Web Service authentication and PROXY Issue

Similar Messages

• How to get original message in web service implementation and proxy

  Hi,
  We have a java web service and its client (proxy) generated from WSDL by JDev wizards. All the parameters are mapped to classes, but we need a way to get the original message we send and receive in order to log it.
  Is there any way to get the SOAP message that is being sent/received?
  Thank you

  If you are using 10.1.3 or later releases, you can use the JAX-RPC handler to gain access to the message. Your SOAP payload can then been manipulated using the SAAJ APIs. You have also the option to log messages directly from OWSM.
  Best,
  -Eric

• WS-Security, WSE, Web Services, Authentication and Flex 2

  Hey All,
  I've been working hard on getting Flex to communicate with a
  Microsoft .NET 2.0 Web Services project enabled with WSE 3.0
  WS-Security. I can't seem to get the headers into the SOAP request
  that I need.
  For example, I can get a SOAP header into the message like
  so:
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="
  http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="
  http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="
  http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header>
  <ns0:Security xmlns:ns0="
  http://tempuri.org/">
  <ns0:password>pass</ns0:password>
  <ns0:username>DOMAIN\Administrator</ns0:username>
  </ns0:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
  <HelloWorld xmlns="
  http://tempuri.org/" />
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  .. but, this isn't what my WSE, WS-Security enabled service
  expects. Which is:
  <soap:Envelope xmlns:soap="
  http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsi="
  http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="
  http://www.w3.org/2001/XMLSchema"
  xmlns:wsa="
  http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:wsse="
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
  <wsa:Action>
  http://tempuri.org/HelloWorld</wsa:Action>
  <wsa:MessageID>urn:uuid:5be8b55a-df7b-4547-8def-76282fcd8b47</wsa:MessageID>
  <wsa:ReplyTo>
  <wsa:Address>
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
  </wsa:ReplyTo>
  <wsa:To>
  http://localhost/CampaignMojoAPI.asmx</wsa:To>
  <wsse:Security soap:mustUnderstand="1">
  <wsu:Timestamp
  wsu:Id="Timestamp-aab299a8-81e3-4d8a-bfa4-555f38978584">
  <wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
  <wsu:Expires>2007-06-06T20:31:37Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:UsernameToken xmlns:wsu="
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  wsu:Id="SecurityToken-b43668b1-51a3-4ba1-a90a-69eca3b98b66">
  <wsse:Username>DOMAIN\Administrator</wsse:Username>
  <wsse:Password Type="
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#Passwor dText">pass</wsse:Password>
  <wsse:Nonce>IK4ZemfS1pj3kpdYO5+FBg==</wsse:Nonce>
  <wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
  </wsse:UsernameToken>
  </wsse:Security>
  </soap:Header>
  <soap:Body>
  <HelloWorld xmlns="
  http://tempuri.org/" />
  </soap:Body>
  </soap:Envelope>
  I've tried "addSimpleHeader" and "addHeader", but both seem
  to inject nested xml elements. Can anyone help me shape this WS
  call into the format I need it in? Would it be possible to call
  this WS manually via a direct HTTP post from Flex 2?
  Thanks!,
  Sean

  Yeah,
  Hey guys - thanks for the responses. I looked into this and
  it seems no one uses WS-Security from the browser. That's why even
  Google's APIs use alternative key logins, etc. I read from one user
  that in the next version of Microsoft's AJAX platform that they
  might support it, but that's about it. For now, it looks like
  there's not even an AJAX/Javascript way to do this. If we could do
  it via Javascript, then we could use the FABridge. I don't think
  Flex supports it. I've tried to manipulate the headers into place
  via Flex classes and I don't think enough control is there to get
  the output in the form that's needed.
  I think it's possible to write it in Javascript. But right
  now my time budget just doesn't allow for it. I already spent two
  whole days re-writing how Flex makes Web Service calls so they're
  synchronous with timeouts instead of this massive amount of
  asynchronous code they want you to write, so no more
  re-writing/extending of components for me for a while.
  But if anyone wants to work together to support it via
  AJAX/Javascript, I would invest money into developing it.
  I would like a public WS-Security AJAX/Javascript framework
  for making these calls via WS-Security so I can offer customers a
  standard way of accessing/authenticating against our public API
  set. It would also make it possible for Flex to access standard web
  services with WS-Security enabled.
  Let me know what you guys think, or if anyone else has any
  good suggestions/software.
  Thanks much,
  S.

• RWB - Integration Engine self test - web service security and proxy

  Hi,
  I am working with a new installation of PI 7.0. In the runtime workbench, under self test for integration engine, there is this error/warning:
  ""Details for 'Is Web service security available?'
  Communication error: Proxy calls are not permitted on sender or receiver side on the IS (client)""
  What exactly is the problem? Is there any additional configuration needed within PI to use proxies? We do not have the cryptographic toolkit installed. Is that nesseccary to work with proxies? We have done several other scenarios with RFC, MAIL, HTTP, etc and they work fine. If anyone else had this problem and managed to fix it, please let me know..
  Thanks,
  Lasya

  You can ignore this error. It is  simply a warning that says message level security has not been configured. Without message security too, you can do proxy communication.
  But, if you want to configure messag level security, go through XI Config guide section 12.4.
  Message was edited by: Jay

• MDM Web Service authentication issue. How to use ?

  Hi,
  I' am a Microsoft technology person I' am working on integrating SAP MDM 7.1 to SharePoint 2010 using MDM Web Services interface and consuming the same in .NET custom component.
  I tried the WS with "None" authentication and it worked great.
  I' am having issues understanding how HTTPAuthentication with SAP Logon ticket authentication works in MDM.
  Created the authentication enabled web service and while testing in NetWeaver WS Navigator, it throws me exception, not able to establish session with repository for user XYZ.
  Please help me with the following queries I have:
  1) How to test a authentication enabled web service in NetWeaver WS Navigator ? Do the user id/password needs to be set in the "Invocation Parameters" ? Link to any article etc will be appreciated.
  2) How to pass the MDM user credentials (or just the username) in the MDM web service in .NET code. I didn't see any parameter in the Client class constructor to pass the same, nothing related to that found in the code that gets generated on adding the service reference.
  As per the documentation on the MDM security, looks like a trust relationship also needs to be configured on MDM - allow.ip file entries.
  However first I want to understand how to pass this information in Web Services through code.
  SharePoint   -
  (1)--> SAP PI  -(2)--
  > SAP MDM                                             
  (integrated with Active Directory                        (Where Web services are deployed     (have its own user accounts)
  so logged in user is already authenticated)          and have its own user accounts)
  The trust relationship configuration could solve the problem of authentication marked in second hop (2) by registering the IP address of PI server.
  Please help me understand how would it work to solve the first hop (1) problem and what needs to be done.
  Thanks,
  Parvinder

  Thanks Gaurav.
  The link talks about setting up the Trust with MDM server.
  The code sample provided there has the following step where user name is being set and passed to MDM:
  Use  command to authenticate user session on trusted connection
         TrustedUserSessionCommand  tuscTrustedUser =
         new TrustedUserSessionCommand(mySimpleConnection);
         //  Set the user name to use
         tuscTrustedUser.setUserName(UsernameAsString);
         tuscTrustedUser.setSession(session);
         tuscTrustedUser.execute();
         session =  tuscTrustedUser.getSession();
  I want to understand how to do that for MDM Web Services.
  I didn't see any method accepting this user name while calling the web service method / creating client object.
  So that link is still missing.
  Appreciate if anyone can help me with that.
  This is for MDM 7.1
  Thanks,
  Parvinder

• LDAP security provider and web service authentication

  Background: we are currently developing web services to our existing weblogic application. Our users can configure user/password authentication in one of three ways: database, LDAP, or SSO. Setting SSO aside, we need to implement the same authentication for database and LDAP that we use in our existing logon servlet in our web services. In our servlet we detect which they are configured for and, if database, authenticate the encrypted password to a database table we have for user id/password. If LDAP we use weblogic.servlet.security.ServletAuthentication and the weak() method to authenticate.
  We've to use SOAP headers to communicate username/password from the client to the web service. We want to code a SOAP message handler to grab the username/password and do the authentication there. We've successfully put something together that handles the database authentication no problem and are now struggling with how to handle the LDAP authentication. We distribute a LDAP security provider we've coded for LDAP authentication. I guess what I am looking for is an equivalent functionality provided with weblogic.servlet.security.ServletAuthentication. Note that I realize the weblogic.servlet.security package has been deprecated starting with Weblogic 9.0 but cannot find what functionality replaces it. Any help there would be appreciated as well.
  Note that I am fairly new to web service development (about 10 months now) and definitely new to web service security and Weblogic security. I tried digging into the volumes of documentation out there regarding these two topics but am simply having a difficult time sorting it all out and figuring out how to do what I want to do.
  Thanks in advance!
  Julia

  Hi,
  Add Provider (LDAP Credentials) in Admin console Security Realm --> defaultrealm -->Providers. Configuring Ldap in Admin Console will enable Admin Server to connect to LDAP. All the LDAP preconfigured Users/Groups will be available in Users and Groups Tab of Security Realms >defaultrealm >Users and Groups. Add Roles using Security Realms >defaultrealm > Roles and Policies > Global Roles > Roles. Add Role Conditions to the role by specifying users/groups configured in LDAP. If your webservice runs with SSL Anotate the Webservice file something like this below.
  @RolesAllowed({
  @SecurityRole(role="test")
  @Policy(
  uri="policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",
  attachToWsdl=true)
  Here the role is Preconfigired role in AdminConsole. Add the following tag in the soapenv:header.
  <soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken>
  <wsse:Username>test</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </soapenv:Header>

• SOAP Web Service Authentication configuration

  Hello,
  I've got a little problem with Web Service authentication configuration.
  I'm working on the SAP NetWeaver CE EHP1 7.11. I also have a XMII application deployed on the server and there are some SOAP Web Services(over XMII Transactions) that require basic authentication.
  I use all Web Services in the EJB layer. So, I've generated proxy using SAP NetWeaver as a Web Service Runtime for generation. And Iuse an injection mechanism to get a service implementation:
  @WebServiceRef(name="GetBatchListService")
  private XacuteWS batchListWS;
  In this case I could use Single Service Administration application in the NetWeaver Administrator@SOA Management@Application and Scenario Communication to configure basic authentication for EVERY Web Service. And this configuration disappears after every redeploy.
  The question is how and where could I configure authentication for all web services?
  I've read a lot of documentation, but, unfortunately, I haven't found needed one. I could see 2 direction of searching now, it might help:
  1) Destination: Configure HTTP Destination or Web Service Template Destination and use it in all Web Services proxies somehow.
  2) Find Configuration way: Create a configuration group or anything else to configure all services from one screen.
  Best Regards,
  Dmitry

  Dimtris,
  If your WSDL url is pointing to the URL of the Adapter Engine as shownin the Hot to Use the SOAP adapter there is no option. You cannot add it to the SOAP Url.
  But, if you change the SOAP Url to the Url shown in this blog by Stefan Grube then you can add the user id and pasword to the url by adding sap- user=userid and sap-password = password.
  The optin shown ion the blog by Grube can be used as long as you do not have to use SOAP attachments and in this  case you would not need both sender SOAP adapter and a sender agreement.
  /people/stefan.grube/blog/2006/09/21/using-the-soap-inbound-channel-of-the-integration-engine
  Regards
  Bhavesh
  Regards
  Bhavesh

• External Web Service - User and password in HTTP header

  Hi!
  How is it possible to add user and password in the HTTP header in a external web service call? 
  I have created a "Portal Service from WSDL file - Client side" with the wizard in SAP Developer Studio.  I following the Java Development Guide - Web Service Security, and use the <i>secured service connection</i>.  I have also created a new <i>System Landscape</i>, but should the new system be based on HTTP, my own PAR or what?
  How can I check that the user and password is added to the HTTP header or the SOAP envelope? Do I have to scan http traffic with a proxy as Paros or can I find the request sent from SAP EP in the logs?
  Cheers
  Asle

  Hello All,
  I have been struggling a bit while putting a reasonable security framework on a jax-rpc style web service. I'm using JWSDP1.2 to set up the webservice. I've tried to outline my problem below. Please correct me where I'm wrong.
  I've been through the Sun's WS tutorials, but they are not really clear on security. However, from them I surmised that there are two decent authentication techniques. HTTP Basic and mutual authentication (MA) . Both have their drawbacks though. HTTP Basic suffers from poor encryption while MA is a bit difficult to set up on both client and server sides. Another problem with MA is that there is no central repository for users/passwords.
  OK, what I would really like to do is use my own user database to verify users/passwords i.e. use a HTTP Basic like authentication (but at application level) but run it over SSL for encryption. It seems simple, but is it possible?
  Also, I have noted that when I use HTTP Basic on the service side, and use a java client, then setting username/password has no effect. In other words, I can always access the web-service, even with wrong username/password.
  Sorry for the long post. Hope someone can help. Thanks.

• X.509 Web Service Authentication for ABAP AS Web Service Interaction

  We are trying to use X.509 web service authentication with SAP Web AS ABAP between 2 different SAP installations. Company 1 is trying to consume a web service set up by Company 2.
  Company 1 has installed Company 2's public key, generated the client proxy using Company 2's WSDL and created a corresponding lpconfig entry.
  Then company 2 has set up the profile parameter ICM/HTTPS/verify_client to accept certificates and imported Company 1's SLL client certificate and mapped the user in USREXTID.  Note that Company 1 uses self-signed certificates, so it does not have a root certificate, which is what the documentation says should be imported into the PSE instead of the SSL client certificate.
  When Company 1 tries the web service call, it receives a request to authenticate the web service from Company 2. (basic authentication logon screen, even though the web service configuration is set to X.509 Client Certificate.
  Should this work or is there a problem because Company 1 uses self-signed certificates or is there something else we are missing?

  >
  Connie Begovich wrote:
  > We are trying to use X.509 web service authentication with SAP Web AS ABAP between 2 different SAP installations. Company 1 is trying to consume a web service set up by Company 2.
  >
  > Company 1 has installed Company 2's public key, generated the client proxy using Company 2's WSDL and created a corresponding lpconfig entry.
  >
  > Then company 2 has set up the profile parameter ICM/HTTPS/verify_client to accept certificates and imported Company 1's SLL client certificate and mapped the user in USREXTID.  Note that Company 1 uses self-signed certificates, so it does not have a root certificate, which is what the documentation says should be imported into the PSE instead of the SSL client certificate.
  >
  > When Company 1 tries the web service call, it receives a request to authenticate the web service from Company 2. (basic authentication logon screen, even though the web service configuration is set to X.509 Client Certificate.
  >
  > Should this work or is there a problem because Company 1 uses self-signed certificates or is there something else we are missing?
  I think that the problem is in Service Authentication (in transaction sicf). You have to consume web-service, transmitting user-password for access.

• Visual Composer - access Web Services using http proxy

  Hi,
  I want to use an external web service in the Visual Composer. I set up the service in NWA -> SOA Management -> Destination Template Management.
  I defined the http proxy in System Global Settings. The proxy requires authentication so I provided username and password.
  When I want to access the web service in the Visual Composer the log file shows this:
  com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (407) Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  ). The requested URL was:"myWSURL"
  It seems that authentication is not performed although I provided the correct credentials. Using (internal) web services without the proxy works fine with the visual composer.
  Any ideas? Thanks, Kevin

  Hi Kevin
  I have used the cglobal weather,get cities by country and Currency converter webservices in VC for CE 7.1
  The pdf in the link below was of immense help..
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/90f8a753-f03d-2a10-5fb0-f14b085b4cb2
  Hope this helps.

• Security of Web Services, Agents and Sequantial Calling of Web Services

  I want to ask about the secure invocation of web services and the role of agents.
  Suppose that I have greet() web service:
  public String greet() {
  String S1=sayHello(); // A web service, actually its proxy
  String S2=sayGoodMorning(); // A web service, actually its proxy
  return S1+" "+S2;
  It calls two other webservices and they return "HELLO" and "Good Morning". Also assume that I need to secure all my web services but I need these calls to work!
  I put an agent in front of those two web services and require them to check a SAML token. I also attach an agent to greet() to authenticate the inbound and sign and add SAML token for outbound.
  But I think these two calls fail because the SAML is not created on each call. (Is it?)
  How can I make those two calls, secure each web service and at the same time keep the security code out of business code, in other words keep my web service security agnostic?
  Thank you in advance.
  Best Regards
  Farbod

  Any Comments on this?

• Difference between Web Service URL and Report Manager URL

  What is the difference between Web Service URL and Report Manager URL in Reporting Service configuration manager in SQl Server 2008 Reporting Setrvices

  Another way to put it is the Web Service URL is just that, its used for services that are connecting to issue API calls.  The Report Manager URL is the nice GUI that users should use.  If you click the links, you should see the difference.  I
  am sure you have likely done that, but functionally one is for programmatic purposes and the other to be the front end graphical user interface.
  Sometimes pictures help as well...
  http://bretstateham.com/reporting-services-architecture-diagram%E2%80%A6/

• Difference between Direct binding ,  Web service Adapter and HTTP Binding

  Can any one help what is the differnce between
  *1) Direct binding*
  *2) Webservice Adapter*
  *3) HTTP Binding*
  I am trying to use the above service adapters as references in BPEL.
  I had invoked a web service hosted in OSB from BPEL via web service adapter and was successful
  On going through few docs came through the other two service adapters but was not able to figure out what exactly is the differnce .
  I learnt +"*Direct binding*"+ can be used to call OSB+ . How does it vary from Webservice Adapter+

  hi Eric ,
  Thanks for clarification ..
  OSB does not generate WSDL and web service adapter in BPEL mandates WSDL .
  I had to create WSDL separately and then feed into Web service adapter in BPEL to call OSB Proxy service. Though successful , felt its not an better approach.
  Please advice is there any way thatWSDL is generated in OSB itself . .if i try to create webservice on Proxy service the wsdl resulted from it has only binding and porty type .
  Is it the same case for ++Direct binding++ .I assume it should not be the case

• Web services (eprint and Apps) could not be enabled

  just opened my new HP officejet pro 8600 and trying to enable web service and I received the following error: web services (eprint and Apps) could not be enabled.  I have no idea how to debug this issue.
  Any help out there?

  They are the same, however be advised that anything that is pending in the queue will be gone, as well as your current custom email address. You will have to readd the printer with a new info page, and use a different custom email address.
  Jon-W
  I work on behalf of HP
  Please click “Accept as Solution ” on the post that solves your issue to help others find the solution.
  Click the KUDOS STAR on the left to say “Thanks” for helping!

• Entering values in Web Services ID and Description, for External Catalog

  Hi,
  I am trying to connect to an external Vendor Catalog from ERP. Pl note that we just have ERP ECC 6.0 and no SRM. I went to SPRO and followed menu path 'Materials Management >> Purchasing >> Web Services: ID and Description'. I am not sure what to enter in 1) Seq. Number  2) Name of Parameter for Web Service and 3) Call Structure COLUMNS.
  I have URL from Vendor, User Name and Password. I need to know what values are mandatory here so I can successfully connect to external Catalog. If someone can give me sample values, I can try.
  Any help is appreciated,
  Niranjan

  Update on 08/23/2011.
  We are able to connect to Vendor Catalog, select items in Cart. When I press 'Place Order' button, I see all items populated in SAP PO ME21N screen. We can then add other information and create PO. This is working great. We have another question. Heard that with ERP ECC 6.0, we can only connect 1 vendor catalog. But with SRM, we can connect more than  1 vendor catalog. Is there a BAPI or change SAP code to connect more than 1 vendor catalog from ECC 6.0 ?