By default, SAP PI provides basic authentication for its inbound web service scenarios. A service user is authenticated by the SOAP message servlet and the message is passed through.
In some scenarios we are required to add an additional authentication mechanism. SAP has provided a few options in the WS adapter, but it is not yet available for single-stack SAP PO 7.3.
Even with the WS adapter there are limitations, such as the availability of a certificate signing authority, and non-Java-based systems that are unable to generate an SAP single sign-on token using its API.
In this blog I will explain a simple implementation of the Axis adapter that accepts a username token with password digest as well as password text to authenticate arbitrary users. I am assuming the ESR and ID have been configured like any other scenario, so we only need to do the configuration in NWA and in the communication channel.
Log in to NWA -> Configuration -> Authentication and Single Sign-On.
Edit the policy configuration and search for “axis”.
You will get the policy configuration name “sap.com/com.sap.aii.axis.app*XIAxisAdapter”.
Edit the login modules and change them as per the screenshot:
BasicPasswordLoginModule = “SUFFICIENT”
DigestLoginModule = “REQUISITE”
Now we are ready to configure our communication channel.
Create a SOAP sender communication channel and select the transport protocol Servlet (Axis).
Below is the module configuration for arbitrary user login.
Each additional module parameter is explained here.
This module parameter is used for basic authentication:
Module Key | Parameter Name | Parameter Value |
---|---|---|
auth | handler.type | java:org.apache.axis.handlers.http.HTTPAuthHandler |
This handler type is used for user login based on a specific authentication scheme. Here we are using basic authentication as well as the username token.
Module Key | Parameter Name | Parameter Value |
---|---|---|
login | handler.type | java:com.sap.aii.adapter.axis.ra.handlers.security.LoginHandler |
This handler type accepts the user token generated by the client and puts it into the message context.
For arbitrary users, the user parameters are set to “*” and the password type must be set to PasswordText so that the password can be retrieved from the message header. This is a very useful feature when the user needs to authenticate to an end system, such as SAP CRM in our scenario. We can configure principal propagation between PI and CRM, and in PI tick the principal propagation check box in the integrated configuration.
Module Key | Parameter Name | Parameter Value |
---|---|---|
usertoken | handler.type | java:com.sap.aii.adapter.axis.ra.handlers.security.WSDoAllReceiver |
usertoken | action | UsernameToken |
usertoken | Pwd.password | * |
usertoken | user | * |
Below is the request message for usernameToken and passwordText.
PI communication channel log:
This screenshot gives a clear picture of how each individual module is executed at run time.
Module configuration for passwordDigest:
We can use password digest for a specific user. In this case the client should call the web service with the same user ID.
This provides added security, as the password is not sent as plain text.
Module Key | Parameter Name | Parameter Value |
---|---|---|
usertoken | handler.type | java:com.sap.aii.adapter.axis.ra.handlers.security.WSDoAllReceiver |
usertoken | action | UsernameToken |
usertoken | Pwd.password | ******* |
usertoken | user | srd474 |
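
How a client computes the PasswordDigest value for a channel configured like this, and how a receiver can validate it, as an added example (not code from the original post or from the Axis adapter): it follows the OASIS WS-Security UsernameToken Profile formula Base64(SHA-1(nonce + created + password)). The function names, the five-minute freshness window, the in-memory nonce cache and the sample password are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)); nonce is the decoded bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_security_header(user: str, password: str, nonce=None, now=None) -> str:
    """Client side: wsse:Security header carrying a PasswordDigest UsernameToken."""
    nonce = nonce or os.urandom(16)          # fresh random nonce per request
    created = (now or datetime.now(timezone.utc)).strftime(TS_FORMAT)
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f'<wsse:Username>{escape(user)}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f'{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security>'
    )

def verify_token(digest, nonce_b64, created, password, seen_nonces,
                 now=None, max_age=timedelta(minutes=5)) -> bool:
    """Receiver side: freshness window, nonce replay cache, constant-time compare."""
    now = now or datetime.now(timezone.utc)
    issued = datetime.strptime(created, TS_FORMAT).replace(tzinfo=timezone.utc)
    if abs(now - issued) > max_age:
        return False                          # stale or future-dated token
    if nonce_b64 in seen_nonces:
        return False                          # nonce already used: replay
    expected = password_digest(base64.b64decode(nonce_b64), created, password)
    if not hmac.compare_digest(expected, digest):
        return False                          # wrong password or tampered fields
    seen_nonces.add(nonce_b64)
    return True

if __name__ == "__main__":
    # Constructed sample values; the password is a placeholder, not from the page.
    print(build_security_header("srd474", "example-password"))
```

The digest only hides the password from a passive observer of a single message; the freshness and nonce checks are what stop a captured header from being replayed, and the call should still travel over HTTPS.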
Request message for passwordDigest:-
Message log:-