on 04-21-2011 1:10 AM
Dear Gurus,
I have the following problem:
I need to validate the digital signature of an XML document and I'm using some examples provided by SAP as follows:
{code}
import java.security.KeyStore;
import javax.naming.InitialContext;
// KeystoreManager is the AS Java keystore service interface (SAP-specific import omitted here)

InitialContext ctx = new InitialContext();
// JNDI lookup of the keystore service; the call runs under the caller's user (J2EE_GUEST here)
Object o = ctx.lookup("keystore");
KeystoreManager manager = (KeystoreManager) o;
// "Serasa" is the keystore view; this is where the authorization check fails
KeyStore ks = manager.getKeystore("Serasa");
{/code}
But I get the error below, saying that user J2EE_GUEST is not authorized. How do I change the user who executes java mapping, because I granted permissions in Visual Admin to another user.
{code}
at com.sap.aii.ibrun.sbeans.mapping.MappingServiceObjectImpl0_0.processFunction(MappingServiceObjectImpl0_0.java:131)
at sun.reflect.GeneratedMethodAccessor267.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:62)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.sap.engine.services.ejb.session.stateless_sp5.ObjectStubProxyImpl.invoke(ObjectStubProxyImpl.java:187)
at $Proxy218.processFunction(Unknown Source)
at sun.reflect.GeneratedMethodAccessor266.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:62)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.sap.engine.services.rfcengine.RFCDefaultRequestHandler.call(RFCDefaultRequestHandler.java:284)
at com.sap.engine.services.rfcengine.RFCDefaultRequestHandler.handleRequest(RFCDefaultRequestHandler.java:219)
at com.sap.engine.services.rfcengine.RFCJCOServer$J2EEApplicationRunnable.run(RFCJCOServer.java:254)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: User is not authorized to execute keystore operation[{GET_VIEW Serasa }]
at com.sap.engine.services.keystore.impl.security.UserBasedSecurityConnector.checkUserPermission(UserBasedSecurityConnector.java:889)
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkUserPermission(SecurityRestrictionsChecker.java:52)
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.isUserAuthorized(SecurityRestrictionsChecker.java:148)
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:174)
at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:35)
at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)
... 28 more
Caused by: java.security.KeyStoreException: (thread: SAPEngine_Application_Thread[impl:3]_56,view:Serasa, entry: , user: J2EE_GUEST) - checkPermissions 'getView': com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
at com.sap.engine.services.keystore.impl.security.UserBasedSecurityConnector.checkFailed(UserBasedSecurityConnector.java:1097)
at com.sap.engine.services.keystore.impl.security.UserBasedSecurityConnector.checkPermissions_getView(UserBasedSecurityConnector.java:773)
at com.sap.engine.services.keystore.impl.security.UserBasedSecurityConnector.checkUserPermission(UserBasedSecurityConnector.java:823)
... 33 more
{/code}
Thank you very much
Hi Fabio,
please find our way below of the keystore and certificate generation.
The keystore used is limited to be in the format of PKCS12 and the certificate inside should be signed in SHA1 algorithm. You will need to prepare a private key and a signed certificate and combine it into a PKCS12 keystore.
Firstly, we will need to generate the private key,
"openssl genrsa -out server.key 1024"
Secondly, we will generate a CSR,
"openssl req -new -key server.key -out server.csr"
Finally, we will generate a self-signed certificate as follows,
"openssl x509 -req -days 60 -in server.csr -signkey server.key -sha1 -out server.crt"
This statement will generate a self-signed certificate, using SHA1 as the signing algorithm and having an alias called "hello".
To combine the certificate and the key into a PKCS12 keystore, we issue the following command,
"openssl pkcs12 -name haha -export -in server.crt -inkey server.key -out server.p12"
This will generate the keystore in the format of PKCS12 and having a key alias named "haha".
The command below will export the certificate from the keystore provided.
"openssl pkcs12 -in server.p12 -out /tmp/default_pub.crt -clcerts -nokeys"
Also Please refer to the below links for reference:
http://groups.google.com/group/cecid-hermes2/browse_frm/thread/8f85c948cb00cc3
Thanks and regards,
Naveen.
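As an added check (my code, not Naveen's or SAP's): a small Java program that opens the server.p12 produced by the steps above and verifies it has the properties the reply calls for (key entry under the -name alias, SHA1-signed certificate, key and certificate belonging together). The class name, the argument order and the path are my own choices.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.Date;

public final class Pkcs12Check {
    private Pkcs12Check() {}

    /** Loads a PKCS12 file made with "openssl pkcs12 -export" and returns a one-line summary. */
    public static String check(String path, char[] exportPassword, String expectedAlias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, exportPassword);  // the "Export Password" typed at "openssl pkcs12 -export"
        } finally {
            in.close();
        }
        // "openssl pkcs12 -name haha" becomes the alias of the key entry (the JDK matches it case-insensitively)
        if (!ks.isKeyEntry(expectedAlias)) {
            throw new IllegalStateException("no key entry '" + expectedAlias + "'; aliases: "
                    + Collections.list(ks.aliases()));
        }
        // In a PKCS12 file the key entry password is the keystore password; there is no separate one
        PrivateKey key = (PrivateKey) ks.getKey(expectedAlias, exportPassword);
        X509Certificate cert = (X509Certificate) ks.getCertificate(expectedAlias);
        // "-days 60": once that window has passed this throws CertificateExpiredException
        cert.checkValidity(new Date());
        // "-sha1" on the x509 command yields SHA1withRSA, which is what the reply says is required
        String sigAlg = cert.getSigAlgName();
        if (!sigAlg.toUpperCase().startsWith("SHA1")) {
            throw new IllegalStateException("certificate is " + sigAlg + ", not SHA1-signed");
        }
        // The key and the certificate must be a pair (same RSA modulus); otherwise signatures made
        // with this key will never verify under the certificate exported with -clcerts -nokeys
        if (!((RSAPrivateKey) key).getModulus().equals(((RSAPublicKey) cert.getPublicKey()).getModulus())) {
            throw new IllegalStateException("private key does not match certificate");
        }
        return "alias=" + expectedAlias + " sigAlg=" + sigAlg + " subject=" + cert.getSubjectX500Principal()
                + " notAfter=" + cert.getNotAfter();
    }

    public static void main(String[] args) throws Exception {
        // usage: java Pkcs12Check server.p12 <export password> haha
        System.out.println(check(args[0], args[1].toCharArray(), args[2]));
    }
}
```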
Hi Fabio,
first of all, have you checked if the standard functions to verify digital signatures for PI adapters would work for you?
We have used the following code to access the Keystore in a custom adapter. It accesses the keystore with the access rights of a JEE application (it has a reference to the sample adapter "sap.com/com.sap.aii.adapter.sample.ra"). Check out if it works in your mapping, too.
{code}
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.resource.ResourceException;
import com.sap.aii.af.service.resource.SAPSecurityResources;
import com.sap.aii.security.lib.KeyStoreManager;
import com.sap.aii.security.lib.PermissionMode;

// XITrace is the trace helper of the adapter project this class comes from; it is not a JDK class.
public class XIKeystoreAccessor {
    private static final XITrace TRACE = new XITrace(XIKeystoreAccessor.class.getName());
    private static XIKeystoreAccessor instance = null;
    private SAPSecurityResources securityResources;
    private KeyStoreManager keystoreManager;
    // Cache of views already opened; a view is one keystore in the AS Java keystore service
    private Map<String, KeyStore> keystores = null;

    private XIKeystoreAccessor() throws ResourceException {
        final String SIGNATURE = "XIKeystoreAccessor()";
        TRACE.entering(SIGNATURE);
        keystores = new HashMap<String, KeyStore>();
        securityResources = SAPSecurityResources.getInstance();
        try {
            // SYSTEM_LEVEL: the keystore is opened with the rights of the named application,
            // not with the rights of the calling user (J2EE_GUEST in the mapping runtime)
            keystoreManager = securityResources.getKeyStoreManager(PermissionMode.SYSTEM_LEVEL,
                    new String[] { "sap.com/com.sap.aii.adapter.sample.ra" });
        } catch (KeyStoreException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        }
        TRACE.exiting(SIGNATURE);
    }

    /**
     * Get a key from the AS Java keystore.
     *
     * @param view     keystore view name
     * @param alias    entry alias inside the view
     * @param password password protecting the key entry
     * @return the private key
     * @throws ResourceException if the key is missing or cannot be read
     */
    public Key getPrivateKey(String view, String alias, String password) throws ResourceException {
        final String SIGNATURE = "getPrivateKey()";
        TRACE.entering(SIGNATURE);
        KeyStore keystore = getKeystore(view);
        Key privateKey = null;
        try {
            privateKey = keystore.getKey(alias, password.toCharArray());
            if (privateKey == null) {
                throw new ResourceException("Key not found. alias=" + alias);
            }
        } catch (KeyStoreException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        } catch (NoSuchAlgorithmException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        } catch (UnrecoverableKeyException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        }
        TRACE.exiting(SIGNATURE);
        return privateKey;
    }

    public PublicKey getPublicKey(String view, String alias) throws ResourceException {
        final String SIGNATURE = "getPublicKey()";
        TRACE.entering(SIGNATURE);
        KeyStore keystore = getKeystore(view);
        PublicKey publicKey = null;
        try {
            // getCertificate() returns null for an unknown alias; check before dereferencing
            Certificate certificate = keystore.getCertificate(alias);
            if (certificate == null) {
                throw new ResourceException("Certificate not found. alias=" + alias);
            }
            publicKey = certificate.getPublicKey();
        } catch (KeyStoreException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        }
        TRACE.exiting(SIGNATURE);
        return publicKey;
    }

    /**
     * Get a keystore, i.e. a view, from AS Java.
     *
     * @param view keystore view name
     * @return the keystore
     * @throws ResourceException if the view does not exist or cannot be opened
     */
    public KeyStore getKeystore(String view) throws ResourceException {
        final String SIGNATURE = "getKeystore()";
        TRACE.entering(SIGNATURE);
        KeyStore keystore;
        try {
            if (keystores.containsKey(view)) {
                keystore = keystores.get(view);
            } else {
                keystore = keystoreManager.getKeyStore(view);
                if (keystore == null) {
                    throw new ResourceException("Keystore not found. view=" + view);
                }
                keystores.put(view, keystore);
            }
            TRACE.exiting(SIGNATURE);
            return keystore;
        } catch (KeyStoreException e) {
            TRACE.catching(SIGNATURE, e);
            throw new ResourceException(e);
        }
    }

    // synchronized so that concurrent mapping threads do not each build their own instance
    public static synchronized XIKeystoreAccessor getInstance() throws ResourceException {
        if (instance == null) {
            instance = new XIKeystoreAccessor();
        }
        return instance;
    }
}
{/code}
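Added example (my code, not from Jochen's post or from SAP): once a KeyStore has been obtained through an accessor like the one above, this is how the signature in the XML can be validated against a certificate that is already trusted in that keystore view, instead of whatever key the document's own KeyInfo offers. It assumes the JDK 6+ javax.xml.crypto.dsig API (Java 1.4.2 does not ship it); the class name and the alias parameter are mine.

```java
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Iterator;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public final class XmlSignatureChecker {
    private XmlSignatureChecker() {}

    /** Returns true when the single ds:Signature in the XML verifies under the certificate at alias. */
    public static boolean verify(InputStream xml, KeyStore trustStore, String alias) throws Exception {
        // The trust anchor is the certificate already in the keystore view; the document's own
        // KeyInfo is never consulted, so a sender cannot simply embed a key of its own choosing.
        Certificate anchor = trustStore.getCertificate(alias);
        if (anchor == null) throw new IllegalArgumentException("no certificate for alias " + alias);
        final Key trustedKey = anchor.getPublicKey();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // mandatory: XMLDSig elements are namespace-qualified
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(xml);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) throw new IllegalArgumentException("expected exactly one ds:Signature");
        KeySelector fixed = new KeySelector() {
            public KeySelectorResult select(KeyInfo ki, KeySelector.Purpose p, AlgorithmMethod m,
                                            XMLCryptoContext c) {
                return new KeySelectorResult() { public Key getKey() { return trustedKey; } };
            }
        };
        DOMValidateContext ctx = new DOMValidateContext(fixed, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // honoured by JDK 7+ providers
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean ok = sig.validate(ctx);
        if (!ok) {   // report which part failed: the SignatureValue itself or a modified signed element
            System.err.println("SignatureValue valid=" + sig.getSignatureValue().validate(ctx));
            for (Iterator it = sig.getSignedInfo().getReferences().iterator(); it.hasNext();) {
                Reference r = (Reference) it.next();
                System.err.println("Reference " + r.getURI() + " valid=" + r.validate(ctx));
            }
        }
        return ok;
    }
}
```

Before accepting the document, also confirm that the Reference URIs cover the element you act on; a valid signature over an unrelated fragment proves nothing about the payload.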
Hi,
Problem solved.
My local J2SE libraries were Java 1.6 and my app server is 1.4.2.
I just changed the application libraries to the old ones and it works now. I had to change the keystore access for the methods given by Jochen Damzog because the methods I was calling were not available in Java 1.4.2
Thanks
Hi Daniel,
I think the code from above tells you
{code}
import com.sap.aii.af.service.resource.SAPSecurityResources;
import com.sap.aii.security.lib.KeyStoreManager;
import com.sap.aii.security.lib.PermissionMode;
{/code}
maybe this link also helps you [http://help.sap.com/javadocs/pi/SP3/xpi/com/sap/aii/af/service/resource/package-summary.html]
Hi Daniel,
I've used the libraries from Jochen Damzog's example. But I had to add Apache Santuario's libraries (http://santuario.apache.org/) because Java 1.4.2 does not have XML security libraries.
Regards,
Fabio