PI 7.11 Transport Level Security: Communicating with an external web service from the SOAP adapter through SSL
When I was developing one of the PI interfaces that required Transport Level Security while communicating with an external web service, I initially faced a lot of issues: configuring certificates, the Trusted CA certificate, and understanding TLS and why so many security steps are required, because I did not have much background in how the TLS and SSL protocols work.
Then I started reading blogs about the SSL protocol and TLS concepts, and began relating those concepts to the security steps that have to be carried out in SAP NWA. After this, I understood why each security step is required in SAP PI and NWA to achieve the various security aspects. This is my small attempt to share my experience of how to develop an SAP PI interface involving TLS through SSL, so that other developers can get a better understanding and benefit from it.
Step 1: The client sends a “client_hello” message to the server, which contains the client’s SSL version number, cipher settings, randomly generated data, and other information the server needs to communicate with the client using SSL.
Step 2: The server sends the “server_hello” message to the client, containing the server’s SSL version number, cipher settings, randomly generated data, and other information the client needs to communicate with the server over SSL. The server also sends its own digital certificate and, if the client is requesting a server resource that requires client authentication, the server may optionally request the client’s digital certificate.
Step 3 and 4: Using all the data generated in the handshake so far, the client creates the premaster secret for the session, encrypts it with the server’s public key (obtained from the server’s digital certificate), and sends the encrypted premaster secret to the server. Note that if the server cannot be authenticated, the client aborts the protocol and stops the SSL handshake.
Step 5: If the server has requested client authentication (an optional step in the handshake), the client sends both the signed data and its own digital certificate to the server along with the encrypted premaster secret.
Step 6: If the server has requested client authentication, the server attempts to authenticate the client. If the client cannot be authenticated, the session is terminated. If the client is successfully authenticated, the server uses its private key to decrypt the premaster secret and then performs a series of steps, which the client also performs, starting from the same premaster secret to generate the master secret.
Step 7: The client informs the server that future messages from the client will be encrypted with the session key. It then sends a separate encrypted “client_finished” message indicating that the client portion of the handshake is finished.
Step 8: Similarly, the server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate encrypted “server_finished” message indicating that the server portion of the handshake is finished.
Step 9: The SSL handshake is now complete, and the SSL session has begun. The client and the server use the session keys to encrypt and decrypt the data they send to each other and to validate its integrity.
SAP PI Configuration Steps:
PI ESR (Design) part:
If the business requires any message mapping of the data while transferring it, the developer can create the corresponding DT, MT, MM, Service Interfaces and OP. As these steps are well known to everyone, I will skip the details of this part.
PI Directory (runtime) part:
4. In the SOAP receiver CC, provide the target web service URL and make sure that the URL uses https (e.g. https://serverHost:123/ws/purchaseOrderUrl for a web service, or https://serverHost:port/XISOAPAdapter/MessageServlet?channel=party:service:channel if a SOAP sender adapter CC is acting as the WS), not http. Provide the username/password by selecting the Basic Authentication option to execute the URL. See Fig. 4.
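As an added example (not code from the original post or from SAP), the following Python pre-flight check covers the client side of the handshake described above and the https requirement of the receiver channel: it rejects non-https URLs, builds a client context that behaves like the NWA trust store and key store settings (trusted CA required, optional client certificate), and reports what a handshake negotiated. The certificate file paths, the TLS 1.2 floor and the probe function are assumptions; the hostnames are the placeholder values from the post.

```python
"""Pre-flight TLS check for a SOAP receiver endpoint (added example, not SAP code).

Client side of the handshake above: plain http is refused, the server must be
authenticated against a trusted CA or the handshake aborts (Step 3 and 4), and a
client certificate is presented only when one is configured (Step 5).
"""
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlsplit


def check_endpoint_url(url: str) -> Tuple[str, int]:
    """Return (host, port) for an https URL and reject any other scheme."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"receiver URL must use https, got {parts.scheme!r}: {url}")
    if not parts.hostname:
        raise ValueError(f"receiver URL has no host: {url}")
    return parts.hostname, parts.port or 443   # hostname is normalised to lower case


def build_client_context(ca_file: Optional[str] = None,
                         client_cert: Optional[str] = None,
                         client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client settings matching the NWA trust store / key store configuration.
    ca_file: PEM with the Trusted CA certificate (None = OS store); client_cert and
    client_key only matter if the server requests client authentication.
    TLS 1.2 minimum is this example's assumption."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED     # untrusted server certificate -> abort
    ctx.check_hostname = True               # certificate must match the URL host
    if client_cert:                         # Step 5: optional client authentication
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def probe_handshake(url: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> dict:
    """Complete only the handshake and report what was negotiated (needs network)."""
    host, port = check_endpoint_url(url)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(item[0] for item in cert["subject"]),
                "issuer": dict(item[0] for item in cert["issuer"]),
                "not_after": cert["notAfter"],
            }
```

Run probe_handshake against the receiver URL with a context built from the same CA file you imported into NWA; a handshake failure here points at the trust store, not at the PI channel configuration.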