
How to use the Private/Public Keys from the Key Store

Former Member
0 Kudos

Hi everyone,

I am now developing an adapter for XI. I need to encrypt the messages for the Sender and decrypt the messages for the Receivers using the keys stored in the Visual Admin KeyStore when they are required.

In the SAP Note 766332 -- XI3.0/7.0 Adapter Development, it only describes how to retrieve the Private/Public Keys from the Visual Admin KeyStore using the com.sap.aii.security.lib APIs. And in the SPIManagedConnection class of the Sample Adapter, it is also very clear how to retrieve the private key from the key store with the following code:

// Imports for the APIs named in SAP Note 766332 (com.sap.aii.security.lib);
// the package of ISsfProfile is assumed to be the SAP SSF API package.
import com.sap.aii.security.lib.KeyStoreManager;
import com.sap.aii.security.lib.PermissionMode;
import com.sap.aii.security.lib.SAPSecurityResources;
import com.sap.security.api.ssf.ISsfProfile;

// privKeyView is the name of the key store view and privKeyAlias the alias of the
// key entry, both taken from the adapter's configuration
SAPSecurityResources secRes = SAPSecurityResources.getInstance();
KeyStoreManager ksMgr = secRes.getKeyStoreManager(PermissionMode.SYSTEM_LEVEL);
java.security.KeyStore ks = ksMgr.getKeyStore(privKeyView);
ISsfProfile privKeyProf = ksMgr.getISsfProfile(ks, privKeyAlias, null); // since code-based permission is used, no password needs to be supplied
java.security.PrivateKey privKey = privKeyProf.getPrivateKey();

The question is:

After retrieving the private/public keys, how can I use them to encrypt/decrypt the XI Message?

Please give me some ideas or advice. Thanks in advance.

with regards

Xiang Zhang

Accepted Solutions (1)

Former Member
0 Kudos

Hi Xiang,

You can encrypt/decrypt the payload using the Java Cryptographic Extension (http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html),

but I suggest you use the Bouncy Castle libraries (http://www.bouncycastle.org/), which are really easy to use, and you can find a lot of tutorials on their usage.

Here is a really well done one: http://nyal.developpez.com/tutoriel/java/bouncycastle/.

Unfortunately it is in French, but I think that Google could help you to translate it (and overall, Java code doesn't need any translation).

Hope it helps,

Kind Regards,

Sergio
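The JCE route Sergio points to, as an added example that is not part of the thread and not SAP's or Bouncy Castle's code: once the adapter has a java.security.PrivateKey (for instance from privKeyProf.getPrivateKey() above) and the matching PublicKey (from the partner's certificate), the payload can be protected with plain JCE and no extra library. An RSA key cannot encrypt a payload larger than its modulus, so the example uses hybrid encryption: a fresh AES key encrypts the XML payload with AES-GCM, and the RSA public key only wraps that AES key. The main method generates a throwaway RSA key pair and a constructed sample payload so the code runs stand-alone; the envelope layout (length-prefixed wrapped key, 12-byte nonce, ciphertext) is an assumption of this example, not a format the thread describes.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hybrid encryption of an XI payload with plain JCE (added example, not from the thread).
 * Envelope layout (assumed here): [4-byte wrapped-key length][RSA-wrapped AES key]
 *                                 [12-byte GCM nonce][AES-GCM ciphertext + 16-byte tag]
 */
public final class PayloadCrypto {
    private static final String KEY_WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final String DATA_CIPHER = "AES/GCM/NoPadding";
    private static final int NONCE_BYTES = 12;
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Side that holds only the public key, e.g. taken from the partner's certificate. */
    public static byte[] encrypt(byte[] payload, PublicKey pub) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dek = kg.generateKey();               // one data-encryption key per message

        Cipher wrap = Cipher.getInstance(KEY_WRAP);
        wrap.init(Cipher.WRAP_MODE, pub);
        byte[] wrapped = wrap.wrap(dek);                // only the 32-byte AES key goes through RSA

        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                           // fresh nonce; never reuse one under the same key
        Cipher aes = Cipher.getInstance(DATA_CIPHER);
        aes.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = aes.doFinal(payload);               // GCM appends the authentication tag

        ByteBuffer out = ByteBuffer.allocate(4 + wrapped.length + NONCE_BYTES + ct.length);
        out.putInt(wrapped.length).put(wrapped).put(nonce).put(ct);
        return out.array();
    }

    /** Side that holds the private key, e.g. privKeyProf.getPrivateKey() from the SAP key store. */
    public static byte[] decrypt(byte[] envelope, PrivateKey priv) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(envelope);
        if (in.remaining() < 4) {
            throw new IllegalArgumentException("malformed envelope");
        }
        int wrappedLen = in.getInt();
        // reject lengths that would run past the buffer or leave no room for the nonce
        if (wrappedLen <= 0 || wrappedLen > in.remaining() - NONCE_BYTES) {
            throw new IllegalArgumentException("malformed envelope");
        }
        byte[] wrapped = new byte[wrappedLen];
        in.get(wrapped);
        byte[] nonce = new byte[NONCE_BYTES];
        in.get(nonce);
        byte[] ct = new byte[in.remaining()];
        in.get(ct);

        Cipher unwrap = Cipher.getInstance(KEY_WRAP);
        unwrap.init(Cipher.UNWRAP_MODE, priv);
        SecretKey dek = (SecretKey) unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance(DATA_CIPHER);
        aes.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(TAG_BITS, nonce));
        return aes.doFinal(ct);                         // AEADBadTagException if the envelope was altered
    }

    public static void main(String[] args) throws Exception {
        // Throwaway key pair so the example runs offline; in the adapter the PrivateKey
        // comes from the key store and the PublicKey from the matching certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // constructed sample payload standing in for the XI message payload
        byte[] xml = "<order><id>4711</id><amount>100.00</amount></order>"
                .getBytes(StandardCharsets.UTF_8);
        byte[] envelope = encrypt(xml, kp.getPublic());
        byte[] back = decrypt(envelope, kp.getPrivate());
        System.out.println("round trip ok: " + Arrays.equals(xml, back));

        envelope[envelope.length - 1] ^= 0x01;          // flip one bit of the ciphertext/tag
        try {
            decrypt(envelope, kp.getPrivate());
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected, payload rejected");
        }
    }
}
```

The sender-side adapter would call encrypt() with the receiver's public key and the receiver-side adapter decrypt() with its own private key from the key store. GCM gives integrity as well as confidentiality, so a modified envelope fails at decrypt() instead of producing garbage XML for the mapping step; an RSA-only or AES-CBC-without-MAC design would not catch that.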

Former Member
0 Kudos

Hi Sergio and Satish,

thanks a lot for your advice. I'm now working in the direction you gave me.

I have another question:

When I encrypt an XML Payload of an XI Message with a public key in the adapter and send it to the XI, the XI should process it in the Integration Engine Pipeline. The steps like logical routing, receiver determination are very easy, because all these parameters are stored in the Header of the XI Message as attributes.

But how can the XI execute the Mapping program? The XI Payload is already encrypted using the public key. Then the XI must first use the private key to decrypt the payload, execute the mapping program, then use the public key again to encrypt the result. It sounds a little strange.

Thanks in advance!!

Kind Regards

Xiang

Former Member
0 Kudos

Hi Xiang,

from what you say it seems that XI is in some way in the middle of a secured communication (and by secure I mean that the data is secured and not just the communication).

So from this point of view it does not sound strange: the sender adapter will decrypt the message, XI will do the mapping and the receiver adapter will encrypt it again.

But apart from the encryption, this is the normal behaviour of adapters: the sender converts into an "XI understandable" format and the receiver converts into a "target understandable" format.

The problem is that normally I would expect XI to cipher messages that are going outside the company and to decipher messages incoming from outside, but not to decipher, do the mapping and then cipher. Which kind of scenario are you handling?

If I am properly understanding your scenario, the sender adapter ciphers a message incoming into XI. Why do you need this?

If you could give me more details I could help you a little more,

Kind Regards,

Sergio

Former Member
0 Kudos

Hi Sergio,

thanks a lot for your help. It was a misunderstanding from my side. I was a little confused with the scenario.

Actually, my adapter works only inside a company network. It sends and receives information using Remote Function Calls (IIOP). There is no need to implement the Security feature in the adapter.

From your tips, I've learned a lot about the JRA and the security implementations of XI. Thank you very much.

Kind Regards

Xiang

Answers (2)

Former Member
0 Kudos

Hi Xiang Zhang,

I have to retrieve the key from the Visual Admin Key Store for the development of XI adapters for signing and encrypting. Please guide me on how to retrieve the key from the Admin Key Store.

Regards,

Rajesh

Former Member
0 Kudos

Xiang,

We have used PGP encryption and decryption for this purpose. You will get a free trial version of this. We have installed this on our XI box and created two shell scripts, one for encryption and one for decryption. In these we have kept the public and private keys, and the script takes two parameters. The first parameter gives the file location and the second parameter tells where to keep the file after encryption or decryption.

So in XI we have created two communication channels. The first communication channel will execute this script from the OS command before message processing. So the file will be encrypted and put in another location.

Our second communication channel will pick up this encrypted file and do the FTP part.

This holds exactly true for decryption also. The only disadvantage is you will not come to know in XI if there are any errors.

If you want the error messages as well, then you have to develop a module, deploy the jar files in Visual Admin and call the adapter in the communication channel.

Hope this gives you some idea.

---Satish