
Security for Webservice deployed over DMZ

Former Member
0 Kudos

I have a scenario in which a webservice created in our PI system needs to be consumed by a business partner outside the network. I have created the webservice and shared the WSDL URL with my network team. The network team has deployed it over a DMZ instance and provided a URL to be accessed from outside the network.

We have implemented no security mechanism yet, and the above URL prompts for the user ID and password when accessed. The business partner does not want authentication using a user ID and password. The business partner has shared the IP addresses from which it will be accessed.

Is it possible to validate with a digital certificate?

Please suggest the different possible ways to have secure communication in this scenario.

Note: we are on PI 7.10.

Accepted Solutions (0)

Answers (2)

markushardank
Product and Topic Expert
0 Kudos

Hello,

The first step is to enable secure communication via HTTPS; based on that, you can then configure e.g. single sign-on based on X.509 certificates. So no username and password is needed. Deactivating username and password is not a good idea, as already stated.

Some useful links for HTTPS and SSO setup (for 7.3, but it is quite similar for 7.1):

http://help.sap.com/saphelp_nw73/helpdata/en/4a/015cc68d863132e10000000a421937/frameset.htm

http://help.sap.com/saphelp_nw73/helpdata/en/48/a9bb457e28674be10000000a421937/frameset.htm

http://help.sap.com/saphelp_nw73/helpdata/en/48/ca0fe42fbb5c97e10000000a42189d/frameset.htm

Hope this helps you.

Best regards,

Markus

former_member184681
Active Contributor
0 Kudos

Hi,

There are a few options here:

1. The sender can place the username and password in the URL. The URL changes a bit, since the call is not posted to the sender SOAP adapter, but directly to the Integration Engine, which is not advisable except for some unusual situations.

2. You can disable the authentication completely, but this influences the whole adapter, not just one communication channel, so it is absolutely not advisable.

If you want to keep the connection secure, getting rid of authentication isn't really the best idea... See more on this topic in my blog:

Regards,

Greg