
SAP PI by default provides basic authentication for its inbound web service scenarios. A service user is authenticated by the SOAP message servlet and the message is passed through.

In some scenarios we are required to add an additional authentication mechanism. SAP has provided a few options in the WS adapter, but it is not yet available for single-stack SAP PO 7.3.

Even with the WS adapter there are limitations, such as the availability of a certificate signing authority and non-Java-based systems that are unable to generate an SAP single sign-on token using its API.

In this blog I will explain a simple implementation of the Axis adapter that accepts a username token with password digest as well as password text to authenticate arbitrary users. I am assuming the ESR and ID have been configured like any other scenario, so we only need to do the configuration in NWA and in the communication channel.

Log in to NWA -> Configuration -> Authentication and Single Sign-On.

Edit the policy configuration and search for “axis”.

You will get the policy configuration name “sap.com/com.sap.aii.axis.app*XIAxisAdapter”.

Edit the login modules and change them as per the screenshot:

BasicPasswordLoginModule = “SUFFICIENT”

DigestLoginModule = “REQUISITE”

[Screenshot: Policy Configuration]

Now we are ready to configure our communication channel.

Create a SOAP sender communication channel and select the transport protocol Servlet (Axis).

[Screenshot: communication channel]

  • usernameToken and Password text with basic authentication

Below is the module configuration for arbitrary user login.

[Screenshot: module parameters for password text]

Each additional module parameter is explained here.

This module parameter is used for basic authentication.

| Module Key | Parameter Name | Parameter Value |
|---|---|---|
| auth | handler.type | java:org.apache.axis.handlers.http.HTTPAuthHandler |

This handler type is used for user login based on a specific authentication scheme. Here we are using basic authentication as well as a username token.

| Module Key | Parameter Name | Parameter Value |
|---|---|---|
| login | handler.type | java:com.sap.aii.adapter.axis.ra.handlers.security.LoginHandler |

This handler type accepts the user token generated by the client and puts it into the message context.

For an arbitrary user, the user parameters are set to “*”, and the password type must be set to PasswordText so that the password can be retrieved from the message header. This is a very useful feature when the user needs to authenticate to an end system, such as SAP CRM in our scenario. We can configure principal propagation between PI and CRM, and in PI tick the principal propagation check box in the integrated configuration.

| Module Key | Parameter Name | Parameter Value |
|---|---|---|
| usertoken | handler.type | java:com.sap.aii.adapter.axis.ra.handlers.security.WSDoAllReceiver |
| usertoken | action | UsernameToken |
| usertoken | Pwd.password | * |
| usertoken | user | * |

Below is the request message for usernameToken and passwordText.

[Screenshot: request with password text]

PI communication channel log:

This screenshot gives a clear picture of how each individual module is executed at run time.

[Screenshot: message log for password text]

  • usernameToken and Password text with basic authentication

Module configuration for passwordDigest:

[Screenshot: module parameters for password digest]

We can use password digest for a specific user. In this case the client should call the web service with the same user ID.

This provides added security, as the password is not sent as plain text.

| Module Key | Parameter Name | Parameter Value |
|---|---|---|
| usertoken | handler.type | java:com.sap.aii.adapter.axis.ra.handlers.security.WSDoAllReceiver |
| usertoken | action | UsernameToken |
| usertoken | Pwd.password | ******* |
| usertoken | user | srd474 |

Request message for passwordDigest:

[Screenshot: request with password digest]

Message log:

[Screenshot: message log for password digest]
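The password digest scenario described above, as an added example that is not part of the original post and not SAP's code: it shows how a non-Java client can derive the PasswordDigest defined by the OASIS UsernameToken Profile and which checks a receiver of such a token makes. The function names, the five-minute freshness window and the in-memory nonce set are assumptions for illustration, and the code does not reproduce how the adapter's handler verifies the token.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = NS + "wssecurity-secext-1.0.xsd"
WSU = NS + "wssecurity-utility-1.0.xsd"
DIGEST = NS + "username-token-profile-1.0#PasswordDigest"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Profile definition: Base64(SHA-1(nonce + created + password)), nonce as raw bytes
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_security_header(user, password, nonce=None, created=None) -> str:
    # Client side: a fresh random nonce and a UTC timestamp for every request
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(FMT)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")

def verify_token(header_xml, user, stored_password, seen_nonces, now,
                 max_age=timedelta(minutes=5)) -> bool:
    # Receiver side (hypothetical helper): user match, freshness, replay, digest
    tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    sent = tok.findtext(f"{{{WSSE}}}Password")
    if tok.findtext(f"{{{WSSE}}}Username") != user:
        return False
    age = now - datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
    if abs(age) > max_age or nonce_b64 in seen_nonces:
        return False  # stale timestamp or replayed nonce
    expected = password_digest(base64.b64decode(nonce_b64), created, stored_password)
    if not hmac.compare_digest(expected, sent):  # constant-time comparison
        return False
    seen_nonces.add(nonce_b64)  # remember the nonce only after a valid digest
    return True

if __name__ == "__main__":
    # Constructed sample values, not taken from a real system
    hdr = build_security_header("demo_user", "constructed-secret")
    print(hdr)
    print(verify_token(hdr, "demo_user", "constructed-secret", set(), datetime.now(timezone.utc)))
```

The digest only keeps the password itself off the wire: anyone who captures a token can test password guesses against it offline, so the channel should still run over HTTPS.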

7 Comments

  1. F. Souza

    I’ve tried to implement this scenario but I’m getting the following error:

    No application classloader can load login module class: com.sap.engine.services.security.server.jaas.DigestLoginModule. Probably application that deployed the login module is stopped and cannot be started.

    Do you have any idea?
