This article is the product of a requirement where we had to secure our communication using SSL and, on top of SSL, secure our payload as well with public/private key encryption. During my research I realized that the information regarding this is very limited and scattered, so I decided to write up a consolidated article, hoping it will help others understand this concept better.
Option 1: HTTP – Plain and simple HTTP communication
Option 2: HTTPS Without Client Authentication – This option should be chosen if you are not planning to “authenticate” your client based on a certificate. This option is equivalent to one-way SSL in the generic security world. Please note that this is different from authenticating a client using basic user/pass. All Sender SOAP Web Services in PI inherently authenticate clients based on user/pass.
Option 3: HTTPS with Client Authentication – If you would like to go one step further and authenticate your clients (the callers of your web service) based on certificates, then this is the option. You can see this nice blog, which covers it in more detail. This option is equivalent to two-way SSL in the generic security world.
Also, note that options 2 and 3 encrypt the tunnel between PI and the client. This also encrypts the user/pass, since the tunnel is encrypted before the user/pass is sent over it. For the majority of interfaces these options provide ample security, but in certain cases you would want to go a step further and encrypt the payload. Below are some of the cases where you would want to go further than just SSL and use payload encryption.
Now that we have cleared up some basic concepts, let’s go into developing and testing one web service interface. Below are the interface requirements.
Here are our assumptions:
One of the nice things about PI 7.11 is that you don’t have to use the ABAP stack for certain interfaces. Instead, you can use Integrated Configurations. In our case we are using the SOAP and RFC adapters, which are part of the Java stack. Below is the web service flow.
Request: Partner -> (SOAP) PI (RFC) -> SAP
Response: SAP -> (RFC) PI (SOAP) -> Partner
I will cover:
1. SOAP Sender Adapter Settings
2. Integrated configuration “Inbound Processing” tab settings.
3. Load WSDL in SOAP UI
4. Add PI private key to SOAPUI keystore
5. Right click on the project and select “Show Project View”
6. Click on Keystores tab.
7. Add certificate to the Outgoing WS-Security Configuration
8. Add to the Incoming WS-Security Configuration
9. Configure Outgoing and Incoming WSS on “Request” window.
10. Hit “Submit Request” green play button on top left corner.
11. You can confirm on the right screen that encryption works.
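The visual check in step 11 can also be done on a saved raw message. The following is an added example, not part of the original article or of SAP PI or SoapUI: it verifies that the SOAP Body carries only `xenc:EncryptedData` and that the WS-Security header holds a matching `xenc:EncryptedKey`. It assumes a SOAP 1.1 envelope with the standard WS-Security 1.0 and XML Encryption namespaces; the function name and both sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1 (assumed)
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
ENC_DATA = "{%s}EncryptedData" % NS["xenc"]

def check_payload_encryption(envelope_xml):
    """Return a list of findings; an empty list means the Body is fully encrypted."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    if body is None or len(body) == 0:
        return ["SOAP Body missing or empty"]
    findings = []
    clear = [c.tag for c in body if c.tag != ENC_DATA]
    if clear:
        findings.append("cleartext element(s) in Body: " + ", ".join(clear))
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None or security.find("xenc:EncryptedKey", NS) is None:
        findings.append("no xenc:EncryptedKey in wsse:Security header")
        return findings
    # Every EncryptedData in the Body must be referenced from the header,
    # otherwise the receiver has no wrapped session key for it.
    refs = {r.get("URI", "").lstrip("#")
            for r in security.iterfind(".//xenc:DataReference", NS)}
    for c in body:
        if c.tag == ENC_DATA and c.get("Id") not in refs:
            findings.append("EncryptedData Id=%r has no DataReference" % c.get("Id"))
    return findings

# Constructed sample messages (not captured from a real PI system).
_ENVELOPE = ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
             'xmlns:xenc="%(xenc)s"><soap:Header>{header}</soap:Header>'
             '<soap:Body>{body}</soap:Body></soap:Envelope>') % NS
ENCRYPTED = _ENVELOPE.format(
    header='<wsse:Security><xenc:EncryptedKey><xenc:CipherData><xenc:CipherValue>'
           'AAAA</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList>'
           '<xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>'
           '</xenc:EncryptedKey></wsse:Security>',
    body='<xenc:EncryptedData Id="ED-1"><xenc:CipherData><xenc:CipherValue>'
         'BBBB</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>')
CLEARTEXT = _ENVELOPE.format(header="", body="<GetOrder><Id>42</Id></GetOrder>")

if __name__ == "__main__":
    print("encrypted:", check_payload_encryption(ENCRYPTED) or "OK")
    print("cleartext:", check_payload_encryption(CLEARTEXT))
```

A message sent over HTTPS without WS-Security encryption produces the cleartext findings here, which is the difference between tunnel encryption and payload encryption described above.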