
Keystore access in Java Mapping Program - user J2EE_GUEST

Former Member
0 Kudos

Dear Gurus,

I have the following problem:

I need to validate the digital signature of an XML document and I'm using some examples provided by SAP as follows:


{code}
import java.security.KeyStore;
import javax.naming.InitialContext;
// AS Java keystore service interface; package assumed from the AS Java javadoc, check your engine's version
import com.sap.engine.interfaces.keystore.KeystoreManager;

// Look up the keystore service via JNDI; this runs under the identity of the calling user
InitialContext ctx = new InitialContext();
KeystoreManager manager = (KeystoreManager) ctx.lookup("keystore");
// Fetch the keystore view by name
KeyStore ks = manager.getKeystore("Serasa");
{/code}

But I get the error below, saying that user J2EE_GUEST is not authorized. How do I change the user who executes the Java mapping? I granted permissions in Visual Admin to another user.

{code}
at com.sap.aii.ibrun.sbeans.mapping.MappingServiceObjectImpl0_0.processFunction(MappingServiceObjectImpl0_0.java:131)
at sun.reflect.GeneratedMethodAccessor267.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:62)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.sap.engine.services.ejb.session.stateless_sp5.ObjectStubProxyImpl.invoke(ObjectStubProxyImpl.java:187)
at $Proxy218.processFunction(Unknown Source)
at sun.reflect.GeneratedMethodAccessor266.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:62)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.sap.engine.services.rfcengine.RFCDefaultRequestHandler.call(RFCDefaultRequestHandler.java:284)
at com.sap.engine.services.rfcengine.RFCDefaultRequestHandler.handleRequest(RFCDefaultRequestHandler.java:219)
at com.sap.engine.services.rfcengine.RFCJCOServer$J2EEApplicationRunnable.run(RFCJCOServer.java:254)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: User is not authorized to execute keystore operation[{GET_VIEW Serasa }]
at com.sap.engine.services.keystore.impl.security.UserBasedSecurityConnector.checkUserPermission(UserBasedSecurityConnector.java:889)
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkUserPermission(SecurityRestrictionsChecker.java:52)
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.isUserAuthorized(SecurityRestrictionsChecker.java:148)
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:174)
at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:35)
at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)
... 28 more
Caused by: java.security.KeyStoreException: (thread: SAPEngine_Application_Thread[impl:3]_56,view:Serasa, entry: , user: J2EE_GUEST) - checkPermissions 'getView': com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
at com.sap.engine.services.keystore.impl.security.UserBasedSecurityConnector.checkFailed(UserBasedSecurityConnector.java:1097)
at com.sap.engine.services.keystore.impl.security.UserBasedSecurityConnector.checkPermissions_getView(UserBasedSecurityConnector.java:773)
at com.sap.engine.services.keystore.impl.security.UserBasedSecurityConnector.checkUserPermission(UserBasedSecurityConnector.java:823)
... 33 more
{/code}

Thank you very much

Accepted Solutions (1)

naveen_chichili
Active Contributor
0 Kudos

Hi Fabio,

please find below our way of generating the keystore and certificate.

The keystore used is limited to the PKCS12 format and the certificate inside should be signed with the SHA1 algorithm. You will need to prepare a private key and a signed certificate and combine them into a PKCS12 keystore.

Firstly, we will need to generate the private key:

{code}
openssl genrsa -out server.key 1024
{/code}

Secondly, we will generate a CSR:

{code}
openssl req -new -key server.key -out server.csr
{/code}

Finally, we will generate a self-signed certificate as follows:

{code}
openssl x509 -req -days 60 -in server.csr -signkey server.key -sha1 -out server.crt
{/code}

This statement will generate a self-signed certificate, using SHA1 as the signing algorithm and having an alias called "hello".

To combine the certificate and the key into a PKCS12 keystore, we issue the following command:

{code}
openssl pkcs12 -name haha -export -in server.crt -inkey server.key -out server.p12
{/code}

This will generate the keystore in the PKCS12 format, having a key alias named "haha".

The command below will export the certificate from the keystore provided:

{code}
openssl pkcs12 -in server.p12 -out /tmp/default_pub.crt -clcerts -nokeys
{/code}

Also please refer to the below links for reference:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0e0117a-3167-2d10-d2ae-f87dfa5e0...

http://groups.google.com/group/cecid-hermes2/browse_frm/thread/8f85c948cb00cc3

Thanks and regards,

Naveen.
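The validation step the question asks for, with the trust anchor taken from a PKCS12 keystore like the server.p12 built above, as an added example that is not code from this thread, from SAP or from the openssl project. It uses the standard JSR 105 XML Digital Signature API (javax.xml.crypto.dsig, part of Java 6 and later; Apache Santuario provides the same API on older runtimes). The keystore path, password, the alias passed on the command line, the RSA test keys and the sample order document are all constructed for the example; the only value taken from the thread is the alias convention set by openssl pkcs12 -name. The point it shows: the verifier must pin the public key it trusts rather than accept whatever key the document's KeyInfo names, and a signature that verifies with the pinned key still fails once the signed content is tampered with.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class PinnedXmlSignatureCheck {
    // Algorithm URI spelled out because the SignatureMethod.RSA_SHA256 constant only appeared in Java 11
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Reads the key pair stored under `alias` from a PKCS12 file such as the one openssl pkcs12 -export
    // produces. openssl protects the file and the key entry with the same password.
    // Path, password and alias are caller-supplied placeholders, nothing is hard-coded here.
    static KeyPair keyPairFromPkcs12(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Key priv = ks.getKey(alias, password);
        Certificate cert = ks.getCertificate(alias);
        if (!(priv instanceof PrivateKey) || cert == null) {
            throw new IllegalArgumentException("alias " + alias + " does not hold a key pair");
        }
        return new KeyPair(cert.getPublicKey(), (PrivateKey) priv);
    }

    // KeySelector that ignores any KeyInfo inside the document and always returns the key we
    // already trust. Resolving the key from KeyInfo would let the sender pick the key that
    // "verifies" its own signature.
    static KeySelector pinnedTo(final PublicKey trusted) {
        return new KeySelector() {
            @Override
            public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                            AlgorithmMethod method, XMLCryptoContext context) {
                return new KeySelectorResult() {
                    @Override
                    public Key getKey() { return trusted; }
                };
            }
        };
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XMLDSig requires a namespace-aware DOM
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/entity expansion
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Enveloped signature over the whole document, deliberately written without a KeyInfo element.
    static void sign(Document doc, KeyPair signer) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(signer.getPrivate(), doc.getDocumentElement()));
    }

    // True only if the document carries exactly one Signature and it verifies with the pinned key.
    static boolean validate(Document doc, PublicKey trusted) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false;
        }
        DOMValidateContext ctx = new DOMValidateContext(pinnedTo(trusted), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // refuse risky transforms and weak algorithms
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return signature.validate(ctx); // false on digest or signature mismatch, no exception
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        // With "<p12 path> <password> <alias>" on the command line the real keystore is used instead
        KeyPair signer = args.length == 3
                ? keyPairFromPkcs12(args[0], args[1].toCharArray(), args[2])
                : kpg.generateKeyPair();
        KeyPair other = kpg.generateKeyPair(); // an untrusted key, never given to the verifier

        Document doc = parse("<order><id>42</id><amount>100</amount></order>"); // constructed sample
        sign(doc, signer);
        System.out.println("verified with trusted key : " + validate(doc, signer.getPublic()));
        System.out.println("verified with other key   : " + validate(doc, other.getPublic()));

        doc.getElementsByTagName("amount").item(0).setTextContent("1"); // tamper after signing
        System.out.println("after tampering           : " + validate(doc, signer.getPublic()));
    }
}
```

In production the verifier would load only the certificate (the -clcerts -nokeys export) into its trust store and never the private key; the example reads both from one file purely so that it can sign and verify in a single run. The keystore is opened from a file here because the thread's own problem is that the AS Java keystore service checks the calling user (J2EE_GUEST in the trace); the validation logic is the same whichever way the trusted certificate is obtained.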

Answers (1)

Former Member
0 Kudos

Hi Fabio,

First of all, have you checked if the standard functions to verify digital signatures for PI adapters would work for you?

We have used the following code to access the keystore in a custom adapter. It accesses the keystore with the access rights of a JEE application (it has a reference to the sample adapter "sap.com/com.sap.aii.adapter.sample.ra"). Check out if it works in your mapping, too.


{code}
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.Map;

import javax.resource.ResourceException;

import com.sap.aii.af.service.resource.SAPSecurityResources;
import com.sap.aii.security.lib.KeyStoreManager;
import com.sap.aii.security.lib.PermissionMode;

// XITrace is a project-specific trace wrapper; its import is not part of the posted code.

public class XIKeystoreAccessor {
    private static final XITrace TRACE = new XITrace(XIKeystoreAccessor.class.getName());

    static XIKeystoreAccessor instance = null;

    SAPSecurityResources securityResources;
    KeyStoreManager keystoreManager;
    // Cache of keystore views already fetched from the KeyStoreManager
    Map<String, KeyStore> keystores = null;

    private XIKeystoreAccessor() throws ResourceException {
        final String SIGNATURE = "XIKeystoreAccessor()";
        TRACE.entering(SIGNATURE);

        keystores = new HashMap<String, KeyStore>();

        securityResources = SAPSecurityResources.getInstance();
        try {
            // The keystore is accessed with the permissions of the referenced
            // JEE application, not with those of the calling user
            keystoreManager = securityResources.getKeyStoreManager(PermissionMode.SYSTEM_LEVEL,
                    new String[] { "sap.com/com.sap.aii.adapter.sample.ra" });
        } catch (KeyStoreException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        }
        TRACE.exiting(SIGNATURE);
    }

    /**
     * Get a key from the AS Java keystore.
     *
     * @param view     keystore view name
     * @param alias    key alias inside the view
     * @param password password protecting the key entry
     * @return the key stored under the alias
     * @throws ResourceException if the view or the key cannot be read
     */
    public Key getPrivateKey(String view, String alias, String password) throws ResourceException {
        final String SIGNATURE = "getPrivateKey()";
        TRACE.entering(SIGNATURE);

        KeyStore keystore = getKeystore(view);
        Key privateKey = null;
        try {
            privateKey = keystore.getKey(alias, password.toCharArray());
            if (privateKey == null) {
                throw new ResourceException("Key not found. alias=" + alias);
            }
        } catch (KeyStoreException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        } catch (NoSuchAlgorithmException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        } catch (UnrecoverableKeyException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        }
        TRACE.exiting(SIGNATURE);
        return privateKey;
    }

    /**
     * Get the public key of the certificate stored under an alias.
     *
     * @param view  keystore view name
     * @param alias certificate alias inside the view
     * @return the certificate's public key
     * @throws ResourceException if the view or the certificate cannot be read
     */
    public PublicKey getPublicKey(String view, String alias) throws ResourceException {
        final String SIGNATURE = "getPublicKey()";
        TRACE.entering(SIGNATURE);

        KeyStore keystore = getKeystore(view);
        PublicKey publicKey = null;
        try {
            // getCertificate() returns null for an unknown alias, so check before dereferencing
            Certificate certificate = keystore.getCertificate(alias);
            if (certificate == null) {
                throw new ResourceException("Certificate not found. alias=" + alias);
            }
            publicKey = certificate.getPublicKey();
        } catch (KeyStoreException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        }
        TRACE.exiting(SIGNATURE);
        return publicKey;
    }

    /**
     * Get a keystore, i.e. a view, from AS Java. Views are cached after the first lookup.
     *
     * @param view keystore view name
     * @return the keystore for the view
     * @throws ResourceException if the view does not exist or cannot be read
     */
    public synchronized KeyStore getKeystore(String view) throws ResourceException {
        final String SIGNATURE = "getKeystore()";
        TRACE.entering(SIGNATURE);
        KeyStore keystore;
        try {
            if (keystores.containsKey(view)) {
                keystore = keystores.get(view);
            } else {
                keystore = keystoreManager.getKeyStore(view);
                if (keystore == null) {
                    throw new ResourceException("Keystore not found. view=" + view);
                }
                keystores.put(view, keystore);
            }
            TRACE.exiting(SIGNATURE);
            return keystore;
        } catch (KeyStoreException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        }
    }

    // synchronized so that concurrent first calls cannot create two instances
    public static synchronized XIKeystoreAccessor getInstance() throws ResourceException {
        if (instance == null) {
            instance = new XIKeystoreAccessor();
        }
        return instance;
    }
}
{/code}

Former Member
0 Kudos

Hi,

Problem solved.

My local J2SE libraries were Java 1.6 and my app server is 1.4.2.

I just changed the application libraries to the old ones and it works now. I had to change the keystore access to the methods given by Jochen Damzog, because the methods I was calling were not available in Java 1.4.2.

Thanks

DG
Active Contributor
0 Kudos

Hi,

Which development component or library did you use to get access to KeyStoreManager?

daniel

Former Member
0 Kudos

Hi Daniel,

I think the code from above tells you:

{code}
import com.sap.aii.af.service.resource.SAPSecurityResources;
import com.sap.aii.security.lib.KeyStoreManager;
import com.sap.aii.security.lib.PermissionMode;
{/code}

maybe this link also helps you [http://help.sap.com/javadocs/pi/SP3/xpi/com/sap/aii/af/service/resource/package-summary.html]

Former Member
0 Kudos

Hi Daniel,

I've used the libraries from Jochen Damzog's example. But I had to add Apache Santuario's libraries (http://santuario.apache.org/), because Java 1.4.2 does not have XML security libraries.

Regards,

Fabio

DG
Active Contributor
0 Kudos

Hi,

I'm on PI711 which supports reflection. So that is how I solved the problem.

daniel

Former Member
0 Kudos

Hi Fabio,

you used Apache Santuario libraries to access the keystore from the mapping? Because I tried that on XI 7.0 and I had a problem: in the mapping I did not have access to com.sap.aii.security, so I cannot use KeyStoreManager.

Can you help me with that issue?

Former Member
0 Kudos

We are using PI73. This code compiles and deploys OK. But it doesn't access keys from the view when called from a File communication channel (using a custom adapter module). Is there any security setting that I need to check? Please advise.

Thanks

Sat