
Background:

Let's start with a little background on SAP PI security and what it supports. SAP PI provides two main security aspects. 1. Transport-level security through HTTPS/FTPS communication. 2. Message-level security through the WS-Security (WSSE) protocol. Using WSSE you can digitally sign the XI payload, encrypt the payload, or both.

Before using security (transport or message level) in SAP PI, make sure that the SAP J2EE WAS is enabled for security processing: deploy the SAP Java Cryptographic Toolkit (IAIK) into the SAP J2EE engine and enable the HTTPS (SSL) port 5XX01 (XX is the instance number) by starting the SSL provider service in NWA. To cross-check that your SAP J2EE engine is enabled for security processing, open https://<pihost>:5XX01/ in a browser; it should show the SAP J2EE engine start-up page without an error. A certificate warning at this point means the browser does not trust the server certificate, which is a separate problem from the SSL port not being active, and should also be fixed before partners connect.

I will be using the SAP PI SOAP adapter to show how to use WSSE in SAP PI.

Before we go into details, I would like readers to go through the following topics, which will help in understanding this blog clearly. If you are already familiar with the security terminology, you can jump directly to the configuration steps.

Digital signing, digital encryption, private key, public certificate, Certificate Authority (CA), trusted CA, WSSE (WS-Security), etc.

Business Scenario:

Let's look at a bank business scenario in which WSSE can be used. Assume there is a BANK entity and a BANK customer. The BANK customer wants to send important, confidential data (e.g. account information, credit card information) to the BANK. In this case the data exchanged between the BANK (server) and the BANK's customer (client) must be secured and encrypted; it must not travel as a plain payload. In this scenario one can use WSSE (digital signing or encryption or both) to send the data over the network. In this blog we assume that both the BANK server and the BANK's client use SAP PI as middleware.

SAP PI Step-by-step configuration:  

1. Design:

Following Fig.1 shows how the data flows between the BANK server and the client.

Fig.1: wsse2.JPG

From the above diagram you can see that the File sender adapter picks up the confidential data through FTP or the local file system. The message is sent to the SOAP receiver adapter, which is capable of applying WSSE, i.e. digitally signing and encrypting the PI payload, and sends it across to the target system (Customer PI).

At the Customer PI there is a PI SOAP sender adapter listening for the incoming message. Once the message reaches the SOAP sender adapter, it can decrypt the payload and validate the signature present in the incoming message. Now let's start configuring this scenario in PI using the Integration Builder tool.

2. NWA Settings for private and public certificates:

2.1 At BANK NWA:

1. The BANK PI side has its own private key and public certificate in the Keystore service of NWA. Let's assume the BANK's CN = myBank.com. You can create a new keystore view (BKV_WSSE) to hold these certificates or use an existing one (e.g. DEFAULT). See Fig.2.1.1, Fig.2.1.2 and Fig.2.1.2_private_public_cert.

Fig.2.1.1.jpeg

Fig.2.1.2.JPG

Fig.2.1.2_private_public_cert.JPG

2. For the digital encryption scenario you always need the public certificate of the other party (in our case the BANK's Customer PI, CN = myCustomer.com). So you need to import the Customer's public certificate into the Keystore service (e.g. into BKV_WSSE or an existing view) of SAP NWA. See Fig.2.1.3. Only the public certificate is exchanged; each party's private key stays in its own keystore.

Fig.2.1.3.JPG

2.2 At Customer NWA:

1. The Customer PI side has its own private key and public certificate in the Keystore service of NWA. Let's assume the Customer's CN = myCustomer.com. You can create a new keystore view (CKV_WSSE) to import these certificates or use an existing one (e.g. DEFAULT). See Fig.2.2.2.

Fig.2.2.2.JPG

2. For the digital encryption scenario you always need the public certificate of the other party (in our case the BANK PI, CN = myBank.com). So you need to import the BANK's public certificate into the Keystore service (e.g. into CKV_WSSE or an existing view) of SAP NWA. Follow the same steps as above to import the Bank public certificate.

3. Integration Repository Steps:

In my scenario I am just processing a normal .txt file (which may contain confidential data) and there is no requirement for any message mapping or operation mapping, so I skip the creation of DT, MT, SI, MM and OM. If the business requires some processing on the mapping side, you should create all the necessary IR objects according to your requirements.

4. Integration Directory Steps:

4.1 At BANK PI side:

4.1.1. Create a configuration scenario with the name CS_WSSE_BANK and create the following objects in it. See Fig.4.1.1.

Fig.4.1.1.JPG

4.1.2. Create a File sender channel (CC_WSSE_BANK_File_Sender) and a SOAP receiver channel (CC_WSSE_BANK_Soap_Receiver). Make sure that in the SOAP receiver channel you have checked the 'Security Profile' option. See Fig.4.1.2 and Fig.4.1.3.

Fig.4.1.2.JPG

Fig.4.1.3.JPG

4.1.3. Create an Integrated Configuration object, assign the corresponding channels and complete the configuration. Once you have checked the 'Security Profile' option, additional settings such as Security Procedure and Keystore View appear on the 'Outbound Processing' tab for the SOAP receiver channel. See Fig.4.1.4.

Fig.4.1.4.JPG

4.1.3.1 WSSE (digital encryption) configuration:

To encrypt the payload, first select the Security Procedure option 'encryption'; it then asks for the public certificate entry name with which to encrypt. In our case this is the customer's public certificate, 'customer_cert-cert'. See Fig.4.1.3.1.

Fig.4.1.3.1.JPG

4.1.3.2 WSSE (digital signing) configuration:

To digitally sign the payload, select the Security Procedure option 'sign'; it then asks for the private key entry name with which to sign. In our case this is the Bank's private key entry, 'bank_cert'. See the previous Fig.4.1.4.

4.1.3.3 WSSE (digital signing and encryption) configuration:

To sign and encrypt the payload, select the Security Procedure option 'sign and encrypt'; it then asks for the private key entry name with which to sign. In our case this is the Bank's private key entry, 'bank_cert'. Along with that, it asks for the public certificate entry name with which to encrypt. In our case this is the customer's public certificate, 'customer_cert-cert'. See Fig.4.1.3.3_page1 and page2.

Fig.4.1.3.3_page1.JPG

Fig.4.1.3.3_page2.JPG

4.1.4. Activate all the objects.

4.2 At Customer PI side:

4.2.1. Create a configuration scenario with the name CS_WSSE_CUSTOMER and create the following objects as described in the steps above.

4.2.2. Create a SOAP sender channel (CC_WSSE_CUSTOMER_Soap_Sender) and a File receiver channel (CC_WSSE_CUSTOMER_File_Receiver). Make sure that in the SOAP sender channel you have checked the 'Security Profile' option, as in the steps above.

4.2.3. Create an Integrated Configuration object, assign the channels created above and complete the configuration. Since you checked the 'Security Profile' option, additional settings such as Security Procedure and Keystore View appear on the 'Inbound Processing' tab for the SOAP sender channel. See Fig.4.2.3.

Fig.4.2.3.JPG

4.2.3.1 WSSE (digital decryption) configuration:

To decrypt the (encrypted) payload, first select the Security Procedure option 'decryption'; it then asks for the private key entry name with which to decrypt. In our case this is the customer's private key entry, 'customer_cert'. See Fig.4.2.3.1.

Fig.4.2.3.1.JPG

4.2.3.2 WSSE (digital signature validation) configuration:

To validate the signature on the (signed) payload, select the Security Procedure option 'validate'; it then asks for the public certificate entry name with which to validate. In our case this is the Bank's public certificate, 'bank_cert-cert'. See the previous Fig.4.2.3.

4.2.3.3 WSSE (digital decryption and validation) configuration:

To decrypt and validate the payload, select the Security Procedure option 'decrypt and validate'; it then asks for the private key entry name with which to decrypt. In our case this is the Customer's private key entry, 'customer_cert'. Along with that, it asks for the public certificate entry name with which to validate the signature. In our case this is the Bank's public certificate, 'bank_cert-cert'. See Fig.4.2.3.3.

Fig.4.2.3.3.JPG

4.2.4. Activate all the objects.
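Sections 2 and 4 boil down to one rule: each party signs and decrypts with its own private key entry and encrypts and validates with the other party's public certificate. As an added example that is not code from this blog or from SAP, the Python script below models both sides of the scenario with the `cryptography` package (an assumed dependency). A hybrid RSA-OAEP plus AES-GCM construction stands in for the WS-Security EncryptedKey/EncryptedData pair and RSA PKCS#1 v1.5 over SHA-256 stands in for the XML signature; SAP PI's actual algorithms may differ. The function names, the self-signed certificates and the sample payload are assumptions of the example. The last three results show what happens when the keystore views are mixed up (validating with one's own certificate, decrypting with the wrong private key) or the ciphertext is altered in transit.

```python
"""Key roles in the BANK -> Customer WSSE scenario (added example, not SAP PI code).

Assumes the `cryptography` package. The hybrid RSA-OAEP + AES-GCM scheme stands in for the
xenc:EncryptedKey / xenc:EncryptedData pair; SAP PI's algorithm choices may differ."""
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.x509.oid import NameOID

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_keystore_entry(common_name: str):
    """One NWA keystore entry: the private key (e.g. 'bank_cert') and its public certificate
    (e.g. 'bank_cert-cert'). Self-signed here for the example; in production it is CA-issued."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def bank_sign_and_encrypt(payload: bytes, bank_private_key, customer_cert) -> dict:
    """Outbound 'sign and encrypt' (4.1.3.3): sign with OWN private key, encrypt for the PEER's cert."""
    signature = bank_private_key.sign(payload, padding.PKCS1v15(), hashes.SHA256())
    session_key = AESGCM.generate_key(bit_length=256)               # carried in xenc:EncryptedKey
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, payload, None)  # the xenc:EncryptedData body
    encrypted_key = customer_cert.public_key().encrypt(session_key, OAEP)
    return {"encrypted_key": encrypted_key, "nonce": nonce,
            "ciphertext": ciphertext, "signature": signature}


def customer_decrypt_and_validate(message: dict, customer_private_key, bank_cert):
    """Inbound 'decrypt and validate' (4.2.3.3): decrypt with OWN private key, validate with PEER's cert.
    Returns (status, payload); payload is None unless status == 'ok'."""
    try:
        session_key = customer_private_key.decrypt(message["encrypted_key"], OAEP)
        payload = AESGCM(session_key).decrypt(message["nonce"], message["ciphertext"], None)
    except (ValueError, InvalidTag):          # wrong private key, or ciphertext tampered with
        return "decrypt-failed", None
    try:
        bank_cert.public_key().verify(message["signature"], payload, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:                  # wrong certificate, or payload not from the bank
        return "signature-invalid", None
    return "ok", payload


def run_scenario() -> dict:
    bank_key, bank_cert = make_keystore_entry("myBank.com")        # BKV_WSSE: bank_cert / bank_cert-cert
    cust_key, cust_cert = make_keystore_entry("myCustomer.com")    # CKV_WSSE: customer_cert / customer_cert-cert
    payload = b"<confidentialData><acc>12345678</acc></confidentialData>"  # constructed sample
    message = bank_sign_and_encrypt(payload, bank_key, cust_cert)
    # flip one bit of the encrypted body, as a man-in-the-middle might
    tampered = dict(message, ciphertext=bytes([message["ciphertext"][0] ^ 1]) + message["ciphertext"][1:])
    return {
        "payload": payload,
        "correct": customer_decrypt_and_validate(message, cust_key, bank_cert),
        # keystore mix-up: validating with the customer's own certificate instead of the bank's
        "validated_with_own_cert": customer_decrypt_and_validate(message, cust_key, cust_cert),
        # decrypting with a private key the message was not encrypted for
        "decrypted_with_bank_key": customer_decrypt_and_validate(message, bank_key, bank_cert),
        "tampered": customer_decrypt_and_validate(tampered, cust_key, bank_cert),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result.decode() if name == "payload" else result)
```

Note that the wrong-certificate case fails only at the validation step: decryption succeeds because the customer's private key is correct, so a channel configured with 'decryption' alone would happily deliver a payload the bank never signed.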

5. Running Scenario:

Put a file confidentialData.xml in the source directory. The Bank PI's File sender adapter picks this file up and sends it to the SOAP receiver adapter, which applies the WSSE processing (signing and/or encryption, as configured) and sends the message across to the Customer PI's SOAP sender adapter, which is listening for incoming messages.

Once the message reaches the SOAP sender, it processes the WSSE header on the payload: if the payload is encrypted, it decrypts it using its own private key (myCustomer.com), and if it is signed, it validates the signature with the bank's public certificate. The clear payload is then passed to the File receiver adapter, which writes the file into the target directory.
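Validating the signature is only worth something if the signature actually covers the element the File receiver will be handed, i.e. the SOAP Body, and was made with the expected token. As an added example that is not part of the original post, the stdlib-only Python below parses a constructed WS-Security envelope of the kind the Customer SOAP sender channel receives (OASIS WSS 1.0 namespaces; ids, token names and base64 values are placeholders) and reports which token signed it, whether the signature references the Body by its own wsu:Id, which certificate the session key was encrypted for, and any weak algorithms. It then runs the same check on an XML Signature Wrapping variant, in which the signed element has been moved into the header and an unsigned Body put in its place. The adapter performs the cryptographic verification; this script only inspects what was signed and encrypted, which is the part a misconfigured 'validate' step can get wrong.

```python
"""Inspect the WS-Security header of an inbound SOAP message (added example, stdlib only).
Checks structure (what is signed/encrypted, with which token), not the cryptography itself."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
WEAK = ("sha1", "3des", "tripledes")   # substrings of algorithm URIs worth flagging

# Constructed sample of what the Customer SOAP sender receives after the bank's 'sign and encrypt'.
# Base64 values are placeholders, not real digests or ciphertext.
ENVELOPE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
  xmlns:ds="{ds}" xmlns:xenc="{xenc}">
 <soap:Header><wsse:Security soap:mustUnderstand="1">{wrapper}
  <wsse:BinarySecurityToken wsu:Id="BankCert"
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIC...</wsse:BinarySecurityToken>
  <xenc:EncryptedKey Id="EK-1">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
    <ds:X509IssuerName>CN=myCustomer.com</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber>
   </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="{ref}"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>
  <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#BankCert"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="{body_id}">
  <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>"""


def build_envelope(wrapped: bool = False) -> str:
    """Legitimate message, or the XML Signature Wrapping variant: the signed element is moved
    into a header wrapper (keeping wsu:Id="Body") and a fresh, unsigned Body takes its place."""
    wrapper = '<Wrapper wsu:Id="Body"><Original/></Wrapper>' if wrapped else ""
    return ENVELOPE.format(**NS, ref="#Body", body_id="NewBody" if wrapped else "Body", wrapper=wrapper)


def inspect_security_header(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", NS)
    sec = root.find("soap:Header/wsse:Security", NS)
    body_id = body.get(WSU_ID) if body is not None else None
    ids = Counter(v for el in root.iter() for k, v in el.attrib.items() if k in (WSU_ID, "Id"))
    report = {"body_id": body_id, "duplicate_ids": sorted(i for i, n in ids.items() if n > 1),
              "weak_algorithms": [a for el in root.iter() for a in [el.get("Algorithm")]
                                  if a and any(w in a.lower() for w in WEAK)],
              "signed": False, "signature_covers_body": False, "signing_token": None,
              "encrypted": False, "encryption_key_target": None, "encrypted_body_refs": []}
    if sec is None:
        return report
    sig = sec.find("ds:Signature", NS)
    if sig is not None:
        report["signed"] = True
        refs = [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        # The element handed to the File receiver is soap:Body; the signature must reference that
        # exact element by its own id, and the id must be unique, or something else was signed.
        report["signature_covers_body"] = (body_id is not None and "#" + body_id in refs
                                           and not report["duplicate_ids"])
        tok = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        report["signing_token"] = tok.get("URI") if tok is not None else None
    ek = sec.find("xenc:EncryptedKey", NS)
    if ek is not None:
        report["encrypted"] = True
        issuer = ek.find(".//ds:X509IssuerName", NS)
        report["encryption_key_target"] = issuer.text if issuer is not None else None
        targets = {d.get("URI") for d in ek.findall("xenc:ReferenceList/xenc:DataReference", NS)}
        in_body = ["#" + e.get("Id") for e in body.findall("xenc:EncryptedData", NS)] if body is not None else []
        report["encrypted_body_refs"] = [r for r in in_body if r in targets]
    return report


def demo() -> dict:
    return {"legitimate": inspect_security_header(build_envelope()),
            "wrapped": inspect_security_header(build_envelope(wrapped=True))}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, rep)
```

The legitimate message is reported as signed by `#BankCert` with the signature covering the Body and the session key encrypted for CN=myCustomer.com, but with SHA-1 flagged twice; the wrapped message is still "signed", yet the signature no longer covers the Body that would be delivered.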

6. Monitoring:

You can monitor the outgoing/incoming messages through the MDT or the channel monitor. If you check the audit log of an outgoing/incoming message you will see additional entries such as "WSSE processing" or "finished". See Fig.6.1 and Fig.6.2.

Fig.6.1.JPG

Fig.6.2.JPG

7. Summary:

To summarise, the SAP PI SOAP adapter can process WSSE tokens for digital signing and encryption, and using WSSE we can send confidential data securely over the network. I request readers to provide their comments on their understanding.


6 Comments


  1. Suresh Reddy Avutu
    I am interested in the output XML file after signing. Is the signing data visible as a separate node within the SOAP envelope?
    I have a scenario where every invoice needs to be signed for some legal requirements.
    1. Rajendra Badi Post author
      Hi,

      Signing information like certificate info, the generated binary info after signing, etc. would be shown in a separate SOAP header of the XI message. If you want to see that node, you can check the message content in the audit log of XI messages in RWB.

      1. Community User
        Hi Rajendra Badi,

        Your example shows 2 PI systems, at the Bank and customer sites; what if they have only one PI as middleware between bank and customer and the scenario is RFC to web service (SOAP)?
        How to use WSSE as per this scenario: RFC (sender) > PI > web service (receiving system)?
        Does WSSE support the below requirements:
        1) XML documents shall be signed using XML Signature
        Use enveloped signatures
        2) Support RSA signing in conformance with the algorithm identified by http:www.w3.org/2009/09/xmldsig#rsa-sha1
        3) Use exclusive canonicalization (with comments or without comments)

        Please advise

        Thanking you so much
        pooja

    1. Rajendra Badi Post author
      Hi,

      Currently the SAP PI SOAP adapter supports only the OASIS protocol to sign/encrypt. Other protocols are not fully developed. So if you want to use your own protocol, you need to write your own custom code in an adapter module and then use the adapter module in the SOAP adapter.

  2. Midhun Madhav

    I am doing an interface and I have to encrypt messages. Do I have to download the SAP Java Cryptographic Toolkit (IAIK) into the SAP J2EE engine? I am trying to do this scenario. If I replace this with the SOAP Axis adapter, do I still have to download the Java Cryptographic Toolkit?

