How To Fix WSS034 - Invalid algorithm (expected &1 &2 &3, received &4)

SAP Error Message:

WSS034 Invalid algorithm (expected &1 &2 &3, received &4)

Cause:
This error occurs in SAP's Web Services Security (WS-Security) processing when the cryptographic algorithm used in a received message does not match the expected algorithm(s) configured in the system.

The system expects certain signature or encryption algorithms (e.g., SHA-256, RSA-SHA1, AES256).
The incoming SOAP message or security token uses a different algorithm than those expected.
This mismatch can happen due to:

Configuration differences between the sender and receiver.
Changes in security policies or certificates.
Unsupported or deprecated algorithms being used.
Incorrect or missing algorithm identifiers in the WS-Security headers.




Explanation of the Message Parameters:

&1 &2 &3 — The list of expected algorithms (e.g., http://www.w3.org/2001/04/xmldsig-more#rsa-sha256).
&4 — The algorithm actually received in the message.


Solution:


Check the Expected Algorithms Configuration:

Review the WS-Security configuration in SAP NetWeaver or the relevant SAP system.
Go to the Web Service Security settings (e.g., via transaction STRUST, SOAMANAGER, or the Web Service configuration).
Verify which algorithms are configured as acceptable for signature and encryption.



Check the Sender's Algorithm:

Inspect the incoming SOAP message or security token.
Identify the algorithm URI used in the <ds:SignatureMethod> or <xenc:EncryptionMethod> elements.
Confirm if it matches one of the expected algorithms.



Align Algorithms:

If the sender uses an unsupported algorithm, request the sender to change to one of the expected algorithms.
Alternatively, update the SAP system configuration to accept the algorithm used by the sender, if it is secure and supported.



Update Certificates and Security Policies:

Sometimes, updating certificates or security policies can reset or change the algorithms.
Ensure that the certificates and policies are consistent on both sides.



Patch or Upgrade:

If the algorithm is new or recently introduced, ensure your SAP system is up to date with the latest patches or support packages that support the algorithm.



Debugging:

Enable WS-Security trace or logging to capture the exact SOAP message and security headers.
Use tools like SOAP UI or Wireshark to analyze the message.




Related Information:

SAP Notes: Search for SAP Notes related to WS-Security and algorithm support.
SAP Help Portal: Documentation on WS-Security configuration in SAP NetWeaver.
Common Algorithms:

Signature: http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Encryption: http://www.w3.org/2001/04/xmlenc#aes256-cbc


Transactions/Tools:

SOAMANAGER — Web Service Configuration.
STRUST — Certificate and SSL management.
SICF — Internet Communication Framework.




Summary:
The WSS034 error indicates a mismatch between expected and received cryptographic algorithms in WS-Security processing. To resolve it, verify and align the configured algorithms on both sender and receiver sides, update configurations or certificates as needed, and ensure both systems support the same secure algorithms.