Showing results for 
Search instead for 
Did you mean: 

WS-Security SOAP Header does not include expected elements

Former Member
0 Kudos

Our SAP R/3 Enterprise is sending messages to XI which then forwards them to third party applications withing our corporate firewall.

One of these applications (Java) provides a Web Service to which we are attempting to direct a message from XI.

This Web Service requires WS-Security information be included in the SOAP header identifying Username, Password as described by the Oasis standards.


<wsse:Security xmlns:wsse=""


<wsse:UsernameToken xmlns:wsu=""











I have gone through a lot of documentation provided by SAP and SDN in an attempt to determine how and what to configure in order to generate the above SOAP header and although I am fairly sure SAP XI can perform this function I am at a loss on what needs to be done.

Their are plenty of documents describing how to do this for a Web Service generated by an SAP (WAS, R/3, XI, etc) but other than references to doing so for a third party application nothing that is concrete. Yet I am fairly certain that it is a simple process.

In one article of SAP Insider I found reference to this email address and am hoping that you will be able to assist.

Our XI is currently running WAS Netweaver 04 (640) patched at SAPKB64017.

Accepted Solutions (1)

Accepted Solutions (1)

Active Contributor
0 Kudos

WS-Security will be supported in the next release (PI 7.10).

It is not possible with NW 04 or 04S.



Answers (1)

Answers (1)

Former Member
0 Kudos


OASIS WS-Security 1.0 has been supported by the XI SOAP adapter for a long time.

However, what you're trying to do isn't possible in XI yet, because it isn't pure WS-Security.

WS-Security provides definition for the wsse:UsernameToken element, but provides little in the way of content. The standard allows for //wsse:UsernameToken/Username, and for //wsse:UsernameToken/<xsd:any> to support extensibility. WS-Security does not define the existence of wsse:Password, wsse:Nonce, wsse:Created, etc.

OASIS released a separate standard at the same time as WS-Security 1.0 to define a set of extensions for the wsse:UsernameToken element. This standard includes //wsse:UsernameToken/Password and your other elements. So, you need an application that has implemented WS-Security 1.0 as well as the "Web Services Security UsernameToken Profile 1.0" standard.

XI does not appear to support this standard extension, so customers are frequently doing a custom implementation in order to implement the features they need from the UsernameToken Profile standard. I've seen a customer do it in the plain HTTP adapter and use XSLT in the message mapping for receiver cases.

I've yet to see a sender case. Adapter modules in the SOAP adapter might work, but I see this as a technical risk because I don't know if you can re-authenticate from within the adapter module, and I suspect that XI applies the business-service authorization rule (the user authorization to access that particular service) before the adapter modules are called.

--Dan King

Manager, SAP NetWeaver Integration


Former Member
0 Kudos

Hi - I think my issue () is the same as this one. Can this be implemented in PI 7.11?