Migrate SOAP Axis (WS-Security) from SAP Process Orchestration (PO) to Cloud Integration (CI)


Introduction

In this blog we walk through the relevant WS-Security (WSSE) properties of the SOAP Axis adapter and compare the corresponding settings in SAP Process Orchestration and SAP Cloud Integration. You can refer to the official documentation of the WS-Security Configuration on SAP Integration Suite for more detail.

I will take the SOAP Receiver Adapter as an example, demonstrate its WS-Security functionality and show what the resulting messages look like.

The following main aspects are covered in this blog:

1. WS-Security configuration overview of SAP Cloud Integration

2. How to sign a message in SAP Process Orchestration and SAP Cloud Integration

3. How to sign with a timestamp in SAP Process Orchestration and SAP Cloud Integration

4. Receiver is Basic Security Profile Compliant

5. How to encrypt a message in SAP Process Orchestration and SAP Cloud Integration

WS-Security Configuration Overview 

In SAP PI/PO, you configure WS-Security in the SOAP Communication Channel of the Integration Builder. Under Module, add the WS-Security module to the adapter module settings. The security actions Signature, Encryption and Timestamp can be configured there, and the Key Store Entry is referenced by its alias.

In SAP Integration Suite, the SOAP 1.x Receiver Adapter lets you secure the message, and the WS-Security configuration can be specified in one of two ways.

The first is Based on Policies in WSDL.

With this option, the security settings are specified as part of the receiver endpoint's WSDL, in elements defined by the WS-Policy standard (the WS-SecurityPolicy assertions). The WSDL can state, for instance, that the certificates required for message-level security are to be included with the message itself.

The following is a sample WS-Security policy with signature and timestamp. Under the policy element you will find these assertions in the WSDL:

AsymmetricBinding: specifies the use of asymmetric keys (X.509 certificates) for signing and encryption, with separate initiator and recipient tokens.

IncludeTimestamp: requires every message to carry a timestamp, adding freshness so that old messages can be rejected and replay is limited to the validity window.

X509Token: indicates that an X.509 certificate is used for the message signature.

AlgorithmSuite: specifies the algorithm suite, here Basic256Sha256 (SHA-256 digests, AES-256 encryption and RSA-OAEP key transport). Prefer it over the older Basic256 suite, which still uses SHA-1 digests.

The other option is Via Manual Configuration in Channel: the security settings are configured manually in the channel. The fields WS-Security Type, Public Key Alias for Encryption, Layout, Algorithm Suite Assertion, Initiator Token and Recipient Token are enabled only if Via Manual Configuration in Channel is selected for WS-Security Configuration.

Signature

SOAP messages are signed with a private key, and the recipient verifies the signature with the corresponding public key. The signature ensures the integrity and authenticity of the message and makes tampering detectable. X.509 certificates are typically used for signing because they bind the public key to a specific entity.

To provide this protection, SOAP Axis uses XML Signature and supports algorithms such as RSA with SHA-256.

In SAP Process Orchestration, navigate to Certificates and Keys: Key Storage.

Add a Key Storage View and click Import Entry to import your private key into the keystore of SAP Process Orchestration.

Then configure the module in the Module tab of the SOAP Receiver Communication Channel as follows.

Use the Key Storage View name as the value of the crypto.view parameter and the name of the private key entry as the value of the user parameter.

In SAP Integration Suite, create a key pair in the Keystore.

Then enter the alias of the key pair in the field Private Key Alias for Signing.

The message is then digitally signed with the X.509 certificate. The certificate is included Base64-encoded in the <wsse:BinarySecurityToken> element and referenced from the <ds:KeyInfo> of the signature, so the receiver can locate the verification key without an out-of-band lookup.

The following is the response message with the <wsse:BinarySecurityToken> element when message signing is enabled and configured in SAP Process Integration or SAP Integration Suite.

Timestamp 

The WS-Security timestamp (wsu:Timestamp with Created and Expires) declares the window in which a message is valid, and the receiver processes the message only inside that window. This bounds replay attacks to the window; rejecting a duplicate within the window still requires the receiver to remember what it has already accepted.

In SAP Process Orchestration, go to the SOAP Receiver and switch to the Module tab. Set the action of the sign module to Timestamp Signature so that both the timestamp and its signature are enabled, then add the additional parameters for finer control.

 

Parameter Name | Parameter Value
action | Timestamp Signature
com.sap.security.core.wssec.timestamp | true
com.sap.security.core.wssec.timestamp.timeToLive | 300

Note: the value 300 is the time to live, i.e. the validity period of the timestamp in seconds.

With this configuration you will see a wsu:Timestamp element in the security header of the message.

In SAP Integration Suite, go to the WS-Security tab of the SOAP adapter configuration.

If you select the timestamp checkbox and a Request-Response pattern is configured, the following timestamp is expected in your SOAP response structure.
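The timestamp handling described above, as an added example that is not code from the original post or from SAP: it builds a wsu:Timestamp with the same time-to-live semantics as the PO parameter com.sap.security.core.wssec.timestamp.timeToLive=300, validates one against a receiver's clock with an allowed skew, and adds the duplicate check a timestamp alone does not give you. Standard library only; the sample header, dates and the 60-second skew are constructed values, not taken from any SAP system.

```python
"""Added example, not code from the original post or from SAP: build a
wsu:Timestamp with a time to live (seconds), validate one the way a receiver
should, and reject a replay inside the window. Standard library only;
sample values are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ET.register_namespace("wsu", WSU)
ET.register_namespace("wsse", WSSE)
TS_TAG = f"{{{WSU}}}Timestamp"


def _parse_utc(value):
    """WS-Security dateTime values are UTC with a trailing Z, optionally with fractional seconds."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError("timestamp must be UTC (trailing Z)")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def _fmt_utc(moment):
    return moment.strftime("%Y-%m-%dT%H:%M:%S.") + f"{moment.microsecond // 1000:03d}Z"


def build_timestamp(created_iso, time_to_live=300, wsu_id="TS-1"):
    """Return a wsu:Timestamp (as XML text) valid for time_to_live seconds from created_iso."""
    created = _parse_utc(created_iso)
    ts = ET.Element(TS_TAG, {f"{{{WSU}}}Id": wsu_id})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = _fmt_utc(created)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = _fmt_utc(created + timedelta(seconds=time_to_live))
    return ET.tostring(ts, encoding="unicode")


def _find_timestamp(xml_text):
    root = ET.fromstring(xml_text)
    return root if root.tag == TS_TAG else root.find(f".//{TS_TAG}")


def validate_timestamp(xml_text, now_iso, max_skew=60, max_ttl=300):
    """Return (ok, reason). xml_text may be a whole wsse:Security header or a bare wsu:Timestamp."""
    now = _parse_utc(now_iso)
    ts = _find_timestamp(xml_text)
    if ts is None:
        return False, "no wsu:Timestamp present"
    created_el = ts.find(f"{{{WSU}}}Created")
    if created_el is None:
        return False, "Created is mandatory"
    created = _parse_utc(created_el.text)
    if created > now + timedelta(seconds=max_skew):
        return False, "Created lies in the future beyond the allowed clock skew"
    expires_el = ts.find(f"{{{WSU}}}Expires")
    if expires_el is None:
        expires = created + timedelta(seconds=max_ttl)  # Expires is optional: apply our own ttl
    else:
        expires = _parse_utc(expires_el.text)
        if expires <= created:
            return False, "Expires must be after Created"
        if expires - created > timedelta(seconds=max_ttl):
            return False, "sender asked for a longer window than local policy allows"
    if now > expires + timedelta(seconds=max_skew):
        return False, "timestamp expired"
    return True, "fresh"


class ReplayGuard:
    """A timestamp only bounds the replay window. To reject the same message
    replayed inside that window the receiver must remember what it accepted."""

    def __init__(self, max_skew=60, max_ttl=300):
        self.max_skew, self.max_ttl = max_skew, max_ttl
        self._seen = {}  # (wsu:Id, Created) -> moment after which the entry can be forgotten

    def accept(self, xml_text, now_iso):
        ok, reason = validate_timestamp(xml_text, now_iso, self.max_skew, self.max_ttl)
        if not ok:
            return False, reason
        now = _parse_utc(now_iso)
        ts = _find_timestamp(xml_text)
        key = (ts.get(f"{{{WSU}}}Id"), ts.find(f"{{{WSU}}}Created").text)
        # Forget entries whose window plus skew has closed, so the cache stays bounded.
        self._seen = {k: t for k, t in self._seen.items() if t > now}
        if key in self._seen:
            return False, "replayed: same timestamp already accepted"
        self._seen[key] = now + timedelta(seconds=self.max_ttl + self.max_skew)
        return True, reason


# Constructed sample header, shaped like what a sender with timeToLive=300 emits.
SAMPLE_HEADER = (
    f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
    + build_timestamp("2024-05-01T10:00:00Z", 300)
    + "</wsse:Security>"
)

if __name__ == "__main__":
    print(validate_timestamp(SAMPLE_HEADER, "2024-05-01T10:02:00Z"))
    print(validate_timestamp(SAMPLE_HEADER, "2024-05-01T10:07:00Z"))
    guard = ReplayGuard()
    print(guard.accept(SAMPLE_HEADER, "2024-05-01T10:01:00Z"))
    print(guard.accept(SAMPLE_HEADER, "2024-05-01T10:01:30Z"))
```

The cap on the requested window (max_ttl) matters in practice: a sender that emits Expires far in the future would otherwise widen the replay window unilaterally, so the receiver enforces its own limit regardless of what the message claims.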

Receiver is Basic Security Profile Compliant

If you select Receiver is Basic Security Profile Compliant, the policy relies on UsernameToken for simple authentication, IncludeTimestamp for replay protection and OnlySignEntireHeadersAndBody for message integrity; together these assertions make the WSDL configuration compliant with the WS-I Basic Security Profile requirements.
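A policy lint for the assertions discussed in the two passages above (the AsymmetricBinding, IncludeTimestamp, X509Token and AlgorithmSuite assertions of the policy-in-WSDL option, and the three assertions named for the Basic Security Profile option), as an added example that is not code from the original post or from SAP. It parses a WS-SecurityPolicy fragment and reports the weak or missing settings a migration review would want flagged; the two sample policies are constructed for the example and are not taken from any real WSDL.

```python
"""Added example, not code from the original post or from SAP: lint the
WS-SecurityPolicy assertions a receiver WSDL advertises. Standard library only;
the sample policies below are constructed."""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # WS-SecurityPolicy 1.2
WSP = "http://www.w3.org/ns/ws-policy"                              # WS-Policy 1.5

# All suite names WS-SecurityPolicy defines: base x {"", "Sha256"} x {"", "Rsa15"}.
ALGORITHM_SUITES = {
    base + sha + rsa
    for base in ("Basic256", "Basic192", "Basic128", "TripleDes")
    for sha in ("", "Sha256")
    for rsa in ("", "Rsa15")
}
TOKEN_ASSERTIONS = {"X509Token", "UsernameToken", "SamlToken", "KerberosToken",
                    "IssuedToken", "SecureConversationToken", "HttpsToken"}
BSP_ASSERTIONS = ("UsernameToken", "IncludeTimestamp", "OnlySignEntireHeadersAndBody")


def _local(tag):
    """Compare by local name so WS-SecurityPolicy 1.1 and 1.2 namespaces both work."""
    return tag.rsplit("}", 1)[-1]


def lint_policy(policy_xml):
    """Return the detected suite, token assertions, BSP readiness and a list of findings."""
    root = ET.fromstring(policy_xml)
    present = {_local(e.tag) for e in root.iter()}
    suite = next((name for name in present if name in ALGORITHM_SUITES), None)
    findings = []
    if not present & {"AsymmetricBinding", "SymmetricBinding", "TransportBinding"}:
        findings.append("no security binding assertion: nothing states how the message is protected")
    if "IncludeTimestamp" not in present:
        findings.append("IncludeTimestamp missing: no freshness window, replays are not bounded")
    if "OnlySignEntireHeadersAndBody" not in present:
        findings.append("OnlySignEntireHeadersAndBody missing: signatures over sub-elements are "
                        "allowed, which is what XML signature wrapping relies on")
    if suite is None:
        findings.append("no recognised AlgorithmSuite assertion")
    else:
        if "Sha256" not in suite:
            findings.append(f"{suite} uses SHA-1 digests; use the corresponding *Sha256 suite")
        if suite.endswith("Rsa15"):
            findings.append(f"{suite} uses RSA PKCS#1 v1.5 key transport; prefer an RSA-OAEP suite")
    if not present & TOKEN_ASSERTIONS:
        findings.append("no token assertion (for example X509Token or UsernameToken)")
    return {
        "suite": suite,
        "tokens": sorted(present & TOKEN_ASSERTIONS),
        "bsp_assertions_present": all(a in present for a in BSP_ASSERTIONS),
        "findings": findings,
    }


# Constructed policy with the assertions the post describes (signature plus timestamp).
SIGNED_WITH_TIMESTAMP = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy>
      <sp:X509Token sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
        <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
    </wsp:Policy></sp:InitiatorToken>
    <sp:RecipientToken><wsp:Policy>
      <sp:X509Token sp:IncludeToken="{SP}/IncludeToken/Never">
        <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
    </wsp:Policy></sp:RecipientToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
    <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
    <sp:IncludeTimestamp/>
    <sp:OnlySignEntireHeadersAndBody/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
</wsp:Policy>"""

# Constructed weaker policy: SHA-1 suite with RSA-1.5 key transport, no timestamp,
# partial signatures allowed, plus a UsernameToken as supporting token.
LEGACY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
    <sp:RecipientToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:RecipientToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Rsa15/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
</wsp:Policy>"""

if __name__ == "__main__":
    for name, policy in (("signed+timestamp", SIGNED_WITH_TIMESTAMP), ("legacy", LEGACY)):
        print(name, lint_policy(policy))
```

Matching on local names rather than a fixed namespace is deliberate: WSDLs in the field still mix WS-SecurityPolicy 1.1 and 1.2 and WS-Policy 1.2 and 1.5 namespaces, and a lint that silently finds nothing because of a namespace mismatch is worse than none.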

Encryption 

In SAP PI/PO, specify the keystore from which the public key for encrypting the message is taken, and make sure the receiver's certificate is present in that keystore.

Then configure the SOAP Receiver Communication Channel with the encrypt module as follows.

In SAP Integration Suite, SOAP Axis supports message encryption of the content with algorithms such as AES, and encryption can also be driven by the policy in the WSDL. Specify the alias of the public key used for encryption: the receiver's (WS provider's) public key encrypts the request message that is sent to the receiver.

Obtain the receiver's public certificate and upload it into the Integration Suite tenant keystore.

Enter its alias in the field Public Key Alias for Encryption of the SOAP receiver WS-Security configuration (this field is only enabled if the option Sign and Encrypt Message is selected).

If a Request-Response pattern is configured, the response is likewise expected to carry the encrypted content, encrypted with the public key of the party that receives the response, so that only the holder of the matching private key can decrypt it.

With the configuration above, the response payload contains the encryption element, ensuring that only the recipient with the corresponding private key can decrypt and read the message content. Also make sure that the public certificate the WS provider uses to sign the response is imported into the keystore; otherwise signature verification fails with the WSSE error "The security token could not be authenticated or authorized" in Integration Suite, as described in the referenced SAP Note.
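The keystore check behind that error, as an added example that is not code from the original post or from SAP; it also illustrates the BinarySecurityToken and KeyInfo reference described in the Signature section above. Before any signature math, a verifier resolves the token that ds:KeyInfo points at (a direct reference to a <wsse:BinarySecurityToken> in the header, or a thumbprint of a certificate that must already be local) and checks that the certificate is in the keystore. Standard library only; the keystore contents, aliases and the response header are constructed placeholders (real entries would be DER certificates, the output of openssl x509 -outform DER), and the XML-DSig verification itself, which a library such as xmlsec performs, is out of scope here.

```python
"""Added example, not code from the original post or from SAP: resolve the
signing token of a WS-Security response against a local keystore and fail the
way the quoted WSSE error does when the certificate was never imported.
Standard library only; keystore and header contents are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
THUMB_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"


def _q(ns, tag):
    return f"{{{ns}}}{tag}"


class TokenNotTrusted(Exception):
    """The condition the post quotes as 'The security token could not be authenticated or authorized'."""


# Constructed stand-in for the tenant keystore: alias -> DER certificate bytes (placeholders).
KEYSTORE = {
    "ws-provider-sign": b"constructed placeholder for the provider's signing certificate",
    "ws-provider-enc": b"constructed placeholder for the provider's encryption certificate",
}


def resolve_signing_token(security_xml, keystore=KEYSTORE):
    """Return the keystore alias of the certificate ds:KeyInfo refers to, or raise TokenNotTrusted."""
    root = ET.fromstring(security_xml)
    sig = root.find(f".//{_q(DS, 'Signature')}")
    if sig is None:
        raise TokenNotTrusted("response carries no ds:Signature")
    str_el = sig.find(f"{_q(DS, 'KeyInfo')}/{_q(WSSE, 'SecurityTokenReference')}")
    if str_el is None:
        raise TokenNotTrusted("KeyInfo has no SecurityTokenReference")

    ref = str_el.find(_q(WSSE, "Reference"))
    kid = str_el.find(_q(WSSE, "KeyIdentifier"))
    if ref is not None:
        # Direct reference: URI="#id" must resolve to a BinarySecurityToken in this header.
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise TokenNotTrusted(f"only same-document references are supported, got {uri!r}")
        bst = next((b for b in root.iter(_q(WSSE, "BinarySecurityToken"))
                    if b.get(_q(WSU, "Id")) == uri[1:]), None)
        if bst is None:
            raise TokenNotTrusted(f"{uri} does not resolve to a BinarySecurityToken")
        if bst.get("ValueType") != X509V3 or bst.get("EncodingType") != B64:
            raise TokenNotTrusted("BinarySecurityToken is not a Base64-encoded X509v3 certificate")
        wanted = base64.b64decode(bst.text.strip())

        def matches(cert):
            return cert == wanted
    elif kid is not None and kid.get("ValueType") == THUMB_SHA1:
        # Indirect reference: only the SHA-1 thumbprint travels, so the cert must already be local.
        thumb = base64.b64decode(kid.text.strip())

        def matches(cert):
            return hashlib.sha1(cert).digest() == thumb
    else:
        raise TokenNotTrusted("unsupported SecurityTokenReference form")

    for alias, cert in keystore.items():
        if matches(cert):
            return alias
    raise TokenNotTrusted("The security token could not be authenticated or authorized: "
                          "signing certificate is not in the keystore")


def is_trusted(security_xml, keystore=KEYSTORE):
    try:
        resolve_signing_token(security_xml, keystore)
        return True
    except TokenNotTrusted:
        return False


def sample_response_header(cert_der, style="direct"):
    """Constructed signed-response header (not a real SAP message) referencing cert_der
    either directly via BinarySecurityToken or by SHA-1 thumbprint."""
    if style == "direct":
        token = (f'<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}" '
                 f'EncodingType="{B64}">{base64.b64encode(cert_der).decode()}</wsse:BinarySecurityToken>')
        str_body = f'<wsse:Reference URI="#X509-1" ValueType="{X509V3}"/>'
    else:
        token = ""
        thumb = base64.b64encode(hashlib.sha1(cert_der).digest()).decode()
        str_body = (f'<wsse:KeyIdentifier ValueType="{THUMB_SHA1}" EncodingType="{B64}">'
                    f'{thumb}</wsse:KeyIdentifier>')
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">{token}'
            '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>'
            f'<ds:KeyInfo><wsse:SecurityTokenReference>{str_body}</wsse:SecurityTokenReference>'
            '</ds:KeyInfo></ds:Signature></wsse:Security>')


if __name__ == "__main__":
    print(resolve_signing_token(sample_response_header(KEYSTORE["ws-provider-sign"])))
    print(is_trusted(sample_response_header(b"certificate the tenant never imported")))
```

The direct-reference branch deliberately refuses to trust a certificate just because it arrived inside the message: the BinarySecurityToken is compared against the keystore, which is exactly why importing the provider's signing certificate into the tenant keystore is a prerequisite and not an optional step.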

Summary

In this blog we explored the migration of the WS-Security features message signing, timestamping and encryption. I hope the side-by-side comparison helps you understand the key aspects of implementing WS-Security and lets you migrate SOAP Axis (WS-Security) from SAP Process Orchestration (PO) to Cloud Integration (CI) smoothly.
