on 03-24-2015 8:56 AM
Dear Experts/Friends,
I need your valuable and immediate help with securing a digital signature for a synchronous web service call on SAP PI 7.3 (dual stack). I will try to explain the requirement.
Scenario
Can I use the SOAP adapter with a web service security profile?
Or do I have to go for Java mapping? Can I please get sample code to implement the digital signature?
Please provide pointers on implementing this in PI 7.3 dual stack.
SOAP header template as provided by MSB
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" … … >
  <soapenv:Header
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wsa:Action>http://EMRX.........../InitiateService</wsa:Action>
    <wsa:To>
    </wsa:To>
    <wsse:Security
        soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="CertId-12920412"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        ADSADEFVgAwIBVDSVSDVSD
        BgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJTRzEoMCYGA1UEChMfTmV0cnVzdCBDZXJ0aWZpY2F0ZSBB
        … … … …
        +I/4/8fZ6z6dcS/4jBibmGqDFVXKq1T/zcC5EVSDVVVIkjow==
      </wsse:BinarySecurityToken>
      <ds:Signature
          Id="Signature-470236280"
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#id-1204288632">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>JCNAKJCUA2WII72DIJOJDLIDJD=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#CertId-12920412">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>CSJDKJCHSDKCVNKSDCNKJSDNCK=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#STRId-314276984">
            <ds:Transforms>
              <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                <wsse:TransformationParameters>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </wsse:TransformationParameters>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>CdSDVCSDVSVSDVSDVSDVSDAVEWR=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-1168931960">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>VZSDVSZDVSDVSD/VSDVSSVDSVVV=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-1205533816">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>VSDVSADVSDAVSDREREREJETJTJJ=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-1205402744">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>CSASDAVCSDVDVCEWJTRRKRTKUKK=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          HDSVSDVSDVZSKDVNKSMLjkhlkjlkjklkshdLJNCLSAJMNLCALKNLKNLKnlnlkLKNLVMKJDSLV08h
          GHKuLCASCASCSAKJCHKUASJKNCASCASCASCSAKJCKJSANCASNCLKASNLCKNASLCNASCASCASCSAC
          ACSASCSDCVSDCSAEWGVV=
        </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-310213752">
          <wsse:SecurityTokenReference wsu:Id="STRId-314276984"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Reference URI="#CertId-12920412"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="Timestamp-1168931960"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2007-10-01T06:33:12.484Z</wsu:Created>
        <wsu:Expires>2007-10-01T07:03:12.484Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
Hello Sapna,
Apparently your scenario is supported using the standard security features of PI.
On your Receiver SOAP channel, select "Select Security Profile". The "Security Profile" should be "Web Services Security".
On your Receiver Agreement/ICO that uses this channel, select the "Security Standard" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and select "Security Procedure (Request)" -> Sign.
On "Certificate for Signing (WS Request)", select your keystore and view for your digital certificate.
Your example also shows that it is required to set the timestamp and the expiration date. To do so, please select the "Set Time Stamp" checkbox and also the "Set Expiry Date" checkbox, entering the required "Validity Period (Secs)" in the textbox (30 for 30 seconds).
+info: Security Settings for the Receiver SOAP Adapter - Integration Directory - SAP Library
Then, you're done.
Best regards,
JN
Thanks Jose
I did the same config but am getting the error specified below. Can you suggest where I need to install my PI system certs? I am using the one from the WebServiceSecurity keystore view to sign the request.
The certs received from the web service provider I have installed in TrustedCAs.
It looks like the request is not even signed.
I am on PI 7.3 dual stack.
Message was edited by: Sapna Malhotra
Hello Sapna,
Your certificate should be installed in NWA -> Configuration -> Certificates and Keys. Here you can import your certificate (.pfx or .p12 file) into an existing view or add a new one. This certificate should contain a private key.
On your Receiver Agreement/ICO, you should select the client certificate View/Entry.
If the receiver service provided a .CER file, it is probably the CA public key, which you should import into the TrustedCAs view of your system in order to establish a secure connection.
Best regards,
JN
As I mentioned, I have installed the PI certs along with the private key in NWA -> Configuration -> Certificates and Keys -> WebServiceSecurity keystore view. These are the certs I am using for signing the request.
I have also installed the certs from the web service provider under the TrustedCAs view in NWA. These certs I use for validating the response.
Please see the Receiver Agreement screenshot.
Hi Jose
As you can see in my error screen, it looks like it's not finding the cert to sign the request itself.
Can you please suggest what I might have missed?
Error While Sending Message: Additional error
text from response:
com.sap.engine.interfaces.messaging.api.exception.MessagingException:
com.sap.aii.security.lib.exception.SecurityException: SecurityException in
method: verify( Message, byte[], CPALookupObject ). Message: SecurityException
in method: verify( Message, byte[], CPALookupObject ). WSSEThread-Exception:
SecurityException in method: run(). Message: [com.sap.ASJ.wssec.030217] The part
/soap:Envelope/soap:Body was required to be signed by the policy with the
transformations [{Algorithm:http://www.w3.org/2001/10/xml-exc-c14n#}], but the
signature was not accepted. (Info: number of valid signatures: 0, number of
accepted signer certificates: 0.).. To-String:
com.sap.security.core.policy.exceptions.VerifyException:
[com.sap.ASJ.wssec.030217]
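The header template in the first post shows which parts (Body, BinarySecurityToken, SecurityTokenReference, Timestamp) the ds:Signature must reference, and the error above is exactly that policy check failing on the receiving side ("/soap:Envelope/soap:Body was required to be signed ... number of valid signatures: 0"). As an added example, not code from this thread or from SAP PI, here is a stand-alone Python checker that reports which wsu:Id parts a WS-Security signature covers and whether the wsu:Timestamp is valid at a given time; it runs on a constructed sample message and checks structure only, not digests or the RSA signature itself, so it works on any WS-Security header, not only the one posted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def _utc(text):
    # xsd:dateTime ends in 'Z'; fromisoformat accepts that only from Python 3.11
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def signed_parts(envelope_xml):
    """Local element name -> wsu:Id for every element a ds:Reference points at.
    A part whose wsu:Id no ds:Reference names is simply not signed."""
    root = ET.fromstring(envelope_xml)
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    covered = {}
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is not None:
            covered[target.tag.rsplit("}", 1)[1]] = uri[1:]
    return covered

def check_policy(envelope_xml, now, required=("Body", "Timestamp")):
    """Policy findings raised before any crypto runs: uncovered required parts, Timestamp not valid at 'now' (xsd:dateTime)."""
    covered = signed_parts(envelope_xml)
    findings = ["%s is not covered by the signature" % p for p in required if p not in covered]
    ts = ET.fromstring(envelope_xml).find(".//wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return findings + ["no wsu:Timestamp in wsse:Security"]
    created, expires = (_utc(ts.findtext(t, namespaces=NS)) for t in ("wsu:Created", "wsu:Expires"))
    if not created <= _utc(now) <= expires:
        findings.append("Timestamp window %s..%s does not contain %s" % (created, expires, now))
    return findings

# Constructed sample (not from the thread): the signature references only the
# Timestamp, while the Body carries a wsu:Id that no ds:Reference names.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s"
 xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s"><soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"><ds:Signature><ds:SignedInfo>
<ds:Reference URI="#Timestamp-1"><ds:DigestValue>AA==</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>AA==</ds:SignatureValue></ds:Signature>
<wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2007-10-01T06:33:12.484Z</wsu:Created>
<wsu:Expires>2007-10-01T07:03:12.484Z</wsu:Expires></wsu:Timestamp></wsse:Security>
</soapenv:Header><soapenv:Body wsu:Id="id-1"><Ping/></soapenv:Body></soapenv:Envelope>""" % NS
```

Running `check_policy(SAMPLE, "2007-10-01T06:40:00Z")` on the sample reports only that the Body is uncovered, which is the same condition the PI receiver rejects; a message that passes this check can still fail on digest or certificate trust, which only the full verifier can decide.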