SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config

Hi All,
I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPs.  Double authentication (client- server) sertificate shall be used.
Testing simple HTTP and XI user name/password works fine.
Now I installed requred sertificates in TrustedCA and ssl-provider in VIsualadmin.
But i can't see how i can configure certificates in SOAP sender Adapter. I've just did SOAP receiver for another scenario and there I could give keystore entry.
I also doesn't know how to disable asking for name/password.  I am using XI 7.0.
Please advise.
Thanks,
Nataliya

Hi Nataliya,
Go to SOAP Adapter> Inbound Security Checks-> HTTP Security Level--> Here you can specify  option "HTTP with Client Authentication. 
One more thing HTTP Security level option is always available in Sender Adapter.
For more clarity about HTTPS find below link.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
To enable the TrustedCA in SOAP Sender adapter. Go SOAP Sender> Security Parameter> Security Profile--> Web Service
security. Then go to sender agreement there you need to give key store entry.

Similar Messages

  • Need Help for  SOAP sender with HTTPS protocol

    Hi Team
    We have a scenario where the sender is a 3P system and they will be sending the message using web service.They will send the data using SSL ( HTTPS) using certificates.
    In the sender soap adapter , I have two options
    1. HTTPS with client Authorization
    2. HTTPS without client Authorization
    I think I need to use the first option. But I have doubt regarding certificates
    1. Who is going to provide the certificate? is it PI Team or the third party team.
    2. Once we have the certificate where we need to store it in NWA? is it in the TrustedCA keystore view or service_ssl keystore view.

    Hi Indrajit,
    Krupa already shared a valuable resource on how to set up on Double Stack PI, so I'll focus on what's left to deal with / open questions.
    Indrajit Sarkar wrote:
    In the sender soap adapter , I have two options
    1. HTTPS with client Authorization
    2. HTTPS without client Authorization
    I think I need to use the first option. But I have doubt regarding certificates
    1. HTTPS with client authorization means that the 3rd party would not give username / password to authenticate to your PI but present a certificate you are trusting. You can think of this as an admission ticket to communicate with your PI server
    2. HTTPS without client authorization means they will authenticate with username password.
    In both cases the caller (3rd party) would need to trust your PI server. Most commonly this trust is established by not trusting your PI server's explicit certificate but in trusting the CA that issued your PI server's certificate. This CA can very well be a company internal CA. That way, if you happen to need changing the hostname of the server some time in the future, trust situation is still valid.
    In case of 1. (HTTPS with client authorization) your PI server in turn would also need to trust the 3rd party caller. This is often done in such ways that the interal CA on your side issues a client certificate with the CN of the caller. The caller presents this certificate to your server upon making a call (see here for a picture https://help.sap.com/saphelp_nw74/helpdata/en/43/dc1fa58048070ee10000000a422035/content.htm). You will also need to back up this process on your PI server by mapping the certificate to a specific user.
    --> Option 2 is the more polished one with ability to withdraw a certificate and the like. However it does result in some overhead setting it up so I personally would go with Option 1 if there's no business need / security policy enforcing so.
    HTH
    Cheers Jens

  • XI3.0: Soap Sender with HTTPS

    I have enabled HTTPS on our J2EE stack.
    We have a soap sender which works fine using http and username/password authentication.
    When I switch "HTTP Security level" on the SOAP sender to "HTTPS without client authentication" and sends the SOAP request to the HTTPS port XI (j2ee) returns a HTTP errorcode 403 Forbidden. No explanation, and I can't find any traces in the logs.
    Please help/advise!
    -AD

    The solution was very simple!
    The client accessing XI was using a .NET application which picked up Internet explorer's proxy settings, even if the .NET application it self activly set NO proxy!,...and that proxy did not allow https
    Nothing to do with XI at all. Everything worked as soon as we got rid of that.
    -AD

  • Set up https SOAP Sender adapter

    Hello, I am doing the Webservice -- XI --   RFC
    I have successfully configured the whole scenerio and it works when the SOAP Sender adapter is set to HTTP security
    But when I set it to HTTPS without client auth or with I can not get it to work, I redid the wsdl entering in a url of https and get the following error
    Wed Feb 27 11:02:56 PST 2008:ERROR:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
       javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
            at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
            at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    via soapui
    Does anyone have any suggestions or documentation or success in successfully setting up the SOAP adapter to use https?
    I also always reward points
    Cheers
    Devlin

    have you checked that:
    https://service.sap.com/sap/support/notes/891877
    https://service.sap.com/sap/support/notes/856597
    * Q: Can I use SSL for my sender adapter?
               A: Yes. Normally, the SOAP adapter servlet runs on the engines HTTP port. But you can activate the engine's HTTPS port so that this servlet can receive messages sent to the HTTPS port. See the documentation about the J2EE engine's security configuration.
    /wg

  • HTTP Call to SOAP Sender Adapter

    Hi All,
    I'm working on a scenario where i plan to use SOAP Sender Adapter for receiving Plain HTTP Calls from the client.
    The purpose behind this exercise is to have control over the message flow in case of sender HTTP protocol in XI.
    I configured a SOAP channel and used the option 'DO Not Use SOAP Envelope'. But when i post  the message to the adapter engine using a HTTP client, it fails.
    Can somebody guide me in this case.
    Regards,
    Anurag

    Hi,
    >>>But when i post the message to the adapter engine using a HTTP client, it fails.
    with which error ?
    Regards,
    Michal Krawczyk

  • SAP PI SOAP Sender Adatper using HTTPS Without Authentification

    Dears experts,
    I have a requirement where i need to implement the next flow:
    POS (Java code to web service soap) ---> (SOAP HTTPS - SAP PI - XI) --->ECC (XI)
    So, have configured my SOAP sender adapter as:
    Transport protocol: HTTP
    Message protocol: SOAP 1.1
    HTTP Security Level: HTTPS without Client Authentication
    But as i have read i see that Basis team should configure this to permit HTTPS into PI, but i would like to do it by my self...
    Following a lot of forums, manuals, etc... I have configured the transaction STRUST importing the certificated that i attached to you (PRTG Demo Certificate), succesfully in my server... and i tried to find how to configure netweaver but in this i didnt find it...
    Then i tried again using SOAP UI but when i sent the message to HTTPS://www.piserver.com:50001 i still getting error without connection...
    Wed Jun 25 18:27:13 CDT 2014:ERROR:An error occurred [Connection to https://piserver:50001 refused], see error log for details
    Can you help me to end this, please?...
    Best regards,
    Azael

    Hi,
    The certificates should be installed under TrustedCA's in NWA (Netweaver Administrator). Aside from that, you should be posting to either:
    https://host:port/XISOAPAdapter/MessageServlet?channel=p:s:c where p=party, s=service and c=channel
    or
    https://host:port/XISOAPAdapter/MessageServlet?senderParty=FP&sen
    derService=FS&interface=IF&receiverParty=TP&receiverService=TS&in
    terfaceNamespace=IFNamespace
    Hope this helps,
    Mark

  • SOAP Sender Adapter gets error '(401) Unauthorized.'

    Hi all,
    we are using XI 3.0 and have a scenario with a SOAP Sender Adapter, which is using "HTTPS with Client Authentication". I have configured everything I have found on the forum at Visual Admin and Integration Directory:
    Set the UME property ume.logon.allow_cert to TRUE in 'Service-->UME Provider'
    Imported client certificate and root CA certificate to 'Service-->Keystore'
    Created user with role role SAP_XI_APPL_SERV_USER
    Assigned this user to the client certificate in 'Security Provider-->UserManagement'
    Added the user to xi_adapter_soap_message and xi_adapter_soap_help in 'Security Provider'
    Added the root CA in 'SSL Provider>Dispatcher>Client Authentication' and marked 'Request client certificate.
    Added the user to BusinessSystem at tab 'Assigned Users'
    Added the user to Sender Agreement at tab 'Assigned Users'.
    Our business partner got a certificate of our server and the according PrivateKey is added to 'SSL Provider>Dispatcher>Server Identity'
    Unfortunately, our server certificate is not verified by an root CA!!
    When the business partner now browse the URL 'https://url:port/XISOAPAdapter/MessageServlet?channel=:BS_3RD_PARTNER:SOAP_SENDER&nosoap=true' on his system, he will get a 'Message Servlet is in Status OK'.
    But when he tries to process the URL directly in his messaging system, he gets an error '(401) Unauthorized.' 
    Any hints what could be the problem between browing the URL in InternetExplorer and sending from the messaging system?
    Does it really mean that authorization was successful, when getting  'Message Servlet is in Status OK' in the Browser?
    How can I assign an user when not using ClientAuthentication?
    I would be very thankful for every help...
    Grtz, Juergen

    Hi Satish,
    could the user or password also be wrong, even if you get 'Message Servlet is in Status OK' when browsing the URL in the Internet Explorer? I would have seen this as a sign, that the user authentication works basically...
    Is there a special place to store the password in the Visual Admin, or will the password be used, which is available in the SU01 ?
    Grtz,
    Juergen

  • Using SOAP Sender adapter in PI 7.1

    Hi Guys,
    I've created a sync scenario with SOAP sender adapter, but I have troubles with calling it.
    I use following URL: http://<host>:50000/XISOAPAdapter/MessageServlet?channel=:BS_Bus_Sys:CC_SOAP_Test as I did in XI 3.0, but I'm getting error HTTP 400 Bad Request. I'm using the request generated from the IR Configuration.
    Has something changed in 7.1 for this type of scenario?
    Thanks guys,
    Olian

    Hi! Olian,
    I think u r going in a wrong way. The above given URL is wrong and incomplete one.
    The above url comes only after generating the WSDL. You ill gives that URL to ur source team to post their data at which this URL itselfs acts as an Gateway to enter into SAP XI/PI.
    The generated WSDL contains URL like this>>
    "http:// Host:Port/XISOAPAdapter/MessageServlet?senderParty=&amp;senderService=Business Service&amp;receiverParty=&amp;receiverService=&amp;interface=SenderInterfaceI&amp;interfaceNamespace=http://XXXXXXXX" />
    Also follow the below procedure for generating the WSDL.
    Except generating WSDL remaining all development steps are same as creating File to Proxy Scenario.
    CREATING THE WEBSERVICE IN XI :
    1) In Integration Directory, go to Tools tab --> Define Web Services.
    2) Now one Wizard window will opens and follow the below steps:
    Here donu2019t go for the u2018 Proposed URLu2019, instead specify the URL as::
    http://<host>:<j2ee-port>/XISOAPAdapter/MessageServlet?channel=:<service>:<channel>
    If there is party then ::
    http://host:port/XISOAPAdapter/MessageServlet?channel=<party>:<service>:<channel>.
    3) Specify the Source Messageu2019s Message Interface.and remaining other input parameters.
    4) Specify the Sender Business Serviceu2019s details:
    5) Here, Cross check the details displayed and then click on u2018Finishu2019 button to create the Web Service
    document(WSDL)
    6) Now Save the WSDL code to the local system. At the bottom u ill get URL based on the above input
    URl:
    Note: Here in XI there is no XML Testing tool or SOAP client tool to test SOAP messages. That is why most of the people prefer either ALTOVA XML SPY Tool or SOAP CLIENT TOOL or INFO PATH.
    If your working on PI 7.1 means::
    1) Simply after creating Sender Agreement go to options above to that sender agreement instead of tools menu... and there you can observe 2 options at the bottom side.
    a) PUBLISH in SR
    b) Generate WSDL.
    2) Once after activating your ID componenets just Press or go for option Publish in SR. Then automatically it will generate WSDL and publish that WSDL in the SERVICE REGISTRY. which is latest concept in PI 7.1.
    3) Now by entering authentification details you can able to enter into service registry.
    There are 4 tabs::
    a) Service definitions
    b) Publish
    c) classifications
    d) Manage.
    Go for Service definitions::
    4) Enter your sender SOAP interface and press GO or enter.
    5) Select your interface and then at the bottom u can observe again 4 tabs:
    a) General b) End Points c) classifications d) System Details.
    6) In the general you can able to see your WSDL URL by again entering Authentification details.
    7) Now Click End Points>Test Button>Enter Authentification details-->Seelct your Interface
    Note:: Now you can test your scenario in this WEB SERVICE NAVIGATOR.
    8) There you can enter you can pass your Input data parameters in your SOAP interface and execute or test your scenario here itself without any using of external tool like Altova XML or SOAP client tool.
    I hope the above information will give you a detailed information in generating and testing webservice right.
    Regards::
    Amar Srinivas Eli

  • HTTPS without client authentication

    Hi Friends,
    In SOAP adapter, we have three options for HTTP
    HTTP without SSL
    HTTP with SSL (= HTTPS) without client authentication
    HTTP with SSL (= HTTPS) with client authentication
    Please let me know if I use  "HTTP with SSL (= HTTPS) without client authentication" ,  is it Transport Layer Sceurity of Message level Security?
    Please answer only if you are confident. No guess please!!!
    Thanks,
    Sandeep Maurya

    Hi,
    Please let me know if I use  "HTTP with SSL (= HTTPS) without client authentication" ,  is it Transport Layer Sceurity or Message level Security?
    HTTPS is used to encrypt the traffic between the client and the Web server. SSL encrypt the segments of network connections at the Transport Layer end-to-end.
    Don't get confused with the Client Authentication (with / without), as SSL is already being used in both the forms and the network is secured.
    Regards,
    Neetesh

  • Question: Application error when using SOAP sender

    Hi,
    I got the following error when calling SOAP sender:
    - <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
      <SAP:Category>Application</SAP:Category>
      <SAP:Code area="UNKNOWN">APPLICATION_ERROR</SAP:Code>
      <SAP:P1 />
      <SAP:P2 />
      <SAP:P3 />
      <SAP:P4 />
      <SAP:AdditionalText>application fault</SAP:AdditionalText>
      <SAP:ApplicationFaultMessage namespace="http://xml.apache.org/axis/">hostname</SAP:ApplicationFaultMessage>
      <SAP:Stack />
      <SAP:Retry>M</SAP:Retry>
      </SAP:Error>
    The return message is:
      <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
    - <!--  Call Adapter
      -->
      <ns2:hostname xmlns:ns2="http://xml.apache.org/axis/">gdcn-admin</ns2:hostname>
    From the runtime monitor, it shows:
    SOAP: response message contains an error Application/UNKNOWN/APPLICATION_ERROR - application fault
    Actually I maintained the host name in file hosts. And with XMLSpy, I can directly connect the Webservice successfully, but with XI, it stops me at this point. It seems the connection has been established, because if the WebService is stopped, I will get error HTTP 0 Null, If it's started, I get the above problem.
    Could you please provide the hints.
    Thanks a lot!
    Best Regards
    Yuedong

    Hi,
    I found the problem:
    It's because of the wrong format of message. the message is created with a WSDL file generated by external development system, but it's not correctly explained by XI. I manually created the messge (request & response), then it worked.
    Actually the error has nothing to do with hostname. it means the host returns application error (but unfortunately there is no detailed information).
    Thanks a lot for your kindly help!
    Best Regards
    Yuedong
    By the way, how can I reward the point?
    Message was edited by: Yuedong Chen

  • Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

    Hello All,
    We are currently building up a HTTPS message exchange with an external client.
    Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
    The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
    Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
    Now we have to configure the addtional Client Authentication.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
    But what are the next steps to get this scenario successfully in place?
    Many thanks in advance!
    Jochen

    Hi Colleagues,
    following Steps still have to be done:
    - Mapping public key to technical user at Java Stack
      As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
    - Be sure CA root certivicate at Database under STRUSTSSO2
    - Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
    - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
    Many thanks to all for support!
    Regards,
    Jochen

  • HTTPS with Client Authentication in SOAP sender Adapter

    Hi All,
    In SOAP Sender communication channel. When I generate WSDL with “HTTP Security Level = HTTP:” it works when third party tries to send data to XIwebservice.
    But when I tried with “HTTPS with Client Authentication” option its giving error
    “InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.”
    Please guide how to use “HTTPS with Client Authentication” option, and what all configuration need to apply in XI & in third party to use this.
    Regards

    Rohan,
    With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
    You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
    So the answer to your question is yes, after importing the certificate with sender and third party reciever a test would reveal the complete scenario along with any issues that you could encounter..
    Regards
    Ravi Raman

  • HTTP Error 501 with SOAP Sender channel

    Hello,
    i've am simple Question:
    I want to call the following SAP XI SOAP Sender channel "MySoapSenderChannel":
    XI-Parameters:
    namespace: <myInterfaceNamespace>
    Interface:   <myAsynchInterface>
    QoS: Exactly Once in Order
    Queue: MY_QUEUE
    We do not care about the Response - so the processing is asynchron.
    Thus my interface mapping maps to asynch interfaces. The desitnation
    is an ABAP Proxy. The configuration has been done and tested.
    Here my question:
    according the documentation, the URL has the following syntax:
    http://host:port/XISOAPAdapter/MessageServlet?channel=party:service:channel.
    In our case:
    http://<myHost>:8002/XISOAPAdapter/MessageServlet?channel=:MyService:MySoapSenderChannel.
    But when i generate a WSDL for the interface out of the Configuration, the address is:
    <soap:address location="http://<myHost>:8002/sap/xi/engine?type=entry&amp;version=3.0&amp;Sender.Service=MyService&amp;Interface=...
    and so forth.
    But was is the difference between these 2 possibilities?
    Why do i get HTTP Error 501 when i use the URL from the documentation (the first one)?
    Thanx in advance
    Gunnar

    Gunnar,
    I will suggest you to go through it once to check all your connection.
    /people/vijaya.kumari2/blog/2006/01/26/how-do-you-activate-abap-proxies
    Regards,
    Sarvesh

  • Polling with HTTPS (SOAP sender adapter)

    Hi,
    we are using SAP PI 7.1 EHP 1 and we have to set up a scenario, in which a business partner is going to send us IDocs over HTTPS.
    Now our security team has objections, that incoming messages could be too risky. So we have to figure out if it's also possible, to set up a polling over HTTPS. Unfortunately there's no availability to insert an URL in the SOAP sender adapter, so I think it's NOT possible.
    Any other ideas or agreements?
    Thanks in advance,
    Juergen

    I think SOAP sender adapter supports HTTPS (w/ and w/o client certificate) ... But you'll need to complete the security setup (root CA, etc) before, and then give the "to-be-called" URL to yout partner.
    http://help.sap.com/saphelp_nw04/helpdata/en/fc/5ad93f130f9215e10000000a155106/content.htm
    Rgds
    Chris

  • WSRM Adapter replaced with soap in PO7.4. Getting error "Response message contains an errorXIAdapter/HTTP/ADAPTER.HTTP_EXCEPTION - HTTP 500 Internal Server Error"

    Hello All,
    We have scenario proxy->pi->webservice. In older versions of PI system they used wsrm adapter at receiver side and it's working fine.
    Receiver interface is asynchronous. So no response structute is present and receiver service is business component(since receiver is a third party).
    During migration, we have replaced the receiver adapter with SOAP adapter and used message protocol as SOAP 1.1 but the message is failing and in communication channel it is showing error "Response message contains an errorXIAdapter/HTTP/ADAPTER.HTTP_EXCEPTION - HTTP 500 Internal Server Error". In this case the receiver interface is stateless xi 3.0 compatible(re using the old), after changing it to just stateless also issue persists.
    In target url field if i prefix the url with "http" then above mentioned error is occurring otherwise if i use the hostname:port/path.. then it is giving error
    "soap: Call failed: com.sap.aii.af.sdk.xi.srt.BubbleException: Unsupported protocol". So maintaing the url as http://hostname:port/pat.....
    As in old channel wsrm channel there is no userid and password, i haven't given any userid/pwd in receiver channel.
    used the bean sap.com/com.sap.aii.af.soapadapter/XISOAPAdapterBean with  parameters
    Module Key  =  soap
      Parameter Name  =  noSOAPMakeSysErrFromResponseFault
    Parameter Value  =  false
    and
    xmbws.No SOAPIgnoreStatus = true
    but not successful.
    Please help me. I got stcuk here.

    Hello Jannus,
    The connectivity is working fine. Network team has confirmed it. I doubt that any strucutre(header) difference might be present in message when sending with wsrm adapter compared to sending with soap adapter.
    Please let me know the exact difference between soap and wsrm functionality in receiving end.
    By considering the structure issue, i have checked the "do not use soap envelope" check box, then i got error "Response message contains an errorXIAdapter/HTTP/ADAPTER.HTTP_EXCEPTION - HTTP 415 Unsupported Media Type"
    Then i used message transform bean, but not successful.
    Regards,
    Ch.Venkat.

Maybe you are looking for

  • OBIEE 11g - Dashboard Prompts - Radio Buttons

    I have a report where I need to run 3 different ways based on the same filter with different values. Each way has multiple values. I was hoping to create a Dashboard prompt as a radion button to allow the user to select which variation of the report

  • How to add icon field in the alv grid output

    Hi Experts, i need to add one icom column in the alvgrid.That icon if the contract is inacitve then it should shows inactive symbol.if the contract is account assignment lock then it should show that lock symbol.Please send me the any code or approac

  • Nokia N80 startup problem

    hello everyone. i have recently bought a nokia n80. i have been uploading new themes on my cellphone and one of the themes messed up the screen. so i turned off and on my cellphone and this message pops up. it says "Phone start-up failed. Contact the

  • Aperture deleting mess

    Hi there everybody, I am afraid I messed up with my Aperture library after migrating from iPhoto.. I have organized the photos in Albums, and I refer to them when I open Aperture and look for pics or when I import new ones from my camera. But I know

  • A problem when WebHelp launched in IE7.0

    We got a very serious problem when WebHelp was launched in IE7.0. We connected to the appointed locations in our applications by using bookmark of WebHelp. The computer code which we used in out applications such as : "C:\Program Files\Internet Explo