Scribd
Upload
139 views6 pages

Sender SOAP Adapter

SAP PI

Uploaded by

arankota
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
139 views6 pages

Sender SOAP Adapter

SAP PI

Uploaded by

arankota
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 6

Sender SOAP Adapter: HTTPS with Client

Authentication
Posted by Aashish Sinha in Process Integration (PI) & SOA Middleware on 20-Sep-2013 03:27:58
inShare1

I worked on multiple scenarios where we used to receive data from our partners and I know most of
you including me used to exchange certificate rather using simple username/password combination for
exchanging data with partners with HTTPS protocol.

Very commonly, after exchanging certificates and completing all configuration with respect to SSL,
partners are not able to post data to us and getting errors due to username/password. Partners are
getting below error while calling SAP PI SOAP URL.
401 – Unauthorized error.

A very simple solution to this error is to create a username/password and provide it to partner to
include this user in program and post data. Sometime partners ask to make it anonymous so that they
can post data anonymously.
To make SOAP Adapter call anonymous, look into below thread for William Li’s reply.
http://scn.sap.com/thread/236507

Personally, I don’t like this solution as it is disabling XISOAPAdapter login for all requests.

Now again we are back to square one and question still with use.
What is the use of exchanging certificate?

We exchange certificate because we don’t want to use username and password in between and it
should be automatic communication between Partners and our system.
Let’s go a bit inside of this issue.
I will say, below things are done from our side
1. Certificate exchanged and installed.
2. SSL configured (means HTTPS ports are created)
Once above 2 are done, we normally completes our scenario. In SOAP Sender channel, and choose one
of the HTTP Security levels. we have HTTP security level with 3 options –
 - HTTP
 - HTTPS Without Client Authentication
 - HTTPS With Client Authentication
Use HTTP is our normal scenario. When we use HTTPS without Client Authentication, it won’t look out
for certificates. When we choose HTTPS with Client Authentication it will look out for certificates. So
when we exchange certificates we need to select option 3.
But when we choose, partners start getting unauthorized error, as our system is not ready to receive
data from partners. We need to made changes in our system.
We faced similar issues and we have dig it deep to find solution.
Alas, we succeeded to do client authentication with certificate exchange for Sender SOAP Adapter with
our partners.
Requirement was to receive Data (XML data) from partners to our system using SOAP Adapter. While
establishing connection and posting data to our PI Box, partner were getting 401 – Unauthorized error.
Scenario for this interface was SOAP (XML Message from partner) -> SAP PI -> SAP ECC (Standard
Server Proxy). Development procedure is normal procedure and I expect all development is complete
with respect to PI development.
Note: PI development is not part of this weblog.

Assumption –
1. Certificate Exchanged are done.
2. SSL Ports are configured
3. Certificates are already installed in PI system (STRUST/NWA : Certificates)
4. All network/DNS things are done – e.g.: Port Opening, Public IP etc.
First we will check configuration of SOAP Sender Channel for this scenario.
SOAP Sender Communication Channel –

As you can see above, in HTTP security level, value selected is HTTPS with Client Authentication. This
indicates that SAP PI will authenticate Certificate coming with SOAP request and then only it will get
posted to pi and ECC.

How does it works?

When SOAP request come to SAP PI through partners, system reads information from certificate and
then it does a lookup for the user associated with this certificate and authenticate this user against
SOAP Adapter. Once this authentication is successful, system looks out for the authorizations of
associated user if the user is capable enough to post data to PI system. If everything is fine, data will
get posted to SAP PI.
Now the question is how we do all these settings in PI. Below are the steps:

Step 1 - Find one service user for which we will install certificate. To do so, go to below location in
NWA.
NWA -> Configuration -> Identity Management
Give username and click on go. (You can use service user PIISUSER). Then select user and check below
if you have Certificates Tab. If you don’t have Certificates Tab follow as below.

Go to –
NWA -> Configuration -> Authentication and Single Sign On
Click on Properties and Modify value of ume.logon.allow_cert as below.
Once above setting is saved, move back to Identity management and open the user for which you
want to install the certificate. In my case, I am using user PIISUSER service user. You will see
Certificate tab appeared.

Click on certificate tab, Click on modify and then upload the certificate you have with your partner.

Once above is done, we are halfway through.

Step 2 – Go to - NWA -> Configuration -> Authentication and Single Sign on -> Authentication Tab

From Type Filter Choose Other and press enter.


Now we need to change value of CertLogon and Default of Policy Configuration Name.

Click on Edit and provide values of both Policies as client_cert, like below screenshot.

We are done with second step. Final step will take care of Soap Adapter Authentication.

Step 3 – This step requires to assign whatever you did above to XISOAPAdapter. Do you remember
this parameter in SOAP Sender URL? Yes we need to set value for this field as well to make this
scenario working with client authentication.

To configure XISOAPAdapter go to
NWA -> Configuration -> Authentication and Single Sign on -> Authentication Tab
From Type dropdown choose Web. In next screen filter *SOAP* in Policy Configuration Name and you
will get SOAP Adapter details.
Select XISOAPAdapter line and click on edit to modify value. Assign Value as client_cert below in used
template.

Now we are ready to receive data with SOAP Sender Adapter – HTTPS with Client Authentication.
Below are the traces of message received when partner sent soap request to us –
We are done with configuration and message started flowing to our system.
Most Important part of this scenario is - "SOAP request should have Certificate". Then only it will lookup
for certificate and authenticate the user.

Above configuration changes are applicable only for Client Authentication and you SOAP Adapter will
only accept Client authentication method. To make you configuration working for both kind of
authentication, do as per below -

Go to NWA -> Configuration -> Authentication and Single Sign On and Edit Client_Cert Poilicy
configuration to add BasicPasswordLoginModule as Optional.
Have a look below.

After above configuration, Your SOAP adapter will work in Basic authentication as well as with Client
certificate.
16438 Views Categories: Process Orchestration, Process

You might also like