on 12-22-2006 9:26 AM
Hi all,
My scenario is as follows:
Some XML messages sent to XI have some info encrypted with public-key technology. The public-key certificate used for encryption is part of a key pair generated, and stored, in a previously created custom view - CartaoCidadao - in the XI J2EE keystore service. The certificate is then for distribution by the senders of that kind of messages. The objective is to programmatically access the keystore service, namely the profile (or private key) ccKeyPair of the CartaoCidadao view, to decipher that info, validate it and finally send it to the SAP ERP2005.
To achieve that goal I've decided to use a Java mapping program - CCDataValidator.jar - and the SSF (Secure Store and Forward) Java libraries. Below you can see the bit of code from my mapping program's execute method that obtains the profile from the keystore service, and where the problem resides:
```java
// get profile from keystore service of J2EE engine
InitialContext context = new InitialContext();
KeystoreManager manager = (KeystoreManager) context.lookup("keystore");
// this call is where the access-control exception below is thrown
KeyStore keyStore = manager.getKeystore("CartaoCidadao");
String alias = "ccKeyPair";
try {
    SsfProfileKeyStore profile = new SsfProfileKeyStore(keyStore, alias, null);
} catch (Exception e) {
    e.printStackTrace();
    throw new StreamTransformationException("Error while accessing keystore", e);
}
```
I've no problem with the call to look up the service, and if I try to check whether my view is available using KeystoreManager.existKeystoreView("CartaoCidadao") the result is true.
The problem happens when I make the call KeystoreManager.getKeystore("CartaoCidadao"), getting the following exception:
```
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Remote call errored
    at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)
    at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:707)
    at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201)
    at ccDataValidation.CCDataValidator.execute(CCDataValidator.java:108)
    at com.sap.aii.ibrep.server.mapping.ibrun.RepJavaMapping.execute(RepJavaMapping.java:73)
    at com.sap.aii.ibrep.server.mapping.ibrun.RepMappingHandler.run(RepMappingHandler.java:80)
    at com.sap.aii.ibrep.server.mapping.rt.MappingHandlerAdapter.run(MappingHandlerAdapter.java:107)
    at com.sap.aii.ibrep.server.mapping.ServerMapService.transformInterfaceMapping(ServerMapService.java:127)
    at com.sap.aii.ibrep.server.mapping.ServerMapService.transform(ServerMapService.java:104)
    at com.sap.aii.ibrep.sbeans.mapping.MapServiceBean.transform(MapServiceBean.java:40)
    at com.sap.aii.ibrep.sbeans.mapping.MapServiceRemoteObjectImpl0_0.transform(MapServiceRemoteObjectImpl0_0.java:167)
    at com.sap.aii.ibrep.sbeans.mapping.MapServiceRemoteObjectImpl0_0p4_Skel.dispatch(MapServiceRemoteObjectImpl0_0p4_Skel.java:104)
    at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:320)
    at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:198)
    at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:129)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: Application is not authorized to execute keystore operation []
    at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:755)
    at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:234)
    at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:35)
    at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)
    ... 20 more
Caused by: java.security.AccessControlException: access denied
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:748)
    ... 23 more
```
Obviously it's a security problem regarding GET_VIEW permissions.
How can I set a GET_VIEW permission to this view so my mapping program can access it?
I already tried to add all Granted Domains available in All Domains for the Action GET_VIEW and view CartaoCidadao in the Security tab of the J2EE keystore service via Visual Administrator, but the problem remains. What am I missing?
I was also walking around the Security Provider service in the Visual Administrator, but I don't know if, and what, I have to do here, about Protection Domains for example.
Can anyone help me out on this? Please.
I've been around this issue for a week now and I don't know what more to do.
Thank you very much and Merry Christmas!
Alexandre
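The bottom of the trace above is the standard `java.security` code-based check, which passes only if every protection domain on the calling stack holds the permission. The following is an added example, not code from the thread or from SAP: `ViewPermission`, the permission name and the file locations are hypothetical stand-ins, and it assumes a JDK up to 23, where `AccessControlContext` still enforces checks.

```java
import java.net.URI;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class CodeBasedCheckDemo {
    // Hypothetical permission standing in for "GET_VIEW on view CartaoCidadao".
    static final class ViewPermission extends BasicPermission {
        ViewPermission(String name) { super(name); }
    }

    // Protection domain for code loaded from 'location' with a fixed set of grants.
    static ProtectionDomain domain(String location, Permission... grants) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : grants) perms.add(p);
        CodeSource cs = new CodeSource(URI.create(location).toURL(), (Certificate[]) null);
        return new ProtectionDomain(cs, perms);
    }

    // True only if every domain on the simulated call stack implies the permission.
    static boolean allowed(Permission perm, ProtectionDomain... callStack) {
        try {
            new AccessControlContext(callStack).checkPermission(perm);
            return true;
        } catch (AccessControlException e) {
            return false; // same exception type as the root cause in the trace
        }
    }

    public static void main(String[] args) throws Exception {
        Permission getView = new ViewPermission("GET_VIEW.CartaoCidadao");
        // Constructed locations: a granted service archive and the mapping archive.
        ProtectionDomain service = domain("file:/constructed/keystore-service.jar", getView);
        ProtectionDomain mapping = domain("file:/constructed/CCDataValidator.jar");
        ProtectionDomain mappingGranted = domain("file:/constructed/CCDataValidator.jar", getView);

        System.out.println("service only:              " + allowed(getView, service));
        System.out.println("service + mapping:         " + allowed(getView, service, mapping));
        System.out.println("service + granted mapping: " + allowed(getView, service, mappingGranted));
    }
}
```

The second case fails even though one domain on the stack is granted, because the check intersects the permissions of all callers; the grant has to cover the domain the calling code was actually loaded from.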
Hi Henrique,
Sorry for my delayed answer.
Yes I resolved it using a workaround.
I transferred my certificate to the "default" view of the J2EE keystore service and this way didn't have to make any changes to access permissions.
Hope it helps you.
Alexandre.
P.S. - Please don't forget reward points if it fits you!
Hi Alexandre,
Have you solved your issue?
I'm facing the exact same problem now.
I was even thinking of deploying the Keystore access part as an EJB and accessing it through Java mapping (so I could give permissions for the EJB in Security Provider), but Thomas's error (from topic ) suggests that even that won't work.
Any help would be appreciated.
Regards,
Henrique.
Hi,
Have had the same problem earlier and couldn't find a solution (didn't look very hard since I found an acceptable workaround).
Ended up placing the certificate in the TicketKeystore and had no problems with that (I was accessing it from a custom LoginModule for SAP EP).
Dagfinn