WS-Policy configuration in SOAMANAGER

former_member253880
Participant
0 Kudos

Hello Web Service experts,

System: NW 701/SP6

we are trying to consume a WebService which requires UsernameToken authentication and XML signature of the ds:SignedInfo element. The SOAP request message from the consumer should look like the following SOAP example. Unfortunately the WebService provider is not providing the WS-Policy in the WSDL file.

To my understanding we need the WS-Policy in SOAMANAGER to create the Logical Port with the needed security settings. Without the WS-Policy the Logical Port will be created without an authentication method and therefore no security header will be created in the SOAP message.

Question: Can we configure the Logical Port without WSDL?

If yes, how can we set the LP configuration, because we can't find it in SOAMANAGER?

If not, we would like to create the WS-Policy manually, but what should it look like to fulfill the required security configuration?

<soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext"
                   xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
      <wsse:UsernameToken wsu:Id="ID_USER">
        <wsse:Username>XYZ</wsse:Username>
        <wsse:Password Type="wsse:PasswordDigest">rbrm1yxP8Km9JXbuQna1cnaD85A=</wsse:Password>
        <wsse:Nonce>512587878178554348718655381255</wsse:Nonce>
        <wsu:Created>2010-03-08T08:17:24Z</wsu:Created>
      </wsse:UsernameToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#ID_USER">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>Uk1YjsnUmk9D+3SjUbs6dHRs2SM=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Kc92Y7ORwb/… … …=</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <n0:searchByBirthDate>
      <input>
        <birthDate>01/05/1978</birthDate>
        <lastName>RO</lastName>
      </input>
    </n0:searchByBirthDate>
  </soapenv:Body>
</soapenv:Envelope>


Thank you very much in advance....

Kind regards

Axel

Accepted Solutions (1)

Former Member
0 Kudos

Hi Axel,

have you been able to solve the issue in the meanwhile?

I am facing the exact same problem, not being able to set up the UsernameToken policy manually in SOAMANAGER.

Is it really necessary to do a setup of the SOAP header in the ABAP coding?

Regards, Martin

former_member253880
Participant
0 Kudos

Hi Martin,

uff, it's a long time ago 😉

Not directly, I created an Implicit Enhancement Spot at the end of method APPLY() (class CL_ST_USERNAME10).

Based on the interface name I'm reading a custom configuration table in order to define (overwrite) the username token settings in structure (instance attribute) "m_username_token".


I also opened a message at SAP, because the digest password was not calculated correctly.

The answer was the following OSS Note provided by SAP:

1587834 - wsse:UsernameToken: incorrect Password digest

I created the WS-Policy manually and attached it to the WSDL file.

This will generate the signature configuration.

It is very helpful to create a "dummy" provider service with the same WSS settings (SOAMANAGER) in order to generate a WS-Policy template.


If you need further information, don't hesitate to contact me.


Kind regards


Axel 
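
Added example, not part of the original posts and not SAP's code: the wsse:PasswordDigest calculation as defined by the OASIS WSS UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)), together with a receiver-side check of freshness and nonce replay. All function and class names and all sample values are constructed; the second function shows one common interoperability mistake and is not a statement about what the OSS note above fixes.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def _b64_sha1(raw: bytes) -> str:
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce bytes + created + password)), UsernameToken Profile 1.0."""
    nonce = base64.b64decode(nonce_b64, validate=True)  # decoded bytes, not the text
    return _b64_sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))


def digest_over_encoded_nonce(nonce_b64: str, created: str, password: str) -> str:
    """Interop mistake: hashing the Base64 text of the nonce gives another value."""
    return _b64_sha1((nonce_b64 + created + password).encode("utf-8"))


class UsernameTokenVerifier:
    """Receiver side: parse, freshness window, nonce replay cache, digest compare."""

    def __init__(self, max_age: timedelta = timedelta(minutes=5)):
        self.max_age = max_age
        self.seen = set()  # (username, nonce) pairs already accepted

    def verify(self, username, nonce_b64, created, digest, password, now) -> str:
        try:
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            expected = password_digest(nonce_b64, created, password)
        except ValueError:  # unparsable timestamp or nonce that is not Base64
            return "malformed"
        if abs(now - ts) > self.max_age:
            return "stale"
        if (username, nonce_b64) in self.seen:
            return "replay"
        if not hmac.compare_digest(expected.encode("utf-8"), digest.encode("utf-8")):
            return "bad-digest"
        self.seen.add((username, nonce_b64))  # cache only tokens that authenticated
        return "ok"


# Constructed sample values; not the credentials behind the message in the thread.
NONCE = base64.b64encode(b"constructed-nonce-01").decode("ascii")
CREATED = "2010-03-08T08:17:24Z"
NOW = datetime(2010, 3, 8, 8, 18, 0, tzinfo=timezone.utc)
GOOD = password_digest(NONCE, CREATED, "constructed-secret")
```

The digest scheme requires the receiver to hold the cleartext password (or an equivalent) to recompute the value, and a production replay cache should drop entries once they are older than the freshness window.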

Former Member
0 Kudos

Thanks Axel, that sure would have solved my problem the hard way 🙂

In the meantime I also found another solution I'd like to share with SCN:

Our WS provider didn't provide the policy in the WSDL as well, so I just added it manually into the WSDL file and did the logical port generation with it.

In the WSDL, you need to:

1. Add the Policy definition (ask your provider for the configuration details, or try to use an example from https://www.oasis-open.org/, or just google "WS-SecurityPolicy Examples")

2. Add the required namespaces to the WSDL definition (xmlns:wsp, xmlns:wsu, ...)

3. Add/change the Policy-reference in the (in my case) binding-node

Then, do the logical port generation with the (fixed) WSDL file - that's how it worked for me.

m_olson
Explorer
0 Kudos

Hello Martin,

This sounds exactly what I am looking for.  Would you be so kind to share additional information on the specifics of what you modified in your Policy / binding node?

Did that change allow you to enter a username/key/token/pwd in SOAMANAGER, or did it expose something else in the Proxy for you to pass in security parameters?

Thank you very much,

Matt

Sandra_Rossi
Active Contributor
0 Kudos

Hello Martin. I also want to add manually the security settings to the WSDL (user/password, passwordDigest, it seems easy, but it's not), I tried to reproduce what I got from google, but couldn't succeed in getting the user/password appear in the port screen. They may appear only if the port is created manually (without WSDL). So I've got exactly the same questions as Matt. Thanks a lot.

m_olson
Explorer
0 Kudos

Hi Sandra,

I don't know if it helps, but I ultimately went a different direction and added the SOAP header as laid out in this post: http://scn.sap.com/thread/1706794.  I copied Marcello Urbani's code and replaced the SOAP header structure with my own (what the API provider offered as an example) and it worked perfectly.

It wasn't much work, and took the guessing out of editing the WSDL.

Answers (1)

Former Member
0 Kudos

Hi,

Question: Can we configure the Logical Port without WSDL?

If yes, how can we set the LP configuration, because we can't find it in SOAMANAGER?

If not, we would like to create the WS-Policy manually, but what should it look like to fulfill the required security configuration?

Yes, you can. In SOAMANAGER, when you create the logical port, choose the option "manual" and you will be able to see all the required tabs.

Now, coming to your specific need regarding the SOAP request provided, I am not sure if you can achieve it using standard SAP configuration. When you create the proxy, SOAP header information is ignored by the SAP SOAP framework and no object is available for the SOAP header which can be used for configuration.

While calling the proxy you need to set up the SOAP header manually in the ABAP program, which is a big pain (I guess the given service is developed in .Net).

However I'll again look into it to see if I can find some additional help.

Regards,

Gourav

former_member253880
Participant
0 Kudos

Hi Gourav,

thanks for the quick reply.

The service is developed in J2EE framework.

I already tried to create the LP manually, but I don't know how to set the authentication method like "UsernameToken".

Or can I set this parameter in tab "Operation specific" with the section "Transport Security"?

Signed Message Elements:

Encrypted Message Elements:

So far I'm able to create a SOAP request header with "UsernameToken" and Digest Password using the WS-Policy in WSDL.

But do you think I need to create the "Signature" part manually in ABAP program? That will be a real big pain.

Thanks,

Kind regards

Axel