Content Server error

Former Member
0 Kudos

Hi All,

I am trying to write a Java utility that will create a document using the Content Server HTTP API in a repository with security turned on. I use SAP SSF classes to calculate the secKey value for my request, but every time I get an HTTP 401 error and the Content Server log contains the following error:

Security SsfVerify failed rc=12, lasterror=18, decoding error for, PSE=
?\C:\Program Files\SAP\Content Server\Security\ZT1.pse,"

My algorithm is as follows: first I calculate the MD5 hash of the parameters:

byte[] digest = null;
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(param.getBytes());
digest = md.digest();

Then I sign it using SAP SSF classes:

ByteArrayInputStream bais = new ByteArrayInputStream(digest);

// create object of ssf data
ISsfData data = null;

try {
    data = new SsfDataPKCS7(bais);
    KeyStore keystore = KeyStore.getInstance("PKCS12");
    keystore.load(new FileInputStream("c:\\work\\PKI\\CS_NW1.p12"), "pwd".toCharArray());
    SsfProfileKeyStore profile = new SsfProfileKeyStore(keystore, "cs_nw1", "pwd");
    boolean res = data.sign(profile);

    if (!res) {
        System.out.println("Creation of signature failed");
    } else {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        data.writeTo(baos);
        result = Base64.encodeBase64URLSafeString(baos.toByteArray());
    }
} catch (Exception e) {
    e.printStackTrace();
}

Is anyone here who has experience with the Content Server HTTP API in combination with digital signatures and could help me with my problem?

Many thanks in advance!

Best regards,

Tomas

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi Christoph,

thank you for your answer, but this is not what I was looking for.

Finally I managed to solve my problem - I created a new repository and generated and uploaded a new DSA certificate to it (using putCert operation of the Content Server HTTP API). Then I realized that I can use the SHA1 hashing along with DSA signatures for the Content Server HTTP API. So my posted code is basically correct, just the MD5 hash value should not be calculated, because the ISsfData class provides automatic SHA1 hashing.

Best regards,

Tomas

Edited by: Tomas Hansut on Jun 16, 2011 1:37 PM
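
The hashing point in the answer above, as an added example that is not part of the original thread: a signing API that hashes internally, fed a pre-computed MD5 digest, produces a signature over the digest rather than over the parameters. It uses the standard JCA `SHA1withDSA` signature in place of the SAP SSF classes and a raw DSA signature in place of the PKCS#7 envelope; the key, the parameter string and the assumption that the receiver verifies against the parameter bytes are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class DoubleHashDemo {

    // SHA1withDSA hashes its input itself before signing.
    static byte[] sign(PrivateKey key, byte[] input) throws Exception {
        Signature s = Signature.getInstance("SHA1withDSA");
        s.initSign(key);
        s.update(input);
        return s.sign();
    }

    // Assumed receiver behaviour: verify over the parameter bytes it received.
    static boolean verify(PublicKey key, byte[] message, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA1withDSA");
        s.initVerify(key);
        s.update(message);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Throwaway demo key; 1024 bits because SHA-1 pairs with a 160-bit q.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed parameter string, not a real request.
        byte[] params = "ZT1data0123456789ABCDEF0002crCN=demo20110616120000"
                .getBytes(StandardCharsets.US_ASCII);

        // Approach from the question: MD5 first, then pass the digest to the signer.
        byte[] md5 = MessageDigest.getInstance("MD5").digest(params);
        byte[] sigOverDigest = sign(kp.getPrivate(), md5);

        // Approach from the answer: pass the parameters to the signer unhashed.
        byte[] sigOverParams = sign(kp.getPrivate(), params);

        System.out.println("pre-hashed with MD5 verifies: "
                + verify(kp.getPublic(), params, sigOverDigest));
        System.out.println("signed directly verifies:     "
                + verify(kp.getPublic(), params, sigOverParams));
    }
}
```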

Former Member
0 Kudos

Hi Tomas,

I am facing the same problem and I am really interested in how your solution works "in detail".

Did you create the certificate using the standard Java keytool, like

"keytool -genkeypair -keyalg DSA -alias NONE -dname "CN=NONE, ......"

or does the certificate have to be generated with the Java IAIK library?

I understand that you are using this library in order to create the secKey. Where did you get it from? I expected that there is an open implementation, as I understood from the documentation that open standards for encryption are used.

Best regards

Former Member
0 Kudos

Hi Tomas,

I tried to implement the interface with C# and got the same error as you mentioned above (Security SsfVerify failed rc=12, lasterror=18, decoding error for).

I'm not sure if my problem comes from the certificate, which I created using makecert.exe, or if I did something wrong signing the URL. How did you create your certificate?

Maybe you can see a major fault in my code. I tried it that way:

byte[] byteArray = File.ReadAllBytes(@"C:\_xbound_ocf\Development\Dev\Binaries\Release\ENUtxt.pdf");
string docId = Guid.NewGuid().ToString().Replace("-", "").ToUpper();
string expiration = DateTime.Now.Add(new TimeSpan(2, 0, 0)).ToString("yyyyMMddHHmmss");
string accessMode = "c";

string parameterToBeSigned = ReplaceCharacter(_ContRep.Text) + ReplaceCharacter(_CompID.Text) + ReplaceCharacter(docId) + ReplaceCharacter(_DocProt.Text) +
    ReplaceCharacter(accessMode) + ReplaceCharacter(_AuthId.Text) + ReplaceCharacter(expiration);

string path = @"C:\_xbound_ocf\Development\Dev\ProcessDirector\ArchiveLinkTest\ArchiveLinkTest\certs\DSAWithSHA1\MyUserCert.pfx";
X509Certificate2 certificate = new X509Certificate2(path, "alba&1");
DSACryptoServiceProvider provider = (DSACryptoServiceProvider)certificate.PrivateKey;

System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();
ASCIIEncoding encoding2 = new System.Text.ASCIIEncoding();

byte[] data = encoding2.GetBytes(parameterToBeSigned);

SHA1Managed sha1 = new SHA1Managed();
byte[] hash = sha1.ComputeHash(data);
byte[] signed = provider.CreateSignature(hash);
string secKey = Convert.ToBase64String(signed);

string url = _URL.Text + "?create" +
    "&contRep=" + ReplaceCharacter(_ContRep.Text) +
    "&compId=" + ReplaceCharacter(_CompID.Text) +
    "&docId=" + ReplaceCharacter(docId) +
    "&pVersion=" + ReplaceCharacter(_Version.Text) +
    "&Content-Length=" + byteArray.Length.ToString() +
    "&docProt=" + ReplaceCharacter(_DocProt.Text) +
    "&accessMode=" + ReplaceCharacter(accessMode) +
    "&authId=" + ReplaceCharacter(_AuthId.Text) +
    "&expiration=" + ReplaceCharacter(expiration) +
    "&secKey=" + ReplaceCharacter(secKey);

ReplaceCharacter is a function which replaces the characters that are invalid in a URL.

Best regards

Anja

christoph_hopf
Advisor
0 Kudos

Hi Tomas,

based on your description I would recommend that you check the settings for the content repository in use in transaction CSADMIN. Maybe there is some additional security or certificate setting required.

From a DMS point of view I would like to draw your attention to SAP note 504692, which was created for triggering DMS functions in the background by using DMS API functionalities. This note also contains some sample programs which might be useful for you.

Best regards,

Christoph