cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to send a signed SOAP message with additional HTTP Header fields

former_member74203
Explorer

on ‎03-01-2011 12:15 AM

0 Kudos

Our Partner's integration requirements are that we send them asynchronous SOAP messages, that are digitally signed, and whose HTTP headers contains 5 or 6 additional header fields, of which 3 or 4 will need to be dynamically set during the message mapping. I believe we can use the HTTP adapter for adding new fields to the HTTP header, but don't believe it supports signing. I believe that the SOAP adapter supports signing, but I'm not clear on how to use it to add fields to the HTTP header. What is the most straight-forward way to achieve both the signing of the message and the addition of the HTTP header values?

Thanks,

Kurt

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

baskar_gopalakrishnan2
Active Contributor
‎03-01-2011 12:38 AM
0 Kudos

>>>What is the most straight-forward way to achieve both the signing of the message and the addition of the HTTP header values?

Use Java mapping for both.

1) Signing the message

You can digitally sign the soap message using many standard api like WSS4j? or refer Java XML signature API which comes in Jdk1.6.

Refer these links

WSS4J - http://ws.apache.org/wss4j/axis.html

Java XML signature : http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/

2) >>whose HTTP headers contains 5 or 6 additional header fields, of which 3 or 4 will need to be dynamically set during the message mapping

Use Dynamic configuration API to set the additional header fields during message mapping.

Show replies
Show replies
former_member74203
Explorer
‎03-01-2011 3:13 AM
0 Kudos

Thank you for your reply. So does that mean that it is impossible to do both with graphical mapping and the regular PI adapters?

baskar_gopalakrishnan2
Active Contributor
‎03-01-2011 3:30 AM
0 Kudos

>>> So does that mean that it is impossible to do both with graphical mapping and the regular PI adapters?

Yes. If you want to digitally sign a message, PI Soap adapter does not support directly. You need to do through java mapping with apache axis open source or some standard API. I believe even you cannot do it using soap axis adapter.

stefan_grube
Active Contributor
‎03-01-2011 8:19 AM
0 Kudos

> Yes. If you want to digitally sign a message, PI Soap adapter does not support directly.

Are you sure? Online help states, that you can signe the SOAP message:

http://help.sap.com/saphelp_nwpi71/helpdata/EN/02/6d5c034c182e4fbe7bfd25c2b56f9b/frameset.htm

But I have not done this by my own.

baskar_gopalakrishnan2
Active Contributor
‎03-01-2011 5:06 PM
0 Kudos

>> Are you sure? Online help states, that you can signe the SOAP message:

Message-level security is not guaranteed across the entire communication path of a message, but only for the intended B2B connections, which can be the following communication paths, as described under Service Users for Message Exchange.

u25CF      WS protocol

u25CB       (s1) WS sender to Integration Server

u25CB       (r1) Integration Server to WS receiver

u25CF      SOAP protocol

u25CB       (s3) SOAP sender to Advanced Adapter Engine or PCK

u25CB       (r3) Advanced Adapter Engine or PCK to SOAPreceiver

former_member74203
Explorer
‎03-01-2011 5:31 PM
0 Kudos

>> (r3) Advanced Adapter Engine or PCK to SOAPreceiver

This bullet point seems to apply to our scenario. If that is the case than can we:

1. Use a graphical map with UDFs to call the Dynamic Configuration API to create new HTTP header values and

2. Use the PI SOAP adapter to digitally sign the message

???

baskar_gopalakrishnan2
Active Contributor
‎03-01-2011 5:39 PM
0 Kudos

If you don't route your message to external target systems and you are good with Soap adapter itself. Intially you dont specify your exact interface communication details.

former_member74203
Explorer
‎03-04-2011 10:32 PM
0 Kudos

We are making progress with the SOAP adapter. We are able to add HTTP header values using the variable transport bindings under adapter-specific message attributes. We are also able to sign the message, but not all of the signature related elements appear in the message. Along with the signature our partner also requires us to populate the X509Certificate element with the certificate. I believe that the element is optional in the standard, but it is required by our partner. Any idea what would be keeping if from being added to the message?

prateek
Active Contributor
‎03-05-2011 11:19 AM
0 Kudos

@Bhaskar

Yes. If you want to digitally sign a message, PI Soap adapter does not support directly. You need to do through java mapping with apache axis open source or some standard API. I believe even you cannot do it using soap axis adapter.

This is a strong statement and I too don't agree to it. In simple terms, Soap adapter supports signing.

Message-level security is not guaranteed across the entire communication path of a message,

Agree, but do you mean that the Java mapping you suggested overcome this?

@Kurt

What all security related configurations have you done in channel? Are you using "Select Scurity Profile" and "Configure Client Authentication" options in channel? Have you filled in corresponding received agreement details?

Regards,

Prateek

former_member74203
Explorer
‎03-07-2011 5:10 AM
0 Kudos

Prateek,

We have set the receiver SOAP channel to use web service security. In the receiver agreement we have selected the "sign" option and provided the keystore and keystore entry that we would like to use. I'm not sure if there is any BASIS config that needs to occur to make this work. I found something in SAP Help about "Configuring AS Java for web service security". In RWB the self-test appears to indicate that this configuration might not be complete. I find it strange though that the message is signed, but the certificate is missing if the missing configuration is our issue.

Ask a Question