cancel
Showing results for 
Search instead for 
Did you mean: 

MII Web Service authorization issues

Former Member
0 Kudos

I am setting up PCo's connection to the web services for ME (not for the first time) and the username and password I use for the destination allows me to connect just fine.  I then configure everything and venture off to MII's workbench to create a simple web service call to complete an operation.  I execute the transaction and I get an authorization issue.  Since this is MII and its communication to the web service, I am posting it here.  Otherwise, I would have posted this in the ME section.  Once again, when I set the web service action block, my credentials work fine and I am able to configure it properly.  It is when I actually execute the transaction I get the error.  I reviewed the SSA section and the security appears to be set up properly.  Any thoughts?

Accepted Solutions (0)

Answers (1)

Answers (1)

former_member196557
Active Contributor
0 Kudos

1. Which versions of PCo, ME, MII?

2. What is the topology: separate servers for PCo, ME, MII; if not what is running on which server?

It is interesting that the Account for which authentication did not succeed is Guest.

For ME Web Services, you need an authenticated user in NW that can execute web service requests and is authenticated from NW on which ME is executing.  Depending on the version of ME, you need either an ME user or both ME and NW user that has ME permissions to perform the WIP transaction (Complete).

Can you place a Catch block after the web service action block and catch the actual error returned to MII from the Web Service request?

Regards, Steve

Former Member
0 Kudos

This is a demo server and we have all software on the same server.  The versions are PCo 2.2, ME 6.0,4.0 MII 12.2.4.  When we installed the SAP MEINT we created a generic user that had rights, but I used my administrator u/p to test this and it still fails.  The funny thing is we were using this infrastructure for a client demo and the web services were working fine.  This was a few months ago and we got sidetracked.  Now, it does not work.

We had this action block and that is how we tracked it back to the security log.  The image I attached to the original msg.

msg:

[INFO] [Tracer_2]WebServiceAction:Authentication failed. For details see log entry logID=C0006DEABD098EC7000000040000135C in security log.

former_member196557
Active Contributor
0 Kudos

How are you specifying the user/password in the Web Service Action Block? Here is what I do with Web Service Action blocks:

1. Create A Credential Store object in MII with the NW user name/password that can authenticate Web Service requests (you can also use the SAP.  Note that this is a user for the ME Netweaver instance, NOT the MII NW instance. You can use the pre-defined Alias SAPMEINT_ALE_AUTH, which should contain the MESYS user name and password.  In ME, assign MESYS to the Administrators and Operators Groups in User Management.

2.  Assign the Credential Store name to the CredentialAlias element in the WS Action Block with the Expression Editor. Remove any Name/password assignments.

3. The user specified in 1 is ALSO required to be a user in ME, with permissions to perform the WIP transaction called in the Web Serivce.

Regards, Steve

Former Member
0 Kudos

We always used the MESYS user as the main user, but now that it is not connecting, I changed it to my personal account which is an admin.  Once again this is just one server and one instance of Netweaver so there is only one UME and my personal account has administrative rights.  Now, I know there are specific actions that ME requires a user to have in order to modify routes and other items.  I am wondering if you could test your MESYS user, see that it works properly and then share all of its security (groups, roles and actions) to see if something was mistakenly removed.  I know we upgraded ME and the MEINT recently from 6.0.1 to 6.0.4 but I do not know if this caused some issues.

former_member196557
Active Contributor
0 Kudos

ME 6.0.4 MESYS user on ME Netweaver:

Assigned Roles:  SAP_ME_INTEGRATOR, SAP_ME_USERS

Groups: Authenticated Users, Everyone

Do you have ME and MII installed on separate NW instances or deployed on the same instance?

Regards, Steve

Former Member
0 Kudos

same instance, but this worked before.

Former Member
0 Kudos

Also, my MESYS has the exact security as you do  The assigned action for the Integrator role has ME.Integrator.WebServices.  Is there anything else pertaining to web services I should have for this role?

Former Member
0 Kudos

So the issue is not truly an authentication issue.  We get an authentication issue when there are not enough input parameters for the web service.  What I did was take a trx that worked that connected to the Start operation and stripped it of its input parameters and I got the same error as the complete trx.  Now, I know what changed.  Someone had to have changed the inputs and then forgot about it.  The problem we have now is none of the documents for web services accurately tell us which inputs are definitely needed to be successful (Soap UI or the RDS on PCo).  Can you tell us which inputs are mandatory for the complete operation web service for ME?

former_member196557
Active Contributor
0 Kudos

OK, the authentication error you have now is because there is no UserRef/UserID assigned in the request. For ME 6.x, this must be the same user that is used to authenticate the web service request, and the user in ME must have permissions to perform the web service request activity (i.e., Start, Complete, LogNC, etc.)  If the authentication name and ME user name are not the same, you will get an Authentication fallure.

For Start and Complete requests, the following elements in the request are required:

SiteRef/Site

SfcRef/Sfc

ResourceRef/Resource

OperationRef/Operation

OperationRef/Revision (set to # for the current revision)

UserRef/UserID

If Quantity is not assigned the entire Qty of the SFC will be processed.

Recommend that your remove all other nodes in the request that do not need a value assigned.

Regards, Steve