Enterprise services consumption by 3rd party -> Security

former_member198445

Dear Experts,

I am planning to create a few enterprise services using an inside-out approach (using FMs) with the intention of consuming them in a .NET WPF application (prototyping).

These web services would then be consumed by a third-party application which is outside our system landscape, in the near future. This 3rd-party application would thus have access to our data exposed through the interface.

My question is, first of all, is it possible to achieve this kind of communication without any mappings?

Secondly, how safe is it to provide such interfaces externally, and will the user authentication settings be enough to assure safe integration? Will the firewall settings affect this kind of 3rd-party communication over the internet?

Are there any problems that you all foresee?

Any comments on this would be great as I plan to start really soon..

Thanks a lot in advance,

Amith

Accepted Solutions (1)

Former Member

>My question is, first of all, is it possible to achieve this kind of communication without any mappings?

Yes, once the service is created, any .NET application can consume it by using the WSDL.

>Secondly, how safe is it to provide such interfaces externally and will the user authentication settings be enough to assure safe integration?

User/password with limited authorization is safe enough, but for extra security you would probably use certificates.

>Will the firewall settings affect this kind of 3rd-party communication over the internet?

No; if your landscape is open for HTTP communication, then the firewall will be unable to block any SOAP communication, as it is plain text.

>Are there any problems that you all foresee?

First see what your security risk appetite is, then check who the users will be: selective partners, or anyone who wants to use it. For selective users you can create a license or certificate key which needs to be used by the calling application to authenticate. Always create a different endpoint for different partners or users, so that you can selectively turn the communication on/off and will be able to trace who is doing what.

Hope this helps you.

Regards,

Gourav

former_member198445

Thank you Gourav for your swift response....

> user/password with limited authorization is safe enough

Do we need to create a new role for such a user?

So you are saying that the firewall will not block any SOAP calls to the network, and all I have to make sure is that the HTTP configuration is done by the Basis colleagues.... And any services created by me will be accessible to anyone with the WSDL.. right?

Any docs or links on the required HTTP settings would be of great help..

> First see what are your security risk appetite then check who will be user, selective partners or anyone who want to use it. For selective users you can create license or certificate key which need to be used to authenticate by calling application.

Can you please share some documentation where this has been covered? I want to know how this is done technically...

Thank you so much.

Regards,

Amith

Former Member

Hi Amith,

For additional security you could also consider SAML assertions with user-ID propagation. Then you would create a SAML endpoint binding. That works together with the user authorizations you set up for the user ID in the backend and would lock things down nicely with message-level encryption.

Regards, Trevor

Former Member

>Do we need to create a new role for such a user?

That would be better; these roles must have selective authorizations (like only to create a SalesOrder).

>And any services created by me will be accessible to anyone with the WSDL.. right?

Yes. Regarding opening HTTP communication, contact your Basis team; it is something very standard and they should know this.

Regards,

Gourav

former_member198445

Thanks Gourav,

So I can safely assume that a web service created by me in my SAP system can be accessed by a third party vendor within his system landscape without any issues in his application, irrespective of what platform it is on (.NET/JAVA).. All that is needed is the service created and its runtime configuration maintained..

Is this a scenario that you have implemented before?

Also, can the reverse process work without any hiccups, i.e. consuming a third-party web service by using the WSDL and creating a logical port in SOAMANAGER? Your inputs would be really helpful here.

So basically, to sum up, this kind of service based communication across networks can happen without using XI and just function modules exposed as web services..

Please let me know if you faced any issues when implementing such a scenario..

Thanks a lot in advance...

Amith

Edited by: Amith Menezes on Jul 8, 2010 9:58 AM

former_member198445

Thanks Trevor,

I really did not understand your response completely, but I will look into some online documentation and figure that out.

Do you have any inputs on my aforementioned query? Any inputs from you also would be of great help.

Regards,

Amith

Edited by: Amith Menezes on Jul 8, 2010 9:36 AM

Former Member

> irrespective of what platform it is on (.NET/JAVA)

Yes, as long as the consuming application can understand SOAP (the objective of WS is to allow interoperability).

>All that is needed is the service created and its runtime configuration maintained..

Yes; in short, the WSDL URL should be accessible from the consumer landscape.

>Is this a scenario that you have implemented before?

Yes, and lots of examples are available on SDN and MSDN for intercommunication between SAP and .NET.

>Also, can the reverse process work without any hiccups

Here is the catch: the SAP SOAP runtime does not support everything which can be developed by .NET and Java applications. For example, .NET WS allows you to pass user/password as part of the SOAP header, which is not understood by SAP, and you end up doing a workaround in ABAP to call such a service. But most things are supported.

>service based communication across networks can happen without using XI and just function modules exposed as web services..

For service-based communication you don't need XI/PI unless you want to take advantage of PI functionality like routing and transformation (mapping).

Regards,

Gourav

former_member198445

Thanks Gourav,

That was very helpful.

> in short, the WSDL URL should be accessible from the consumer landscape.

So are there any situations where it won't be accessible? Do I have to publish this web service somewhere (UDDI) to make it accessible in the consumer landscape?

Regards,

Amith

Former Member

Hi,

>So are there any situations where it won't be accessible?

Yes, when the system is NOT available on the internet (inside the LAN) or is purposely secured behind a firewall which blocks unwanted access. Such issues can be solved with the help of the Basis team. The only thing to remember is that the WSDL URL (or system) should be accessible from the consumer landscape (inside or outside the LAN). For example, your company's SAP systems are not reachable from my company's systems, so if we want to communicate we need to make them accessible without compromising overall security. Your Basis and network team will take care of this, and this is totally transparent for you.

>Do I have to publish this web service somewhere (UDDI) to make it accessible in the consumer landscape?

No. UDDI service registries do not play any role at runtime. They are just a yellow pages/directory of web services.

Regards,

Gourav

former_member198445

Hello Gourav,

Sorry for the delayed update.. I was held up with other work.

I now have a WS in ABAP which is fully functional when consumed in ABAP (using a report) but when I tried to test it using a SOA testing app (SOAPUI), I get a 'No logon data provided' error.

I provided the authentication to load the WSDL, but when the service is called, I do not get a chance for authentication. If I now have to consume this service in .NET, where would I provide the user credentials? Would they be part of the import parameters or the SOAP header? Please let me know..

Thanks in advance. Regards,

Amith

Former Member

Hi Amith,

In SoapUI you set the credentials in your request window, in the lower part under the Aut tab. Unfortunately you set the password in cleartext, so change to another tab once you have set it, in case you are doing some presentation or something.

regards, anton

Former Member

Oh, regarding .NET,

Although I don't use .NET, if you use HTTP authentication the credentials are an HTTP setting of your consumer object and have nothing to do with the payload itself. So you usually pass those credentials on object instantiation, or in a visual IDE in some dialog or tab for setting those parameters.

hope it helps,

anton
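An added illustration, not code from this thread or from SAP, assuming a hypothetical endpoint URL and a made-up temperature-conversion operation: a Python sketch of what a SOAP consumer actually sends, showing that the credentials are an HTTP Authorization header separate from the envelope, that Basic auth is only base64 (so it must travel over HTTPS), and how a captured header decodes straight back to the password.

```python
import base64
from urllib.parse import urlsplit
from urllib.request import Request

# Constructed values for the example: a hypothetical SAP endpoint and operation.
ENDPOINT = "https://sap.example.invalid/sap/bc/srt/rfc/sap/ztempconvert/100/ztempconvert/basic"
SOAP_ENVELOPE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:ex="urn:example:tempconvert">'
    "<soapenv:Header/>"
    "<soapenv:Body><ex:ZTempConvert><ex:Celsius>21.5</ex:Celsius></ex:ZTempConvert></soapenv:Body>"
    "</soapenv:Envelope>"
)


def basic_auth_header(user, password):
    """Build the Authorization header value for HTTP Basic auth.

    Basic auth is base64 encoding, not encryption: anyone who can read the
    HTTP stream recovers user and password unchanged."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_soap_request(endpoint, user, password, envelope=SOAP_ENVELOPE):
    """Assemble the HTTP request a SOAP consumer sends to the service.

    Credentials go into the transport-level Authorization header; the SOAP
    envelope is the body and needs no credential fields. Refuse plain http,
    because Basic credentials would then cross the network in cleartext."""
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("Basic auth over plain http would expose the password; use https")
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": '""',
        "Authorization": basic_auth_header(user, password),
    }
    return Request(endpoint, data=envelope.encode("utf-8"), headers=headers, method="POST")


def decode_basic_header(value):
    """Recover user and password from a captured Authorization header, which is
    exactly what an observer on an unencrypted hop can do."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password
```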

former_member198445

Thanks Anton,

The 'No Logon' error has vanished. But now it is 'SRT: Authorization denied'.... It is most probably because of the roles, but I have all the possible roles for WS consumption. Do you know of any other reason?

And thanks for the .NET related answer.

Cheers, Amith

Former Member

Hi,

Don't know exactly, but from a quick look at a system I'd guess

SAP_BC_WEBSERVICE_CONSUMER

or

SAP_BC_WEBSERVICE_SERVICE_USER

but this is just a guess.

anton

Former Member

Hi,

For calling the WS with user/password please use (from SAP help; userName and password are placeholders for your own values):

>ICredentials cred = new NetworkCredential(userName, password);
>svc.Credentials = cred;

Refer to this link

On the role-related issue, can you check if your user ID has the necessary authorization to execute business transactions in the backend (for example Create SalesOrder etc.)? Since you already have all WS-related authorizations, I think this issue is related to the function which this web service is performing.

Regards,

Gourav

former_member198445

> On the role-related issue, can you check if your user ID has the necessary authorization to execute business transactions in the backend

Thanks Gourav for the link.....

My userID has all the authorizations needed. But on the other hand, this web service does not touch any backend tables/transactions because it is just a test web service (does a temperature conversion). I am not able to figure out the reason for this error.

Do you have any other thought?

Regards,

Amith

Edited by: Amith Menezes on Oct 11, 2010 7:13 AM

former_member198445

> Hi,
>
> Don't know exactly, but from a quick look at a system I'd guess
>
> SAP_BC_WEBSERVICE_CONSUMER
>
> or
>
> SAP_BC_WEBSERVICE_SERVICE_USER
>
> but this is just a guess.
>
> anton

Thanks Anton,

I have all these roles, but I am still facing the same issue.

Rgds,

Amith

Former Member

Hi Amith,

Can you tell me what you did in SOAMANAGER? Did you choose "Basic HTTP Authentication" (user/password) or any other option?

Regards,

Gourav

former_member198445

Hi Gourav,

I have used the HTTP Basic Authentication method with 'User ID/Password' for transport channel authentication.

Our SAP NetWeaver version is 7.1 EHP4, so the SOAMANAGER configuration app may be slightly different.

But it is HTTP Basic with User ID/Password.

Regards,

Amith

Former Member

Hi Amith,

SAP_BC_WEBSERVICE_CONSUMER should have worked for you, I'm not sure why it isn't working if this is just a test web service.

Try turning on the authorisation trace in TCode ST01, then send through your request & check the trace. It will tell you what authorisation is missing. Remember to turn the trace off again.

Have you activated your web service in TCode SICF?

Regards, Trevor

former_member198445

Hi Trevor,

I debugged the 'AUTHORITY_CHECK' method of the class 'CL_WS_SECURITY_PROTOCOL'.

The check is failing for the authorization object 'S_SERVICE'.

This check is not against the user but is for the service itself. The function module 'AUTH_TRACE_INTERN_HASH' returns a hash code for every service, and this is then checked for the auth object 'S_SERVICE'. This is the cause of the failure.

Any clue as to what this object is?

Kind regards,

Amith

Former Member

Hi Amith,

The S_SERVICE object should form part of the SAP_BC_WEBSERVICE_CONSUMER role; that's why I couldn't understand why it wasn't working for you. Check the authorisation objects listing for role SAP_BC_WEBSERVICE_CONSUMER in TCode PFCG, and if you have red lights in the authorisations and user tabs you could try re-generating the SAP_BC_WEBSERVICE_CONSUMER role to see if that helps.

Alternatively, just while you're testing you could also use the SAP_BC_WEBSERVICE_ADMIN role & that should get things working temporarily for you. You might also need to have a look at SAP note 1120760 & see if it's relevant for you but I think if you're already on EHP4 then you should be okay.

Regards, Trevor

former_member198445

Thanks a lot Trevor.. Regenerating the role SAP_BC_WEBSERVICE_CONSUMER worked for me..

Former Member

Hi Trevor Naidoo,

Once again greetings.... I have also had the same problem. Then I followed your instructions, I mean in the Authorization tab of services (S_SERVICE, SAP_BC_WEBSERVICE_CONSUMER) in tcode PFCG.

Now it turned from a red to a green light after I saved. But still my Web Service Navigator is not working. It says as follows.

what can i do now?

-Janaraja
