on 04-23-2011 5:45 PM
I am on PI 7.11 and have a receiver soap comm. channel for accessing an external vendor's webservice. Their requirement is to use Web Services Security Username Token authentication scheme - as an example the soap message must look something like:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2007-07-06T13:51:53.860Z</wsu:Created>
<wsu:Expires>2007-07-06T13:56:53.860Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken>
<wsse:Username>ztest</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">9xxxxxxxxxxxxxxxxxxxxxxxxxx=</wsse:Password>
<wsse:Nonce>Wyyyyyyyyyyyyyyyyyyyyy==</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2007-07-06T13:51:53.844Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
...
</soapenv:Body>
</soapenv:Envelope>
I would be interested in knowing how this type of soap msg / wss has been implemented by anyone. The SAP documentation at http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ce4829a0d7154ee10000000a421937/frameset.htm seems vague (at least to me it is). I saw another post () that's comparable but not sure what the best way to go is - is it a combination of soap adapter Module settings, xslt mapping, Axis adapter or other approaches...
Any information on this is greatly appreciated.
Regards,
Keith
Edited by: Keith Mollet on Apr 26, 2011 3:56 PM
Username token is one of the user authentication methods in web services. The SOAP adapter does not support this directly. The Axis framework references the open source Apache Axis API, which supports Username Token.
One option is to use the Axis adapter and see whether you are able to create the header with the username token as you described. The second option is to use XSLT mapping and create the SOAP Header for the username token.
Thanks Baskar for your reply. Yes, I have seen posts allude to Axis and xslt, but what I don't understand is that by setting the soap receiver comm. channel checkbox "Select Security Profile" on, the associated Receiver Agreement then has a section of fields open up ("Security Standard", and "....Procedure") which actually default to the appropriate xsd setting (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd). This almost implies that SAP has in fact integrated in this wss set of values??? If not, then what does this setting actually mean?
Thanks,
Keith
Those features cover encrypting and decrypting the data and signing and verifying (validating) the digital signature of the message. Username token is another method of authentication. In addition to https with client authentication and username/password, this is another way of sending the user/password credentials to the trading partner.
Refer this link
http://www.oasis-open.org/committees/wss/documents/WSS-Username-02-0223-merged.pdf
Hi - we have generated the 'correct' soap message now with the wss injected, BUT we are still having an issue whereby the digest I create does not match the vendor's, and thus attempting to access their WS is denied. My question now is that given my set-up below, and the fact it's supposedly using the following algorithm (as per line 113 of:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf)
Password_Digest = Base64 ( SHA-1 ( nonce + createdTime + password ) )
"That is, concatenate the nonce, creation timestamp, and the password (or shared secret or
password equivalent), digest the combination using the SHA-1 hash algorithm, then include the
Base64 encoding of that result as the password (digest)."
Does anyone see anything I may be missing? Does the password have to be added to the action line? I have tried this and the digest created is still not the same as the vendor's.
We installed the Apache .jar files (1.5.1, which we may be bumping up to 1.5.4 or higher soon) and I have set up the Axis adapter, Module settings as follows:
Processing Sequence:
1 AF_Adapters/axis/AFAdapterBean Local Enterprise Bean afreq
2 AF_Adapters/axis/HandlerBean Local Enterprise Bean xireq
3 AF_Adapters/axis/HandlerBean Local Enterprise Bean wssec
4 AF_Adapters/axis/HandlerBean Local Enterprise Bean trp
5 AF_Adapters/axis/HandlerBean Local Enterprise Bean xires
6 AF_Adapters/axis/AFAdapterBean Local Enterprise Bean afres
Module Configuration:
trp handler.type java:com.sap.aii.adapter.axis.ra.transport.http.HTTPSender
trp module.pivot true
wssec action UsernameToken Timestamp
wssec addUTElement Nonce Created
wssec handler.type java:com.sap.aii.adapter.axis.ra.handlers.security.WSDoAllSender
wssec passwordType PasswordDigest
wssec pwd.password <shared secret>
wssec user <username>
xireq handler.type java:com.sap.aii.axis.xi.XI30OutboundHandler
xires handler.type java:com.sap.aii.axis.xi.XI30OutboundHandler
This is all as per Note 1039369 and by viewing other SDN posts.
Thanks,
Keith
Marked this thread as 'Answered'. Our Axis adapter set-up needed the setting
Payload Extraction = SOAP Body Child
set. After setting that, it all worked. The error occurring previously appeared to allude to a ws (pure) security issue, but the reality was that our Axis set-up was fine. The real issue was the xml formation missing the values which the above setting provides.
Thanks,
Keith
Hi Keith/Baskar,
I am doing a similar scenario with username token along with message encryption and signature for wssec.
I have deployed and am using the axis protocol of the soap adapter and configured the modules as shown in the attached screen.
It is almost the same as what you did. But it gives me the below error when I use password Digest.
Error While Sending Message: Additional error text from response: com.sap.engine.interfaces.messaging.api.exception.MessagingException: security.wssecurity.WSSContextImpl.s02: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest was supplied, but only http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText is supported. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@4d774d77 |
When I used PasswordText instead of PasswordDigest (everything else is the same), I get the below error, even though I have added it as UsernameToken Timestamp
Error While Sending Message: Additional error text from response: com.sap.engine.interfaces.messaging.api.exception.MessagingException: security.wssecurity.WSSContextImpl.s02: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: CWWSS5327E: A null value is not allowed for the created time of the time stamp. The Application Server expected the wsu:Created element. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@7d5e7d5e
I needed security configuration for encryption and signature as well for encoding the username token. I have deployed the public provider in trusted CAs and the private key pair in the default key store. But I have still not configured the encryption modules as I wanted to get through this username token issue in the first place.
Please also find attached the security xml the provider is expecting.
Could you please help me here?
Regards,
Mahesh
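The two failure modes discussed in this thread (Keith's digest not matching the vendor's, and the provider rejecting a token whose Timestamp lacks wsu:Created) both come down to how the wsse:Security header is built from the profile formula Password_Digest = Base64(SHA-1(nonce + created + password)). The example below is added here and is not code from the thread or from SAP/Axis: it builds a header carrying both the wsu:Timestamp (Created and Expires) and the UsernameToken (Nonce and Created), and shows the receiver-side checks a service would apply (freshness window, nonce replay cache, constant-time digest comparison). The one detail most often responsible for a digest mismatch is that the nonce enters the hash as its raw bytes, not as its Base64 text. Function names, the clock-skew limit and the sample credentials are assumptions.

```python
"""Illustrative example (not from the thread): build and verify a WS-Security
UsernameToken with PasswordDigest per the OASIS Username Token Profile 1.0:
    Password_Digest = Base64( SHA-1( nonce + created + password ) )
The nonce is hashed as its raw (Base64-decoded) bytes; created and password
are hashed as UTF-8 text. All function names and sample values are assumptions."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAPENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce_bytes + created + password)); nonce is decoded first."""
    nonce_bytes = base64.b64decode(nonce_b64)  # raw nonce, not its Base64 text
    h = hashlib.sha1(nonce_bytes + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def wsu_timestamp(dt: datetime) -> str:
    """Format a UTC datetime as the millisecond xsd:dateTime the thread's sample uses."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_security_header(username, password, now=None, nonce=None, ttl_seconds=300):
    """Sender side: wsse:Security with a Timestamp (Created+Expires) and a
    UsernameToken (Username, Password digest, Nonce, Created)."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)  # fresh random nonce per message
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    created = wsu_timestamp(now)
    expires = wsu_timestamp(now + timedelta(seconds=ttl_seconds))
    digest = password_digest(nonce_b64, created, password)
    return (
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}" '
        f'xmlns:soapenv="{SOAPENV_NS}" soapenv:mustUnderstand="1">'
        f"<wsu:Timestamp><wsu:Created>{created}</wsu:Created>"
        f"<wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>"
        f"<wsse:UsernameToken><wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
        f"<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
        f"</wsse:UsernameToken></wsse:Security>"
    )


def verify_username_token(header_xml, lookup_password, seen_nonces, now=None, max_skew_seconds=300):
    """Receiver side: require PasswordDigest, a Created within the skew window,
    an unseen nonce (replay protection), and a matching digest (constant-time)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(header_xml)
    tok = root.find(f"{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        return False
    user = tok.findtext(f"{{{WSSE_NS}}}Username")
    pwd_el = tok.find(f"{{{WSSE_NS}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce")
    created = tok.findtext(f"{{{WSU_NS}}}Created")
    if pwd_el is None or pwd_el.get("Type") != DIGEST_TYPE or not (user and nonce_b64 and created):
        return False
    created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    if abs((now - created_dt).total_seconds()) > max_skew_seconds:
        return False  # stale or far-future token
    if nonce_b64 in seen_nonces:
        return False  # replayed token
    password = lookup_password(user)
    if password is None:
        return False
    expected = password_digest(nonce_b64, created, password)
    if not hmac.compare_digest(expected, pwd_el.text or ""):
        return False
    seen_nonces.add(nonce_b64)
    return True


def demo():
    """Scenario with a fixed clock and a constructed nonce; returns the outcomes."""
    fixed = datetime(2007, 7, 6, 13, 51, 53, 860000, tzinfo=timezone.utc)
    hdr = build_security_header("ztest", "secret", now=fixed, nonce=b"0123456789abcdef")
    creds = {"ztest": "secret"}.get  # constructed credential store
    seen = set()
    return {
        "fresh": verify_username_token(hdr, creds, seen, now=fixed),
        "replay": verify_username_token(hdr, creds, seen, now=fixed),
        "stale": verify_username_token(hdr, creds, set(), now=fixed + timedelta(seconds=600)),
        "wrong_password": verify_username_token(hdr, {"ztest": "other"}.get, set(), now=fixed),
    }


if __name__ == "__main__":
    print(demo())
```

When comparing your own digest with the vendor's, compute it with exactly the Nonce and Created strings that appear in the message you sent; a digest built from the Base64 nonce text, or from a Created value that was re-serialized with different precision, will never match. The receiver-side checks are what makes the digest useful at all: without the freshness window and nonce cache, a captured token could simply be resent.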
Hello Gopalakrishnan,
I need to design an (asynchronous) interface in my PI 7.1 to receive a webservice call and forward it to my backend system through RFC or Proxy.
But the sender system is not able to use client certificates. And we don't want to send user/password as url-parameters.
So I have to do it on my side:
-Using http sender adapter (http-plain-adapter)
I can get the request through the http channel. Can I add user/password to my adapter?
-Using SOAP-Sender: Is there a security option to use soap https without authentication?
-Using SOAP AXIS: Can I use the wss-parameters also in a soap sender side ?
What is the best way to do it?
Thanks and best Regards
Fard