
Problem accessing J2EE “keystore” service from java mapping program

Former Member
0 Kudos

Hi all,

My scenario is what follows:

Some XML messages sent to XI have some info encrypted with public key technology. The public-key certificate used for encryption is part of a key pair generated and stored in a previously created custom view - “CartaoCidadao” - in the XI J2EE “keystore” service. The certificate is then for distribution by the senders of that kind of message. The objective is to programmatically access the keystore service, namely the profile (or private key) “ccKeyPair” of the “CartaoCidadao” view, to decipher that info, validate it and finally send it to the SAP ERP2005.

To achieve that goal I’ve decided to use a Java mapping program - “CCDataValidator.jar” - and the SSF (Secure Store and Forward) Java libraries. Below you can see the bit of code from my mapping program's execute method that obtains the profile from the “keystore” service, which is where the problem resides:

// get profile from keystore service of J2EE engine
InitialContext context = new InitialContext();
KeystoreManager manager = (KeystoreManager) context.lookup("keystore");
// this is the call that throws the exception shown below
KeyStore keyStore = manager.getKeystore("CartaoCidadao");
String alias = "ccKeyPair";
SsfProfileKeyStore profile = null;
try {
	profile = new SsfProfileKeyStore(keyStore, alias, null);
} catch (Exception e) {
	e.printStackTrace();
	throw new StreamTransformationException("Error while accessing keystore", e);
}

I have no problem with the lookup call for the service, and if I try to check whether my view is available using KeystoreManager.existKeystoreView(“CartaoCidadao”), the result is true.

The problem happens when I make the call KeystoreManager.getKeystore(“CartaoCidadao”), which gives the following exception:

java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Remote call errored
	at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)
	at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:707)
	at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201)
	at ccDataValidation.CCDataValidator.execute(CCDataValidator.java:108)
	at com.sap.aii.ibrep.server.mapping.ibrun.RepJavaMapping.execute(RepJavaMapping.java:73)
	at com.sap.aii.ibrep.server.mapping.ibrun.RepMappingHandler.run(RepMappingHandler.java:80)
	at com.sap.aii.ibrep.server.mapping.rt.MappingHandlerAdapter.run(MappingHandlerAdapter.java:107)
	at com.sap.aii.ibrep.server.mapping.ServerMapService.transformInterfaceMapping(ServerMapService.java:127)
	at com.sap.aii.ibrep.server.mapping.ServerMapService.transform(ServerMapService.java:104)
	at com.sap.aii.ibrep.sbeans.mapping.MapServiceBean.transform(MapServiceBean.java:40)
	at com.sap.aii.ibrep.sbeans.mapping.MapServiceRemoteObjectImpl0_0.transform(MapServiceRemoteObjectImpl0_0.java:167)
	at com.sap.aii.ibrep.sbeans.mapping.MapServiceRemoteObjectImpl0_0p4_Skel.dispatch(MapServiceRemoteObjectImpl0_0p4_Skel.java:104)
	at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:320)
	at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:198)
	at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:129)
	at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
	at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
	at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
	at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: Application is not authorized to execute keystore operation []
	at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:755)
	at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:234)
	at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:35)
	at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)
	... 20 more
Caused by: java.security.AccessControlException: access denied
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
	at java.security.AccessController.checkPermission(AccessController.java:401)
	at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:748)
	... 23 more

Obviously it’s a security problem regarding GET_VIEW permissions.

How can I set a GET_VIEW permission on this view so my mapping program can access it?

I already tried to add all Granted Domains available in All Domains for the Action “GET_VIEW” and view “CartaoCidadao” in the Security tab of the J2EE “keystore” service via Visual Administrator, but the problem remains. What am I missing?

I also looked around the Security Provider service in the Visual Administrator, but I don’t know whether, and what, I have to do there, about Protection Domains for example.

Can anyone help me out on this? Please…

I’ve been on this issue for a week now and I don’t know what more to do.

Thank you very much and… Merry Christmas!

Alexandre
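
The innermost cause in the trace above is a code-based check (`AccessControlContext.checkPermission`), which evaluates the permissions granted to the protection domains of the calling code. The following is an added example, not part of the original post and not SAP's implementation; `ViewPermission`, the `GET_VIEW.<view>` naming and the three domains are hypothetical, and it assumes a JDK older than 24, where the Security Manager was permanently disabled.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class CodeBasedCheckDemo {

    // Hypothetical permission type: one permission name per keystore view.
    static final class ViewPermission extends BasicPermission {
        ViewPermission(String view) { super("GET_VIEW." + view); }
    }

    // A protection domain models the code of one deployed component together
    // with the permissions granted to that code.
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new ProtectionDomain(new CodeSource(null, (Certificate[]) null), perms);
    }

    // Same JDK call as the innermost frame of the trace: every domain in the
    // context must imply the permission, otherwise access is denied.
    static boolean mayGetView(String view, ProtectionDomain... callers) {
        try {
            new AccessControlContext(callers).checkPermission(new ViewPermission(view));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed domains: the service itself, and the mapping code
        // without and with a grant for the custom view.
        ProtectionDomain service = domain(new ViewPermission("*"));
        ProtectionDomain ungranted = domain();
        ProtectionDomain granted = domain(new ViewPermission("CartaoCidadao"));

        System.out.println("service only:        " + mayGetView("CartaoCidadao", service));
        System.out.println("service + ungranted: " + mayGetView("CartaoCidadao", service, ungranted));
        System.out.println("service + granted:   " + mayGetView("CartaoCidadao", service, granted));
        System.out.println("granted, other view: " + mayGetView("DEFAULT", service, granted));
    }
}
```

A single caller domain without the grant is enough to deny the request, even when the service's own domain holds a wildcard permission.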

Accepted Solutions (0)

Answers (7)


Former Member
0 Kudos

Hello Shakif,

Please open a new forum message of your own with your questions so I can reply there and eventually you could give some points if helpful.

Let me know here, or by e-mail, the respective message link so I can reply right away.

Thanks and regards,

Alexandre

Former Member
0 Kudos

Hi Alex,

I saw your code in SDN for digital signature and... can you please tell me which algorithm is used in the interface and class used by you for encrypting and signing the message, so that I can tell the receiver of the message to use the same algorithm to decrypt the message...

And do we need to use the public key or the private key for digitally signing? Which key needs to be used for encrypting the message?

Thanks in advance

shakif

Former Member
0 Kudos

Hi Arunava,

The jar files where you can find the implementation of those classes are:

- keystore_api.jar (for KeystoreManager class)

- tc_sec_ssf.jar (for SsfProfileKeyStore class)

The KeyStore class is part of the JRE System Library ( rt.jar ).

Hope it helps.

Please reward if so.

Regards,

Alexandre

Former Member
0 Kudos

Hi guys,

Sorry for the delayed answer...

I only got this to work using the DEFAULT keystore-view.

Next, I send you a Java mapping code example to sign and encrypt an XI message.

public void execute(InputStream in, OutputStream out)
		throws StreamTransformationException {
	DefaultHandler handler = this;
	SAXParserFactory factory = SAXParserFactory.newInstance();
	try {
		// Get the profile (key pair) from the keystore service of the J2EE engine
		SsfProfileKeyStore profile = null;

		InitialContext context = new InitialContext();
		KeystoreManager manager = (KeystoreManager) context.lookup("keystore");
		KeyStore keyStore = manager.getKeystore("DEFAULT");
		String alias = "XXXX-cert";

		try {
			profile = new SsfProfileKeyStore(keyStore, alias, null);
		} catch (Exception e) {
			throw new StreamTransformationException("Error while accessing keystore", e);
		}

		// Parse the input. bout is not declared in this excerpt; presumably it is
		// a ByteArrayOutputStream field that the SAX handler callbacks write to.
		SAXParser saxParser = factory.newSAXParser();
		saxParser.parse(in, handler);

		ISsfData encryptData = new SsfDataXML(new ByteArrayInputStream(bout.toByteArray()));

		// Sign the data; stop the mapping if no signature was created
		boolean res = false;
		try {
			res = encryptData.sign(profile);
		} catch (SsfInvalidKeyException e) {
			throw new StreamTransformationException("Error while signing data", e);
		}
		if (!res) {
			throw new StreamTransformationException("Creation of signature failed");
		}

		SsfPabKeyStore pab = new SsfPabKeyStore(keyStore);
		SsfSigRcpList signer = new SsfSigRcpList();

		// Verify the signature, then encrypt and write the result
		encryptData.verify(pab, signer);
		encryptData.encrypt(signer, pab);
		encryptData.writeTo(out);

	} catch (StreamTransformationException e) {
		// Already a mapping error (keystore or signature failure): pass it on
		throw e;
	} catch (Exception e) {
		// Fail the mapping instead of swallowing the error
		throw new StreamTransformationException("Error while signing and encrypting message", e);
	}
}
	
....
}

Please reward if it helps you.

Regards

Alexandre

ADIDAS
Participant
0 Kudos

Hi,

I am trying to use the same way for accessing the Keystore but I can't resolve the KeystoreManager, SsfProfileKeyStoreprofile.

Can you please tell me what libraries or jar files you imported in the build? Also, where can I get the jar files from?

Regards,

Arunava

Former Member
0 Kudos

Hi Alex,

I have followed the SAP Help (http://help.sap.com/saphelp_nw04s/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/content.htm) for signing and encrypting a document from the sender side. Once, when I run the EJB Module, my server goes down. Is there any issue with permission to access the Keystore? Or, while creating the new Keystore, what are all the steps which I need to follow? Please help in this regard.

Thanks in Advance,

Regards,

Venkatesh. K

Former Member
0 Kudos

Hi,

Have you solved your problem in accessing your own keystore-view? Please let me know the solution if you have solved it.

KeyStore keyStore = manager.getKeystore("MYSTORE");

Caused by: java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Remote call errored

Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: Application is not authorized to execute keystore operation []

Caused by: java.security.AccessControlException: access denied

Please advise.

Thanks

MMK

Former Member
0 Kudos

For those who face the same issue:

I resolved my problem using a workaround.

I transferred my certificate to the "default" view of the J2EE keystore service and this way didn't have to make any changes to access permissions.

Hope it helps anybody.

Alexandre

henrique_pinto
Active Contributor
0 Kudos

😃

Thanks a lot.

Regards,

Henrique.