
SOAP Request with Web Service Security

Former Member
0 Kudos

Hi masters of XI,

The OASIS standard for web services security says that there are three levels of security for web services: the highest level is encryption, the middle level is signature, and the lowest level is authentication with username and password inside the SOAP envelope.

I need to do a SOAP request signed with an X.509 certificate and with username and password too in SAP PI 7.0 SP11. I can sign the request with the X.509 certificate without problems, but I can't authenticate the request with username and password in the UsernameToken element as the OASIS standard says:

<wsse:Security>

<wsse:UsernameToken>

<wsse:Username>XXXX</wsse:Username>

<wsse:Password>XXXXXXXXX</wsse:Password>

</wsse:UsernameToken>

</wsse:Security>

How can we send the UsernameToken elements inside the SOAP web service envelope while also signing with an X.509 certificate? Is there any way to do it in the receiver agreement or receiver SOAP adapter?

Thanks.

Accepted Solutions (1)


Former Member
0 Kudos

Hi,

Look at http://help.sap.com/saphelp_nw04/helpdata/en/45/a4f8bbdfdc0d36e10000000a114a6b/content.htm

There are 2 adapter modules for the receiver SOAP adapter which allow you to use Apache Axis (an open source Java implementation for web services). The first module converts the XI adapter style message to an Apache Axis style message. The second module is a handler, which handles the request and sends it to the external web service.

I don't know if this is going to fix your problem. I just wanted to throw in one pointer. I heard that from 7.1 there is some direct support.

Thanks

Moni

Answers (1)


Former Member
0 Kudos

Hi

SSL Configuration

You need to set up the SSL layer for the HTTPS endpoint.

Possible HTTP security levels are (in ascending order):

HTTP without SSL

HTTP with SSL (= HTTPS), but without client authentication

HTTP with SSL (= HTTPS) and with client authentication

Please go through the links below for reference (the above information is from the links below).

Step by step guide for SSL security

http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm

http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm

http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm

http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm

http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm

General guide

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516d...

Message level security

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba68...

Regarding message level, you can encrypt the message using certificates.

For both of these, the Basis team has to deploy the relevant certificates in the XI ABAP stack or Java stack.

Generally, if the scenarios are intra-company we don't use any transport level or message level security, since the network is already secured.

Check the following links; you will get all the information about the security options.

http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm

Also read through this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba68...

Also find some information in these links:

http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm

/people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi

Thanks

Swarup

Former Member
0 Kudos

Hi,

Thank you very much for your answers.

I have solved the SSL communication and I can sign with X.509 certificates. My problem is that in the SOAP envelope of the signed request only the X.509 certificate travels, and I need to send the username security token (wsse:UsernameToken) also.

<wsse:Security>

<wsse:UsernameToken>

<wsse:Username>XXXX</wsse:Username>

<wsse:Password>XXXXXXXXX</wsse:Password>

</wsse:UsernameToken>

</wsse:Security>

I can't find the solution to do it. The NetWeaver documentation says that NetWeaver is able to sign SOAP requests with X.509 certificates and is also able to use UsernameToken as part of the OASIS standard for web service security. In the ABAP stack of NW you can assign a security profile to a web service call for signing the message or authenticating it with username/password inside the SOAP envelope, but in the Java stack of XI I think that there is no way to do it.

This is my Request:

<?xml version="1.0" encoding="utf-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">

<soapenv:Header>

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">

<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-71968700">MIIHdTCCBl2gAwIBAgIQOq4nmg5zi4NGsIGjPUZVuTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ...8d4pAJYk=</wsse:BinarySecurityToken>

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-104376803">

<ds:SignedInfo>

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

<ds:Reference URI="#id-104309952">

<ds:Transforms>

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

<ds:DigestValue>R6WE9gs+l496jHCgslgALWswEnE=</ds:DigestValue>

</ds:Reference>

<ds:Reference URI="#Timestamp-104310599">

<ds:Transforms>

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

<ds:DigestValue>aiCTZ0WwiZQEv8zVmmf8GLu/bYA=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo>

<ds:SignatureValue>YR9Q5oUA6kFFmPYOIOQPTOgTgapMbkmgdlDM/TZJ2CS8ENAntfsnmpEbpUgOPUVMkgaECog0OKvlADHP0HvJtPdm2NJljZNCCgrk3hlmmtkXkRauVuH5KRiHE5NeWT4+Uspp3ashebu0IuOO66zt4Q=</ds:SignatureValue>

<ds:KeyInfo Id="KeyId-104377209">

<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-104377346">

<wsse:Reference URI="#CertId-71968700" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>

</wsse:SecurityTokenReference>

</ds:KeyInfo>

</ds:Signature>

<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-104310599">

<wsu:Created>2008-01-16T21:28:44.081Z</wsu:Created>

<wsu:Expires>2008-01-16T21:33:44.081Z</wsu:Expires>

</wsu:Timestamp>

</wsse:Security>

</soapenv:Header>

And this is the request I need:

<?xml version="1.0" encoding="utf-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">

<soapenv:Header>

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">

<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-71968700">MIIHdTCCBl2gAwIBAgIQOq4nmg5zi4NGsIGjPUZVuTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ...8d4pAJYk=</wsse:BinarySecurityToken>

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-104376803">

<ds:SignedInfo>

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

<ds:Reference URI="#id-104309952">

<ds:Transforms>

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

<ds:DigestValue>R6WE9gs+l496jHCgslgALWswEnE=</ds:DigestValue>

</ds:Reference>

<ds:Reference URI="#Timestamp-104310599">

<ds:Transforms>

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

<ds:DigestValue>aiCTZ0WwiZQEv8zVmmf8GLu/bYA=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo>

<ds:SignatureValue>YR9Q5oUA6kFFmPYOIOQPTOgTgapMbkmgdlDM/TZJ2CS8ENAntfsnmpEbpUgOPUVMkgaECog0OKvlADHP0HvJtPdm2NJljZNCCgrk3hlmmtkXkRauVuH5KRiHE5NeWT4+Uspp3ashebu0IuOO66zt4Q=</ds:SignatureValue>

<ds:KeyInfo Id="KeyId-104377209">

<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-104377346">

<wsse:Reference URI="#CertId-71968700" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>

</wsse:SecurityTokenReference>

</ds:KeyInfo>

</ds:Signature>

<!-- THIS IS THE PART I NEED -->

<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-104312926">

<wsse:Username>xxxxxxx</wsse:Username>

<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>

</wsse:UsernameToken>

<!-- -->

<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-104310599">

<wsu:Created>2008-01-16T21:28:44.081Z</wsu:Created>

<wsu:Expires>2008-01-16T21:33:44.081Z</wsu:Expires>

</wsu:Timestamp>

</wsse:Security>

</soapenv:Header>
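
The header layout in the request above can be checked mechanically. The following is an added example, not part of the original post and not SAP or Axis code: it lists each wsse:UsernameToken in a wsse:Security header and reports whether its wsu:Id is among the ds:Reference URIs of the signature and whether the password is sent as PasswordText. The function name and the trimmed sample envelope are assumptions; the sample reuses the Ids from the post and omits the certificate, digests and signature value.

```python
import xml.etree.ElementTree as ET

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": OASIS + "wssecurity-secext-1.0.xsd",
    "wsu": OASIS + "wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
PASSWORD_TEXT = OASIS + "username-token-profile-1.0#PasswordText"

# Constructed sample: same structure and Ids as the desired request in the post.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}"
    xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
 <soapenv:Header><wsse:Security>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#id-104309952"/>
   <ds:Reference URI="#Timestamp-104310599"/>
  </ds:SignedInfo></ds:Signature>
  <wsse:UsernameToken wsu:Id="UsernameToken-104312926">
   <wsse:Username>xxxxxxx</wsse:Username>
   <wsse:Password Type="{PASSWORD_TEXT}"/>
  </wsse:UsernameToken>
  <wsu:Timestamp wsu:Id="Timestamp-104310599"/>
 </wsse:Security></soapenv:Header>
</soapenv:Envelope>"""

def audit_security_header(envelope_xml):
    """Return (signed_ids, tokens) for the wsse:Security header of an envelope."""
    # ElementTree is used on a trusted sample; parse untrusted XML with a hardened parser.
    root = ET.fromstring(envelope_xml)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    # Same-document references ("#some-id") listed in ds:SignedInfo.
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed = {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}
    tokens = []
    for tok in sec.findall("wsse:UsernameToken", NS):
        pw = tok.find("wsse:Password", NS)
        tokens.append({
            "id": tok.get(WSU_ID),
            "user": tok.findtext("wsse:Username", default="", namespaces=NS),
            # The UsernameToken profile treats a missing Type as PasswordText.
            "plaintext": pw is not None and pw.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT,
            "signed": tok.get(WSU_ID) in signed,
        })
    return signed, tokens
```

For the sample, the token's wsu:Id is not among the ds:Reference URIs, so the signature covers the body and timestamp but not the UsernameToken.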

Former Member
0 Kudos

Hi,

Use the above-mentioned modules to convert the XI message to an Axis message. Then you need to use the Axis API to add the header. Your code would look something like this. This is going to add a security header to your message.

Thanks

moni

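/*
// Get the Axis envelope as a DOM document
Document doc = envelope.getAsDocument();
// Create the wsse:Security header (no actor, mustUnderstand = false) and insert it into the document
WSSecHeader secHeader = new WSSecHeader("", false);
secHeader.insertSecurityHeader(doc);
String username = "user1";
String password = "password";
// Build a UsernameToken that carries the password as PasswordText
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setPasswordType(WSConstants.PASSWORD_TEXT);
builder.setUserInfo(username, password);
builder.prepare(doc);
builder.appendToHeader(secHeader);
// Attach the wsse:Security element to the Axis envelope as a SOAP header
envelope.addHeader(new SOAPHeaderElement(secHeader.getSecurityHeader()));
*/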

Former Member
0 Kudos

Hello,

Were you able to solve the problem? We have a similar issue, but in our scenario all we need to use is the low level: user ID / password authentication.

If you can share the solution, that would be great.

Thanks

Former Member
0 Kudos

Hi,

I opened an OSS note and the SAP response was that we need to install the specific SOAP adapter for Axis. This adapter gives you all the OASIS standard functionality, including user and password authentication, but I have not tried it.

For more information:

http://help.sap.com/saphelp_nw04/helpdata/en/45/a4f8bbdfdc0d36e10000000a114a6b/frameset.htm

I hope that my response has been useful.

Former Member
0 Kudos

Hi,

My problem with the username token was solved by installing the Axis adapter for SOAP.

Former Member
0 Kudos

Hello Ramon,

Thanks for the update. Can you please let me know if there is any URL or anything that describes the process of installing the Axis adapters and bringing them into XI?

Thanks,

RKK

ravi_raman2
Active Contributor
0 Kudos

Ramon,

This is what I tried: I created the SDA with com.sap.aii.af.axisproviderlib.sda with the libs. What did you do for the handler?

Do I need to implement the method process()? It would help if you could give us some more tips. Also, is that the only way? You also have to write some code to add the WSSec header with the username token into the XML payload, right? It's not supported out of the box after deploying the adapter, right?

If you have it working, do you think you can send me the code for the handler, or at least give us some pointers on what exactly you did? It would save us a lot of time.

Regards

Ravi Raman

Former Member
0 Kudos

Hi,

Inside the faq_axis_adapter.zip file that SAP sent us there is a file index.html describing how to install the Axis adapter and some examples of web services security such as username token, but the examples are pictures. If you can't find the file faq_adapter.zip I can send it to you.

Former Member
0 Kudos

Hi Ramon,

Could you please provide more details on how exactly you configured SOAP AXIS so that it creates Username tokens now?

Thank you,

Forest

Former Member
0 Kudos

Hi Ramon,

Can you please send me the faq_axis_adapter.zip file, or can anybody help me in configuring Axis?

Thanks,

Srini

Former Member
0 Kudos

Hi Ravi,

Do I need to implement the method process()? It would help if you could give us some more tips. Also, is that the only way? You also have to write some code to add the WSSec header with the username token into the XML payload, right? It's not supported out of the box after deploying the adapter, right?

Have you developed handlers for this? I have configured the SOAP receiver Axis adapter and now I need to start developing the handlers.

Can you please give me code samples or tell me how to start?

Any help would be appreciated.

Thanks,

Srini