cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Securing SOAP sender channels

Go to solution
Former Member

on ‎05-01-2013 3:39 PM

0 Kudos

Hello Everyone,

We have to implement a scenario (SOAP -> PI -> RFC) and secure the requests coming on  SOAP sender channel. I have created all the artifacts required for the configuration scenario and created the WSDL through Sender Agreement.

For Security I have implemented

When I try to invoke the "https" URL from SOAP UI I get the error

I am able to invoke the "http" URL successfully from SOAP UI, after changing the security level to HTTP in the Sender Channel.

What are the parameters that I need to change in SOAP UI/PI to ensure that the communication happens successfully?

Regards

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎05-06-2013 3:35 PM
0 Kudos

Thanks Everyone,

One question though,

For the option of "HTTPS without Client Authentication", do I need to export the Public Certificate from the PI box and import it to the Client Machine?

The reason why I am asking this is, I removed the certificate from my local machine and tried to hit the URL (HTTPS) from SOAP UI and I am still able to do so without any problem.

Regards

Show replies
Show replies
Shabarish_Nair
Active Contributor
‎05-06-2013 9:55 PM
0 Kudos

The reason why I am asking this is, I removed the certificate from my local machine and tried to hit the URL (HTTPS) from SOAP UI and I am still able to do so without any problem.

>>>

i think thats a cached version active!

JaySchwendemann
Active Contributor
‎05-07-2013 12:43 PM
0 Kudos

Hi Upendra,

please beware of mixing up "HTTPs without client authentication" with trusting the servers certificate.

If you do HTTPS then the client has to trust the servers (your PI's) certificate. If the certificate is self signed you will have to establish trust within client configuration. If you think as soapUI as a client, I think soapUI itself doesn't force trust so it accepts self signed certificates. Other clients however might be more restrictive. Thats when you would need to "export" any certificate from your server and establish trust with your client.

This however has nothing to do with the client authentication itself. Simply put: You can do HTTPS with a username and password. You do this all the time when logging on to some internet sites like your webmail. But you can also do HTTPS with a certificate that identifies yourself (the client) to the server. Think of it like a passport (client certificate) that is issued by a country (your server or a external CA like VeriSign) and allows you to "enter".

To get back to your question:

Upendra Patil wrote:
Thanks Everyone,
One question though,
For the option of "HTTPS without Client Authentication", do I need to export the Public Certificate from the PI box and import it to the Client Machine?
The reason why I am asking this is, I removed the certificate from my local machine and tried to hit the URL (HTTPS) from SOAP UI and I am still able to do so without any problem.
Regards

--> You don't need to export the certificate from PI

--> If communication still works you either have a caching problem, you already specified the username and password for basic authentication (e.g. in soapUI in Tab "Aut") or you deactivated authentication for the whole SOAP adapter but that's unlikely because you would have needed to deep dive into configuration of PI to do this (probably not done accidentally)

HTH

Cheers

Jens

Former Member
‎05-07-2013 2:07 PM
0 Kudos

Thanks a lot Jens.

Answers (4)

Answers (4)

Former Member
‎05-02-2013 12:44 PM
0 Kudos

Have you installed the SSL certificate on your local machine??

Show replies
Show replies
Former Member
‎05-02-2013 3:11 PM
0 Kudos

Here is what I have done

  1. Exported the Public Certificate from the PI server.
  2. Imported it in my local machine into Trusted Root Certification Authorities/Certificates folder
  3. Imported it into the Java Key Store on my local machine
  4. Created Keystores and Outgoing WS-Security Configurations in SOAP UI tool.
  5. Created Encryption with the PI Server public certificate as shown below.

    

Selected the profile in the "Aut" tab of SOAP UI while triggering the request.

I am facing the error mentioned above, when I trigger the request.

Regards

JaySchwendemann
Active Contributor
‎05-02-2013 6:37 PM
0 Kudos

I don't think you would need to import the certificate from PI to soapUI. Please check in soapUI if...

  • You used Authorisation Type "Preemptive" instead of "Global HTTP Settings" in "Aut" tab of Request
  • You also filled in username and password of a authorized user as Allamudi already pointed out
  • you checked the proxy settings in soapUI and set up to your needs
  • checked SSL settings. In my settings "requires client authentication" is not selected
  • make sure you use the right endpoint URL with the correct port. for https this is a default endpoint URL https://<host>:51<SID>1/XISOAPAdapter/MessageServlet?channel=<party>:<service>:<communication channel>
  • have definitely set the security level to "HTTPS without client authentication" in sender communication channel

HTH

Cheers

Jens

Former Member
‎05-02-2013 9:12 PM
0 Kudos

Thanks Jens,

I have configured this, the traffic is flowing through. While checking the HTTPS traffic through Fiddler,

When, I configure Fiddler, Proxy Settings - Host to 127.0.0.1 and Port to 8888

I am getting the error

How do I check the HTTPs traffic flowing

Regards

JaySchwendemann
Active Contributor
‎05-03-2013 3:27 AM
0 Kudos

Ok, so you are using fiddler to have some "man in the middle" scenario in order to tamper HTTPS data? If so, I might not be the best person to ask. I always just relied on what I was sending out from fiddler / soapUI is what is coming into SAP PI.

If you actually use soapUI I would suggest deactivating (that is, checking the hooks fiddler is placing in your proxy settings and deactivating them in necessary) fiddler. Then go ahead and try to test with soapUI.

Anyways, there might be some way to start request with soapUI and then tamper data with fiddler, maybe someone else might be of help here 🙂

Cheers

Jens

Former Member
‎05-06-2013 3:35 PM
0 Kudos

Thanks Jens

Former Member
‎05-02-2013 12:27 PM
0 Kudos

Apologies, I should have explained better.

I am trying to implement the SSL security "HTTPS with no Client Authentication" option selected in the drop down as shown in the attached figure 1. This is for Sender Channel.

I am getting the error shown in the figure 2.

My question is what steps do I need to follow for the configuration so that scenario works correctly.

REgards

Show replies
Show replies
allamudi_loordh
Active Participant
‎05-02-2013 6:12 AM
0 Kudos

Hi upendra,

please pass the authentication as well (use PI credentials).

just right click on the source message to check validation & format. after that execute.

Show replies
Show replies
rajasekhar_reddy14
Active Contributor
‎05-02-2013 3:49 AM
0 Kudos

Secure request means? are you using certificates to exchange message processing? if you are using SSL then make sure that everything configured correctly.

Show replies
Show replies
Ask a Question