
Document security option in webservices

Former Member
0 Kudos

Hello everybody,

I have made one simple web service and deployed it on my WAS 6.40 SP 12. I have configured this web service to use Document Authentication as the authentication mechanism.

But when I am making a model of this web service in a Web Dynpro application, I find the authentication mechanism set to HTTP authentication under the security tab of the logical port for this model.

And when I am deploying this application, I am getting the following error:

0002E3562FFE004800000014000015540003FA833E6686FB : Authentication using a wsse:Username token failed. The error was com.sap.security.core.ws.wss.NoSecurityHeaderException No wsse:Security header has been defined for role soap:finalActor. Please verify the policy configuration..

So, what am I missing for this?

Thanks in Advance,

Bhavik

Accepted Solutions (1)


martijndeboer
Advisor
0 Kudos

Hi,

Document security is only supported on deployable proxies. As the Web Dynpro Web Service Model is currently using standalone proxies, document security is not available there.

There is a new web service model expected for SP15 that will allow document security.

Regards,

Martijn de Boer

Former Member
0 Kudos

Thanks Martijn,

Now I am using the Deployable proxy instead of the Web Service model in Web Dynpro.

And I got success for Document security with Basic authentication also.

But when I am using Document security with an X509 certificate, it's giving a runtime error saying "The creation of digital signature failed."

I don't know why it is giving such an error.

I have created inbound and outbound profiles and also assigned these profiles to the WS clients and the web service.

In these profiles I am using the WebServiceSecurity key and certificate also.

What could be the reason behind this?

Thanks,

Bhavik

martijndeboer
Advisor
0 Kudos

Hi Bhavik,

Two questions:

1) What kind of certificate are you using? DSA or RSA?

2) Can you check if you have installed the fullcrypto? This would be the IAIK libraries from SAP market place and the unlimited strength crypto policy files (Sun JDK: http://java.sun.com/j2se/1.4.2/download.html, IBM JDK: https://www6.software.ibm.com/dl/jcesdk/jcesdk-p)

Regards,

Martijn

Former Member
0 Kudos

Hi Martijn,

I am using an RSA certificate.

And I have not installed these crypto policy files.

I will install them and let you know.

Regards,

Bhavik

Former Member
0 Kudos

Hi Martijn,

I installed the crypto policy files. But it didn't work.

Then what I have done is, I have re-installed the server and at the time of installing I have specified to use SSL. So now my SSL and crypto policy files are installed and configured at installation time only.

But now, using my own certificate, I am able to encrypt data, but at the time of decrypting it is unable to decrypt using the private key.

My same application is working on another server properly.

So, I am guessing that my private key is not created properly, but what could be the reason behind it?

Thanks,

Bhavik

martijndeboer
Advisor
0 Kudos

Hi,

For decryption a key called XMLEncryption in keystore view WebServiceSecurity is used. Does this key exist on your system?

Can you also tell me the version of IAIKSecurity you have installed? You can find it in the SDM tool, Tab SDMRepository, section FileSystem.

Regards,

Martijn de Boer

Former Member
0 Kudos

Hi Martijn,

Yes, I have that private key at the same location where you have suggested.

And my IAIKSecurity version is 1.3.12.

What is this IAIKSecurity?

Is this version correct?

I also checked on the system where this application is running properly; it also has the same version.

Thanks,

Bhavik

martijndeboer
Advisor
0 Kudos

Hi,

Which SP are you running?

Regards,

Martijn de Boer

Former Member
0 Kudos

Hi Martijn,

My WAS version is SP10 and NDS version also SP10.

Thanks,

Bhavik

Former Member
0 Kudos

Hello everybody,

Now I am able to encrypt and decrypt the data which I sent using X509 encryption.

But I am facing the following problem.

javax.xml.rpc.soap.SOAPFaultException: 0002E3562FFE005100000017000006A00003FBC5B8F6601E : The part /soap:Envelope/soap:Body was required to be signed by the policy with the transformations [], but the signature was not accepted. (Info: number of valid signatures: 1, number of accepted signer certificates: 0.).

I don't know what it says.

Thanks,

Bhavik

martijndeboer
Advisor
0 Kudos

Hi Bhavik,

I did not yet have time to look at your other problem.

Concerning this message: you are sending a signature. The signature is valid including all references. But you are using a certificate which is not in the list of the trusted certificates or trusted root certificates.

The keystore view (->service keystore) used for the trusted certificates is configured in the WS Security profile you are using.

When using self signed certificates, you need to add the certificate itself to the keystore view. When using certificates issued by a certificate authority, it is sufficient to put the certificate of the issuer to the keystore view.

Regards,

Martijn

Former Member
0 Kudos

Hi Martijn,

I will tell you what I am using for certificates.

I have generated one private key and its certificate in the WebServiceSecurity view, named XMLEncryptionCA and XMLEncryptionCA-cert.

Then I have generated one more certificate with the names XMLEncryption and XMLEncryption-cert in the same view. And I have specified the authority certificate as XMLEncryptionCA-cert.

Now, my web service and web service proxy reside on the same WAS server. I have created one outbound message (X509_sign_out) in profile administration in the Web Service security service.

I have specified Template as Signature, Keystore view as WebServiceSecurity and Keystore alias as XMLEncryption.

Then I have created one inbound message with template Signature and Trusted CA Certificate as WebServiceSecurity.

Now, I have assigned this outbound message to the web service proxy as outbound profile.

And assigned the inbound message to the web service as inbound profile.

Are all these things right or am I missing something?

Thanks,

Bhavik

martijndeboer
Advisor
0 Kudos

Hi Bhavik,

If I got you right you configured "TrustedCAs" as your keystore view to check the certificates against.

This keystore view does not contain your certificate "XMLEncryption-cert" or "XMLEncryptionCA-cert".

So there are two possibilities for adjusting this:

1) Use the keystore view "WebServiceSecurity" in your inbound profile

2) Copy the certificate into the keystore view "TrustedCAs". As your certificate "XMLEncryptionCA-cert" is probably not marked as CA certificate, you need to include "XMLEncryption-cert" in the TrustedCAs view. You may use the button "import from other" to import certificates from one keystore view into another.

Regards,

Martijn

Former Member
0 Kudos

Hi Martijn,

My inbound profile contains the "WebServiceSecurity" keystore only, not "TrustedCAs".

Is it valid?

And there are already XMLEncryptionCA-cert and XMLEncryption-cert in the "TrustedCAs" keystore view.

Is "TrustedCAs" coming into the picture anywhere?

If yes, then where and when?

What is required in this keystore view?

Thanks,

Bhavik

Former Member
0 Kudos

Hi Martijn,

Still I am getting the same error. I can't go ahead.

What could be the problem in my configuration?

I have checked all the certificates and profiles once again. But it is still giving the same error.

Anybody please help me.

Thanks in advance,

Bhavik

martijndeboer
Advisor
0 Kudos

Hi Bhavik,

Can you make screenshots of your ws security profiles, the configuration and the keystore view Web Service Security?

You can upload them here:

http://sapmats-de.sap-ag.de/upload/index.cgi?id=CEI59JEU8UW3TVECIJYWKT45Q19Z59IWJP8A3P3SXTDH97NGSX

Regards,

Martijn

Former Member
0 Kudos

Hi Martijn,

I have uploaded the files. This zip file includes screenshots for the web service, web service deployable proxy, key store, profile administration and security administration.

In the key store I have created one CA certificate and then made the XMLEncryption certificate, which is signed by that CA certificate.

Is this correct, or where do I need to change it?

Thanks,

Bhavik

Former Member
0 Kudos

Hi Martijn,

Have you checked those files?

What is wrong in it?

Thanks,

Bhavik

martijndeboer
Advisor
0 Kudos

Hi Bhavik,

The configuration looks fine. So there is either a problem with the certificates or with access to the keystore.

Can you send me the certificates? Please export them as base64 encoded.

You may either send them by mail or using the container at http://sapmats-de.sap-ag.de/upload/index.cgi?id=OYP3AK86OSPTS8MCHF7QZWX2V3830E1SYWSRJEZIGXGPEVXHGW

Can you provide system access to SAP? Then I'd like to take a look at your system.

Regards,

Martijn

Former Member
0 Kudos

Hi Martijn,

I guess that my certificates are correct, because I have used the same certificate for the document security scenario with basic username and password. And I was passing contents by encrypting using this certificate.

I got success doing this with the same certificate.

Anyway, I will give you the certificate, but I can't provide access to the system because this system can't be accessed from the outside network.

Thanks,

Bhavik

martijndeboer
Advisor
0 Kudos

Hi Bhavik,

I took a look at the certificates. The certificate and the CA-certificate have the same subject name. Subject names of the certificates must be unique. So this is why your certificates are not working.

You may also use test certificates from here: http://sapmats-de.sap-ag.de/download/download.cgi?id=B1EEEJQYMPIS1MCIOF4N443C4PYEYJUG0S943Q28V502YMS...

The password for the p12 files is included in the zip file in info.txt

Regards,

Martijn
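
The two conditions Martijn describes in this thread (which certificate has to be present in the trusted keystore view, and a signer certificate whose subject name repeats the CA's) can be checked on base64 (PEM) exports with OpenSSL. This is an added example, not part of the original posts and not SAP code; the file names, subject names and category labels are constructed, and the check compares names and public keys only, it does not verify signatures.

```shell
#!/bin/sh
# Added example: classify a signer certificate against one entry of the trusted
# keystore view, working on base64 (PEM) exports. Names below are constructed.

# Print the subject or issuer DN of a PEM certificate in RFC 2253 form.
dn() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# Print the public key carried by a PEM certificate.
pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# classify <signer.pem> <trusted.pem>
classify() {
    s=$(dn subject "$1"); i=$(dn issuer "$1"); t=$(dn subject "$2")
    if [ "$s" = "$t" ]; then
        if [ "$(pubkey "$1")" = "$(pubkey "$2")" ]; then
            echo listed          # the signer certificate itself is the trusted entry
        else
            echo name-collision  # different keys, identical subject DN
        fi
    elif [ "$i" = "$t" ]; then
        echo ca-issued           # trusted entry is the issuer of the signer
    else
        echo untrusted           # trusted entry is neither the signer nor its issuer
    fi
}

# issue <dir> <name> <CN> <serial>: constructed leaf signed by <dir>/ca.pem
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial "$4" -days 2 -out "$1/$2.pem" 2>/dev/null
}

# make_fixtures <dir>: a CA, a normal leaf, and a leaf reusing the CA's subject DN
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo WS CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    issue "$1" signer "Demo WS Signer" 2 &&
    issue "$1" clash "Demo WS CA" 3
}

demo=$(mktemp -d) && make_fixtures "$demo" && for f in ca signer clash; do
    printf '%-6s -> %s\n' "$f" "$(classify "$demo/$f.pem" "$demo/ca.pem")"
done
rm -rf "$demo"
```

To check real exports, call `classify` with the signer certificate and each certificate exported from the keystore view configured in the inbound profile.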

Former Member
0 Kudos

Hi Martijn,

Thanks for your valuable help!!!

I have resolved this problem.

What I did is, I removed my old certificates and keys from the view (took a backup of them).

Then I have added your certificate and key after renaming those. But it didn't work and gave the same error.

Then I have created a new certificate without any CA. Then checked and it's working properly. Then I have removed these certificates and created new certificates signed by some CA key. That also worked properly.

Then, once again I have tried with my old certificates and yours also, but it gives the same error as before.

That means the problem was due to the certificates only.

Thank you very much once again.

Bhavik

Former Member
0 Kudos

Hi Martijn,

As I said, I resolved this problem.

But I am facing a very strange problem with it.

On Friday I tested my application and it was working fine. But now I have made another application for Document security, and after deploying I came to know that it was not working. It is giving the same previous error.

Then I have made new certificates and tried again and it's working properly.

So, are there some expiry dates there?

What could be the problem with it?

Thanks,

Bhavik

Former Member
0 Kudos

I see that you guys figured out the security issues with web services. If you don't mind, could you please tell me how you implemented security? I am more of an ABAP programmer than a Java programmer. But my requirements are to implement WS in the Java component in NWDS and implement security on those WSs. I see that there is an option of using an X.509 certificate. If I choose that option, I get an error, the same error which you described when you started this thread. Could you explain in detail how you resolved this issue? Right now I don't have the certificate. So I would like to know what certificate I need, where I need to have that certificate deployed, and whether I need to write any code.

Thanks

Nahman

Answers (1)


Former Member
0 Kudos

Hello SAP Experts,

Now what I have done is I have created a model using the WSDL file from the local file system. Now it allows me to change the authentication mechanism from the drop-down in the Security tab in the logical port of that model. But this drop-down still doesn't show Document authentication.

So, is Document authentication supported in the Web Dynpro model or not?

Thanks in advance,

Bhavik