Former Member
A security setting can be defined for certain HTTP-based adapters in the corresponding sender channels in the Integration Directory that enforces one of the following three security levels (in ascending order):
  • HTTP without SSL
  • HTTP with SSL (=HTTPS) without client authentication
  • HTTP with SSL (=HTTPS) with client authentication
The adapters supporting this feature are:
On the Integration Server:
  • XI protocol
  • Plain HTTP adapter
On the Adapter Engine:
  • SOAP adapter
Configure the XI landscape so that a message can be received by these adapters (running in the Integration Server or the Adapter Engine) and is processed correctly. Configure both the sender clients and the XI servers (J2EE Engine and Integration Server) so that HTTPS with and without client authentication is possible, following the steps below:

1. Make sure that the IAIK library is available: in Visual Admin, check under Server -> Services -> Security Provider -> tab Runtime -> tab Cryptography Providers whether IAIK is listed.

2. In Dispatcher -> SSL Provider, check the following:
  • Make sure that the server maintains a server identity in Dispatcher -> Services -> SSL Provider -> Server Identity. The entry must be a reference to the keystorage service. Make sure that the certificate is valid (i.e. has a valid date). In case of client authentication, make sure that a valid certificate of the issuer of the client certificate is maintained in the keystorage service under the view TrustedCAs.
  • If the SSL provider has only a few cipher suites, include all available suites.
  • Set SSL to request a client certificate, i.e. select the "Request client certificate" option under the Client Authentication tab in the SSL Provider service.

3. In Server -> Services -> Security Provider, add the certificate to your user name.
  • Assign the client certificate to the user you have included in the sender agreement: go to Security Provider in Visual Admin -> select the User Management tab -> find your user name -> click Add Certificate -> select your certificate.

4. Configure the SOAP adapter in Visual Admin. To do this, change the relevant SOAP adapter service sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter in the Security Provider service of the Server (under Runtime -> Policy Configurations). Under the Authentication tab, set the list of login modules using the Add New button as follows:
  1. ClientCertLoginModule, SUFFICIENT
  2. BasicPasswordLoginModule, SUFFICIENT
You do not need to enter anything specific into the Options column.

5. Similarly, enable the SSL client on the J2EE Engine (if sender and receiver are different):
  • Make sure that a valid certificate of the issuer of the server identity certificate is maintained in the keystorage service under the view TrustedCAs.
  • In case of client authentication, make sure that a valid client certificate (as specified in the receiver channel) is maintained in the keystorage service.

For each adapter, there are 9 (= 3 times 3) combinations to test: the communication from the sender to the XI component can be established with each of the three security levels, and the corresponding sender channel can be configured with each of the three security levels, as shown below (ca = client authentication):

connection / sec level    HTTP      HTTPS without ca    HTTPS with ca
HTTP                      Accept    Reject              Reject
HTTPS without ca          Accept    Reject              Reject
HTTPS with ca             Accept    Accept              Accept

Example (Configuring SOAP Adapter)

The example considers the scenario of sending a SOAP message from a SOAP receiver channel, giving it the URL of the SOAP sender channel, in order to test the HTTP security levels at the sender channel.

1. HTTP without SSL
Select Enforced security level = HTTP in the sender SOAP channel. In the receiver SOAP channel, select the check box "user authentication" and specify the user name and password. Send the message and check that the scenario works.

2. HTTP with SSL (=HTTPS) without client authentication
Select Enforced security level = HTTPS without client authentication in the sender SOAP channel. Don't select the check boxes "certificate authentication" or "user authentication". Try sending a message; it should work.

3. HTTP with SSL (=HTTPS) with client authentication
Select Enforced security level = HTTPS with client authentication in the sender SOAP channel. Don't select certificate authentication in the receiver channel and try sending a message. You will notice that sending the message fails with an authorization error. In the receiver SOAP channel you need to do the following:
  • To make sure that the certificate is used, remove your user password and unmark the check box "user authentication".
  • Select the check box "certificate authentication".
  • Provide the client certificate.
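The three connection types in the test matrix can also be driven from a small standalone client, so that each enforced security level on the sender channel is checked against what the server actually answers. This is an added example, not part of the original blog: the endpoint URLs, the certificate and key file names and the empty SOAP body are placeholders you supply, and the level names simply reuse the table's labels.

```python
import base64
import http.client
import ssl
from urllib.parse import urlsplit

LEVELS = ("HTTP", "HTTPS without ca", "HTTPS with ca")
# Constructed minimal SOAP 1.1 envelope; replace the body with your interface payload.
ENVELOPE = (b'<?xml version="1.0"?><soapenv:Envelope xmlns:soapenv='
            b'"http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body/></soapenv:Envelope>')

def tls_context(level, ca_file=None, cert_file=None, key_file=None):
    """Return None for plain HTTP, otherwise a client-side SSLContext that verifies the server."""
    if level == "HTTP":
        return None
    ctx = ssl.create_default_context(cafile=ca_file)  # checks server certificate and host name
    if level == "HTTPS with ca":
        if not cert_file:
            raise ValueError("a client certificate is required for 'HTTPS with ca'")
        ctx.load_cert_chain(cert_file, key_file)  # presented when the server requests it
    return ctx

def probe(url, level, user=None, password=None, timeout=10, **tls):
    """POST the envelope over one connection type; return (status, reason) or ('error', name)."""
    parts = urlsplit(url)
    ctx = tls_context(level, **tls)
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'}
    if user is not None:  # corresponds to the "user authentication" check box
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    if ctx is None:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    else:
        conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout, context=ctx)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("POST", path, body=ENVELOPE, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.reason
    except (OSError, http.client.HTTPException) as exc:  # TLS failures are OSError subclasses
        return "error", type(exc).__name__
    finally:
        conn.close()

def run_matrix(endpoints, **kwargs):
    """endpoints maps a connection level to the URL (HTTP or HTTPS port) used for that level."""
    return {lvl: probe(endpoints[lvl], lvl, **kwargs) for lvl in LEVELS if lvl in endpoints}
```

Run `run_matrix` once per enforced security level set on the sender channel and compare the three results with the expected accept or reject outcome for that level.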