on 02-12-2014 8:15 PM
Dear Experts,
I have a requirement to sign the input payload, base64-encode it and assign it to one string called "strSignature"; the same payload then just needs to be base64-encoded and assigned to another string called "strXmldata". Finally both strings, containing the signed and the base64-encoded data, should be sent to the bank in the HTTP body of the output payload. Please keep in mind this is not an XML digital signature; below are the details of the input and the desired output structure.
Input payload
<?xml version="1.0"?>
<PaymentMessage>
<PaymentTransaction>
<CompanyCode>PARTNER01</CompanyCode>
<SequenceNum>132180</SequenceNum>
<TransactionData>:20:2000000058
:32A:020112SAR888,00
:50:SAUDI ARABIAN OIL COMPANY
BOX 5000
DHAHRAN
</TransactionData>
<TransactionComment> comments</TransactionComment>
</PaymentTransaction>
</PaymentMessage>
Desired Output Payload
strSignature = "Signed and base64 encoded whole input payload" & strXmldata = "Base64 encoded whole input payload"
Where I am standing
So far I have written the Java mapping code below, based on the SAP Help example using SSF, to access the certificate and keys from Java and sign the data. Currently I have only the development system, where the CA-signed certificate has not been installed and SSL has not been enabled.
Code
package com.javamapping;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.naming.InitialContext;
import sun.misc.BASE64Encoder;
import com.sap.aii.mapping.api.AbstractTransformation;
import com.sap.aii.mapping.api.StreamTransformationException;
import com.sap.aii.mapping.api.TransformationInput;
import com.sap.aii.mapping.api.TransformationOutput;
import com.sap.aii.utilxi.core.io.IOUtil;
import com.sap.engine.interfaces.keystore.KeystoreManager;
import com.sap.security.api.ssf.ISsfData;
import com.sap.security.core.server.ssf.SsfDataPKCS7;
import com.sap.security.core.server.ssf.SsfProfileKeyStore;

public class GetBase64EncodedParameter extends AbstractTransformation {

    public void transform(TransformationInput input, TransformationOutput output)
            throws StreamTransformationException {
        try {
            // sun.misc.BASE64Encoder is an internal JDK class; it inserts a line
            // break after every 76 characters of output.
            BASE64Encoder encoder = new BASE64Encoder();
            // Read the payload exactly once; the stream cannot be consumed twice
            // and must not be closed before it has been read.
            InputStream inputStream = input.getInputPayload().getInputStream();
            String strFlatData = IOUtil.copyToString(inputStream, "UTF-8");
            inputStream.close();
            byte[] payloadBytes = strFlatData.getBytes("UTF-8");
            String base64EncodedData = encoder.encode(payloadBytes);
            // Sign exactly the same bytes that were base64-encoded above
            byte[] signedDataBytes = getSignedDataStream(new ByteArrayInputStream(payloadBytes));
            String base64EncodedSignedData = encoder.encode(signedDataBytes);
            String httpBodyString = "strXmlData=" + base64EncodedData + "&strSignature=" + base64EncodedSignedData;
            output.getOutputPayload().getOutputStream().write(httpBodyString.getBytes("UTF-8"));
        } catch (Exception e) {
            // Fail the mapping visibly instead of silently emitting an empty payload
            throw new StreamTransformationException("Signing/encoding of payload failed", e);
        }
    }

    // Wraps the payload in a PKCS#7 signed-data structure using the private key
    // stored in the server keystore, and returns the DER-encoded result.
    private byte[] getSignedDataStream(InputStream inputStream) throws Exception {
        ISsfData data = new SsfDataPKCS7(inputStream);
        InitialContext ctx = new InitialContext();
        KeystoreManager manager = (KeystoreManager) ctx.lookup("keystore");
        // "DEFAULT" is the key storage view name in NWA
        KeyStore keyStore = manager.getKeystore("DEFAULT");
        // "sign_test" is the alias of the private-key entry used for signing
        String alias = "sign_test";
        SsfProfileKeyStore profile = new SsfProfileKeyStore(keyStore, alias, null);
        data.sign(profile);
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        data.writeTo(baos);
        return baos.toByteArray();
    }
}
Questions
1- What are "DEFAULT" and "alias"? Do I need to replace them after the actual certificate is installed on the PI server? Are they related to the name we give the certificate (signed by the CA) while installing it?
2- The code is error free. However, do you think my code will work for my requirement, more specifically accessing the keystore from Java? If not, please provide your valuable input based on my requirement. I need your help; I am not much of an expert in Java.
3- On the PI server under "Entry Import" only two entry types (PKCS#12 and PKCS#8 Key Pair) are available, but I need to use PKCS#7. Can I use PKCS#8 instead? Is it related to the certificate?
4- Can I test my code now without the actual certificate installed on the PI server? Can I install some trial certificate, e.g. VeriSign? If yes, which one can I use from the default available certificates?
5- While installing the certificate, is it mandatory to put it under "TrustedCAs" on the PI server if we are using a certificate signed by a CA?
Thanks,
Farhan
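The mapping above joins the two base64 strings straight into the HTTP body with "=" and "&". The following is an added example, not code from the post or from SAP's libraries, showing in Python why a receiver that parses the body as a form (application/x-www-form-urlencoded, an assumption about the bank side) recovers different bytes from the concatenated body than from a percent-encoded one; the payload and the signature stand-in are constructed sample values.

```python
"""Added example (not from the original post or SAP libraries): why the two
base64 values must be percent-encoded before they are joined with '=' and '&'."""
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Constructed sample payload (mirrors the PaymentMessage structure in the post).
PAYLOAD = (b'<?xml version="1.0"?>\n<PaymentMessage><PaymentTransaction>'
           b'<CompanyCode>PARTNER01</CompanyCode><SequenceNum>132180</SequenceNum>'
           b'</PaymentTransaction></PaymentMessage>\n')
# Constructed stand-in for the PKCS#7 blob, chosen so its base64 contains '+'.
FAKE_SIGNATURE = bytes(range(0xF8, 0x100)) * 6

def mime_b64(data: bytes) -> str:
    """Base64 with a line break every 76 chars, like sun.misc.BASE64Encoder."""
    return base64.encodebytes(data).decode("ascii").rstrip("\n")

def naive_body(xml: bytes, sig: bytes) -> str:
    """Body built by plain string concatenation, as in the posted mapping."""
    return "strXmlData=" + mime_b64(xml) + "&strSignature=" + mime_b64(sig)

def safe_body(xml: bytes, sig: bytes) -> str:
    """Single-line base64, each value percent-encoded ('+' -> %2B, '=' -> %3D)."""
    return urlencode({"strXmlData": base64.b64encode(xml).decode("ascii"),
                      "strSignature": base64.b64encode(sig).decode("ascii")})

def receiver_decode(body: str) -> dict:
    """What a bank-side form parser recovers from the body, field by field.

    parse_qs applies form decoding: '+' becomes a space and CR/LF survive,
    so a non-encoded base64 value no longer decodes; None marks that case."""
    fields = parse_qs(body, keep_blank_values=True)
    out = {}
    for name in ("strXmlData", "strSignature"):
        value = fields.get(name, [""])[0]
        try:
            out[name] = base64.b64decode(value, validate=True)
        except binascii.Error:
            out[name] = None
    return out

def round_trips(body: str) -> bool:
    """True only if the receiver gets back exactly the bytes that were signed."""
    got = receiver_decode(body)
    return got["strXmlData"] == PAYLOAD and got["strSignature"] == FAKE_SIGNATURE
```

A signature that is valid on the sender is reported as invalid by the bank if the payload bytes are altered in transit by form decoding, so the body built by naive_body fails the round trip while safe_body passes.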
Hi Farhan -
Please find answers to some of your questions below -
1. Yes. You will need to replace the KeyStore name and alias in the code with the actual Key Storage View name and private key name in NWA. Go to NWA ->Configuration->Security->Certificate and Keys for details.
2. Your code looks close to your requirement, but would need some tweaking. I had previously used the class SsfDataXML for a similar requirement (instead of SsfDataPKCS7) and could extract the signature from the element "SignatureValue". The signature section of the signed document will look like this:
<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>G4CH8UQu3+aDhZL8IlKHjrCRrbw=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>MBZ3jTFnW2zWGFibB226H20DwXZsUqj0=</ds:SignatureValue>
<ds:KeyInfo>
  <ds:KeyName></ds:KeyName>
  <ds:X509Data>
    <ds:X509Certificate></ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
3. I didn't have an issue in using a certificate in PKCS#8 format.
4. You would need a sample certificate to test your code. You could try with any of the default certificates in your key store.
5. You can put your signed certificate in any key store.
Regards,
Sameej
Hi Sameej,
Thanks a lot for the answers. I have already tested my above-mentioned code and it is working as per my requirement. I will just add a few points for answer number 2: you have mentioned XML signature tags, but in my case this is not an XML signature; consequently I have used ISsfData. I will write a step-by-step blog for this.
Output of my Code
Hi Farhan,
Answer for
3. You can convert the PKCS#7 format to PKCS#12 with
SSL Converter: https://www.sslshopper.com/ssl-converter.html
You can also use the OpenSSL utility to convert the certificate into different formats.
Please check this for the OpenSSL utility: http://www.symantec.com/business/support/index?page=content&id=TECH179207
For loading certificates into NWA please check this:
For generating keys with OpenSSL and also with PuTTY check this: Generating SSH Keys for SFTP Adapters - Type 1 - Process Integration - SCN Wiki
4. If I am not wrong, for testing purposes we can use our own dummy certificates available on the web.
5. Certificates are to be imported under the TrustedCAs entry only.
For all these activities we generally need admin roles; you had better take help from the BASIS team to avoid any unwanted activities on the PI server.
I hope these links help you get some idea of certificates and keys on the PI server.
Regards
Raj
Hi Former Member
I am trying to sign the message using the SHA1 algorithm in a Java mapping and I want to use your code. But I don't have the libraries below. Can you please tell me where we can get them?
import com.sap.aii.utilxi.core.io.IOUtil;
import com.sap.engine.interfaces.keystore.KeystoreManager;
import com.sap.security.api.ssf.ISsfData;
import com.sap.security.core.server.ssf.SsfDataPKCS7;
import com.sap.security.core.server.ssf.SsfProfileKeyStore;
Regards,
Nitin Deshpande
Dear Moderators/Experts,
I apologize for violating the rules of engagement. I was not aware of this; my intention is just to get my answer.
I posted this thread last night, however I am still looking for the answers to my queries. Please help me.
Thanks,
Farhan
Dear experts,
Please provide your valuable input for the above queries. Please help me, I am the only PI resource on the client site.
Thanks,
Farhan