Problem using Keystore service

Former Member
0 Kudos

Hi,

I want to use the keystore service to establish an SSL connection from the Web AS to another webserver.

As I read in the JavaDocs, I have to use a SecurityConnector to grant code permissions. After doing this I can create a SecureConnectionFactory which uses a Keystore view.

When I try to grant the code permissions I get the following error.

Does anyone know what this means?

Thanks in advance

Helmut

java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Grant code permissions for domain[local/VW_IDM_WDP/webdynpro/public/classes] and params [{GET_VIEW * * }] failed!
    at com.sap.engine.services.keystore.impl.RemoteSecurityConnectorImpl.grantCodePermission(RemoteSecurityConnectorImpl.java:77)
    at com.sap.engine.services.keystore.interfaces.RemoteSecurityConnector_Stub.grantCodePermission(RemoteSecurityConnector_Stub.java:193)
    at com.vw.idm.ejb.IDM_KVSBean.kvsSecureConnFactory(IDM_KVSBean.java:170)
    at com.vw.idm.ejb.IDM_KVSObjectImpl0.kvsSecureConnFactory(IDM_KVSObjectImpl0.java:281)
    at com.vw.idm.ejb.IDM_KVS_Stub.kvsSecureConnFactory(IDM_KVS_Stub.java:205)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sap.engine.services.webservices.runtime.EJBImplementationContainer.invokeMethod(EJBImplementationContainer.java:99)
    at com.sap.engine.services.webservices.runtime.RuntimeProcessor.process(RuntimeProcessor.java:145)
    at com.sap.engine.services.webservices.runtime.RuntimeProcessor.process(RuntimeProcessor.java:67)
    at com.sap.engine.services.webservices.runtime.servlet.ServletDispatcherImpl.doPost(ServletDispatcherImpl.java:92)
    at SoapServlet.doPost(SoapServlet.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:373)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:250)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:319)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:297)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:696)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:221)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:146)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:37)
    at com.sap.engine.core.cluster.impl6.session.UnorderedChannel$MessageRunner.run(UnorderedChannel.java:71)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized!
    at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
    at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:615)
    at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:505)
    at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
    at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java:128)
    at com.sap.engine.services.security.domains.ProtectionDomainsRuntime.grantPermission(ProtectionDomainsRuntime.java:151)
    at com.sap.engine.services.security.server.ProtectionDomainContextImpl.grantPermission(ProtectionDomainContextImpl.java:59)
    at com.sap.engine.services.keystore.impl.RemoteSecurityConnectorImpl.grantCodePermission(RemoteSecurityConnectorImpl.java:75)
    ... 29 more

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi

Did you get it working? I have the same problem.

Thanks

Theo

Former Member
0 Kudos

Hi Helmut,

You need a specific authority (role) to create keystore views. I'm not sure if this is also true for getting KS views. Looking at the exception, it seems to be an authorization problem: is the caller authorized (e.g. non-anonymous)?

Just an idea.

Best regards

Stefan

Former Member
0 Kudos

Hello,

I have a very nasty security problem accessing the "keystore" service from within a resource adapter application.

I have created a view holding my certificates and private keys and the idea is to use this "keystore" service to access these objects. I need them in my adaptor.

The result is that I can look up the service - no problem with that.

I check if my view is available using KeyStoreManager.existKeystoreView(viewName); the result of this is true - my view exists, but when I make this call KeyStoreManager.getKeystore(viewName); I get this nasty exception:

java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException:
    at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)
    at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:707)
    at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201)
    at com.seeburger.ksm.xi.source.XIRepositorySourceProvider.getRepository(XIRepositorySourceProvider.java:154)
    at com.seeburger.ksm.cryptoapi.impl.CryptoApi.getCertificate(CryptoApi.java:265)
    at com.seeburger.ediint.util.cert.SimpleKeyManager.getCertificate(SimpleKeyManager.java:75)
    at com.seeburger.as1.tasks.AS1MessageComposer.getEDIMessageBuilderConfig(AS1MessageComposer.java:259)
    at com.seeburger.as1.tasks.AS1MessageComposer.compose(AS1MessageComposer.java:126)
    at com.seeburger.as1.tasks.AS1MessageComposer.compose(AS1MessageComposer.java:100)
    at com.seeburger.as1.AS1Processor.sendAs1(AS1Processor.java:249)
    at com.seeburger.as1.AS1Processor.execute(AS1Processor.java:179)
    at com.seeburger.frame.FrameWork.syncNewData(FrameWork.java:805)
    at com.seeburger.xi.as1mail.frame.AS1Processor.execute(AS1Processor.java:66)
    at com.seeburger.xi.as1mail.frame.XIProcessor.call(XIProcessor.java:112)
    at com.seeburger.xi.as1mail.ra.CCIInteraction.call(CCIInteraction.java:200)
    at com.seeburger.xi.as1mail.ra.CCIInteraction.execute(CCIInteraction.java:107)
    at com.sap.aii.af.endpoint.ModuleProcessorExitBean.process(ModuleProcessorExitBean.java:203)
    at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0.process(ModuleLocalLocalObjectImpl0.java:116)
    at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:197)
    at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:116)
    at com.sap.aii.af.listener.AFWListenerBean.onMessage(AFWListenerBean.java:178)
    at com.sap.aii.af.listener.AFWListenerLocalObjectImpl0.onMessage(AFWListenerLocalObjectImpl0.java:120)
    at com.sap.aii.af.ra.ms.impl.ServicesImpl.deliver(ServicesImpl.java:243)
    at com.sap.aii.af.ra.ms.impl.protocol.xi.XIEventHandler.onDeliver(XIEventHandler.java:708)
    at com.sap.aii.af.ra.ms.impl.core.queue.RequestConsumer.onMessage(RequestConsumer.java:100)
    at com.sap.aii.af.ra.ms.impl.core.queue.Queue.run(Queue.java:399)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: checkPermissions() for [{GET_VIEW xxxKeystore }] failed!
    at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:297)
    at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:33)
    at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)
    ... 29 more
Caused by: java.security.KeyStoreException: java.security.AccessControlException: access denied
    at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:702)
    at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:228)
    ... 31 more

Obviously it is a security problem with lacking GET_VIEW permissions.

But how to set a GET_VIEW permission to this view so my resource adapter can access the content?

I did the following: I went to

EngineAdmin->Server->Services->Key Storage

I selected the repository tab and I see that I can grant permissions to the available domains. So I do so - I grant GET_VIEW permission to all domains I can associate with my application, the result is the same.

What am I missing?

Please help

Former Member
0 Kudos

Try this:

EngineAdmin->Server->Services->Security Provider

Select your Keystore view and go to the Security Roles tab, select the role view-creator and add your user/group.
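
A triage helper for the two traces posted in this thread, as an added example that is not part of any post and is not SAP code: it extracts the innermost cause, the requested permission and the first non-platform frame. Labelling "Caller not authorized" as a check on the calling user and `AccessControlException` as a code-based check is an assumption read from the class names in the traces; `triage` and its label names are hypothetical.

```python
import re

# Abridged copies of the two traces posted in the thread (most frames trimmed).
TRACE_GRANT = """\
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Grant code permissions for domain[local/VW_IDM_WDP/webdynpro/public/classes] and params [{GET_VIEW * * }] failed!
at com.sap.engine.services.keystore.impl.RemoteSecurityConnectorImpl.grantCodePermission(RemoteSecurityConnectorImpl.java:77)
at com.vw.idm.ejb.IDM_KVSBean.kvsSecureConnFactory(IDM_KVSBean.java:170)
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized!
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
"""
TRACE_GET = """\
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException:
at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)
at com.seeburger.ksm.xi.source.XIRepositorySourceProvider.getRepository(XIRepositorySourceProvider.java:154)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: checkPermissions() for [{GET_VIEW xxxKeystore }] failed!
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:297)
Caused by: java.security.KeyStoreException: java.security.AccessControlException: access denied
at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:702)
"""

# Package prefixes treated as platform code rather than application code.
PLATFORM = ("com.sap.", "java.", "javax.", "sun.")

def triage(trace):
    """Summarise a keystore-service trace: root cause, permission, calling code."""
    lines = [l.strip() for l in trace.splitlines() if l.strip()]
    # The last "Caused by:" is the innermost failure; fall back to the first line.
    causes = [l[len("Caused by: "):] for l in lines if l.startswith("Caused by: ")]
    root = causes[-1] if causes else lines[0]
    perm = re.search(r"\[\{(\w+)\s+([^}]*?)\s*\}\]", trace)   # e.g. [{GET_VIEW * * }]
    domain = re.search(r"domain\[([^\]]+)\]", trace)
    frames = [l[3:] for l in lines if l.startswith("at ")]
    caller = next((f for f in frames if not f.startswith(PLATFORM)), None)
    # Assumption: these labels are inferred from the messages in the traces.
    if "AccessControlException" in root:
        kind = "code-based"   # check against the calling code's protection domain
    elif "not authorized" in root:
        kind = "caller"       # check against the calling user's authorization
    else:
        kind = "unknown"
    return {"kind": kind, "root": root,
            "permission": perm.group(1) if perm else None,
            "target": perm.group(2) if perm else None,
            "domain": domain.group(1) if domain else None,
            "caller": caller}
```
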