XI3.0: Soap Sender with HTTPS

I have enabled HTTPS on our J2EE stack.
We have a soap sender which works fine using http and username/password authentication.
When I switch "HTTP Security level" on the SOAP sender to "HTTPS without client authentication" and sends the SOAP request to the HTTPS port XI (j2ee) returns a HTTP errorcode 403 Forbidden. No explanation, and I can't find any traces in the logs.
Please help/advise!
-AD

The solution was very simple!
The client accessing XI was using a .NET application which picked up Internet explorer's proxy settings, even if the .NET application it self activly set NO proxy!,...and that proxy did not allow https
Nothing to do with XI at all. Everything worked as soon as we got rid of that.
-AD

Similar Messages

  • SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config

    Hi All,
    I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPs.  Double authentication (client- server) sertificate shall be used.
    Testing simple HTTP and XI user name/password works fine.
    Now I installed requred sertificates in TrustedCA and ssl-provider in VIsualadmin.
    But i can't see how i can configure certificates in SOAP sender Adapter. I've just did SOAP receiver for another scenario and there I could give keystore entry.
    I also doesn't know how to disable asking for name/password.  I am using XI 7.0.
    Please advise.
    Thanks,
    Nataliya

    Hi Nataliya,
    Go to SOAP Adapter> Inbound Security Checks-> HTTP Security Level--> Here you can specify  option "HTTP with Client Authentication. 
    One more thing HTTP Security level option is always available in Sender Adapter.
    For more clarity about HTTPS find below link.
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
    To enable the TrustedCA in SOAP Sender adapter. Go SOAP Sender> Security Parameter> Security Profile--> Web Service
    security. Then go to sender agreement there you need to give key store entry.

  • Need Help for  SOAP sender with HTTPS protocol

    Hi Team
    We have a scenario where the sender is a 3P system and they will be sending the message using web service.They will send the data using SSL ( HTTPS) using certificates.
    In the sender soap adapter , I have two options
    1. HTTPS with client Authorization
    2. HTTPS without client Authorization
    I think I need to use the first option. But I have doubt regarding certificates
    1. Who is going to provide the certificate? is it PI Team or the third party team.
    2. Once we have the certificate where we need to store it in NWA? is it in the TrustedCA keystore view or service_ssl keystore view.

    Hi Indrajit,
    Krupa already shared a valuable resource on how to set up on Double Stack PI, so I'll focus on what's left to deal with / open questions.
    Indrajit Sarkar wrote:
    In the sender soap adapter , I have two options
    1. HTTPS with client Authorization
    2. HTTPS without client Authorization
    I think I need to use the first option. But I have doubt regarding certificates
    1. HTTPS with client authorization means that the 3rd party would not give username / password to authenticate to your PI but present a certificate you are trusting. You can think of this as an admission ticket to communicate with your PI server
    2. HTTPS without client authorization means they will authenticate with username password.
    In both cases the caller (3rd party) would need to trust your PI server. Most commonly this trust is established by not trusting your PI server's explicit certificate but in trusting the CA that issued your PI server's certificate. This CA can very well be a company internal CA. That way, if you happen to need changing the hostname of the server some time in the future, trust situation is still valid.
    In case of 1. (HTTPS with client authorization) your PI server in turn would also need to trust the 3rd party caller. This is often done in such ways that the interal CA on your side issues a client certificate with the CN of the caller. The caller presents this certificate to your server upon making a call (see here for a picture https://help.sap.com/saphelp_nw74/helpdata/en/43/dc1fa58048070ee10000000a422035/content.htm). You will also need to back up this process on your PI server by mapping the certificate to a specific user.
    --> Option 2 is the more polished one with ability to withdraw a certificate and the like. However it does result in some overhead setting it up so I personally would go with Option 1 if there's no business need / security policy enforcing so.
    HTH
    Cheers Jens

  • IDoc_02_Error passing data to port-Communication error when  sending with HTTP

    Hello All,
    We are receiving the error "02_Error passing data to port-Communication error when  sending with HTTP", when sending the idoc to PI from ECC system.
    Observation:
    1. Some idocs are failing and immediately after sometime the same type of  idocs with different idoc numbers are getting successful.
    Eg: Orders. One purchase order is failing at one point of time. later another purchase order is getting successful after some time to the same partner.
    2. If i perform the reset of idoc, then it is getting delivered during next scheduled job run.
    please help me in resolving the issue.
    Regards,
    Ch. Venkat.

    status 02 is     Error passing data to port ...it simply means your port setting has some problem. do configure your port setting and also in partner profile
    Thanx and Regards
    Arpan Maheshwari

  • Sender SOAP Adapter with Https

    Hi,
    can any one give me information on  how my Sender SOAP adapter to be configured with HTTPS port.
    please give me the what are all different ways to make my Sender SOAP Adapter secure and give me the steps to achieve the functionality.
    Thank You,
    Madhav

    check this section:
    http://help.sap.com/saphelp_nw70/helpdata/EN/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    Also some help from SAP note:
    https://service.sap.com/sap/support/notes/891877
    Regards,
    Abhishek.
    Edited by: abhishek salvi on May 29, 2009 1:59 PM

  • Only HTTPS requests are working for SOAP Sender and HTTP not working

    wHi Experts,
    We have enabled our HTTPS port ( SSL ) in NWA -- >> Security -- >> SSL and Key stores. So understanding is HTTPS port is now enabled on top of HTTP. So PI should be able to cater requests at both ports.
    Now, we have developed a synchronous SOAP to RFC scenario and downloaded WSDL file. This file has both links -
    a. http:<host>:<port>
    b. https:<host>:<port>
    We intend to make a PI system where both ports can work. Now questions.
    1. When we test web service exposed from PI using SOAPUI tool, only HTTPS works fine and gets the response back. If we try HTTP URL, an error is encountered - HTTTPS scheme is required.
    2. Is this whole understanding that both ports  ( HTTP, HTTPS ) should be able to operate simultaneously correct ? Or this is not at all possible ?
    3. In SOAP Sender, we tried selecting all 3 options - 1. HTTP 2. HTTPS without client authentication 3. HTTPS with client authentication.
       None of the options have any effect on testing, Each time, only HTTPS request works and HTTP doesn't.
    Can anyone please provide some hints for troubleshooting ?
    Thanks..
    regards,
    Rajagopal.

    The error "HTTPS scheme is required" is normally returned when the HTTP Security Level on the SOAP adapter is not set to "HTTP". I can see you have mentioned you have tried all these, maybe a cache refresh has gone wrong? Could try recreating the channel with just HTTP specified as security level and this should allow HTTP or HTTPS
    I assume you are using a different port number for  your HTTP and HTTPS requests from SOAP UI. Normally the HTTPS port is the same as the HTTP port number but the final zero changed to a 1 i.e. https://<host>:50001 instead of http://<host>:50000.
    You should be able to confirm both HTTP and HTTPS work OK by loading some of the system webpages in a browser over HTTP and over HTTPS i.e. http://<host>:<port>/nwa and https://<host>:<port>/nwa
    Chris

  • SOAP Sender with additional header: Interface determination error

    Hello Experts,
    I need to implement a scenario where in sender will add custom header fields and in PI, the values needs to captured. Second step: Based on the custom header value, the receiver needs to be determined.
    Scenario: SOAP Sender -> PI -> SOAP Receiver
    Request Message:
    <RequestMsg>
         <request>
              <Field 1>...</Field 1>
              <Field 2>...</Field 2>
              <Field 3>...</Field 3>
         </request>
    </RequestMsg>
    Without any custom SOAP header, I have created Request / Response Message, Message Mapping, Service Interfaces (Inbound & Outbound) and Operation Mapping and tested the scenario by triggering call through SOAP UI, it works fine. SOAP Request XML looks like below:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:v1="http://www.test.abc.com/v1">
        <soapenv:Header />
        <soapenv:Body>
          <v1:RequestMsg>
             <request>
                  <Field 1>1</Field 1> 
                   <Field 2>2</Field 2>
                   <Field 3>3</Field 3>
             </request>
          </v1:RequestMsg>
       </soapenv:Body>
    </soapenv:Envelope>
    To use customer fields in SOAP Header, I have checked the option "Do Not Use SOAP Envelope" in the SOAP Sender CC and added "&nosoap=true" to url. SOAP Request XML looks like below:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:v1="http://www.test.abc.com/v1">
        <soapenv:Header >
              <id>REC1</id>
         </soapenv:Header >
        <soapenv:Body>
          <v1:RequestMsg>
             <request>
                  <Field 1>1</Field 1> 
                   <Field 2>2</Field 2>
                   <Field 3>3</Field 3>
             </request>
          </v1:RequestMsg>
       </soapenv:Body>
    </soapenv:Envelope>
    Now, when I invoke the url, I see that the message reaches PI but it throws error: RoutingException: InterfaceDetermination did not yield any actual interface
    Please note that I have added a Java Mapping before main message mapping to read the soap header and pass only the request message to the next message mapping.
    I am sure, I am missing important steps in the configuration. Please help me in reolving the issue.
    Thanks & Regards,
    Ankit Srivastava

    Hello Hareesh,
    Bingo! The second option suggested by Nicolas worked like a charm. I am just copying the same here:
    -----In ESR, you set the attribute "Interface Pattern" of the outbound service interface as "Stateless (XI30-compatible)", which does not use operations.----
    Thanks a lot. Now, I will be able to concentrate on the next steps.
    Regards,
    Ankit Srivastava

  • Sender SOAP Adapter with HTTPs call

    Hello,
    Our scenarion is ..  we will have a sender SOAP adater .. but it needs to be called using HTTPs(SSL).
    Now considering we have the certificate generated and installed ..and that integration server is HTTPs enabled....What URL should the sending system call..?
    For normal HTTP call the inbound address for inbound Adapter is: http://host:port/XISOAPAdapter/MessageServlet?channel=party:service:channel
    For the case of HTTPs just changing the htttp to https and the port number in in the calling system will suffice? Or is there other configurations that needs to be done??
    Thanks and Regards,
    Himadri

    Hi Himadri,
    Firstly as suggested by others you can call using https and give the https port in the soap adapter servler URL. Secondly you need to do the following configurations:
    1) If its PI 7.0/3.0, deploy the latest version of the SAP Java cryptography toolkit.
    2) Configure SAP PI as the server for HTTPS calls. In short
          Using the SSL Provider service:
                                a.      Select whether the J2EE Engine should:
                                   ■      Request (but not require) that the user presents a client certificate for authentication.
                                   ■      Require that client certificates are to be used for authentication.
                                b.      Import the CAu2019s root certificate into the Trusted Certification Authorities list. (Choose Add.) using the following For all the steps, link is mentioned below for XI 3.0, you can find similar ones for PI 7.0
    http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/content.htm
    3) If you want to enable client authentication then you would need to add the client certificate in the TrustedCA keystore view of the SAP J2EE engine.
    4) In the SOAP Adapter sender channel, configure Inbound Security level as HTTPS or HTTPs with client authentication based on your scenario.
    Best Regards,
    Pratik

  • SOAP Receiver with HTTPS(without certificate)

    Hi experts
    Receiver system not using any certificate.  Without certificate How PI can send message through HTTPS using SOAP.
    How to choose HTTPS transport protocol. (Here Target Url have Https://.....)
    Here I am using PI7.1 EHP1.
    I configured Receiver SOAP CC as
    Transport protocol as HTTP
    Taget Url https://api-demo.e-xact.com/transaction
    It will work? if not how to enable Https in SOAP receiver
    but I am getting below error In adapter
    Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    Thank you
    Srini

    Hi Srini,
    The main reasons for this error "Peer certificate rejected..." be appearing are the following:
    1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi711/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
    2. The server certificate chain contains expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.
    3. Some other customers have reported similar problem and mainly the problem was that the certificate chain was not in correct
    order. Basically the server certificate chain should be in order Own->Intermedite->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).
    Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third steps as the principal one.
    4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period.
    (This certificate is the one which is sent to Server for Client authentication)
    As a resource, you may need to create a new SSL Server key.
    The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
    In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
    Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
    In any other case the SSL communication will not work.
    Regards,
    Caio

  • Issue when receiving SOAP message with HTTPS on non-central adapter engine

    Hi,
    we have a central XI system (PI 7.1 EHP1 SP03) and a non-central adapter engine (XI 3.0) in the DMZ, both systems on HP-UX.
    In the affected configuration scenario, a business partner is sending us IDocs (INVOIC.INVOIC01) over HTTPS with Certificate Authentication and without SOAP Envelope.
    The configuration and security settings seem to be correct, because we've already received several messages successfully over this connection. Now, since several weeks no message arrives anymore in our system, while the business partner always gets a HTTP_OK_200 response. So the messages seem to be accepted by our system, but nothing is shown, neither in the MessageMonitoring or CommunicationChannelMonitoring of the Runtime Workbench, nor in the in the traces/logs of the NetweaverAdministrator (trace level = DEBUG for "com.sap.aii.adapter.soap").
    I also removed the assigned user in the sender agreement which should cause a HTTP_500_error on sender side, but our business partner still got a "OK_200" notification and we didn't find any information in the trace of our system.
    When using TCPGateway to trace the communication, I can see an arriving message and the response, but it's encrypted because of HTTPS.
    1) Did anyone have similiar issues yet?
    2) Are there any further possibilities to check if an incoming message at the SOAP adapter fails?
    3) Which further trace settings can be done, to get most detailed informations about the soap traffic?
    4) Is there a way to decrypt the message of the TCPGateway (e.g. with private key of server)?
    I'm looking forward for any helpful hints or information!
    Regards,
    Juergen

    Issue solved by SAP note 1115650 "J2EE Engine kernel.sda SP20 cumulative patch"

  • R/3 to R/3 IDOC Sending with HTTP

    Hello everybody,
    I'm trying to send an Idoc from one R/3 System to another, I'm trying to use the function module IDOCS_OUTPUT_VIA_XML_HTTP and it requires an XML HTTP port in we21, now I'm trying to create an HTTP RFC connection but I'm lost with the path refix parameter, can anyone tell me what should be in that field?
    Regards,
    Julio

    hi,
    problem with path prefix conform with u r basis guy he will help u .the path may like this /AdobeDocumentServices/Config?style=rpc.
    if any queries let me know .
    ~linganna

  • Error in SOAP Receiver Adapter with HTTPS

    Dear All,
    I am developing a SOAP to SOAP scenario with HTTPS i.e. client without authentication and I am facing an issue with the receiver adapter. Few messages fails in the receiver side while rest are successful.
    Error - Delivery of the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    Please let me know what can be the reason for the error.
    Thanks and Regards,
    Rana Brata De

    Hi Rana,
    Check the certificates sequence as well the certificates end dates in STRUST in SAP PI system. if, deployed in NWA level check over there.
    One more :: sending the data to web server or web page. make sure, PI is pointing to which server.
    Regards,
    Kesava.

  • SOAP Axis sender with CSV file attachment

    Hi Experts,
    I have a requirement where I receive a CSV file attachment from a Web Service post ( i.e a SOAP sender with attachment). I decided to use SOAP with Servlet(Axis) protocol, since standard SOAP sender does not allow modules to be used.
    I am able to test this interface through SOAPUI with attachment to the point where I can get the attachment payload as my main payload in IE, but it fails in mapping since CSV needs to be converted to XML. I have following queries for proceeding ahead with this scenario:
    1. How do I convert the CSV attachment to XML inorder for mapping to be used in IE. Is there a standard axis handler available for this ???? Also where should this handler be called in the sequence of Axis modules ???
    2. Can I use MessageTransformationBean for converting plain to XML ??? If yes where should this module be called in the sequence of Axis modules. I tried using this module between the CallSapAdapter and the first AdapterBean but it returns exception in SOAPUI saying " Messaging exception: No Main"
    3. Is there a blog available which illustrates about using additional modules/handlers in Axis. I have had a look at the FAQ note of Axis but it just gives the overview.
    Thanks.
    Siddhesh S.Tawate

    Solved :).
    1     AF_Adapters/axis/HandlerBean                     Local Enterprise Bean                              xireq
    2     AF_Adapters/axis/AFAdapterBean                     Local Enterprise Bean                              afreq
    3     localejbs/AF_Modules/MessageTransformBean    Local Enterprise Bean                     Plain2XML
    4     CallSapAdapter                                          Local Enterprise Bean                              sap
    5     AF_Adapters/axis/AFAdapterBean                    Local Enterprise Bean                             afresp
    6     AF_Adapters/axis/HandlerBean                    Local Enterprise Bean                             xires
    Above sequence worked. I guess I was missing some parameter in content conversion earlier.
    Thanks.

  • SOAP adapter using HTTPS

    We need to using SSL over HTTP for our web service defined in PI, basically using HTTPS in our SOAP adatper. I did a lot of research on this, seems like it's not an easy job to enable SSL. However I am only interested in making it work from an application developer point of view, enabling SSL, generating/installing certificate is a job for basis people.
    So I created an sender CC with SOAP adapter with HTTPS with client authentication. (BTW, what is HTTPS without client authentication, does it mean HTTPs with server authentication where the server certificate is to be installed at the client side?), to my understanding, the client certificate should be installed in NWA (We have PI 7.1, not 7.0 -) and somewhere in ID (like sender agreement) we need to specify which client certificate should be used to authenticate the client who calls our service. However nowhere in ID I can specify which client certificate should be used for the defined sender CC. So how would it work in runtime? When my web service is called, which client certificate does PI use to authenticate the client?
    It'd very much appreciated if you could give more information about how HTTPS for SOAP adapter works? I've done lot of research on this, but still confused.
    Thanks

    Hi,
    for transport level security you should assign the HTTPS connection created in SM59 to the SOAP communication channel.
    The HTTPS connection should use the certificates imported in t-code STRUST.
    1. You have to dounload the SAP cryoptographic librariers.
    2. Set the specific paramerts in RZ10
    3. Maintain the enviornmental variables & you need to keep the logon tickets too in some specific directory.
    4. Import the client & server certificates into STRUST.
    You can find some documents on ABAP ssl configuration from the SDN library .... I don't have a link now
    Regards
    Sunil.

  • Problem between SOAP Sender and JDBC Receiver

    Hi,
    I have a asynchronous scenary between SOAP Sender and JDBC Receiver.
    The idea is sending an ID for updating one register.
    Table structure is:
    TABLE AS_PERSONA
        (P_RUT                         VARCHAR2(10) NOT NULL,
        P_NOMBRE                       VARCHAR2(50),
        P_APELLIDO                     VARCHAR2(50))
    The ID is the P_RUT field.
    The structure of message that I send by SOAP, is the following:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
         <SOAP-ENV:Body>
              <m:MT_CONS_SOAP xmlns:m="urn:prueba:voliva">
                   <CONSULTA>
                        <P_RUT>15445</P_RUT>
                   </CONSULTA>
              </m:MT_CONS_SOAP>
         </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    The JDBC receiver structure is:
    <?xml version="1.0" encoding="UTF-8"?>
    <ns0:MT_CONS_PERSONA xmlns:ns0="urn:prueba:voliva">
         <Statement>
              <AS_PERSONA action="UPDATE">
                   <table>AS_PERSONA</table>
                   <access>
                        <P_NOMBRE>DELETE_BY_XI</P_NOMBRE>
                        <P_APELLIDO>DELETE_BY_XI</P_APELLIDO>
                   </access>
                   <key>
                        <P_RUT>15445</P_RUT>
                   </key>
              </AS_PERSONA>
         </Statement>
    </ns0:MT_CONS_PERSONA>
    When I do a call to SOAP by XMLspy, it returns a message without data, that means succesfull reply.
    I see message monitor and see the succesfull flag. But in the database it doesn't update the register.
    This scenario was proved using the File Sender and same JDBC Receiver, then result was succesfull.
    I proved SOAP Sender with a File Receiver, storing information from SOAP sender in an archive, and works well.
    Then I imagine that exist some problem between SOAP and JDBC. what could be happening ?
    Thanks.

    Hi,
    Looks like the problem is with the JDBC receiver...try updating the value in the table by using a File-JDBC scenario..does it work..check the adapter monitor in RWB..
    Regards,
    Sushumna

Maybe you are looking for