Former Member

Digital signature and validation for sync web-service

I need your immediate help to digitally sign a request XML message for a synchronous web-service call on SAP PI 7.4 (single stack). The requirement is:

  1. SAP PI makes a request to the ZSMOPL, sends messages with the signature and the certificate used for the signature. This information must be in the header of the message (<soapenv:Header>). X.509 certificates.

Can I use the SOAP adapter with the web-service security profile? (I tried this, but it throws an error.)

Or do I have to go for Java mapping? Can I please get sample code to implement the digital signature?

SOAP header template as provided by zsmopl

http://csioz.gov.pl/zsmopl/ws/obslugakomunikatow/" xmlns:soapenv=" http://schemas.xmlsoap.org/soap/envelope/">

<soapenv:Header>

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-925981AA89D6C41EB3144465584498121">MIIGQDCCA2owggJSoAMCAQICCQCuBuTAUz+owz

http://www.w3.org/2000/09/xmldsig#">

<ds:SignedInfo>

http://www.w3.org/2001/10/xml-exc-c14n#"> http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:CanonicalizationMethod>

http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

<ds:Transforms>

http://www.w3.org/2001/10/xml-exc-c14n#"> http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:Transform>

</ds:Transforms>

http://www.w3.org/2000/09/xmldsig#sha1"/> eXyR08F9i3u8qQ3bJVccW6e/es8=

</ds:Reference>

</ds:SignedInfo> <ds:SignatureValue>NS45ULI7S81aXmchf37FS2y6va</ds:SignatureValue>

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-925981AA89D6C41EB3144465584498123" xmlns:wsse11=" http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>

</wsse:SecurityTokenReference>

</ds:KeyInfo>

</ds:Signature>

</wsse:Security>

</soapenv:Header>

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

-----------------------------------------------------------------------------------------------------------------------

Receiver SOAP channel, select "Select Security Profile". The "Security Profile" should be "Web Services Security".

On your Receiver Agreement/ICO that uses this channel, select the "Security Standard" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and select "Security Procedure (Request)" -> Sign.

On "Certificate for Signing (WS Request)", select your keystore and view for your digital certificate.

I have done the above settings and then sent messages. The receiver SOAP channel throws the error " MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: Response message contains an errorXIAdapter/PARSING/ADAPTER.SOAP_EXCEPTION - soap fault: An invalid security token was provided Caused by: An invalid security token was provided (Bad ValueType "")"

By adding the modules given in the blog https://blogs.sap.com/2015/10/26/http-tracing-in-soap-receiver-adapters-with-tracehttp-module-parameter/ I got the payload (signed header + body) sent by the receiver SOAP channel to zsmopl; below is the payload.

<SOAP:Header>

MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgYhttp://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'>MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgY>

<ds:SignedInfo>

<ds:Reference URI='#wsuid-body-0ac9b863-cc3f-11e7-ad57-0000007f6e76'>

<ds:Transforms>

</ds:Transforms>

<ds:DigestValue>4Mrv2iByb7TSQKueTFri/im2WxY=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo>

<ds:SignatureValue>qttdS359FNhLXxRV6woxJCPtCuQ</ds:SignatureValue>

<ds:KeyInfo>

<wsse:SecurityTokenReference>

<wsse:Reference URI='#sap-16'/>

</wsse:SecurityTokenReference>

</ds:KeyInfo>

</ds:Signature>

</wsse:Security>

</SOAP:Header>


I could identify the differences between the PI payload and the template: the values below are missing in the PI payload.

1. The XML attribute ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1". This should be populated 3 times.
2. There are no values populated under <keyinfo> tags.

I believe this is causing the error in PI. I've raised an OSS note for a fix from SAP.

Please suggest here how to proceed further.
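
The comparison made in the post above (ValueType missing on the security token and on the reference to it), as an added example that is not part of the original post or SAP's code: a Python check that can be run over a traced SOAP header. The sample envelope, the "AAAA" token value and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
PKIPATH = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1")
NS = {"wsse": WSSE, "ds": DS}

def audit_security_header(xml_text, expected=PKIPATH):
    """Hypothetical helper: list ValueType / reference problems in a WS-Security header."""
    root = ET.fromstring(xml_text)
    findings, token_ids = [], set()
    for bst in root.iter(f"{{{WSSE}}}BinarySecurityToken"):
        token_id = bst.get(f"{{{WSU}}}Id")
        token_ids.add(token_id)
        if bst.get("ValueType") != expected:
            findings.append(f"BinarySecurityToken {token_id}: ValueType={bst.get('ValueType')!r}")
    for key_info in root.iter(f"{{{DS}}}KeyInfo"):
        refs = key_info.findall("wsse:SecurityTokenReference/wsse:Reference", NS)
        if not refs:
            findings.append("KeyInfo: no wsse:Reference to a security token")
        for ref in refs:
            uri = ref.get("URI", "")
            if not uri.startswith("#") or uri[1:] not in token_ids:
                findings.append(f"Reference {uri!r}: does not resolve to a token in this header")
            if ref.get("ValueType") != expected:
                findings.append(f"Reference {uri!r}: ValueType={ref.get('ValueType')!r}")
    return findings

# Constructed sample shaped like the traced PI payload: no ValueType anywhere.
# "AAAA" stands in for the base64 certificate data.
TRACED = f"""<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <SOAP:Header><wsse:Security>
    <wsse:BinarySecurityToken wsu:Id="sap-16">AAAA</wsse:BinarySecurityToken>
    <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
      <wsse:Reference URI="#sap-16"/>
    </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  </wsse:Security></SOAP:Header><SOAP:Body/>
</SOAP:Envelope>"""

# Same header with the ValueType the template carries added to token and reference.
EXPECTED = (TRACED
    .replace('wsu:Id="sap-16"', f'wsu:Id="sap-16" ValueType="{PKIPATH}"')
    .replace('URI="#sap-16"', f'URI="#sap-16" ValueType="{PKIPATH}"'))

if __name__ == "__main__":
    for label, doc in (("traced", TRACED), ("expected", EXPECTED)):
        print(label, audit_security_header(doc) or "OK")
```

The check covers attribute presence and reference resolution only; it does not verify the signature or the certificate.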


4 Answers

  • Best Answer
    Former Member
    Dec 07, 2017 at 04:35 PM

    This requirement (wssec signing only) was achieved using SOAP AXIS. A detailed explanation of the solution can be found at my blog: wssec signing


  • Former Member
    Nov 22, 2017 at 05:41 AM

    Any updates here!!


  • Former Member
    Nov 23, 2017 at 11:58 AM

    Update!!

    SAP confirmed that the SOAP channel does not fully support WS-Security and suggested using SOAP Axis. PI set-up is going on for this.


  • Former Member
    Nov 28, 2017 at 10:26 AM

    The Basis team deployed the AXIS-related jar into the PI server (xml sec 1.4.2 and wss4j - 1.5.6).

    I've configured the receiver axis channel with ws-security signing. Screenshot below. When I run the scenario, I'm getting an error.

    error log screenshot below.


    • Hi Avinash,

      Please check whether all the components have been deployed (the required and optional components should be in OK status) using the standard URL http://hostname:port/XIAxisAdapter/MessageServlet?parameters

      Regards

      Pavan