
Digital signature using SSF and accessing certificate and keys from keystore at mapping level

Former Member
0 Kudos

Dear Experts,

I have a requirement to sign the input payload, encode it to base64 and assign it to a string called "strsignature"; the same payload I just need to encode to base64 and assign to another string called "strXmldata". Finally, both strings, containing the signed and base64-encoded data in the output payload, should be sent to the bank in the HTTP body. Please keep in mind this is not XML digital signature; below are the details of the input and desired output structure.

Input payload

<?xml version="1.0"?>
<PaymentMessage>
   <PaymentTransaction>
     <CompanyCode>PARTNER01</CompanyCode>
     <SequenceNum>132180</SequenceNum>
     <TransactionData>:20:2000000058
:32A:020112SAR888,00
:50:SAUDI ARABIAN OIL COMPANY
BOX 5000
DHAHRAN
  </TransactionData>
    <TransactionComment> comments</TransactionComment>
  </PaymentTransaction>
</PaymentMessage>


Desired Output Payload

strSignature = "Signed and base64 encoded whole input payload" & strXmldta = "Base64encoded whole input payload"

Where I am standing

So far I have written the below Java mapping code from the SAP help example using SSF to access the certificate and keys in Java and sign the data. Currently I have only the development system, where the signed certificate from the CA has not been installed and SSL has not been enabled.

Code

package com.javamapping;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.naming.InitialContext;
import sun.misc.BASE64Encoder;
import com.sap.aii.mapping.api.AbstractTransformation;
import com.sap.aii.mapping.api.StreamTransformationException;
import com.sap.aii.mapping.api.TransformationInput;
import com.sap.aii.mapping.api.TransformationOutput;
import com.sap.aii.utilxi.core.io.IOUtil;
import com.sap.engine.interfaces.keystore.KeystoreManager;
import com.sap.security.api.ssf.ISsfData;
import com.sap.security.core.server.ssf.SsfDataPKCS7;
import com.sap.security.core.server.ssf.SsfProfileKeyStore;

public class GetBase64EncodedParameter extends AbstractTransformation {

  public void transform(TransformationInput input, TransformationOutput output)
      throws StreamTransformationException {
    try {
      BASE64Encoder encoder = new BASE64Encoder();
      // Read the payload once, then close the stream; a consumed stream cannot be read again.
      InputStream inputStream = input.getInputPayload().getInputStream();
      String strFlatData = IOUtil.copyToString(inputStream, "UTF-8");
      inputStream.close();
      byte[] payloadBytes = strFlatData.getBytes("UTF-8");
      String base64EncodedData = encoder.encode(payloadBytes);
      // Sign the same bytes that are sent as strXmlData, from a fresh stream.
      byte[] signedDataBytes = getSignedDataStream(new ByteArrayInputStream(payloadBytes));
      String base64EncodedSignedData = encoder.encode(signedDataBytes);
      String httpBodyString = "strXmlData=" + base64EncodedData + "&strSignature=" + base64EncodedSignedData;
      output.getOutputPayload().getOutputStream().write(httpBodyString.getBytes());
    } catch (Exception e) {
      // Fail the mapping instead of silently producing an empty or unsigned message.
      throw new StreamTransformationException("Signing the payload failed: " + e.getMessage(), e);
    }
  }

  private byte[] getSignedDataStream(InputStream inputStream) throws Exception {
    // Wrap the data to be signed as PKCS#7.
    ISsfData data = new SsfDataPKCS7(inputStream);
    // Look up the AS Java keystore service via JNDI.
    InitialContext ctx = new InitialContext();
    Object o = (Object) ctx.lookup("keystore");
    KeystoreManager manager = (KeystoreManager) o;
    // Keystore view name and private key alias used for signing.
    KeyStore keyStore = manager.getKeystore("DEFAULT");
    String alias = "sign_test";
    SsfProfileKeyStore profile = new SsfProfileKeyStore(keyStore, alias, null);
    data.sign(profile);
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    data.writeTo(baos);
    return baos.toByteArray();
  }
}

Questions

1- What are "DEFAULT" and "alias"? Do I need to replace them after the actual certificate installation on the PI server? Is it related to the name we give the certificate (signed by CA) while installing?

2- The code is error free. However, do you guys think my code will work based on my requirement, more specifically to access the keystore in Java? If not, please provide your valuable input based on my requirement. I need your help, I am not very much expert in Java.

3- On the PI server under "Entry Import" only two entry types (PKCS#12 and PKCS#8 Key Pair) are available, but I need to use PKCS#7. Can I use PKCS#8 instead? Is it related to the certificate?

4- Can I test my code now without the actual certificate installed on the PI server? Can I install some trial certificate, e.g. VeriSign? If yes, which one can I use from the default available certificates?

5- While installing the certificate, is it mandatory to put it under "TrustedCAs" on the PI server, if we are using a certificate signed by a CA?

Thanks,

Farhan
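The mapping above emits strXmlData=...&strSignature=..., so a useful test-side check is whether the messageDigest attribute inside the PKCS#7 object matches the payload actually sent; it flags the case where the signing stream was already consumed and an empty input was signed. This is an added example, not part of the original post or SAP's code; it assumes a SHA-1 digest, the function names are hypothetical, and the sample input is constructed.

```python
import base64
import hashlib

# DER bytes of the PKCS#9 messageDigest attribute OID (1.2.840.113549.1.9.4)
MESSAGE_DIGEST_OID = bytes.fromhex("06092a864886f70d010904")
SHA1_LEN = 20  # assumption: the signer uses SHA-1

def parse_body(body):
    """Split 'strXmlData=<b64>&strSignature=<b64>' without form-decoding."""
    fields = dict(part.split("=", 1) for part in body.split("&"))
    # b64decode ignores the line breaks a wrapping encoder inserts
    return (base64.b64decode(fields["strXmlData"]),
            base64.b64decode(fields["strSignature"]))

def signed_digest(pkcs7_der):
    """Return the digest in the messageDigest signed attribute, or None."""
    pos = pkcs7_der.find(MESSAGE_DIGEST_OID)
    if pos < 0:
        return None
    # After the OID: SET (0x31) holding one 20-byte OCTET STRING (0x04)
    rest = pkcs7_der[pos + len(MESSAGE_DIGEST_OID):]
    if rest[:4] != bytes([0x31, SHA1_LEN + 2, 0x04, SHA1_LEN]):
        return None
    return rest[4:4 + SHA1_LEN]

def check(body):
    """Classify how the signed digest relates to the transmitted payload."""
    payload, pkcs7 = parse_body(body)
    digest = signed_digest(pkcs7)
    if digest is None:
        return "no-sha1-message-digest"
    if digest == hashlib.sha1(b"").digest():
        return "signed-empty-input"
    if digest == hashlib.sha1(payload).digest():
        return "digest-matches-payload"
    return "digest-mismatch"

def sample_body(payload, signed_over):
    """Constructed input: only the attribute bytes, not a full PKCS#7 object."""
    attr = (MESSAGE_DIGEST_OID + bytes([0x31, 0x16, 0x04, 0x14])
            + hashlib.sha1(signed_over).digest())
    fake_der = bytes([0x30, len(attr)]) + attr
    return ("strXmlData=" + base64.b64encode(payload).decode()
            + "&strSignature=" + base64.encodebytes(fake_der).decode())

if __name__ == "__main__":
    xml = b"<PaymentMessage>constructed</PaymentMessage>"
    print(check(sample_body(xml, xml)))
    print(check(sample_body(xml, b"")))
```

A matching digest is not signature verification; the receiver still has to verify the PKCS#7 signature and the signer certificate with a CMS library.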

Accepted Solutions (1)


Former Member
0 Kudos

Hi Farhan -

Please find answers to some of your questions below -

1. Yes. You will need to replace the KeyStore name and alias in the code with the actual Key Storage View name and private key name in NWA. Go to NWA ->Configuration->Security->Certificate and Keys for details.

2. Your code looks closer to your requirement, but would need some tweaking. I had previously used the class SsfDataXML for a similar requirement (instead of SsfDataPKCS7) and could extract the signature from the element "SignatureValue". The signature section of the signed document will look like -

3. I didn't have an issue in using a certificate in PKCS#8 format.

4. You would need a sample certificate to test your code. You could try with any of the default certificates in your key store.

5. You can put your signed certificate in any key store.

Regards,

Sameej

Former Member
0 Kudos

Hi Sameej,

Thanks a lot for the answers. I have already tested my above-mentioned code and it's working as per my requirement. I will just add a few points for answer number 2: as you have mentioned XML signature tags, in my case this is not XML signature, consequently I have used ISsfData. I will write a step-by-step blog for this.

Output of my Code


Answers (3)


Former Member
0 Kudos

Hi Farhan,

Answer for

3. You can convert the PKCS#7 format to PKCS#12 with

SSL Converter: https://www.sslshopper.com/ssl-converter.html

You can also use the OpenSSL utility to convert the certificate into different formats.

Please check this for OpenSSL utility: http://www.symantec.com/business/support/index?page=content&id=TECH179207

For loading certificates into NWA please check this :

For generating keys with OpenSSL and also with PuTTY check this: Generating SSH Keys for SFTP Adapters - Type 1 - Process Integration - SCN Wiki

4. If I am not wrong, for testing purposes we can use our own dummy certificates available on the web.

5. Certificates are to be imported under the TrustedCAs entry only.

For all these activities we generally need admin roles; you had better take help from the BASIS team to avoid any unwanted activities on the PI server.

I hope these links may help you to get some idea on certificates and keys on the PI server.

Regards

Raj

Former Member
0 Kudos

Hi Raja,

Thanks a lot for response and your efforts for helping me. It was really helpful.

Regards,

Farhan

Former Member
0 Kudos

Hi Farhan,

Could you please tell me how you uploaded your Java code? I'm having the same error but I don't know how to upload your code. Thanks.

Former Member
0 Kudos

Hi Fabian,

You can upload your Java code as we upload any Java mapping code. There are many blogs for Java mapping on SCN.

I didn't have any error in my code, so please let me know what kind of error you're facing, and what your exact requirement is.

Regards,

Farhan

nitindeshpande
Active Contributor
0 Kudos

Hi Former Member

I am trying to sign the message using the SHA1 algorithm using Java mapping and I want to use your code. But I don't have the below libraries. Can you please tell me where we can get them from?

import com.sap.aii.utilxi.core.io.IOUtil;

import com.sap.engine.interfaces.keystore.KeystoreManager;

import com.sap.security.api.ssf.ISsfData;

import com.sap.security.core.server.ssf.SsfDataPKCS7;

import com.sap.security.core.server.ssf.SsfProfileKeyStore

Regards,

Nitin Deshpande

Former Member
0 Kudos

Dear Moderators/Experts,

I apologize for violating the rules of engagement. I was not aware of this; my intention is just to get my answer.

I had posted this thread yesterday night, however I am still looking for the answers to my queries. Please help me.

Thanks,

Farhan

Former Member
0 Kudos

Dear experts,

Please provide your valuable input for the above queries. Please help me, I am the lone PI resource on the client site.

Thanks,

Farhan

Former Member
0 Kudos

Hi Farhan,

If you go through this thread you will get some help:

There are some useful links in it.

Regards

Raj

Former Member
0 Kudos

Dear Raja,

Thanks a lot for your response, I have already gone through the thread you have mentioned.

I am looking for the answers to the questions I have asked specifically in my thread.

Regards,

Farhan

Former Member
0 Kudos

Any help for the above queries, guys? Please help me.

Thanks,

Farhan

Former Member
0 Kudos

This message was moderated.