Former Member
Nov 18, 2017 at 12:49 PM

Digital signature and validation for sync web-service

1085 Views

I need your immediate help to digitally sign the request XML message for a synchronous web-service call on SAP PI 7.4 (single stack). The requirement is:

  1. SAP PI makes a request to ZSMOPL and sends messages with the signature and the certificate used for the signature. This information must be in the header of the message (<soapenv:Header>). X.509 certificates.

Can I use the SOAP adapter with the web-service security profile? (I tried this, but it throws an error.)

Or do I have to go for a Java mapping? Can I please get sample code to implement the digital signature?

SOAP header template as provided by zsmopl

http://csioz.gov.pl/zsmopl/ws/obslugakomunikatow/" xmlns:soapenv=" http://schemas.xmlsoap.org/soap/envelope/">

<soapenv:Header>

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-925981AA89D6C41EB3144465584498121">MIIGQDCCA2owggJSoAMCAQICCQCuBuTAUz+owz

http://www.w3.org/2000/09/xmldsig#">

<ds:SignedInfo>

http://www.w3.org/2001/10/xml-exc-c14n#"> http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:CanonicalizationMethod>

http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

<ds:Transforms>

http://www.w3.org/2001/10/xml-exc-c14n#"> http://www.w3.org/2001/10/xml-exc-c14n#"/>

</ds:Transform>

</ds:Transforms>

http://www.w3.org/2000/09/xmldsig#sha1"/> eXyR08F9i3u8qQ3bJVccW6e/es8=

</ds:Reference>

</ds:SignedInfo> <ds:SignatureValue>NS45ULI7S81aXmchf37FS2y6va</ds:SignatureValue>

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-925981AA89D6C41EB3144465584498123" xmlns:wsse11=" http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>

</wsse:SecurityTokenReference>

</ds:KeyInfo>

</ds:Signature>

</wsse:Security>

</soapenv:Header>

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

-----------------------------------------------------------------------------------------------------------------------

Receiver SOAP channel, select "Select Security Profile". The "Security Profile" should be "Web Services Security".

On your Receiver Agreement/ICO that uses this channel, select the "Security Standard" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and select "Security Procedure (Request)" -> Sign.

On "Certificate for Signing (WS Request)", select your keystore and view for your digital certificate.

I have done the above settings and then sent messages. The receiver SOAP channel throws this error: "MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: Response message contains an errorXIAdapter/PARSING/ADAPTER.SOAP_EXCEPTION - soap fault: An invalid security token was provided Caused by: An invalid security token was provided (Bad ValueType "")"

By adding the modules given in the blog https://blogs.sap.com/2015/10/26/http-tracing-in-soap-receiver-adapters-with-tracehttp-module-parameter/ I got the payload (signed header + body) sent by the receiver SOAP channel to ZSMOPL. Below is the payload.

<SOAP:Header>

MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgYhttp:// docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'>MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgY>

<ds:SignedInfo>

<ds:Reference URI='#wsuid-body-0ac9b863-cc3f-11e7-ad57-0000007f6e76'>

<ds:Transforms>

</ds:Transforms>

<ds:DigestValue>4Mrv2iByb7TSQKueTFri/im2WxY=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo>

<ds:SignatureValue>qttdS359FNhLXxRV6woxJCPtCuQ</ds:SignatureValue>

<ds:KeyInfo>

<wsse:SecurityTokenReference>

<wsse:Reference URI='#sap-16'/>

</wsse:SecurityTokenReference>

</ds:KeyInfo>

</ds:Signature>

</wsse:Security>

</SOAP:Header>


I could identify the differences between the PI payload and the template. In the PI payload, the values below are missing:

1. The XML attribute ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1". This should be populated 3 times.
2. There are no values populated under the <keyinfo> tags.

I believe this is causing the error in PI. I've raised an OSS note for a fix from SAP.

Please suggest here how to proceed further.
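
The comparison described in the post can be automated against a captured payload. The following is an added example, not part of the original post and not SAP code: it checks that the wsse:BinarySecurityToken and the wsse:Reference under ds:KeyInfo carry the ValueType the template requires, and that the reference resolves to a token. The function name, the sample envelope and its "tok-1" id are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
# ValueType the receiver's template uses (taken from the post).
PKIPATH = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"


def check_token_types(soap_xml, expected=PKIPATH):
    """Return findings about ValueType attributes in a WS-Security header."""
    root = ET.fromstring(soap_xml)
    findings = []
    token_ids = set()
    for tok in root.findall(f".//{{{WSSE}}}BinarySecurityToken"):
        tid = tok.get(f"{{{WSU}}}Id")
        token_ids.add(tid)
        vt = tok.get("ValueType", "")
        if vt != expected:
            findings.append(f"BinarySecurityToken {tid}: ValueType is {vt!r}")
    refs = root.findall(
        f".//{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    if not refs:
        findings.append("KeyInfo: no wsse:Reference to a token")
    for ref in refs:
        uri = ref.get("URI", "")
        vt = ref.get("ValueType", "")
        if vt != expected:
            findings.append(f"Reference {uri}: ValueType is {vt!r}")
        # The fragment must match the wsu:Id of a token in the same message.
        if uri.lstrip("#") not in token_ids:
            findings.append(f"Reference {uri}: no token with that wsu:Id")
    return findings


# Constructed sample shaped like the captured PI header: no ValueType anywhere.
SAMPLE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}"><s:Header><wsse:Security>
<wsse:BinarySecurityToken wsu:Id="tok-1">AAAA</wsse:BinarySecurityToken>
<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
<wsse:Reference URI="#tok-1"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security></s:Header><s:Body/></s:Envelope>"""

if __name__ == "__main__":
    for finding in check_token_types(SAMPLE):
        print(finding)
```

An empty result means both elements carry the expected ValueType; it does not validate the signature itself.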