Requiring https in Apex-authenticated application

Apex 4.1.1 on OHS
From reading around the subject it seems that to remove http access from authenticated pages in Apex 4.1, the cookie for the authentication scheme should be set to Secure = 'Y'.
We have a custom authentication scheme in which no cookie details are specified, and I'm not sure what the implications would be of setting Secure = Y in those circumstances.
Can anyone point to a resource with more information about this, or explain whether the cookie name (and path/domain?) should be set if secure is set to "Yes"?
We do have https enabled on the server and are able to navigate the app with it, we just need to disable https.
Thanks in advance

If you only use HTTPS then you should set the secure cookie flag... http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
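As an added check, written for this page and not taken from the thread or from Oracle: a small audit of the Set-Cookie headers an application returns, reporting which cookies lack the Secure and HttpOnly attributes and which of them a browser would still attach to a plain http:// request (with Secure set, the session cookie is simply absent on http, so the request arrives unauthenticated). The header values and the cookie name ORA_WWV_APP_100 are constructed placeholders.

```python
# Added example (not from the thread or from Oracle): audit Set-Cookie headers
# for the Secure and HttpOnly attributes and show which cookies a browser would
# still attach to a plain http:// request. Header values below are constructed;
# the cookie name ORA_WWV_APP_100 is a placeholder, not a real deployment value.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and its attribute flags.

    Attribute names are case-insensitive per RFC 6265, so they are lowered.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite"),
    )


def audit_cookies(headers: List[str]) -> List[CookieAudit]:
    """Flag cookies that lack the attributes an authenticated session needs."""
    results = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie.secure:
            cookie.problems.append(
                "missing Secure: the browser will also send it over plain http://"
            )
        if not cookie.httponly:
            cookie.problems.append("missing HttpOnly: readable by page script")
        results.append(cookie)
    return results


def cookies_sent_over(headers: List[str], scheme: str) -> List[str]:
    """Names of cookies a browser would attach to a request using `scheme`.

    A Secure cookie is never sent over http, so with Secure=Y the http request
    carries no session cookie and the user is simply not authenticated.
    """
    return [
        c.name
        for c in audit_cookies(headers)
        if scheme == "https" or not c.secure
    ]


# Constructed sample responses: one unflagged session cookie, one hardened,
# and one non-session cookie without HttpOnly.
SAMPLE_HEADERS = [
    "ORA_WWV_APP_100=1A2B3C4D; Path=/apex; HttpOnly",
    "ORA_WWV_APP_100=1A2B3C4D; Path=/apex; Secure; HttpOnly",
    "LAST_PAGE=101; Path=/apex; Secure",
]

if __name__ == "__main__":
    for cookie in audit_cookies(SAMPLE_HEADERS):
        status = "; ".join(cookie.problems) or "ok"
        print(f"{cookie.name}: {status}")
    print("sent over http: ", cookies_sent_over(SAMPLE_HEADERS, "http"))
    print("sent over https:", cookies_sent_over(SAMPLE_HEADERS, "https"))
```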

Similar Messages

  • How to call a web service from BPEL that requires HTTP basic authentication

    Hi All,
    I need to call some Web Services from BPEL (SOA 10.1.3.1 production running on XP machine). The services require HTTP basic authentication.
    I have tried adding httpUsername and httpPassword properties to the PartnerLink, and I see in BPEL Console that they are deployed by checking the descriptor page. But I still get a SOAP fault, HTTP 401: Unathenticated.
    I have also tried using basicHeaders (from memory) = credentials, httpBasicUsername, and httpBasicPassword. Same result.
    I have done a packet trace using Ethereal, and the headers do not seem to contain the userid and password at all.
    Can anyone help?
    Thanks,
    Mark Nelson

    Thanks Bas,
    I have resolved the issue. The provider of the Web Service had not configured it for Basic Authentication. For some reason it worked when they tested, or maybe they did not test. The only thing I had to change was to use:
    <property name="basicHeaders">credentials</property>
    <property name="basicUsername">WMDATA</property>
    <property name="basicPassword">WMDATA</property>
    Instead of:
    <property name="httpUsername">WMDATA</property>
    <property name="httpPassword">WMDATA</property>
    I don’t know why this is, maybe because it is an Axis Web Service.
    Sorry for wasting your time.
    Regards Pete

  • Fiori Wave 2 Launchpad HTTP 511 Network Authentication Required

    Dear expert,
    When I try to call the Fiori launchpad, it returns the code of HTTP 511 Network Authentication Required. BEFORE the login screen shows.
    Also error: GET /sap/bc/ui5_ui5/ui2/ushell/shells/abap 401 Unthorized.
    However if I maintain the ushell service in SICF on the LOGON DATA tab with a specific user A103296,
    the homepage (with error "unable to load groups") comes out directly without the login screen.
    For "unable to load groups", it says 401 Unauthorized for PAGE_BUILDER_PERS.
    However I have both the authorizations SAP_UI2_ADMIN_700 and SAP_UI2_USER_700 for A103296.
    I suppose there's no need to maintain the logon data for the SICF service, right?
    On the other hand, the Launchpad Admin screen runs smoothly without any issue.
    Could you please help on this? Masayuki Sekihara
    Thank you very much indeed!
    Thanks,
    Chloe

    Hi Masa,
    The issue is solved.
    Because the customer's /bc/ui5_ui5/ui2 service logon ABAP class was changed from /UI2/CL_SRA_LOGIN to /IWFND/CL_COC_SYSTEM_LOGIN.
    Changing the class back to /UI2/CL_SRA_LOGIN, I am able to log on to the launchpad now.
    But I cannot figure out why this error message shows about "authentication".
    Thanks,
    Chloe

  • HTTP Status 401. This request requires HTTP  authentication ()

    Hi!
    Could you please help me with the following problem: I go to the Infoview login page using the link: http://mostro-bo-web:8082/InfoViewApp/logon.jsp. When I use IE there is no problem, I go to the login page, but when I use the Mozilla browser I have the following error:
    HTTP Status 401 - type Status report
    description This request requires HTTP authentication ().
    Apache Tomcat/5.5.20
    We use SSO for Infoview for domain users, but when I go to the login page (http://mostro-bo-web:8082/InfoViewApp/logon.jsp) I'm not in the domain (my computer isn't in the domain) and when I use IE I go to the login page of InfoView, but when I use Firefox I have the error above.
    What's the problem?
    Thanks, Viktor

    Hi,
    try the following URL:
    http://YOUR_BO_SERVER:8080/InfoViewApp/logonNoSso.jsp
    Check also SAP Note 1326266 and 1263764
    Regards
    -Seb.

  • Self password reset functionality (Apex Authentication)

    Hi everyone,
    I am using Apex 4.1 (can upgrade to 4.2 if any new feature helps solve my problem)
    Oracle DB XE 10g
    Authentication Scheme: Standard Apex Authentication
    I have created a page for Resetting password of End Users which takes username in a txt box and runs the process with the code on clicking button as
    APEX_UTIL.RESET_PW(:P102_USERNAME, 'Some custom message');
    After going through documentation (and also the message displayed on use), I found that it requires admin privileges to execute, while I want to use it for End users of application.
    Is there a work around to this problem? Please help.
    Thanks
    Saurabh

    Hi Saurabh,
    another way to implement the forgot password feature without seeing the standard APEX screens for this is to call the standard reset form from PL/SQL and automatically SUBMIT it via the URL (so you don't have to show the form but you can use your own layout).
    The only downside I know so far is that the email cannot be formatted ( as far as I know ), but the first step for a customized reset pw feature is there :
    Just call this URL :
    http://<<SERVER>>:<<PORT>>/apex/f?p=4550:7::BRANCH_TO_PAGE_ACCEPT|resetpassword:NO:7:F4550_P7_EMAIL,F4550_P7_COMPANY:<<MAILADDRESS>>,<<WORKSPACE>>
    In a PL/SQL proc called from your reset password link this could look something like this:
    declare
      lv_rest_result varchar2(4000);
    begin
      -- request the standard reset-password page (app 4550, page 7) with the
      -- email and workspace passed as page items, so the form submits itself
      lv_rest_result := wwv_flow_utilities.clob_to_varchar2 (
                            apex_web_service.make_rest_request( p_url         => 'http://<<SERVER>>:<<PORT>>/apex/f?p=4550:7::BRANCH_TO_PAGE_ACCEPT|resetpassword:NO:7:F4550_P7_EMAIL,F4550_P7_COMPANY:<<MAILADDRESS>>,<<WORKSPACE>>'
                                                              , p_http_method => 'GET' ) );
    end;
    You might have to tweak the code a bit, I've tested this a while ago and it should work but you might add some code to find the current workspace etc.
    Regards
    Bas

  • HTTPS Without client authentication shows error of Certificate

    Hi Experts,
    I am trying to develop a SOAP to RFC scenario where in SOAP sender HTTP security level - HTTPS Without Client Authentication is selected.
    I have downloaded WSDL from Sender agreement and trying to test web service from SOAPUI.  Now as per my understanding simply placing request to HTTPS:<host>:<port>:XISOAPAdapter/....   with correct user should work and this scenario shouldn't need any certificates.
    However in SOAPUI and even in RWB SOAP Sender, I am receiving error that - Client Certificate required.
    Any comments on why it would be happening? In fact whatever option in HTTP Security level I select, the error remains the same. In NWA is there any other configuration to be done to make this work?
    Is below understanding right ?
    -- >> HTTPS Without client authentication will not need certificate exchange and simply user authentication will do
    Thanks..
    regards,
    Omkar.

    Hello Omkar,
    What you are trying to do is Consume a SOAP->RFC scenario (synchronous) from SOAP UI and you want that to be secure. With this requirement, just having the certificates alone is not sufficient (sorry for the late response.. I just came across this post when I was searching for something else)
    1) How did you generate the certificate and the private key? Because Key Generation plays a Big Part in it. The Key should have been signed by a CA. If it's not signed by a CA, a trick which would work is, at the time of Key generation, provide the Organization Name as SAP Trust Community and Country as DE.
    2) At the time of Key Generation it shall definitely ask for a password. Remember that.
    3) Export the Private Key in PKCS12 format and the certificate in Base64 format and have them on your local system (they shall be used later in SOAP UI and NWA)
    Here follows the major part
    4) Open NWA and go to Configuration Management->Authentication
    5) Go to the Properties Tab and click Modify
    6) Under Logon Application select the check box "Enable Showing Certificate Logon URL Link on Logon Page" and save it.
    7) Now go to the Components Tab.
    8) Search for the client_cert Policy Configuration name and Edit it. Make sure the following Login Modules are maintained in the same Order
    ==> Name: com.sap.engine.services.security.server.jaas.ClientCertLoginModule
           Flag: Sufficient
    ==> Name: BasicPasswordLoginModule
           Flag: Optional
    9) Now Select the name com.sap.engine.services.security.server.jaas.ClientCertLoginModule and you can see lots of entries under the Login Module Options. Remove them all and add a new entry (case sensitive). Save it.
    ==> Name: Rule1.getUserFrom
           value: wholeCert
    10) Now search for the Policy Configuration name sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter and edit it.
    11) Under the Authentication stack select the template client_cert against the used template label, and save it
    12) If you are using the AXIS Adapter, do step 11 for the Policy Configuration name sap.com/com.sap.aii.axis.app*XIAxisAdapter.
    13) Now in NWA navigate to Operation Management->Identity Management
    14) Search for the user PIISUSER (or any user id which you think has a good amount of authorizations to access the service)
    15) Click Modify and go to the TAB Certificates and upload the certificate (not the private key) which you downloaded in step 3.
    16) With this setup what you have done is: you have created a proper certificate, enabled certificate based logon for the SOAP and AXIS adapters and associated the certificate with a user id.
    17) Usually in Dual stack PI, we will have the same certificate added to the server PSE in the STRUSTSSO2 tcode. But since it's single stack, just make sure in the certs and keys you add this certificate to the Trusted CAs and also to the Server Keystore.
    18) Now in SOAP UI Right Click on the Project Name->Select Show Project View->Under the WS Security Configurations->Go to Keystore and certificates and add the Private Key
    19) In SOAP UI under the operation name, in the Request, instead of providing user credentials, choose the private key name against the SSL Keystore entry.
    20) Before you execute the scenario make sure you have chosen the HTTPS url and the https port is proper. Usually it's 443, but some customers configure their own port.
    The scenario should work now. Else, if you track it using XPI Inspector, you can find out easily at which step it has gone wrong.
    Good Luck!!
    Best Regards,
    Sundar

  • JNLP & User Authentication (Application Portal Dilemma)

    There is an interesting article on JavaWorld under the Applied Java Topic about distributed applications and Java Web Start. Recently I have also become a big fan of rapid thick-client deployment using the JNLP framework. However, I (and many others I suspect) have come across a road-block implicit to distributed application (non-applet) development. There is no ability to preserve a session.
    Now in Jonathan Simon's article, it presents the case for "Application Portals" in which one could easily set up an authentication servlet and during run-time construct a list of verified applications. This implementation seems straightforward, but I am confused on one simple point for which I am in "dying-need" of clarity. The JNLP simply provides a link and protocol to deploy and update the client-side application. Upon initial execution or launching, the "link" is unknown making this solution great. However, once launched the link can be determined and the application can be executed without the use of the authentication portal (or if an off-line implementation is also deployed - launched locally).
    Is there a current design pattern to circumvent this limitation? How can I pass session information or even arguments to the client-application when launched? What happens when the application is launched via the desktop integrated icon? At first glance, I would expect the solution to be to invoke a WebService from the application upon execution of main. This service would then authenticate, but still would require its own interface for data (user/pass) capturing - thereby nullifying the entire point of setting up an authenticating application portal.
    Any suggestions or clarity would be well received

    I'm not sure if this will help you guys or not, but there is a guide for deploying JNLP applications from a servlet here: http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/downloadservletguide.html
    Perhaps you can use this to dynamically specify the JNLP file. If a user accesses the server from the plain URL the servlet assigns a new session id, and places this in the codebase or href of the JNLP file it sends to the user. Later when the user runs the JNLP application from app manager, or an icon, the servlet will see the decorated codebase/href and act accordingly.
    Anyway, like I said, I'm not sure if this is exactly what you are looking for, but I think it has been used in the past for session maintenance.
    As to why JNLP doesn't support portal tech... these two technologies were invented at the same time. Initially they were somewhat competing ideas.
    For the future it might be possible to make JNLP more portal friendly, but in that case, Sun needs to have a better idea from the users what is needed. Simply saying, "make it better" is just too vague. Be specific, and who knows what good ideas might be picked up. (Another possibility is to contribute your own ideas for improvement through http://www.java.net/).
    Mike.

  • APEX Timesheet application

    Hello,
    I installed APEX timesheet application from http://www.oracle.com/technetwork/developer-tools/apex/application-express/packaged-apps-090453.html#TIME
    It got installed fine, but seems to have a lot of bugs.
    1. "Add Row" does not work on the timesheet page
    2. "Delete" for a row gives weird results.
    3. Can't create any admin user and thereafter 2 parts of the application can't be seen.
    Has anyone faced similar issues, and if YES, is there a fixed version of this application?
    regards, Yora

    Hi all,
    In response to my previous post, I would like to update that I have been able to generate my required region.
    Now the final query is as follows:
    DECLARE
      v_query varchar2(10000);
      v_count number;
    BEGIN
      select count(*) into v_count from tb_opti_emp_ts where emp_id=:P7_EMPLOYEE and proj_ref=:P7_PROJ_REF and rel_id=:P7_RELEASE_ID;
      IF ((:P7_RELEASE_ID is not null) and (v_count>0)) THEN
        v_query := 'SELECT b.act_code activities,apex_item.text (1, a.ts_wd1, 10, 10) monday,apex_item.text (2, a.ts_wd2, 10, 10) tuesday,apex_item.text (3, a.ts_wd3, 10, 10) wednesday,apex_item.text (4, a.ts_wd4, 10, 10) thursday,apex_item.text (5, a.ts_wd5, 10, 10) friday,apex_item.text (6, a.ts_wd6, 10, 10) saturday,apex_item.text (7, a.ts_wd7, 10, 10) sunday,apex_item.text (8, a.ts_remarks, 70, 128) remarks from tb_opti_emp_ts a, tb_opmi_proj_act_map b WHERE a.proj_ref = b.proj_ref
        AND a.rel_id = b.rel_id
        AND a.emp_id = '''||:P7_EMPLOYEE||'''
        AND b.rel_id = '''||:P7_RELEASE_ID||'''
        AND a.proj_ref = '''||:P7_PROJ_REF||''';';
      ELSIF (:P7_RELEASE_ID is null) then
        v_query := 'SELECT 1 FROM dual WHERE 1=0';
      else
        v_query:='select (select act_desc from tb_opmi_act_code a where a.act_code=b.act_code) as activities,apex_item.text(1,null) Monday,apex_item.text(2,null) Tuesday,apex_item.text(3,null) Wednesday,apex_item.text(4,null) Thursday,apex_item.text(5,null) Friday,apex_item.text(6,null) Saturday,apex_item.text(7,null) Sunday,apex_item.text(8,null) Remarks from tb_opmi_proj_act_map b where proj_ref='''||:P7_PROJ_REF||''' and rel_id='''||:P7_RELEASE_ID||''';';
      END IF;
      return(v_query);
    END;
    Now I have created a button which has a dynamic action as its on-click action. Now in the dynamic action I have to write the code for inserting/updating the data in the timesheet table.
    I need help with it please, it's urgent.

  • Why an organization require SSL for Shared Web Applications?

    Hi
    What is SSL, and why does an organization require SSL for Shared Web Applications?
    adil

    Hi adil,
    Secure Sockets Layer (SSL) is an encrypted communication protocol which uses encryption certificates. For more information about SSL in SharePoint, please refer to:
    http://technet.microsoft.com/en-us/magazine/2009.09.insidesharepoint.aspx
    http://technet.microsoft.com/en-us/library/cc262366(v=office.15).aspx
    SSL is supported for server-to-server authentication and app authentication.
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Error in setting up HTTP Header Variable Authentication

    Hi,
    I am trying to set up SSO for the SAP Biller Direct application (deployed on SAP J2EE 7.0) using HTTP Header variable authentication.
    As per SAP documentation I have created a new login module "HeaderVariableLoginModule" pointing to class "com.sap.security.core.server.jaas.HeaderVariableLoginModule".
    Then I have added this new login module to the Stack "Ticket" and the new config looks as below. The HTTP header in which the UID is passed is USI_LOP.
    Name                                                          Flag        Options
    com.sap.security.core.server.jaas.HeaderVariableLoginModule   Sufficient  ume.configuration.active= tue, Header=USI_LOP
    BasicPasswordLoginModule                                      Optional
    CreateTicketLoginModule                                       Optional    ume.configuration.active= tue
    EvaluateTicketLoginModule                                     Sufficient  ume.configuration.active= tue
    The problem I am now having is that the authentication through HTTP_HEADER does not work. Even though I have increased the trace level for the JAAS module to debug, there is not any type of information generated in the log.
    Each time I call the Biller Direct URL from the external web server, which also passes the HEADER variable for Authentication, the authorisation just fails and I am being shown a Logon Screen to put in UID/PASSWORD.
    Can someone please guide me, how I can debug this? There is no information whether anyone tried to login with the HEADER variable and that has failed...
    Also, I am not pretty sure whether I am using the right Authentication Stack, which is Ticket in my case..
    But when I enter the application without any URL redirects and enter UID and password directly for Biller Direct, I get the following in the log file, which makes me believe that I am using the right stack.
    LOGIN.OK
    User: CONDLG
    Authentication Stack: ticket
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sap.security.core.server.jaas.HeaderVariableLoginModule             SUFFICIENT  ok          false      false                
    2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   OPTIONAL    ok          true       true                 
    3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
    4. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
    Central Checks                                                                                true                 
    Any help will be very much appreciated..
    Thanks,
    Vikrant Sud

    Vikrant,
    The reason why it is not working is because your login modules in the ticket stack are in the wrong order and with the wrong flags. The first one should be EvaluateTicketLoginModule with flag=SUFFICIENT, then the Header Variable login module with flag=OPTIONAL, then CreateTicketLoginModule with flag=SUFFICIENT, then BasicPasswordLoginModule with flag=REQUISITE, and lastly CreateTicketLoginModule with flag=OPTIONAL
    Thanks,
    Tim

  • Required dependencies for Web Dynpro Application accessing KM

    Hi all,
    I need to implement a Web Dynpro application that accesses KM documents (NW 2004s). But I'm having problems finding one required API. I read several tutorials according to which I need the EP5 user API (com.sap.security.api.ep5.jar).
    The problem is that the application I need to make has to be a development component in NWDI (not a plain project).
    What I need to know is which Software Component dependencies I should add to my software component in order to be able to access the EP5 user API.
    I found the SC required for the KM API is KMC-CM, but this does not include the EP5 user API.
    Any ideas ?
    Thanks,
    Diego.

    Hi, check the link below; you can understand what you require
    http://help.sap.com/saphelp_nw04s/helpdata/en/45/1282b176a341e1e10000000a1553f6/frameset.htm
    Points are welcome if it is helpful
    Koti Reddy

  • HTTPs without client authentication, error while posting through Altova

    Hi Experts
    I am doing a SOAP-XI-Proxy synchronous scenario where I have to use HTTPS without client authentication for the first time in my system.
    I have made the scenario and the WSDL out of it.
    When I am trying to test it through Altova, I am getting the following error:
    <?xml version="1.0"?>
    <!-- see the documentation -->
    <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
        <SOAP:Body>
            <SOAP:Fault>
                <faultcode>SOAP:Server</faultcode>
                <faultstring>Server Error</faultstring>
                <detail>
                    <s:SystemError xmlns:s="http://sap.com/xi/WebService/xi2.0">
                        <context>XIAdapter</context>
                        <code>ADAPTER.JAVA_EXCEPTION</code>
                        <text><![CDATA[
    java.security.AccessControlException: https scheme required
        at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:918)
        at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3.process(ModuleLocalLocalObjectImpl0_3.java:103)
        at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:296)
        at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0_0.process(ModuleProcessorLocalLocalObjectImpl0_0.java:103)
        at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:187)
        at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:496)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
        at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
        at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
        at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
        at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
        at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
        at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
        at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
              ]]></text>
                    </s:SystemError>
                </detail>
            </SOAP:Fault>
        </SOAP:Body>
    </SOAP:Envelope>
    I saw a few discussions on the web but nowhere was the solution provided.
    The URL is
    http://abc.sap.point:1234/XISOAPAdapter/MessageServlet?channel=:system:communicationchannel&version=3.0&Sender.Service=x&Interface=x%5Ex
    I changed it to https also but in that case it was not even posting the request.
    I have set the sender adapter like this
    Is there any setting that I am missing?
    What is the setting that I need to do in SM59?
    Please help me getting through this.
    Your help is highly appreciated. Thanks in advance.
    Neha

    HI Neha,
    1. Enable the https service in the ICM: you can follow the way to do it like is pointed out in the page 4 of this document (PI 7.1 and PI 7.0 has the same smicm abap transaction) http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60ff2883-70c5-2c10-f090-a744def2ba66?overridelayout=t…
    2. Generate the certificate. Use the STRUST transaction. Check this document: SSL Configuration in SAP ABAP AS and JAVA AS – Step-by-step procedure
    Hope this helps.
    Regards.

  • Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

    Hello All,
    We are currently building up a HTTPS message exchange with an external client.
    Our PI 7.1 receives messages over HTTPS on an already configured Sender SOAP Adapter.
    The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
    Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet" is required and works fine with user ID and password.
    Now we have to configure the additional Client Authentication.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
    But what are the next steps to get this scenario successfully in place?
    Many thanks in advance!
    Jochen

    Hi Colleagues,
    following Steps still have to be done:
    - Mapping public key to technical user at Java Stack
      As preparation you have to activate the value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" in the Config Tool. At NWA under Identity Management, for the respective technical user, the public key certificate
    - Be sure the CA root certificate is in the Database under STRUSTSSO2
    - Import the intermediate Certificate under Certificate List at Trust Manager for the Respective Server Node
    - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
    Many thanks to all for support!
    Regards,
    Jochen

  • SQL Injection threat with APEX developed applications

    We are using a tool, HP WebInspect, to scan some of our APEX developed applications for web application security testing and assessment. We are getting some critical and high vulnerabilities identified (see below) and would like to know if someone else has encountered these and to determine a solution, whether it be a setting/settings within APEX or whether it is more related to the application and the way it was developed.
    Critical:
    Possible SQL Injection
    File Names: • https://xxx.edu:443/pls/apex/f?p=4550:1:36080644498857::NO:4::&success_msg=If+777-777-1911form%40value777.com+exists+in+our+records'+OR%2cwe+will+send+the+workspace+names+associated+with+this+email+address.+If+you+are+having+problems+receiving+the+workspace+names%2cplease+contact+your+administrator.%2fC34A0EF5494AB92C95AA4D0F7BF52332%2f
    • https://busaff-test.utdallas.edu:443/pls/apex/f?p=4550:1:36080644498857::NO:4::&success_msg=If+777-777-1911form%40value777.com+exists+in+our+records%2cwe%2bwill%2bsend%2bthe%2bworkspace%2bnames%2bassociated%2bwith%2bthis%2bemail%2baddress.%2bIf%2byou%2bare%2bhaving%2bproblems%2breceiving%2bthe%2bworkspace%2bnames'%2bOR%2cplease+contact+your+administrator.%2fC34A0EF5494AB92C95AA4D0F7BF52332%2f
    High:
    Possible Username or Password Disclosure
    File Names: • https://xxx.edu:443/pls/apex/f?p=104:101:1328157658320206:&notification_msg=Invalid%20Login%20Credentials/156F2A38AC41E25732821ABED8AA98B6/
    • https://xxx.edu:443/pls/apex/f?p=104:101:2360963243212364&notification_msg=Invalid%20Login%20Credentials/156F2A38AC41E25732821ABED8AA98B6/

    You can help us by telling us your first name, putting it into your profile, and by selecting a friendlier handle.
    The details you showed indicate no SQL injection possibilities whatsoever. The "Critical" examples also are unrelated to Application Express applications that you may have developed (application 4550 is the login application for the product itself and should rarely be used by end users in production environments).
    Scott

  • HTTPS With Client Authentication

    Hi,
    I've created a simple Web Service in PI 7.11 SP 4. When trying to connect to the Web Service from Soap UI I get the following error:
    java.security.AccessControlException: client certificate required
    In the transaction scim the following can be seen:
    [Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
    [Thr 5061]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
    [Thr 5061]     out: sssl_hdl = 1117534b0
    [Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
    [Thr 5061]      in: sssl_hdl = 1117534b0
    [Thr 5061]      in: cred_hdl = 116cfc110
    [Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
    [Thr 5061]   SSL NI-sock: local=XX.XX.XX.XX:50001  peer=XX.XX.XX.XX:2310
    [Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
    [Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
    [Thr 5061]          status = "resumed SSL session, NO client cert"
    The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
    Sender Communication Channel, 
    Transport Protocol: HTTP,
    Message Protocol: Soap 1.1,
    Adapter Engine: Central Adapter Engine,
    HTTPS with Client Authentication,
    Keep Headers
    Any ideas?
    Kind regards,
    John

    Hi Peter,
    If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
    It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
    All the best,
    John
