
How to use Client Authentication with SOAP Adapter

A security setting can be defined for certain HTTP-based adapters in the corresponding sender channels in the Integration Directory that enforces one of the following three security levels (in ascending order):

  • HTTP without SSL
  • HTTP with SSL (=HTTPS) without client authentication
  • HTTP with SSL (=HTTPS) with client authentication

The adapters supporting this feature are:

On the Integration Server:

  • XI protocol
  • Plain HTTP adapter

On the Adapter Engine:

  • SOAP Adapter

Configure the XI landscape so that a message can be received by these adapters (running in the Integration Server or the Adapter Engine) and is processed correctly. Configure both the sender clients and the XI servers (J2EE Engine and Integration Server) so that HTTPS with and without client authentication is possible, following the steps below:

1. Make sure that the IAIK library is available: in Visual Admin, check under Server -> Services -> Security Provider -> tab Runtime -> tab Cryptography Providers whether IAIK is listed.

2. In Dispatcher -> Services -> SSL Provider, check the following:

  • Make sure that the server maintains a server identity in Dispatcher -> Services -> SSL Provider -> Server Identity. The entry must be a reference to the keystorage service. Make sure that the certificate is valid (i.e. has a valid date). In case of client authentication, make sure that a valid certificate of the issuer of the client certificate is maintained in the keystorage service under the view TrustedCAs.
  • If the SSL Provider has only a few cipher suites, include all available suites.
  • Set SSL to request a client certificate, i.e. select the "Request client certificate" option under the Client Authentication tab in the SSL Provider service.

3. In Server -> Services -> Security Provider, add the certificate to your user name. Assign the client certificate to the user you have included in the sender agreement: go to Security Provider in Visual Admin -> select the User Management tab -> find your user name -> click Add Certificate -> select your certificate.

4. Configure the SOAP adapter in Visual Admin. To do this, change the relevant SOAP adapter service sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter in the Security Provider service of the server (under Runtime -> Policy Configurations). Under the Authentication tab, set the list of login modules using the Add New button as follows:

  1. ClientCertLoginModule, SUFFICIENT
  2. BasicPasswordLoginModule, SUFFICIENT

You do not need to enter anything specific in the Options column.

5. Similarly, enable SSL on the client J2EE Engine (if sender and receiver are different):

  • Make sure that a valid certificate of the issuer of the server identity certificate is maintained in the keystorage service under the view TrustedCAs.
  • In case of client authentication, make sure that a valid client certificate (as specified in the receiver channel) is maintained in the keystorage service.

For each adapter, there are 9 (= 3 times 3) combinations to test: the communication from the sender to the XI component can be established with each of the three security levels, and the corresponding sender channel can be configured with each of the three security levels, as shown below (ca = client authentication):

connection / sec level   HTTP     HTTPS without ca   HTTPS with ca
HTTP                     Accept   Reject             Reject
HTTPS without ca         Accept   Reject             Reject
HTTPS with ca            Accept   Accept             Accept

Example (Configuring SOAP Adapter)

The example uses a scenario in which a SOAP receiver channel sends a SOAP message to the URL of the SOAP sender channel, in order to test the HTTP security levels at the sender channel.

1. HTTP without SSL

Select Enforced security level = HTTP in the sender SOAP channel. In the receiver SOAP channel, select the check box "user authentication" and specify the user name and password. Send the message and check that the scenario works.

2. HTTP with SSL (=HTTPS) without client authentication

Select Enforced security level = HTTPS without client authentication in the sender SOAP channel. Don't select the check boxes "certificate authentication" or "user authentication". Try sending a message; it should work.

3. HTTP with SSL (=HTTPS) with client authentication

Select Enforced security level = HTTPS with client authentication in the sender SOAP channel. Don't select certificate authentication in the receiver channel and try sending a message. You will notice that sending the message fails with an authorization error.

In the receiver SOAP channel you need to do the following:

  • To make sure that the certificate is used, remove your user password and unmark the check box "user authentication".
  • Select the check box "certificate authentication".
  • Provide the client certificate.
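
The login module stack from step 4 can be reasoned about with a small model. This is an added example, not code from the original post or from SAP; it assumes the J2EE Engine evaluates the stack with the standard JAAS control-flag rules, and the Request fields, the module functions and the user name PIUSER are constructed for illustration. The evaluator also handles REQUIRED, REQUISITE and OPTIONAL, which goes beyond the two SUFFICIENT entries the post uses.

```python
# Added example: models JAAS control-flag evaluation for the step 4 stack.
# Request fields and module behaviour are simplified assumptions.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Request:
    cert_user: Optional[str] = None  # user mapped from a trusted client certificate
    basic_ok: bool = False           # valid user name and password were supplied

def client_cert_login(req: Request) -> bool:
    return req.cert_user is not None

def basic_password_login(req: Request) -> bool:
    return req.basic_ok

Stack = List[Tuple[str, Callable[[Request], bool], str]]

# The stack from step 4, in the order given in the post.
STEP4_STACK: Stack = [
    ("ClientCertLoginModule", client_cert_login, "SUFFICIENT"),
    ("BasicPasswordLoginModule", basic_password_login, "SUFFICIENT"),
]

def authenticate(stack: Stack, req: Request) -> Tuple[bool, List[str]]:
    """Return (authenticated, modules that succeeded) under JAAS flag rules."""
    mandatory_seen, mandatory_ok, succeeded = False, True, []
    for name, module, flag in stack:
        ok = module(req)
        if ok:
            succeeded.append(name)
        if flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            mandatory_ok = mandatory_ok and ok
            if flag == "REQUISITE" and not ok:
                break  # a REQUISITE failure ends evaluation at once
        elif flag == "SUFFICIENT" and ok and mandatory_ok:
            return True, succeeded  # later modules are never consulted
    if mandatory_seen:
        return mandatory_ok, succeeded
    return bool(succeeded), succeeded  # only SUFFICIENT/OPTIONAL: one must pass

if __name__ == "__main__":
    cases = {  # constructed sample callers
        "certificate only": Request(cert_user="PIUSER"),
        "password only": Request(basic_ok=True),
        "both": Request(cert_user="PIUSER", basic_ok=True),
        "neither": Request(),
    }
    for label, req in cases.items():
        print(label, authenticate(STEP4_STACK, req))
```

In this model a caller with only a valid password still passes the login stack, so the certificate requirement in scenario 3 comes from the sender channel's enforced security level rather than from the stack itself.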

      8 Comments
      Former Member
      Hi Rahul,

      This is a good blog with nice valuable information.
      Waiting for more such blogs from you.
      Regards,
      Vishal

      Former Member
      Hi Vishal,

      Thanks, will surely come with more such blogs.

      Regards
      Rahul

      Holger Stumm
      My (remote) client asked me about XI client certification - your answer was right on the spot, so I was sending him the link to your blog.

      Thanks for your clear and focussed explanation.

      Former Member
      Rahul - excellent blog, thanks. However, I have been testing your example scenarios, and 1 and 2 work fine but 3 fails. In the message monitor I get the following:

      SOAP: response message contains an error XIServer/UNKNOWN/ModuleUnknownException - com.sap.aii.af.mp.module.ModuleException: java.security.AccessControlException: client certificate required caused by: java.security.AccessControlException: client certificate required
          at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:1111)
          at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl3.process(ModuleLocalLocalObjectImpl3.java:103)
          at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:250)
          at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:103)
          at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:166)
          at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:421)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))
          at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))
          at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java(Compiled Code))
          at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java(Compiled Code))
          at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Inlined Compiled Code))
          at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Compiled Code))
          at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java(Compiled Code))
          at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java(Compiled Code))
          at com.sap.engine.services.httpserver.server.Client.handle(Client.java(Inlined Compiled Code))
          at com.sap.engine.services.httpserver.server.Processor.request(Processor.java(Compiled Code))
          at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
          at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
          at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
          at java.security.AccessController.doPrivileged1(Native Method)
          at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
          at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
          at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
      Caused by: java.security.AccessControlException: client certificate required
          at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:843)
          ... 22 more

      Any idea as to what this problem is?

      Many thanks

      Stuart

      Former Member
      Hi Stuart,

      Check if you have attached the client certificate to the user present in the access control list.

      Regards
      Rahul Nawale

      Lionel Tafel
      Hi,

      We have this error with the CC SOAP Receiver.

      com.sap.aii.af.ra.ms.api.DeliveryException: Invalid SSL message, peer seems to be talking plain!

      Regards
      Lionel

      Former Member
      Hi, I have the same problem. Did you solve it?

      Thanks

      Martin

      Juergen Grallert
      Hi Rahul,

      That's a very helpful blog.
      Can you also tell me where the settings of point 3 (assigning client certificate to user) have to be done in the NetWeaver Administrator, because VisualAdmin isn't available anymore in PI 7.1?

      Many thanks in advance.

      Regards,
      Juergen