on 06-07-2004 10:25 AM
Hi,
I want to use the keystore service to establish an SSL connection from the Web AS to another webserver.
As I read in the JavaDocs, I have to use a SecurityConnector to grant code permissions. After doing this I can create a SecureConnectionFactory which uses a keystore view.
When I try to grant the code permissions I get the following error.
Does anyone know what this means?
Thanks in advance
Helmut
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Grant code permissions for domain[local/VW_IDM_WDP/webdynpro/public/classes] and params [{GET_VIEW * * }] failed!
at com.sap.engine.services.keystore.impl.RemoteSecurityConnectorImpl.grantCodePermission(RemoteSecurityConnectorImpl.java:77)
at com.sap.engine.services.keystore.interfaces.RemoteSecurityConnector_Stub.grantCodePermission(RemoteSecurityConnector_Stub.java:193)
at com.vw.idm.ejb.IDM_KVSBean.kvsSecureConnFactory(IDM_KVSBean.java:170)
at com.vw.idm.ejb.IDM_KVSObjectImpl0.kvsSecureConnFactory(IDM_KVSObjectImpl0.java:281)
at com.vw.idm.ejb.IDM_KVS_Stub.kvsSecureConnFactory(IDM_KVS_Stub.java:205)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.sap.engine.services.webservices.runtime.EJBImplementationContainer.invokeMethod(EJBImplementationContainer.java:99)
at com.sap.engine.services.webservices.runtime.RuntimeProcessor.process(RuntimeProcessor.java:145)
at com.sap.engine.services.webservices.runtime.RuntimeProcessor.process(RuntimeProcessor.java:67)
at com.sap.engine.services.webservices.runtime.servlet.ServletDispatcherImpl.doPost(ServletDispatcherImpl.java:92)
at SoapServlet.doPost(SoapServlet.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:373)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:250)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:319)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:297)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:696)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:221)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:146)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:37)
at com.sap.engine.core.cluster.impl6.session.UnorderedChannel$MessageRunner.run(UnorderedChannel.java:71)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized!
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:615)
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:505)
at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java:128)
at com.sap.engine.services.security.domains.ProtectionDomainsRuntime.grantPermission(ProtectionDomainsRuntime.java:151)
at com.sap.engine.services.security.server.ProtectionDomainContextImpl.grantPermission(ProtectionDomainContextImpl.java:59)
at com.sap.engine.services.keystore.impl.RemoteSecurityConnectorImpl.grantCodePermission(RemoteSecurityConnectorImpl.java:75)
... 29 more
Hi
Did you get it working? I have the same problem.
Thanks
Theo
Hi Helmut,
You need a specific authority (role) to create keystore views. I'm not sure if this is also true for getting KS views. Looking at the exception, it seems to be an authorization problem; is the caller authorized (e.g. non-anonymous)?
Just an idea.
Best regards
Stefan
Hello,
I have a very nasty security problem accessing the "keystore" service from within a resource adapter application.
I have created a view holding my certificates and private keys, and the idea is to use this "keystore" service to access these objects. I need them in my adapter.
The result is that I can look up the service - no problem with that.
I check if my view is available using KeyStoreManager.existKeystoreView(viewName); the result of this is true - my view exists. But when I make this call, KeyStoreManager.getKeystore(viewName);, I get this nasty exception:
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException:
at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)
at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:707)
at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201)
at com.seeburger.ksm.xi.source.XIRepositorySourceProvider.getRepository(XIRepositorySourceProvider.java:154)
at com.seeburger.ksm.cryptoapi.impl.CryptoApi.getCertificate(CryptoApi.java:265)
at com.seeburger.ediint.util.cert.SimpleKeyManager.getCertificate(SimpleKeyManager.java:75)
at com.seeburger.as1.tasks.AS1MessageComposer.getEDIMessageBuilderConfig(AS1MessageComposer.java:259)
at com.seeburger.as1.tasks.AS1MessageComposer.compose(AS1MessageComposer.java:126)
at com.seeburger.as1.tasks.AS1MessageComposer.compose(AS1MessageComposer.java:100)
at com.seeburger.as1.AS1Processor.sendAs1(AS1Processor.java:249)
at com.seeburger.as1.AS1Processor.execute(AS1Processor.java:179)
at com.seeburger.frame.FrameWork.syncNewData(FrameWork.java:805)
at com.seeburger.xi.as1mail.frame.AS1Processor.execute(AS1Processor.java:66)
at com.seeburger.xi.as1mail.frame.XIProcessor.call(XIProcessor.java:112)
at com.seeburger.xi.as1mail.ra.CCIInteraction.call(CCIInteraction.java:200)
at com.seeburger.xi.as1mail.ra.CCIInteraction.execute(CCIInteraction.java:107)
at com.sap.aii.af.endpoint.ModuleProcessorExitBean.process(ModuleProcessorExitBean.java:203)
at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0.process(ModuleLocalLocalObjectImpl0.java:116)
at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:197)
at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:116)
at com.sap.aii.af.listener.AFWListenerBean.onMessage(AFWListenerBean.java:178)
at com.sap.aii.af.listener.AFWListenerLocalObjectImpl0.onMessage(AFWListenerLocalObjectImpl0.java:120)
at com.sap.aii.af.ra.ms.impl.ServicesImpl.deliver(ServicesImpl.java:243)
at com.sap.aii.af.ra.ms.impl.protocol.xi.XIEventHandler.onDeliver(XIEventHandler.java:708)
at com.sap.aii.af.ra.ms.impl.core.queue.RequestConsumer.onMessage(RequestConsumer.java:100)
at com.sap.aii.af.ra.ms.impl.core.queue.Queue.run(Queue.java:399)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: checkPermissions() for [{GET_VIEW xxxKeystore }] failed!
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:297)
at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:33)
at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)
... 29 more
Caused by: java.security.KeyStoreException: java.security.AccessControlException: access denied
at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:702)
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:228)
... 31 more
Obviously it is a security problem with lacking GET_VIEW permissions.
But how do I set a GET_VIEW permission on this view so my resource adapter can access the content?
I did the following: I went to
EngineAdmin->Server->Services->Key Storage
I selected the repository tab and I see that I can grant permissions to the available domains. So I do so - I grant GET_VIEW permission to all domains I can associate with my application, the result is the same.
What am I missing?
Please help
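A triage helper for traces like the two posted in this thread, added here as an example and not taken from any poster's code or from SAP: it walks the "Caused by" chain, pulls out the permission and domain named in the messages, and reports which check refused the call. The sample traces are abbreviated copies constructed from the posts, and the two layer labels are an assumption inferred only from the class names visible in those traces.

```python
import re

# Constructed input: abbreviated copies of the two traces posted in this thread.
GRANT_TRACE = """\
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Grant code permissions for domain[local/VW_IDM_WDP/webdynpro/public/classes] and params [{GET_VIEW * * }] failed!
at com.sap.engine.services.keystore.impl.RemoteSecurityConnectorImpl.grantCodePermission(RemoteSecurityConnectorImpl.java:77)
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized!
at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
"""
GETVIEW_TRACE = """\
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException:
at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: checkPermissions() for [{GET_VIEW xxxKeystore }] failed!
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:297)
Caused by: java.security.KeyStoreException: java.security.AccessControlException: access denied
at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:702)
"""

HEAD = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error))(?::\s*(.*))?$")
FRAME = re.compile(r"^\s*at ([\w.$]+)\(")
PERM = re.compile(r"\[\{(\w+)\s+([^}]*?)\s*\}\]")   # e.g. [{GET_VIEW * * }]
DOMAIN = re.compile(r"domain\[([^\]]+)\]")

def triage(trace):
    """Return the root cause, the permission being checked and the refusing layer."""
    chain = []  # one entry per exception in the cause chain, outermost first
    for line in trace.splitlines():
        head, frame = HEAD.match(line), FRAME.match(line)
        if head:
            chain.append({"type": head.group(1), "msg": head.group(2) or "", "top": None})
        elif frame and chain and chain[-1]["top"] is None:
            chain[-1]["top"] = frame.group(1)  # frame that threw this exception
    root = chain[-1]
    top = root["top"] or ""
    perm, dom = PERM.search(trace), DOMAIN.search(trace)
    # Assumption: the layer is inferred from class names seen in the traces only.
    if "CodeBasedSecurityConnector" in top:
        layer = "code-based"            # check against the calling code's domain
    elif ".services.security.resource." in top:
        layer = "caller-authorization"  # check against the calling identity
    else:
        layer = "unknown"
    return {"root": root["type"], "root_msg": root["msg"], "layer": layer,
            "action": perm.group(1) if perm else None,
            "target": perm.group(2) if perm else None,
            "domain": dom.group(1) if dom else None}
```

Run over both traces, it separates the first post's failure (the grant call itself was refused for the caller) from the third post's (the GET_VIEW check on the named view was refused for the calling code), which is the distinction that decides where to look next.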