
Authentication in SOAP requests

Former Member
0 Kudos

Hi all,

I have the following scenario: 3rd Party <-(soap)-> XI <-(rfc)-> SAP

Every time I send a SOAP request, I have to authenticate (XIAPPLUSER), but I would like to know if there is a way to perform this authentication process only once, or if there is a way to exchange certificates between these 2 servers (XI and 3rd Party) as an authentication method.

The sender SOAP request will be developed under COBOL.

any clues??

Thanks a lot in advance and kind regards,

David

Accepted Solutions (1)

Former Member
0 Kudos

Hi David!

Since HTTP is a stateless protocol and SOAP works over HTTP, I don't think it is possible.. Every call will be authenticated. So you can disable authentication, or it will go on every time a call is made to XI.

J2EE engine of XI supports certificates, so this is no problem.

David, what exactly do you want to achieve?

Peter

Former Member
0 Kudos

Hi Peter,

I defined a WS and used the ID to create the WSDL. I tested the interface with Altova XMLSpy and it works.

However, my application team (the team in charge of developing the WS client using COBOL) told me they do not want the end user to introduce the XIAPPLUSER and password every time a SOAP request is sent.

They told me they would prefer using certificates between servers (as an authentication way to operate) instead, but I do not know how to achieve that.

So far, from the threads I have read, I think I can add userID and password to the URL if I use HTTP adapter instead of SOAP. I will check if the Business allows me to do that.

However, I think I have to find out the way to handle SOAP adapter and certificates but, as I said before, I am lost with it.

Could you please help?

Thanx and kind regards,

david

Former Member
0 Kudos

Well, partly I understand them... However, it had to be an IT professional to be able to get the password, cos' he'd have to catch it on the network level. No one of users normally sees this password..

If this is not a strong enough argument, you have to use SSL with SOAP sender adapter.

It will be definitely accepted by the team.

There's a lot of threads, how to enable SSL and certificates on J2EE. You must go through them.

If you provide me your e-mail address, tomorrow I'll send you some docs, which won't guide you, but at least help you to get overview.

Peter

Former Member
0 Kudos

Hi,

What I want is to try to avoid logging every time the end user executes the interface (that is, every time the user sends the SOAP request). It should be great if we could add the logging details in the WSDL file or even in the WS URL, is this possible?? Or it has to be by HTTP instead of SOAP?

In the meantime, I will review the threads regarding certificates.

Thanks & kind regards,

david

Former Member
0 Kudos

Yes, it has to be done via HTTP sender adapter. You can not add logon details into SOAP adapter's URL.

However - as I said - HTTP is a stateless protocol. Logon can be switched off or will be proceeded every time a message is sent to XI. Doesn't matter whether basic authentication will be done or certificates will be used.

Peter

Former Member
0 Kudos

Yes,

but what if we add the logon details to the request URL???

Do we have to apply the logon details every time the user executes the interface as well then??

David

Former Member
0 Kudos

David, adding username and password to URL is MUCH MORE dangerous than using basic authentication, which was refused by your dev team.. Whenever the call will be proceeded - logon data will be sent in the HTTP header request - exactly the same way as in the basic authentication, just NOT ENCODED.

Once again:

a, you can disable authentication

b, if enabled, will be proceeded in EACH time interface used..

There is no other way.

Peter

Former Member
0 Kudos

Hi guys,

I have added the following to my URL: &sap-user=<id>&sap-password=<password> and am still using SOAP sender adapter.

The point is that right now I only have to specify login details the first time I execute the interface, but I would like not to introduce these data ever.

Any ideas??

Thanks in advance and kind regards,

David

Former Member
0 Kudos

David, David..

a, was this solution accepted by your dev team, which has refused to use basic authentication to SOAP adapter before? If yes, I do not understand them

b, does it work? I mean - if you add these parameters to URL string.. does the scenario work (with SOAP adapter without basic authentication?)

c,>>The point is that right now i only have to specify login details the first time i execute the interface but i would like not to introduce these data ever.<<

Again: THESE DATA WILL BE SENT EVERY TIME YOU EXECUTE THE INTERFACE, NOT ONLY THE FIRST TIME - AND (!!) THEY WILL BE RAW - means NOT ENCODED... Whoever, who will listen on the network can catch them... If you are convinced that no one will listen, why did you refuse basic authentication, which is encoded?

Peter

Former Member
0 Kudos

Don't want to annoy you Peter, hehe!

My dev team do not want to avoid using basic authentication. They don't want to introduce logon details (XIAPPLUSER/password) every time the interface is executed (the end user did not know this user details surely). By adding these characters to the SOAP URL, I only have to apply XIAPPLUSER details the first time I execute the interface, and no more!!

So I thought it worked.

Dev team only want to use HTTPS so I will have to set this up (any idea?) and this may fix the security issue, don't you think?

So just to summarize:

1) Basic authentication is ok BUT we must avoid introducing this user and pwd every time the interface is executed (because who will have to introduce them??)

2) Transport protocol will be HTTPS, it is a requirement.

3) I added the parameters to the SOAP URL. What are the advantages of doing this? Maybe, only-one-login?

Really much appreciate your patience, but I try to clarify myself

david

Former Member
0 Kudos

David,

Basic Authentication: Your DEV team has to implement it into their development (SOAP client's call to XI); authorization data will be sent each time the interface is used, encoded in base64 format. More: http://en.wikipedia.org/wiki/Basic_access_authentication

In this case, user and password will know only DEV team, to implement it. NO USER NEEDS to know them, since the authentication is done in the background...

The only way, how to get them is when somebody listens to the network, gets the HTTP request and decodes the username & password (which is not too hard, cos' base64 is "lite" encoding).. However, at least something...

Adding credentials into URL:

a, I'm not sure if it works with the SOAP adapter

b, IT'S NOT TRUE, that the data have to be introduced only once. They are also of course sent in each call to XI, not only the 1st time.. DEV team implements it into their development.

c, users do not need to know it...

d, in this case are logon details NOT DECODED...

The data can be caught also just by listening to the network.. But since they are not encoded, can be exposed more easily...

If you'll use HTTPS, you can forget any other authentication type...

>>I added the parameters to the SOAP url, What are the advantages of doing this? Maybe, only-one-loging?<<

David, no.. There is no advantage for this (HTTP = stateless; each execution = new authorization)

Peter
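
Added example, not part of the original thread: a Python sketch of the two options compared above, showing that a Basic credential is reversible Base64 attached to every request, and that `sap-user`/`sap-password` query parameters end up in the request line that servers and proxies typically log. Host, path and password are constructed placeholders, and the helper names are hypothetical.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values: host, path and password are placeholders.
URL = "https://xi.example.invalid/soap/endpoint?channel=demo"
USER, PASSWORD = "XIAPPLUSER", "s3cret-Example"
SENSITIVE = {"sap-user", "sap-password"}

def basic_auth_header(user, password):
    """Authorization header value the client must attach to EVERY request."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic(header_value):
    """What anyone who can read the header recovers: Base64 is reversible."""
    scheme, token = header_value.split(" ", 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def add_url_credentials(url, user, password):
    """The variant tried in the thread: credentials as query parameters."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query) + [("sap-user", user), ("sap-password", password)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def request_line(url):
    """First line of the HTTP request; access logs usually record it verbatim."""
    parts = urlsplit(url)
    return f"POST {parts.path}?{parts.query} HTTP/1.1"

def redact(url):
    """Mask credential parameters before a URL is written to a log."""
    parts = urlsplit(url)
    query = [(k, "***" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="*")))

if __name__ == "__main__":
    header = basic_auth_header(USER, PASSWORD)
    print("Authorization:", header, "->", decode_basic(header))
    print(request_line(add_url_credentials(URL, USER, PASSWORD)))
    print(redact(add_url_credentials(URL, USER, PASSWORD)))
```

HTTPS protects both forms in transit, but a URL carrying credentials is still written in clear wherever the request line is logged at either end of the TLS connection.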

Former Member
0 Kudos

Thanks Peter,

So I will try to implement Basic authentication and SOAP (URL without credentials) over HTTPS.

I think security requirements will be reached.

Last thing, why do you say: If you'll use HTTPS, you can forget any other authentication type

Do you mean there is no need to have basic authentication with HTTPS???

And do you think I can go on with the SOAP adapter or change it to HTTP adapter???

I would prefer to continue with SOAP ...

Thanks and best regards,

david

Former Member
0 Kudos

You can definitely use SOAP - it supports SSL.

I don't know which type of certificates you're gonna use, but if u use also client certificates, there is no need to use basic authentication, cos client certificate determines the sender, so no unauthorized person could send message, cos' he wouldn't have client certificate.

Peter

henrique_pinto
Active Contributor
0 Kudos

Check this to configure SSL on J2EE (in order to use in Soap adapter, f.ex.).

http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm

Regards,

Henrique.

Answers (1)

prateek
Active Contributor
0 Kudos

Instead of using adapter engine via SOAP adapter, if u could send data directly to the Integration Engine via HTTP adapter, then u could achieve this.

See this

/people/stefan.grube/blog/2006/09/21/using-the-soap-inbound-channel-of-the-integration-engine

Regards,

Prateek