During a project I needed to make a call from an SAP ECC 6 system towards an external web service. This external web service was secured with WS-Security X509 Token profile. So the payload had to be digitally signed. With no integration platform yet available, I intended to make a direct call from the SAP back-end system. But this really proved to be impossible. Getting keys and certificates into an SAP system is always a challenge, but configuration of the WS-Security in SAP’s SOAManager is actually quite trivial.
But things did not work out: a real showstopper became the Metering info that was present in each and every outbound call. As of Support Pack 17 of SAP NetWeaver 7.0, the element <CallerInformation> is present in the SOAP header of each outbound SOAP request. Purpose of this element is to gather service metering and transfer it to the service provider.
<CallerInformation wsu:Id="part-CallerInformation-2" xmlns="http://www.sap.com/webas/712/soap/features/runtime/metering/">
  <m:Type xmlns:m="http://www.sap.com/webas/712/soap/features/runtime/metering/">SA</m:Type>
  <m:App xmlns:m="http://www.sap.com/webas/712/soap/features/runtime/metering/"/>
  <m:Component xmlns:m="http://www.sap.com/webas/712/soap/features/runtime/metering/"/>
</CallerInformation>
</soap-env:Header>
And the bad news is: you cannot get rid of this Metering information, as clearly documented by SAP Support (SAP note 1239428). The only workaround is to forward the information in the URL of the HTTP call. But in my case, the well-secured web service rightfully refused to accept the web service call with all these extra parameters in the URL.
So SAP has implemented a proprietary and incompatible “feature”. Why can’t it be switched off?
Is this a trick of SAP to enforce the use of SAP PI/PO? Obviously any ESB can remove this ugly SOAP header.