
Digital signature and validation for sync web-service

Former Member
0 Kudos

I need your immediate help to digitally sign the request XML message for a synchronous web service call on SAP PI 7.4 (single stack). The requirement is:

  1. SAP PI makes a request to the ZSMOPL and sends messages with the signature and the certificate used for the signature. This information must be in the header of the message (<soapenv:Header>). X.509 certificates.

Can I use the SOAP adapter with the web service security profile? (I tried this, but it throws an error.)

Or do I have to go for Java mapping? Can I please get sample code to implement the digital signature?

SOAP header template as provided by zsmopl

<soapenv:Envelope xmlns:obs="http://csioz.gov.pl/zsmopl/ws/obslugakomunikatow/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">

<soapenv:Header>

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-925981AA89D6C41EB3144465584498121">MIIGQDCCA2owggJSoAMCAQICCQCuBuTAUz+owz</wsse:BinarySecurityToken>

<ds:Signature Id="SIG-925981AA89D6C41EB3144465584498225" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

<ds:SignedInfo>

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces PrefixList="obs soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:CanonicalizationMethod>

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#id-925981AA89D6C41EB3144465584498124">

<ds:Transforms>

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces PrefixList="obs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:Transform>

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>eXyR08F9i3u8qQ3bJVccW6e/es8=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo> <ds:SignatureValue>NS45ULI7S81aXmchf37FS2y6va</ds:SignatureValue>

<ds:KeyInfo Id="KI-925981AA89D6C41EB3144465584498122"> <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-925981AA89D6C41EB3144465584498123" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">

<wsse:Reference URI="#X509-925981AA89D6C41EB3144465584498121" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>

</wsse:SecurityTokenReference>

</ds:KeyInfo>

</ds:Signature>

</wsse:Security>

</soapenv:Header>

<soapenv:Body wsu:Id="id-925981AA89D6C41EB3144465584498124" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

-----------------------------------------------------------------------------------------------------------------------

Receiver SOAP channel, select "Select Security Profile". The "Security Profile" should be "Web Services Security".

On your Receiver Agreement/ICO that uses this channel, select the "Security Standard" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and select "Security Procedure (Request)" -> Sign.

On "Certificate for Signing (WS Request)", select your keystore and view for your digital certificate.

I have made the above settings, then sent messages. The receiver SOAP channel throws the error " MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: Response message contains an errorXIAdapter/PARSING/ADAPTER.SOAP_EXCEPTION - soap fault: An invalid security token was provided Caused by: An invalid security token was provided (Bad ValueType "")"

By adding the modules given in the blog https://blogs.sap.com/2015/10/26/http-tracing-in-soap-receiver-adapters-with-tracehttp-module-parame... I got the payload (signed header + body) sent by the receiver SOAP channel to zsmopl.

Below is the payload.

<SOAP:Envelope xmlns:SOAP='http://schemas.xmlsoap.org/soap/envelope/'>

<SOAP:Header>

<wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' SOAP:mustUnderstand='1'>

<wsse:BinarySecurityToken xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' wsu:Id='sap-16' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'>MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgY</wsse:BinarySecurityToken>

<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

<ds:SignedInfo>

<ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>

<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>

<ds:Reference URI='#wsuid-body-0ac9b863-cc3f-11e7-ad57-0000007f6e76'>

<ds:Transforms>

<ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>

</ds:Transforms>

<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>

<ds:DigestValue>4Mrv2iByb7TSQKueTFri/im2WxY=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo>

<ds:SignatureValue>qttdS359FNhLXxRV6woxJCPtCuQ</ds:SignatureValue>

<ds:KeyInfo>

<wsse:SecurityTokenReference>

<wsse:Reference URI='#sap-16'/>

</wsse:SecurityTokenReference>

</ds:KeyInfo>

</ds:Signature>

</wsse:Security>

</SOAP:Header>

<SOAP:Body xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' wsu:Id='wsuid-body-0ac9b863-cc3f-11e7-ad57-0000007f6e76'>

<ns1:zapiszKomunikatOS xmlns:ns1='http://csioz.gov.pl/zsmopl/ws/obslugakomunikatow/'>

I could identify the differences between the PI payload and the template. In the PI payload, the values below are missing:

1. The XML attribute ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1". This should be populated 3 times.
2. There are no values populated under the <keyinfo> tags.

I believe this is causing the error in PI. I've raised an OSS note for a fix from SAP.

Please suggest here how to proceed further.
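
The comparison described in the post above can be automated. The following is an added example, not part of the original post or of any SAP tooling: it extracts the token attributes from two WS-Security envelopes and lists where they differ. The envelopes are constructed, reduced from the two messages in the post, and the `tok-1` and `body-1` ids, the `PLACEHOLDER` token and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#"

def short(value):
    """Strip the X.509 token profile prefix; a missing attribute becomes ''."""
    return (value or "").replace(X509, "")

def token_profile(envelope_xml):
    """Collect the token attributes and id references from one signed envelope."""
    root = ET.fromstring(envelope_xml)
    bst = root.find(f".//{{{WSSE}}}BinarySecurityToken")
    sref = root.find(f".//{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference")
    ref = sref.find(f"{{{WSSE}}}Reference")
    signed = root.find(f".//{{{DS}}}SignedInfo/{{{DS}}}Reference").get("URI")
    ids = {e.get(f"{{{WSU}}}Id") for e in root.iter()}
    return {
        "BinarySecurityToken/@ValueType": short(bst.get("ValueType")),
        "SecurityTokenReference/@TokenType": short(sref.get(f"{{{WSSE11}}}TokenType")),
        "Reference/@ValueType": short(ref.get("ValueType")),
        "KeyInfo reference resolves": ref.get("URI") == "#" + bst.get(f"{{{WSU}}}Id"),
        "signed reference resolves": signed.lstrip("#") in ids,
    }

def mismatches(template_xml, sent_xml):
    """Map each differing field to (value in template, value in sent message)."""
    want, got = token_profile(template_xml), token_profile(sent_xml)
    return {k: (want[k], got[k]) for k in want if want[k] != got[k]}

def sample(bst_type, sref_attrs="", ref_attrs=""):
    """Constructed envelope; token and signature contents are placeholders."""
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="{WSSE}" '
            f'xmlns:wsu="{WSU}" xmlns:wsse11="{WSSE11}" xmlns:ds="{DS}"><s:Header><wsse:Security>'
            f'<wsse:BinarySecurityToken wsu:Id="tok-1" ValueType="{X509}{bst_type}">PLACEHOLDER'
            f'</wsse:BinarySecurityToken><ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
            f'</ds:SignedInfo><ds:KeyInfo><wsse:SecurityTokenReference {sref_attrs}>'
            f'<wsse:Reference URI="#tok-1" {ref_attrs}/></wsse:SecurityTokenReference></ds:KeyInfo>'
            f'</ds:Signature></wsse:Security></s:Header><s:Body wsu:Id="body-1"/></s:Envelope>')

# Constructed inputs: the provider's template shape and the shape PI sent.
PKIPATH = f'"{X509}X509PKIPathv1"'
TEMPLATE = sample("X509PKIPathv1", f"wsse11:TokenType={PKIPATH}", f"ValueType={PKIPATH}")
SENT_BY_PI = sample("X509v3")

if __name__ == "__main__":
    print(mismatches(TEMPLATE, SENT_BY_PI))
```

On these inputs the three differing fields are the three places where the template carries `X509PKIPathv1`, and the `ValueType` on `wsse:Reference` comes back as an empty string, the same empty value the fault text quotes.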

Accepted Solutions (1)


Former Member
0 Kudos

This requirement (wssec signing only) was achieved using SOAP AXIS. A detailed explanation of the solution can be found at my blog: wssec signing

Answers (3)


Former Member
0 Kudos

The Basis team deployed the AXIS-related JARs on the PI server (xml sec 1.4.2 and wss4j 1.5.6).

I've configured the receiver AXIS channel with WS-Security signing. Screenshot below. When I run the scenario, I'm getting an error.

Error log screenshot below.

PavanKumar
Active Contributor
0 Kudos

Hi Avinash,

Please check whether all the components (required and optional components are to be in OK status) have been deployed, using the standard URL http://hostname:port/XIAxisAdapter/MessageServlet?parameters

Regards

Pavan

Former Member
0 Kudos

Update!!

SAP confirmed that the SOAP channel does not fully support WS-Security and suggested using SOAP Axis. PI setup is going on for this.

Former Member
0 Kudos

Any updates here?