Access keystore service from within resource adapter

Former Member
0 Kudos

Hello,

I have a very nasty security problem accessing the "keystore" service from within a resource adapter application.

I have created a view holding my certificates and private keys and the idea is to use this "keystore" service to access these objects. I need them in my adaptor.

The result is that I can look up the service - no problem with that.

I check if my view is available using KeyStoreManager.existKeystoreView(viewName); the result of this is true - my view exists, but when I make this call KeyStoreManager.getKeystore(viewName); I get this nasty exception:

java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException:
    at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)
    at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:707)
    at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201)
    at com.seeburger.ksm.xi.source.XIRepositorySourceProvider.getRepository(XIRepositorySourceProvider.java:154)
    at com.seeburger.ksm.cryptoapi.impl.CryptoApi.getCertificate(CryptoApi.java:265)
    at com.seeburger.ediint.util.cert.SimpleKeyManager.getCertificate(SimpleKeyManager.java:75)
    at com.seeburger.as1.tasks.AS1MessageComposer.getEDIMessageBuilderConfig(AS1MessageComposer.java:259)
    at com.seeburger.as1.tasks.AS1MessageComposer.compose(AS1MessageComposer.java:126)
    at com.seeburger.as1.tasks.AS1MessageComposer.compose(AS1MessageComposer.java:100)
    at com.seeburger.as1.AS1Processor.sendAs1(AS1Processor.java:249)
    at com.seeburger.as1.AS1Processor.execute(AS1Processor.java:179)
    at com.seeburger.frame.FrameWork.syncNewData(FrameWork.java:805)
    at com.seeburger.xi.as1mail.frame.AS1Processor.execute(AS1Processor.java:66)
    at com.seeburger.xi.as1mail.frame.XIProcessor.call(XIProcessor.java:112)
    at com.seeburger.xi.as1mail.ra.CCIInteraction.call(CCIInteraction.java:200)
    at com.seeburger.xi.as1mail.ra.CCIInteraction.execute(CCIInteraction.java:107)
    at com.sap.aii.af.endpoint.ModuleProcessorExitBean.process(ModuleProcessorExitBean.java:203)
    at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0.process(ModuleLocalLocalObjectImpl0.java:116)
    at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:197)
    at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:116)
    at com.sap.aii.af.listener.AFWListenerBean.onMessage(AFWListenerBean.java:178)
    at com.sap.aii.af.listener.AFWListenerLocalObjectImpl0.onMessage(AFWListenerLocalObjectImpl0.java:120)
    at com.sap.aii.af.ra.ms.impl.ServicesImpl.deliver(ServicesImpl.java:243)
    at com.sap.aii.af.ra.ms.impl.protocol.xi.XIEventHandler.onDeliver(XIEventHandler.java:708)
    at com.sap.aii.af.ra.ms.impl.core.queue.RequestConsumer.onMessage(RequestConsumer.java:100)
    at com.sap.aii.af.ra.ms.impl.core.queue.Queue.run(Queue.java:399)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: checkPermissions() for [{GET_VIEW xxxKeystore }] failed!
    at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:297)
    at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:33)
    at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)
    ... 29 more
Caused by: java.security.KeyStoreException: java.security.AccessControlException: access denied
    at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:702)
    at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:228)
    ... 31 more

Obviously it is a security problem with missing GET_VIEW permissions.

But how to set a GET_VIEW permission to this view so my resource adapter can access the content?

I did the following: I went to

EngineAdmin->Server->Services->Key Storage

I selected the repository tab and I see that I can grant permissions to the available domains. So I did: I granted GET_VIEW permission to all domains I can associate with my application, but the result is the same.

What am I missing?

Please help

Accepted Solutions (1)

former_member86049
Discoverer
0 Kudos

Check the log files /serverX/log/system/security.N.log and /serverX/log/defaultTrace.x.x; there should be records containing the full protection domain stack for your call and the exact domain that failed the check. You may have to decrease the log/trace severity of location 'com.sap.engine.services.security' in order to receive these records.

Regards Ilia
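Added illustration (not from the post, SAP or Seeburger): the check that fails in CodeBasedSecurityConnector.checkPermissions_getView is a code-based stack walk, so a GET_VIEW grant on the adapter's own domain is still denied when any other protection domain on the call stack lacks it, which is why the security trace's domain stack is the thing to read. GetViewPermission and the codebase URLs below are hypothetical stand-ins for the engine's real permission class and deployment paths.

```java
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class GetViewCheckDemo {

    // Hypothetical stand-in for the engine's GET_VIEW permission; the name is the keystore view.
    static final class GetViewPermission extends BasicPermission {
        GetViewPermission(String view) { super(view); }
    }

    // Build a static protection domain for a code location holding exactly the given permissions
    // (a static domain never consults the Policy, so "not granted" really means not granted).
    static ProtectionDomain domain(String codebase, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        CodeSource cs = new CodeSource(new URL(codebase), (Certificate[]) null);
        return new ProtectionDomain(cs, perms);
    }

    // Emulate the JVM stack walk: the check passes only if every domain on the stack implies p.
    static boolean allowed(Permission p, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(p);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Permission getView = new GetViewPermission("xxxKeystore");
        // Constructed codebases: the adapter is granted, the framework code that calls into it is not.
        ProtectionDomain adapter   = domain("file:/placeholder/adapter.rar", getView);
        ProtectionDomain framework = domain("file:/placeholder/framework.jar");
        ProtectionDomain frameworkGranted = domain("file:/placeholder/framework.jar", getView);

        System.out.println(allowed(getView, adapter));                    // true
        System.out.println(allowed(getView, adapter, framework));         // false: the posted "access denied"
        System.out.println(allowed(getView, adapter, frameworkGranted));  // true once every domain holds it
    }
}
```

The walk stops at a frame that called AccessController.doPrivileged (visible near the bottom of the posted trace), so only domains above that frame need the grant; the trace records Ilia points to list exactly those domains.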

Answers (1)

Former Member
0 Kudos

Hello Sergei,

I know it’s been a while since your post but I wonder if you resolved the problem and how?

I have a similar problem; the difference is that I want to access a keystore view from an XI Java mapping program.

I think that I have to add granted domains in the Security tab of the keystore service (Key Storage) via the J2EE Visual Administrator, but I don't know which ones.

Can you help me out?

Thanks in advance.

Alexandre