on 08-27-2004 11:43 AM
Hello,
I have a very nasty security problem accessing the "keystore" service from within a resource adapter application.
I have created a view holding my certificates and private keys and the idea is to use this "keystore" service to access these objects. I need them in my adaptor.
The result is that I can look up the service - no problem with that.
I check if my view is available using KeyStoreManager.existKeystoreView(viewName); the result of this is true - my view exists, but when I make this call, KeyStoreManager.getKeystore(viewName);, I get this nasty exception:
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException:
at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)
at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:707)
at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201)
at com.seeburger.ksm.xi.source.XIRepositorySourceProvider.getRepository(XIRepositorySourceProvider.java:154)
at com.seeburger.ksm.cryptoapi.impl.CryptoApi.getCertificate(CryptoApi.java:265)
at com.seeburger.ediint.util.cert.SimpleKeyManager.getCertificate(SimpleKeyManager.java:75)
at com.seeburger.as1.tasks.AS1MessageComposer.getEDIMessageBuilderConfig(AS1MessageComposer.java:259)
at com.seeburger.as1.tasks.AS1MessageComposer.compose(AS1MessageComposer.java:126)
at com.seeburger.as1.tasks.AS1MessageComposer.compose(AS1MessageComposer.java:100)
at com.seeburger.as1.AS1Processor.sendAs1(AS1Processor.java:249)
at com.seeburger.as1.AS1Processor.execute(AS1Processor.java:179)
at com.seeburger.frame.FrameWork.syncNewData(FrameWork.java:805)
at com.seeburger.xi.as1mail.frame.AS1Processor.execute(AS1Processor.java:66)
at com.seeburger.xi.as1mail.frame.XIProcessor.call(XIProcessor.java:112)
at com.seeburger.xi.as1mail.ra.CCIInteraction.call(CCIInteraction.java:200)
at com.seeburger.xi.as1mail.ra.CCIInteraction.execute(CCIInteraction.java:107)
at com.sap.aii.af.endpoint.ModuleProcessorExitBean.process(ModuleProcessorExitBean.java:203)
at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0.process(ModuleLocalLocalObjectImpl0.java:116)
at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:197)
at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:116)
at com.sap.aii.af.listener.AFWListenerBean.onMessage(AFWListenerBean.java:178)
at com.sap.aii.af.listener.AFWListenerLocalObjectImpl0.onMessage(AFWListenerLocalObjectImpl0.java:120)
at com.sap.aii.af.ra.ms.impl.ServicesImpl.deliver(ServicesImpl.java:243)
at com.sap.aii.af.ra.ms.impl.protocol.xi.XIEventHandler.onDeliver(XIEventHandler.java:708)
at com.sap.aii.af.ra.ms.impl.core.queue.RequestConsumer.onMessage(RequestConsumer.java:100)
at com.sap.aii.af.ra.ms.impl.core.queue.Queue.run(Queue.java:399)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: checkPermissions() for [{GET_VIEW xxxKeystore }] failed!
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:297)
at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:33)
at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)
... 29 more
Caused by: java.security.KeyStoreException: java.security.AccessControlException: access denied
at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:702)
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:228)
... 31 more
Obviously it is a security problem with lacking GET_VIEW permissions.
But how do I set a GET_VIEW permission on this view so my resource adapter can access the content?
I did the following: I went to
EngineAdmin->Server->Services->Key Storage
I selected the repository tab and I see that I can grant permissions to the available domains. So I do so - I grant GET_VIEW permission to all domains I can associate with my application, the result is the same.
What am I missing?
Please help
Check the log files /serverX/log/system/security.N.log and /serverX/log/defaultTrace.x.x. There should be records containing the full protection domain stack for your call and the exact domain which failed the check. You may have to decrease the log/trace severity of location com.sap.engine.services.security in order to receive these records.
Regards Ilia
Hello Sergei,
I know it's been a while since your post, but I wonder if you resolved the problem and how?
I've a similar problem; the difference is that I want to access a keystore view from an XI Java mapping program.
I think that I have to add granted domains in the Security tab of the keystore service (Key Storage) via J2EE Visual Administrator, but I don't know which?
Can you help me out?
Thanks in advance.
Alexandre