Message Level Security

Former Member
0 Kudos

Hi All,

In the PI to PI scenario I used certificates for signing and encryption. For this I followed the message level security document.

In PI1 the message is signed and encrypted, but the signature is not validated and the message is not decrypted on the PI2 server. The output from the PI2 server is coming in encrypted form. How to solve this issue?

PI1 SP is 11 and PI2 SP is 06.

Kindly suggest some solution.

Regards

Prakash

Accepted Solutions (0)

Answers (5)

Former Member
0 Kudos

Hi Prakash, did you ever solve the issues? Would you mind sharing what you learned?

Former Member
0 Kudos

Hi,

Were you able to go past this error? We are having a similar issue with the XI Adapter from PI to ECC system.

Former Member
0 Kudos

Hi,

Same issue, and it is a big headache for us. We escalated to SAP 15 days ago with no result; even they are unable to provide any solution.

In our case some files get processed and some do not, and whenever we get an error, this is the error we get:

Security_verify_error

<SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">

<SAP:Category>XIServer</SAP:Category>

<SAP:Code area="SECURITY">SECURITY_VERIFY_ERROR</SAP:Code>

<SAP:P1>Check Signature and Decrypt Message</SAP:P1>

<SAP:P2 />

<SAP:P3 />

<SAP:P4 />

<SAP:AdditionalText>Signature error The found signature was not valid. Check signature logs for details.</SAP:AdditionalText>

<SAP:Stack>Error during message security handling in inbound channel: Security profile 'Check Signature and Decrypt Message'</SAP:Stack>

<SAP:Retry>M</SAP:Retry>

</SAP:Error>

Please let me know if anyone could fix this issue.

Regards,

Sunil.

Former Member
0 Kudos

Hi Sunil,

Are you able to solve this issue?

Thanks,

Kamal

Former Member
0 Kudos

Hi All,

I already saw the help links, and I configured all the steps as per the help, but I am not able to solve the error.

Also, if I send a message from PI2 to PI1, the error occurs in the call adapter of the PI2 server. Following is the error message:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!-- Call Adapter -->
<SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="">
<SAP:Category>XIServer</SAP:Category>
<SAP:Code area="SECURITY">SECURITY_APPLY_ERROR</SAP:Code>
<SAP:P1>Sign and Encrypt Message</SAP:P1>
<SAP:P2/>
<SAP:P3/>
<SAP:P4/>
<SAP:AdditionalText>Communication error Unallowed RFC-XML Tag (SOAP_EINVALDOC)</SAP:AdditionalText>
<SAP:ApplicationFaultMessage namespace=""/>
<SAP:Stack>Error during message security handling in outbound channel: Security profile 'Sign and Encrypt Message'</SAP:Stack>
<SAP:Retry>M</SAP:Retry>
</SAP:Error>

Can anyone suggest a solution to solve the error?

Regards

Prakash
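Added example, not code from SAP or from anyone in this thread: a small parser for the <SAP:Error> documents Sunil and Prakash posted, which pulls out the error code, the security profile (SAP:P1) and the channel direction named in SAP:Stack, and maps that direction to the Integration Directory object that configures message-level security for it (sender agreement for an inbound channel, receiver agreement for an outbound channel, as the documentation quoted later in the thread states). The two sample inputs are constructed from the errors in the thread.

```python
"""Parse the SAP XI/PI <SAP:Error> documents quoted in this thread and name the
agreement that configures the failing security profile. Added example, not SAP code."""
import re
import xml.etree.ElementTree as ET

SAP_NS = "http://sap.com/xi/XI/Message/30"
# Constructed samples, reproducing the two errors pasted in the thread.
VERIFY_ERROR = f"""<SAP:Error xmlns:SAP="{SAP_NS}" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
<SAP:Category>XIServer</SAP:Category><SAP:Code area="SECURITY">SECURITY_VERIFY_ERROR</SAP:Code>
<SAP:P1>Check Signature and Decrypt Message</SAP:P1><SAP:P2 /><SAP:P3 /><SAP:P4 />
<SAP:AdditionalText>Signature error The found signature was not valid. Check signature logs for details.</SAP:AdditionalText>
<SAP:Stack>Error during message security handling in inbound channel: Security profile 'Check Signature and Decrypt Message'</SAP:Stack>
<SAP:Retry>M</SAP:Retry></SAP:Error>"""
APPLY_ERROR = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes" ?><!-- Call Adapter --> <SAP:Error xmlns:SAP="{SAP_NS}" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand=""><SAP:Category>XIServer</SAP:Category><SAP:Code area="SECURITY">SECURITY_APPLY_ERROR</SAP:Code><SAP:P1>Sign and Encrypt Message</SAP:P1><SAP:P2/><SAP:P3/><SAP:P4/><SAP:AdditionalText>Communication error Unallowed RFC-XML Tag (SOAP_EINVALDOC)</SAP:AdditionalText><SAP:ApplicationFaultMessage namespace=""/><SAP:Stack>Error during message security handling in outbound channel: Security profile 'Sign and Encrypt Message'
</SAP:Stack><SAP:Retry>M</SAP:Retry></SAP:Error>"""


def parse_sap_error(xml_text: str) -> dict:
    """Extract the fields an operator needs from one <SAP:Error> document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAP_NS}}}Error":
        raise ValueError(f"not an SAP:Error element: {root.tag}")

    def text(local: str) -> str:
        el = root.find(f"{{{SAP_NS}}}{local}")
        return (el.text or "").strip() if el is not None else ""

    code_el = root.find(f"{{{SAP_NS}}}Code")
    # SAP:Stack names the channel direction; P1 is the security profile that
    # the agreement for that channel selected.
    direction = re.search(r"in (inbound|outbound) channel", text("Stack"))
    return {
        "area": code_el.get("area", "") if code_el is not None else "",
        "code": text("Code"),
        "profile": text("P1"),
        "direction": direction.group(1) if direction else "unknown",
        "detail": text("AdditionalText"),
    }


def agreement_to_check(err: dict) -> str:
    """Inbound security is configured in a sender agreement, outbound security in a
    receiver agreement (see the documentation quoted later in this thread)."""
    if err["area"] != "SECURITY":
        return "not a message-security error"
    if err["direction"] == "inbound":
        return f"sender agreement on the receiving system, profile '{err['profile']}'"
    if err["direction"] == "outbound":
        return f"receiver agreement on the sending system, profile '{err['profile']}'"
    return "channel direction unknown; read SAP:Stack manually"
```

Running `agreement_to_check(parse_sap_error(...))` on the two samples points at the sender agreement on PI2 for the verify error and at the receiver agreement on PI2 for the apply error.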

Former Member
0 Kudos

Hi Prakash,

We are facing a similar problem in XI to XI communication with message level encryption scenario.

Kindly suggest if you got any solution for this.

Former Member
0 Kudos

Hi,

Message-Level Security

Message-level security allows you to digitally sign or encrypt documents exchanged between systems or business partners. It improves communication-level security by adding security features that are particularly important for inter-enterprise communication. Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.

● A digital signature authenticates the business partner signing the message and ensures data integrity of the business document carried by a message.

Signatures are used in two scenarios:

○ Non-repudiation of origin

The sender signs a message so that the receiver can prove that the sender actually sent the message.

○ Non-repudiation of receipt

The receiver signs a receipt message back to the sender so that the original sender can prove that the receiver actually received the original message.

● Message-level encryption is required if message content needs to be confidential not only on the communication lines but also in intermediate message stores.

SAP NetWeaver usage type Process Integration (PI) offers message-level security for the XI protocol itself, for the RosettaNet protocol, for the CIDX protocol, and for the SOAP and Mail adapters. The table below summarizes the message-level security features of these protocols and adapters.

Message-Level Security Features

| | XI Protocol (XI 3.0) | SOAP | Mail | RNIF 2.0 | RNIF 1.1/CIDX |
|---|---|---|---|---|---|
| Messaging components | Integration Server and PCK | Adapter Engine and PCK | Adapter Engine | Adapter Engine | Adapter Engine |
| Signature | X | X | X | X | X |
| Non-repudiation of origin | X | X (Web service security) | | X | X |
| Non-repudiation of receipt | X | | | X | X |
| Encryption | X | X | X | X | |
| Technology | Web service security (XML signature). Signed parts are the SAP main header, the SAP manifest, and the payloads (SOAP attachments). Encrypted parts are the payloads (SOAP attachments). | S/MIME or Web service security (XML signature). The SOAP body is signed. | S/MIME | S/MIME | PKCS#7 |

XI 3.0 is the XI protocol valid for both SAP NetWeaver ’04 and SAP NetWeaver 7.0.

Message-level security is not guaranteed across the entire communication path of a message, but only for the intended B2B connections, which can be the following communication paths, as described under Service Users for Message Exchange.

● XI protocol

○ (s4) Integration Server to Integration Server, PCK to Integration Server

○ (r4) Integration Server to Integration Server, Integration Server to PCK

● SOAP protocol

○ (s3) SOAP sender to Adapter Engine or PCK

○ (r3) Adapter Engine or PCK to SOAP receiver

● Mail protocols

○ (s3) Mail server to Adapter Engine or PCK (IMAP4/POP3)

○ (r3) Adapter Engine or PCK to mail server (IMAP4/SMTP)

● RNIF and CIDX protocol

○ (s3) RNIF or CIDX sender to Adapter Engine

○ (r3) Adapter Engine to RNIF or CIDX receiver

You define whether and how message-level security is to be applied to messages in the Integration Directory by using sender agreements on the inbound (sender) side in scenarios (s3) and (s4) and by using receiver agreements on the outbound (receiver) side in scenarios (r3) and (r4). For more information about configuring message-level security, see Security Configuration at Message Level.

Message-level security relies on public and private X.509 certificates maintained in the J2EE keystore, where each certificate is identified by its alias name and the keystore view where it is stored. Certificates are used in the following situations:

● When signing a message, the sender signs it with its private key and attaches its certificate containing the public key to the message.

The receiver then verifies the digital signature of the message with the sender’s certificate attached to the message. There are two alternative trust models to verify the authenticity of the sender’s public certificate:

○ In the direct trust model, the signer’s public key certificate is compared with the locally maintained, expected public key certificate of the partner. Therefore, the direct trust model requires offline exchange of public key certificates, which can be self-signed or issued by a CA.

○ In the hierarchical trust model, the signer’s public key certificate is validated by a locally maintained public certificate of the CA that issued the signer’s public certificate. In addition, the subject name and the issuer of the signer’s certificate are compared with the expected partner’s identity configured in a receiver agreement on the receiver side.

Generally, the hierarchical trust model enables chains of certificates attached to the message. The XI 3.0 message format, however, does not support such chains; the certificate used for signing has to be signed by a root CA.

In the hierarchical trust model, the sender and the receiver only need to agree upon the CA and the subject name that the sender has used in its certificate.

The following trust models are supported:

○ The RNIF and CIDX adapters support both a direct and a single-level hierarchical trust model.

○ The XI protocol and the SOAP adapter (with Web service security) only support a single-level hierarchical trust model.

○ The Mail adapter and the SOAP adapter (with S/MIME) support a multi-level hierarchical trust model.

● When encrypting a message, the sender encrypts with the public key of the receiver (also verifying the correctness of the receiver’s certificate by using the public key of the certificate’s root CA).

The receiver decrypts with its private key certificate.

For more information about the certificate store, see Certificate Store.

Whenever a message is signed, the receiver archives the signed messages for non-repudiation purposes. See Archiving Secured Messages.

reg,

suresh
