
HTTPS Without client authentication shows error of Certificate

Former Member
0 Kudos

Hi Experts,

I am trying to develop a SOAP to RFC scenario where in SOAP sender HTTP security level - HTTPS Without Client Authentication is selected.

I have downloaded WSDL from Sender agreement and trying to test web service from SOAPUI.  Now as per my understanding simply placing request to HTTPS:<host>:<port>:XISOAPAdapter/....   with correct user should work and this scenario shouldn't need any certificates.

However in SOAPUI and even in RWB SOAP Sender, I am receiving error that - Client Certificate required.

Any comments on why would it be happening ?    In fact whatever option in HTTP Security level I select, error remains same. In NWA is there any other configuration to be done to make this work ?

Is below understanding right ?

-- >> HTTPS Without client authentication will not need certificate exchange and simply user authentication will do

Thanks..

regards,

Omkar.

Accepted Solutions (0)

Answers (3)

sundararamaprasad
Discoverer
0 Kudos

Hello Omkar,

What you are trying to do is consume a SOAP->RFC scenario (synchronous) from SOAP UI and you want that to be secure. With this requirement, just having the certificates alone is not sufficient (sorry for the late response, I just came across this post when I was searching for something else).

1) How did you generate the certificate and the private key? Because Key Generation plays a big part in it. The Key should have been signed by a CA. Though it's not signed by a CA, a trick which would work is, at the time of Key generation, provide the Organization Name as SAP Trust Community and Country as DE.

2) At the time of Key Generation definitely it shall ask for a password. You remember that.

3) Export the Private Key as PKCS12 format and the certificate as Base64 format and have it in your local system (shall be used later in SOAP UI and NWA).

Here follows the major part

4) Open NWA and go to Configuration Management->Authentication

5) Go to the Properties tab and click Modify

6)  Under Logon Application select the check box "

       Flag: Optional

9) Now select the name com.sap.engine.services.security.server.jaas.ClientCertLoginModule and you can see lots of entries under the Login Module Options. Remove them all and add a new entry (case sensitive). Save it.

==>Name: Rule1.getUserFrom

       value : wholeCert

10) Now search for the Policy Configuration name sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter and edit it.

11) Under the Authentication stack select the template client_cert against the used template label and save it.

12) If you are using AXIS Adapter, do step 11 for the Policy Configuration name sap.com/com.sap.aii.axis.app*XIAxisAdapter.

13) Now in NWA navigate to Operation management->Identity Management

14) Search for the user PIISUSER (or any user id which you think has a good amount of authorizations to access the service)

15) Click Modify and go to the tab Certificates and upload the certificate (not the private key) which you downloaded in step 3.

16) With this setup what you have done is you have created proper certificate, enabled certificate based logon for SOAP and AXIS adapter and associated the certificate with a user id.

17) Usually in Dual stack PI, we will have the same certificate added to the server pse in strustsso2 tcode. But since it's single stack, just make sure in the cert and keys you add this certificate to the Trusted CAs and also to the Server Keystore.

18) Now in SOAP UI Right Click on the Project Name->Select Show Project View->Under the WS Security Configurations->Go to Keystore and certificates and add the Private Key

19) In SOAP UI under the operation name, in the Request, instead of providing user credentials, choose the private key name against the SSL Keystore entry.

20) Before you execute the scenario make sure you have chosen the HTTPS url and the https port is proper. Usually it's 443, but some customers configure their own port.


Scenario should work now. Else if you track it using XPI Inspector, you can find out easily at which step it has gone wrong.


Good Luck!!


Best Regards,

Sundar
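
Steps 1 to 3 of the answer above (generate a key pair, export the private key as PKCS12 for SOAP UI and the certificate as Base64 for the NWA user mapping), sketched with the OpenSSL command line as an added example that is not part of the original post. Using OpenSSL instead of the NWA key storage is an assumption, as are the file names, CN and password; the subject values are the ones the answer suggests.

```shell
#!/bin/sh
# Added example: build a self-signed client identity with OpenSSL (assumed tool;
# the thread itself uses the NWA key storage). File names are hypothetical.

# make_client_identity DIR CN PASSWORD
#   DIR/client.key  encrypted private key (never uploaded anywhere)
#   DIR/client.cer  Base64 (PEM) certificate -> user's Certificates tab in NWA
#   DIR/client.p12  PKCS12 key + certificate -> SOAP UI SSL keystore
make_client_identity() {
  dir=$1 cn=$2 pass=$3
  # Subject uses the Organization/Country values suggested in the answer.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
    -subj "/C=DE/O=SAP Trust Community/CN=$cn" \
    -keyout "$dir/client.key" -out "$dir/client.cer" \
    -passout "pass:$pass" 2>/dev/null || return 1
  openssl pkcs12 -export -name "$cn" \
    -inkey "$dir/client.key" -in "$dir/client.cer" \
    -passin "pass:$pass" -passout "pass:$pass" \
    -out "$dir/client.p12" 2>/dev/null || return 1
}

# cert_fingerprint FILE: SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# p12_fingerprint FILE PASSWORD: fingerprint of the client cert inside a PKCS12 file.
p12_fingerprint() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# check_identity DIR PASSWORD: succeeds only if client.cer carries no private key
# and is the same certificate that SOAP UI will present from client.p12.
check_identity() {
  if grep -q "PRIVATE KEY" "$1/client.cer"; then
    echo "client.cer contains a private key; do not upload it" >&2
    return 1
  fi
  fp=$(cert_fingerprint "$1/client.cer")
  [ -n "$fp" ] && [ "$fp" = "$(p12_fingerprint "$1/client.p12" "$2")" ]
}
```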

azharshaikh
Active Contributor
0 Kudos

Hi Omkar,

We have a requirement on same lines.

3rd Party --> PI --> SAP SRM (SOAP to Proxy scenario).

The 3rd Party does not want to have UserID based authentication. When 3rd party data hits PI system it should simply get through PI without checking for  UserId and Password.

Were you able to achieve this using Certificate based Auth (without any user Id auth?). Does Certificate based Auth also requires a Valid PI User ID for SOAP to PI data transfer?

Also in our case the User is not unique, but there can be multiple Users who can trigger this Webservice.

Please share the steps/link you did to achieve this.

Regards,

Azhar

Former Member
0 Kudos

Hi Azhar,

I think your requirement is different from what we were trying to do. Our case was basically SSL error.

However I guess you are looking for SAML token based authentication where PI would validate third party once without ID / Pwd but based on certificate.

In case this is what you are looking for, can you please have a look at the below link ?

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b04408cc-f10e-2c10-b5b7-af11026b2...

Thanks..

regards,

Omkar.

Former Member
0 Kudos

Hi Omkar

Go for the HTTP option if you do not want any secure authentication

Former Member
0 Kudos

Hi Indrajit,

Thanks for the  quick reply..

Yes I want secure connection but not with client authentication. Is that possible without certificate exchange at all ?

Another thing is whatever HTTP Security Level I keep (  even HTTP ), the error remains same.

I observe that whatever changes I made in the communication channel level, WSDL remains same.

So, any inputs based on this if I am missing anything ?

Thanks..

regards,

Omkar.

Former Member
0 Kudos

Hi Omkar

I think you need to have certificate if you go for HTTPS option.

Select the HTTP option and activate the channel. Generate the URL again and import it in SOAP UI.

The endpoint in soap UI will be like this

http://xxxxx.xxx.xxxxx.com:50000/XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_Sender_T...

Make sure the url starts with http not with https.

Former Member
0 Kudos

Omkar,

For using https you have to enable SSL and client certificate. Please go through the following pdf.

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e...

Thanks.

Best Regards,

Anshu Kumar

Former Member
0 Kudos

Hi Anshu,

Thanks for the reply..

Just to clarify a bit further ..yes..all the steps to configure SSL / HTTPS are in place. But issue is this-

In SOAP Sender when I choose the option of HTTPS without client authentication, do I need to share some certificate with sender third party ? ( which in this case is SOAPUI for testing.) .

Or certificates are to be shared only for - HTTPS With Client Authentication ?

I tried downloading private key and uploading it to SOAPUI Keystore but the error persists - Client Certificate Required. This is where I am confused as to what exactly should be shared.

Any idea ?

Thanks..

regards,

Omkar.

Former Member
0 Kudos

Hi Indrajit,

Yes ..URL starts with HTTPS and it is in exact format you mentioned. ( Downloaded from sender agreement for SOAP agreement).

Any other suggestions ?

Thanks..

regards,

Omkar.

Former Member
0 Kudos

Hi Omkar,

You will need to generate a cert from NWA. Please do not export your private key, that is only for your system.

You need to export the public key from your system. Insert that into SOAPUI with a valid Username and password.

Please try again and let me know what the result is. Then let's see if we cannot quickly resolve this for you.

Regards,

Jannus

Former Member
0 Kudos

Hi Jannus,

Thanks a lot for the reply..

In NWA -->> Certificate and Keys -->> ICM_SSL_XXXXX, I can see 2 lines Private Key and Certificate.

I guess by public key you mean I should download Certificate right ? ( By export entry )

But while downloading it doesn't ask me ID / Password.  Now when I try to upload this into SOAPUI, it doesn't accept this certificate and shows error. ( <java entry: Can not read private certificate etc.). Also, even if I post message error shows up.

Is it the right place I am downloading certificates from ? Or am I missing something ?

Also just to emphasize this is our DEV system and we have simply generated certificate in NWA. This certificate has not been sent to and signed by any CA. Is that ok ?

I followed this blog - https://scn.sap.com/blogs/srikanthforsap/2011/01/06/soap-ui-tool--soap-https-client-authentication

But here it says upload private key. I tried that too but SOAPUI error still persists.

Thanks a lot and please let me know what else can I try.

regards,

Omkar.

Former Member
0 Kudos

Hi Omkar,

You can download your server cert from the following place

NWA-> Configuration-> Security-> Certificates and Keys ->Key Storage ->ssl_service.

Download your public key certificate. We might need to sign it but let's test before we do that.

Please also insert a valid username and password in SOAPUI.

Let's quickly test that and if that does not work I would like you to try and test with HTTP.

Regards,

Jannus Botha

Former Member
0 Kudos

Hi Jannus,

Thanks for the reply..

I went to the path NWA-->>Certificate and Keys -->>Service_SSL  and I can find 2 entries in the detail.

1. PRIVATE KEY

2. CERTIFICATE.

I guess by public key you mean I should download CERTIFICATE right ?

So I downloaded it and am trying to upload it into SOAPUI and test. First of all SOAPUI asks for a password (which I don't have) and secondly the error remains the same.

Am I downloading public key from right place ?

Do you think it is the issue with SOAPUI tool or is there anything wrong with SSL configuration ?

Thanks..

regards,

Omkar.

Former Member
0 Kudos

Hi Omkar,

Ok so you download 2. Certificate. and not the private key.

So if SOAPUI asks for a username and password just provide your SAP PI username and password. If you have the correct auth then you should be able to trigger the SOAP call.

Yes, you are downloading the public key from the right place, but I am not sure if your SSL was set up correctly. Because that can be a very difficult area.

SOAPUI should be fine. So I think it is the way the cert might have been applied.

Have you tried HTTP? Just to test if it is working?

Regards,

Jannus Botha

Former Member
0 Kudos

Hi Jannus,

I have downloaded the certificate and gave my credentials to SOAPUI keystore.

First of all SOAPUI throws an error - >> PrivatekeymissingBadpassword>. If I still go and post the request same error - Client Certificate required.

But I observed a strange thing -

If I download WSDL via tool-->>Display WSDL it created URL in format - https://<host>:port/sap/xi/engine?type=entry&version3.0&Sedner.Service=**

This URL WORKS!! It fetches a response for both HTTP and HTTPS.

The trouble arises when I try creating WSDL from Sender agreement and test it from SOAPUI URL format is - https://<host>:<port>:XISOAPAdapter/MessageServlet .....

Now this URL throws exception that client certificate is required. 

In both URL cases, I can see SOAPUI has fetched server's SSL.

Any clues based on this observation ? And any means as to how to check if SSL is set up properly ?

Thanks a lot...

regards,

Omkar.

Former Member
0 Kudos

Hi Omkar,

Are you using PI 7.0?

Download the WSDL. Open it up in notepad or textpad and go to where the endpoint is defined and check if it was generated correctly?

If not there is a bug on the system and an OSS note needs to be logged. I know on PI 7.0 there was this issue of it not generating the WSDLs correctly.

Basis will need to double check and make sure that it was setup correctly.

Regards,

Jannus Botha

Former Member
0 Kudos

Hi Jannus,

Thanks for the response. . I am using 7.31

I think URL generation and end point looks fine.

But if you see working url, it doesn't have XISOAPAdapter in it..

The non working url has XISOAPADAPTER in it

So my understanding is when a service call is routed through xisoapadapter it demands client authentication.

Do you think this understanding is closer to the problem ?

what might be the reason for this ?

regards,

Omkar

Former Member
0 Kudos

Hi Omkar,

Did a bit of reading last night. But unfortunately could not find that answer.

What I did find is that with SOAP HTTPS without client auth you do NOT need a certificate. My guess would be that you only need a username and password for that.

Ask the security team to create a system user for you that you are able to use with the webservice.

Make sure all your objects have been activated and check that your config is 100%. Might just be something small.

But have you been able to send a message successfully?

HTTP and SSL - SAP NetWeaver Process Integration Security Guide - SAP Library

Configuring the Sender SOAP Adapter - Advanced Adapter Engine - SAP Library

Configuring the Sender SOAP Adapter - Configuring the SOAP Adapter in the Integration Directory/PCK ...

Configuring the Sender SOAP Adapter (SAP Library - Partner Connectivity Kit)

Regards,

Jannus

Former Member
0 Kudos

Hi Jannus,

Thanks a lot for the continuous help.

Yes...I have a valid user id / password but still I couldn't send the message successfully.

I will go through the links once again.

Just to update the proceedings, I changed in NWA -- >> Authentication and SSO -- >> Client Cert.

I added BasicPasswordLoginModule as optional.

Followed last line of this blog:

After this, restarted the PI system.  Now there is no error as Client Certificate required but I receive empty SOAP body.

Any inputs on changes that are done or this issue ?

Thanks..

regards,

Omkar.

Former Member
0 Kudos

Hi Omkar,

It's no problem.

So let me understand where you are now. You have exposed the WSDL in SOAPUI and have entered the username and password at the Auth table. The correct values have been added in SOAPUI and you trigger the webservice?

Am I correct in saying that?

Next step would be after you have triggered the message to go to NWA on your java stack and search logs.

Please go to log overview and check if you cannot see an error message at the time you triggered SOAPUI to call PI.

Regards,

Jannus Botha

Former Member
0 Kudos

Hi Jannus,

Thanks for the reply..

yes...you are right...here are the steps I did

1. Created synchronous SOAP to RFC interface with  SOAP CC and Agreement for it.  ( So basically exposed WS from PI )

2. Downloaded WSDL from Sender agreement and uploaded it to SOAPUI

3. URL is HTTPS:<host>:<port>:XISOAPAdapter?MessageServlet etc..

4. Entered Credentials and sent the request.

5. I receive empty SOAP Response

I see in the logs in SXMB_MONI and NWA....A strange thing:

Even though I have Best Effort configured in my SOAP CC, in NWA, the log says Asynchronous message passed to RFC.

Also, in SXMB_MONI, I see the QoS column as EO (not BE) and no response .


Now I changed URL of web service to hit to Integration Engine instead of Adapter engine.   And now I can get the response. ( https:<host>:<port>/sap/xi/engine/......)


So the issue is whenever message passes from Adapter engine to Integration engine, somehow sync calls are getting converted to async calls .

Any idea where can I check for issues ?

Thanks..


regards,

Omkar.

Former Member
0 Kudos

Hi Omkar,

Ok we are getting somewhere. I recommend closing this thread and opening a new one with the new issue. So more people will be able to help?

Give a good description on it and this should be solved quickly.

Just a little bit busy with a project at the moment so will only be able to help in a few hours.

But we will get there.

Regards,

Jannus Botha

Former Member
0 Kudos

Hi Jannus,

Thanks for the reply...

We did a few activities after this and will update here accordingly.

As you said, I will close the thread and open a new one.

Thanks..

regards,

Omkar.