SAP MI7.1 / WS-Security and X.509 certificates

Former Member
0 Kudos

Dear experts,

We are currently implementing a custom .NET application (.NET CF 3.5) connected to SAP MI7.1 but we are facing the following issue at this stage:

1) the end-user must enter his PIN-code to open his PDA

2) the end-user must enter his AD password to get connected to the APN

3) the end-user must enter his SAP Logon/Password to get connected to SAP MI.7.1

4) the custom protocol includes a login step which requires the key Device ID + User Logon

Actually, MI7.1 gets connected to the backend using trusted connections and most of our SAP servers are connected using SSO. We are not interested in using SSO Mobile but we would like to avoid the last two authentication steps.

Our idea then consists of exchanging X.509 certificates during synchronization. In fact, we do communicate with SAP MI7.1 via SOAP 1.1 and I believe that using WS-Security could solve our issue. The questions are the following:

- Did you face such an issue?

- How did you solve it?

- Do you think using WS-Security could help us?

- Did you manage to store X.509 certificates in the SIM card you could send via Web Services?

Thanks in advance and Best Regards,

Ludovic

Accepted Solutions (0)

Answers (4)


anesh_kumar
Active Participant
0 Kudos

Hi

How can we connect the custom .NET application with Mobile 7.1?

Actually we are planning to create a custom .NET application for asset tracking,

but we have no idea on how to move the .NET app to the handheld and maintain sync settings etc.

Could you please help me out?

thanks

Former Member
0 Kudos

Thanks to both of you.

I will try to implement a mock-up to validate this strategy.

Kind Regards,

Ludovic

Former Member
0 Kudos

Dear Ramanath,

Assuredly, I do not want to bypass those two steps without any secure alternative. I was probably not clear in my previous message. In the meantime, I didn't work on security for a while.

In theory, that is what I'd like to do: let's forget about step 1, which is very generic (although it is very important).

Step 2 guarantees the access to our secure area where different servers might be accessible. Only registered MI users can access the server. Usually, at our company, we do use SAP CUA to guarantee SAP Logon.

At this stage, either the AD can send back a ticket to the MI Client to get connected to MI 7.1 without any additional user authentication (in the meantime, I think the AD informs the SAP system about this ticket) or, once the application can access the APN, it can add an X.509 certificate to the SOAP envelope. Exchanging certificates between the application and the server must guarantee to each of them that they do communicate safely. I am more confident with this second approach since I do not know how to manage tickets between AD, SAP and my application, although I have to identify the user himself. This is Step 3. What is the feasibility of generating certificates for each mobile user, especially in a mass deployment approach? How to guarantee the KPI (replacing certificates / non-repudiation and rejection ...)?

Finally, the custom channel protocol requires the identification of the device itself (in combination with the user). I'd like to receive the SAP Logon data from the AD instead of storing this information locally. The device ID is generated from the MAC address. This is step 4.

Hope this explanation is better and helps in getting advice on the implementation of such a protocol.

Kind Regards,

Ludovic

VikasLamba
Advisor
0 Kudos

Hi Ludovic,

Your problem for authentication can be broken down into two steps when it comes to using MI 7.10.

1. Technical authentication with SAP Web AS where Mobile is running.

2. Application level authentication.

Step 1 can be performed using X.509 certificates, as Mobile does not play any role at this level. Mobile uses the standard ICM of SAP Web AS and is configured to use all communication mechanisms. Thus your device should be able to authenticate itself with this approach.

But the challenge I see in this approach would be distributing the certificates within your infrastructure to each device, as the authentication would require the device to have the certificates and no one can break the rules here. If you have solved this then your problem will be solved.

For step 2 the authentication at application level is purely about sending the deviceID and Physical ID, which should be taken care of at application level. The SOAP messages that you send can be designed to exchange this information and then extract and reuse it for passing to the application on the server's end.

Regards,

Vikas
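The two-level split Vikas describes, shown as one SOAP 1.1 sync message in Python: an X.509 token in a WS-Security header for the technical authentication and the device/user identifiers in the body for the application level. This is example code written for this page, not code from the thread or from SAP; the SOAP 1.1 and WSS 1.0 namespaces are the real ones, while the `urn:example:mi-sync` namespace, the `Login`/`DeviceID`/`UserLogon` elements and the certificate bytes are constructed assumptions.

```python
"""SOAP 1.1 sync request with an X.509 token in the WS-Security header
(Vikas's step 1) and the device/user identifiers in the body (step 2).
Example code written for this page, not SAP's or the poster's code; the
SOAP/WSS namespaces are real, the body element names and cert bytes are constructed."""
import base64
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "app": "urn:example:mi-sync",  # constructed application namespace
}
X509V3 = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-x509-token-profile-1.0#X509v3")
B64 = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(range(32))  # stand-in for a DER cert

def build_envelope(cert_der: bytes, device_id: str, user: str) -> str:
    """Client side: X.509 token in wsse:Security, identifiers in the body."""
    token = base64.b64encode(cert_der).decode()
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{NS["wsse"]}" soap:mustUnderstand="1">'
        f'<wsse:BinarySecurityToken ValueType="{X509V3}" EncodingType="{B64}">'
        f'{token}</wsse:BinarySecurityToken></wsse:Security></soap:Header>'
        f'<soap:Body><Login xmlns="{NS["app"]}"><DeviceID>{escape(device_id)}</DeviceID>'
        f'<UserLogon>{escape(user)}</UserLogon></Login></soap:Body></soap:Envelope>'
    )

def extract_token_and_login(envelope: str):
    """Server side: reject unless a well-formed X509v3 token is present, then
    return (der, device_id, user) for chain validation and the device registry."""
    root = ET.fromstring(envelope)
    bst = root.find("soap:Header/wsse:Security/wsse:BinarySecurityToken", NS)
    if bst is None:
        raise ValueError("missing WS-Security X.509 token")
    if bst.get("ValueType") != X509V3 or bst.get("EncodingType") != B64:
        raise ValueError("unsupported token ValueType/EncodingType")
    der = base64.b64decode(bst.text or "", validate=True)
    login = root.find("soap:Body/app:Login", NS)
    device = login.findtext("app:DeviceID", "", NS) if login is not None else ""
    user = login.findtext("app:UserLogon", "", NS) if login is not None else ""
    if not device or not user:
        raise ValueError("application-level DeviceID/UserLogon missing")
    return der, device, user
```

The returned DER bytes still have to be validated against the trusted issuing CA (and checked for expiry and revocation) by the server's X.509 stack, and the device ID checked against the registered devices, which is the point Ramanath raises below.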

Former Member
0 Kudos

Hi Ludovic,

The SAP Logon/password step is there to authenticate the user who is trying to access/exchange the "business critical" data with the MI 7.1 server. And the device id validation is needed to make sure that the correct device is communicating with the DOE and the information being exchanged is valid.

Are you really sure you want to "avoid" these two important steps? I would recommend having these steps in your implementation to ensure the integrity of the data in your system.

Regards,

Ramanath.