SOAP receiver - Message level security - Encryption

Similar Messages

• WebServices and message level security

  Hello,
  I am investigating about the use of XI web services using message level security (encrypted xml), is it possible to achieve this between an SAP provider and a third party consumer, without using a PCK or developing a specific adapter? (most solutions I see always point to this).
  If anyone could shed some light into this matter i would be thankful.
  Regards,
  Leandro Fonseca

  Hello,
  I am investigating about the use of XI web services using message level security (encrypted xml), is it possible to achieve this between an SAP provider and a third party consumer, without using a PCK or developing a specific adapter? (most solutions I see always point to this).
  If anyone could shed some light into this matter i would be thankful.
  Regards,
  Leandro Fonseca

• Message Level Security with SOAP Adapter

  Hi,
  I need to use Message Level Security with my SOAP Adapter. Please let me know if anyone has done the same in the past?
  What are the steps I would need to do? How can I use WSS based security in the SOAP Adapter?

  Hi,
  Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.
  It improves communication-level security by adding security features that are particularly important for inter-enterprise
  Message-level encryption is required if message content needs to be confidential not only on the communication lines but also in intermediate message stores.
  Refer
  How to use Client Authentication with SOAP Adapter
  XML Encryption Using Web Services Security in SAP NetWeaver XI
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0650f56-7587-2910-7c99-e1b6ffbe4d50
  http://help.sap.com/saphelp_nw04/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
  Thanks
  swarup

• Message Level Security

  Hi All,
    In the PI to PI scenario i used certificates for sigining and encryption. For this i followed message level security document.
  In PI1 message is signed and encrypted, but the sign is not validated and message is not decrypted in PI2 server. Output from PI2 server is coming in  encrypted form. How to solve this issue.
  PI1 SP is 11 and PI2 SP is 06.
  Kindly suggest some solution.
  Regards
  Prakash

  Hi,
  Message-Level Security
  Message-level security allows you to digitally sign or encrypt documents exchanged between systems or business partners. It improves communication-level security by adding security features that are particularly important for inter-enterprise communication. Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.
  ●      A digital signature authenticates the business partner signing the message and ensures data integrity of the business document carried by a message.
  Signatures are used in two scenarios:
  ○       Non-repudiation of origin
  The sender signs a message so that the receiver can prove that the sender actually sent the message.
  ○       Non-repudiation of receipt
  The receiver signs a receipt message back to the sender so that the original sender can prove that the receiver actually received the original message.
  ●      Message-level encryption is required if message content needs to be confidential not only on the communication lines but also in intermediate message stores.
  SAP NetWeaver usage type Process Integration (PI) offers message-level security for the XI protocol itself, for the RosettaNet protocol, for the CIDX protocol, and for the SOAP and Mail adapters. The table below summarizes the message-level security features of these protocols and adapters.
  Message-Level Security Features
  XI Protocol (XI 3.0)
  Messaging components
  Integration Server and PCK
  SOAP
  Adapter Engine and PCK
  Mail
  Adapter Engine
  RNIF 2.0
  Adapter Engine
  RNIF1.1/CIDX
  Adapter Engine
  IIly
  Signature
  X
  X
  X
  X
  X
  Non-repudiation of origin
  X
  X
  (Web service security)
  X
  X
  Non-repudiation of receipt
  X
  X
  X
  Encryption
  X
  X
  X
  X
  Technology
  Web service security (XML signature)
  Signed parts are the SAP main header, the SAP manifest, and the payloads (SOAP attachments).
  Encrypted parts are the payloads (SOAP attachments).
  S/MIME or
  Web service security (XML signature)
  The SOAP body is signed.
  S/MIME
  S/MIME
  PKCS#7
  XI 3.0 is the XI protocol valid for both SAP NetWeaver ´04 and SAP NetWeaver 7.0.
  Message-level security is not guaranteed across the entire communication path of a message, but only for the intended B2B connections, which can be the following communication paths, as described under Service Users for Message Exchange.
  ●      XI protocol
  ○       (s4) Integration Server to Integration Server, PCK to Integration Server
  ○       (r4) Integration Server to Integration Server, Integration Server to PCK
  ●      SOAP protocol
  ○       (s3) SOAP sender to Adapter Engine or PCK
  ○       (r3) Adapter Engine or PCK to SOAP receiver
  ●      Mail protocols
  ○       (s3) Mail server to Adapter Engine or PCK (IMAP4/POP3)
  ○       (r3) Adapter Engine or PCK to mail server (IMAP4/SMTP)
  ●      RNIF and CIDX protocol
  ○       (s3) RNIF or CIDX sender to Adapter Engine
  ○       (r3) Adapter Engine to RNIF or CIDX receiver
  You define whether and how message-level security is to be applied to messages in the Integration Directory by using sender agreements on the inbound (sender) side in scenarios (s3) and (s4) and by using receiver agreements on the outbound (receiver) side in scenarios (r3) and (r4). For more information about configuring message-level security, see Security Configuration at Message Level.
  Message-level security relies on public and private x.509 certificates maintained in the J2EE keystore, where each certificate is identified by its alias name and the keystore view where it is stored. Certificates are used in the following situations:
  ●      When signing a message, the sender signs it with its private key and attaches its certificate containing the public key to the message.
  The receiver then verifies the digital signature of the message with the senderu2019s certificate attached to the message. There are two alternative trust models to verify the authenticity of the senderu2019s public certificate:
  ○       In the direct trust model, the signeru2019s public key certificate is compared with the locally maintained, expected public key certificate of the partner. Therefore, the direct trust model requires offline exchange of public key certificates, which can be self-signed or issued by a CA.
  ○       In the hierarchical trust model, the signeru2019s public key certificate is validated by a locally maintained public certificate of the CA that issued the signeru2019s public certificate. In addition, the subject name and the issuer of the signeru2019s certificate is compared with the expected partneru2019s identity configured in a receiver agreement on the receiver side.
  Generally, the hierarchical trust model enables chains of certificates attached to the message. The XI 3.0 message format, however, does not support such chains; the certificate used for signing has to be signed by a root CA.
  In the hierarchical trust model, the sender and the receiver only need to agree upon the CA and the subject name that the sender has used in its certificate.
  The following trust models are supported:
  ○       The RNIF and CIDX adapters support both a direct and a single-level hierarchical trust models.
  ○       The XI protocol and the SOAP adapter (with Web service security) only support a single-level hierarchical trust model.
  ○       The Mail adapter and the SOAP adapter (with S/MIME) support a multi-level hierarchical trust model.
  ●      When encrypting a message, the sender encrypts with the public key of the receiver (also verifying the correctness of the receiveru2019s certificate by using the public key of the certificateu2019s root CA).
  The receiver decrypts with its private key certificate.
  For more information about the certificate store, see Certificate Store.
  Whenever a message is signed, the receiver archives the signed messages for non-repudiation purposes. See Archiving Secured Messages.
  reg,
  suresh

• Invoking a message-level secured webservice WS Security

  I am not having any luck invoking a webservice that has been secured via message-level security. For simplicity, I have been using WS-Security Policies provided by WebLogic and applying them on my webservice via annotations. I have been testing with Wssp1.2-Wss1.0-X509-TripleDesRsa.xml. I am using soapUI to invoke the webservice. When I send a singed soap request, I get a response indicating that it wasn't able to validate the signature. I made sure that both soapUI and WebLogic server is using the same identity store. I have also made sure that the certificate in the identity store is also in the trust store for WebLogic. There could also be a problem with the structure of the soap request. I send a soap request that includes a signature of the timestamp, the initiator token (x509 in binary form), and the body.
  Anyone have luck with WebLogic webservice security and soapUI?

  Applying 'format XML' after signing it changes the message and makes the signature invalid, different content == different signature.
  You should also ask yourself why you'd like to transport blank characters (zero information) over the wire just to make it more readable for yourself? Just compare the size of the unformatted and formatted message to see the waste of bandwidth.
  --olaf                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• Message Level security : PI 7.1

  Hello All,
  We are currently evaluating the message level security options in PI in order to communicate with native ABAP systems like CRM , HR, BW etc. Does it need us to set up a PCK (Decentralized adapter engine) in order to use it  ?
  http://help.sap.com/saphelp_nwpi71/helpdata/en/a8/882a40ce93185de10000000a1550b0/content.htm
  The scenarios are
  SOAP - XI - Proxy
  SOAP - XI - WS Adapter
  Thanks.
  Kiran

  Thanks Marcus & Caio !! The settings listed in the link
  http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
  Do they have to be done on our ECC box and how do I do it for both Consumer and Provide Proxy ?
  Is ther a link to the blog available for the same with comm channel documents.
  Thanks.
  Kiran

• Message Level Security and Performance

  Hi All,
  Does the implementation of Message Level security features Like SSL and Encryption degrade the performance of the server in Processing the messages ?
  regards,
  Rahul

  Encryption related performance issue is purely related to size of messages.
  In my opinion, SSL wouldnt affect the performance for large messages. SSL will take its usual time for checking for security.
  And the volume and size could anytime affect the performance
  Regards,
  Prateek

• Message Level Security in FTPS

  Hi ,
     Did File Adapter with FTPS will provide the Message Level Security ?
  And What is the Exact  Difference Between FTPS for Control Connection and FTPS for Control and Data Connection .
  What is the Significance of Use X.509 Certificate for Client Authentication check box. If we check it what will happen r if we dont what will happen ?
  Thanks.
  Anitha.

  >
  Anitha SAP wrote:
  > Hi Rajesh,
  >
  >       I have to use only FTPS. Because my client is suggesting that only. Isn't possible using FTPS ?
  > And Tell me The Difference Between FTPS for Control Connection and FTPS and Control and Data Connection .
  > Neccesity of Public key certificate from FTP Sever?
  >
  > Thanks.
  > Anitha.
  PI supports FTPS. you can use the File adapter for the same.
  The basic difference when we talk about FTPS for Control Connection* and FTPS and Control and Data Connection is that in case of FTPS and Control and Data Connection, you data is also encrypted. Else the connection is secure but the data level encryption will not be active
  FTPS works with Certificates and hence the need for the same

• Message Level Security in XI  7.0

  Hi,
  Have someone worked on Message level Security in XI 7.0 for transferring a file from one system to an external third party system?
  If so can u provide me with links or documents?
  Thanks
  Manjula

  Hi,
  Please Find the Required Details in the Links
  http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
  Reward Points if Helpful
  Regards
  Khanna

• SOAP receiver message failure

  Hi,
  Scenario is an async message from SAP to a third party (SOAP receiver)
  This message staus is delivered in adapter logs of RWB.
  Also there is the payload (before mapping and after mappings till technical routing also) can be seen from sxmb_moni.
  Thre problem is that the message data is not uploaded to that third party.
  The communication channel is having correct URL (tried with WSDL home page and URL pointing to WSDL file/code like with '?WSDL' ) and SOAP action is also provided (also tried without SOAP action and got an error related to SOAP action).
  These are the only 2 places (target URL & SOAP action) are maintained in communication channel. There is no any proxy/authentication required.
  What cld be the reason of this ?
  The TP web service is working fine with soapUI.
  Regards,
  Sachchidanand

  Hi Kulwant,
  Thanks for ur help.
  In sxmb_moni, message status is successful.
  As ur suggestion I just checked with soapUI message structure and found that..
  1. soapUI tool message structure contains empty header  <soapenv:Header/>  and in the <soapenv:Body> all the wsdl fields/heirarchy is there.
  2. In sxmb_moni payload (@ tech routing) there is no any header , it shows the structure like its in <soapenv:Body> of soapUI or its like message mapping heirarchy.
  And there is no any custom authentication part visible in soapUI also.
  Thanks,
  Sachchidanand

• Syncronous SOAP Receiver Message: APPLICATION_ERROR

  Hi Experts,
  I am facing a application error in SXMB_MONI for syncronous messages in a SOAP receiver scenario.
  - <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
    <SAP:Category>Application</SAP:Category>
    <SAP:Code area="UNKNOWN">APPLICATION_ERROR</SAP:Code>
    <SAP:P1 />
    <SAP:P2 />
    <SAP:P3 />
    <SAP:P4 />
    <SAP:AdditionalText>application fault</SAP:AdditionalText>
    <SAP:ApplicationFaultMessage namespace="http://xml.apache.org/axis/">hostname</SAP:ApplicationFaultMessage>
    <SAP:Stack />
    <SAP:Retry>M</SAP:Retry>
    </SAP:Error>
  In RWB the SOAP adapter shows me that the message was delivery successfully however the guys from the third party application said to me that the message didn't reach it.
  I would like to know if you have any idea where the error is.
  Have you already faced something like this?
  << Moderator message - Please do not offer points >>
  Thanks in advance,
  Daniela
  Edited by: Rob Burbank on Oct 15, 2010 4:42 PM

  Hello,
  Based on the exception, this is really not as descriptive as possible. Can you try the following:
  1. Execute the WSDL via SOAP UI and let us know of the results.
  2. Under SXI_MONITOR, can you double click the response message payload? The response message payload should more or less give an idea as to why this error occurred.
  Hope this helps,

• Message level security: difference digital signature and certificate

  Hi everybody,
  could anybody please explain the difference between <b>digital signature</b> and <b>certificate</b>?
  Thans
  Regards Mario

  Mario,
  A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
  A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.
  where as
  A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.
  hope it helps u.
  --Archana

• SOAP with Security (Encrypt and Decrypt)

  Hi Experts,
  Anybody can give me the basic idea of Encrypt certificates and send to receiver system, and validate those certificates and Decrypt them and sends back to sender system.
  Thanks & Regards,
  Naidu.

  Hi Naidu,
  Go through these links. They provide the detailed procedure for message level security, which includes data encryption.
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
  http://help.sap.com/saphelp_nw04/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
  And for these kind of questions please try using the search help of sd.
  Thanks and Regards,
  Sanjeev.

• Decrypt a SOAP response message

  Hello there,
  We have successfully configured message level security for one of B2B integration interfaces, our partner is able to receive and decrypt/validate our request, and send back the response to us. But the problem now is that the response is encrypted as well, there seems no where in XI we can configure for the decryption of the response message.
  I have reviewed this URL from help.sap.com which basically saying that there is a place in receiver agreement configuration to do this, but in our XI 3.0 system, it does not exist.
  http://help.sap.com/saphelp_nw04/helpdata/en/1f/7e2441509fa831e10000000a1550b0/frameset.htm
  Thanks in advance for your help..
  have a nice day.
  Jerry Zhang.

  Jerry.
  You need to look into this link for the Receiver SOAP Adapter's security,
  http://help.sap.com/saphelp_nw04/helpdata/en/56/992d4142badb2be10000000a1550b0/content.htm
  Make sure in the Security Profile of your Receiver Agreement you select option Web Services Security andfor the decrypting key you use XI's private key.
  You partner would have encrypted the message using XI's public key.
  Regards
  Bhavesh

• SOAP Receiver Adapter problem (client certificate required)

  My Scenario is similar to described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721. [original link is broken] [original link is broken] [original link is broken] I have two PI servers running on one machine. I am trying to post message HTTPS with Client authentication via SOAP adapter from one PI system to SOAP adapter of other PI server. I have done the following configuration.
  PI Server AXD - (Client) - Receiver SOAP adapter
  PI Server AXQ - (Server) - Sender SOAP Adapter.
  Steps in AXD
  1. I have created a certificate of AXD in the service_ssl view of key storage.
  2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
  Steps in AXQ
  1. I have created a certificate of AXQ in the service_ssl view of key storage.
  2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
  3. I have created a user in AXQ and assigned the certificate of AXD under usermangement in Security provider to this user.
  4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
  5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
  Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
  Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
  Any pointer to solve this problem is highly appreciated.
  Thanks
  Abinash

  Hi Hemant,
  I have couple of questions. Why do we need to import certificate for SOAP WS-Security and from where I can get it?
  As far as my scenario goes I am not using message level security.
  Secondly what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage.  I can see a view named just WebServiceSecuity though.
  Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
  Abinash