Digital signature and validation for sync web-service

Nov 18, 2017 at 12:49 PM

Former Member

I need your immediate help to digitally sign a request XML message for a synchronous web service call on SAP PI 7.4 (single stack). The requirement is:

  1. SAP PI makes a request to the ZSMOPL and sends messages with the signature and the certificate used for the signature. This information must be in the header of the message (<soapenv:Header>). X.509 certificates.

Can I use the SOAP adapter with the web service security profile? (I tried this, but it throws an error.)

Or do I have to go for a Java mapping? Can I please get sample code to implement the digital signature?

SOAP header template as provided by zsmopl

```xml
http://csioz.gov.pl/zsmopl/ws/obslugakomunikatow/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-925981AA89D6C41EB3144465584498121">MIIGQDCCA2owggJSoAMCAQICCQCuBuTAUz+owz
http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
http://www.w3.org/2001/10/xml-exc-c14n#"> http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Transforms>
http://www.w3.org/2001/10/xml-exc-c14n#"> http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
http://www.w3.org/2000/09/xmldsig#sha1"/> eXyR08F9i3u8qQ3bJVccW6e/es8=
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>NS45ULI7S81aXmchf37FS2y6va</ds:SignatureValue>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-925981AA89D6C41EB3144465584498123" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
```

-----------------------------------------------------------------------------------------------------------------------

On the receiver SOAP channel, select "Select Security Profile". The "Security Profile" should be "Web Services Security".

On your Receiver Agreement/ICO that uses this channel, select the "Security Standard" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and select "Security Procedure (Request)" -> Sign.

Under "Certificate for Signing (WS Request)", select your keystore and the view holding your digital certificate.

I have done the above settings, then sent messages. The receiver SOAP channel throws the error "MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: Response message contains an errorXIAdapter/PARSING/ADAPTER.SOAP_EXCEPTION - soap fault: An invalid security token was provided Caused by: An invalid security token was provided (Bad ValueType "")"

By adding the modules given in the blog https://blogs.sap.com/2015/10/26/http-tracing-in-soap-receiver-adapters-with-tracehttp-module-parameter/ I got the payload (signed header + body) sent by the receiver SOAP channel to zsmopl; below is the payload.

```xml
<SOAP:Header>
MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgYhttp://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'>MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgY>
<ds:SignedInfo>
<ds:Reference URI='#wsuid-body-0ac9b863-cc3f-11e7-ad57-0000007f6e76'>
<ds:Transforms>
</ds:Transforms>
<ds:DigestValue>4Mrv2iByb7TSQKueTFri/im2WxY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>qttdS359FNhLXxRV6woxJCPtCuQ</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI='#sap-16'/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</SOAP:Header>
```

I could identify the differences between the PI payload and the template; the differences are that in the PI payload the below values are missing:

1. The XML attribute ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1". This should be populated 3 times.
2. There are no values populated under the <keyinfo> tags.

I believe this is causing the error in PI. I've raised an OSS note for a fix from SAP.

Please suggest here how to proceed further.

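As an added example (not code from this thread, from SAP or from ZSMOPL), the following structural check reproduces the comparison made above between the ZSMOPL template and the PI-generated header: it verifies that the BinarySecurityToken carries the X509PKIPathv1 ValueType, that every signed Reference resolves to a wsu:Id in the message, and that KeyInfo points back at the token with the same ValueType. The envelopes are constructed samples; the wsu:Id values and the certificate, digest and signature contents are dummies, and the check uses only the Python standard library.

```python
import xml.etree.ElementTree as ET

NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PKIPATH = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"
WSU_ID = "{%s}Id" % NS["wsu"]

def check_wssec_header(envelope_xml):
    """Return the deviations from the ZSMOPL template shape; an empty list means the header looks right."""
    root = ET.fromstring(envelope_xml)
    ids = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}  # wsu:Id -> element
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    problems, bst = [], sec.find("wsse:BinarySecurityToken", NS)
    if bst is None:
        problems.append("no BinarySecurityToken")
    elif bst.get("ValueType") != PKIPATH:
        problems.append("BinarySecurityToken ValueType missing (expected X509PKIPathv1)")
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if not refs:
        problems.append("SignedInfo has no ds:Reference, so nothing is actually signed")
    for ref in refs:  # every signed part must resolve to a wsu:Id inside this message
        if ref.get("URI", "")[1:] not in ids:
            problems.append("Reference URI %r does not resolve" % ref.get("URI"))
    sref = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if sref is None:
        problems.append("KeyInfo has no SecurityTokenReference/Reference")
    else:
        if sref.get("ValueType") != PKIPATH:
            problems.append("SecurityTokenReference/Reference ValueType missing")
        if ids.get(sref.get("URI", "")[1:]) is not bst:  # the receiver must find the signing cert
            problems.append("KeyInfo Reference %r does not point at the token" % sref.get("URI"))
    return problems

def sample(bst_attrs, str_ref):
    """Constructed envelope in the template's shape; certificate, digest and signature values are dummies."""
    return (f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}"><soapenv:Header><wsse:Security>'
            f'<wsse:BinarySecurityToken {bst_attrs} wsu:Id="sap-16">MIIF...</wsse:BinarySecurityToken>'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"><ds:DigestValue>AA==</ds:DigestValue>'
            '</ds:Reference></ds:SignedInfo><ds:SignatureValue>AA==</ds:SignatureValue><ds:KeyInfo>'
            f'<wsse:SecurityTokenReference>{str_ref}</wsse:SecurityTokenReference></ds:KeyInfo>'
            '</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body wsu:Id="body-1"/></soapenv:Envelope>')

TEMPLATE_LIKE = sample(f'ValueType="{PKIPATH}"', f'<wsse:Reference URI="#sap-16" ValueType="{PKIPATH}"/>')
PI_LIKE = sample("", '<wsse:Reference URI="#sap-16"/>')  # the header shape PI's SOAP channel produced
```

Running `check_wssec_header(PI_LIKE)` reports exactly the two gaps listed in the question (token ValueType and KeyInfo reference ValueType), while the template-shaped envelope passes clean.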

4 Answers

Best Answer
Former Member Dec 07, 2017 at 04:35 PM

This requirement (wssec signing only) was achieved using SOAP Axis. A detailed explanation of the solution can be found at my blog: wssec signing

Former Member Nov 22, 2017 at 05:41 AM

Any updates here!!

Former Member Nov 23, 2017 at 11:58 AM

Update!!

SAP confirmed that the SOAP channel does not fully support WS-Security and suggested using SOAP Axis. The PI set-up for this is in progress.

Former Member Nov 28, 2017 at 10:26 AM

The Basis team deployed the Axis-related jars into the PI server (xml sec 1.4.2 and wss4j 1.5.6).

I've configured the receiver Axis channel with WS-Security signing. Screenshot below. When I run the scenario, I'm getting an error.

Error log screenshot below.

[Attachments: screenshot.jpg (88.6 kB), screenshot2.jpg (248.2 kB)]

Hi Avinash,

please check whether all the components (the required and optional components should be in OK status) have been deployed, using the standard URL http://hostname:port/XIAxisAdapter/MessageServlet?parameters

Regards

Pavan
