RosettaNet RNIF Adapters

The RNIF adapters enable the execution of business transactions between RosettaNet trading partners based on PIP® specifications.

The adapters implement the transport, packaging, and routing of RosettaNet business messages and signals as defined in the RosettaNet Implementation Framework versions 1.1 and 2.0 (for more information, see rosettanet.org).

The supported transport protocols are HTTP and HTTPS. With HTTPS, client authentication is possible for both the sender party and the receiver party.

The adapters support the security functions of the RNIF business transaction dialog: confidentiality, authentication, authorization, and non-repudiation (see Message-Level Security). However, the RNIF versions 1.1 and 2.0 differ in the level of confidentiality provided by the specifications. Message-level encryption is possible only with the RNIF 2.0 adapter.

The RNIF 1.1 adapter supports detached signatures on the basis of the PKCS#7 specification and the RNIF 1.1 transport bindings. The transport bindings are based on the Open Buying on the Internet (OBI) standards as defined by RNIF 1.1.

The RNIF 2.0 adapter supports encryption and detached signatures on the basis of the S/MIME version 2 specification. The adapter supports service-content-level encryption and service-container-level encryption.

The validation of signatures and trustworthiness of the associated public key can be based on a hierarchical trust model or a direct trust model. The hierarchical trust model is restricted to certificates directly signed by a root CA. There is no support for handling of certificate revocation lists.
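The two trust models described above can be checked against a partner certificate before it is imported. The following is an added example using the OpenSSL command line, not SAP code; the function names, file names and the constructed test PKI are assumptions of the example, and revocation is not checked, matching the limitation stated above.

```bash
#!/usr/bin/env bash
# Added example. Function names, file names and the sample PKI are assumptions.

fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }

# classify_cert <partner.pem> <root_ca.pem> [locally_held_copy.pem]
# Prints hierarchical, direct or untrusted.
classify_cert() {
  cert=$1; root=$2; pinned=${3:-}
  # Hierarchical model as the page restricts it: only the root is supplied, no
  # intermediates, so the certificate passes only if the root CA issued it directly.
  if openssl verify -no-CApath -CAfile "$root" "$cert" >/dev/null 2>&1; then
    echo hierarchical; return 0
  fi
  # Direct trust: same SHA-256 fingerprint as a copy already held locally.
  # An empty fingerprint (unreadable file) must never count as a match.
  if [ -n "$pinned" ] && f=$(fp "$cert") && [ -n "$f" ] && [ "$f" = "$(fp "$pinned")" ]; then
    echo direct; return 0
  fi
  echo untrusted
}

# Constructed test PKI: root -> partner_a, and root -> intermediate -> partner_b.
make_samples() {
  d=$1
  issue() {  # issue <subject> <issuer> <serial> <CA:TRUE|CA:FALSE>
    printf 'basicConstraints=%s\n' "$4" > "$d/ext.cnf"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
      -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
      -set_serial "$3" -days 1 -extfile "$d/ext.cnf" -out "$d/$1.pem" 2>/dev/null
  }
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=root" -days 1 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  issue partner_a root 2 CA:FALSE
  issue intermediate root 3 CA:TRUE
  issue partner_b intermediate 4 CA:FALSE
}

tmp=$(mktemp -d) && make_samples "$tmp"
classify_cert "$tmp/partner_a.pem" "$tmp/root.pem"                       # hierarchical
classify_cert "$tmp/partner_b.pem" "$tmp/root.pem"                       # untrusted
classify_cert "$tmp/partner_b.pem" "$tmp/root.pem" "$tmp/partner_b.pem"  # direct
rm -rf "$tmp"
```

A partner certificate issued through an intermediate CA is reported as untrusted under the hierarchical check, so it has to be handled through direct trust.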

The adapter supports non-repudiation of origin and content as well as non-repudiation of receipt. For more information, see the details on accessing the non-repudiation archive.

Each PIP® specification recommends applying particular security measures. These are also reflected in the channel templates for each PIP in the business package. When setting up the trading partner agreement with your business partner, SAP recommends that you adhere to the security settings in the PIP specification.

The following table summarizes the security-relevant aspects of the RNIF 1.1 adapter:

| Aspect | RNIF 1.1 Adapter |
| --- | --- |
| Underlying protocol | HTTP. Inbound and outbound connections should be secured by SSL (client authentication is possible). |
| Inbound configuration | Configuration in sender channel of type RNIF11 in the Integration Directory. The actual message-level security options are configured in the channel in the Security Policy block. The J2EE keystore views of the actual certificates for decryption, signature validation, and signing of receipts are configured in the sender agreement associated with the channel. Messaging user must have role SAP_XI_APPL_SERV_USER on Integration Server. User credentials for PIP signals back to the sender can be configured. |
| Outbound configuration | Configuration in receiver channel of type RNIF11 in the Integration Directory. The actual message-level security options are configured in the channel in the Security Policy block. The J2EE keystore views of the actual certificates for signing and signature validation of receipts are configured in the receiver agreement associated with the channel. User authentication and anonymous logon to receiver system are possible. If authenticated, user must have appropriate authorizations in the receiver system. |

The following table summarizes the security-relevant aspects of the RNIF 2.0 adapter:

| Aspect | RNIF 2.0 Adapter |
| --- | --- |
| Underlying protocol | HTTP. Inbound and outbound connections should be secured by SSL (client authentication is possible). |
| Inbound configuration | Configuration in sender channel of type RNIF in the Integration Directory. The actual message-level security options are configured in the channel in the Security Policy block. The J2EE keystore views of the actual certificates for decryption, signature validation, and signing of receipts are configured in the sender agreement associated with the channel. Messaging user must have role SAP_XI_APPL_SERV_USER on Integration Server. User credentials for PIP signals back to the sender can be configured. |
| Outbound configuration | Configuration in receiver channel of type RNIF in the Integration Directory. The actual message-level security options are configured in the channel in the Security Policy block. The J2EE keystore views of the actual certificates for encryption, signing, and signature validation of receipts are configured in the receiver agreement associated with the channel. User authentication and anonymous logon to receiver system are possible. If authenticated, user must have appropriate authorizations in the receiver system. |

For a detailed description of how to configure SSL for the Adapter Engine, see HTTP and SSL.

For the J2EE configuration, see Security Configuration at Message Level.

For a description of the possible security features, see Message-Level Security.