Web Services Security using X509 certificate

Hi,
I have secured a web service using X509 certificate. i also secured the proxy of it but when i run the proxy client it says.
javax.security.auth.login.LoginException: Cannot authenticate X509 certificate, User CN=Sam, OU=Technology, O=FS, L=Dallas, ST=Texas, C=US does not exist in our system
Any idea on this. Do i need to configure the X509 certificate in the server. I am using Oracle SOA Suite and JDeveloper 10.1.3.1
Thanks

Similar Messages

Web Service Security using OpenSSO

Hi,
I have a question regarding the usage of the OpenSSO in order to secure web services.
I have read the documentation and it states the OpenSSO enables web service security.
However, in the docs the main scenario is where the WSC and WSP are protected by the agent.
In my scenario, I would like to use agents only on the WSP side, but leave the implementation of the client side open to the partners. Partners will have the interface from the OpenSSO for the authentication and saml token retrieval. The client will have to create soap by itself. This is the case since the WSC are to be standalone applications on client computers.
To set the actual question; what are web service interfaces that OpenSSO as a STS offers for authentication and saml token issuance. Is there same sort of a referential architecture for this case where only the STS and WSP can be configured and the WSC implementation of the WSS left to the partner. Any pointers and directions would be appreciated.
Thanks!

Hi
Thanks for your reply
I downloaded OC4J 10.1.2.0.2 and ran it as as a standalone server.
I read the blog you linked and made the changes to the web.xml for the webservice. All of which I was able to do using the property palette in jdev 10.1.2.1.0.
I deployed my webservice to my oc4j standalone server and it appeared as a new application. I editied the orion-web.xml for the new application manually.
When I point my browser at the webservice I get the test page which allows me to pass parameters to the webserive. I invoke the webservice (which does a HTTP GET according to the test page) and the webservice runs. No user and password is needed though.
What is the expected behaviour? I was hoping that the webservice wouldn't run until I supplied the admin user name and password
paul

Web service Security using X.509 certificate

Hi All,
I have a web service deployed on the SAP Web AS J2EE.
I want to include Authentication option in my web service
I have configured the settings for using X.509 certificate(HTTPS) in my
web service configuration and similarly I've configured my client proxy
for the same.
My question is..... from where do I get the X.509 certificate?
actually I have the .crt and .der files, which I created from
the visual administrator.
And also do I need to install anything on my SAP server
in order to use the authentication service? (Any prerequisite)
Thanks,
Talimeren

Hi Talimeren,
when you want to use certificates you have to setup SSL which you've started already. You have to get and import a server certificate which authenticates the server while the client creates a SSL connection. The cert has to assigned to the SSL port. For NW04 you can find the guide here http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
If you want client authentication by certificates as well you have to import at least one root certificate from a certficate authority (CA) which you trust and by which all user certificates are signed.
SAP delivers the IAIK library for WebAS security, but this depends on your WebAS version and installation. I suggest you setup SSL and try to make a connection. If the connection can be made, the security library should be there.
HTH
Daniel
Message was edited by: Correct Link
Daniel Sass

Web service security with mutiple certificates

Is it possible to secure a web service on OC4J such that multiple clients can securely access the same web service. I have been trying to send messages to the same web service end point using multiple signature keys. The problem that I am getting is that if I do not use the signature key specified within OC4J to sign the message I am receiving the following error "javax.xml.rpc.soap.SOAPFaultException: Chain does not terminate with a trusted CA". Note all the certificates are present in the configure OC4J keystore.
Can anyone point me in the direction of some documentation on how to configure a web service to be securely accessed by multiple clients (certificates)
Cheers
Neil

Here is an example where we have two keystores, Bob and Alice.
Bob's Keystore:
Entry Alias: alice (Trusted Certificate) >>> No password
Entry Alias: bob (Key Pair + CA Certs) >>> password welcome1
Alice's Keystore:
Entry Alias: bob (Trusted Certificate) >>> No password
Entry Alias: Alice (Key Pair + CA Certs) >>> password welcome1
In our scheme each party on the end of the message exchange have two key-pairs one for signature and one of encryption:
In the Oracle Web Service.xml you should see something to the effect:
<key-store name="mykeystore" store-pass="welcome1"
path="META-INF/bob.jks"/>
<signature-key key-pass="welcome1" alias="bob"/>
<encryption-key key-pass="welcome1" alias="bob"/>
Later in this XML, you would see the encrypt element, here we let it know to use alice for XML Encryption:
<encrypt>
<recipient-key alias="alice"/>
<encryption-method>AES-128</encryption-method>
<tbe-elements>
<tbe-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbe-elements>
</encrypt>
The default behavior is to only work with one client. If you need to work with multiple, then we have a means here:
http://download-west.oracle.com/docs/cd/B31017_01/web.1013/b28976/adminasc.htm#BABFFICH

Web Services Security using JDeveloper 10.1.3.1

Hi,
I would need some tutorial to secure a web service using X.509 Digital Certificate. I could find a tutorial on Text Password but not X.509.
In fact i tried X.509 with a sample web service but getting following error. So any tutorial on this would be great helpful..Thanks
oracle.j2ee.ws.common.soap.fault.SOAP11FaultException: An invalid token was provided
     at oracle.security.wss.interceptors.AbstractSecurityInterceptor.throwSOAPFaultException(AbstractSecurityInterceptor.java:225)
     at oracle.security.wss.interceptors.AbstractSecurityInterceptor.handleOutbound(AbstractSecurityInterceptor.java:199)
     at oracle.security.wss.interceptors.ClientInterceptor.handleRequest(ClientInterceptor.java:48)
     at oracle.j2ee.ws.common.mgmt.runtime.InterceptorChainImpl.handleRequest(InterceptorChainImpl.java:124)
     at oracle.j2ee.ws.common.mgmt.runtime.AbstractInterceptorPipeline.handleRequest(AbstractInterceptorPipeline.java:87)
     at oracle.j2ee.ws.client.StubBase._preRequestSendingHook(StubBase.java:698)
     at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:147)
     at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
     at helloworldproxy1.proxy.runtime.HelloWorldWebServiceSoapHttp_Stub.sayHello(HelloWorldWebServiceSoapHttp_Stub.java:77)
     at com.HelloWorldWebServiceSoapHttpPortClient.sayHello(HelloWorldWebServiceSoapHttpPortClient.java:41)
     at com.HelloWorldWebServiceSoapHttpPortClient.main(HelloWorldWebServiceSoapHttpPortClient.java:29)
Caused by: FAULT CODE: InvalidSecurity FAULT MESSAGE: An invalid token was provided
     at oracle.security.xmlsec.wss.WSSecurity.sign(Unknown Source)
     at oracle.security.wss.WSSecurity.sign(WSSecurity.java:2177)
     at oracle.security.wss.WSSecurity.build(WSSecurity.java:1903)
     at oracle.security.wss.interceptors.AbstractSecurityInterceptor.handleOutbound(AbstractSecurityInterceptor.java:189)
     ... 9 more
Caused by: oracle.security.xmlsec.dsig.SigningException
     at oracle.security.xmlsec.dsig.XSSignature.computeSignature(Unknown Source)
     at oracle.security.xmlsec.dsig.XSSignature.sign(Unknown Source)
     ... 13 more
Caused by: oracle.security.crypto.core.InvalidKeyException
     at oracle.security.crypto.core.RSAMDSignature.setPrivateKey(RSAMDSignature)
     ... 15 more

I am also having the same problem. Calling a web service inside JDeveloper 10.1.3.3 works fine. When I deploy to a jar file and include all Jars that the dependency analyzer identifies, the following error occurs:
standard type mapping initialization error: javax.xml.rpc.JAXRPCException: javax
.xml.soap.SOAPException: Unable to create SOAP Factory: Provider com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl not found
Your work around defining Java system properties does work, but why do we need to do this using the Oracle SOAP stack?
If there are alternatives to this problem please share. Thank you.

Web service security using Jdev 10.1.2.0.2

Hi
I am currently developing our first web service. It is based on a pl/sql procedure. We are using App server 10.1.2.0.2 and Jdev 10.1.2.0.2.
I found this document
http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html
However it is based on JDev 10.1.3. I managed to create the webservice and set security settings in Jdev 10.1.3 however I had problems when creating an app server connection. And the web service would not deploy to our 10.1.2.0.2 app server.
Are there any security options available when creating web services in Jdev 10.1.2.0.2? Is it expected that Jdev 10.1.3 won't be able to deploy to our 10.1.2.0.2 app server?
thanks
paul schweiger
Message was edited by:
[email protected]
Message was edited by:
[email protected]

Hi
Thanks for your reply
I downloaded OC4J 10.1.2.0.2 and ran it as as a standalone server.
I read the blog you linked and made the changes to the web.xml for the webservice. All of which I was able to do using the property palette in jdev 10.1.2.1.0.
I deployed my webservice to my oc4j standalone server and it appeared as a new application. I editied the orion-web.xml for the new application manually.
When I point my browser at the webservice I get the test page which allows me to pass parameters to the webserive. I invoke the webservice (which does a HTTP GET according to the test page) and the webservice runs. No user and password is needed though.
What is the expected behaviour? I was hoping that the webservice wouldn't run until I supplied the admin user name and password
paul

Problem creating web service client using WSM Policies

Hello everyone,
I'm trying to make a simple java client to a Web Service secured using a WSM 11gR1 policy (from Soa Suite 11.1.1.2.0). The policy on the server side is oracle/wss11_x509_token_with_message_protection_service_policy which I attached via the Weblogic Admin Console. To implement the client I'm trying to follow the instructions from this documentation: http://download.oracle.com/docs/cd/E15523_01/web.1111/e13713/owsm_appendix.htm#WSSOV386 section "Policy Configuration Overrides for the Web Service Client" and also I'm using OEPE 11.1.1.3.0 (Eclipse 3.5.0) to develop the client. The only weblogic jar I've added to the build path is the weblogic.jar . Unfortunately, the oracle.wsm.security.util.SecurityConstants.ClientConstants interface (used in the example A-6) is not included in this jar and I have no idea what other libraries should I include in order to follow the example. I tried manualy adding other jars but without success. In fact I found one jar which includes this interface, the wsm-secpol.jar but it does not have the properties described in the documentation, so I guess it's not the right jar, and also I don't think this is the right procedure since there might be another dependent jars. So I would like to know what libraries exactly I should add to the build path (or some other procedure if you noticed I'm doing anything wrong)
Thank you !

Hi
I am having the same problem almost where i wrote a client to comsume a JWS server in https. Where the server is setup to require a certificate to connect to.
My code:
public static void main(String[] args) {
try {
DataBaseSyncServerImpl port = new DataBaseSyncServerImplService().getDataBaseSyncServerImplPort();
int number1 = 20;
int number2 = 10;
System.out.printf("Invoking divide method(%d, %d)\n", number1, number2);
double result = port.divide(number1, number2);
System.out.printf("The result of dividing %d and %d is %f.\n\n", number1, number2, result);
when run this code throw
run:
[java] Invoking divide method(20, 10)
[java] Exception in thread "main" javax.xml.ws.WebServiceException: HTTP transport error: javax.net.ssl.SSLHandshak
eException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCert
PathBuilderException: unable to find valid certification path to requested target
Does any one know how can I solve this problem or how can I make the client be able to use self signed certificates. Any help is greatly apprecited. Thanks

Web Service Security X509 token issue...

Hi All,
I have an issue with using X509 certificates. Please find the details attached below:-
I used the following link to create a simple keystore using 3rd party tools:-
http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/CreateKeyStore_howto.htm
NOTES:
1) I think the above link creates self signed certificates.
2) The signature and encryption key for both the web service and proxy created below are the same.
As can be seen from this link, two certificates are created with aliases sam and dave. I then used the following link to secure the web service and proxy:-
http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html
This link uses the OAS manager to set the keytoll related properties. These entries are already into system-jazn-data.xml. A point to note here is that the aliases of the certificates are stored in system-jazn-data.xml.
My oracle-webservices.xml has the mapping attribute of the verify-x509-token token set to CN (Common Name). Hence I changed the above entries in system-jazn-data to reflect the common names instead of the aliases.
However the standalone OC4J server still throws the following error whether I try to run the proxy with the mapping attr set to alias or CN in the jazn file:-
07/07/05 20:58:14 Oracle Containers for J2EE 10g (10.1.3.1.1) initialized
2007-07-05 20:58:39.876 ERROR Cannot authenticate X509 certificate, User CN=Sam
Cooke, OU=samDept, EMAILADDRESS=[email protected], O=samOrg, L=samCity, ST=samState
, C=US does not exist in our system
07/07/05 20:58:39 javax.security.auth.login.LoginException: Cannot authenticate
X509 certificate, User CN=Sam Cooke, OU=samDept, EMAILADDRESS=[email protected], O=
samOrg, L=samCity, ST=samState, C=US does not exist in our system
I have not exported any certificates from client to serve or vice versa.
Please could someone help out? This is urgent.
Regards,
Lester.

I had the same issue and solved it like this:
Create a signed certificate, import it into your keystore and use that as Signature Key alias in both the client as the server security. Make sure the user with the same name exists in the realm on the server.
Hope this helps,
Lonneke

SOAP Request with Web Service Security

Hi masters of XI,
the Oasis standard for web services security saids that exists three levels of security for web services, at higher level is Encryption, middle level is signature and at lower level is authentication with username and password inside the soap envelope.
I need to do a SOAP Request signed with a X.509 certificate and username and password too in SAP PI 7.0 SP11. I can sign the request with X.509 certificate without problems but i can't authenticate the request with username and password in usernametoken element like saids the Oasis standard
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>XXXX</wsse:Username>
<wsse:Password>XXXXXXXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
How can we send UserNameToken's elements inside SOAP web service envelope
signing with X.509 certificate also? There are any way to do it in the
receiver agreement or receiver SOAP adapter?
thanks.

Hi,
thank you very much for your answers.
I have solved the SSL comunication and i can sign with X.509 certificates. My problem is that in the SOAP envelope of resquest signed only travels the X.509 certificate and I need to send the username security token (wsse:UsernameToken) also.
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>XXXX</wsse:Username>
<wsse:Password>XXXXXXXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
I can't find the solution to do it. The Netweaver documentation says that Netweaver is able to sign SOAP request with X.509 certificates and is able too for using UsernameToken as part of Oasis standard for web service security. In abap stack of NW you can assign a security profile to a web service call for signing the message or authenticate it with username/password inside SOAP envelope, but in java stack of XI i think that there is no way to do it.
This is my Request:
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-71968700">MIIHdTCCBl2gAwIBAgIQOq4nmg5zi4NGsIGjPUZVuTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ...8d4pAJYk=</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-104376803">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-104309952">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>R6WE9gs+l496jHCgslgALWswEnE=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-104310599">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>aiCTZ0WwiZQEv8zVmmf8GLu/bYA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>YR9Q5oUA6kFFmPYOIOQPTOgTgapMbkmgdlDM/TZJ2CS8ENAntfsnmpEbpUgOPUVMkgaECog0OKvlADHP0HvJtPdm2NJljZNCCgrk3hlmmtkXkRauVuH5KRiHE5NeWT4+Uspp3ashebu0IuOO66zt4Q=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-104377209">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-104377346">
            <wsse:Reference URI="#CertId-71968700" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-104310599">
        <wsu:Created>2008-01-16T21:28:44.081Z</wsu:Created>
        <wsu:Expires>2008-01-16T21:33:44.081Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
</soapenv:Header>
And this is the request I need:
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-71968700">MIIHdTCCBl2gAwIBAgIQOq4nmg5zi4NGsIGjPUZVuTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ...8d4pAJYk=</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-104376803">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-104309952">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>R6WE9gs+l496jHCgslgALWswEnE=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-104310599">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>aiCTZ0WwiZQEv8zVmmf8GLu/bYA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>YR9Q5oUA6kFFmPYOIOQPTOgTgapMbkmgdlDM/TZJ2CS8ENAntfsnmpEbpUgOPUVMkgaECog0OKvlADHP0HvJtPdm2NJljZNCCgrk3hlmmtkXkRauVuH5KRiHE5NeWT4+Uspp3ashebu0IuOO66zt4Q=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-104377209">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-104377346">
            <wsse:Reference URI="#CertId-71968700" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>

<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-104312926">
        <wsse:Username>xxxxxxx</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
      </wsse:UsernameToken>

<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-104310599">
        <wsu:Created>2008-01-16T21:28:44.081Z</wsu:Created>
        <wsu:Expires>2008-01-16T21:33:44.081Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
</soapenv:Header>

Details for 'Is Web service security available?'

Hi i am working on scenario rfc to webservice.Its as secued webserivce i need to do ssl configuration.
In component monitoring..for the integration engine its in yellow...
Details for 'Is Web service security available?'
Communication error Proxy calls on the sender or receiver side are not permitted on the IS (client)
can any one please help me out..
Thanks
sriram

I have already installed certificates on the j2ee engine & i have given the paramaters for keystore entry & keystore value.Still i have the same error
In component monitoring
For integration engine
Details for 'Is Web service security available?'
Communication error Proxy calls on the sender or receiver side are not permitted on the IS (client)
In message monitoring
Audit Log for Message: f614df00-e9e0-11da-95ef-0004ac577b32
Time Stamp Status Description
2006-05-22 15:18:58 Success The message was successfully received by the messaging system. Profile: XI URL: http://saptst01:51000/MessagingSystem/receive/AFW/XI
2006-05-22 15:18:58 Success Using connection AFW. Trying to put the message into the request queue.
2006-05-22 15:18:58 Success Message successfully put into the queue.
2006-05-22 15:18:58 Success The message was successfully retrieved from the request queue.
2006-05-22 15:18:58 Success The message status set to DLNG.
2006-05-22 15:18:58 Success Delivering to channel: ZCH_VERISIGNPPGR
2006-05-22 15:18:58 Success SOAP: request message entering the adapter
2006-05-22 15:18:58 Success SOAP: call failed
2006-05-22 15:18:58 Error SOAP: error occured: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: illegal parameter
2006-05-22 15:18:58 Error Exception caught by adapter framework: Peer sent alert: Alert Fatal: illegal parameter
Can any one please help me out.
Thanks
sriram

Is Web service security available?

Dear Experts,
In RWB, when i click on Integration Engine(in component monitoring) i get a yellow triangle next to it instead of green. Result of self test says that
Is Web service security available?
"Communication error Proxy calls are not permitted on sender or receiver side on the IS (client)".
Can u guys tell me the reason behing this.
Thanks & regards.

Hi,
Check if you have selected any security level for the WebService or may be it is across the firewall. Probably you need to install the related certificates and have to configure the SSL layer.
refer
You need to setup SSL layer for HTTPS endpoint.
Possible HTTP security levels are (in ascending order):
HTTP without SSL
HTTP with SSL (= HTTPS), but without client authentication
HTTP with SSL (= HTTPS) and with client authentication
Use transaction STRUST to set up an SAP Web AS ABAP engine as HTTPS server. If not already done, you have to import a certificate generated by a trusted CA identifying the SAP Web AS. In addition, you have to enable the HTTPS port in the ICM (Internet Communication Manager).
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
General guide
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
Message level security
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Thanks
Swarup

ABAP SE37 Web Service and x.509 certificate

ECC 7.01 EPH 1
I have created a Web Service from an ABAP function module. I then created a service using SOAMANAGER and have configued it and tested it using Web Navigator. This WS uses no auththentication or username/password. It also works being consumed from a non-SAP server/application
I want to have another non-SAP server and application use this WS. Currently the non-SAP can consume it passing the user/password.
I now want to have the WS consumed using x.509 certs.
I have tried multiple methods with no success.
On the server I have imported using STRUSTS
Maintain the serveru2019s SSL server PSE.
Use the trust manager (transaction STRUST) and import the issuing CAu2019s root certificate into this PSEu2019s certificate list.
Created Web Service communication user, technical type with security roles --> zwebserviceuser
Cretaed entries in table USREXTID using transaction SM30, view VUSREXTID
external type = DN
imported non-SAP server cert into external id
user = zwebserviceuser
activated
Tthe ICM to request a client X.509 certificate. (check icm/HTTPS/verify_client profile parameter) was alreday configued
I choose tha appropriate security profile for your ABAP web service --> security HIGH
I choose in SOAMANAGER http authentication and x.509 certificate
The NON-SAP Server/application is calling the SAP WEBservice and sends the "certificate"
The RunTime error is
The request failed with HTTP status 401: Unauthorized.
Any Help would be appreciated
thank you,
Sarah

Take a kind look on SAP note 495911 to analyse ABAP logon errors.
Most likely you have forgotten to add the root certificate of the CA which has issued the SSL client certificate (of the WS consumer) to the certificate list of the SSL server PSE (of the NWAS ABAP, acting as WS provider). In that case the SSL handshake will be incomplete: the SSL client certificate will not be requested by NWAS ABAP and thus no SSL client certificate will be send by the WS consumer. That's why no credentials are there resulting in the 401 error.

Web Services Security Sample

I colud not understand that:
"9.The mail also contains links to the Root Certificate using whose key your Certificate was signed. Follow the link and click Accept. This install the root
certificate in your browser.(Use Internet Explorer)."
in the Web Services Security Sample Installation.
Is there clear info for this and "Get a Client Certificate"?
Thanks...

When you get the certificate client certificate from Verisign( or any certificate authority), you also need a root certificate from Verisign which says that this client certificate was given by Verisign.
When you provide all your info to Verisign (along with certificate request) you get the client certificate to your email address (which you gave to Verisign for sending certificate). This email address also contains the link to root address which you need to obtain in order to validate your certificate. Follow the link and do as instructed to import the root certificate in Internet Explorer. The root certificate will be imported into IE with the name "VeriSign authorized testing only.No assurances" in "Trusted Root Certificate Authorities tab"
Your Oracle Wallet manager, Internert Explorer etc will accept and use the client certificate only if the corresponding root certificate is present.
Hope this clarifies the doubt.
Chandar

How to make my Portal Web Service SECURED?

Hi Experts,
I created one portal Service and exposed it as Portal Web Service.
Everything is working fine, as i deployed my Portal Web Service on to the SAP J2EE Engine ie SAP Server.
I m able to access functions of Web Service from my StandAlone Java Application.
but the problem is my Web Service is not SECURED.
How can i make my Portal Web Service SECURED?
Please help me out.
Help will be appreciated and rewarded!!!!!

user13046122 wrote:
I have an old pl/sql "helper" package, originally written to make SOAP Web Service calls from the database - it uses UTL_HTTP to invoke the target services.
I now need to make SOAP Web Service calls - from an 8.1.7.4 database
But the version of UTL_HTTP inside 8.1.7.4 does not contain the functions needed in the helper package
Can anybody suggest a means of making SOAP Web Service calls from an 8.1.7.4 database ?I think you'll be very lucky to find anyone here who still has access to a version of Oracle that is that old.... I mean... that's like what? 15 years old at least? I'm surprised you've still got hardware that can run that.
It would probably help if you could post what code you've got and explain which function(s) it's complaining about, as I doubt people will want to guess.

Web Service Security Question

I have created a web service in the NetWeaver portal using a Portal Service. I have marked the service as requiring basic http authentication. However, when I call the web service from the Enterprise Portal Web Services Checker in NWDS it just let's me supply the params of the web service and no authentication. Any ideas?
I also noticed that my web service does not appear under the Web Services Container or Web Services Security section in Visual Administrator. Anybody have any idea why this is?
Thanks in advance.
Curtis

Hi Curtis,
My guess is that since you are logged into the Portal while calling this web service, it will use the current session cookie to authenticate automatically. I'm not sure on the second question, tried a restart?
Regards,
Raj

Web Services Security using X509 certificate

Similar Messages

Maybe you are looking for