on 04-30-2007 9:28 PM
Our SAP R/3 Enterprise is sending messages to XI which then forwards them to third party applications withing our corporate firewall.
One of these applications (Java) provides a Web Service to which we are attempting to direct a message from XI.
This Web Service requires WS-Security information be included in the SOAP header identifying Username, Password as described by the Oasis standards.
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-21280292">
<wsse:Username>test</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
>Zzqxojj3iKMfki45et4ZWqrAupQ=</wsse:Password>
<wsse:Nonce>b6QiDyhP3Ds9z24NMI0r6w==</wsse:Nonce>
<wsu:Created>2007-01-04T16:57:48.625Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
I have gone through a lot of documentation provided by SAP and SDN in an attempt to determine how and what to configure in order to generate the above SOAP header and although I am fairly sure SAP XI can perform this function I am at a loss on what needs to be done.
Their are plenty of documents describing how to do this for a Web Service generated by an SAP (WAS, R/3, XI, etc) but other than references to doing so for a third party application nothing that is concrete. Yet I am fairly certain that it is a simple process.
In one article of SAP Insider I found reference to this email address and am hoping that you will be able to assist.
Our XI is currently running WAS Netweaver 04 (640) patched at SAPKB64017.
WS-Security will be supported in the next release (PI 7.10).
It is not possible with NW 04 or 04S.
Regards
Stefan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Chris--
OASIS WS-Security 1.0 has been supported by the XI SOAP adapter for a long time.
However, what you're trying to do isn't possible in XI yet, because it isn't pure WS-Security.
WS-Security provides definition for the wsse:UsernameToken element, but provides little in the way of content. The standard allows for //wsse:UsernameToken/Username, and for //wsse:UsernameToken/<xsd:any> to support extensibility. WS-Security does not define the existence of wsse:Password, wsse:Nonce, wsse:Created, etc.
OASIS released a separate standard at the same time as WS-Security 1.0 to define a set of extensions for the wsse:UsernameToken element. This standard includes //wsse:UsernameToken/Password and your other elements. So, you need an application that has implemented WS-Security 1.0 as well as the "Web Services Security UsernameToken Profile 1.0" standard.
XI does not appear to support this standard extension, so customers are frequently doing a custom implementation in order to implement the features they need from the UsernameToken Profile standard. I've seen a customer do it in the plain HTTP adapter and use XSLT in the message mapping for receiver cases.
I've yet to see a sender case. Adapter modules in the SOAP adapter might work, but I see this as a technical risk because I don't know if you can re-authenticate from within the adapter module, and I suspect that XI applies the business-service authorization rule (the user authorization to access that particular service) before the adapter modules are called.
--Dan King
Manager, SAP NetWeaver Integration
Capgemini
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
84 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.