
Implementing digital signature and validation for sync webservice

Former Member
0 Kudos

Dear Experts/Friends,

I need your valuable and immediate help securing a digital signature for a
synchronous web service call on SAP PI 7.3 (dual stack). I will try to
explain the requirement.

Scenario

  1. SAP PI makes a request to the MSB; it would digitally
     sign its request using its own organization's X509 certs according to
     WS-Security standards.
  2. The MSB would then validate the digital signature of the incoming request to ensure it is
     coming from an authentic organization.
  3. The MSB would then perform all the necessary processing on the received request and
     sign the response using the X509 cert before sending it back to the requesting
     organization.
  4. The requesting organization would then validate the digital signature of the
     response to ensure it comes from the authentic MSB.
  5. The SOAP header, body and timestamp are all to be signed.

Can I use the SOAP adapter with the web service security profile?

Or do I have to go for Java mapping? Can I please get sample code to implement the digital signature?

Please provide pointers on implementing this in PI 7.3 dual stack.

SOAP header template as provided by MSB

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" … … >
  <soapenv:Header
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wsa:Action>http://EMRX.........../InitiateService</wsa:Action>
    <wsa:To>http://extranet......../MEDINET_BIZTALK/EMRX_WEBSERVICE/SERVICEINTERCHANGEENGINE2013S/RequestAdapter...</wsa:To>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="CertId-12920412"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        ADSADEFVgAwIBVDSVSDVSD
        BgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJTRzEoMCYGA1UEChMfTmV0cnVzdCBDZXJ0aWZpY2F0ZSBB
        … … … …
        +I/4/8fZ6z6dcS/4jBibmGqDFVXKq1T/zcC5EVSDVVVIkjow==
      </wsse:BinarySecurityToken>
      <ds:Signature Id="Signature-470236280"
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#id-1204288632">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>JCNAKJCUA2WII72DIJOJDLIDJD=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#CertId-12920412">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>CSJDKJCHSDKCVNKSDCNKJSDNCK=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#STRId-314276984">
            <ds:Transforms>
              <ds:Transform
                  Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                <wsse:TransformationParameters>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </wsse:TransformationParameters>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>CdSDVCSDVSVSDVSDVSDVSDAVEWR=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-1168931960">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>VZSDVSZDVSDVSD/VSDVSSVDSVVV=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-1205533816">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>VSDVSADVSDAVSDREREREJETJTJJ=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-1205402744">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>CSASDAVCSDVDVCEWJTRRKRTKUKK=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          HDSVSDVSDVZSKDVNKSMLjkhlkjlkjklkshdLJNCLSAJMNLCALKNLKNLKnlnlkLKNLVMKJDSLV08h
          GHKuLCASCASCSAKJCHKUASJKNCASCASCASCSAKJCKJSANCASNCLKASNLCKNASLCNASCASCASCSAC
          ACSASCSDCVSDCSAEWGVV=
        </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-310213752">
          <wsse:SecurityTokenReference wsu:Id="STRId-314276984"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Reference URI="#CertId-12920412"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="Timestamp-1168931960"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2007-10-01T06:33:12.484Z</wsu:Created>
        <wsu:Expires>2007-10-01T07:03:12.484Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>

Accepted Solutions (0)

Answers (1)


former_member182503
Active Contributor
0 Kudos

Hello Sapna,

Apparently your scenario is supported using the Standard security features from PI.

On your Receiver SOAP channel, select "Select Security Profile". The "Security Profile" should be "Web Services Security".

On your Receiver Agreement/ICO that uses this channel, select the "Security Standard" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and select "Security Procedure (Request)" -> Sign.

On "Certificate for Signing (WS Request)", select your keystore and view for your digital certificate.

Your example also shows that it is required to set the timestamp and the expiration date. To do so, please select the "Set Time Stamp" checkbox and also the "Set Expiry Date" checkbox, informing the required "Validity Period (Secs)" in the textbox (30 for 30 seconds).

+info: Security Settings for the Receiver SOAP Adapter - Integration Directory - SAP Library

Then, you're done.

Best regards,

JN

Former Member
0 Kudos

Thanks Jose

I did the same config but am getting the error specified below. Can you suggest where I need to install my PI system certs? I am using the one from the WebServiceSecurity keystore view to sign the request.

The certs received from the web service provider I have installed in TrustedCA.

It looks like the request is not even signed.

I am on PI 7.3 dual stack.

Message was edited by: Sapna Malhotra

former_member182503
Active Contributor
0 Kudos

Hello Sapna,

Your certificate should be installed in NWA -> Configuration -> Certificates and Keys. Here you can import your certificate (.pfx or .p12 file) to an existing view or add a new one. This certificate should contain a private key.

On your Receiver Agreement/ICO, you should select the client certificate View/Entry.

If the receiver service provided a .CER file, probably it is the CA public key, that you should import into TrustedCAs view of your system, in order to establish a secure connection.

Best regards,

JN

Former Member
0 Kudos


As I mentioned I have installed the PI certs along with private key in NWA -> Configuration -> Certificates and Keys-> WebServiceSecurity Keystore view. These certs I am using for signing the request.

I have also installed the certs from webservice provider under TrustedCA's view in NWA. These certs I used for validating the response.

Please see the Receiver Agreement screenshot.

former_member182503
Active Contributor
0 Kudos

Sapna,

Can you check if the payload is being signed or if the response, in case it exists, is signed? I ask this because your configuration seems to be right and the exception points to the verify method.

Best regards,

IJ

Former Member
0 Kudos


Hi Jose

As you can see in my error screen, it looks like it's not finding the cert to sign the request itself.

Can you please suggest what I might have missed?

Error While Sending Message: Additional error
text from response:
com.sap.engine.interfaces.messaging.api.exception.MessagingException:
com.sap.aii.security.lib.exception.SecurityException: SecurityException in
method: verify( Message, byte[], CPALookupObject ). Message: SecurityException
in method: verify( Message, byte[], CPALookupObject ). WSSEThread-Exception:
SecurityException in method: run(). Message: [com.sap.ASJ.wssec.030217] The part
/soap:Envelope/soap:Body was required to be signed by the policy with the
transformations [{Algorithm:http://www.w3.org/2001/10/xml-exc-c14n#}], but the
signature was not accepted. (Info: number of valid signatures: 0, number of
accepted signer certificates: 0.).. To-String:
com.sap.security.core.policy.exceptions.VerifyException:
[com.sap.ASJ.wssec.030217]
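The policy named in that exception (Body must be signed, with the exc-c14n transform, by an accepted signer) is the same one the MSB template above encodes. As an added example that is not code from this thread or from SAP PI, here is a stdlib-only Python check of the structural half of that policy: it walks an envelope shaped like the template, confirms every ds:Reference resolves to a wsu:Id, that each one uses only the exc-c14n or STR transforms the template uses, that the required parts (Body, Timestamp) are covered, and that the wsu:Timestamp window contains the current time. The sample envelope, its ids and the function names are constructed for illustration; verifying the RSA-SHA1 SignatureValue and the SHA-1 digests over canonicalized output still needs an XML-DSig library and is out of scope here.

```python
# Added example, not SAP PI code: structural policy checks on a WS-Security signed SOAP envelope
# (which parts the ds:Signature references, which transforms it uses, whether wsu:Timestamp is valid).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
STR_XFORM = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-soap-message-security-1.0#STR-Transform")

def wsu_time(stamp):  # wsu:Created/Expires are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(stamp.rstrip("Z")).replace(tzinfo=timezone.utc)

def check_signature_policy(envelope_xml, now, required=("Body", "Timestamp")):
    """Return a list of policy problems; an empty list means the header satisfies the policy."""
    root = ET.fromstring(envelope_xml)
    by_id = {e.get(f"{{{WSU}}}Id"): e for e in root.iter() if e.get(f"{{{WSU}}}Id")}
    sig = root.find(f".//{{{DS}}}Signature")
    if sig is None:
        return ["no ds:Signature in the Security header"]
    problems, covered = [], set()
    for ref in sig.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            problems.append(f"reference {uri!r} does not resolve to a wsu:Id")
            continue
        algs = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        if algs not in ([EXC_C14N], [STR_XFORM]):  # only the transforms the template uses
            problems.append(f"reference {uri!r} uses unexpected transforms {algs}")
        covered.add(target.tag.rsplit("}", 1)[-1])  # local name: Body, Timestamp, ...
    problems += [f"required part {p} is not covered by the signature" for p in required if p not in covered]
    ts = root.find(f".//{{{WSU}}}Timestamp")
    if ts is not None:  # reject messages outside the Created..Expires window (replay protection)
        created, expires = (wsu_time(ts.findtext(f"{{{WSU}}}{t}")) for t in ("Created", "Expires"))
        if not created <= now < expires:
            problems.append(f"timestamp outside validity window {created} to {expires}")
    return problems

# Constructed sample shaped like the MSB template: a Signature over Body and Timestamp (dummy values).
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="{wsu}" xmlns:ds="{ds}"><soapenv:Header><wsse:Security><ds:Signature><ds:SignedInfo>
<ds:Reference URI="#id-1"><ds:Transforms><ds:Transform Algorithm="{c14n}"/></ds:Transforms></ds:Reference>
<ds:Reference URI="#Timestamp-1"><ds:Transforms><ds:Transform Algorithm="{c14n}"/></ds:Transforms></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
<wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2007-10-01T06:33:12.484Z</wsu:Created>
<wsu:Expires>2007-10-01T07:03:12.484Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-1"><InitiateService/></soapenv:Body></soapenv:Envelope>""".format(wsu=WSU, ds=DS, c14n=EXC_C14N)
```

Running `check_signature_policy(SAMPLE, wsu_time("2007-10-01T06:40:00Z"))` returns an empty list; pointing the Body reference at an unknown id reproduces the "Body was required to be signed" situation as a reported problem.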


Former Member
0 Kudos

Dear Experts

I am stuck with this error and not getting any clue to resolve this.

Any pointers would be really appreciated.

Thanks

Sapna

former_member403110
Discoverer
0 Kudos

Hello Sapna,

Did you get any solution to this problem? I am facing the same issue; it is not throwing an error but giving the following message. Please help.

Regards,

Rahul