on 03-01-2011 12:15 AM
Our Partner's integration requirements are that we send them asynchronous SOAP messages, that are digitally signed, and whose HTTP headers contains 5 or 6 additional header fields, of which 3 or 4 will need to be dynamically set during the message mapping. I believe we can use the HTTP adapter for adding new fields to the HTTP header, but don't believe it supports signing. I believe that the SOAP adapter supports signing, but I'm not clear on how to use it to add fields to the HTTP header. What is the most straight-forward way to achieve both the signing of the message and the addition of the HTTP header values?
Thanks,
Kurt
>>>What is the most straight-forward way to achieve both the signing of the message and the addition of the HTTP header values?
Use Java mapping for both.
1) Signing the message
You can digitally sign the soap message using many standard api like WSS4j? or refer Java XML signature API which comes in Jdk1.6.
Refer these links
WSS4J - http://ws.apache.org/wss4j/axis.html
Java XML signature : http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/
2) >>whose HTTP headers contains 5 or 6 additional header fields, of which 3 or 4 will need to be dynamically set during the message mapping
Use Dynamic configuration API to set the additional header fields during message mapping.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
>>> So does that mean that it is impossible to do both with graphical mapping and the regular PI adapters?
Yes. If you want to digitally sign a message, PI Soap adapter does not support directly. You need to do through java mapping with apache axis open source or some standard API. I believe even you cannot do it using soap axis adapter.
> Yes. If you want to digitally sign a message, PI Soap adapter does not support directly.
Are you sure? Online help states, that you can signe the SOAP message:
http://help.sap.com/saphelp_nwpi71/helpdata/EN/02/6d5c034c182e4fbe7bfd25c2b56f9b/frameset.htm
But I have not done this by my own.
>> Are you sure? Online help states, that you can signe the SOAP message:
Message-level security is not guaranteed across the entire communication path of a message, but only for the intended B2B connections, which can be the following communication paths, as described under Service Users for Message Exchange.
u25CF WS protocol
u25CB (s1) WS sender to Integration Server
u25CB (r1) Integration Server to WS receiver
u25CF SOAP protocol
u25CB (s3) SOAP sender to Advanced Adapter Engine or PCK
u25CB (r3) Advanced Adapter Engine or PCK to SOAPreceiver
>> (r3) Advanced Adapter Engine or PCK to SOAPreceiver
This bullet point seems to apply to our scenario. If that is the case than can we:
1. Use a graphical map with UDFs to call the Dynamic Configuration API to create new HTTP header values and
2. Use the PI SOAP adapter to digitally sign the message
???
We are making progress with the SOAP adapter. We are able to add HTTP header values using the variable transport bindings under adapter-specific message attributes. We are also able to sign the message, but not all of the signature related elements appear in the message. Along with the signature our partner also requires us to populate the X509Certificate element with the certificate. I believe that the element is optional in the standard, but it is required by our partner. Any idea what would be keeping if from being added to the message?
@Bhaskar
Yes. If you want to digitally sign a message, PI Soap adapter does not support directly. You need to do through java mapping with apache axis open source or some standard API. I believe even you cannot do it using soap axis adapter.
This is a strong statement and I too don't agree to it. In simple terms, Soap adapter supports signing.
Message-level security is not guaranteed across the entire communication path of a message,
Agree, but do you mean that the Java mapping you suggested overcome this?
@Kurt
What all security related configurations have you done in channel? Are you using "Select Scurity Profile" and "Configure Client Authentication" options in channel? Have you filled in corresponding received agreement details?
Regards,
Prateek
Prateek,
We have set the receiver SOAP channel to use web service security. In the receiver agreement we have selected the "sign" option and provided the keystore and keystore entry that we would like to use. I'm not sure if there is any BASIS config that needs to occur to make this work. I found something in SAP Help about "Configuring AS Java for web service security". In RWB the self-test appears to indicate that this configuration might not be complete. I find it strange though that the message is signed, but the certificate is missing if the missing configuration is our issue.
User | Count |
---|---|
87 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.