I need your immediate help to digitally sign a request XML message for a
synchronous web service call on SAP PI 7.4 (single stack). The requirement is:
- SAP PI makes a request to the ZSMOPL and sends messages with the signature and the certificate used for the signature. This information must be in the header of the message (<soapenv:Header>). X.509 certificates.
Can I use the SOAP adapter with the web service security profile? (I tried this, but it throws an error.)
Or do I have to go for a Java mapping? Can I please get sample code to implement the digital signature?
SOAP header template as provided by ZSMOPL:
http://csioz.gov.pl/zsmopl/ws/obslugakomunikatow/" xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-925981AA89D6C41EB3144465584498121">MIIGQDCCA2owggJSoAMCAQICCQCuBuTAUz+owz
http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
http://www.w3.org/2001/10/xml-exc-c14n#">
http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Transforms>
http://www.w3.org/2001/10/xml-exc-c14n#">
http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
http://www.w3.org/2000/09/xmldsig#sha1"/>
eXyR08F9i3u8qQ3bJVccW6e/es8=
</ds:Reference>
</ds:SignedInfo> <ds:SignatureValue>NS45ULI7S81aXmchf37FS2y6va</ds:SignatureValue>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-925981AA89D6C41EB3144465584498123" xmlns:wsse11="
http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
-----------------------------------------------------------------------------------------------------------------------
Receiver SOAP channel, select "Select Security Profile". The "Security Profile" should be "Web Services Security".
On your Receiver Agreement/ICO that uses this channel, select the "Security Standard" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and select "Security Procedure (Request)" -> Sign.
On "Certificate for Signing (WS Request)", select your keystore and view for your digital certificate.
I have done the above settings and then sent messages. The receiver SOAP channel throws the error "MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: Response message contains an errorXIAdapter/PARSING/ADAPTER.SOAP_EXCEPTION - soap fault: An invalid security token was provided Caused by: An invalid security token was provided (Bad ValueType "")"
By adding the modules given in the blog https://blogs.sap.com/2015/10/26/http-tracing-in-soap-receiver-adapters-with-tracehttp-module-parameter/
I got the payload (signed header + body) sent by the receiver SOAP channel to ZSMOPL;
the payload is below.
<SOAP:Header>
MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgYhttp://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'>MIIFDDCCAvSgAwIBAgICA3cwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlBMMRQwEgY>
<ds:SignedInfo>
<ds:Reference URI='#wsuid-body-0ac9b863-cc3f-11e7-ad57-0000007f6e76'>
<ds:Transforms>
</ds:Transforms>
<ds:DigestValue>4Mrv2iByb7TSQKueTFri/im2WxY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>qttdS359FNhLXxRV6woxJCPtCuQ</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI='#sap-16'/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</SOAP:Header>
I could identify the differences between the PI payload and the template. In the PI payload, the values below are missing:
1. The XML attribute ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1". This should be populated 3 times.
2. There are no values populated under the <keyinfo> tags.
I believe this is causing the error in PI. I've raised an OSS note for a fix from SAP.
Please suggest here how to proceed further.
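The comparison described in the post can be automated against a traced payload. The following is an added example, not code from the original post or from SAP: it checks whether a WS-Security header carries the expected token profile in three places, assumed here to be the `ValueType` of `wsse:BinarySecurityToken`, the `wsse11:TokenType` of `wsse:SecurityTokenReference`, and the `ValueType` of `wsse:Reference`. The function names and the sample header are constructed for illustration, and the signature itself is not verified.

```python
import xml.etree.ElementTree as ET

OASIS = "http://docs.oasis-open.org/wss/"
WSSE = OASIS + "2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = OASIS + "2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE11 = OASIS + "oasis-wss-wssecurity-secext-1.1.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
PKIPATH = OASIS + "2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"

def check_token_profile(xml_text, expected=PKIPATH):
    """Return findings; an empty list means the token profile is consistent."""
    root = ET.fromstring(xml_text)
    bst = root.find(f".//{{{WSSE}}}BinarySecurityToken")
    if bst is None:
        return ["no wsse:BinarySecurityToken"]
    out = []
    if bst.get("ValueType", "") != expected:
        out.append("BinarySecurityToken/@ValueType")
    ref_holder = root.find(f".//{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference")
    if ref_holder is None:
        return out + ["no SecurityTokenReference under ds:KeyInfo"]
    # Assumption: the template's second occurrence is the WSS 1.1 TokenType.
    if ref_holder.get(f"{{{WSSE11}}}TokenType", "") != expected:
        out.append("SecurityTokenReference/@wsse11:TokenType")
    ref = ref_holder.find(f"{{{WSSE}}}Reference")
    if ref is None:
        return out + ["no wsse:Reference"]
    if ref.get("ValueType", "") != expected:
        out.append("Reference/@ValueType")
    # The reference must resolve to the token it claims to describe.
    if ref.get("URI", "")[1:] != bst.get(f"{{{WSU}}}Id"):
        out.append("Reference/@URI does not point at the token's wsu:Id")
    return out

def sample(value_type):
    """Constructed header; value_type='' mimics a message lacking the attributes."""
    vt = f' ValueType="{value_type}"' if value_type else ""
    tt = f' wsse11:TokenType="{value_type}"' if value_type else ""
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" '
            f'xmlns:wsse11="{WSSE11}" xmlns:ds="{DS}">'
            f'<wsse:BinarySecurityToken wsu:Id="tok-1"{vt}>Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>'
            f'<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference{tt}>'
            f'<wsse:Reference URI="#tok-1"{vt}/></wsse:SecurityTokenReference>'
            f'</ds:KeyInfo></ds:Signature></wsse:Security>')

if __name__ == "__main__":
    for label, vt in (("with profile", PKIPATH), ("without", "")):
        print(label, check_token_profile(sample(vt)) or "OK")
```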