Sender SOAP Adapter Security Issue
Hi All,
We are building a SOAP to proxy scenario. The sender is a SOAP Adapter and the receiver is Proxy. The SOAP WSDL and URL are provided to the legacy system. When the legacy system is trying to send the data using the WSDL and the URL provided, they are receiving a dialog box to enter the user name and password. We can create a system user and provide those credentials to the legacy system. However, the legacy folks are not interested in including this in their web service.
Could you please suggest if there is a way to create the web service such that it wouldn't request user credentials? Something like no authorizations in the web service?
Thanks,
Manohar Dubbaka.
Hi Preeti,
Thanks for the response. Since we are on PI 7.0, I believe the setting that you are referring to should be on Visual Admin. Could you please let us know the parameter or the setting that needs to be changed in VA?
I am not sure how we can make use of SSO to prevent them from entering the user credentials. Your help in this regard would be much appreciated.
Thanks,
Manohar Dubbaka.
Similar Messages
-
Sender SOAP Adapter Authentication issue
All,
We have a SOAP-XI-RFC scenario. We exported the WSDL from the Integration Directory. When we try to call the web service using the webservice studio client, we get the following error. We are using a user that has the SAP_XI_ADMINISTRATOR role on it.
ResponseCode: 401 (Unauthorized)
Connection:close
Pragma:no-cache
Content-Length:1790
Cache-Control:no-cache
Content-Type:text/html
Date:Fri, 30 Nov 2007 20:01:23 GMT
Expires:0
Server:SAP J2EE Engine/7.00
WWW-Authenticate:Basic realm="XISOAPApps"
Any thoughts?
Thanks.
hi thezone,
ResponseCode: 401 (Unauthorized)
as per this specific error, try checking the following:
1. Check the WSDL URL format:
http://<server>:<port>/XISOAPADAPTER/MESSAGESERVLET?channel=:<Service>:<Channel>
2. Test the WSDL by putting the URL in Internet Explorer and see if you are getting a dialog box for user name and password; in this step you will also confirm the working status of the message servlets of the web service.
3. In step 2, IE will send a message to XI; now check your adapter.
4. Test your XML instance in your SOAP tester: go to its properties and make sure that you have given the correct user name and password in the specified fields.
Regarding your SOAP communication channel, it will be activated after receiving the first message. You can detect any problem in the connection only after receiving the first message.
Regards,
Mandeep Virk
reward points if helpful -
Sender SOAP Adapter with Https
Hi,
Can anyone give me information on how my Sender SOAP adapter is to be configured with an HTTPS port?
Please tell me all the different ways to make my Sender SOAP Adapter secure and give me the steps to achieve the functionality.
Thank You,
Madhav
check this section:
http://help.sap.com/saphelp_nw70/helpdata/EN/14/ef2940cbf2195de10000000a1550b0/frameset.htm
Also some help from SAP note:
https://service.sap.com/sap/support/notes/891877
Regards,
Abhishek.
Edited by: abhishek salvi on May 29, 2009 1:59 PM -
Security settings for sender SOAP adapter
Hey guys
I am implementing some security features in the sender SOAP adapter with help from www.help.sap.com. I have checked the message security box in the sender Communication channel, but in the sender agreement I don't see any options for Decrypt or Validate; I only see Keystore, Issuer and Subject.
I am on SP9 and XI 3.0.
Where can I find these options of Decrypt etc.?
Thanks
ahmad
Hi,
Please see below links
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0650f56-7587-2910-7c99-e1b6ffbe4d50
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/BTS06CoreDocs/html/a3229d73-170d-42b7-bab9-12ae5f2d0fa7.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/BTS06CoreDocs/html/f869bd82-df93-45e1-b747-b538820253fb.asp
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/121b053d-0401-0010-539f-f9295efb7bad
Document security option in webservices
And also check,
Launch Visual administrator and navigate to Server->Services->Security Provider. In 'Policy Configurations' tab page, select the component 'sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter'. Then click on the tab page 'Security Roles' and select 'xi_adapter_soap_message'. You will find the groups (equivalent to roles in PFCG) to which this security role (xi_adapter_soap_message) is assigned to. Make sure you assign the PFCG role listed here to the user.
regards
Chilla.. -
Sender SOAP Adapter issue with webservices for authorization.
Hi All
Issue:
As we are developing a Web Service to fetch account balance from SAP(upon receiving the account no from client) and have given the wsdl file to J2EE application to call or make use of the service. But as a part of that service they expect userid/password to be entered manually from client pop-up. At this point of time, we don't want to enter userid/password manually but we want this to be hardcoded/embedded in Webservice so that there is no need of manual intervention upon calling this service.
Actual Requirement:
From Webservices to R/3-ECC6.0-IS-Banking-RFC (Synchronous Interface)
Sender: SOAP Adapter synchronous
Receiver: RFC Adapter synchronous
Note: Requesting a account number and getting response from RFC is account Balance and Date to webservice
Regards
Kiran kumar.s
Hi praveen,
Thanks for your reply. What you said is exactly right, but for the time being I have to make the client not get the authorization prompt (username and password pop-up) when he invokes the WSDL into the web service. For that you told me to write some hardcode in the J2EE application, but I don't know where to write it and what to write. So, if possible, can you give me the code and procedure?
This is the URL:
http://hcl3sap:50000/XISOAPAdapter/MessageServlet?channel=:BS_WEBSERVICE:CC_SOAPSENDER
Regards,
kiran kumar. -
Hi,
I'd like to know the proper format of the POST request to a sender soap adapter with SMIME activated. I've found almost no documentation about it.
I'm trying to send a document ciphered to PI via soap adapter (HTTP POST). I've done the following steps
1. I activate SMIME in the sender soap adapter, and I specify "Decrypt" as the security procedure in the sender agreement. I also incorporate the private key in the keystore DEFAULT and reference to it in the sender agreement.
2. I use OpenSSL to cipher an xml document like this (I use the public certificate associated to the previous private key) :
--> openssl smime -encrypt -in fich.txt -out fich_encrypted.txt certTesting.pem
What I get is:
MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
MIIC....[base64 content of the file encrypted]
3. I use CURL to send the HTTP POST request to PI. Previously I get the binary file from the base64 content.
> POST /XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_1[...]
> Authorization: Basic c2U[...]
> Host: pi.[...].com:50000
> Accept: /
> Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=fich_encrypted.der
> User-Agent: Jakarta Commons-HttpClient/3.1
> Accept-Encoding: text/xml
> Content-Disposition: attachment; filename=fich_encrypted.der
> Content-Length: 620
> Expect: 100-continue
but I get this error from the SOAP Adapter:
--> java.io.IOException: invalid content type for SOAP: APPLICATION/PKCS7-MIME.
I also get the same error if I remove the header Content-Disposition.
4. If I send the xml file without ciphering (header Content-Type: text/xml;charset=UTF-8) I get the error:
com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: call failed: java.lang.SecurityException: Exception in Method: VerifySMIME.run(). LocalizedMessage: SecurityException in method: verifySMIME( MessageContext, CPALookupObject ). Message: IllegalArgumentException in method: verifyEnvelopedData( ISsfProfile ). Wrong Content-Type: text/xml;charset=UTF-8. *Expected Content-Type: application/pkcs7-mime or application/x-pkcs7-mime*. Please verify your configuration and partner agreement
PROBLEM --> I really don't know what the SOAP sender channel is expecting when SMIME is activated. I've tried to send the encrypted binary file as an attachment and also directly, but the SOAP adapter complains.
Thanks
Hi,
for XI EP
Please see the below links so that you can have clear Idea..
/people/saravanakumar.kuppusamy2/blog/2005/02/07/interfacing-to-xi-from-webdynpro
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webas/java/integrating%20web%20dynpro%20and%20sap%20xi%20using%20jaxb%20part%20ii.article
Consuming XI Web Services using Web Dynpro Part II-/people/riyaz.sayyad/blog/2006/05/08/consuming-xi-web-services-using-web-dynpro-150-part-ii
Consuming XI Web Services using Web Dynpro Part I -/people/riyaz.sayyad/blog/2006/05/07/consuming-xi-web-services-using-web-dynpro-150-part-i
/people/sap.user72/blog/2005/09/15/creating-a-web-service-and-consuming-it-in-web-dynpro
/people/sap.user72/blog/2005/09/15/connecting-to-xi-server-from-web-dynpro
Regards
Chilla.. -
How to use Basic Authentication in Sender SOAP Adapter
We implemented one Sender SOAP Adapter and we had to implement the modified WEB.XML method to remove the security specification. We have now asked the developer to correct this situation so we can remove this modification. The Interface developer would like to use Basic Authentication. If you have an automated interface sending in a SOAP Message, how do you do Basic Authentication?
I've tried using:
http://host:port/XISOAPAdapter/MessageServlet?channel=:<Service>:<Channel>&sap-user=xiappluser&sap-password=<Password>&sap-language=EN&sap-client=<Client>
When I do this, I still get the Authentication Pop-Up Window.
How does the Sending Interface either supply the ID and Password on the incoming SOAP Message or respond to the Authentication Pop-Up?
Thanks,
Anne
By default the web service exposed by you will use Basic Authentication mode only.
But the way you do Basic Authentication in the web client is platform dependent.
This is not the way to do Basic authentication:
http://host:port/XISOAPAdapter/MessageServlet?channel=:<Service>:<Channel>&sap-user=xiappluser&sap-password=<Password>&sap-language=EN&sap-client=<Client>
I am providing you a code snippet on how to do Basic Authentication in Java when making the Web Service call.
If the client is on some other platform, just look for the corresponding API.
Please award points if you find this answer useful.
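Code Snippet
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

URL url = new URL(URL);
URLConnection connection = url.openConnection();
if (connection instanceof HttpURLConnection) {
    ((HttpURLConnection) connection).setRequestMethod("POST");
}
//connection.setRequestProperty("Content-Length",Integer.toString(content.length()) );
connection.setRequestProperty("Content-Type", "text/xml");
connection.setDoOutput(true);
// Basic authentication: Base64 of "user:password" goes into the Authorization header
String credentials = User + ":" + Password;
connection.setRequestProperty("Authorization", "Basic " + encode(credentials));
connection.connect();
Encode Method
public static String encode(String source) {
    // java.util.Base64 replaces sun.misc.BASE64Encoder, which is not available in
    // current JDKs and wraps long output across lines (invalid in an HTTP header)
    return Base64.getEncoder().encodeToString(source.getBytes(StandardCharsets.UTF_8));
}
-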
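The thread above rejects passing sap-user and sap-password as URL parameters. As an added example (not part of the original posts), the following Python code audits web access logs for MessageServlet requests that still carry those parameters, because query strings are recorded by servers and proxies along the path. The log format, addresses, channel name and credential values are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Servlet path and parameter names as they appear in the thread above.
SERVLET_PATH = "/xisoapadapter/messageservlet"
CREDENTIAL_PARAMS = {"sap-user", "sap-password"}

# Constructed access-log lines (common log format); not taken from a real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"POST /XISOAPAdapter/MessageServlet?channel=:BS_DEMO:CC_SOAP_SENDER HTTP/1.1" 401 1790',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] '
    '"POST /XISOAPAdapter/MessageServlet?channel=:BS_DEMO:CC_SOAP_SENDER'
    '&sap-user=demo_user&sap-password=Constructed123&sap-language=EN HTTP/1.1" 401 1790',
    '192.0.2.10 - demo_user [01/Jan/2024:10:00:09 +0000] '
    '"POST /XISOAPAdapter/MessageServlet?channel=:BS_DEMO:CC_SOAP_SENDER HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:00:11 +0000] "GET /index.html HTTP/1.1" 200 100',
]

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)


def audit_line(line):
    """Return a finding if the line is a MessageServlet request with
    credentials in the query string, otherwise None."""
    match = REQUEST_RE.search(line)
    if match is None:
        return None
    target = urlsplit(match.group("target"))
    if target.path.lower() != SERVLET_PATH:
        return None
    params = parse_qsl(target.query, keep_blank_values=True)
    leaked = sorted({key.lower() for key, _ in params} & CREDENTIAL_PARAMS)
    if not leaked:
        return None
    # Rebuild the query with credential values masked so the report itself
    # does not become a second copy of the secret.
    redacted = "&".join(
        f"{key}={'[REDACTED]' if key.lower() in CREDENTIAL_PARAMS else value}"
        for key, value in params
    )
    return {
        "status": int(match.group("status")),
        "channel": dict(params).get("channel"),
        "leaked": leaked,
        "redacted_target": f"{target.path}?{redacted}",
    }


def audit(lines):
    """Audit an iterable of log lines and return all findings."""
    return [finding for finding in map(audit_line, lines) if finding is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Any password reported by such an audit should be treated as exposed and changed, and the calling interface moved to the Authorization header.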
Failed in Message Mapping for Sender SOAP Adapter
I am using a synchronous Sender SOAP adapter for sending SOAP messages using HTTP security protocol. I am trying to send SOAP messages to XI and then to RFC-R/3. And Responses back from RFC to XI and then to SOAP. I am getting an error for failed in message mapping in SXMB_MONI for converting SOAP messages to RFC. When I debug it in Message Mapping in Integration Repository, it works fine.
Any help is appreciated.
Thanks in advance!
Mrudula
Hi,
try to do a full cache refresh
regards,
Jakub -
Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1
Hello All,
We are currently building up a HTTPS message exchange with an external client.
Our PI 7.1 received over HTTPS messages on an already configured Sender SOAP Adapter.
The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet" is required and works fine with user ID and password.
Now we have to configure the additional Client Authentication.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
But what are the next steps to get this scenario successfully in place?
Many thanks in advance!
Jochen
Hi Colleagues,
following Steps still have to be done:
- Mapping public key to technical user at Java Stack
As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for respective technical user the public key certificate
- Be sure CA root certificate at Database under STRUSTSSO2
- Import intermediate Certificate under Certificate List at Trust Manager for the Respective Server Note
- use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
Many thanks to all for support!
Regards,
Jochen -
SOAP message size limitation for sender soap adapter
Hi All,
We are facing critical production issue in case of sender SOAP Adapter,
If the sender soap message is having 114359 Bytes than the Third party is getting exception and SOAP request is not reaching XI.
If the message size is less then 100kbytes then no exception will come.
Is this a limitation that SOAP message size should not exceed 100kbyte?
Thanks in advance
Best Regards,
Harleen Kaur Chadha
Hi,
Thanks for your inputs. Could you please tell me which hardware configurations you are talking about?
Are you people talking about hardware configurations for XI?
Best Regards,
Harleen Kaur Chadha -
Sender SOAP Adapter, inconsistent behavior
Hi,
We are using XI 3.0 SP17. We have noticed some inconsistent behavior with the sender SOAP adapter:
When sending a valid SOAP message to the adapter, it will reply with:
<SOAP:Envelope xmlns:SOAP='http://schemas.xmlsoap.org/soap/envelope/'><SOAP:Header/><SOAP:Body/></SOAP:Envelope>
To me this seems erroneous, because it is missing "<?xml version='1.0'?>" in the beginning, and thus is not valid XML. This leads to errors on the Client that is sending messages to the Sender SOAP adapter.
When sending an erroneous SOAP message from the client to the XI Sender SOAP adapter, the error message does include the "<?xml version='1.0'?>" + the corresponding error message, so the behavior seems inconsistent and erroneous.
Can someone tell me how to get the Sender SOAP Adapter to include "<?xml version='1.0'?>" in the reply for valid SOAP messages?
Thanks for any help on this subject!
-Hans
PS: Here is an example of an error message from the Sender SOAP adapter, that does include the xml header:
<?xml version="1.0"?>
<!-- see the documentation -->
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP:Body>
<SOAP:Fault>
<faultcode>SOAP:Server</faultcode>
<faultstring>Server Error</faultstring>
<detail>
<s:SystemError xmlns:s="http://sap.com/xi/WebService/xi2.0">
<context>XIAdapter</context>
<code>MalformedMessageException</code>
<text><![CDATA[Unexpected content in SOAP:Body; nested exception caused by: com.sap.aii.messaging.util.XMLScanException: Unexpected content in SOAP:Body\tat com.sap.aii.messaging.mo.Message.reparseRootDocument(Message.java:1014)\tat com.sap.aii.messaging.net.MIMEInputSource.readSOAPPart(MIMEInputSource.java:619)\tat com.sap.aii.messaging.net.MIMEInputSource.decodePart(MIMEInputSource.java:611)\tat com.sap.aii.messaging.net.MIMEInputSource.readBody(MIMEInputSource.java:379)\tat com.sap.aii.messaging.net.MIMEServletInputSource.parse(MIMEServletInputSource.java:58)\tat com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:378)\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:760)\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:853)\tat com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)\tat com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)\tat com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)\tat com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)\tat com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)\tat com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)\tat com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)\tat com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)\tat com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)\tat com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)\tat com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)\tat java.security.AccessController.doPrivileged(AccessController.java:180)\tat 
com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)\tat com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170) ]]></text>
</s:SystemError>
</detail>
</SOAP:Fault>
</SOAP:Body>
</SOAP:Envelope>
Hi,
"Do not use SOAP Envelope" is not really an option for us.
From help.sap.com:
If the indicator is set, the adapter expects a message without a SOAP envelope.
If you have set the indicator, you must also enter nosoap=true in the URL.
The adapter then puts the whole message in the XI payloads
So this also requires heavy changes to the client side. It would almost make more sense to use the plain HTTP adapter in that case..
-Hans -
Sender Soap Adapter communication channel error
Dear Experts,
When i see Sender soap adapter status in Communication channel monitoring.I am getting the status as:
"Processing Errors in the Last 50 Minutes"
Thanks in advance
Aamir,
My other interface is working fine by giving the following URL:
http://kpmgvm015:8001/XISOAPAdapter/MessageServlet?channel=:KPMG_AU_ALL:RetrieveOpportunityRecord_SOAP_Sender
I am not using the proposed URL.
Moreover, when I try to give this URL in the browser, it asks for user ID and password.
I am giving the user as PIAPPLUSER. It gives "message servlet is ok".
In my communication channel monitoring the corresponding communication channel:
RetrieveclientRecord_SOAP_Sender is in Red - Processing Errors In the Last 40 Minutes
Error message in Webclient:
java.security.AccessControlException: PIAPPLUSER has no permission for accessing binding com.sap.aii.af.service.cpa.Binding@d046043a -
Hello All,
Here the scenario is SOAP -> XI -> SAP ECC.
When the webservice is sending the message I am getting an error in the Sender SOAP channel.
Message is not going to Integration Engine.
It is failing with 401 Unauthorized in the sender SOAP adapter channel. My sender SOAP channel is a plain channel with no authentication check, certificates etc. When the webservice is sending a request to XI it is sending with some username which was there on the XI box. I am facing this issue in Quality Env. The same is working fine in Dev box.
Please give me the list of points that I need to check here.
Thanks,
Regards,
Naresh
Hi,
I am facing this issue in Quality Env. The same is working fine in Dev box.
Once the scenario is transported from Dev to QA the location where the Webservice is hosted will also change
Hence you will have to change the target URL .....just the HostName / IP address and the port for all the webservices (that you transported to QA)
Once you are in QA and with no change to the URL the sender (which I suppose is also in QA env) will be still trying to ping the same old Dev-URL....in such situation the sender is bound to get UnAuthorized error....
So one in all change the URL in your WebService to point to QA and then test....
Same logic applicable to QA --> PROD
Regards,
Abhishek. -
Sender SOAP adapter in inactive status
Hi guys,
I have a problem with my sender SOAP adapter.
In Int Directory, the channel is ACTIVE but in RWB, CC monitoring (soap adapter), this status is INACTIVE OR UNINITIALIZED.
I have changed this value and activated the change lists, and refreshed CPACache as well with no success.
Could you please help me on this?
Thanks in advance
David
Hi David!
Check these two threads, they will solve the issue; they discuss the same:
Inactive Status for a SOAP Adapter not working
SOAP Adapter - Channel started but inactive
Thanks!! -
Hi,
I want to use HTTPS port for one of our SOAP -->RFC sync interface .
currently we are using http://host:port/XISOAPAdapter/MessageServlet?channel=party:service:channel this url and its working fine,
Here we want to use HTTPS ( HTTPS with client authentication as security level) ,but in our current PI system ( 7.31) is not enabled https/ports.
Please let me know how we can enable HTTPS port ,let me know the process.
once HTTPS port is enabled please let me know the process to use HTTPS with client authentication as security level)
Thanks
Surya
Hi Surya,
Based on your requirement ports like 433, 4022 etc as per availability to Trading partners.
Port mapping should be done in the firewall configuration as your web dispatcher port (this information can be obtained from your basis team / will be managed at the installation time / netweaver administration).
80* series is for ABAP ports and 50* series is for JAVA port.
Also check the below link for more information.
http://scn.sap.com/community/pi-and-soa-middleware/blog/2013/09/20/sender-soap-adapter-https-with-client-authentication
Thanks and Regards,
Naveen