Java Mapping – Sign XML in mapping in XI 7.0
Recently I received a task to digital sign outgoing XML Invoice. That is not a problem at all – you can do this easily in SOAP adapter as adapter module. But my assignment had restriction, that because that XML was processed by ccBPM (in XI 7.0) – that signing had to be done in mapping – not in adapter.
I have spent few days to crack this problem, but finally – with extensive help of scn.sap.com – I was successful.
I developed java mapping and for signing itself I used Apache Santuario — Index library – but because I was on SAP XI 7.0 – I had to use old version for java 1.4.2. Actual version in java 1.4 branch is Apache Download Mirrors.
Also – before you can start – you have to get XI jar libraries from your system. You have two options – ask some basis person to gather those files for you or you can use that excellent ABAP report – but because you need also jar libraries from different paths – you need to modify slightly modify that report. I strongly recommend to see that wiki page to know more about getting those jars – Where to get the libraries for XI development – Process Integration – SCN Wiki
So what jar libraries do we need?
| library name | where to get it |
|---|---|
| aii_af_trace.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ext/ |
| aii_map_api.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/apps/sap.com/com.sap.xi.services |
| aii_utilxi_misc.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ext/ |
| commons-logging-1.1.jar | Apache Santuario |
| keystore_api.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ interfaces/keystore_api/keystore_api.jar |
| keystore.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/services/keystore/keystore.jar |
| xmlsec-1.4.8.jar | Apache Santuario |
So if you have downloaded Apache Santuario, get SAP NWDS running and have all these libraries we can start with java mapping.
- start NWDS and create new java project.
- Add all needed libraries into project
- Create new java class XMLSignMapping which extends DefaultHandler and implements StreamTransformation. This class (or interface which it is implementing) contains two methods:
- execute – this is method which system will call in mapping process – all logic comes here
- setParameter – method to work with container
- Create new java class XIKeystoreAccessor – this will be utility class to which will contain logic to work with Keystore. You can find content of this class as attachment.
- Create new java class TraceUtil – utility for logging – content as attachment
- I had to resolve few issues with Apache Santuario library due to bugs in it – so I had to add new package into the project org.apache.xml.security.resource and add xmlsecurity_en_US.properties and xmlsecurity.properties into it. xmlsecurity.properties is just renamed xmlsecurity_en_US.properties which you can find in xmlsecurity.jar library
- If you created these 3 classes and added content into them – create jar file from project
- Upload that jar and two jars from Apache Santuario project into XI as external library and add XMLSingMapping as a java mapping class into interface mapping – you can find more on java mappings here – Java Mapping in SAP PI / XI – Step-by-step example » Techplay
When I worked on this problem – I have found, that there is no complete guide how to access KeyStore and digitally sign XML from mapping. So I hope that this blog post will help somebody to not spent a lot of hours on implementing signing as I did 🙂
Aloha !
Hi Vladimir,
You're a role model! I saw you investigated this topic in a few Discussions, and now once solved, you shared the complete solution in a Document. Thanks for sharing and keep posting.
Regards,
Greg
Hello Vladimir,
I'm trying to find a solution for a similar problem. I need do digitally sign a message but my message is a non-xml message and i need to concatenate the signature in the end of the message.
Do you think it's possible using your approach? Do you have any suggestions?
Thank you! 🙂
Hello Carlos,
If you can work with that non-xml message as a java string, I think, that with small or none corrections it could be pretty possible.
Please let me know if you were successful.
Regards VB
Hi Vladimir,
I'm trying to modify your code but i'am having problems because my PI version is 7.11 and some methods and libraries changed.
And i'm also having problems finding the correct libraries. Do you recommend to test on eclipse or directly in the operation mapping?
The non-xml message is SWIFT and it can be worked like text.
Thank you!
Carlos,
Check my blog about java mapping.
There is another API for SAP PI 7.1
And you must user Transform insted of Execute !
http://scn.sap.com/docs/DOC-45642
Hello Carlos,
I usually perform technical (unit) testing in eclipse using small testing class and exported XML from system. Integration testing have to be (of course) performed in XI/PI system 🙂
I recommend you to look at excellent document from Ricardo Viana (mentioned in his comment) about Java Mapping - it is really helpful.
Hi Vladimir,
what is the purpose of ResourceException and the BabelMessage class? I got some Jars from my SAP PI 7.11 installation but none of the seem to have this classes. My solution was to delete in the second case and also chaged ResourceExcpetion to an other exception.
Many thanks!!
ResourceException is just exception, which objects raise - you can declare differetn type of exception - or none (I dont recommend that) if you want. Just change
private XIKeystoreAccessor(TraceUtil trace) throws ResourceException
to
private XIKeystoreAccessor(TraceUtil trace) throws <whatever_exception>
BabelMessage is used, because ResourceException class uses strings in BabelMessage format as input.
Is that understandable? If not ask me more 🙂
Hi again Vladimir! Thank you for your help!
I have another question: do you know if it is possible to load PI keystore from this CryptoFactory (WSS4J 1.5.5 API) class?
I'm trying to use WSS4J to sing and encrypt XML messages and I need to load keys from the keystore.
thanks!
Thanks for comment Vladimir 😀
Regards,
Congrats Vladimir !
I remember that´s I help you about it, thanks to share code and explain how to do that.
Question for SAP PI 7.0 you must use additional API like Apache Santuario -- Index library, and for 7.0+ ?
Spasiba Bolshoi Drug.
Regards,
Hi Ricardo,
your help was really kickstarter for me - without it, I would spent I lot more time with try - failure.
Regarding your question - I needed that library just because java 1.4.2 doesnt have built-in functionality for signing. I believe that later (non prehistorical like 1.4.2) java versions have that functionality built-in. But I didn't checked that.
regards vb
Yes it was 🙂
Finally yesterday i was able to make it work. I had to change XIKeystoreAccessor to call the transform method instead of execute. And of course change the way message was being sign because I don't have an XML message and my digest algorithm is different.
Thanks a lot for your time and effort. Your post really help me a lot and saved me hours of work. If you came to Portugal please tell me because i want to buy you a beer 😎
Thank you Vladimir Balko ..It was really helpful.
Hello all
Does anybody has the " Java Mapping in SAP PI / XI – Step-by-step example » Techplay" article on a local? Mentioned link doesnt opens. Please could you send me information?
Thank you!