Skip to Content
Author's profile photo Vladimir Balko

Java Mapping – Sign XML in mapping in XI 7.0

Recently I received a task to digital sign outgoing XML Invoice. That is not a problem at all – you can do this easily in SOAP adapter as adapter module. But my assignment had restriction, that because that XML was processed by ccBPM (in XI 7.0) – that signing had to be done in mapping – not in adapter.

I have spent few days to crack this problem, but finally – with extensive help of scn.sap.com – I was successful.

I developed java mapping and for signing itself I used Apache Santuario — Index library – but because I was on SAP XI 7.0 – I had to use old version for java 1.4.2. Actual version in java 1.4 branch is Apache Download Mirrors.

Also – before you can start – you have to get XI jar libraries from your system. You have two options – ask some basis person to gather those files for you or you can use that  excellent ABAP report – but because you need also jar libraries from different paths – you need to modify slightly modify that report. I strongly recommend to see that wiki page to know more about getting those jars – Where to get the libraries for XI development – Process Integration – SCN Wiki

So what jar libraries do we need?

library name where to get it
aii_af_trace.jar /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ext/
aii_map_api.jar /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/apps/sap.com/com.sap.xi.services
aii_utilxi_misc.jar /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ext/
commons-logging-1.1.jar Apache Santuario
keystore_api.jar /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ interfaces/keystore_api/keystore_api.jar
keystore.jar /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/services/keystore/keystore.jar
xmlsec-1.4.8.jar Apache Santuario

So if you have downloaded Apache Santuario, get SAP NWDS running and have all these libraries we can start with java mapping.

  1. start NWDS and create new java project.
  2. jm1.PNG
  3. Add all needed libraries into project jm2.PNG
  4. Create new java class XMLSignMapping which extends DefaultHandler and implements StreamTransformation. This class (or interface which it is implementing) contains two methods:
    1. execute – this is method which system will call in mapping process – all logic comes here
    2. setParameter – method to work with container
  5. Create new java class XIKeystoreAccessor – this will be utility class to which will contain logic to work with Keystore. You can find content of this class as attachment.
  6. Create new java class TraceUtil – utility for logging – content as attachment
  7. I had to resolve few issues with Apache Santuario library due to bugs in it – so I had to add new package into the project org.apache.xml.security.resource and add xmlsecurity_en_US.properties and xmlsecurity.properties  into it. xmlsecurity.properties is just renamed xmlsecurity_en_US.properties which you can find in xmlsecurity.jar library
  8. If you created these 3 classes and added content into them – create jar file from project jm4.PNG
  9. Upload that jar and two jars from Apache Santuario project into XI as external library and add XMLSingMapping as a java mapping class into interface mapping – you can find more on java mappings here – Java Mapping in SAP PI / XI – Step-by-step example » Techplay

When I worked on this problem – I have found, that there is no complete guide how to access KeyStore and digitally sign XML from mapping. So I hope that this blog post will help somebody to not spent a lot of hours on implementing signing as I did 🙂

Aloha !

Assigned Tags

      16 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Grzegorz Glowacki
      Grzegorz Glowacki

      Hi Vladimir,

      You're a role model! I saw you investigated this topic in a few Discussions, and now once solved, you shared the complete solution in a Document. Thanks for sharing and keep posting.

      Regards,

      Greg

      Author's profile photo Carlos Dias
      Carlos Dias

      Hello Vladimir,

      I'm trying to find a solution for a similar problem. I need do digitally sign a message but my message is a non-xml message and i need to concatenate the signature in the end of the message.

      Do you think it's possible using your approach? Do you have any suggestions?

      Thank you! 🙂

      Author's profile photo Vladimir Balko
      Vladimir Balko
      Blog Post Author

      Hello Carlos,

      If you can work with that non-xml message as a java string, I think, that with small or none corrections it could be pretty possible.

      Please let me know if you were successful.

      Regards VB

      Author's profile photo Carlos Dias
      Carlos Dias

      Hi Vladimir,

      I'm trying to modify your code but i'am having problems because my PI version is 7.11 and some methods and libraries changed.

      And i'm also having problems finding the correct libraries. Do you recommend to test on eclipse or directly in the operation mapping?

      The  non-xml message is SWIFT and it can be worked like text.

      Thank you!

      Author's profile photo Ricardo Viana
      Ricardo Viana

      Carlos,

      Check my blog about java mapping.

      There is another API for SAP PI 7.1

      And you must user Transform insted of Execute !

      http://scn.sap.com/docs/DOC-45642

      Author's profile photo Vladimir Balko
      Vladimir Balko
      Blog Post Author

      Hello Carlos,

      I usually perform technical (unit) testing in eclipse using small testing class and exported XML from system. Integration testing have to be (of course) performed in XI/PI system 🙂

      I recommend you to look at excellent document from Ricardo Viana (mentioned in his comment) about Java Mapping - it is really helpful.

      Author's profile photo Carlos Dias
      Carlos Dias

      Hi Vladimir,

      what is the purpose of ResourceException and the BabelMessage class? I got some Jars from my SAP PI 7.11 installation but none of the seem to have this classes. My solution was to delete in the second case  and also chaged ResourceExcpetion to an other exception.

      Many thanks!!

      Author's profile photo Vladimir Balko
      Vladimir Balko
      Blog Post Author

      ResourceException is just exception, which objects raise - you can declare differetn type of exception - or none (I dont recommend that) if you want. Just change

      private XIKeystoreAccessor(TraceUtil trace) throws ResourceException

      to

      private XIKeystoreAccessor(TraceUtil trace) throws <whatever_exception>

      BabelMessage is used, because ResourceException class uses strings in BabelMessage format as input.

      Is that understandable? If not ask me more 🙂

      Author's profile photo Carlos Dias
      Carlos Dias

      Hi again Vladimir! Thank you for your help!

      I have another question: do you know if it is possible to load PI keystore from this CryptoFactory (WSS4J 1.5.5 API) class?

      I'm trying to use WSS4J to sing and encrypt XML messages and I need to load keys from the keystore.

      thanks!

      Author's profile photo Ricardo Viana
      Ricardo Viana

      Thanks for comment Vladimir 😀

      Regards,

      Author's profile photo Ricardo Viana
      Ricardo Viana

      Congrats Vladimir !

      I remember that´s I help you about it, thanks to share code and explain how to do that.

      Question for SAP PI 7.0 you must use additional API like Apache Santuario -- Index library, and for 7.0+ ?

      Spasiba Bolshoi Drug.

      Regards,

      Author's profile photo Vladimir Balko
      Vladimir Balko
      Blog Post Author

      Hi Ricardo,

      your help was really kickstarter for me - without it, I would spent I lot more time with try - failure.

      Regarding your question - I needed that library just because java 1.4.2 doesnt have built-in functionality for signing. I believe that later (non prehistorical like 1.4.2) java versions have that functionality built-in. But I didn't checked that.

      regards vb

      Author's profile photo Carlos Dias
      Carlos Dias

      Yes it was 🙂

      Finally yesterday i was able to make it work. I had to change XIKeystoreAccessor to call the transform method instead of execute. And of course change the way message was being sign because I don't have an XML message and my digest algorithm is different.

      Thanks a lot for your time and effort. Your post really help me a lot and saved me hours of work. If you came to Portugal please tell me because i want to buy you a beer 😎

      Author's profile photo Vladimir Balko
      Vladimir Balko
      Blog Post Author
      1. I was in Lisabon few years ago and I have to say that I enjoyed it so much. I visited church of Fernando Maghaliens in Belem (tasted cookies there too 🙂 ) was in Castello de san jorge, had a cafe in Cafe Brasileira and visited oceanarium too 🙂 I especially liked Alfama and Belem 🙂 So who knows - maybe sometimes in the future I will return there 🙂
      Author's profile photo Hareesh Gampa
      Hareesh Gampa

      Thank you Vladimir Balko ..It was really helpful.

      Author's profile photo Former Member
      Former Member

      Hello all

      Does anybody has the " Java Mapping in SAP PI / XI – Step-by-step example » Techplay" article on a local? Mentioned link doesnt opens. Please could you send me information?

      Thank you!