Axis Adapter Sender Comm Channel with usernameToken
SAP PI by default provides basic authentication for its inbound web service scenarios. Here a service user is authenticated by the SOAP message servlet and the message is passed through.
In some scenarios we are required to add an additional authentication mechanism. SAP has provided a few options in the WS adapter, but it is not yet available for single-stack SAP PO 7.3.
Even with the WS adapter there are limitations, such as the availability of a certificate signing authority, and non-Java-based systems that are unable to generate an SAP single sign-on token using its API.
In this blog I will explain a simple implementation of the Axis adapter that accepts a username token with password digest as well as password text to authenticate arbitrary users. I am assuming the ESR and ID have been configured like any other scenario, so we only need to do the configuration in NWA and in the communication channel.
Log in to NWA -> Configuration -> Authentication and Single Sign-On.
Edit the policy configuration and search for “axis”.
You will get the policy configuration name “sap.com/com.sap.aii.axis.app*XIAxisAdapter”.
Edit the login modules and change them as per the screenshot:
BasicPasswordLoginModule = “SUFFICIENT”
DigestLoginModule = “REQUISITE”
Now we are ready to configure our communication channel.
Create a SOAP sender communication channel. Select the transport protocol Servlet (Axis).
- usernameToken and Password text with basic authentication
Below is the module configuration for arbitrary user login.
Each additional module parameter is explained here.
This module parameter is used for basic authentication:

| Module Key | Parameter Name | Parameter Value |
| --- | --- | --- |
| auth | handler.type | java:org.apache.axis.handlers.http.HTTPAuthHandler |

This handler type is used for user login based on a specific authentication scheme. Here we are using basic authentication as well as the username token.

| Module Key | Parameter Name | Parameter Value |
| --- | --- | --- |
| login | handler.type | java:com.sap.aii.adapter.axis.ra.handlers.security.LoginHandler |

This handler type accepts the user token generated by the client and puts it into the message context.
For an arbitrary user, the user parameters are set to “*” and the password type must be set to PasswordText so that the password can be retrieved from the message header. It’s a very useful feature when the user needs to authenticate to an end system, like SAP CRM in our scenario. We can configure principal propagation between PI and CRM, and in PI tick the principal propagation check box in the integrated configuration.

| Module Key | Parameter Name | Parameter Value |
| --- | --- | --- |
| usertoken | handler.type | java:com.sap.aii.adapter.axis.ra.handlers.security.WSDoAllReceiver |
| usertoken | action | UsernameToken |
| usertoken | Pwd.password | * |
| usertoken | user | * |

Below is the request message for usernameToken and passwordText.
PI communication channel log:
This screenshot provides a clear picture of how each individual module is executed at run time.
- usernameToken and Password text with basic authentication
Module configuration for passwordDigest:
We can use password digest for a specific user. In this case the client should call the web service with the same user ID.
This provides added security as the password is not sent as plain text.

| Module Key | Parameter Name | Parameter Value |
| --- | --- | --- |
| usertoken | handler.type | java:com.sap.aii.adapter.axis.ra.handlers.security.WSDoAllReceiver |
| usertoken | action | UsernameToken |
| usertoken | Pwd.password | ******* |
| usertoken | user | srd474 |

Request message for passwordDigest:-
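As an added example (not the original blog's request message and not SAP's code), the following shows how a client derives the PasswordDigest under the OASIS UsernameToken Profile 1.0 and what a receiver has to check before accepting it. The password, the nonce cache and the five-minute window are constructed assumptions; the user name is the one from the table above.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
DIGEST = OASIS + "username-token-profile-1.0#PasswordDigest"
B64 = OASIS + "soap-message-security-1.0#Base64Binary"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) per the profile."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def security_header(user, password, nonce=None, created=None):
    """Client side: wsse:Security header carrying a PasswordDigest token."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken><wsse:Username>{escape(user)}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST}">'
        f'{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64}">'
        f'{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security>'
    )

def verify(digest_b64, nonce_b64, created, stored_password, seen_nonces,
           now=None, max_age=timedelta(minutes=5)):  # window is an assumption
    """Receiver side: freshness, replay, then constant-time digest check."""
    now = now or datetime.now(timezone.utc)
    ts = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
    if abs(now - ts) > max_age:
        return "stale"          # Created outside the accepted window
    if nonce_b64 in seen_nonces:
        return "replay"         # same nonce already accepted once
    expected = password_digest(base64.b64decode(nonce_b64), created, stored_password)
    if not hmac.compare_digest(expected.encode(), digest_b64.encode()):
        return "bad-digest"     # wrong password or altered nonce/created
    seen_nonces.add(nonce_b64)  # remember only tokens that verified
    return "ok"

if __name__ == "__main__":
    # Constructed password; user name as in the table above.
    print(security_header("srd474", "constructed-secret"))
```

The digest only keeps the password off the wire: replay protection depends on the receiver enforcing the Created window and remembering nonces, and the call should still run over HTTPS.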
Message log:-
Good blog Ranjeet. Keep on blogging.
Good one.. 🙂
Looks good, I will try to set this one up later...
I've tried to implement this scenario but I'm getting the following error:
No application classloader can load login module class: com.sap.engine.services.security.server.jaas.DigestLoginModule. Probably application that deployed the login module is stopped and cannot be started.
Do you have any idea?
Thank you!
That was really helpful !
Hi Ranjeet,
Could you please help me out in using validate and decrypt along with this User token?
Thanks
Lalitha
How to do same for HTTP(Axis) Receiver