SOAP sender adapter with  client authentication

Similar Messages

• SOAP sender adapter with HTTPS

  Hi All,
  We have a requirement where we need to add message security to messages sent by sender SOAP adapter.
  To achieve this, I understand that I need to the following steps:
  1. Check 'Configure Certificate Authentation'
  2. Get the SSL certifiate given by receiver system and import it into SAP, and select it in SOAP Comunication channel
  3. 'Keystore VIEW' - What should i select here?
  4. Security Parameters/Security Profile - Do I have to check this option and select a security profile?
  Please let me know IF I missed something here.
  Thanks,
  Chandra

  Hi Chandra,
  One pre-requisite would be you need to install the SAP cryptographic library for using SSL.
  In the keystore view, you will select the view of the keystorage where the SSL certificate has loaded.
  Please check the sap help below for more details, als sap note 891877.
  http://help.sap.com/saphelp_nwpi711/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
  regards,
  francis

• SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config

  Hi All,
  I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPs.  Double authentication (client- server) sertificate shall be used.
  Testing simple HTTP and XI user name/password works fine.
  Now I installed requred sertificates in TrustedCA and ssl-provider in VIsualadmin.
  But i can't see how i can configure certificates in SOAP sender Adapter. I've just did SOAP receiver for another scenario and there I could give keystore entry.
  I also doesn't know how to disable asking for name/password.  I am using XI 7.0.
  Please advise.
  Thanks,
  Nataliya

  Hi Nataliya,
  Go to SOAP Adapter> Inbound Security Checks-> HTTP Security Level--> Here you can specify  option "HTTP with Client Authentication. 
  One more thing HTTP Security level option is always available in Sender Adapter.
  For more clarity about HTTPS find below link.
  http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
  To enable the TrustedCA in SOAP Sender adapter. Go SOAP Sender> Security Parameter> Security Profile--> Web Service
  security. Then go to sender agreement there you need to give key store entry.

• Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

  Hello All,
  We are currently building up a HTTPS message exchange with an external client.
  Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
  The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
  Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
  Now we have to configure the addtional Client Authentication.
  At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
  But what are the next steps to get this scenario successfully in place?
  Many thanks in advance!
  Jochen

  Hi Colleagues,
  following Steps still have to be done:
  - Mapping public key to technical user at Java Stack
    As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
  - Be sure CA root certivicate at Database under STRUSTSSO2
  - Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
  - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
  Many thanks to all for support!
  Regards,
  Jochen

• HTTPS with Client Authentication in SOAP sender Adapter

  Hi All,
  In SOAP Sender communication channel. When I generate WSDL with “HTTP Security Level = HTTP:” it works when third party tries to send data to XIwebservice.
  But when I tried with “HTTPS with Client Authentication” option its giving error
  “InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.”
  Please guide how to use “HTTPS with Client Authentication” option, and what all configuration need to apply in XI & in third party to use this.
  Regards

  Rohan,
  With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
  You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
  So the answer to your question is yes, after importing the certificate with sender and third party reciever a test would reveal the complete scenario along with any issues that you could encounter..
  Regards
  Ravi Raman

• Disabling SOAP sender adapter authentication

  How can I disable user/password authentication in a SOAP sender adapter?

  The question was answered by Sam Raju / Hans Dumbrajs in thread Exposing anonymous WS.
  Hereafter is an even more radical method that I used with a Netweaver 2004 SP12.
  But BEWARE! this is VERY bad practice, because authentication becomes disabled for ALL web services. It must only be used on a development system. Moreover, from SP14, there are many more options that would allow to turn this on/off per web service. I used it once, just to sort out service design issues from authentication burdens and then I quickly restored a proper config as we fought with WS-security settings in a remote system that had to call a service hosted on XI.
  Here is: locate the web.xml deployment descriptor for the server at stake. You should find it on a path like:
  /usr/sap/<systemID>/DVEBMGS00/j2ee/cluster\server0/apps/sap.com
  /com.sap.aii.af.soapadapter/servlet_jsp/XISOAPAdapter/root/WEB-INF
  Then SAVE A COPY of the web.xml file.
  Edit the web.xml and remove the three sections:
  <security-constraint>, <login-config>, and <security-role>
  Login to the J2EE visual Admin console go to cluster tab, Server 0... and right-click REBOOT.
  There you are.
  Strongly recommended: learn about WS-security and upgrade to SP14 or above to get back in control of security issues.
  (the truth is that integration systems are ever-ever-ever more complex year after year...)

• SOAP Sender adapter - how to turn off authentication? PI 7.1

  Hello
  I wolud like to turn off the user authentication in the Soap Sender Adapter PI 7.1. What is the easiest way to do so?
  Regards,
  Elling Skjetlein

  Hello,
  If you mean about using Single Sign-On (SSO) for automatic login, then
  you can refer to the following links:
  http://help.sap.com/saphelp_nwpi71/helpdata/EN/44/31370f01ae23d1e10000000a1553f7/frameset.htm
  http://help.sap.com/saphelp_nwpi71/helpdata/EN/48/acb27f23be6200e10000000a421937/frameset.htm
  http://help.sap.com/saphelp_nwpi71/helpdata/EN/c4/5c5ae71140bb41868f10bc7f3411db/frameset.htm
  http://help.sap.com/saphelp_nwpi71/helpdata/EN/e5/4344b6d24a05408ca4faa94554e851/frameset.htm
  Hope that help.
  Regards,
  Caio Cagnani

• Polling with HTTPS (SOAP sender adapter)

  Hi,
  we are using SAP PI 7.1 EHP 1 and we have to set up a scenario, in which a business partner is going to send us IDocs over HTTPS.
  Now our security team has objections, that incoming messages could be too risky. So we have to figure out if it's also possible, to set up a polling over HTTPS. Unfortunately there's no availability to insert an URL in the SOAP sender adapter, so I think it's NOT possible.
  Any other ideas or agreements?
  Thanks in advance,
  Juergen

  I think SOAP sender adapter supports HTTPS (w/ and w/o client certificate) ... But you'll need to complete the security setup (root CA, etc) before, and then give the "to-be-called" URL to yout partner.
  http://help.sap.com/saphelp_nw04/helpdata/en/fc/5ad93f130f9215e10000000a155106/content.htm
  Rgds
  Chris

• Use Moduls with SOAP Sender Adapter

  Hi Experts,
  I have a question regarding the use of modules in the soap sender adapter / communication channel. Is it correct that the use of modules in the soap sender adapter is not possible?
  the background of my question is that we use modules from SEEBURGER in our Communication channels for archiving incoming and outgoing documents. the use of modules in the soap receiver adapter is possible. why not in the soap sender???
  according to the sap help it is possible to use the axis framwork in the soap adapter. then it should be possible to use modules. Is that correct? I tested it but it is not working. If I send a soap message (with the soap reveicer adapter) to the axis soap sender adapter there occure internal server errors. it is only working if I write my own modules for the axis soap sender adapter? is it not possible to use external modules like in other channels (File/FTP, soap receiver etc.)???
  thanks and best regards!
  Christopher

  we have moduls from SEEBURGER. so I have to test it. but before I need a scenario with which I can test it.
  We have a customer who sends xml-files per soap to us. these files we receive succussfully with the soap sender adapter. now we want to use some modules. so we have to use the axis soap sender adapter. I tried to send an xml file with the soap receiver adapter to the axis soap sender adapter, but this was not working. http 500 internal server errors occurred. is it possible that this scenario (soap-to-axis-soap) is not working? need I a specific configuration for this?
  thanks and regards
  Christopher

• Anonymous authentication requests via SOAP Sender adapter?

  Hi,
  Can someone please tell me whether it is possible to call the SOAP Sender adapter anonymously?
  We can set user credentials for the receiver system adapter but looking at the options in the SOAP Sender communication channel I can't see how it is possible to send messages though SAP PI without a user who has authorisations to process messages.
  Any advice greatly appreciated.
  Thanks,
  Alan

  can't see how it is possible to send messages though SAP PI without a user who has authorisations to process messages.
  The source system needs to use a user-id to send message to XI/ PI via SOAP.
  If you do not want to use any authorization there is a way to switch off the authentication for the entire SOAP adapter (i.e. for all the SOAP scenarios)....not advisable.
  This method was actually described in a discussion ages back
  Regards,
  Abhishek.

• SOAP Receiver Adapter problem (client certificate required)

  My Scenario is similar to described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721. [original link is broken] [original link is broken] [original link is broken] I have two PI servers running on one machine. I am trying to post message HTTPS with Client authentication via SOAP adapter from one PI system to SOAP adapter of other PI server. I have done the following configuration.
  PI Server AXD - (Client) - Receiver SOAP adapter
  PI Server AXQ - (Server) - Sender SOAP Adapter.
  Steps in AXD
  1. I have created a certificate of AXD in the service_ssl view of key storage.
  2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
  Steps in AXQ
  1. I have created a certificate of AXQ in the service_ssl view of key storage.
  2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
  3. I have created a user in AXQ and assigned the certificate of AXD under usermangement in Security provider to this user.
  4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
  5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
  Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
  Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
  Any pointer to solve this problem is highly appreciated.
  Thanks
  Abinash

  Hi Hemant,
  I have couple of questions. Why do we need to import certificate for SOAP WS-Security and from where I can get it?
  As far as my scenario goes I am not using message level security.
  Secondly what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage.  I can see a view named just WebServiceSecuity though.
  Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
  Abinash

• HTTPS with Client Authentication not available in EHP1?

  Hi Guys,
  I am not seeing this option in PI 7.1 EHP1.
  At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
  any help would be appreciated
  Thanks,
  Srini

  Hi Srinivas,
  I didnot use it personally. But when I see on SAP help I dont see that option anywhere. Please see this sap help:
  http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
  But you have an option sender agreeement for security. Please see this help:
  http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ceb8cf18d3424be10000000a421937/content.htm
  Since we have the option to skip the adapter engine they have enabled this option in http adapter. So you can directly hit to integration engine skipping the adapter framework, which will help in improving the performance. Please see this help on this:
  http://help.sap.com/saphelp_nwpi711/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
  Regards,
  ---Satish

• HTTPS without certificates in SOAP sender adapter

  Hi,
  I am using SOAP to PROXY sync scenario.
  The HTTP security level at the sender SOAP adapter has been chosen as "HTTPS with client authentication" and the SELECT SECURITY PROFILE parameter is uncheck.(No certificates has been referred)
  The interface is working fine in PRODUCTION.
  But when I am trying to develop the same kind of interface in DEV using "HTTPS with client authentication" the webservice is not executed, However when I change the SECURITY LEVEL to "HTTP" It is working fine.
  Please suggest me how to resolve it.
  Please note that no certificates has been used in the PRODUCTION.
  I have also referred help.sap, but unable to find the solution.
  Thanks,
  Nitin

  Nitin,
  Could u please suggest me where do I need to maintain the userID and PAssword in PI server.
  It is maintained in the ABAP stack - su01.
  The userID I am using to invoke the webservice already exists in PI server.
  Do I need to maintain the userID in any specific location in PI server.
  I guess both of us are talking about the same place of maintaining the users
  Have you tried using SOAPUI (or similar tool)? Are you getting any error messages?
  regards,
  Neetesh

• HTTPS With Client Authentication

  Hi,
  I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
  java.security.AccessControlException: client certificate required
  In the the transaction scim the following can be seen:
  [Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
  [Thr 5061]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
  [Thr 5061]     out: sssl_hdl = 1117534b0
  [Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
  [Thr 5061]      in: sssl_hdl = 1117534b0
  [Thr 5061]      in: cred_hdl = 116cfc110
  [Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
  [Thr 5061]   SSL NI-sock: local=XX.XX.XX.XX:50001  peer=XX.XX.XX.XX:2310
  [Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
  [Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
  [Thr 5061]          status = "resumed SSL session, NO client cert"
  The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
  Sender Communication Channel, 
  Transport Protocol: HTTP,
  Message Protocol: Soap 1.1,
  Adapter Engine: Central Adepter Engine,
  HTTPS with Client Authentication,
  Keep Headers
  Any ideas?
  Kind regards,
  John

  Hi Peter,
  If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
  It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
  All the best,
  John

• SOAP Sender Adapter gets error '(401) Unauthorized.'

  Hi all,
  we are using XI 3.0 and have a scenario with a SOAP Sender Adapter, which is using "HTTPS with Client Authentication". I have configured everything I have found on the forum at Visual Admin and Integration Directory:
  Set the UME property ume.logon.allow_cert to TRUE in 'Service-->UME Provider'
  Imported client certificate and root CA certificate to 'Service-->Keystore'
  Created user with role role SAP_XI_APPL_SERV_USER
  Assigned this user to the client certificate in 'Security Provider-->UserManagement'
  Added the user to xi_adapter_soap_message and xi_adapter_soap_help in 'Security Provider'
  Added the root CA in 'SSL Provider>Dispatcher>Client Authentication' and marked 'Request client certificate.
  Added the user to BusinessSystem at tab 'Assigned Users'
  Added the user to Sender Agreement at tab 'Assigned Users'.
  Our business partner got a certificate of our server and the according PrivateKey is added to 'SSL Provider>Dispatcher>Server Identity'
  Unfortunately, our server certificate is not verified by an root CA!!
  When the business partner now browse the URL 'https://url:port/XISOAPAdapter/MessageServlet?channel=:BS_3RD_PARTNER:SOAP_SENDER&nosoap=true' on his system, he will get a 'Message Servlet is in Status OK'.
  But when he tries to process the URL directly in his messaging system, he gets an error '(401) Unauthorized.' 
  Any hints what could be the problem between browing the URL in InternetExplorer and sending from the messaging system?
  Does it really mean that authorization was successful, when getting  'Message Servlet is in Status OK' in the Browser?
  How can I assign an user when not using ClientAuthentication?
  I would be very thankful for every help...
  Grtz, Juergen

  Hi Satish,
  could the user or password also be wrong, even if you get 'Message Servlet is in Status OK' when browsing the URL in the Internet Explorer? I would have seen this as a sign, that the user authentication works basically...
  Is there a special place to store the password in the Visual Admin, or will the password be used, which is available in the SU01 ?
  Grtz,
  Juergen