SOAP Receiver with HTTPS(without certificate)

Similar Messages

• XI3.0: Soap Sender with HTTPS

  I have enabled HTTPS on our J2EE stack.
  We have a soap sender which works fine using http and username/password authentication.
  When I switch "HTTP Security level" on the SOAP sender to "HTTPS without client authentication" and sends the SOAP request to the HTTPS port XI (j2ee) returns a HTTP errorcode 403 Forbidden. No explanation, and I can't find any traces in the logs.
  Please help/advise!
  -AD

  The solution was very simple!
  The client accessing XI was using a .NET application which picked up Internet explorer's proxy settings, even if the .NET application it self activly set NO proxy!,...and that proxy did not allow https
  Nothing to do with XI at all. Everything worked as soon as we got rid of that.
  -AD

• SOAP Receiver Adapter problem (client certificate required)

  My Scenario is similar to described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721. [original link is broken] [original link is broken] [original link is broken] I have two PI servers running on one machine. I am trying to post message HTTPS with Client authentication via SOAP adapter from one PI system to SOAP adapter of other PI server. I have done the following configuration.
  PI Server AXD - (Client) - Receiver SOAP adapter
  PI Server AXQ - (Server) - Sender SOAP Adapter.
  Steps in AXD
  1. I have created a certificate of AXD in the service_ssl view of key storage.
  2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
  Steps in AXQ
  1. I have created a certificate of AXQ in the service_ssl view of key storage.
  2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
  3. I have created a user in AXQ and assigned the certificate of AXD under usermangement in Security provider to this user.
  4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
  5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
  Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
  Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
  Any pointer to solve this problem is highly appreciated.
  Thanks
  Abinash

  Hi Hemant,
  I have couple of questions. Why do we need to import certificate for SOAP WS-Security and from where I can get it?
  As far as my scenario goes I am not using message level security.
  Secondly what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage.  I can see a view named just WebServiceSecuity though.
  Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
  Abinash

• SOAP receiver: error HTTP 302 (Moved Temporarily)

  Dear all,
  I configured scenario where SOAP web service is consumed from SAP ABAP system via PI. The problem is in communication with the web service: the error observed in communication channels monitor for the configured SOAP receiver channel is:
  Message processing failed. Cause: com.sap.aii.af.ra.ms.api.RecoverableException: invalid content type for SOAP: TEXT/HTML; HTTP 302 Moved Temporarily: java.io.IOException: invalid content type for SOAP: TEXT/HTML; HTTP 302 Moved Temporarily
  The consumed web service is based on the function module developed in SAP NetWeaver 7.00 system. Endpoint for the service was then created via SOAMANAGER, generated binding's address was used as a target URL in the SOAP receiver channel.
  If the service is consumed not via PI, but tested directly from external SOAP client (I used soapUI) with the same WSDL and endpoint, the response is fine and error-free.
  Please advise possible root cause of the issue.
  My regards,
  Vadim

  Hi,
  I am working on a similar scenario where I my consuming an external web service using https protocol from PI.
  I have configured a soap receiver channel to call the target url of this web service as https://portal.xyz.org.uk/webservice_alt.
  I am getting an error HTTP 302 suggesting that PI is not able to follow the re-direction to the target URL as the service resides not on that URL but on https://portal1.xyz.org.uk/webservice_alt or https://portal2.xyz.org.uk/webservice_alt.
  This is their server fail over handling mechanism which is very common. But PI 7.0 is not able to handle this.
  So if I change the target URL on the SOAP receiver channel to  https://portal1.xyz.org.uk/web service  or  https://portal2.xyz.org.uk/webservice_alt , PI works fine without errors . But this is not the right approach because, every time the web service provider takes one of these systems down for upgrade/patching etc, they inform us and then I manually go and change the target URL to the available server on my production PI system config.
  My problem is I want to resolve this redirection error in PI. I have tried raising a call with SAP itself and they pointed out to use Axis adapter which is still not working.
  So I am here asking for help. any suggestions please from the experts?
  Thanks
  Jhansi.

• ** SOAP - Receiver CC - Sync - Error - certificate rejected by ChainVerifie

  Hi Friends,
  In our interface BPM - SOAP call (Sync), in the receiver SOAP CC, we are getting the below error. 
  SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  In the SOAP CC, we use HTTP protocol.  In the target URL, it starts with https://...... and soapAction is mentioned.
  Previously, this channel was working fine. No issues.
  For testing, I copied and pasted the target URL in Internet Explorere, it did not ask any certificate, I am able to execute the wsdl. i.e call the soapAction - sent the request and got the response.
  Friends, could you tell me why the above error is coming now ?
  Kind regards,
  Jegathees P.

  Hi,
  https service is running?
  Check: SMICM -> Services
  Also check  with the named SAP note inside.
  Cheers,
  André
  Edited by: André Schillack on Apr 28, 2010 5:37 PM

• SOAP Receiver Success / HTTP Receiver Error

  Hello,
  we have to connect to a http server (HTTP with user authentication). I have tried both a HTTP receiver channel as well as a SOAP receiver channel (option "Do Not Use SOAP Envelope").
  Connection using the SOAP receiver works without problem. If we switch to plain HTTP receiver (same connection details) we get the following error:
  "HTTP client code 400 reason ICM_HTTP_CONNECTION_FAILED".
  What could the reason for this? Probably related to the ABAP Stack?
  Edited by: Florian Guppenberger on Jan 26, 2010 3:12 PM

  Hi,
  >>>What could the reason for this? Probably related to the ABAP Stack?
  check the log on ABAP for RFC dest from SM59
  there you might see some more info
  BTW
  does PI/XI have access to this http sever ? (no firewalls etc?)
  Regards,
  Michal Krawczyk

• SOAP Receiver over SSL - server certificate troubles

  Hello all,
  I have a scenario with SOAP receiver communication channel with comunnication over SSL. In the URL there is a IP address for a reason I will not mention ... simply there must be IP address in URL and not a host name.
  When I access the SOAP server with internet browser it gives me a server certificate with HOST NAME in CN. I placed this certificate to the "trusted container" in J2EEVisAdmin - Key Storage.
  Now you might already suspect the trouble: the certificate CN doesn't match with URL. This is obvios error we got many times on the internet (even in e-banking sector .. but we are able to skip it with our internet browsers' possibilities.
  Could I set up something in J2EE server as same as in internet browser ???
  Thank you in advance.
  Rgds
  Tom

  Got it,
  SAP Note : 791655
  HTTPS/SSL Properties
  Property Name = [default]
  messaging.ssl.httpsHandler=iaik.protocol.https.Handler
  messaging.ssl.securityProvider=iaik.security.provider.IAIK
  messaging.ssl.trustedCACerts.viewName=TrustedCAs
  messaging.ssl.serverNameCheck=false
  Description:
  The properties "httpsHandler" and "securityProvider" specify the class names of the HTTPS handler and Security provider used. The AF only supports IAIK. Never change these values! To activate HTTP/SSL, you must install the IAIK libraries on your J2EE Engine as described in the Installation Guide.
  The property "trustedCACerts.viewName" defines which J2EE keystore is used during the SSL Handshake for trusted CA certificates. You should never change this value either. With "serverNameCheck" you can specify whether the host name in outbound HTTPS requests should be checked against the host name in the certificate of the server.
  Regards,
  Bhavesh

• SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config

  Hi All,
  I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPs.  Double authentication (client- server) sertificate shall be used.
  Testing simple HTTP and XI user name/password works fine.
  Now I installed requred sertificates in TrustedCA and ssl-provider in VIsualadmin.
  But i can't see how i can configure certificates in SOAP sender Adapter. I've just did SOAP receiver for another scenario and there I could give keystore entry.
  I also doesn't know how to disable asking for name/password.  I am using XI 7.0.
  Please advise.
  Thanks,
  Nataliya

  Hi Nataliya,
  Go to SOAP Adapter> Inbound Security Checks-> HTTP Security Level--> Here you can specify  option "HTTP with Client Authentication. 
  One more thing HTTP Security level option is always available in Sender Adapter.
  For more clarity about HTTPS find below link.
  http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
  To enable the TrustedCA in SOAP Sender adapter. Go SOAP Sender> Security Parameter> Security Profile--> Web Service
  security. Then go to sender agreement there you need to give key store entry.

• Need Help for  SOAP sender with HTTPS protocol

  Hi Team
  We have a scenario where the sender is a 3P system and they will be sending the message using web service.They will send the data using SSL ( HTTPS) using certificates.
  In the sender soap adapter , I have two options
  1. HTTPS with client Authorization
  2. HTTPS without client Authorization
  I think I need to use the first option. But I have doubt regarding certificates
  1. Who is going to provide the certificate? is it PI Team or the third party team.
  2. Once we have the certificate where we need to store it in NWA? is it in the TrustedCA keystore view or service_ssl keystore view.

  Hi Indrajit,
  Krupa already shared a valuable resource on how to set up on Double Stack PI, so I'll focus on what's left to deal with / open questions.
  Indrajit Sarkar wrote:
  In the sender soap adapter , I have two options
  1. HTTPS with client Authorization
  2. HTTPS without client Authorization
  I think I need to use the first option. But I have doubt regarding certificates
  1. HTTPS with client authorization means that the 3rd party would not give username / password to authenticate to your PI but present a certificate you are trusting. You can think of this as an admission ticket to communicate with your PI server
  2. HTTPS without client authorization means they will authenticate with username password.
  In both cases the caller (3rd party) would need to trust your PI server. Most commonly this trust is established by not trusting your PI server's explicit certificate but in trusting the CA that issued your PI server's certificate. This CA can very well be a company internal CA. That way, if you happen to need changing the hostname of the server some time in the future, trust situation is still valid.
  In case of 1. (HTTPS with client authorization) your PI server in turn would also need to trust the 3rd party caller. This is often done in such ways that the interal CA on your side issues a client certificate with the CN of the caller. The caller presents this certificate to your server upon making a call (see here for a picture https://help.sap.com/saphelp_nw74/helpdata/en/43/dc1fa58048070ee10000000a422035/content.htm). You will also need to back up this process on your PI server by mapping the certificate to a specific user.
  --> Option 2 is the more polished one with ability to withdraw a certificate and the like. However it does result in some overhead setting it up so I personally would go with Option 1 if there's no business need / security policy enforcing so.
  HTH
  Cheers Jens

• SOAP Receiver error - HTTP 500 Internal Server Error

  Hi,
  We have a FILE to SOAP Asynchronous scenario to send data from our PI to customer PI.
  We are sending PGP encrypted file as the payload. So, foll settings have been maintained:
  Do not use SOAP envelope in Sender and Receiver SOAP
  nosoap=true in the URL.
  Message transform bean in the SOAP channels.
  File is successfully sent and received through SOAP protocol.
  But, both the SOAP Receiver and Sender channels are in error:
  SOAP Receiver error:
  SOAP: response message contains an error XIAdapter/HTTP/ADAPTER.HTTP_EXCEPTION - HTTP 500 Internal Server Error.
  As, this is a asynch scenario, we are not expecting the response.
  SOAP sender at customer PI is in error. Error text is not mentioned. It just displays: error occured.
  At both the ends, we do not have Repository objects as there is no mapping.
  Kindly help...
  Thanks,
  Pratibha.

  Hi All,
  For the same scenario, we need to Sign the data using the WebServices Security.
  (We are sending PGP encrypted data as SOAP payload using MTB, i have ticked "Do not use SOAP envelope")
  I have selected WebServicesSecurity as the security profile in the SOAP Receiver and selected "Sign" in the Receiver agreement, have provided our private cert.
  Tried sending a message. Communication channel audit Log shows the message:
  Success MP: Processing local module localejbs/sap.com/com.sap.aii.af.soapadapter/XISOAPAdapterBean
  Success SOAP: request message entering the adapter with user J2EE_GUEST
  Success SOAP: Web Services Security processing...
  Success SOAP: Web Services Security processing skiped. Empty body...
  Success SOAP: completed the processing
  Please suggest how I can apply the WSS..
  Thanks,
  Pratibha.

• Soap Receiver adpater: HTTP 20 OK, canu2019t parse the document

  Hi Everyone,
  The scenario is SAP ECC -> PI -> server (third party remote server).
  Here the PI has to post the message (payload) which is coming from the SAP ECC to the third party remote server.
  We have the soap receiver adapter to send the payload to the remote client system.
  When we do the end-to-end testing, in RWB the soap receiver adapter is throwing an error
  HTTP 20 OK, canu2019t parse the document
  Any idea what might the error or any configuration we missed out.
  Thanks,
  Lalitkumar.

  Hi Stefan,
  You mentioned that PI will be waiting response ,
  The Web service has to respond an empty SOAP envelope, but it does not return anything.
  Itu2019s fine if it is waiting for the response.
  But when we logon to the server using different link (that the portal of the server) to which we submit the payload, none of the invoices is seen whenever we submit.
  just a basic question, can we use the soap receiver adapter to post the invoices to external server (async scenario)
  i had tried with the HTTP receiver adapter too, with that also facing the same problem.
  kindly reply to that thread also...
  [unable to post the payload|successfully configured http receiver adapter, unable to post the payload;
  Thanks,
  Lalitkumar.

• Sender SOAP Adapter with Https

  Hi,
  can any one give me information on  how my Sender SOAP adapter to be configured with HTTPS port.
  please give me the what are all different ways to make my Sender SOAP Adapter secure and give me the steps to achieve the functionality.
  Thank You,
  Madhav

  check this section:
  http://help.sap.com/saphelp_nw70/helpdata/EN/14/ef2940cbf2195de10000000a1550b0/frameset.htm
  Also some help from SAP note:
  https://service.sap.com/sap/support/notes/891877
  Regards,
  Abhishek.
  Edited by: abhishek salvi on May 29, 2009 1:59 PM

• SOAP Receiver Error: HTTP Error response for SOAP Request

  Hi gurus,
  I'm facing a weird error in File --> PI 7.31 java only --> soap receiver proxy.
  The other interfaces runs well. just one get the the following error:
  Exception caught by adapter framework: java.io.IOException: Error receiving or parsing request message: java.io.IOException: HTTP Error response for SOAP request or invalid content-type.
  I check the payload and test in the inbound proxy. on error.
  Any hints?
  Thanks a lot!
  regards
  Christine

  Hello Christine,
  I faced the same issue,
  You can use the beans below to overcome the error.
  And charset should be utf-8

• Issue when receiving SOAP message with HTTPS on non-central adapter engine

  Hi,
  we have a central XI system (PI 7.1 EHP1 SP03) and a non-central adapter engine (XI 3.0) in the DMZ, both systems on HP-UX.
  In the affected configuration scenario, a business partner is sending us IDocs (INVOIC.INVOIC01) over HTTPS with Certificate Authentication and without SOAP Envelope.
  The configuration and security settings seem to be correct, because we've already received several messages successfully over this connection. Now, since several weeks no message arrives anymore in our system, while the business partner always gets a HTTP_OK_200 response. So the messages seem to be accepted by our system, but nothing is shown, neither in the MessageMonitoring or CommunicationChannelMonitoring of the Runtime Workbench, nor in the in the traces/logs of the NetweaverAdministrator (trace level = DEBUG for "com.sap.aii.adapter.soap").
  I also removed the assigned user in the sender agreement which should cause a HTTP_500_error on sender side, but our business partner still got a "OK_200" notification and we didn't find any information in the trace of our system.
  When using TCPGateway to trace the communication, I can see an arriving message and the response, but it's encrypted because of HTTPS.
  1) Did anyone have similiar issues yet?
  2) Are there any further possibilities to check if an incoming message at the SOAP adapter fails?
  3) Which further trace settings can be done, to get most detailed informations about the soap traffic?
  4) Is there a way to decrypt the message of the TCPGateway (e.g. with private key of server)?
  I'm looking forward for any helpful hints or information!
  Regards,
  Juergen

  Issue solved by SAP note 1115650 "J2EE Engine kernel.sda SP20 cumulative patch"

• HTTPS without certificates in SOAP sender adapter

  Hi,
  I am using SOAP to PROXY sync scenario.
  The HTTP security level at the sender SOAP adapter has been chosen as "HTTPS with client authentication" and the SELECT SECURITY PROFILE parameter is uncheck.(No certificates has been referred)
  The interface is working fine in PRODUCTION.
  But when I am trying to develop the same kind of interface in DEV using "HTTPS with client authentication" the webservice is not executed, However when I change the SECURITY LEVEL to "HTTP" It is working fine.
  Please suggest me how to resolve it.
  Please note that no certificates has been used in the PRODUCTION.
  I have also referred help.sap, but unable to find the solution.
  Thanks,
  Nitin

  Nitin,
  Could u please suggest me where do I need to maintain the userID and PAssword in PI server.
  It is maintained in the ABAP stack - su01.
  The userID I am using to invoke the webservice already exists in PI server.
  Do I need to maintain the userID in any specific location in PI server.
  I guess both of us are talking about the same place of maintaining the users
  Have you tried using SOAPUI (or similar tool)? Are you getting any error messages?
  regards,
  Neetesh