Sender SOAP Adapter Security Issue

Similar Messages

• Sender SOAP Adapter Authentication issue

  All,
  We have a SOAP-XI-RFC scenario. We exported the wsdl from the Integration Directory. When we try to call the web service using webservice studio client. We get the following error. We are using a user that has (SAP_XI_ADMINISTRATOR role on it).
  ResponseCode: 401 (Unauthorized)
  Connection:close
  Pragma:no-cache
  Content-Length:1790
  Cache-Control:no-cache
  Content-Type:text/html
  Date:Fri, 30 Nov 2007 20:01:23 GMT
  Expires:0
  Server:SAP J2EE Engine/7.00
  WWW-Authenticate:Basic realm="XISOAPApps"
  Any thoughts?
  Thanks.

  hi thezone  ,
  <i>ResponseCode: 401 (Unauthorized)</i>
  as per this specific error try checking that
  1.check the wsdl url format
  http://<server>:<port>/XISOAPADAPTER/MESSAGESERVLET?channel=:<Service>:<Channel>
  2. test the wsdl by putting the url in internet explorer and see if you are getting a dialog box for user name and password, also in this step you will confirm the working status of message servlets of web service.
  3. by step 2 IE will send a message to XI, now you check your adapter
  4. test ur xml instance in your soap tester, go to its properties and make sure that  you had given correct user name and password over there on specified fields.
  regarding your soap communication channel it will be activated after receiving first message. you can detect any problem in connection only after receiving first message.
  Regards,
  Mandeep Virk
  reward points if helpful

• Sender SOAP Adapter with Https

  Hi,
  can any one give me information on  how my Sender SOAP adapter to be configured with HTTPS port.
  please give me the what are all different ways to make my Sender SOAP Adapter secure and give me the steps to achieve the functionality.
  Thank You,
  Madhav

  check this section:
  http://help.sap.com/saphelp_nw70/helpdata/EN/14/ef2940cbf2195de10000000a1550b0/frameset.htm
  Also some help from SAP note:
  https://service.sap.com/sap/support/notes/891877
  Regards,
  Abhishek.
  Edited by: abhishek salvi on May 29, 2009 1:59 PM

• SEcurity settings for sender SOAP adapter

  Hey guys
  i m implemeting some security features in sender SOAP adapter by taking help frm www.help.sap.com,i have checked the message security box in sender Communication channel but in sender agreement i dont see any options for Decryt or Validate,i only see Keystore,Issuer and subject.
  i m on SP9 and XI 3.0
  where can i find these options of Decrypt etc?
  thanx
  ahmad

  Hi,
  Please see below links
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0650f56-7587-2910-7c99-e1b6ffbe4d50
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/BTS06CoreDocs/html/a3229d73-170d-42b7-bab9-12ae5f2d0fa7.asp
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/BTS06CoreDocs/html/f869bd82-df93-45e1-b747-b538820253fb.asp
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/121b053d-0401-0010-539f-f9295efb7bad
  Document security option in webservices
  And also check,
  Launch Visual administrator and navigate to Server->Services->Security Provider. In 'Policy Configurations' tab page, select the component 'sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter'. Then click on the tab page 'Security Roles' and select 'xi_adapter_soap_message'. You will find the groups (equivalent to roles in PFCG) to which this security role (xi_adapter_soap_message) is assigned to. Make sure you assign the PFCG role listed here to the user.
  regards
  Chilla..

• Sender SOAP Adapter issue with webservices for authorization.

  Hi All
  Issue:
  As we are developing a Web Service to fetch account balance from SAP(upon receiving the account no from client) and have given the wsdl file to J2EE application  to call or make use of the service.  But as a part of that service they expect userid/password to be entered manually from client  pop-up.  At this point of time, we don't want to enter userid/password manually but  we want this to be hardcoded/embedded in Webservice so that  there is no need of manual intervention upon calling this service.
  Actual Requirement:
  From Webservices to R/3-ECC6.0-IS-Banking-RFC (Synchronous Interface)
  Sender: SOAP Adapter synchronous
  Receiver: RFC Adapter synchronous
  Note: Requesting a account number and getting response from RFC is account Balance and Date to webservice
  Regards
  Kiran kumar.s

  Hi praveen,
  Thanks for ur  reply.What you said is exactly right but for time being i have to make the client not get the authorization(password--Username and password(pop-up)) when he invokes the WSDL into webservice for that u told that to write some hardcode in J2EE application,but i don't know that where to write and what to write.so, if possible can u give me the code and procedure.
  This is the URL:
  http://hcl3sap:50000/XISOAPAdapter/MessageServlet?channel=:BS_WEBSERVICE:CC_SOAPSENDER
  Regards,
  kiran kumar.

• SMIME in sender soap adapter

  Hi,
  I'd like to know the proper format of the POST request to a sender soap adapter with SMIME activated. I've found almost no documentation about it.
  I'm trying to send a document ciphered to PI via soap adapter (HTTP POST). I've done the following steps
  1. I activate SMIME in the sender soap adapter, and I specify "Decrypt" as the security procedure in the sender agreement. I also incorporate the private key in the keystore DEFAULT and reference to it in the sender agreement.
  2. I use OpenSSL to cipher an xml document like this (I use the public certificate associated to the previous private key) :
  --> openssl smime -encrypt -in fich.txt -out fich_encrypted.txt certTesting.pem
  What I get is:
  MIME-Version: 1.0
  Content-Disposition: attachment; filename="smime.p7m"
  Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
  Content-Transfer-Encoding: base64
  MIIC....[base64 content of the file encrypted]
  3. I use CURL to send the HTTP POST request to PI. Previously I get the binary file from the base64 content.
  > POST /XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_1[...]
  > Authorization: Basic c2U[...]
  > Host: pi.[...].com:50000
  > Accept: /
  > Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=fich_encrypted.der
  > User-Agent: Jakarta Commons-HttpClient/3.1
  > Accept-Encoding: text/xml
  > Content-Disposition: attachment; filename=fich_encrypted.der
  > Content-Length: 620
  > Expect: 100-continue
  but I get this error from the SOAP Adapter:
  --> java.io.IOException: invalid content type for SOAP: APPLICATION/PKCS7-MIME.
  I also get the same error if I remove the header Content-Disposition.
  4. If I send the xml file without ciphering (header Content-Type: text/xml;charset=UTF-8) I get the error:
  com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: call failed: java.lang.SecurityException: Exception in Method: VerifySMIME.run(). LocalizedMessage: SecurityException in method: verifySMIME( MessageContext, CPALookupObject ). Message: IllegalArgumentException in method: verifyEnvelopedData( ISsfProfile ). Wrong Content-Type: text/xml;charset=UTF-8. *Expected Content-Type: application/pkcs7-mime or application/x-pkcs7-mime*. Please verify your configuration and partner agreement
  PROBLEM --> I really don't know what the SOAP sender channel is expecting when SMIME is activated. I've tried to send the binary file encripted as an attachment and also directly, but the soap adapter complains.
  Thanks

  HI,
  for XI EP
  Please see the below links so that you can have clear Idea..
  /people/saravanakumar.kuppusamy2/blog/2005/02/07/interfacing-to-xi-from-webdynpro
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webas/java/integrating%20web%20dynpro%20and%20sap%20xi%20using%20jaxb%20part%20ii.article
  Consuming XI Web Services using Web Dynpro – Part II-/people/riyaz.sayyad/blog/2006/05/08/consuming-xi-web-services-using-web-dynpro-150-part-ii
  Consuming XI Web Services using Web Dynpro – Part I -/people/riyaz.sayyad/blog/2006/05/07/consuming-xi-web-services-using-web-dynpro-150-part-i
  /people/sap.user72/blog/2005/09/15/creating-a-web-service-and-consuming-it-in-web-dynpro
  /people/sap.user72/blog/2005/09/15/connecting-to-xi-server-from-web-dynpro
  Regards
  Chilla..

• How to use Basis Authentication in Sender SOAP Adapter

  We implemented one Sender SOAP Adapter and we had to implement the modified WEB.XML method to remove the security specification.  We have now asked the developer to correct this situation so we can remove this modification.  The Interface developer would like to use Basic Authentication. If you have an automated interface sending in a SOAP Message, how do you do Basic Authentication? 
  I've tried using:
  http://host:port/XISOAPAdapter/MessageServlet?channel=:<Service>:<Channel>&sap-user=xiappluser&sap-password=<Password>&sap-language=EN&sap-client=<Client>
  When I do this, I still get the Authentication Pop-Up Window.
  How does the Sending Interface either supply the ID and Password on the incoming SOAP Message or respond to the Authentication Pop-Up?
  Thanks,
  Anne

  By Defualt the web service exposed by you will use Basic Authentication mode only.
  But the way you do Basic Authentication in the web client is platfrom dependent.
  This is not the way to do Basic authentication
  http://host:port/XISOAPAdapter/MessageServlet?channel=:<Service>:<Channel>&sap-user=xiappluser&sap-password=<Password>&sap-language=EN&sap-client=<Client>
  I am providing you a code snippet on how to Basic Authentication in Java when making the Web Service Call.
  If the client is on some other platform just look for the corresponding api.
  Please award points if you find this answer useful.
  Code Snippet
  URL url = new URL(URL);
  URLConnection connection = url.openConnection();
  if( connection instanceof HttpURLConnection )
  ((HttpURLConnection)connection).setRequestMethod("POST");
       //connection.setRequestProperty("Content-Length",Integer.toString(content.length()) );
       connection.setRequestProperty("Content-Type","text/xml");
       connection.setDoOutput(true);
       String password = User + ":" + Password ;
        //Where con is a URLConnection 
       connection.setRequestProperty ("Authorization", "Basic " + encode(User + ":"+ Password));
       connection.connect();
  Encode Method
  public static String encode (String source) {
  BASE64Encoder enc = new sun.misc.BASE64Encoder();
  return(enc.encode(source.getBytes()));

• Failed in Message Mapping for Sender SOAP Adapter

  I am using a synchronous Sender SOAP adapter for sending SOAP messages using HTTP security protocol. I am trying to send SOAP messages to XI and then to RFC-R/3. And Responses back from RFC to XI and then to SOAP. I am getting an error for failed in message mapping in SXMB_MONI for converting SOAP messages to RFC. When I debug it in Message Mapping in Integration Repository, it works fine.
  Any help is appreciated.
  Thanks in advance!
  Mrudula

  Hi,
  try to do a full cache refresh
  regards,
  Jakub

• Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

  Hello All,
  We are currently building up a HTTPS message exchange with an external client.
  Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
  The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
  Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
  Now we have to configure the addtional Client Authentication.
  At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
  But what are the next steps to get this scenario successfully in place?
  Many thanks in advance!
  Jochen

  Hi Colleagues,
  following Steps still have to be done:
  - Mapping public key to technical user at Java Stack
    As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
  - Be sure CA root certivicate at Database under STRUSTSSO2
  - Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
  - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
  Many thanks to all for support!
  Regards,
  Jochen

• SOAP message size limitation for sender soap adapter

  Hi All,
  We are facing critical production issue in case of sender SOAP Adapter,
  If the sender soap message is having 114359 Bytes than the Third party is getting exception and SOAP request is not reaching XI.
  If the message size is less then 100kbytes then no exception will come.
  Is this a limitation that SOAP message size should not exceed 100kbyte?
  Thnaks in advance
  Best Regards,
  Harleen Kaur Chadha

  Hi ,
  Thanks for your inputs,Could you please tell me which hardware configurations are you talking about?
  Are you people talking about harware configurations for XI?
  Best Regards,
  Harleen Kaur Chadha

• Sender SOAP Adapter, inconsistent behavior

  Hi,
  We are using XI 3.0 SP17. We have noticed some inconsitent behavior with the sender SOAP adapter:
  When sending a valid SOAP message to the adapter, it will reply with:
  <SOAP:Envelope xmlns:SOAP='http://schemas.xmlsoap.org/soap/envelope/'><SOAP:Header/><SOAP:Body/></SOAP:Envelope>
  To me this seems errornous, becuase it is missing "<?xml version='1.0'?>" in the beginning, and thus is not valid XML. This leads to errors on the Client that is sending messages to the Sender SOAP adapter.
  When sending an errornous SOAP message from the client to the XI Sender SOAP adapter, the error message does include the "<?xml version='1.0'?>" + the corresponding error message, so the behavior seems inconsitent and errournous.
  Can someone tell me how the get the Sender SOAP Adapter to include "<?xml version='1.0'?>" in the reply for valid SOAP messages?
  Thanks for any help on this subject!
  -Hans
  PS: Here is an example of an error message from the Sender SOAP adapter, that does include the xml header:
  <?xml version="1.0"?>
  <!-- see the documentation -->
  <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
       <SOAP:Body>
            <SOAP:Fault>
                 <faultcode>SOAP:Server</faultcode>
                 <faultstring>Server Error</faultstring>
                 <detail>
                      <s:SystemError xmlns:s="http://sap.com/xi/WebService/xi2.0">
                           <context>XIAdapter</context>
                           <code>MalformedMessageException</code>
                           <text><![CDATA[Unexpected content in SOAP:Body; nested exception caused by: com.sap.aii.messaging.util.XMLScanException: Unexpected content in SOAP:Body\tat com.sap.aii.messaging.mo.Message.reparseRootDocument(Message.java:1014)\tat com.sap.aii.messaging.net.MIMEInputSource.readSOAPPart(MIMEInputSource.java:619)\tat com.sap.aii.messaging.net.MIMEInputSource.decodePart(MIMEInputSource.java:611)\tat com.sap.aii.messaging.net.MIMEInputSource.readBody(MIMEInputSource.java:379)\tat com.sap.aii.messaging.net.MIMEServletInputSource.parse(MIMEServletInputSource.java:58)\tat com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:378)\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:760)\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:853)\tat com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)\tat com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)\tat com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)\tat com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)\tat com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)\tat com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)\tat com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)\tat com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)\tat com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)\tat com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)\tat com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)\tat java.security.AccessController.doPrivileged(AccessController.java:180)\tat com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)\tat com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)          ]]></text>
                      </s:SystemError>
                 </detail>
            </SOAP:Fault>
       </SOAP:Body>
  </SOAP:Envelope>

  Hi,
  "Do not use SOAP Envelope" is not really an option for us.
  From help.sap.com:
  If the indicator is set, the adapter expects a message without a SOAP envelope.
  If you have set the indicator, you must also enter nosoap=true in the URL.
  The adapter then puts the whole message in the XI payloads
  So this also requires heavy changes to the client side. It would almost make more sense to use the plain HTTP adapter in that case..
  -Hans

• Sender Soap Adapter communication channel  error

  Dear Experts,
  When i see Sender soap adapter status in Communication channel monitoring.I am getting the status as:
  "Processing Errors in the Last 50 Minutes"
  Thanx in advance

  Aamir,
  My other interface is working fine by giving the following url:
  http://kpmgvm015:8001/XISOAPAdapter/MessageServlet?channel=:KPMG_AU_ALL:RetrieveOpportunityRecord_SOAP_Sender
  I am not using the propsed url.
  Moreover when  i try to give this url in the browser . It is asking of user id and password.
  I am  giving user as : PIAPPLUSER.It gives message servelet is ok.
  In my communication channel monitoring the corresponsing communication channel:
  RetrieveclientRecord_SOAP_Sender is in Red - Processing Errors In the Last 40 Minutes
  Error meesage in Webclient:
    java.security.AccessControlException: PIAPPLUSER has no permission for accessing binding com.sap.aii.af.service.cpa.Binding@d046043a

• Sender SOAP adapter error 401

  Hello All,
  Here the scenario is SOAP -> XI -> SAP ECC.
  When the webservice is seding the message I am getting error in Sender SOAP channel.
  Message is not going to Integration Engine.
  Its failing with 401Un Authorized in sender soap adapter channel.My sender soap channel is plain channel with no authentication check and certificated etc.When webservice is seding request to XI its sending wit some usernmae which was there on XI box.I am facing this issue in Quality Env. The same is working fine in Dev box.
  Please give me the list of points that I need to check here.
  Thanks,
  Regards,
  Naresh

  Hi,
  I am facing this issue in Quality Env. The same is working fine in Dev box.
  Once the scenario is transported from Dev to QA the location where the Webservice is hosted will also change
  Hence you will have to change the target URL .....just the HostName / IP address and the port for all the webservices (that you transported to QA)
  Once you are in QA and with no change to the URL the sender (which I suppose is also in QA env) will be still trying to ping the same old Dev-URL....in such situation the sender is bound to get UnAuthorized error....
  So one in all change the URL in your WebService to point to QA and then test....
  Same logic applicable to QA --> PROD
  Regards,
  Abhishek.

• Sender SOAP adapter in inactive status

  Hi guys,
  I have a problem with my sender SOAP adapter.
  In Int Directory, the channel is ACTIVE but in RWB, CC monitoring (soap adapter), this status is INACTIVE OR UNINITIALIZED.
  I have changed this value and activated the change lists, and refreshed CPACache as well with no success.
  Could you please help me on this?
  Thanks in advance
  David

  Hi David !
  check these two threads , wi9ll solve the issue , discuss the same
  Inactive Status for a SOAP Adapter not working
  SOAP Adapter - Channel started but inactive
  Thanks!!

• HTTPS sender soap adapter

  Hi,
  I want to use HTTPS port for one of our SOAP -->RFC sync interface .
  currently we are using  http://host:port/XISOAPAdapter/MessageServlet?channel=party:service:channel this url and its working fine,
  Here  we want to use  HTTPS  ( HTTPS with client authentication as security level) ,but in our current PI system ( 7.31) is  not enabled https/ports.
  Please let me know how we can enable  HTTPS  port ,let me know the process.
  once HTTPS port is enabled  please let me know the process to use  HTTPS with client authentication as security level)
  Thanks
  Surya

  Hi Surya,
  Base on your requirement ports like 433, 4022 etc as per availability to Trading partners.
  Port mapping should be done in the firewall configuration as your web dispatcher port(This information can be obtained from your basis team / will be managed at the installation time / netweaver administration.)
  80* series is for ABAP ports and 50* series i sfor JAVA port.
  Also check the below link for more information.
  http://scn.sap.com/community/pi-and-soa-middleware/blog/2013/09/20/sender-soap-adapter-https-with-client-authentication
  Thanks and Regards,
  Naveen