on 06-30-2010 8:02 AM
Dear Experts,
I am planning to create a few enterprise services using an inside-out approach (using FMs) with the intention of consuming them in a .NET WPF application (prototyping).
These web services would then be consumed by a third-party application which is outside our system landscape, in the near future. This 3rd-party application would thus have access to our data exposed through the interface.
My question is, first of all, is it possible to achieve this kind of communication without any mappings?
Secondly, how safe is it to provide such interfaces externally, and will the user authentication settings be enough to assure safe integration? Will the firewall settings affect this kind of 3rd-party communication over the internet?
Are there any problems that you all foresee?
Any comments on this would be great as I plan to start really soon.
Thanks a lot in advance,
Amith
>My question is, first of all, is it possible to achieve this kind of communication without any mappings??
Yes, once the service is created, any .NET application can consume it by using the WSDL.
>Secondly, how safe is it to provide such interfaces externally and will the user authentication settings be enough to assure safe integration?
User/password with limited authorization is safe enough, but for extra security you would probably use certificates.
>WIll the firewall settings affect this kind of 3rd party communication over the internet?
No, if your landscape is open for HTTP communication then the firewall will be unable to block any SOAP communication, as it is plain text.
>Are there any problems that you all foresee?
First see what your security risk appetite is, then check who the users will be: selective partners or anyone who wants to use it. For selective users you can create a license or certificate key which needs to be used by the calling application to authenticate. Always create a different endpoint for each partner or user so that you can selectively turn the communication on/off and will be able to trace who is doing what.
Hope this helps you.
Regards,
Gourav
Thank you Gourav for your swift response.
> User/password with limited authorization is safe enough
Do we need to create a new role for such a user?
So you are saying that the firewall will not block any SOAP calls to the network and all I have to make sure is that the HTTP configuration is done by the Basis colleagues... And any services created by me will be accessible to anyone with the WSDL, right?
Any docs or links on the required HTTP settings would be of great help.
> First see what your security risk appetite is, then check who the users will be: selective partners or anyone who wants to use it. For selective users you can create a license or certificate key which needs to be used by the calling application to authenticate.
Can you please share some documentation where this has been covered? I want to know how this is done technically.
Thank you so much.
Regards,
Amith
Hi Amith,
For additional security you could also consider SAML assertions with user-ID propagation. Then you would create a SAML endpoint binding. That works together with the user authorizations you set up for the user ID in the backend and would lock things down nicely with message-level encryption.
Regards, Trevor
>Do we need to create a new role for such a user?
That would be better; these roles must have selective authorizations (like only to create SalesOrder).
>And any services created by me will be accessible to anyone with the WSDL, right?
Yes. Regarding opening HTTP communication, contact your Basis team; it is something very standard and they should know this.
Regards,
Gourav
Thanks Gourav,
So I can safely assume that a web service created by me in my SAP system can be accessed by a third-party vendor within his system landscape without any issues in his application, irrespective of what platform it is on (.NET/Java). All that is needed is the service created and its runtime configuration maintained.
Is this a scenario that you have implemented before?
Also, can the reverse process work without any hiccups, i.e. consuming a third-party web service by using the WSDL and creating a logical port in SOAMANAGER? Your inputs would be really helpful here.
So basically, to sum up, this kind of service-based communication across networks can happen without using XI and with just function modules exposed as web services.
Please let me know if you faced any issues when implementing such a scenario.
Thanks a lot in advance.
Amith
Edited by: Amith Menezes on Jul 8, 2010 9:58 AM
> irrespective of what platform it is on (.NET/JAVA)
Yes, as long as the consuming application can understand SOAP (the objective of WS is to allow interoperability).
>All that is needed is the service created and its runtime configuration maintained.
Yes, in short the WSDL URL should be accessible from the consumer landscape.
>Is this a scenario that you have implemented before?
Yes, and lots of examples are available on SDN and MSDN for intercommunication between SAP and .NET.
>Also, can the reverse process work without any hiccups
Here is the catch: the SAP SOAP runtime does not support everything which can be developed by .NET and Java applications. For example, .NET WS allows you to pass user/password as part of the SOAP header, which is not understood by SAP, and you end up doing a workaround in ABAP to call such a service. But most things are supported.
>service-based communication across networks can happen without using XI and with just function modules exposed as web services.
For service-based communication you don't need XI/PI unless you want to take advantage of PI functionality like routing and transformation (mapping).
Regards,
Gourav
Hi,
>So are there any situations where it won't be accessible?
Yes, when the system is NOT available on the internet (inside the LAN) or is purposely secured behind a firewall which blocks unwanted access; such issues can be solved with the help of the Basis team. The only thing to remember is that the WSDL URL (or system) should be accessible from the consumer landscape (inside or outside the LAN). For example, your company's SAP systems are not reachable from my company's systems, so if we want to communicate we need to make them accessible without compromising overall security. Your Basis and network team will take care of this and it is totally transparent for you.
>Do I have to publish this web service somewhere (UDDI) to make it accessible in the consumer landscape?
No. The UDDI service registry does not play any role at runtime. It is just a yellow pages/directory of web services.
Regards,
Gourav
Hello Gourav,
Sorry for the delayed update.. I was held up with other work.
I now have a WS in ABAP which is fully functional when consumed in ABAP (using a report), but when I tried to test it using a SOA testing app (SOAPUI), I get a 'No logon data provided' error.
I provided the authentication to load the WSDL, but when the service is called I do not get a chance for authentication. If I now have to consume this service in .NET, where would I provide the user credentials? Would they be part of the import parameters or the SOAP header? Please let me know.
Thanks in advance. Regards,
Amith
Oh, regarding .NET,
Although I don't use .NET, if you use HTTP authentication the credentials are an HTTP setting of your consumer object and have nothing to do with the payload itself. So you usually pass those credentials on object instantiation, or in a visual IDE in some dialog or tab for setting those parameters.
hope it helps,
anton
Hi,
For calling WS with user/password please use (from SAP help):
>ICredentials cred = new NetworkCredential("<user>", "<password>"); // placeholder logon values
>svc.Credentials = cred;
On the role-related issue, can you check if your user ID has the necessary authorization to execute business transactions in the backend (for example Create SalesOrder etc.)? Since you already have all WS-related authorizations, I think this issue is related to the function which this web service is performing.
Regards,
Gourav
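Anton's and Gourav's replies above put the logon data on the HTTP layer rather than in the SOAP payload. As an added illustration (not code from this thread or from SAP), the Python script below builds the same call both ways, HTTP Basic (the form the SAP SOAP runtime expects per this thread) and a WS-Security UsernameToken inside the SOAP header (the .NET-style variant Gourav mentioned earlier), and classifies a captured raw request so you can check whether any logon data is actually on the wire when SOAPUI reports 'No logon data provided'. The host, path, service name and namespace are constructed placeholders.

```python
import base64
import re

# Constructed sample call to the temperature-conversion test service from the
# thread; the service name, namespace, host and path are placeholders.
ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style">'
    '<soapenv:Header/><soapenv:Body><urn:ZTempConvert><Celsius>21</Celsius>'
    '</urn:ZTempConvert></soapenv:Body></soapenv:Envelope>'
)
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def http_post(host, path, body, extra=""):
    """Serialise a raw HTTP POST carrying `body`; `extra` is an optional header line."""
    return (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\n{extra}"
        "Content-Type: text/xml; charset=utf-8\r\n"
        f"Content-Length: {len(body.encode('utf-8'))}\r\n\r\n{body}"
    )


def basic_auth_request(host, path, user, password, envelope=ENVELOPE):
    """Logon data in the HTTP Authorization header (transport level): the form
    the SAP SOAP runtime expects per the thread. The SOAP payload is untouched."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return http_post(host, path, envelope, f"Authorization: Basic {token}\r\n")


def usernametoken_request(host, path, user, password, envelope=ENVELOPE):
    """Logon data as a WS-Security UsernameToken inside the SOAP header
    (message level): the .NET-style variant Gourav said SAP may not understand."""
    header = (
        f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>'
        f"<wsse:Username>{user}</wsse:Username><wsse:Password>{password}</wsse:Password>"
        "</wsse:UsernameToken></wsse:Security></soapenv:Header>"
    )
    return http_post(host, path, envelope.replace("<soapenv:Header/>", header, 1))


def credential_location(raw_request):
    """Classify where a captured request carries logon data: 'http-basic',
    'ws-security', or 'none' (the 'No logon data provided' case)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    if re.search(r"^Authorization:\s*Basic\s+\S+", head, re.M | re.I):
        return "http-basic"
    if "UsernameToken" in body and WSSE_NS in body:
        return "ws-security"
    return "none"
```

Both forms carry the password readable in the request, so the endpoint should only be reachable over HTTPS; the classifier is meant to be run over the raw request SOAPUI or a proxy shows you, not over production traffic captures.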
> On the role-related issue, can you check if your user ID has the necessary authorization to execute business transactions in the backend
Thanks Gourav for the link.
My user ID has all the authorizations needed. But on the other hand, this web service does not touch any backend tables/transactions because it is just a test web service (it does a temperature conversion). I am not able to figure out the reason for this error.
Do you have any other thought?
Regards,
Amith
Edited by: Amith Menezes on Oct 11, 2010 7:13 AM
Hi Amith,
SAP_BC_WEBSERVICE_CONSUMER should have worked for you, I'm not sure why it isn't working if this is just a test web service.
Try turning on the authorisation trace in TCode ST01, then send through your request & check the trace. It will tell you what authorisation is missing. Remember to turn the trace off again.
Have you activated your web service in TCode SICF?
Regards, Trevor
Hi Trevor,
I debugged the 'AUTHORITY_CHECK' method of the class 'CL_WS_SECURITY_PROTOCOL'.
The check is failing for the authorization object 'S_SERVICE'.
This check is not against the user but is for the service itself. The function module 'AUTH_TRACE_INTERN_HASH' returns a hash code for every service and this is then checked against the auth object 'S_SERVICE'. This is the cause of the failure.
Any clue as to what this object is?
Kind regards,
Amith
Hi Amith,
The S_SERVICE should form part of the SAP_BC_WEBSERVICE_CONSUMER role; that's why I couldn't understand why it wasn't working for you. Check the authorisation objects listing for role SAP_BC_WEBSERVICE_CONSUMER in TCode PFCG, and if you have red lights in the authorisations and user tabs you could try re-generating the SAP_BC_WEBSERVICE_CONSUMER role to see if that helps.
Alternatively, just while you're testing you could also use the SAP_BC_WEBSERVICE_ADMIN role & that should get things working temporarily for you. You might also need to have a look at SAP note 1120760 & see if it's relevant for you but I think if you're already on EHP4 then you should be okay.
Regards, Trevor
Hi Trevor Naidoo,
Once again greetings. I have also had the same problem. Then I followed your instruction, I mean in the Authorization tab of the services (S_SERVICE, SAP_BC_WEBSERVICE_CONSUMER) in tcode PFCG.
Now it turned from a red to a green light after I saved. But still my Web Service Navigator is not working. It says as follows.
what can i do now?
-Janaraja