ArchiveLink security: what does SCMS_HTTP_PUT_CERT actually do?

Hello!

Sorry if I'm in the wrong forum. I tried with ABAPers and always get 0 replies.

I am trying to do a test program to check ArchiveLink security features. One of them is sending the public key certificate to a Content Server application. So I am calling the function SCMS_HTTP_PUT_CERT, expecting that it would send the public key certificate as the HTTP call binary content. Indeed, I catch the call with some binary content. However, I don't know how to use it. I debugged the mentioned function and saw that this content doesn't seem like a certificate, but rather a signed dummy message.

Here's what's going on there:

The SCMS_HTTP_PUT_CERT calls SCMS_URL_GENERATE which calls SCMS_URL_SIGN. And it runs code within which is worth quoting:

    if uri_for_signature = space.
      iostr_input_data_l = 1.          "no data doesnot work
      it_ostr_input_data-data = '20'.
      append it_ostr_input_data.
    else.

It's faking the content! After this, SSF_KRN_SIGN_BY_AS is called, the content of IT_OSTR_INPUT_DATA is signed and its OSTR_SIGNED_DATA parameter is used as content for SCMS_HTTP_PUT_CERT.

Now, if you reply to this post "Everybody knows that signing '02' means returning certificate itself", I'll be a very happy man. But I tried to import this binary content assuming that it was a valid certificate and got an error message.

Maybe I'm getting it all wrong. Does anyone have an explanation for this?

Thanks in advance!

Regards,

Igor

1 Answer

  • Best Answer
    Former Member
    Posted on Aug 21, 2007 at 03:56 PM

    Hi

    SCMS_HTTP_PUT_CERT is used to send the SAP public key to the Content Server application. The Content Server application makes use of this key to verify the incoming request, i.e. the Content Server uses the public key to check URIs and signatures.

    SAP uses the Public/Private key security concept while communicating with the Content Server. Basically, when SAP communicates with the Content Server it will be sending GET, PUT, POST requests. The URL from SAP will have a field called secKey which contains the security key. secKey ensures that a URL cannot be changed after it has been generated by the SAP system. The private key is used by SAP to generate the secKey.

    The Content Server application will use the public key provided via SCMS_HTTP_PUT_CERT to check the URL and will be able to detect if the URL has been tampered with.

    Refer to the SAP Content Server HTTP 4.5 Interface documentation, section Security, for more details.

    http://help.sap.com/saphelp_nw04/helpdata/en/9b/e8c186eaf811d195580000e82deb58/frameset.htm

    Hope this helps

    Cheers,

    Samanjay

    Message was edited by:

    Samanjay Shenoy

    • Hi, Samanjay!

      Thanks for your reply! Your summarization of the security concept of ArchiveLink is really nice.

      However, you didn't touch my problem: My attempt to import the supposed certificate sent by SCMS_HTTP_PUT_CERT was unsuccessful.

      Since I don't have a "real" content server application, I am playing with security features of Archive Link, and I use the very same SAP system to "pretend" to be a content server.

      And while doing so, I tried to use the function SCMS_HTTP_PUT_CERT to send a public key certificate which I wanted to import (like content server would do). I created an HTTP service and was able to receive the call which had some binary content. I supposed it was a valid certificate.

      However, the function SSFC_PUT_CERTIFICATE (a proven way to import certificate into SAP's PSE) returned error message "SSF kernel error: invalid parameter".

      It confused me, and I debugged the SCMS_HTTP_PUT_CERT function. I saw that the binary content is actually a signed hardcoded string "20" (hex) - please see the code extract from my initial post.

      Is this a certificate? If yes, why can't I import it (if sender's PSE is equal to receiver's, it would mean self-signing, right)?

      Please share your experience: did you actually see SCMS_HTTP_PUT_CERT working? Is signed "20" string actually a valid certificate? How can I import it?

      Thanks in advance for your effort!

      Kind regards,

      Igor
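
The secKey tamper check described in the answer above, as an added example that is not part of the thread and is not SAP code. Assumptions: textbook RSA over SHA-256 stands in for the SSF signature, the demo key, the set of signed parameters, how they are joined, and all sample values are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, urlencode

# Constructed demo key built from two well-known Mersenne primes.
# Trivially factorable: for illustration only, never a real key.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                               # public modulus (content server side)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (signing side only)

# Assumption: which parameters are covered and how they are joined.
# The authoritative rule is in the interface documentation the answer links.
SIGNED = ("contRep", "docId", "accessMode", "authId", "expiration")

def _digest(params):
    msg = "\n".join(params.get(k, "") for k in SIGNED).encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign_url(params):
    """Signing side: append a secKey computed with the private key."""
    sig = pow(_digest(params), D, N)
    raw = sig.to_bytes((N.bit_length() + 7) // 8, "big")
    return urlencode({**params, "secKey": base64.urlsafe_b64encode(raw).decode()})

def verify_url(query, now):
    """Content server side: accept only an untampered, unexpired URL."""
    params = dict(parse_qsl(query))
    sec = params.pop("secKey", None)
    if sec is None:
        return False                    # unsigned request
    try:
        sig = int.from_bytes(base64.urlsafe_b64decode(sec), "big")
    except ValueError:
        return False                    # secKey is not valid base64
    if sig >= N or pow(sig, E, N) != _digest(params):
        return False                    # a signed parameter was changed
    # expiration is a fixed-width yyyymmddhhmmss string, so text order is time order
    return params.get("expiration", "") >= now

# Constructed sample request parameters.
SAMPLE = {"contRep": "Z1", "docId": "4B7689654E73D21197E70060B0672A3C",
          "accessMode": "r", "authId": "DEMO", "expiration": "20070822120000"}

if __name__ == "__main__":
    url = sign_url(SAMPLE)
    print(verify_url(url, "20070821155600"))                                    # valid
    print(verify_url(url.replace("accessMode=r", "accessMode=rcud"), "20070821155600"))  # tampered
```

The verifier holds only `N` and `E`, which is why the receiving side needs the sender's public key before it can enforce secKey checks.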