Level Security Info] [session_id: OG77kW6K-0000013f7ba3e00d-0000-cd7b-0a18ce56] [subject: gmarichetty] [resource: IDataAccessServiceImpl::getRowLevelSecurityInfo] [originator_name: InteractiveReportingDataAccessService] Unknown exception handled in RequestProcessor::GetRowLevelSecurityInfo()@D:\talleyrand\views\buster_talleyrand_bi_code\v1_bi_code\services\com\brio\one\services\das\proc\reqproc.cpp:1284[[
    [2013-06-25T10:16:21.762-04:00] [IR] [ERROR] [] [oracle.IR.com.brio.one.services.das] [host: xxxxxx] [nwaddr: 10.24.206.86] [tid: 20] [userId: epmt] [ecid: 0000JxqQx2C4ulmLwqH7iW1Hm49K00000D,0] [resource_id: Fetching Row Level Security Info] [session_id: OG77kW6K-0000013f7ba3e00d-0000-cd7b-0a18ce56] [subject: xxxxxxx] [resource: IDataAccessServiceImpl::getRowLevelSecurityInfo] [originator_name: InteractiveReportingDataAccessService] DAS Exception handled in IDataAccessServiceImpl::getRowLevelSecurityInfo()@D:\talleyrand\views\buster_talleyrand_bi_code\v1_bi_code\services\com\brio\one\services\das\idl\impl\idasimpl.cpp:1560[[
    Exception Message: Unable to acquire row level security information from repository.
    Please note that ODBC/DAS are configured as per the documentation. I am able to see the BRIOSECG table in SQL Server, IR Studio and Web Client ("Invalid object name 'RLSUser1.BRIOSECG'.][["), but when I select some fields from this table in web client and process, then I get the error stated above..
    Any Suggestions are appreciated...
