Recently I received a task to digital sign outgoing XML Invoice. That is not a problem at all - you can do this easily in SOAP adapter as adapter module. But my assignment had restriction, that because that XML was processed by ccBPM (in XI 7.0) - that signing had to be done in mapping - not in adapter.
I have spent few days to crack this problem, but finally - with extensive help of scn.sap.com - I was successful.
I developed java mapping and for signing itself I used Apache Santuario -- Index library - but because I was on SAP XI 7.0 - I had to use old version for java 1.4.2. Actual version in java 1.4 branch is Apache Download Mirrors.
Also - before you can start - you have to get XI jar libraries from your system. You have two options - ask some basis person to gather those files for you or you can use that excellent ABAP report - but because you need also jar libraries from different paths - you need to modify slightly modify that report. I strongly recommend to see that wiki page to know more about getting those jars - Where to get the libraries for XI development - Process Integration - SCN Wiki
So what jar libraries do we need?
| library name | where to get it |
|---|---|
| aii_af_trace.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ext/ |
| aii_map_api.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/apps/sap.com/com.sap.xi.services |
| aii_utilxi_misc.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ext/ |
| commons-logging-1.1.jar | Apache Santuario |
| keystore_api.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/ interfaces/keystore_api/keystore_api.jar |
| keystore.jar | /usr/sap/<SID>/DVEBMGS<nr>/j2ee/cluster/server0/bin/services/keystore/keystore.jar |
| xmlsec-1.4.8.jar | Apache Santuario |
So if you have downloaded Apache Santuario, get SAP NWDS running and have all these libraries we can start with java mapping.
- start NWDS and create new java project.
![jm1.PNG]()
- Add all needed libraries into project
![jm2.PNG]()
- Create new java class XMLSignMapping which extends DefaultHandler and implements StreamTransformation. This class (or interface which it is implementing) contains two methods:
- execute - this is method which system will call in mapping process - all logic comes here
- setParameter - method to work with container
- Create new java class XIKeystoreAccessor - this will be utility class to which will contain logic to work with Keystore. You can find content of this class as attachment.
- Create new java class TraceUtil - utility for logging - content as attachment
- I had to resolve few issues with Apache Santuario library due to bugs in it - so I had to add new package into the project org.apache.xml.security.resource and add xmlsecurity_en_US.properties and xmlsecurity.properties into it. xmlsecurity.properties is just renamed xmlsecurity_en_US.properties which you can find in xmlsecurity.jar library
- If you created these 3 classes and added content into them - create jar file from project
![jm4.PNG]()
- Upload that jar and two jars from Apache Santuario project into XI as external library and add XMLSingMapping as a java mapping class into interface mapping - you can find more on java mappings here - Java Mapping in SAP PI / XI – Step-by-step example » Techplay
When I worked on this problem - I have found, that there is no complete guide how to access KeyStore and digitally sign XML from mapping. So I hope that this blog post will help somebody to not spent a lot of hours on implementing signing as I did 
Aloha !