I need your immediate help to digitally sign request xml message for
synchronous webservice call on SAP PI 7.4(single stack). Requirement is
- SAP PI makes a request to the ZSMOPL, sends messages with the signature and the certificate used for the signature. This information must be in the header of the message (<soapenv: Header>). X.509 Certificates.
Can I use Soap adapter with webservice security profile? ( I tried this, but it throws error )
Or Do I have to go for java mapping. Can I please get the sample code to implement digital signature.
SOAP header template as provided by zsmopl
http://csioz.gov.pl/zsmopl/ws/obslugakomunikatow/" xmlns:soapenv=" http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-925981AA89D6C41EB3144465584498121">MIIGQDCCA2owggJSoAMCAQICCQCuBuTAUz+owz
http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
http://www.w3.org/2001/10/xml-exc-c14n#"> http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Transforms>
http://www.w3.org/2001/10/xml-exc-c14n#"> http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
http://www.w3.org/2000/09/xmldsig#sha1"/> eXyR08F9i3u8qQ3bJVccW6e/es8=
</ds:Reference>
</ds:SignedInfo> <ds:SignatureValue>NS45ULI7S81aXmchf37FS2y6va</ds:SignatureValue>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-925981AA89D6C41EB3144465584498123" xmlns:wsse11=" http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
-----------------------------------------------------------------------------------------------------------------------
Receiver SOAP channel, select "Select Security Profile". The "Security Profile" should be "Web Services Security".
On your Receiver Agreement/ICO that uses this channel, select the "Security Standard" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and select "Security Procedure (Request)" -> Sign.
On "Certificate for Signing (WS Request)", select your keystore and view for your digital certificate.
I have done above settings, then sent messages. Receiver SOAP channels throws error as " MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: Response message contains an errorXIAdapter/PARSING/ADAPTER.SOAP_EXCEPTION - soap fault: An invalid security token was provided Caused by: An invalid security token was provided (Bad ValueType "")"
be adding modules given in the blog https://blogs.sap.com/2015/10/26/http-tracing-in-soap-receiver-adapters-with-tracehttp-module-parameter/
I got the payload ( signed header + body ) sent by receiver SOAP Channel to zsmopl,
below is the payload.
<SOAP:Header>
MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgYhttp://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'>MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgY>
<ds:SignedInfo>
<ds:Reference URI='#wsuid-body-0ac9b863-cc3f-11e7-ad57-0000007f6e76'>
<ds:Transforms>
</ds:Transforms>
<ds:DigestValue>4Mrv2iByb7TSQKueTFri/im2WxY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>qttdS359FNhLXxRV6woxJCPtCuQ</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI='#sap-16'/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</SOAP:Header>
I could identify the difference b/w PI payload and the template, differences are in PI payloads, below values missing
1.xml attribute ValueType=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1”. this should be populated 3 times
2.There is no values populated under <keyinfo> tags.
I believe this is causing error in PI. I've raised OSS note for fix from SAP.
Please suggest here how to proceed further.
4 Answers
-
Best Answer
Former MemberPosted on Dec 07, 2017 at 04:35 PMThis requirement ( wssec signing only ) was achieved using SOAP AXIS. Detailed explanation of the solution can be found at my blog : wssec signing
Add comment
-
Former MemberPosted on Nov 28, 2017 at 10:26 AM
Basis team deployed AXIS related jar into PI server ( xml sec 1.4.2 and wss4j - 1.5.6 ).
I've configured the receiver axis channel with ws-security signing. Screenshot below. When I run the scenario, I'm getting an error.
error log screenshot below.
Add comment
Add comment