
SAML - signature issue

Former Member
0 Kudos

Hi,

I'm trying to get a scenario going doing 3rd party --> PI 7.11 SPS 04 --> SAP ECC 6.0

1) The sender (3rd party) sends a sync request containing a SAML assertion in the header. This message is signed using an X.509 certificate.

2) PI is to receive the request using WS adapter and pretty much just pass the request along to receiver using WS receiver adapter (also using SAML).

3) The receiver (R3) receives request and returns a response.

The following lists the prereq done:

1) SAP crypto lib is installed on both PI and R3 system.

2) All PSEs are created on both PI and R3 system in STRUST

3) Report WSS_SETUP has been executed in both PI and R3 system

4) Trust:

4.1) On PI system the PSE cert has been exported from STRUST and imported into the STRUSTSSO2 PSE on the R3 system (this includes adding it to ACL and certificate list)

4.2) On R3 system the PSE cert has been exported from STRUST and imported into STRUSTSSO2 PSE on the PI system (this includes adding it to ACL and certificate list)

4.3) The public X.509 key certificate of 3rd party has been imported into STRUSTSSO2 on PI system in the stores 'WS Security keys', 'WS Security standard' and added to certificate list.

5) Principal propagation has been enabled on both PI and R3 integration engines.

6) No user mapping is setup since the authenticationAssertion will contain a native SAP user.

7) Report WSS_INFO has been executed on both PI and R3 system.

8) SSL is not currently enabled - so far testing is performed strictly using HTTP

The actual issue at hand:

When 3rd party calls PI the following error is given:

CL_SOAP_MESSAGE IF_SOAP_MESSAGE_PART~DESERIALIZE_BODY SOAP Message CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48 .


CL_SOAP_RUNTIME_SERVER EXECUTE_PROCESSING SOAP Runtime CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48


CL_SOAP_RUNTIME_SERVER EXECUTE_PROCESSING SOAP Runtime A SOAP Runtime Core Exception occurred in method CL_ST_CRYPTO==================CM00G of class CL_ST_CRYPTO==================CP at position id 48 with internal error id 1001 and error text CX_WS_SECURITY_FAULT:Invalid XML signature (fault location is 1 )


CL_SOAP_RUNTIME_ERROR map_core_exception_to_fault SOAP Runtime Invalid XML signature


The message processing thus fails due to a certificate issue when initially received by PI.

The question is why do I get this error? I'm well aware of the following post which does not have any impact in my case.

Thanks in advance,

Daniel

Edited by: Daniel Engsig-Karup on Aug 23, 2010 3:20 PM

Edited by: Daniel Engsig-Karup on Aug 23, 2010 3:25 PM

Accepted Solutions (1)


VijayKonam
Active Contributor
0 Kudos

Is your 3rd party application making a call using web services? Does it support Web Service Reliable Protocol? Typically WS adapters are used between the systems supporting Web Service Reliable Messaging protocol.

Looks like your client is not producing the XML in the required format for SAML. As far as I know, and up to now, two SAP systems can use WS RM adapter for communication as they support WS-RM protocol. Check if your client supports it.

VJ
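
An added example, not part of the thread or SAP's code: a Python pre-flight check a client team could run on an outgoing SOAP request to confirm that the WS-Security header carries a SAML assertion and that every signature reference resolves to exactly one element, including the body. It checks structure only, not the cryptographic signature; SOAP 1.1, the SAML 1.x namespace and the constructed `sample` envelope are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",  # assumption: SOAP 1.1
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",  # assumption: SAML 1.x assertion
}
WSU_ID = "{" + NS["wsu"] + "}Id"

def element_ids(elem):
    """IDs a signature reference can target: wsu:Id, Id or SAML 1.x AssertionID."""
    return [elem.attrib[a] for a in (WSU_ID, "Id", "AssertionID") if a in elem.attrib]

def check_envelope(xml_text):
    """Return a list of structural problems; an empty list means none were found."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    has_saml = sec.find("saml:Assertion", NS) is not None
    problems = [] if has_saml else ["no SAML 1.x assertion in wsse:Security"]
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        return problems + ["no ds:Signature in wsse:Security"]
    owners = {}  # ID value -> every element that carries it
    for elem in root.iter():
        for ident in element_ids(elem):
            owners.setdefault(ident, []).append(elem)
    signed = []
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        targets = owners.get(uri[1:], []) if uri.startswith("#") else []
        if len(targets) != 1:  # dangling or duplicated ID: the digest cannot be trusted
            problems.append(f"Reference {uri!r} resolves to {len(targets)} elements")
        signed.extend(targets)
    body = root.find("soap:Body", NS)
    if body is None or not any(t is body for t in signed):
        problems.append("soap:Body is not covered by the signature")
    return problems

def sample(ref_uri):
    """Constructed envelope without digests; ref_uri is the Reference URI under test."""
    return (f'<s:Envelope xmlns:s="{NS["soap"]}" xmlns:w="{NS["wsse"]}" xmlns:u="{NS["wsu"]}"'
            f' xmlns:d="{NS["ds"]}" xmlns:a="{NS["saml"]}"><s:Header><w:Security>'
            f'<a:Assertion AssertionID="a1"/><d:Signature><d:SignedInfo>'
            f'<d:Reference URI="{ref_uri}"/></d:SignedInfo></d:Signature>'
            f'</w:Security></s:Header><s:Body u:Id="body-1"/></s:Envelope>')
```
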

Former Member
0 Kudos

Thanks for your reply.

Some changes have now been made on the client side calling PI. The error now is:

CX_WS_SECURITY_FAULT : Logon failed (trace key 4C7277D9375E62B4E1000000AC1C378B) | program: CL_WSSE_CONTEXT===============CP include: CL_WSSE_CONTEXT===============CM00K line: 196

CX_WS_SECURITY_FAULT : Logon failed (trace key 4C7277D9375E62B4E1000000AC1C378B) | program: CL_WSSE_CONTEXT===============CP include: CL_WSSE_CONTEXT===============CM00K line: 196

A SOAP Runtime Core Exception occurred in method CL_WSSE_CONTEXT===============CM00K of class CL_WSSE_CONTEXT===============CP at position id 196 with internal error id 1001 and error text CX_WS_SECURITY_FAULT:Logon failed (trace key 4C7277D9375E62B4E1000000AC1C378B) (fault location is 1 )

CX_SY_NO_HANDLER : An exception with the type CX_SY_REF_IS_INITIAL occurred, but was neither handled locally, nor declared in a RAISING clause | program: CL_ST_SAML10==================CP include: CL_ST_SAML10==================CM004 line: 1

CX_SY_REF_IS_INITIAL : Dereferencing the NULL reference | program: CL_ST_SAML10==================CP include: CL_ST_SAML10==================CM004 line: 47

Question is what that means - if it's progression or regression.

Any ideas?

Best Regards,

Daniel

Former Member
0 Kudos

Hi,

Time to close this oldie. The main problem was indeed with the client. This is all sorted now and all works as it should.

/Daniel

Former Member
0 Kudos

Hi Daniel,

We are having the same issue, getting the invalid XML signature error. We are testing the webservice through SOAP UI. Can you please tell us how you were able to resolve the error?

I have also posted a new thread with a little more info. http://scn.sap.com/thread/3483030

Thank you.

Regards,

Pranith

Answers (0)