This article grew out of a requirement to secure our communication with SSL and, on top of SSL, to protect the payload itself with public/private key encryption. During my research I realized that the information on this topic is limited and scattered, so I decided to write a consolidated article in the hope that it helps others understand the concept better.
Option 1: HTTP – Plain and simple HTTP communication
Option 2: HTTPS Without Client Authentication – Choose this option if you are not planning to “authenticate” your client based on a certificate. It is equivalent to one-way SSL in the generic security world. Please note that this is different from authenticating a client with a basic user/password. All Sender SOAP Web Services in PI inherently authenticate clients based on user/password.
Option 3: HTTPS with Client Authentication – If you would like to go one step further and authenticate your clients (the callers of your web service) based on certificates, then this is the option. You can see this nice blog, which talks about it in more detail. This option is equivalent to two-way SSL in the generic security world.
Also note that options 2 and 3 encrypt the tunnel between PI and the client, which also protects the user/password, since the tunnel is established first and the user/password is only sent over it afterwards. For the majority of interfaces these options provide ample security. But in certain cases you would want to go a step further and encrypt the payload. Below are some of the cases where you would want to go beyond SSL and use payload encryption.
- Payload contains sensitive PII (Personally Identifiable Information), e.g. credit card number, SSN, DOB, address etc.
- You have multiple hops (systems) between PI and the partner, and they store your data just as PI does in its database.
- You have multiple hops (systems) between PI and the partner, and they use a non-HTTP protocol like MQ to transfer data.
- Requirement from the Information Assurance Office that the payload should be encrypted “At Rest”. “At Rest” means data stored in database tables in PI or in MQ. SSL alone won’t help with this, since SSL only encrypts data “In-Flight”. In other words, SSL encrypts the communication tunnel between the partner system and PI. But once data is in PI, it is already decrypted and will be stored in the PI database.
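The at-rest point above (that SSL leaves the message readable in every system that stores it) is easiest to see with a concrete encrypt/decrypt round trip. The following is an added example written for this article, not PI's WS-Security module or SOAPUI's code. It is a Go program using only the standard library that performs hybrid encryption in the same shape as an XML Encryption/WS-Security body: a random AES-256 key encrypts the SOAP body, and that AES key is wrapped with the receiver's RSA public key (RSA-OAEP). The sample SOAP body, the PII values in it, the `urn:example:constructed` namespace and the ephemeral key pair are all constructed for the example; in the real interface the public key would be the certificate exported from PI's NWA keystore, and the private key would stay in PI. It also goes one step beyond the text: because AES-GCM authenticates the ciphertext, a stored message that an intermediate hop has altered is rejected on decryption rather than being passed on to SAP.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample SOAP body with fake PII; the values must not be readable at rest.
const samplePayload = `<ns:CustomerRequest xmlns:ns="urn:example:constructed">
  <CardNumber>4111111111111111</CardNumber>
  <SSN>123-45-6789</SSN>
</ns:CustomerRequest>`

// EncryptedPayload mirrors a WS-Security encrypted body: wrapped key plus encrypted data.
type EncryptedPayload struct {
	EncryptedKey  string // base64, AES-256 key wrapped with RSA-OAEP under the receiver's public key
	EncryptedData string // base64, AES-GCM nonce followed by ciphertext and tag
}

// GenerateReceiverKey makes a constructed ephemeral key pair standing in for PI's NWA keystore pair.
func GenerateReceiverKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt is the sender side: a fresh AES-256 key encrypts the body; only the RSA private key can unwrap it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedPayload, error) {
	aesKey := make([]byte, 32)
	rand.Read(aesKey) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	sealed := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedPayload{
		EncryptedKey:  base64.StdEncoding.EncodeToString(wrappedKey),
		EncryptedData: base64.StdEncoding.EncodeToString(sealed),
	}, nil
}

// Decrypt is the receiver side (PI, holding the private key). gcm.Open also checks
// the authentication tag, so a payload altered by an intermediate hop is rejected.
func Decrypt(priv *rsa.PrivateKey, ep *EncryptedPayload) ([]byte, error) {
	wrappedKey, errKey := base64.StdEncoding.DecodeString(ep.EncryptedKey)
	sealed, errData := base64.StdEncoding.DecodeString(ep.EncryptedData)
	if errKey != nil || errData != nil {
		return nil, fmt.Errorf("encrypted payload is not valid base64")
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("encrypted data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	priv, err := GenerateReceiverKey()
	if err != nil {
		panic(err)
	}
	ep, err := Encrypt(&priv.PublicKey, []byte(samplePayload))
	if err != nil {
		panic(err)
	}
	// The two base64 fields are what an intermediate hop or PI's database would hold.
	fmt.Println("card number visible at rest:", strings.Contains(ep.EncryptedKey+ep.EncryptedData, "4111111111111111"))
	plain, err := Decrypt(priv, ep)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted body matches original:", string(plain) == samplePayload)
}
```

Run with `go run main.go`: the first line prints `false` (the card number is not findable in the stored form) and the second prints `true`. The design choice worth noting is that every message gets its own AES key, so the partner only ever needs PI's public certificate, and compromising one stored message does not expose the others.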
Now that we have covered some basic concepts, let’s develop and test one web service interface. Below are the interface requirements.
- SOAP to RFC
- Use Integrated Configuration
- Test using SOAPUI
- Use public and private key to encrypt/decrypt
- Secure payload while “In-Flight” as well as “At Rest”
Here are our assumptions:
- The keypair has been downloaded from the NWA keystore.
- Firewalls are open between PI and the end system.
- A service user ID has been created and is available for testing.
- SOAPUI has been downloaded. Note, I am testing using SOAPUI 4.5.1.
- The interface has been developed and configured except for the SOAP sender adapter and the Integrated Configuration -> Inbound Processing tab.
One of the nice things about PI 7.11 is that you don’t have to use ABAP stack for certain interfaces. Instead, you can use Integrated Configurations. In our case we are using SOAP and RFC adapter which are part of Java stack. Below is the web service flow.
Request: Partner -> (SOAP) PI (RFC) -> SAP
Response: SAP -> (RFC) PI (SOAP) -> Partner
I will cover:
- Applying SSL to the Integrated Configuration of the synchronous SOAP-to-RFC web service.
- Applying payload encryption and decryption in the Integrated Configuration.
- Configuring SOAPUI to use encryption and decryption when calling the web service. Please note that if you are looking to use certificates for authentication, then this blog will help you.
1. SOAP Sender Adapter Settings
2. Integrated configuration “Inbound Processing” tab settings.
3. Load the WSDL in SOAPUI
4. Add PI private key to SOAPUI keystore
5. Right-click on the project and select “Show Project View”
6. Click on Keystores tab.
7. Add certificate to the Outgoing WS-Security Configuration
8. Add to the Incoming WS-Security Configuration
9. Configure Outgoing and Incoming WSS in the “Request” window.
10. Hit the “Submit Request” green play button in the top-left corner.
11. You can confirm on the right-hand screen that encryption works.