on 12-22-2006 12:43 AM
Hi all,
My scenario is what follows:
Some XML messages sent to XI have some info encrypted with public key technology. The public-key certificate used for encryption is part of a key pair generated, and stored, in a previously custom-created view - CartaoCidadao - in the XI J2EE keystore service. The certificate is then distributed to the senders of that kind of message. The objective is to programmatically access the keystore service, namely the profile (or private key) ccKeyPair of the CartaoCidadao view, to decipher that info, validate it and finally send it to SAP ERP2005.
To achieve that goal I've decided to use a java mapping program - CCDataValidator.jar - and the SSF (Secure Store and Forward) java libraries. Next you can see the bit of code from my mapping program's execute method that obtains the profile from the keystore service, and where the problem resides:
```java
import java.security.KeyStore;
import javax.naming.InitialContext;
import com.sap.aii.mapping.api.StreamTransformationException;
// KeystoreManager comes from keystore_api.jar and SsfProfileKeyStore from tc_sec_ssf.jar (see below)

// get profile from keystore service of J2EE engine
InitialContext context = new InitialContext();
KeystoreManager manager = (KeystoreManager) context.lookup("keystore");
KeyStore keyStore = manager.getKeystore("CartaoCidadao");   // <-- fails with the exception below
String alias = "ccKeyPair";
SsfProfileKeyStore profile = null;
try {
    // profile wraps the private key stored under the alias; no password for the key entry
    profile = new SsfProfileKeyStore(keyStore, alias, null);
} catch (Exception e) {
    e.printStackTrace();
    throw new StreamTransformationException("Error while accessing keystore", e);
}
```
I've no problem with the lookup call for the service, and if I check whether my view is available using KeystoreManager.existKeystoreView("CartaoCidadao") the result is true.
The problem happens when I make the call KeystoreManager.getKeystore("CartaoCidadao"); I get the following exception:
```
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Remote call errored
    at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)
    at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:707)
    at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201)
    at ccDataValidation.CCDataValidator.execute(CCDataValidator.java:108)
    at com.sap.aii.ibrep.server.mapping.ibrun.RepJavaMapping.execute(RepJavaMapping.java:73)
    at com.sap.aii.ibrep.server.mapping.ibrun.RepMappingHandler.run(RepMappingHandler.java:80)
    at com.sap.aii.ibrep.server.mapping.rt.MappingHandlerAdapter.run(MappingHandlerAdapter.java:107)
    at com.sap.aii.ibrep.server.mapping.ServerMapService.transformInterfaceMapping(ServerMapService.java:127)
    at com.sap.aii.ibrep.server.mapping.ServerMapService.transform(ServerMapService.java:104)
    at com.sap.aii.ibrep.sbeans.mapping.MapServiceBean.transform(MapServiceBean.java:40)
    at com.sap.aii.ibrep.sbeans.mapping.MapServiceRemoteObjectImpl0_0.transform(MapServiceRemoteObjectImpl0_0.java:167)
    at com.sap.aii.ibrep.sbeans.mapping.MapServiceRemoteObjectImpl0_0p4_Skel.dispatch(MapServiceRemoteObjectImpl0_0p4_Skel.java:104)
    at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:320)
    at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:198)
    at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:129)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: Application is not authorized to execute keystore operation []
    at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:755)
    at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:234)
    at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:35)
    at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)
    ... 20 more
Caused by: java.security.AccessControlException: access denied
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:748)
    ... 23 more
```
Obviously it's a security problem regarding GET_VIEW permissions.
How can I set a GET_VIEW permission on this view so my mapping program can access it?
I already tried to add all Granted Domains available in All Domains for the Action GET_VIEW and view CartaoCidadao in the Security tab of the J2EE keystore service via Visual Administrator, but the problem remains. What am I missing?
I was also walking around the Security Provider service in the Visual Administrator, but I don't know if, and what, I have to do here, about Protection Domains for example.
Can anyone help me out on this? Please!
I've been around this issue for a week now and I don't know what else to do.
Thank you very much and Merry Christmas!
Alexandre
Hello Shakif,
Please open a new forum message of your own with your questions so I can reply there and eventually you could give some points if helpful.
Let me know here, or by e-mail, the respective message link so I can reply right away.
Thanks and regards,
Alexandre
Hi Alex,
I saw your code in SDN for digital signature and... can you please tell me which algorithm is used in the interface and class used by you for encrypting... and signing the message... so that I can tell the receiver of the message to use the same algorithm to decrypt the message...
And do we need to use the public key or the private key for digitally signing... which key needs to be used for encrypting the message?..
Thanks in advance
shakif
Hi Arunava,
The jar files where you can find the implementation of those classes are:
- keystore_api.jar (for KeystoreManager class)
- tc_sec_ssf.jar (for SsfProfileKeyStore class)
The KeyStore class is part of the JRE System Library ( rt.jar ).
Hope it helps.
Please reward if so.
Regards,
Alexandre
Hi guys,
Sorry for the delayed answer...
I only got this to work using the DEFAULT keystore view.
Next, I send you a java mapping code example to sign and encrypt an XI message.
```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import javax.naming.InitialContext;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;
import com.sap.aii.mapping.api.StreamTransformationException;
// KeystoreManager (keystore_api.jar) and the Ssf* classes (tc_sec_ssf.jar) are SAP libraries

// class name is a placeholder: the original post shows only the execute method
public class SignAndEncryptMapping extends DefaultHandler {

    // filled by this class's SAX callbacks with the parsed document (not shown in the post)
    private ByteArrayOutputStream bout = new ByteArrayOutputStream();

    public void execute(InputStream in, OutputStream out)
            throws StreamTransformationException {
        DefaultHandler handler = this;
        SAXParserFactory factory = SAXParserFactory.newInstance();
        try {
            SsfProfileKeyStore profile = null;
            // the private key (profile) is read from the DEFAULT view of the keystore service
            InitialContext context = new InitialContext();
            KeystoreManager manager = (KeystoreManager) context.lookup("keystore");
            KeyStore keyStore = manager.getKeystore("DEFAULT");
            String alias = "XXXX-cert";
            try {
                profile = new SsfProfileKeyStore(keyStore, alias, null);
            } catch (Exception e) {
                e.printStackTrace();
                throw new StreamTransformationException("Error while accessing keystore", e);
            }
            // parse the incoming message; the handler collects it into bout
            SAXParser saxParser = factory.newSAXParser();
            saxParser.parse(in, handler);
            ISsfData encryptData = new SsfDataXML(new ByteArrayInputStream(bout.toByteArray()));
            // Sign the data with the private key of the profile
            boolean res = true;
            try {
                res = encryptData.sign(profile);
            } catch (SsfInvalidKeyException e) {
                System.err.println("Error while signing data " + e);
            }
            if (!res) {
                System.err.println("Creation of signature failed");
            }
            // PAB (public address book) = the certificates in the same keystore view
            SsfPabKeyStore pab = new SsfPabKeyStore(keyStore);
            SsfSigRcpList signer = new SsfSigRcpList();
            encryptData.verify(pab, signer);
            encryptData.encrypt(signer, pab);
            encryptData.writeTo(out);
        } catch (Throwable t) {
            t.printStackTrace();
        }
    }
    ....
}
```
Please reward if it helps you.
Regards
Alexandre
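As an added example, not Alexandre's code and not the SAP SSF library, the same sign-then-encrypt flow written with plain JDK classes. It also settles the key question asked earlier in the thread: the sender signs with its own private key and encrypts to the receiver's public key; the receiver decrypts with its private key and verifies with the sender's public key. The algorithms here (SHA256withRSA, RSA-OAEP with SHA-256, AES-256-GCM) are my choice for the demo and are not a statement about what SSF uses internally. Key pairs are generated in memory; in XI the sender's pair would be the profile read from the keystore view and the receiver's certificate would come from the PAB. The `Envelope` class and the length-prefixed layout are also assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.crypto.spec.SecretKeySpec;

/** Sign-then-encrypt of an XML message with JDK APIs only (added example, not SAP SSF). */
public final class SignEncryptDemo {

    /** What travels to the receiver: RSA-wrapped content key, GCM nonce, ciphertext (assumed layout). */
    public static final class Envelope {
        public final byte[] wrappedKey, iv, ciphertext;
        Envelope(byte[] w, byte[] i, byte[] c) { wrappedKey = w; iv = i; ciphertext = c; }
    }

    // Pin both the OAEP hash and the MGF1 hash to SHA-256 so sender and receiver agree.
    private static OAEPParameterSpec oaepSha256() {
        return new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    }

    /** Sender side: sign with the SENDER's private key, encrypt to the RECEIVER's public key. */
    public static Envelope seal(byte[] xml, PrivateKey senderKey, PublicKey receiverKey)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(senderKey);
        sig.update(xml);
        byte[] signature = sig.sign();

        // Fresh per-message AES key; RSA only wraps this key, never the XML itself.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey cek = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);

        // Encrypt (sigLen || signature || xml) so the signature is hidden along with the payload.
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, cek, new GCMParameterSpec(128, iv));
        ByteBuffer plain = ByteBuffer.allocate(4 + signature.length + xml.length);
        plain.putInt(signature.length).put(signature).put(xml);
        byte[] ciphertext = aes.doFinal(plain.array());

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, receiverKey, oaepSha256());
        return new Envelope(rsa.doFinal(cek.getEncoded()), iv, ciphertext);
    }

    /** Receiver side: decrypt with the RECEIVER's private key, verify with the SENDER's public key. */
    public static byte[] open(Envelope env, PrivateKey receiverKey, PublicKey senderKey)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.DECRYPT_MODE, receiverKey, oaepSha256());
        SecretKey cek = new SecretKeySpec(rsa.doFinal(env.wrappedKey), "AES");

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, cek, new GCMParameterSpec(128, env.iv));
        byte[] plain = aes.doFinal(env.ciphertext); // AEADBadTagException if altered in transit

        ByteBuffer buf = ByteBuffer.wrap(plain);
        byte[] signature = new byte[buf.getInt()];
        buf.get(signature);
        byte[] xml = new byte[buf.remaining()];
        buf.get(xml);

        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(senderKey);
        sig.update(xml);
        if (!sig.verify(signature)) {
            throw new SignatureException("signature does not verify against the sender key");
        }
        return xml;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair sender = gen.generateKeyPair();   // in XI: the profile from the keystore view
        KeyPair receiver = gen.generateKeyPair(); // in XI: the recipient certificate from the PAB
        byte[] xml = "<msg><cc>123</cc></msg>".getBytes(StandardCharsets.UTF_8); // constructed sample

        Envelope env = seal(xml, sender.getPrivate(), receiver.getPublic());
        byte[] back = open(env, receiver.getPrivate(), sender.getPublic());
        System.out.println("received: " + new String(back, StandardCharsets.UTF_8));

        env.ciphertext[0] ^= 1; // flip one bit of the ciphertext
        try {
            open(env, receiver.getPrivate(), sender.getPublic());
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected before the signature is even checked");
        }
    }
}
```

Note the ordering in `open`: GCM authentication fails first on any transport-level alteration, and the RSA signature is only checked on data that already decrypted cleanly, so a failed verification points to the sender's key rather than to a corrupted message.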
Hi Alex,
I have followed the [SAP Help](http://help.sap.com/saphelp_nw04s/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/content.htm) for signing and encrypting a document on the sender side. When I run the EJB module, my server goes down. Is there any issue with permission to access the Keystore? Or, when creating the new Keystore, what are all the steps which I need to follow? Please help in this regard.
Thanks in Advance,
Regards,
Venkatesh. K
HI,
Have you solved your problem in accessing your own keystore view? Please let me know the solution if you have solved it.
```java
KeyStore keyStore = manager.getKeystore("MYSTORE");
```
```
Caused by: java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Remote call errored
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: Application is not authorized to execute keystore operation []
Caused by: java.security.AccessControlException: access denied
```
Please advise.
Thanks
MMK
For those who face the same issue:
I resolved my problem using a workaround.
I transferred my certificate to the "default" view of the J2EE keystore service and this way didn't have to make any changes to access permissions.
Hope it helps anybody.
Alexandre