cancel
Showing results for 
Search instead for 
Did you mean: 

Disable user and password in RNIF adapter.

Former Member
0 Kudos
156

Hi,

When I call the RNIF adapter, for example, in the browser http:///MessagingSystem/receive/RNIFAdapter/RNIF, a pop-up requesting user and password is showed.

I need to call the RNIF adapter but I don´t want to use authentication in the conextion.

Is there any solution to do it?.

Thanks.

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

It may helps you,

How can I turn off User ID and Password Authentication for the CIDX/RNIF1.1/RNIF2.0 adapters?

Following procedure needs to be followed .

i. Locate the file SAPXIAF*.sca specific to the XI SP version being used in your system. This sca file contains aii_af_ms_app.sda .

ii. Open aii_af_ms_app.sda and you would find aii_af_ms_app.war file. Open this file also. You would find web.xml. Make the following changes .

iii. Comment out the following section as follows:

<!--

security-constraint>

<web-resource-collection>

<web-resource-name>XI_AF_RECEIVE</web-resource-name>

<url-pattern>receive/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>xi_af_receive</role-name>

</auth-constraint>

</security-constraint

-->

iv. Add the following section immediately either below or above the commented section.

< security-constraint>

<web-resource-collection>

<web-resource-name>XI_AF_RECEIVE</web-resource-name>

<url-pattern>receive/MPA/*</url-pattern>

<url-pattern>receive/BcAdapter/*</url-pattern>

<url-pattern>receive/AFW/*</url-pattern>

<url-pattern>receive/JPR/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>xi_af_receive</role-name>

</auth-constraint>

</security-constraint>

v. Put back web.xml in to aii_af_ms_app.sda.

vi. Close the SAPXIAF*.sca and open it again to check whether the change that you made is there in the file.

vii. Deploy the modified SDA using SDM tool.

Thanks.

Boopathi

Answers (2)

Answers (2)

Former Member
0 Kudos

Hi,

Thanks for your information. I put a "SAP Note" few days ago, and they answered the same that Boopathi said. This is the only solution.

Thanks very much.

stefan_grube
Active Contributor
0 Kudos

I need to call the RNIF adapter but I don´t want to use authentication in the conextion.

Is there any solution to do it?.

No, there is no solution for this and it does not make sense to have a connection without user. This is too unsecure.

Regards

Stefan

bhavesh_kantilal
Active Contributor
0 Kudos

Hello Stefan,

We have actually turned of Basic Auth for the RNIF adapter due to the following reasons,

1. RNIF is used in a B2B landscape, and so we use Certificates ( Server SSL and Singature/ Encryption ).

2. We use a DAE in our DMZ and thereby all malicious traffic is stopped using IP filtering at the Firewall and Encryption checks at within the DMZ before the message even hits XI's Integration Server.

3. We thought having a basic auth at this point further would be a pain pint especially when you are integrating with multiple trading partners.

Is there some risk you still see in your analysis inspite of all these checks we are performing in turnhing of the Basic Auth?

Regards,

Bhavesh

stefan_grube
Active Contributor
0 Kudos

Hi Bhavesh,

I do not know much about RNIF, so I cannot say anything about the effort to establish basic authentication.

If you remove the authentication in web.xml, you have to consider to do this after every patch that you apply. And you cannot distinguish between HTTP and HTTPs. So inside the firewall there could be a guy sending RNIF messages without user check.

Regards

Stefan

bhavesh_kantilal
Active Contributor
0 Kudos

Stefan,

You are bang on, abt the issue with anyone inside the firewall being able to manipulate this basic auth turned of case inside the firewall.

Given me something to ponder on.

Thanks

Bhavesh

bhavesh_kantilal
Active Contributor
0 Kudos

The solution to my predicament of the fact that B2B partners are using SSL and Digital Auth to talk to us and hence do not want additional Basic Auth,

1. In our DAE withing the DMZ we turn of Basic Auth of RNIF adapters. All inbound and outbound b2b traffic flows via the DAE.

2. No internal users other than authorized users have the roles to log on to the DAE server and hence cannot trigger any message until authorizaed to the DMZ.

3. Central AE to continue to have Basic Auth turned on always so that internal LAN and XI users do not post RNIF messages without the required roles.

Regards,

Bhavesh