on 04-11-2007 3:39 PM
Guys,
My scenario: to perform a digital signature under some specific parametrization, as requested by receiver side, I have to develop a custom digital signature application. We are trying to use XI's API for digital signature: http://help.sap.com/saphelp_nw04s/helpdata/en/4f/65c3b32107964996a56e4165077e24/frameset.htm
And also, as requested by the receiver side, the actual XML message will need to be enveloped as a string in the message definition of the WSDL (wrapped/literal mode). Hence, we can't execute the digital signature application in an adapter module (where it would be "easy" to perform it).
Hence, we need to perform the digital signature at mapping runtime, before the signed message is wrapped as a string in the wsdl message.
We have faced some problems related to the API (especially related to poor documentation), but right now we are stuck at accessing the J2EE Keystore from the Java mapping program.
Have you guys performed this before?
Any hints will be appreciated.
Regards,
Henrique.
Hi,
I have not done this type of task, but I have a couple of links that may be useful; see below.
/people/sap.user72/blog/2005/06/16/using-digital-signatures-in-xi
SAP Java Cryptographic Toolkit
http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/fb/322f41d606ef23e10000000a155106/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/45/341a2176b74002e10000000a155369/frameset.htm
Also see the below threads.
Regards
Chilla
Hi,
There is a KeyStoreManager class which is the interface to the key store service.
KeystoreManager.createKeystoreView(...)
KeystoreManager.getKeystore(...)
KeystoreManager.getProperty(...)
http://help.sap.com/saphelp_nw2004s/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm
Regards,
Bill
Let me tell you where exactly I am.
First, I tried to implement the sample code present here:
http://help.sap.com/saphelp_nw04s/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm
However, I couldn't execute that code; at runtime, I got an exception from the cast of Object (returned from InitialContext.lookup()) to KeyStoreManager.
Then, I tried to use the access method described in ConvertCRLFfromToLF.java of sample_module.rar, and it was like this:
```java
SAPSecurityResources secRes = SAPSecurityResources.getInstance();
KeyStoreManager manager = secRes.getKeyStoreManager(PermissionMode.SYSTEM_LEVEL);
```
But with this method I got an exception saying that the PermissionMode class was not available (Resource not found). I even tried importing aii_security_lib.jar into the Integration Repository, but then got a LinkageError saying that linking the PermissionMode class violated some constraints.
Any ideas?
Regards,
Henrique.
Hi,
After a closer look at the previous link, this link might be more informative:
http://help.sap.com/saphelp_nw2004s/helpdata/en/18/6197044da2a745a4d588da33e0facf/frameset.htm
All the classes and interfaces can be found in tc_sec_ssf.jar.
However, there is no sample code. Combining this with the sample code from the previous link might help.
Sorry, I cannot help more.
Regards,
Bill
Guys,
Just to let you know:
With the help of Alexandre de Sousa, I found out that the DEFAULT view won't give a permission exception during Java mapping. I installed my certificate there and it is working, for now.
Later, I'll try to investigate what permissions I'll need to give to my custom entry to let the Java mapping access it.
Thank you and kind regards,
Henrique.
PS: Also, for the Digital Signatures and Encryption API Javadocs, follow this path.
In the SAP NetWeaver Developer Studio menu, go to:
Help -> SAP Web AS Documentation -> SAP Web AS Technologies.
In the new window, go to:
SAP NetWeaver Developer Studio Documentation -> Java Development Manual -> Reference -> API Documentation -> Digital Signatures and Encryption
Henrique.
Hi Henrique,
I am trying to access the Keystore, so I wrote the code like this:
```java
SAPSecurityResources secRes = SAPSecurityResources.getInstance();
KeyStoreManager manager = secRes.getKeyStoreManager(PermissionMode.SYSTEM_LEVEL);
```
But with this method I got an exception saying that the PermissionMode class was not available (Resource not found). I even tried importing aii_security_lib.jar into the Integration Repository, but then got a LinkageError saying that linking the PermissionMode class violated some constraints.
Any ideas? Please help me.
Regards,
Venkatesh. K
Are you also accessing the KeyStore from a Java mapping/UDF?
If that's the case, don't use this code. Use the one proposed at http://help.sap.com/saphelp_nw70/helpdata/EN/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm
The .jars you need are described above in the topic.
Regards,
Henrique.
Hi Henrique,
I'm trying to do the same with XMLDigSig on a portion of an XML message in a UDF and falling over at the KeystoreManager import.
What extra steps did you go through to import keystore_api.jar? (e.g. were you bringing this in as an Imported Archive through ESB?)
Many thanks,
Aaron
This is a 5-year-old thread; I hardly remember the details of that implementation, since I left that development team long ago.
But going through my old files, this is what I was able to recall:
```java
/*
 * Created on Sep 28, 2007
 *
 * To change the template for this generated file go to
 * Window>Preferences>Java>Code Generation>Code and Comments
 */
package com.sap.xnfe.dsig.core;

import java.io.IOException;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import org.w3c.dom.Element;

import com.sap.aii.af.service.resource.SAPSecurityResources;
import com.sap.aii.security.lib.KeyStoreManager;
import com.sap.aii.security.lib.PermissionMode;
import com.sap.engine.lib.xml.signature.Constants;
import com.sap.security.core.server.ssf.SsfDataXML;
import com.sap.security.core.server.ssf.SsfInvalidAlgException;
import com.sap.security.core.server.ssf.SsfInvalidDataException;
import com.sap.security.core.server.ssf.SsfInvalidKeyException;
import com.sap.security.core.server.ssf.SsfPabKeyStore;
import com.sap.security.core.server.ssf.SsfProfileKeyStore;
import com.sap.security.core.server.ssf.SsfRefXMLInfo;
import com.sap.security.core.server.ssf.SsfRefXMLList;
import com.sap.security.core.server.ssf.SsfSigRcpList;

/**
 * @author I813314
 *
 * To change the template for this generated type comment go to
 * Window>Preferences>Java>Code Generation>Code and Comments
 */
public class XMLData {

    // InvalidXMLDataException and XMLSignatureException are checked exceptions
    // of this package; their source was not part of the post.
    private SsfDataXML data = null;

    public XMLData(Element elmt) throws InvalidXMLDataException {
        if (elmt == null) {
            throw new InvalidXMLDataException("Empty input data!");
        }
        try {
            this.data = new SsfDataXML(elmt);
        } catch (SsfInvalidDataException e) {
            throw new InvalidXMLDataException(
                "Invalid input data: " + e.getMessage());
        }
    }

    /**
     * Creates an enveloped XML signature over the element whose Id equals
     * ReferenceId, using the private key of entry KeyStoreEntry in keystore
     * view KeyStoreView, and writes the signed document to out.
     */
    public boolean sign(
            String KeyStoreView,
            String KeyStoreEntry,
            String ReferenceId,
            String sigPrefix,
            boolean checkCert,
            OutputStream out)
            throws XMLSignatureException {
        boolean res = false;

        // Create the list of references: one same-document reference ("#id")
        // with the enveloped-signature transform (the ds:Signature element is
        // excluded from the digest) followed by C14N without comments.
        String trans[] = {
            SsfRefXMLInfo.TRANS_ENVELOPED_SIGNATURE,
            SsfRefXMLInfo.TRANS_C14N_OMIT_COMMENTS };
        SsfRefXMLList refList = new SsfRefXMLList();
        refList.add(new SsfRefXMLInfo("#" + ReferenceId, trans));

        // Get the profile (private key + certificate) from the keystore service
        // of AS Java, via the Adapter Framework's SAPSecurityResources (the
        // adapter module / EJB way in; see the discussion above on using this
        // from the mapping runtime).
        SsfProfileKeyStore profile = null;
        try {
            SAPSecurityResources secRes = SAPSecurityResources.getInstance();
            KeyStoreManager manager =
                secRes.getKeyStoreManager(PermissionMode.SYSTEM_LEVEL);
            KeyStore keyStore = manager.getKeyStore(KeyStoreView);
            profile = new SsfProfileKeyStore(keyStore, KeyStoreEntry, null);
        } catch (KeyStoreException e) {
            throw new XMLSignatureException(
                "Error accessing KeyStore: " + e.getMessage());
        }

        // Optionally refuse to sign with an expired or not-yet-valid certificate
        if (checkCert) {
            String sName = null;
            try {
                X509Certificate cert = profile.getCertificate();
                sName = cert.getSubjectDN().getName();
                cert.checkValidity();
            } catch (CertificateExpiredException e) {
                throw new XMLSignatureException(
                    "Certificate for " + sName
                    + " not valid: Valid date expired.\n" + e.getMessage());
            } catch (CertificateNotYetValidException e) {
                throw new XMLSignatureException(
                    "Certificate for " + sName
                    + " not valid: Initial valid date in the future.\n"
                    + e.getMessage());
            }
        }

        // Sign the data. INC_CERT_OWN embeds the signer's own certificate in
        // ds:KeyInfo so the receiver can locate the verification key.
        try {
            if (sigPrefix == null) {
                sigPrefix = "";
            }
            // Namespace prefix for the ds:Signature element ("" = default namespace)
            Constants.setSTANDARD_PREFIX(sigPrefix);
            res = data.sign(
                null,
                refList,
                profile,
                SsfDataXML.INC_CERT_OWN,
                false,
                false);
            if (!res) {
                throw new XMLSignatureException("Creation of signature failed.");
            }
        } catch (SsfInvalidKeyException e) {
            throw new XMLSignatureException(
                "Invalid Private Key: " + e.getMessage());
        } catch (SsfInvalidAlgException e) {
            throw new XMLSignatureException(
                "Invalid Algorithm: " + e.getMessage());
        }

        // Write the signed document
        try {
            data.writeTo(out);
        } catch (IOException e) {
            throw new XMLSignatureException(
                "Error writing output data: " + e.getMessage());
        }
        return res;
    }

    /**
     * Verifies the signature(s) on the data. The certificates in keystore view
     * KeyStoreView are used as the Personal Address Book (PAB) of trusted
     * signers; if no view is given, null is passed as the PAB.
     */
    public boolean verify(String KeyStoreView) throws XMLSignatureException {
        boolean res = false;

        // List of signers or recipients (left empty here)
        SsfSigRcpList sigList = new SsfSigRcpList();

        // Get the Personal Address Book from the keystore service of AS Java
        SsfPabKeyStore pab = null;
        if (KeyStoreView != null && !KeyStoreView.equals("")) {
            try {
                SAPSecurityResources secRes =
                    SAPSecurityResources.getInstance();
                KeyStoreManager manager =
                    secRes.getKeyStoreManager(PermissionMode.SYSTEM_LEVEL);
                KeyStore keyStore = manager.getKeyStore(KeyStoreView);
                pab = new SsfPabKeyStore(keyStore);
            } catch (KeyStoreException e) {
                throw new XMLSignatureException(
                    "Error accessing KeyStore: " + e.getMessage());
            }
        }

        // Verify the data
        try {
            res = data.verify(pab, sigList);
        } catch (SsfInvalidDataException e) {
            throw new XMLSignatureException(
                "Validation of signature failed: " + e.getMessage());
        }
        return res;
    }
}
```
I do remember I was able to make it work at the mapping runtime, at a later point in time.
However, since the EJB version was already being productized, I didn't go forward with the mapping approach and now I can't find any evidence or code sample from back then.
I recall it having something to do with permissions in the KeyStore service of Visual Admin.
Check this thread in order to try to make it work:
http://scn.sap.com/thread/695058
I was able to find an even older version of the digital signature mapping, but I'm pretty sure this was not the final version I was able to make work (though I'm not sure whether I ended up changing anything at code level or just at Visual Admin configuration/permission level). Here it is, anyway.
Ah, make sure to add the library .jars to the external definition of the Java mapping, or else the mapping runtime won't be able to refer to them.
```java
/*
 * Created on Apr 13, 2007
 *
 * To change the template for this generated file go to
 * Window>Preferences>Java>Code Generation>Code and Comments
 */
package com.sap.xnfe.xi.mapping.ds;

import java.io.IOException;
import java.io.OutputStream;
import java.rmi.RemoteException;
import java.security.KeyStore;
import java.security.KeyStoreException;

import javax.naming.InitialContext;
import javax.naming.NamingException;

import org.w3c.dom.Document;

import com.sap.engine.interfaces.keystore.KeystoreManager;
import com.sap.engine.lib.xml.signature.Constants;
import com.sap.security.core.server.ssf.SsfDataXML;
import com.sap.security.core.server.ssf.SsfInvalidAlgException;
import com.sap.security.core.server.ssf.SsfInvalidKeyException;
import com.sap.security.core.server.ssf.SsfProfileKeyStore;
import com.sap.security.core.server.ssf.SsfRefXMLInfo;
import com.sap.security.core.server.ssf.SsfRefXMLList;

/**
 * @author I813314
 *
 * To change the template for this generated type comment go to
 * Window>Preferences>Java>Code Generation>Code and Comments
 */
public class XMLSigner {

    // XMLSignerException is a checked exception of this package; its source
    // was not part of the post.
    private Document doc = null;
    private String signId = null;

    public XMLSigner(Document doc, String signId) throws XMLSignerException {
        this.doc = doc;
        if (doc == null) {
            throw new XMLSignerException("Empty Document!");
        }
        this.signId = signId;
        if (signId == null) {
            throw new XMLSignerException("Empty Id!");
        }
    }

    /**
     * Signs the document element with an enveloped signature whose reference
     * is "#signId" and writes the signed document to out. profileRef selects
     * the keystore entry (see getProfile).
     */
    public boolean sign(String profileRef, OutputStream out)
            throws XMLSignerException {
        boolean res = false;

        // Create the SSF data object and the reference list (enveloped-signature
        // transform, then C14N without comments)
        SsfDataXML data = null;
        SsfRefXMLList refList = null;
        try {
            data = new SsfDataXML(doc.getDocumentElement());
            String trans[] = {
                SsfRefXMLInfo.TRANS_ENVELOPED_SIGNATURE,
                SsfRefXMLInfo.TRANS_C14N_OMIT_COMMENTS };
            refList = new SsfRefXMLList();
            refList.add(new SsfRefXMLInfo("#" + signId, trans));
        } catch (Exception e) {
            throw new XMLSignerException(e.getMessage());
        }

        // Resolve the signing profile from the keystore service
        SsfProfileKeyStore profile = null;
        try {
            profile = getProfile(profileRef);
        } catch (NamingException e) {
            throw new XMLSignerException(
                "Error accessing Initial Context: " + e.getMessage());
        } catch (RemoteException e) {
            throw new XMLSignerException(
                "Error accessing KeyStore View: " + e.getMessage());
        } catch (KeyStoreException e) {
            // The posted version threw an unchecked SecurityException here;
            // report it like the other keystore failures instead.
            throw new XMLSignerException(
                "Error accessing KeyStore Entry: " + e.getMessage());
        }

        // Sign the data (INC_CERT_OWN embeds the signer's certificate in ds:KeyInfo)
        try {
            Constants.setSTANDARD_PREFIX("");
            res = data.sign(
                null,
                refList,
                profile,
                SsfDataXML.INC_CERT_OWN,
                false,
                false);
            if (!res) {
                throw new XMLSignerException("Creation of signature failed.");
            }
        } catch (SsfInvalidKeyException e) {
            throw new XMLSignerException(e.getMessage());
        } catch (SsfInvalidAlgException e) {
            throw new XMLSignerException(e.getMessage());
        }

        // Write the signed data
        try {
            data.writeTo(out);
        } catch (IOException e) {
            throw new XMLSignerException(
                "Error writing signed data: " + e.getMessage());
        }
        return res;
    }

    /**
     * Looks up the keystore service via JNDI and resolves profileRef to a
     * keystore entry: the properties of the DEFAULT view map the reference
     * (a CNPJ, the Brazilian company tax id) to the alias of the signing key.
     */
    private SsfProfileKeyStore getProfile(String profileRef)
            throws NamingException, RemoteException, KeyStoreException {
        InitialContext ctx = null;
        KeystoreManager manager = null;
        String keyStoreView = "DEFAULT";
        String keyStoreEntry = null;
        KeyStore keyStore = null;
        SsfProfileKeyStore profile = null;

        ctx = new InitialContext();
        manager = (KeystoreManager) ctx.lookup("keystore");
        keyStoreEntry =
            manager.getKeystoreViewProperties(keyStoreView).getProperty(
                profileRef);
        if (keyStoreEntry == null || keyStoreEntry.equals("")) {
            throw new KeyStoreException("No KeyStore entry matches this CNPJ.");
        }
        keyStore = manager.getKeystore(keyStoreView);
        profile = new SsfProfileKeyStore(keyStore, keyStoreEntry, null);
        return profile;
    }
}
```
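As an added example (not part of this thread and not Henrique's code), here is how the XMLSigner class above could be driven from a Java mapping and its output enveloped as a string, which is the wrapped/literal requirement from the first post: the signed payload is serialized and inserted as the text content of a single wrapper element. The following are assumptions made for the example: the wrapper namespace and element name, the mapping parameter names profileRef and signId, that SsfDataXML.writeTo emits UTF-8, and that XMLSigner and XMLSignerException are in the same imported archive as this class.

```java
// Added example: sign the inbound payload with XMLSigner (posted above) and
// wrap the signed XML as a string element. Names marked "assumption" are
// invented for this example and are not from the thread.
package com.sap.xnfe.xi.mapping.ds;

import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Map;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

import com.sap.aii.mapping.api.StreamTransformation;
import com.sap.aii.mapping.api.StreamTransformationException;

public class SignAndWrapMapping implements StreamTransformation {

    private static final String WRAPPER_NS = "urn:example:wrapped";  // assumption
    private static final String WRAPPER_ELEMENT = "SignedMessage";   // assumption
    private static final String PARAM_PROFILE_REF = "profileRef";    // assumption
    private static final String PARAM_SIGN_ID = "signId";            // assumption

    private Map param;

    public void setParameter(Map param) {
        this.param = param;
    }

    public void execute(InputStream in, OutputStream out)
            throws StreamTransformationException {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // Namespace awareness is mandatory: C14N and the enveloped-signature
            // transform must see the payload's real namespaces, otherwise the
            // digest computed here will not match what the receiver computes.
            dbf.setNamespaceAware(true);
            // The payload is sender-controlled. At minimum do not expand entity
            // references; disable DOCTYPE/external entities too where the
            // platform parser exposes those features (not shown here).
            dbf.setExpandEntityReferences(false);
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document payload = db.parse(in);

            String profileRef = (String) param.get(PARAM_PROFILE_REF);
            String signId = (String) param.get(PARAM_SIGN_ID);
            if (profileRef == null || signId == null) {
                throw new StreamTransformationException(
                    "Mapping parameters " + PARAM_PROFILE_REF + " and "
                    + PARAM_SIGN_ID + " are required");
            }

            // Sign in place; XMLSigner serializes the signed document for us.
            ByteArrayOutputStream signed = new ByteArrayOutputStream();
            new XMLSigner(payload, signId).sign(profileRef, signed);

            // Wrapped/literal: the signed XML travels as the text content of one
            // element. Inserting it as a text node (not a parsed fragment) makes
            // the serializer escape '<' and '&', so the bytes the receiver
            // unescapes are exactly the bytes that were signed.
            Document wrapper = db.newDocument();
            Element root = wrapper.createElementNS(WRAPPER_NS, WRAPPER_ELEMENT);
            // assumption: SsfDataXML.writeTo emitted UTF-8
            root.appendChild(wrapper.createTextNode(signed.toString("UTF-8")));
            wrapper.appendChild(root);

            Transformer t = TransformerFactory.newInstance().newTransformer();
            t.transform(new DOMSource(wrapper), new StreamResult(out));
        } catch (StreamTransformationException e) {
            throw e;
        } catch (XMLSignerException e) {
            throw new StreamTransformationException(
                "Signing failed: " + e.getMessage());
        } catch (Exception e) {
            throw new StreamTransformationException(
                "Sign-and-wrap mapping failed: " + e.getMessage());
        }
    }
}
```

Two things to check before using this: the element that carries signId must be present in the payload with an ID-type attribute, or the same-document reference "#signId" cannot be resolved; and profileRef must be listed as a property of the DEFAULT view (mapping the reference to the entry alias), which is what getProfile above looks up. On releases whose mapping runtime does not hand custom parameters to setParameter, the profile reference has to be derived from the payload instead.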