on 08-14-2007 4:18 PM
Hi
In soap adapter we have options like encryption/decryption/sign/verify. Could you plz tell me if we are checking these options what is going to happen ?? Plz don't provide me help links. I have already gone through that ....but not able to understand.
If we check encryption option...........whether the message that we are going to send to webservice is encrypted ?? If it is encrypted how the webservice is going to decrypt it or how it is able to know the encrypted message ??
thanks
kumar
Hi Kumar !
I don't see any encryption/decryption option in my SOAP Adapter. Check this:
A security setting can be defined for certain HTTP-based adapters in the corresponding sender channels in the Integration Directory that enforces one of the following three security levels (in ascending order):
HTTP without SSL
HTTP with SSL (=HTTPS) without client authentication
HTTP with SSL (=HTTPS) with client authentication
The adapters supporting this feature are:
on Integration Server:
XI protocol
plain http adapter
on the Adapter Engine:
SOAP Adapter
Configure the XI landscape so that a message can be received by these adapter (running in IS or the Adapter Engine) and so that it is correctly processed.
Configure both the sender clients and the XI servers (J2EE Engine and Integration Server) so that HTTPS with and without client authentication is possible following the steps below:
1. Make sure that IAIK library is available: check in Visual Admin under Server->Services->Security Provider-> Tab runtime->Tab cryptography providers whether IAIK is listed.
2. In the Dispatcher-> SSL Provider; Check for following steps:
- Make sure that the server maintained a server identity in Dispatcher->Services->SSL provider->server identity. The entry must be a reference to the keystorage service. Make sure that the certificate is valid (i.e. has a valid date). In case of client authentication, make sure that a valid certificate of the issuer of the client certificate is maintained in the keystorage service under view TrustedCAs
- If SSL provider had only a few cipher suites, include all available suites
- SSL's setting for requesting client certificate i.e. select the "Request client certificate" option under client authentication tab in the SSL Provider service.
3. In Server -> Services -> Security Provider; add certificate to your User Name.
-Assign the client certificate to the user you have included in the sender agreement:
Go to security provider under visual admin -> Select user management tab -> Find your username -> Click add certificate -> Select your certificate
4. Configure the SOAP adapter in visual admin. To do this, change the relevant SOAP adapter service sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter in the security provider service of Server (under -> Runtime-> Policy Configurations). Under the Authentication tab set the list of login modules using add new button as follows:
1. ClientCertLoginModule, SUFFICIENT
2. BasicPasswordLoginModule, SUFFICIENT
You do not need to enter anything specific into the Options column
5. Similarly Enable SSL client J2EE engine (if sender and receiver are different):
- Make sure that a valid certificate of the issuer of the server identity certificate is maintained in the keystorage service under view TrustedCAs
- In case of client authentication, make sure that a valid client certificate (as specified in the receiver channel) is maintained in the keystorage service
For each adapter, there are 9 (= 3 times 3) combinations to test:
The communication from the sender to the XI component can be established with each of the three security levels and the corresponding sender channel can be configured with each of the three security levels as shown below:
connection / sec level | HTTP | HTTPS without ca | HTTPS with ca |
---|---|---|---|
HTTP | Accept | Reject | Reject |
HTTPS without ca | Accept | Reject | Reject |
HTTPS with ca | Accept | Accept | Accept |
Example (Configuring SOAP Adapter)
The example is explained Considering the Scenario of Sending SOAP message from SOAP Receiver channel by giving the URL of the SOAP Sender Channel to test HTTP Security levels at Sender Channel.
1. HTTP without SSL
Select the Enforced security level = HTTP in the sender soap channel. In the receiver soap channel click on the check box user authentication and specify the username and password. Send the message and check if the scenario is working fine.
2. HTTP with SSL (=HTTPS) without client authentication
Select the Enforced security level = HTTPS without client authentication in the sender soap channel. Don't select the check boxes certificate authentication or user authentication. Try sending message and it should work.
3. HTTP with SSL (=HTTPS) with client authentication
Select the Enforced security level = HTTPS with client authentication in the sender soap channel. Don't select certificate authentication in the receiver channel and try sending message. You will notice that the message sending will fail giving authorization error.
In the receiver soap channel you need to do the following:
- To make sure that the certificate is used, you remove your user password and unmark the checkbox user authentication
- Select the check box certificate authentication
- Provide the client certificate.
Source: /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
Written by Rahul Nawale.
Regards,
Matias.
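The login module stack from step 4 of the procedure quoted above, as an added example that is not part of the original post or of SAP's code. It assumes the J2EE Engine evaluates the stack with standard JAAS control-flag semantics; the `Request` class, the two module functions and the sample user data are hypothetical. It shows that with both modules set to SUFFICIENT a password-only login is still accepted, which is why the test procedure removes the password to make sure the certificate is really used.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:  # constructed sample request, not SAP data
    cert_subject: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None

# Hypothetical stand-ins for the certificate-to-user mapping and the user store.
CERT_TO_USER = {"CN=xi_sender": "XISENDER"}
PASSWORDS = {"XISENDER": "example-password"}

def client_cert_login(req):
    # Succeeds only if the presented certificate is assigned to a user.
    return CERT_TO_USER.get(req.cert_subject)

def basic_password_login(req):
    stored = PASSWORDS.get(req.username or "", "")
    if stored and hmac.compare_digest(stored, req.password or ""):
        return req.username
    return None

# The stack configured in step 4: both modules SUFFICIENT, certificate first.
PAGE_STACK = [
    ("ClientCertLoginModule", "SUFFICIENT", client_cert_login),
    ("BasicPasswordLoginModule", "SUFFICIENT", basic_password_login),
]

def authenticate(stack, req):
    """Return (user, module that authenticated) or (None, None)."""
    mandatory_failed = False
    winner = (None, None)
    for name, flag, module in stack:
        user = module(req)
        if user is not None and winner[0] is None:
            winner = (user, name)
        if flag in ("REQUIRED", "REQUISITE") and user is None:
            mandatory_failed = True
            if flag == "REQUISITE":
                break  # a REQUISITE failure stops the stack
        elif flag == "SUFFICIENT" and user is not None:
            break      # a SUFFICIENT success stops the stack
    return (None, None) if mandatory_failed else winner
```
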
Hey Matias,
the message-level security configuration is not done in the adapter parameters directly.
There, you just select whether you want to use message-level security or not (by setting the Select Security Profile flag).
Once you set it, then you can configure message-level security in the correspondent sender/receiver agreement. Check these links:
- Sender Soap adapter: http://help.sap.com/saphelp_nw70/helpdata/en/1f/7e2441509fa831e10000000a1550b0/frameset.htm
- Receiver Soap adapter: http://help.sap.com/saphelp_nw70/helpdata/en/56/992d4142badb2be10000000a1550b0/frameset.htm
At soap adapter itself, you can do only configuration regarding transport-level security (HTTPS, authentication etc.).
Regards,
Henrique.
Hi Matias,
thanks for the weblog. It is really good. But I didn't understand the example that he is explaining.
>>Example (Configuring SOAP Adapter)
The example is explained Considering the Scenario of Sending SOAP message from SOAP Receiver channel by giving the URL of the SOAP Sender Channel to test HTTP Security levels at Sender Channel.
Is it like that is it SOAP-XI-SOAP scenario that he is talking ?? or otherwise he is using B2B like XI-SOAP to SOAP-XI kind of scenario ??
thanks
kumar
Hi Kumar !
The example is to test the SOAP configuration, so he is configuring the SOAP receiver channel (inbound) to call the SOAP sender channel (outbound), is like a loop...so I imagine the scenario goes like this: he will send a request to the soap sender channel to trigger the scenario, the sender adapter will go to Integration server, then to soap receiver adapter, then back to the soap sender.
Regards,
Matias
Hi Kumar !
I understand that for this example, the sender channel is the server and the receiver channel acts as the client..I mean, the receiver channel is who posts the url, like any other application or a users via an Internet browser..the sender channel is the one who is waiting (server) for somebody to request its service.
Regards,
Matias
PD: Please give points if useful.
Hi Kumar !
It says:
-Assign the client certificate to the user you have included in the sender agreement:
Go to security provider under visual admin -> Select user management tab -> Find your username -> Click add certificate -> Select your certificate
Once you assign to the sender agreement a comm channel that uses soap, there will appear new options about security for you to check in the sender agreement object screen. Check this:
http://help.sap.com/saphelp_nw04s/helpdata/en/b1/f29e7a56e18a439984a3c6630951d2/frameset.htm
Certificates:
A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.
http://en.wikipedia.org/wiki/Certificate_authority
I recommend you to close this thread if the main question is solved, and start a new thread asking the new doubts, to have more people helping you with this subject, giving you more info and experiences.
Regards,
Matias.
Hey Kumar
>>Could you plz tell me if we are checking these options what is going to happen ??
they are used for encryption etc, first of all you have to install the certificates in VA, section 3.2 of the second link, then u give the encryption parameters in Receiver agreement page 18 of the second link, in this way you will encrypt the message and send it to receiver. Now the receiver will have the decryption key for this, it depends what type of encryption algo u are using, depending upon that the receiver will have his own key to decrypt, it will use that key and will decrypt the message
is it clear now? if not reply back
Thanx
Aamir
Hi Kumar !
I know you don't like links, but I have these 2 that are very clear:
http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/content.htm
If you still have doubts, please ask.
Regards,
Matias.