1) Could you please suggest best way to handle PI web service with regard to security. We are exposing PI to use web services from external system.As the external system are not part of our DMZ and do not reside in our network what is the best approach to configure the SOAP sender and receiver channels.
2) Also When we give the WSDL to external parties normally the PI host would be local would there be any issues wrt security should the network team open up ports for them or map the local host to public host.
you are using SOAP receiver adapter to consume third party webservice. Third party webservice is provided client certificate. Import the third party certificate in the netweaver stack and reference that certificate in the soap receiver adapter using the option certifiicate authentication.
please refer help document
You need to generate Server&Client Certificate in STRUST (if empty) and distribute to 3rdParty System.
For enable Https, you need to activate (if is disactive) https service in SMICM transaction
About Soap Security, refer to the below documents & help, about SSL configuration for SOAP Adapter (Security Checks):
HTTP & SSL
How to use Client Authentication with SOAP Adapter