Message Level Security with SOAP Adapter
Hi,
I need to use Message Level Security with my SOAP Adapter. Please let me know if anyone has done the same in the past?
What are the steps I would need to do? How can I use WSS based security in the SOAP Adapter?
Hi,
Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.
It improves communication-level security by adding security features that are particularly important for inter-enterprise
Message-level encryption is required if message content needs to be confidential not only on the communication lines but also in intermediate message stores.
Refer
How to use Client Authentication with SOAP Adapter
XML Encryption Using Web Services Security in SAP NetWeaver XI
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0650f56-7587-2910-7c99-e1b6ffbe4d50
http://help.sap.com/saphelp_nw04/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
Thanks
swarup
Similar Messages
-
SOAP receiver - Message level security - Encryption
Hello,
I want to use message level security when using HTTPS. Client provided us the encryption certificate which we have uploaded in the keystore, also done the necessary settings in PI 7.1 but we are getting the below mentioned error.
Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.security.lib.exception.SecurityException: SecurityException in method: apply( Message, CPALookupObject ). Message: SecurityException in method: apply( Message, CPALookupObject ). WSSEThread-Exception: SecurityException in method: run(). Message: Connection timed out: connect. To-String: java.net.ConnectException: Connection timed out: connect; To-String: com.sap.aii.security.lib.exception.SecurityException: SecurityException in method: run(). Message: Connection timed out: connect. To-String: java.net.ConnectException: Connection timed out: connect. To-String: com.sap.aii.security.lib.exception.SecurityException: SecurityException in method: apply( Message, CPALookupObject ). WSSEThread-Exception: SecurityException in method: run(). Message: Connection timed out: connect. To-String: java.net.ConnectException: Connection timed out: connect; To-String: com.sap.aii.security.lib.exception.SecurityException: SecurityException in method: run(). Message: Connection timed out: connect. To-String: java.net.ConnectException: Connection timed out: connect
Thanks & Regards,
Rahul NawaleI agree
Try executing a Full CPA Cache refresh. -
Message Level security : PI 7.1
Hello All,
We are currently evaluating the message level security options in PI in order to communicate with native ABAP systems like CRM , HR, BW etc. Does it need us to set up a PCK (Decentralized adapter engine) in order to use it ?
http://help.sap.com/saphelp_nwpi71/helpdata/en/a8/882a40ce93185de10000000a1550b0/content.htm
The scenarios are
SOAP - XI - Proxy
SOAP - XI - WS Adapter
Thanks.
KiranThanks Marcus & Caio !! The settings listed in the link
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
Do they have to be done on our ECC box and how do I do it for both Consumer and Provide Proxy ?
Is ther a link to the blog available for the same with comm channel documents.
Thanks.
Kiran -
Hi All,
In the PI to PI scenario i used certificates for sigining and encryption. For this i followed message level security document.
In PI1 message is signed and encrypted, but the sign is not validated and message is not decrypted in PI2 server. Output from PI2 server is coming in encrypted form. How to solve this issue.
PI1 SP is 11 and PI2 SP is 06.
Kindly suggest some solution.
Regards
PrakashHi,
Message-Level Security
Message-level security allows you to digitally sign or encrypt documents exchanged between systems or business partners. It improves communication-level security by adding security features that are particularly important for inter-enterprise communication. Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.
● A digital signature authenticates the business partner signing the message and ensures data integrity of the business document carried by a message.
Signatures are used in two scenarios:
○ Non-repudiation of origin
The sender signs a message so that the receiver can prove that the sender actually sent the message.
○ Non-repudiation of receipt
The receiver signs a receipt message back to the sender so that the original sender can prove that the receiver actually received the original message.
● Message-level encryption is required if message content needs to be confidential not only on the communication lines but also in intermediate message stores.
SAP NetWeaver usage type Process Integration (PI) offers message-level security for the XI protocol itself, for the RosettaNet protocol, for the CIDX protocol, and for the SOAP and Mail adapters. The table below summarizes the message-level security features of these protocols and adapters.
Message-Level Security Features
XI Protocol (XI 3.0)
Messaging components
Integration Server and PCK
SOAP
Adapter Engine and PCK
Mail
Adapter Engine
RNIF 2.0
Adapter Engine
RNIF1.1/CIDX
Adapter Engine
IIly
Signature
X
X
X
X
X
Non-repudiation of origin
X
X
(Web service security)
X
X
Non-repudiation of receipt
X
X
X
Encryption
X
X
X
X
Technology
Web service security (XML signature)
Signed parts are the SAP main header, the SAP manifest, and the payloads (SOAP attachments).
Encrypted parts are the payloads (SOAP attachments).
S/MIME or
Web service security (XML signature)
The SOAP body is signed.
S/MIME
S/MIME
PKCS#7
XI 3.0 is the XI protocol valid for both SAP NetWeaver ´04 and SAP NetWeaver 7.0.
Message-level security is not guaranteed across the entire communication path of a message, but only for the intended B2B connections, which can be the following communication paths, as described under Service Users for Message Exchange.
● XI protocol
○ (s4) Integration Server to Integration Server, PCK to Integration Server
○ (r4) Integration Server to Integration Server, Integration Server to PCK
● SOAP protocol
○ (s3) SOAP sender to Adapter Engine or PCK
○ (r3) Adapter Engine or PCK to SOAP receiver
● Mail protocols
○ (s3) Mail server to Adapter Engine or PCK (IMAP4/POP3)
○ (r3) Adapter Engine or PCK to mail server (IMAP4/SMTP)
● RNIF and CIDX protocol
○ (s3) RNIF or CIDX sender to Adapter Engine
○ (r3) Adapter Engine to RNIF or CIDX receiver
You define whether and how message-level security is to be applied to messages in the Integration Directory by using sender agreements on the inbound (sender) side in scenarios (s3) and (s4) and by using receiver agreements on the outbound (receiver) side in scenarios (r3) and (r4). For more information about configuring message-level security, see Security Configuration at Message Level.
Message-level security relies on public and private x.509 certificates maintained in the J2EE keystore, where each certificate is identified by its alias name and the keystore view where it is stored. Certificates are used in the following situations:
● When signing a message, the sender signs it with its private key and attaches its certificate containing the public key to the message.
The receiver then verifies the digital signature of the message with the senderu2019s certificate attached to the message. There are two alternative trust models to verify the authenticity of the senderu2019s public certificate:
○ In the direct trust model, the signeru2019s public key certificate is compared with the locally maintained, expected public key certificate of the partner. Therefore, the direct trust model requires offline exchange of public key certificates, which can be self-signed or issued by a CA.
○ In the hierarchical trust model, the signeru2019s public key certificate is validated by a locally maintained public certificate of the CA that issued the signeru2019s public certificate. In addition, the subject name and the issuer of the signeru2019s certificate is compared with the expected partneru2019s identity configured in a receiver agreement on the receiver side.
Generally, the hierarchical trust model enables chains of certificates attached to the message. The XI 3.0 message format, however, does not support such chains; the certificate used for signing has to be signed by a root CA.
In the hierarchical trust model, the sender and the receiver only need to agree upon the CA and the subject name that the sender has used in its certificate.
The following trust models are supported:
○ The RNIF and CIDX adapters support both a direct and a single-level hierarchical trust models.
○ The XI protocol and the SOAP adapter (with Web service security) only support a single-level hierarchical trust model.
○ The Mail adapter and the SOAP adapter (with S/MIME) support a multi-level hierarchical trust model.
● When encrypting a message, the sender encrypts with the public key of the receiver (also verifying the correctness of the receiveru2019s certificate by using the public key of the certificateu2019s root CA).
The receiver decrypts with its private key certificate.
For more information about the certificate store, see Certificate Store.
Whenever a message is signed, the receiver archives the signed messages for non-repudiation purposes. See Archiving Secured Messages.
reg,
suresh -
Invoking a message-level secured webservice WS Security
I am not having any luck invoking a webservice that has been secured via message-level security. For simplicity, I have been using WS-Security Policies provided by WebLogic and applying them on my webservice via annotations. I have been testing with Wssp1.2-Wss1.0-X509-TripleDesRsa.xml. I am using soapUI to invoke the webservice. When I send a singed soap request, I get a response indicating that it wasn't able to validate the signature. I made sure that both soapUI and WebLogic server is using the same identity store. I have also made sure that the certificate in the identity store is also in the trust store for WebLogic. There could also be a problem with the structure of the soap request. I send a soap request that includes a signature of the timestamp, the initiator token (x509 in binary form), and the body.
Anyone have luck with WebLogic webservice security and soapUI?Applying 'format XML' after signing it changes the message and makes the signature invalid, different content == different signature.
You should also ask yourself why you'd like to transport blank characters (zero information) over the wire just to make it more readable for yourself? Just compare the size of the unformatted and formatted message to see the waste of bandwidth.
--olaf -
Message Level Security in FTPS
Hi ,
Did File Adapter with FTPS will provide the Message Level Security ?
And What is the Exact Difference Between FTPS for Control Connection and FTPS for Control and Data Connection .
What is the Significance of Use X.509 Certificate for Client Authentication check box. If we check it what will happen r if we dont what will happen ?
Thanks.
Anitha.>
Anitha SAP wrote:
> Hi Rajesh,
>
> I have to use only FTPS. Because my client is suggesting that only. Isn't possible using FTPS ?
> And Tell me The Difference Between FTPS for Control Connection and FTPS and Control and Data Connection .
> Neccesity of Public key certificate from FTP Sever?
>
> Thanks.
> Anitha.
PI supports FTPS. you can use the File adapter for the same.
The basic difference when we talk about FTPS for Control Connection* and FTPS and Control and Data Connection is that in case of FTPS and Control and Data Connection, you data is also encrypted. Else the connection is secure but the data level encryption will not be active
FTPS works with Certificates and hence the need for the same -
Message Level Security in XI 7.0
Hi,
Have someone worked on Message level Security in XI 7.0 for transferring a file from one system to an external third party system?
If so can u provide me with links or documents?
Thanks
ManjulaHi,
Please Find the Required Details in the Links
http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Reward Points if Helpful
Regards
Khanna -
HTTP 415 Unsupported Media Type with SOAP adapter ?
Hello All,
Iam getting HTTP 415 Unsupported Media Type with SOAP adapter error while executing the scenario.
i got one thread which have the solution. iam not getting exactly how to write message transform Bean.
HTTP 415 Unsupported Media Type with SOAP adapter trying to put SOAP header
Please tell me where i need to write the MessageTransformBean at sender adapter or receiver file adapter.
Thanks and regards,
chinnaHi Chinna,
Have you checked this
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
Regards
Ramesh -
XIServer error raised: 503 Service Unavailable with SOAP Adapter
Hi,
We are getting a very strange error from a process that is working fine in 2 other environments.
We are sending a message into the SOAP receiver adapter and are getting the following error at the Call Adapter part of the process :
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
- <!-- Call Adapter
-->
- <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
<SAP:Category>XIServer</SAP:Category>
<SAP:Code area="INTERNAL">HTTP_RESP_STATUS_CODE_NOT_OK</SAP:Code>
<SAP:P1>503</SAP:P1>
<SAP:P2>Service Unavailable</SAP:P2>
<SAP:P3 />
<SAP:P4 />
<SAP:AdditionalText><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Error Report</title> <style> td {font-family : Arial, Tahoma, Helvetica, sans-serif; font-size : 14px;} A:link A:visited A:active </style> </head> <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0" rightmargin="0"> <table width="100%" cellspacing="0" cellpadding="0" border="0" align="left" height="75"> <tr bgcolor="#FFFFFF"> <td align="left" colspan="2" height="48"><font face="Arial, Verdana, Helvetica" size="4" color="#666666"><b>&nbsp;&nbsp;503 &nbsp Service Unavailable</b></font></td> </tr> <tr bgcolor="#3F73A3"> <td height="23" width="84"><img width=1 height=1 border=0 alt=""></td> <td height="23"><img width=1 height=1 border=0 alt=""></td> <td align="right" height="23"><font face="Arial, Verdana, Helvetica" size="2" color="#FFFFFF"><b>SAP J2EE Engine/6.40&nbsp;</b></font></td> </tr> <tr bgcolor="#9DCDFD"> <td height="4" colspan="3"><img width=1 height=1 border=0 alt=""></td> </tr> </table> <br><br><br><br><br><br> <p><font face="Arial, Verdana, Helvetica" size="3" color="#000000"><b>&nbsp;&nbsp;The requested application, AFW, is currently unavailable.</b></font></p> <p><font face="Arial, Verdana, Helvetica" size="2" color="#000000"><table><tr><td valign="top"><b>&nbsp;Details:</b></td><td valign="top"><PRE>No details available</PRE></font></td></tr></table></font></p> </body> </html></SAP:AdditionalText>
<SAP:ApplicationFaultMessage namespace="" />
<SAP:Stack>HTTP response contains status code 503 with the description Service Unavailable XML element Envelope missing in SOAP message header (SAP XI Extension)</SAP:Stack>
<SAP:Retry>N</SAP:Retry>
</SAP:Error>
We are on XI 3.0 SP13.
Any suggestions ?
Kind regards
Colin.Hi Colin,
Quick look into these-
1) Are you able to test the WebService, because the error tells about unavailable...
For more-
/people/siva.maranani/blog/2005/09/03/invoke-webservices-using-sapxi
/people/siva.maranani/blog/2005/03/01/testing-xi-exposed-web-services
2) Is your SOAP Receiver COnfiguration is correct
~ http://help.sap.com/saphelp_nw2004s/helpdata/en/29/5bd93f130f9215e10000000a155106/content.htm
3) Check the wsdl is correct and try look into the input message for the Webservice(SOAP Adapter)
Have a look into this thread-
503 service unavailable
Hope this helps,
Regards,
Moorthy -
Prolog with soap adapter in PI
Dear All,
We run a scenario Proxy=>PI=>HTTP
The remote service accepts messages POSTed using either the form-encoded format (name, value pairs)
or the multi-part mime format which enables the files to be passed to the web service.
In both cases, the external service replies with a multi-part message.
We are going to use the SOAP adapter (plain HTTP does not support attachments)
with nosoap flagged.
What is best approach to add a prolog before the actual XML with SOAP adapter,
to simulate the form-encoded format?
Example :
USER=USER1&PASS=PASS1&DB=DB1
In the 2nd situation, how to create the different documents before the actual XML?
Example :
7d924f5b0464
Content-Disposition: form-data; name="USER"
USER1
7d924f5b0464
Content-Disposition: form-data; name="PASS"
PASS1
7d924f5b0464
Content-Disposition: form-data; name="DB"
DB1
Best regards,
KR,
LaurentDear All,
We run a scenario Proxy=>PI=>HTTP
The remote service accepts messages POSTed using either the form-encoded format (name, value pairs)
or the multi-part mime format which enables the files to be passed to the web service.
In both cases, the external service replies with a multi-part message.
We are going to use the SOAP adapter (plain HTTP does not support attachments)
with nosoap flagged.
What is best approach to add a prolog before the actual XML with SOAP adapter,
to simulate the form-encoded format?
Example :
USER=USER1&PASS=PASS1&DB=DB1
In the 2nd situation, how to create the different documents before the actual XML?
Example :
7d924f5b0464
Content-Disposition: form-data; name="USER"
USER1
7d924f5b0464
Content-Disposition: form-data; name="PASS"
PASS1
7d924f5b0464
Content-Disposition: form-data; name="DB"
DB1
Best regards,
KR,
Laurent -
WebServices and message level security
Hello,
I am investigating about the use of XI web services using message level security (encrypted xml), is it possible to achieve this between an SAP provider and a third party consumer, without using a PCK or developing a specific adapter? (most solutions I see always point to this).
If anyone could shed some light into this matter i would be thankful.
Regards,
Leandro FonsecaHello,
I am investigating about the use of XI web services using message level security (encrypted xml), is it possible to achieve this between an SAP provider and a third party consumer, without using a PCK or developing a specific adapter? (most solutions I see always point to this).
If anyone could shed some light into this matter i would be thankful.
Regards,
Leandro Fonseca -
Data level Security with Oracle Apps as Source
Hi all
I am implementing Data level Security with Apps as Source(OLTP) on Single Sign On.(Oracle has provided the Vanila rpd & we are working on that)
I need to Filter data based on Business Group, Users are created in Apps and they are registered with some Responsibilities.
(for eg, OBI User CHINA is a Responsibility; Now he will get only Business Group ID for China)
I have created Groups in rpd with same name as the responsibility in Apps.
I have created Initialization Blocks from which I m getting only 1 business group ID for every :USER.(I tried the code in TOAD & I m getting the correct BG ID)
I have created Group in WEB with the same name as the Group name in rpd.
If I say show all Users and Groups in WEB, I m getting the APPS Users.
I hv Reloaded the server metadata files and restarted the BI Server/WEB Server also...
But in the Report, I m getting all the Business Group Ids,
Plz advice if I m doing something wrong.
ThanQ
AnandYou need to be creating your "business groups" as a group in the RPD, init blocks to retrieve the user business group at login. Filters in the Logical table sources to restrict data to relevant business groups only.
Presentation 'Web Cat' groups with the same name as the RPD groups so a user inherits membership automatically.
I'd suggest sourcing a vanilla OBIA rpd to see how it is implemented out of the box. -
Message Level Security and Performance
Hi All,
Does the implementation of Message Level security features Like SSL and Encryption degrade the performance of the server in Processing the messages ?
regards,
RahulEncryption related performance issue is purely related to size of messages.
In my opinion, SSL wouldnt affect the performance for large messages. SSL will take its usual time for checking for security.
And the volume and size could anytime affect the performance
Regards,
Prateek -
Messages failing in the SOAP adapter with the errror
HI
I am getting the below error in the SOAP adapter monitoring . can any body tell what does "No route to host: Connect" mean .
could some one help us on resolving this .
Error Exception caught by adapter framework: No route to host: connect
Error Delivery of the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.aii.af.ra.ms.api.RecoverableException: No route to host: connect: java.net.NoRouteToHostException: No route to host: connect. Setting message to status failed.
Error The message status set to FAIL.
Error Returning synchronous error message to calling application: com.sap.aii.af.ra.ms.api.RecoverableException: No route to host: connect: java.net.NoRouteToHostException: No route to host: connect.
thanks and regards
sandeepHi!
First please confirm whether you are working on XI or PI 7.1 ?
because in XI you need to generate WSDL manaually via Tools>Define Web service-Giving Input..and in XI you need to test the SOAP scenario from external tool like Altova xml spy tool kit or else SOAP client tool.
In PI 7.1::
You can publish directly the web service in the SERVICE REGISTRY from sender agreement onwards.
once it is published you can check the status on your interface in service registry as CONFIGURED..Okay
Here you can test directly in service registry...
According to your error check ocne agan even though you gone through all the steps..
1. Check whether the SOAP service is active or not in SICF>SAP>bc>XI>Service-->SOAP.
2. sicne after generating wSDL u can get one url right that URL itself acts as a gateway to enter the source data into XI..
lets give to the source team to try with XI super uID adn PWD as authentification.
3. Also please STOP ur communication Channel and start once again.
4. Please check whether the WEB Service is configured correctly or not.
Regards::
Amar Srinivas Eli -
Following message failing in sender soap adapter
Hi all,
The message below fails when it is sent to our adapter with a 500 error from a webmethods server. however if I pull the soap message out of the mime, and use our client test tool, it posts fine.
What is wrong with the message below?
Message-ID:<28413146.1155935375732.JavaMail.webmethods@exshaw>
MIME-Version: 1.0
Content-Type: multipart/related; type="text/xml"; boundary=X-K12456234-X
X-K12456234---X
content-type: text/xml;charset=UTF-8
content-transfer-encoding: 7bit
Content-ID: <SES>
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/1999/XMLSchema"
xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance">
<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"></SOAP-ENV:Header>
<SOAP-ENV:Body>
<nr1:ServiceAcknowledgementRequest xmlns:nr1="http://sap.com/xi/SAPGlobal/Global">
<MessageHeader>
<ID schemeID="0240">74000003400000000020060329170547</ID>
<CreationDateTime>2006-03-29T17:05:47Z</CreationDateTime>
<SenderParty>
<InternalID schemeID="PartnerID" schemeAgencyID="SSR_100">6000000011</InternalID>
</SenderParty>
<RecipientParty>
<InternalID schemeID="PartnerID" schemeAgencyID="SSR_100">0000000236</InternalID>
</RecipientParty>
</MessageHeader>
<ServiceAcknowledgement>
<ID schemeAgencyID="SSR_100" schemeAgencySchemeAgencyID="ZZZ">7400000340</ID>
<BuyerID>7400000340</BuyerID>
<CreationDateTime>2006-03-29T17:03:55Z</CreationDateTime>
<Note>Service Entry Sheet#1</Note>
<Item>
<ID>10</ID>
<Quantity unitCode="EA">5.0</Quantity>
<Product>
<TypeCode>1</TypeCode>
<Note>Test Service</Note>
</Product>
<Price>
<NetUnitPrice>
<Amount currencyCode="USD">1.0</Amount>
<BaseQuantity unitCode="EA">1.0</BaseQuantity>
</NetUnitPrice>
</Price>
<PurchaseOrderReference>
<ID>2000000742</ID>
<ItemID>1</ItemID>
</PurchaseOrderReference>
</Item>
</ServiceAcknowledgement>
</nr1:ServiceAcknowledgementRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
X-K12456234---XHi Richard,
I think, it is because of the Autorization Problem..i.e
Webservice is not able to execute by SOAP adapter.. So Security Roles etc..
Check this SAP SOAP Note for FAQ-856597 (Question No 1)
A similar symptom is mentioned in this note....
Regards,
Abhy
Maybe you are looking for
-
Moving files from one account to another
I have set up a new account for my wife, how do I move all of her folder to her account from mine. Thanks iMac Mac OS X (10.4.3) iMac Mac OS X (10.4.3)
-
Using iCloud mail in Snow Leopard - AND restoring old mail system
I use Snow Leopard and cannot upgrade to Lion since my MacBook Pro is too old. Apple discontinued my traditional Mail service last week and said it is now transferred to iCloud. 1. Is there any way I can get my traditional Mail service restored since
-
Document Resizing question - InDesign CC
In previous versions of InDesign that I've used, if I had something centered on a 12" x 18" page (so centered at 6" x 9"), I could decide to change the document setup size to a different sized paper, for example 13" x 19". When I would do that, it w
-
Hi, We have been receiving several POs from other SAP systems which will be created as SO in our sytem. The following error occurs for the IDocs and the IDoc could not be processed automatically. This needs to be processed in foreground. "The materia
-
CS5 Save for web not showing in Name order..Help
Hi I have noticed today that something has changed. I am using Photoshop CS 5 on Windows XP Pro. When saving images for web (for my proofing system i do which is saving photos of cars i.e CAR-10_01, _02 and so on then CAR-22_01, _02 and so on when i