Service Group Configuration in SOAMANAGER using SSL Certificates
Service Group configuration is a topic that is coming up over and over again among our customers as they are moving to S/4HANA or adding additional integration scenarios to their current landscape. Recently we had to reconfigure parts of S/4HANA connectivity by using the service group approach, as the existing logical port configuration didn’t suffice for replicating BP master data to multiple systems.
We used the following, excellent blogs as our starting point to configure the connectivity to the cloud systems, but while we succeeded in achieving connectivity using basic authentication, the configuration using SSL certificates was failing to generate no matter what.
After weeks of digging and with help from SAP Support, we finally got to the end of it, and it turns out we need to further manipulate the WSDL document and add the required security policies manually.
Note that, as a prerequisite, you must also add the binding information mentioned in the above blogs before you add the additional security policy required for SSL authentication to work.
- Double-check that the namespace declarations for the security policy tags are in place; otherwise add the following inside wsdl:definitions:
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
- Place the following content before wsdl:types:
    <wsp:Policy wsu:Id="BN_BN_Certificate"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <sp:TransportToken>
                <wsp:Policy>
                  <sp:HttpsToken>
                    <wsp:Policy>
                      <wsp:ExactlyOne>
                        <sp:HttpBasicAuthentication/>
                        <sp:RequireClientCertificate/>
                      </wsp:ExactlyOne>
                    </wsp:Policy>
                  </sp:HttpsToken>
                </wsp:Policy>
              </sp:TransportToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <wsp:ExactlyOne>
                    <sp:Basic256/>
                    <sp:Basic192/>
                    <sp:Basic128/>
                    <sp:TripleDes/>
                    <sp:Basic256Rsa15/>
                    <sp:Basic192Rsa15/>
                    <sp:Basic128Rsa15/>
                    <sp:TripleDesRsa15/>
                    <sp:Basic256Sha256/>
                    <sp:Basic192Sha256/>
                    <sp:Basic128Sha256/>
                    <sp:TripleDesSha256/>
                    <sp:Basic256Sha256Rsa15/>
                    <sp:Basic192Sha256Rsa15/>
                    <sp:Basic128Sha256Rsa15/>
                    <sp:TripleDesSha256Rsa15/>
                  </wsp:ExactlyOne>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Strict/>
                </wsp:Policy>
              </sp:Layout>
            </wsp:Policy>
          </sp:TransportBinding>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
- Finally, add the following policy reference inside wsdl:binding:
    <wsp:Policy>
      <wsp:PolicyReference URI="#BN_BN_Certificate"/>
    </wsp:Policy>
- Save the WSDL, upload it in SOAMANAGER and publish it in the registry
Editing the WSDL manually as described above might break the XML structure, in which case you will get errors during the upload. If that happens, navigate to Tools -> WSDL Analyzer in SOAMANAGER. It has been quite helpful, despite the cryptic error messages.
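A local pre-upload check for the manual edits described above, as an added example (not SAP tooling and not part of the original post): it verifies that the edited WSDL is still well-formed, that the policy Id sits in the correct wsu namespace, and that every wsdl:binding references a policy Id that exists. The function name `check_wsdl_policy` and the sample WSDL skeleton are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed, minimal WSDL skeleton for the demo (not a real SAP service definition).
SAMPLE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="{wsu}">
  <wsp:Policy wsu:Id="BN_BN_Certificate"/>
  <wsdl:types/>
  <wsdl:binding name="DemoBinding">
    <wsp:Policy><wsp:PolicyReference URI="{uri}"/></wsp:Policy>
  </wsdl:binding>
</wsdl:definitions>"""


def check_wsdl_policy(wsdl_text):
    """Hypothetical helper: list problems in a hand-edited WSDL (empty list = OK)."""
    try:
        root = ET.fromstring(wsdl_text)
    except ET.ParseError as exc:
        # Covers broken nesting and prefixes used without an xmlns declaration.
        return [f"not well-formed: {exc}"]
    problems, policy_ids = [], set()
    for policy in root.iter(f"{{{WSP}}}Policy"):
        for attr, value in policy.attrib.items():
            if attr == f"{{{WSU}}}Id":
                policy_ids.add(value)
            elif attr.endswith("}Id"):  # Id present, but in a mistyped namespace
                problems.append(f"policy '{value}': Id is in namespace {attr[1:-3]}, not wsu")
    bindings = root.findall(f"{{{WSDL}}}binding")
    if not bindings:
        problems.append("no wsdl:binding element found")
    for binding in bindings:
        name = binding.get("name", "?")
        refs = [r.get("URI", "") for r in binding.iter(f"{{{WSP}}}PolicyReference")]
        if not refs:
            problems.append(f"binding '{name}': no wsp:PolicyReference")
        for uri in refs:
            if not uri.startswith("#") or uri[1:] not in policy_ids:
                problems.append(f"binding '{name}': {uri} does not resolve to a local wsu:Id")
    return problems


if __name__ == "__main__":
    print(check_wsdl_policy(SAMPLE.format(wsu=WSU, uri="#BN_BN_Certificate")))
```

Run it against the edited file's contents before uploading; an empty list means the structural checks passed, not that SOAMANAGER will accept the policy.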