Skip to Content
0
Former Member
Aug 27, 2004 at 10:43 AM

Access keystore service from within resource adapter

96 Views

Hello,

I have some very nasty secyrity problem to access the "keystore" service from within a resource adapter application.

I have created a view holding my certificates and private keys and the idea is to use this "keystore" service to access these objects. I need them in my adaptor.

The result is that I cal lookup the service - no problem with that.

I check if my view is available using KeyStoreManager.existKeystoreView(viewName) ; result of this is true - my view exists, but when I make this call KeyStoreManager.getKeystore(viewName); I get this nasty exception :

ava.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException:

at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)

at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:707)

at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201)

at com.seeburger.ksm.xi.source.XIRepositorySourceProvider.getRepository(XIRepositorySourceProvider.java:154)

at com.seeburger.ksm.cryptoapi.impl.CryptoApi.getCertificate(CryptoApi.java:265)

at com.seeburger.ediint.util.cert.SimpleKeyManager.getCertificate(SimpleKeyManager.java:75)

at com.seeburger.as1.tasks.AS1MessageComposer.getEDIMessageBuilderConfig(AS1MessageComposer.java:259)

at com.seeburger.as1.tasks.AS1MessageComposer.compose(AS1MessageComposer.java:126)

at com.seeburger.as1.tasks.AS1MessageComposer.compose(AS1MessageComposer.java:100)

at com.seeburger.as1.AS1Processor.sendAs1(AS1Processor.java:249)

at com.seeburger.as1.AS1Processor.execute(AS1Processor.java:179)

at com.seeburger.frame.FrameWork.syncNewData(FrameWork.java:805)

at com.seeburger.xi.as1mail.frame.AS1Processor.execute(AS1Processor.java:66)

at com.seeburger.xi.as1mail.frame.XIProcessor.call(XIProcessor.java:112)

at com.seeburger.xi.as1mail.ra.CCIInteraction.call(CCIInteraction.java:200)

at com.seeburger.xi.as1mail.ra.CCIInteraction.execute(CCIInteraction.java:107)

at com.sap.aii.af.endpoint.ModuleProcessorExitBean.process(ModuleProcessorExitBean.java:203)

at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0.process(ModuleLocalLocalObjectImpl0.java:116)

at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:197)

at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:116)

at com.sap.aii.af.listener.AFWListenerBean.onMessage(AFWListenerBean.java:178)

at com.sap.aii.af.listener.AFWListenerLocalObjectImpl0.onMessage(AFWListenerLocalObjectImpl0.java:120)

at com.sap.aii.af.ra.ms.impl.ServicesImpl.deliver(ServicesImpl.java:243)

at com.sap.aii.af.ra.ms.impl.protocol.xi.XIEventHandler.onDeliver(XIEventHandler.java:708)

at com.sap.aii.af.ra.ms.impl.core.queue.RequestConsumer.onMessage(RequestConsumer.java:100)

at com.sap.aii.af.ra.ms.impl.core.queue.Queue.run(Queue.java:399)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)

at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:140)

Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: checkPermissions() for [{GET_VIEW xxxKeystore }] failed!

at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:297)

at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:33)

at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)

... 29 more

Caused by: java.security.KeyStoreException: java.security.AccessControlException: access denied

at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:702)

at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:228)

... 31 more

Obviously it is a security problem with lacking GET_VIEW permissions

But how to set a GET_VIEW permission to this view so my resource adapter can access the content?

I did the following: I went to

EngineAdmin->Server->Services->Key Storage

I selected the repository tab and I see that I can grant permissions to the available domains. So I do so - I grant GET_VIEW permission to all domains I can associate with my application, the result is the same.

What am I missing?

Please help