Recently I received a task to digitally sign an outgoing XML invoice. That is not a problem in itself: you can do it easily in the SOAP adapter with an adapter module. But my assignment had a restriction: because the XML was processed by ccBPM (in XI 7.0), the signing had to be done in the mapping, not in the adapter.

I spent a few days cracking this problem, but finally, with extensive help from scn.sap.com, I was successful.

I developed a Java mapping, and for the signing itself I used the Apache Santuario library. Because I was on SAP XI 7.0, I had to use an old version for Java 1.4.2. The current version in the Java 1.4 branch is available from the Apache download mirrors.

Also, before you can start, you have to get the XI jar libraries from your system. You have two options: ask a Basis person to gather those files for you, or use that excellent ABAP report. Because you also need jar libraries from different paths, you have to modify that report slightly. I strongly recommend reading this wiki page to learn more about getting those jars: Where to get the libraries for XI development – Process Integration – SCN Wiki

So what jar libraries do we need?

| Library name | Where to get it |
| --- | --- |
| aii_af_trace.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ext/ |
| aii_map_api.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/apps/sap.com/com.sap.xi.services |
| aii_utilxi_misc.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ext/ |
| commons-logging-1.1.jar | Apache Santuario |
| keystore_api.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/interfaces/keystore_api/keystore_api.jar |
| keystore.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/services/keystore/keystore.jar |
| xmlsec-1.4.8.jar | Apache Santuario |

So if you have downloaded Apache Santuario, have SAP NWDS running and have all these libraries, we can start with the Java mapping.

  1. Start NWDS and create a new Java project.
  2. Add all needed libraries to the project.
  3. Create a new Java class XMLSignMapping which extends DefaultHandler and implements StreamTransformation. This class (or rather the interface it implements) contains two methods:
    1. execute – the method the system calls in the mapping process; all logic goes here
    2. setParameter – the method for working with the container
  4. Create a new Java class XIKeystoreAccessor. This is a utility class which contains the logic for working with the KeyStore. You can find the content of this class as an attachment.
  5. Create a new Java class TraceUtil, a utility for logging. Its content is attached as well.
  6. I had to resolve a few issues with the Apache Santuario library due to bugs in it, so I had to add a new package org.apache.xml.security.resource to the project and put xmlsecurity_en_US.properties and xmlsecurity.properties into it. xmlsecurity.properties is just a renamed xmlsecurity_en_US.properties, which you can find in the xmlsecurity.jar library.
  7. Once you have created these 3 classes and added the content to them, create a jar file from the project.
  8. Upload that jar and the two jars from the Apache Santuario project into XI as an external library, and add XMLSignMapping as a Java mapping class to the interface mapping. You can find more on Java mappings here: Java Mapping in SAP PI / XI – Step-by-step example » Techplay
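
As an added illustration of the mapping class described in the steps above (this is not the attachment code from this post): a StreamTransformation whose execute method adds an enveloped signature with the Santuario 1.4.x API. The class name EnvelopedSignMapping and the loadSigningKey helper are assumptions; the helper generates a throwaway RSA key where the post's XIKeystoreAccessor would read the key from the XI keystore.

```java
// Added example. Needs xmlsec-1.4.8.jar, commons-logging-1.1.jar, aii_map_api.jar; Java 1.4 syntax.
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import com.sap.aii.mapping.api.StreamTransformation;
import com.sap.aii.mapping.api.StreamTransformationException;

public class EnvelopedSignMapping implements StreamTransformation {
    private Map param; // runtime parameters handed in by the mapping framework

    public void setParameter(Map param) { this.param = param; }

    // Assumption: stands in for the keystore lookup done in XIKeystoreAccessor.
    // A throwaway key is generated so the class also runs outside XI.
    protected KeyPair loadSigningKey() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    public void execute(InputStream in, OutputStream out) throws StreamTransformationException {
        try {
            org.apache.xml.security.Init.init(); // registers algorithms; repeated calls are harmless
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true); // without this, canonicalization and ds: elements break
            Document doc = dbf.newDocumentBuilder().parse(in);
            KeyPair key = loadSigningKey();
            // RSA-SHA1 shown; XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256 needs JCE provider support.
            XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
            doc.getDocumentElement().appendChild(sig.getElement()); // enveloped: Signature inside payload
            Transforms tr = new Transforms(doc);
            tr.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE); // keep Signature out of the digest
            tr.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
            sig.addDocument("", tr, Constants.ALGO_ID_DIGEST_SHA1); // URI "" = the whole document
            sig.addKeyInfo(key.getPublic()); // lets the receiver see which key to verify with
            sig.sign(key.getPrivate());
            XMLUtils.outputDOM(doc, out); // serialize the signed DOM as the mapping result
        } catch (Exception e) {
            throw new StreamTransformationException("XML signing failed: " + e);
        }
    }
}
```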

When I worked on this problem, I found that there was no complete guide on how to access the KeyStore and digitally sign XML from a mapping. So I hope that this blog post will help somebody avoid spending as many hours on implementing signing as I did 🙂

Aloha !


16 Comments


  1. Grzegorz Glowacki

    Hi Vladimir,

    You’re a role model! I saw you investigated this topic in a few Discussions, and now once solved, you shared the complete solution in a Document. Thanks for sharing and keep posting.

    Regards,

    Greg

    (0) 
  2. Carlos Dias

    Hello Vladimir,

    I’m trying to find a solution for a similar problem. I need to digitally sign a message, but my message is a non-XML message and I need to concatenate the signature at the end of the message.

    Do you think it’s possible using your approach? Do you have any suggestions?

    Thank you! 🙂

    (0) 
    1. Vladimir Balko Post author

      Hello Carlos,

      If you can work with that non-XML message as a Java string, I think that with small or no corrections it could be pretty possible.

      Please let me know if you were successful.

      Regards VB

      (0) 
      1. Carlos Dias

        Hi Vladimir,

        I’m trying to modify your code but I’m having problems because my PI version is 7.11 and some methods and libraries changed.

        And I’m also having problems finding the correct libraries. Do you recommend testing in Eclipse or directly in the operation mapping?

        The non-XML message is SWIFT and it can be worked like text.

        Thank you!

        (0) 
        1. Vladimir Balko Post author

          Hello Carlos,

          I usually perform technical (unit) testing in Eclipse using a small testing class and XML exported from the system. Integration testing has to be (of course) performed in the XI/PI system 🙂

          I recommend you look at the excellent document from Ricardo Viana (mentioned in his comment) about Java Mapping – it is really helpful.

          (0) 
          1. Carlos Dias

            Hi Vladimir,

            What is the purpose of ResourceException and the BabelMessage class? I got some jars from my SAP PI 7.11 installation but none of them seem to have these classes. My solution was to delete in the second case and also changed ResourceException to another exception.

            Many thanks!!

            (0) 
            1. Vladimir Balko Post author

              ResourceException is just an exception which objects raise – you can declare a different type of exception – or none (I don’t recommend that) if you want. Just change

              private XIKeystoreAccessor(TraceUtil trace) throws ResourceException

              to

              private XIKeystoreAccessor(TraceUtil trace) throws <whatever_exception>

              BabelMessage is used, because ResourceException class uses strings in BabelMessage format as input.

              Is that understandable? If not ask me more 🙂

              (0) 
    1. Vladimir Balko Post author

      Hi Ricardo,

      Your help was really a kickstarter for me – without it, I would have spent a lot more time with try – failure.

      Regarding your question – I needed that library just because Java 1.4.2 doesn’t have built-in functionality for signing. I believe that later (non-prehistoric, unlike 1.4.2) Java versions have that functionality built in. But I didn’t check that.

      regards vb

      (0) 
  3. Carlos Dias

    Yes it was 🙂

    Finally yesterday I was able to make it work. I had to change XIKeystoreAccessor to call the transform method instead of execute. And of course change the way the message was being signed, because I don’t have an XML message and my digest algorithm is different.

    Thanks a lot for your time and effort. Your post really helped me a lot and saved me hours of work. If you come to Portugal please tell me because I want to buy you a beer 😎

    (0) 
    1. Vladimir Balko Post author
      I was in Lisbon a few years ago and I have to say that I enjoyed it so much. I visited the church of Fernando Maghaliens in Belem (tasted cookies there too 🙂 ), was in Castello de san jorge, had a coffee in Cafe Brasileira and visited the oceanarium too 🙂 I especially liked Alfama and Belem 🙂 So who knows – maybe sometime in the future I will return there 🙂
      (0) 
