
Axis receiver - WS-SECURITY problem

Former Member
0 Kudos

Hi all,

We need to consume a 3rd-party web service through the AXIS adapter. This communication must be secured by a certificate. We have imported the certificate into the keystore. Therefore WS-Addressing and WS-Security are needed for the SOAP request. We need to use UsernameToken and Timestamp, and then sign the following elements in the SOAP envelope: s:Body, o:UsernameToken, u:Timestamp, a:Action, a:ReplyTo, a:MessageID, a:To. Now we are able to add UsernameToken, Timestamp and the addressing action by adding modules in the AXIS adapter. But we have a problem signing the needed elements.

Now we have the following SOAP request:


<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-24">
        <wsu:Created>2010-12-23T16:27:30.889Z</wsu:Created>
        <wsu:Expires>2010-12-23T16:32:30.889Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-23">
        <wsse:Username>user</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Apassword</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    <wsa:MessageID soapenv:mustUnderstand="false">uuid:8a0e7b40-0eb1-11e0-97ac-8e95546643d1</wsa:MessageID>
    <wsa:To soapenv:mustUnderstand="false">http://www.test.iszo.sk/interfaces/MeasuredValues/Service.svc</wsa:To>
    <wsa:Action soapenv:mustUnderstand="false">http://sfera.sk/ws/xmtrade/iszo/measuredvalues/services/2008/11/01/MeasuredValuesContract/Upload</wsa:Action>
    <wsa:From xmlns="http://schemas.xmlsoap.org/ws/2004/08/addressing" soapenv:mustUnderstand="false">
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:From>
  </soapenv:Header>
  <soapenv:Body>
.........

But we also need to add a security token to the SOAP request to sign the needed elements (body, UsernameToken, Timestamp, etc.) as follows:

 
<soap:Envelope xmlns:ns="http://sfera.sk/ws/xmtrade/iszo/measuredvalues/services/2008/11/01" xmlns:ns1="http://sfera.sk/ws/xmtrade/iszo/common/types/espv1r1/2008/11/01" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-17206535">MIIEgDCCA .... FJSC+w==</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-12725597">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#UsernameToken-23996530">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>TFzBLZTL5JrDmMJFc2FyJZnVJ3Q=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-12575106">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>7/RY2vugAOvUkBK8PH8zELTUCPI=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-21926836">
            <ds:Transforms>
            ...

Does anybody have an idea or an example for resolving this issue? Thanks a lot for your answers.

Regards, Zolo
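
A coverage check for the requirement in the question, as an added example that is not part of the original post and is not SAP or Axis code: for each element the post lists, it reports whether a ds:Reference in SignedInfo points at that element's wsu:Id. The sample envelope and its Id values are constructed, and the check does not validate digests or the signature value.

```python
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SEC = "s:Header/wsse:Security/"
# Parts the question says must be signed, as paths below the Envelope.
REQUIRED = {"Body": "s:Body", "UsernameToken": SEC + "wsse:UsernameToken",
            "Timestamp": SEC + "wsu:Timestamp", "Action": "s:Header/wsa:Action",
            "ReplyTo": "s:Header/wsa:ReplyTo", "MessageID": "s:Header/wsa:MessageID",
            "To": "s:Header/wsa:To"}

def signature_coverage(envelope_xml):
    """Map each required part to absent / duplicate / no-id / unsigned / signed."""
    root = ET.fromstring(envelope_xml)
    refs = root.findall(SEC + "ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed = {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}
    ids = [e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID)]
    report = {}
    for name, path in REQUIRED.items():
        found = root.findall(path, NS)
        if not found:
            report[name] = "absent"
        elif len(found) > 1 or ids.count(found[0].get(WSU_ID)) > 1:
            report[name] = "duplicate"  # ambiguous: a reference could resolve to either copy
        elif found[0].get(WSU_ID) is None:
            report[name] = "no-id"      # nothing for a ds:Reference URI to point at
        else:
            report[name] = "signed" if found[0].get(WSU_ID) in signed else "unsigned"
    return report

# Constructed sample: the signature references only UsernameToken and Timestamp.
SAMPLE = """<s:Envelope xmlns:s="{s}" xmlns:wsa="{wsa}" xmlns:ds="{ds}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">
 <s:Header><wsse:Security>
   <wsu:Timestamp wsu:Id="Timestamp-1"/>
   <wsse:UsernameToken wsu:Id="UsernameToken-1"/>
   <ds:Signature><ds:SignedInfo><ds:Reference URI="#UsernameToken-1"/>
     <ds:Reference URI="#Timestamp-1"/></ds:SignedInfo></ds:Signature>
  </wsse:Security>
  <wsa:MessageID>uuid:constructed</wsa:MessageID><wsa:To>http://example.invalid/svc</wsa:To>
  <wsa:Action>urn:example:Upload</wsa:Action></s:Header>
 <s:Body wsu:Id="id-1"/>
</s:Envelope>""".format(**NS)

if __name__ == "__main__":
    print(signature_coverage(SAMPLE))
```

Run against a captured outbound message, any part reported as `no-id` or `unsigned` is one the adapter configuration has not yet placed under the signature.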

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hello Zolo, I hope you are doing well…

I'm sending you some info that might help you with this matter.

1)

Please check:

Advanced usage questions

1. How can I enable the WS-Security features?

Of note below:

1039369 - FAQ XI Axis Adapter

2)

Please test the SSL connection with "https://<servername>:<SSL port>".

If SSL is configured correctly, then the SAP J2EE Engine's start page appears in your Web browser.

There shouldn't be any "Security Alert" or warnings related with security.

3)

Please check the links below to gather further info on how to set up this scenario with certificates.

(The links below are for 7.1 systems; if you are on 7.0, just replace /saphelp_nwpi71/ with /saphelp_nw70/.)

Axis Framework in the SOAP adapter

http://help.sap.com/saphelp_nwpi71/helpdata/EN/45/a4f8bbdfdc0d36e10000000a114a6b/frameset.htm

Message-Level Security

http://help.sap.com/saphelp_nwpi71/helpdata/EN/a8/882a40ce93185de10000000a1550b0/frameset.htm

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm

HTTPS Configuration for Messaging

http://help.sap.com/saphelp_nwpi71/helpdata/EN/e8/1f1041a0f6f16fe10000000a1550b0/frameset.htm

4) Go to:

http://host:port/XIAxisAdapter/MessageServlet

The page will display the versions of the deployed components, whether the required libraries are also deployed and if Axis adapter was successfully deployed in the system.

For more specific scenarios, e.g., WS-Security, WS-ReliableMessaging, it is also necessary to have the relevant optional components deployed. The page should show status OK when all the required components are available and otherwise status Error.

Cheers,

Jorge Eidelwein