Example of Principal Propagation for SOAP to RFC S...
There are already a few examples of principal propagation implementation in PI/PO, but in this blog you will learn how to employ it in a SOAP to RFC scenario, which could be applied to the integration of a 3rd party system with SAP. It is also common to use user id and password for authentication, but certificate-based authentication will be used here. Below is a brief description of the scenario.
Sender SOAP channel will use HTTPS with Client Authentication
Client certificate will be used for authentication on the sender side and SAP logon ticket will be used to authenticate on the receiver side
Note: The scenario on the receiver side is calling the IDOC_INBOUND_SINGLE which is a function module that creates an IDoc.
Import the public client certificate into the logon user id
Export/Import of SAPLogonTicket
Export the public logon ticket of PO system as Binary
Import the logon ticket into ECC
Add CreateTicketLoginModule module in the ticket template
Go to NWA --> Configuration --> Security --> Authentication and Single Sign-On
By default, the SOAP adapter uses the ticket template to define the login modules used for authentication.
Modify the ticket template to add the CreateTicketLoginModule login module so that the SOAP adapter will allow authentication using certificates.
Set the sender SOAP adapter to use HTTPS with Client Authentication
Enable the Principal Propagation in the ICO
Inbound Processing tab
Outbound Processing tab
Testing
Export the private client certificate in PKCS12 format, set a password and then generate the certificate export
We will only use SOAP UI for testing
Set the KeyStore and KeyStore Password in the SSL Settings of the SOAP UI Preferences. The KeyStore value is the path to your private client certificate, and the KeyStore Password must be the same as your private client certificate export password.
Submit the SOAP request
Verify the UNAME value in the table EDIDS of ECC. It should match the PO logon id that owns the client certificate used for submitting the request in SOAP UI.
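A pre-flight check for the PKCS12 export used in the test above, as an added example that is not part of the original post: it uses the `openssl` CLI to confirm that the file carries a private key, that the certificate subject is the one imported into the PO logon user, and that the certificate is not about to expire. The subject `CN=PO_TESTUSER`, the password `export-pw` and the file names are constructed sample values.

```shell
#!/bin/sh
# Added example: inspect a PKCS12 client-certificate export before loading it into SoapUI.
# All file names, subjects and passwords below are constructed sample values.

# Print the subject DN (RFC 2253 form) of the client certificate in the PKCS12 file.
p12_subject() {  # usage: p12_subject FILE PASSWORD
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//'
}

# Succeed only if the export carries a private key (needed for TLS client authentication).
# The key is piped straight to grep and never written to disk.
p12_has_key() {  # usage: p12_has_key FILE PASSWORD
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Succeed only if the certificate is still valid DAYS days from now.
p12_valid_for() {  # usage: p12_valid_for FILE PASSWORD DAYS
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null 2>&1
}

# Full check: expected identity, key present, not expiring soon.
check_client_p12() {  # usage: check_client_p12 FILE PASSWORD EXPECTED_SUBJECT DAYS
    [ "$(p12_subject "$1" "$2")" = "$3" ] || { echo "subject mismatch"; return 1; }
    p12_has_key "$1" "$2"                 || { echo "no private key"; return 2; }
    p12_valid_for "$1" "$2" "$4"          || { echo "expires within $4 days"; return 3; }
    echo "ok"
}

# Constructed sample: a throwaway self-signed certificate exported as PKCS12.
make_sample_p12() {  # usage: make_sample_p12 DIR ; writes DIR/client.p12
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=PO_TESTUSER" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/client.p12" -passout "pass:export-pw" >/dev/null 2>&1
}
```

Run `check_client_p12` against the real export with the subject of the certificate that was imported into the PO logon user; a mismatch here explains an unexpected UNAME in EDIDS before any request is sent.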
I hope this post provides you with a good basis for building your own scenario that takes advantage of principal propagation. Certificate-based authentication will also provide more security and less maintenance compared to using user id/password, as most companies have a security policy around password expiration.