How real is it to secure web services in SAP Netweaver today? by Wallace Su

June 21st, 2006

Wallace Su SAP Employee
Company: SAP Labs
Posted on May. 17, 2006 09:24 AM in Application Server, SAP Exchange Infrastructure (XI), Interoperability .NET


Needless to say, security is one of the important factors in making web services ubiquitous both within and beyond your enterprise boundaries. There exists a myriad of WS security standards, either approved or in the works by the standards bodies, and SAP is behind every one of them (see OASIS Web Services Security (WSS) TC). But their basic goal is to enable applications to exchange SOAP messages securely. Specifically, the standards define security tokens that can be used to authenticate SOAP messages and maintain message integrity and confidentiality. These include the Username Token, X.509 Token, Kerberos Token, etc.

Despite the large number of standards produced in the WS-security area, several questions remain unclear to me. How available are these standards in SAP Netweaver? And does the NW user community know how to take advantage of these advanced capabilities? What about interoperability with similar implementations on other platforms, such as Microsoft’s WSE and Indigo?

It seems like most web services practitioners are not yet there today, from what I found out. Many implementations are either using non-secure SOAP over HTTP, or using transport security over HTTPS. But this may not be sufficient in today’s world of stricter compliance requirements. Imagine a .NET client program that accesses ERP functionality through XI using web services. How does the application ensure end-to-end security? How does it keep track of the access record of the .NET user? There are SAP proprietary ways to secure applications, such as using SSO tickets or SNC. But in a world of more standards, I wanted to learn how well NW does it.

I tried to find out what NW 04 provides in terms of supporting WS-security and how well it works with WSE 3.0 in one of my projects. To my dismay, I was not able to get the XI SOAP adapter to work using X.509 for signatures. I turned to WebAS Java instead, since there is a great article on SDN on how to make this work. Although I was finally able to make my WebAS Java programs talk to WSE 3.0 programs securely, there are many limitations and gotchas in my findings. I plan to share those details with you in a separate article.

Overall, support for WS-security in NW 04 is limited and also little known to the NW community, in my experience. There are issues when it comes to exchanging secure SOAP messages with other Web Services platforms such as Microsoft’s. The great news I heard is that many of these issues are being addressed in NW development and will be incorporated in future NW releases.

Wallace Su is a Solution Architect for Netweaver Platform Ecosystem at SAP Labs Palo Alto.

Entry Filed under: SAP Articles

