
SSL / X.509 In SOAP Sender/Receiver Adapter

former_member185845

Hi Friends,

We have a few third-party Java-based systems which need to integrate with SAP PI 7.1.

For this we are using:

SOAP Sender from third party to PI

SOAP Receiver from PI to third-party systems

The customer wants to implement SSL / X.509 certificates for encryption and decryption as one of the options.

We are facing a few issues, like:

I am assuming each of the source system web service calls will have to use a username/password to authenticate with the PI system.

a. Will this use 'basic authentication', i.e., credentials sent over as part of the HTTP header field?

   i. Assuming we use SSL for transport level security - this is still not secure as the credentials are not encrypted

   ii. Is there a way to send in encrypted credentials and for the PI layer to decrypt the same, validate and process the request?

b. Should we consider using a single sign-on mechanism?

c. Should we consider using X.509 digital certificates?

   i. This would require that the X.509 certs are maintained in the Source & PI webserver Java key stores

d. Should we also consider digitally signing the payload?

   i. This requires using an appropriate hashing algorithm such as SHA-1 or MD5

The SOAP Sender/Receiver Adapter has few properties not specific to them. How do we achieve this?

Regards

Chandra Dasari

Accepted Solutions (1)


Former Member

Hi Chandra,

You may try to implement this using the AXIS framework of the SOAP adapter. This provides functionality for handling of X.509 encryption and decryption.

You can generate/get the digital certificate and use it for both transport level as well as message level security. You would not require any additional encoding apart from this.

Coming to your queries:

Q - I am assuming each of the source system web service calls will have to use a username/password to authenticate with the PI system

A - If you are using a certificate, then they can call XI using this certificate. You can share your public certificate with each of the parties.

Q. Will this use 'basic authentication', i.e., credentials sent over as part of the HTTP header field?

A - Depends... if you are using basic authentication, then it will not be via X.509. It will be the normal process. These are two different things.

Q. Assuming we use SSL for transport level security - this is still not secure as the credentials are not encrypted

A - This problem is resolved if you are using digital certificates.

Q. Is there a way to send in encrypted credentials and for the PI layer to decrypt the same, validate and process the request?

A - Yes. It is possible. But then you will have to implement encryption/decryption logic at both ends separately if you are not using certificates.

Q. Should we consider using a single sign-on mechanism?

A - Is your third party part of your landscape? If not, then you might want to check and confirm this approach with your security adviser.

Q. Should we consider using X.509 digital certificates?

A - Yes...This would resolve most of your problems.

Q. This would require that the X.509 certs are maintained in the Source & PI web server Java key stores

A - Yes.

Q. Should we also consider digitally signing the payload?

A - If you require message level encryption along with transport layer.

Q. This requires using an appropriate hashing algorithm such as SHA-1 or MD5. SOAP Sender/Receiver Adapter has few properties not specific to them. How to achieve this?

A - You can provide this option while generating the certificate itself.

Please let me know if this helps.

Cheers,

Sarath.
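
The answer above says a calling system can authenticate to PI with a certificate instead of a username/password. As an added example (not code from either poster or from SAP), here is how a Java-based third-party client could present an X.509 client certificate from its Java keystore over SSL/TLS. The endpoint URL, the keystore and truststore files, and the environment variable names are assumptions, as is the key password being the same as the keystore password; the server must also be configured to request and accept the client certificate.

```java
import java.io.*;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.*;

public class SoapClientCertCall {
    // Load a Java keystore file (JKS or PKCS12, per the JVM's default type).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Usage: java SoapClientCertCall <https-endpoint> <client-keystore> <truststore>
    // Passwords come from the assumed env variables KEYSTORE_PASS and TRUSTSTORE_PASS.
    public static void main(String[] args) throws Exception {
        char[] keyPass = System.getenv("KEYSTORE_PASS").toCharArray();
        char[] trustPass = System.getenv("TRUSTSTORE_PASS").toCharArray();

        // Client identity: the private key and X.509 certificate presented to the server.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(args[1], keyPass), keyPass);
        // Trust anchors: the certificate (or issuing CA) the server must present.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(args[2], trustPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        HttpsURLConnection con = (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory()); // default hostname verification stays on
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        con.setRequestProperty("SOAPAction", "\"\"");
        // No Authorization header is set: the TLS handshake carries the client's identity.
        String envelope = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soapenv:Body/></soapenv:Envelope>"; // constructed placeholder payload
        try (OutputStream out = con.getOutputStream()) {
            out.write(envelope.getBytes(StandardCharsets.UTF_8));
        }
        System.out.println("HTTP " + con.getResponseCode() + " via " + con.getCipherSuite());
    }
}
```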

Answers (1)


Former Member

Hi Chandra,

This may be going off on a bit of a tangent, but you could implement X.509 through an SSO solution without using a PKI system. You can use an authentication server that acts as a certificate authority.

http://www.secude.com/html/?id=1890

Edited by: knguyeniii on May 24, 2010 10:11 AM