Tag: Business-to-Business (B2B)

Solutions, best practices and tips for Business-to-Business (B2B) communication. The posts are focused on the B2B addon, which is available for SAP Process Integration and SAP Process Orchestration.

Peer certificate rejected by ChainVerifier

Scenario

In a scenario with an SSL-encrypted (HTTPS) SOAP target URL in the SOAP receiver channel, the message goes into an error state.

Error

The following error is shown in the Message Log in PIMON:

SOAP: Call failed: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Solution

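The SSL certificate of the target server needs to be imported into PI's keystore. Importing it makes PI trust that certificate, so before you import it, confirm with the operator of the target server that it is really theirs (for example by comparing fingerprints).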

Download the certificate from the target server
  1. Open the target URL in Chrome (or any other browser)
  2. Open the developer tools by clicking on the three dots -> More Tools -> Developer Tools (shortcut Ctrl + Shift + I)

    Chrome: Open developer tools
  3. Go to the “Security” tab and click on “View certificate”
  4. Go to the “Details” tab and click on the “Copy to file” button
  5. Click on the “Next” button and select “DER encoded binary X.509 (.CER)”

    Download Certificate
  6. Click on the “Next” button and select a destination on your local PC

Import certificate into keystore
  1. Open the NetWeaver Administrator (http://your.pi:port/nwa)
  2. Go to Configuration -> Security -> Certificates and Keys
  3. Select the “Trusted CAs” view and click on “Import Entry”
  4. Select entry type “X.509 Certificate”, enter the path to the certificate you downloaded before and click on “Import”

    Certificates and Keys: Import entry
  5. Resend your message

If your error is not resolved, open the certificate again and click on the certification path. Afterwards, double-click the first and second certificate (one after the other), save them and also import them into the “Trusted CAs” view.

Unique Filenames with AS2 Communication Channel

During the implementation of multiple AS2 interfaces, I found myself very often in a situation where the communication partner expected unique AS2 filenames. Unfortunately, if you leave the filename parameter in an AS2 Receiver Communication Channel (CC) blank, the filename will always be your PI's system name. In case you enter a value like “Invoice”, the filename will always be set to “Invoice”.

Solution:

  1. You can use a dynamic configuration to generate unique filenames. Just add a UDF to your message mapping which sets the property “AS2Filename” in the namespace “http://sap.com/xi/XI/AS2/AS2”. Also, do not forget to enable the checkbox “Respect parameters” in the AS2 Communication Channel's configuration.
  2. If you want to generate random, unique filenames only, a dynamic configuration feels like too much effort. Fortunately, there is an easier way to generate unique filenames. Just put “%MSGID” into the “Filename” parameter of your AS2 Receiver Communication Channel. The placeholder will be replaced with PI's message ID, which should be unique. Additionally, it is possible to combine the placeholder with static text like “%MSGID.xml”.
    MSGID placeholder in filename parameter in AS2 Receiver Communication Channel

    Be aware that if your message fails, the filename will be the same on every attempt to resend the message. Luckily, there are more placeholders available:

    Placeholder   Description
    %SEQNUM       A sequence number, starting with 1
    %RTSEQNUM     A server wide sequence number, starting with 1
    %START        The start time of the adapter
    %TIME         The archiving period in milliseconds
    %MSGID        The XI message ID

If you would like to find out more about the AS2 Adapter, check out the SAP Documentation.

Filter for Filename or Subject in AS2 Sender Communication Channel

In a current project we had the demand to send XML files from a Windows server to an SAP ERP system via SAP PO. As an additional requirement, the files should be signed and an acknowledgment should be sent back to the sender system. Therefore, we decided against the classical (S)FTP(S) and for AS2, as signature and Message Delivery Notifications (MDN) are firm elements of the AS2 specification. With mendelson AS2 there is an excellent tool available, which grabs files out of a directory and sends them to an AS2 receiver, in this case SAP PO.
Unfortunately, XML files with different data structures (Receipts, Orders, Invoices, …) were stored in the same directory and therefore sent to the same URL. As the filenames looked like “Order_xxxxxxx.xml” and “Invoice_xxxxxxxx.xml”, we looked for a way to separate the different files on SAP PI.

Filter for AS2 filename on SAP Process Orchestration / Process Integration

The AS2 Sender communication channel is not able to filter for a filename schema, hence you would receive all the different files with one AS2 Sender Communication Channel and route them through one Integrated Configuration (ICO). There are multiple ways to handle this:

  • You could use the EDI Separator to filter the files in a second step, but I highly recommend against using the EDI Separator in XML scenarios.
  • The filename is available as a dynamic configuration attribute and can be used as a condition in an ICO.

    AS2Filename as condition in an Integrated Configuration
  • If the structure of the XML files is different, you can use an exists check as a condition in your ICO.

    Check for an XPath in the condition of an ICO

Separating the different files with conditions in the ICO is possible, but bad practice. You have to use a dummy Sender Interface, as the data can have different structures. As a result, the selection of an Operation Mapping and the PI checks won't work. Fortunately, with mendelson AS2 it is possible to use the filename as subject. Just open the Partner configuration and type “${filename}” into the Payload Subject field.

Configure mendelson AS2 to use the filename as subject

Filter for AS2 subject on SAP Process Orchestration / Process Integration

A great feature of the AS2 Sender Communication Channel is that you can use regular expressions for the different expected values, like the subject. If you would like to receive only AS2 messages with a subject starting with “Order_”, you can simply use “Order_.*”.

Regular Expressions in AS2 Sender Communication Channel

The dot matches any character and the asterisk means zero or more occurrences of the preceding element. To learn more about regular expressions or to test your regular expression, the page regex101.com is a good place to start.
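Before activating several sender channels that differ only in their subject pattern, it helps to check that every expected subject lands in exactly one of them. The following is an added example, not part of the original post: the channel names, the sample subjects and the loose second configuration are constructed, and it assumes the channel compares the pattern against the whole subject (which is how “Order_.*” selects subjects starting with “Order_”).

```python
import re

# Constructed configuration: channel name -> subject pattern (names are assumptions).
CHANNELS = {"CC_AS2_Order": r"Order_.*", "CC_AS2_Invoice": r"Invoice_.*"}

# Constructed counter-example: a leading ".*" makes the first pattern overlap the second.
LOOSE = {"CC_AS2_Order": r".*Order_.*", "CC_AS2_PreOrder": r"PreOrder_.*"}

# Constructed subjects, as mendelson AS2 would send them with ${filename}.
SAMPLES = ["Order_0000123.xml", "Invoice_00000456.xml",
           "Receipt_0000007.xml", "PreOrder_0000001.xml"]


def route(subject, channels=CHANNELS):
    """Return the names of all channels whose pattern matches the whole subject."""
    return sorted(name for name, pattern in channels.items()
                  if re.fullmatch(pattern, subject))


def audit(subjects, channels=CHANNELS):
    """Sort subjects into: routed to one channel, matched by none, matched by several."""
    report = {"routed": {}, "unmatched": [], "ambiguous": {}}
    for subject in subjects:
        hits = route(subject, channels)
        if len(hits) == 1:
            report["routed"][subject] = hits[0]
        elif not hits:
            report["unmatched"].append(subject)
        else:
            report["ambiguous"][subject] = hits
    return report


if __name__ == "__main__":
    print(audit(SAMPLES))            # Receipt_ and PreOrder_ subjects match no channel
    print(audit(SAMPLES, LOOSE))     # PreOrder_ subject matches two channels
    # An unescaped dot is a wildcard: "Order_.*.xml" also accepts "Order_1_xml".
    print(route("Order_1_xml", {"dot": r"Order_.*.xml", "escaped": r"Order_.*\.xml"}))
```

Subjects reported as unmatched or ambiguous are the ones to resolve with the partner or with a tighter pattern before going live.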

Generate WSDLs and decoded URLs for webservices

When creating an Interface with SAP Process Integration or SAP Process Orchestration which provides a webservice, you need the WSDL file or at least the URL of your webservice. Otherwise, your partner doesn’t know how to connect to your webservice.

Generate WSDL file

SAP PI and PO have a great feature to generate Web Services Description Language (WSDL) files for configurations with HTTP, XI, SOAP or WS Sender Communication Channels.

To generate a WSDL file:

  1. Open an Integrated Configuration (ICO) (or a Sender Agreement) in the Integration Builder, which is in status “Active”
  2. Click on “Integrated Configuration” in the top menu
  3. Click on “Display WSDL”

Detail view of Integrated Configuration (ICO) in Integration Directory (DIR)

A popup should open which displays the WSDL file and a URL to the WSDL file. Now, you can either download the file, use the URL to the WSDL file or directly get the information you need.

Get webservice URL

You can provide the whole WSDL file to your partner or just the URL. If you need the URL only, scroll to the end of the WSDL file. There you can find the HTTP and the HTTPS ports with the webservice URL in the location attribute of the address element. It looks like:

https://pisystem:50001/XISOAPAdapter/MessageServlet?senderParty=&senderService=service&receiverParty=&receiverService=&interface=SI_out&interfaceNamespace=urn%3Anamepspace

Display WSDL window – address section highlighted

Depending on your system configuration and your network structure, you may have to change the domain and port of your URL before you can provide it to your partner. In case there is a Web Application Firewall, a Web Dispatcher, a Reverse Proxy or something similar in place, you should ask your system administrator for the correct domain and port. If you are communicating over an unprotected network, like the internet, you should always use SSL encryption.

Decode webservice URL

Due to different implementations of URL processing, it is sometimes necessary to decode the URL provided in the WSDL file. For example, for the Chrome browser extension Boomerang you need to decode the URL before you can successfully connect to your webservice. If you do not know how your application handles URLs, you can test the normal and the decoded URL. With one of the two URLs you will get an error like this:

com.sap.aii.af.service.cpa.CPAObjectNotFoundException: Couldn’t retrieve inbound binding for the given P/S/A values: FP=;TP=;FS=null;TS=;AN=null;ANS=null;

To get the decoded URL, just paste your URL in the textbox below and click on the “Decode URL” button.
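The same lookup and decoding can be scripted against a downloaded WSDL file. The following is an added example, not part of the original post: it reads the address elements from a constructed WSDL fragment built around the URL shown above, marks which port uses HTTPS, and returns the decoded URL with its query parameters. The HTTP port number and the port and service names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, unquote

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

# Constructed WSDL tail. The HTTPS URL is the one shown above; the HTTP port
# (50000) and the port/service names are assumptions made for this example.
PATH = ("/XISOAPAdapter/MessageServlet?senderParty=&amp;senderService=service"
        "&amp;receiverParty=&amp;receiverService=&amp;interface=SI_out"
        "&amp;interfaceNamespace=urn%3Anamepspace")
WSDL = f"""<wsdl:definitions xmlns:wsdl="{NS['wsdl']}" xmlns:soap="{NS['soap']}">
  <wsdl:service name="SI_outService">
    <wsdl:port name="HTTP_Port">
      <soap:address location="http://pisystem:50000{PATH}"/>
    </wsdl:port>
    <wsdl:port name="HTTPS_Port">
      <soap:address location="https://pisystem:50001{PATH}"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def endpoints(wsdl_text):
    """Return (port name, location) for every soap:address in the WSDL."""
    root = ET.fromstring(wsdl_text)  # the XML parser turns &amp; back into &
    found = []
    for port in root.iter(f"{{{NS['wsdl']}}}port"):
        address = port.find("soap:address", NS)
        if address is not None:
            found.append((port.get("name"), address.get("location")))
    return found


def inspect_endpoint(url):
    """Decode one endpoint URL and list the values carried in its query string."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)  # keeps empty parties
    return {
        "tls": parts.scheme == "https",
        # Plain unquote is enough for this URL; it would be ambiguous if a
        # value itself contained an encoded '&' or '='.
        "decoded_url": unquote(url),
        "params": {name: values[0] for name, values in query.items()},
    }


if __name__ == "__main__":
    for name, location in endpoints(WSDL):
        info = inspect_endpoint(location)
        print(name, "TLS" if info["tls"] else "NO TLS", info["decoded_url"])
        print("  ", info["params"])
```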


If you are trying to reach the webservice in a browser you should see something like this:

Message Servlet is in Status OK

Status information:

Servlet com.sap.aii.adapter.soap.web.MessageServlet (Version $Id: //tc/xpi.adapters/NW731EXT_15_REL/src/_soap_application_web_module/webm/api/com/sap/aii/adapter/soap/web/MessageServlet.java#1 $) bound to /MessageServlet
Classname ModuleProcessor: null
Lookupname for localModuleProcessorLookupName: localejbs/ModuleProcessorBean
Lookupname for remoteModuleProcessorLookupName: null
ModuleProcessorClass not instantiated
ModuleProcessorLocal is Instance of com.sun.proxy.$Proxy523
ModuleProcessorRemote not instantiated

 

Error during MDN signature validation – email addresses do not match

Scenario

PI AS2 Receiver channel to Mendelson AS2 Server with synchronous Message Delivery Notification (MDN) back to PI with signature validation.

Error

In the message protocol of the PI message monitor (PIMON) as well as in B2B Integration Cockpit (B2BIC) the following error is thrown:

MDN message signature cannot be validated. Error is “Email address in singer certificate does not match the sender address. Signer email: [email1@email.com]. Sender email: [email2@email.com]..

Solution

The email address provided in Mendelson AS2 does not match the email address which was provided during creation of the certificate. During the validation of the MDN signature, PI compares both email addresses and throws the error. Either a new certificate has to be created or the email address in the Mendelson AS2 Partner configuration has to be adjusted.

Windows Certificate View
Mendelson AS2 Partner Profile Configuration