
soap adapter

Former Member
0 Kudos

Hi

In the SOAP adapter we have options like encryption/decryption/sign/verify. Could you plz tell me, if we are checking these options, what is going to happen? Plz don't provide me help links. I have already gone through them, but I am not able to understand.

If we check encryption option...........whether the message that we are going to send to webservice is encrypted ?? If it is encrypted how the webservice is going to decrypt it or how it is able to know the encrypted message ??

thanks

kumar

Accepted Solutions (1)


Former Member
0 Kudos

Hi Kumar !

I don't see any encryption/decryption option in my SOAP Adapter. Check this:

A security setting can be defined for certain HTTP-based adapters in the corresponding sender channels in the Integration Directory that enforces one of the following three security levels (in ascending order):

  • HTTP without SSL

  • HTTP with SSL (=HTTPS) without client authentication

  • HTTP with SSL (=HTTPS) with client authentication

The adapters supporting this feature are:

on Integration Server:

  • XI protocol

  • plain http adapter

on the Adapter Engine:

  • SOAP Adapter

Configure the XI landscape so that a message can be received by these adapter (running in IS or the Adapter Engine) and so that it is correctly processed.

Configure both the sender clients and the XI servers (J2EE Engine and Integration Server) so that HTTPS with and without client authentication is possible following the steps below:

1. Make sure that IAIK library is available: check in Visual Admin under Server->Services->Security Provider-> Tab runtime->Tab cryptography providers whether IAIK is listed.

2. In the Dispatcher-> SSL Provider; Check for following steps:

- Make sure that the server maintained a server identity in Dispatcher->Services->SSL provider->server identity. The entry must be a reference to the keystorage service. Make sure that the certificate is valid (i.e. has a valid date). In case of client authentication, make sure that a valid certificate of the issuer of the client certificate is maintained in the keystorage service under view TrustedCAs.

- If SSL provider had only a few cipher suites, include all available suites

- SSL's setting for requesting client certificate, i.e. select the "Request client certificate" option under client authentication tab in the SSL Provider service.

3. In Server -> Services -> Security Provider; add certificate to your User Name.

- Assign the client certificate to the user you have included in the sender agreement:

Go to security provider under visual admin -> Select user management tab -> Find your username -> Click add certificate -> Select your certificate

4. Configure the SOAP adapter in visual admin. To do this, change the relevant SOAP adapter service sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter in the security provider service of Server (under -> Runtime-> Policy Configurations). Under the Authentication tab set the list of login modules using add new button as follows:

1. ClientCertLoginModule, SUFFICIENT

2. BasicPasswordLoginModule, SUFFICIENT

You do not need to enter anything specific into the Options column

5. Similarly enable SSL client J2EE engine (if sender and receiver are different):

- Make sure that a valid certificate of the issuer of the server identity certificate is maintained in the keystorage service under view TrustedCAs

- In case of client authentication, make sure that a valid client certificate (as specified in the receiver channel) is maintained in the keystorage service

For each adapter, there are 9 (= 3 times 3) combinations to test:

The communication from the sender to the XI component can be established with each of the three security levels and the corresponding sender channel can be configured with each of the three security levels as shown below:

connection / sec level    HTTP      HTTPS without ca    HTTPS with ca
HTTP                      Accept    Reject              Reject
HTTPS without ca          Accept    Reject              Reject
HTTPS with ca             Accept    Accept              Accept

Example (Configuring SOAP Adapter)

The example is explained Considering the Scenario of Sending SOAP message from SOAP Receiver channel by giving the URL of the SOAP Sender Channel to test HTTP Security levels at Sender Channel.

1. HTTP without SSL

Select the Enforced security level = HTTP in the sender soap channel. In the receiver soap channel click on the check box “user authentication” and specify the username and password. Send the message and check if the scenario is working fine.

2. HTTP with SSL (=HTTPS) without client authentication

Select the Enforced security level = HTTPS without client authentication in the sender soap channel. Don’t select the check boxes certificate authentication or user authentication. Try sending message and it should work.

3. HTTP with SSL (=HTTPS) with client authentication

Select the Enforced security level = HTTPS with client authentication in the sender soap channel. Don’t select certificate authentication in the receiver channel and try sending message. You will notice that the message sending will fail giving authorization error.

In the receiver soap channel you need to do the following:

- To make sure that the certificate is used, you remove your user password and unmark the checkbox “user authentication”

- Select the check box “certificate authentication”

- Provide the client certificate.

Source: /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter

Written by Rahul Nawale.

Regards,

Matias.
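
An added example, not part of the original post or of the blog it quotes: a small Python model of how a login module stack is evaluated, applied to the two-entry stack from step 4. It assumes the stack follows the standard JAAS control-flag rules; the function names and the REQUISITE variant are hypothetical.

```python
# Added example: a model of standard JAAS control-flag evaluation.
# Assumption: the login module stack in step 4 follows these rules.
# Module outcomes are constructed inputs, not calls into real SAP modules.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")

# The stack from step 4 of the post, in the order it is entered.
SOAP_ADAPTER_STACK = [
    ("ClientCertLoginModule", SUFFICIENT),
    ("BasicPasswordLoginModule", SUFFICIENT),
]
# Hypothetical variant (not from the post), for contrast.
CERT_REQUISITE_STACK = [
    ("ClientCertLoginModule", REQUISITE),
    ("BasicPasswordLoginModule", OPTIONAL),
]


def evaluate_stack(stack, outcomes):
    """Return (authenticated, modules_consulted).

    outcomes maps a module name to True/False: whether that module alone
    would accept the credentials presented with the request.
    """
    consulted = []
    mandatory_seen = mandatory_failed = any_success = False
    for name, flag in stack:
        ok = bool(outcomes.get(name, False))
        consulted.append(name)
        if flag in (REQUIRED, REQUISITE):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if flag == REQUISITE:
                    break  # REQUISITE failure stops the stack at once
        else:
            any_success = any_success or ok
            if flag == SUFFICIENT and ok and not mandatory_failed:
                break  # SUFFICIENT success ends evaluation early
    if mandatory_seen:
        return (not mandatory_failed, consulted)
    # Only SUFFICIENT/OPTIONAL modules: at least one must succeed.
    return (any_success, consulted)


def soap_sender_login(has_trusted_client_cert, has_valid_password,
                      stack=SOAP_ADAPTER_STACK):
    """Evaluate a stack for one request's credentials (hypothetical helper)."""
    return evaluate_stack(stack, {
        "ClientCertLoginModule": has_trusted_client_cert,
        "BasicPasswordLoginModule": has_valid_password,
    })
```

With both modules SUFFICIENT, a request that carries only a valid password still passes the stack; in the REQUISITE variant the same request is rejected before the password module is consulted.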

henrique_pinto
Active Contributor
0 Kudos

Hey Matias,

the message-level security configuration is not done in the adapter parameters directly.

There, you just select whether you want to use message-level security or not (by setting the Select Security Profile flag).

Once you set it, then you can configure message-level security in the corresponding sender/receiver agreement. Check these links:

- Sender Soap adapter: http://help.sap.com/saphelp_nw70/helpdata/en/1f/7e2441509fa831e10000000a1550b0/frameset.htm

- Receiver Soap adapter: http://help.sap.com/saphelp_nw70/helpdata/en/56/992d4142badb2be10000000a1550b0/frameset.htm

At soap adapter itself, you can do only configuration regarding transport-level security (HTTPS, authentication etc.).

Regards,

Henrique.

Former Member
0 Kudos

Hi Matias,

thanks for the weblog. It is really good. But I didn't understand the example that he is explaining.

>>Example (Configuring SOAP Adapter)

The example is explained Considering the Scenario of Sending SOAP message from SOAP Receiver channel by giving the URL of the SOAP Sender Channel to test HTTP Security levels at Sender Channel.

Is it a SOAP-XI-SOAP scenario that he is talking about? Or otherwise is he using B2B, like an XI-SOAP to SOAP-XI kind of scenario?

thanks

kumar

Former Member
0 Kudos

Hi Kumar !

The example is to test the SOAP configuration, so he is configuring the SOAP receiver channel (inbound) to call the SOAP sender channel (outbound), is like a loop...so I imagine the scenario goes like this: he will send a request to the soap sender channel to trigger the scenario, the sender adapter will go to Integration server, then to soap receiver adapter, then back to the soap sender.

Regards,

Matias

Former Member
0 Kudos

Hi matias,

One more doubt like .......in the blog he used the terms client and server. could you plz tell me which one is client and which one is server in case of our example ??

Regards

Kumar

Former Member
0 Kudos

Hi Kumar !

I understand that for this example, the sender channel is the server and the receiver channel acts as the client..I mean, the receiver channel is who posts the url, like any other application or a users via an Internet browser..the sender channel is the one who is waiting (server) for somebody to request its service.

Regards,

Matias

PS: Please give points if useful.

Former Member
0 Kudos

Hi matias,

could you plz explain the below statement !

>>3. In Server -> Services -> Security Provider; add certificate to your User Name.

Which certificate is to be added? To which user? How to generate the certificate? I am totally new to this security topic. Plz bear with me.

thanks

kumar

Former Member
0 Kudos

Hi Kumar !

It says:

- Assign the client certificate to the user you have included in the sender agreement:

Go to security provider under visual admin -> Select user management tab -> Find your username -> Click add certificate -> Select your certificate

Once you assign to the sender agreement a comm channel that uses soap, there will appear new options about security for you to check in the sender agreement object screen. Check this:

http://help.sap.com/saphelp_nw04s/helpdata/en/b1/f29e7a56e18a439984a3c6630951d2/frameset.htm

Certificates:

A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.

http://en.wikipedia.org/wiki/Certificate_authority

I recommend you close this thread if the main question is solved, and start a new thread asking the new doubts, to have more people helping you with this subject, giving you more info and experiences.

Regards,

Matias.

Answers (2)


Former Member
0 Kudos

Hey Kumar

>>Could you plz tell me if we are checking these options what is going to happen ??

They are used for encryption etc. First of all you have to install the certificates in VA (section 3.2 of the second link), then you give the encryption parameters in the Receiver agreement (page 18 of the second link). In this way you will encrypt the message and send it to the receiver. Now the receiver will have the decryption key for this; it depends on what type of encryption algorithm you are using. Depending upon that, the receiver will have his own key to decrypt; it will use that key and will decrypt the message.

Is it clear now? If not, reply back.

Thanx

Aamir

Former Member
0 Kudos

Hi Kumar !

I know you don't like links, but I have these 2 that are very clear:

http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/content.htm

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2e7020d-0d01-0010-269c-a98...

If you still have doubts, please ask.

Regards,

Matias.

Former Member
0 Kudos

Hi Matias,

I have gone through those docs. But they were not answering my questions. If anybody knows the answers plz do let me know.

thanks

kumar