Question Re: KeyStore access from Java mapping in Technology Q&A

KeyStore access from Java mapping

former_member200339 — Sun, 23 Apr 2017 22:54:38 GMT

Dear Experts,

I am working on PI 7.3 dual stack. There is a requirement where Java Mapping will have to access the Key Store Manager and get the digital key maintained in the NWA. Please provide me any example code and the relevant jar files.

Thanks and Regards,

Rana Brata De

Re: KeyStore access from Java mapping

Andrzej_Filusz — Mon, 24 Apr 2017 07:56:56 GMT

Hi,

Here you are:

import java.rmi.RemoteException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import com.sap.engine.interfaces.keystore.KeystoreManager;
import com.sap.security.core.server.ssf.SsfProfileKeyStore;
import com.sap.aii.mapping.api.StreamTransformationException;


private static SsfProfileKeyStore getCertProfile(String alias, String password) throws StreamTransformationException {
	//	get profile from keystore service of AS Java
	InitialContext ctx = null;		
	try {
		ctx = new InitialContext();
	} catch (NamingException ex) {
		throw new StreamTransformationException("Initial context: " + ex.getMessage(), ex);
	}
	
	KeystoreManager manager = null;		
	try {		
	   manager = (KeystoreManager)ctx.lookup("keystore");
	} catch (NamingException ex) {
		throw new StreamTransformationException("Named object: " + ex.getMessage(), ex);
	}
				
	KeyStore keyStore = null;
	try {	
		keyStore = manager.getKeystore("DEFAULT");
	} catch (RemoteException ex) {
		throw new StreamTransformationException("Default keystore: " + ex.getMessage(), ex);
	}
	
	SsfProfileKeyStore profile = null;       
	try {
		profile = new SsfProfileKeyStore(keyStore, alias, password);
	} catch (KeyStoreException ex) {
		throw new StreamTransformationException("Profile: " + ex.getMessage(), ex);
	}			
			
	return profile;				
}

(...)

SsfProfileKeyStore profile = getCertProfile(alias, password);			
PrivateKey key = (PrivateKey)profile.getPrivateKey(); 			
X509Certificate[] chain = profile.getCertificateChain();

Regards,

Andrzej

Re: KeyStore access from Java mapping

former_member200339 — Tue, 25 Apr 2017 15:13:39 GMT

Dear Andrzej,

Thanks for your reply. I could reach the Key Storage and view some of the keys i.e.

securestorage, TrustedCAs, DEFAULT, WebServiceSecurity, WebServiceSecurity_Certs. We have made a similar one in the name of our company <CompanyName> and imported a certificate in it. But we cannot see that one. Our objective is to find the certificate and as well as the private-key from mapping. Do you have any suggestion on how to proceed.

Thanks and Regards,

Rana Brata De

Re: KeyStore access from Java mapping

otto_frost4 — Wed, 20 Dec 2017 13:54:43 GMT

1788571 - Protection domains for PI mapping classes

Re: KeyStore access from Java mapping

otto_frost4 — Wed, 20 Dec 2017 15:13:30 GMT

791649 - User unable to logon by ticket

Re: KeyStore access from Java mapping

otto_frost4 — Wed, 20 Dec 2017 15:14:10 GMT

the tickets didn't solve the problem

Re: KeyStore access from Java mapping

otto_frost4 — Fri, 05 Jan 2018 16:39:40 GMT

https://help.sap.com/saphelp_nw74/helpdata/en/43/a52f2e63161bbfe10000000a1553f7/frameset.htm

SAPSecurityResources

//https://help.sap.com/doc/javadocs_nw75_sps06/7.5.6/en-US/PI/com/sap/aii/af/service/resource/SAPSecurityResources.html //https://help.sap.com/saphelp_nw74/helpdata/en/43/a52f2e63161bbfe10000000a1553f7/frameset.htm

Re: KeyStore access from Java mapping

otto_frost4 — Mon, 08 Jan 2018 17:35:40 GMT

Finally got it working

The mapping class is executing as user Guest.

User Guest has no access to keystores and shouldn't have.

Therefore it's necessary to use the com.sap.aii.af.service.resource.SAPSecurityResources.getInstance().getKeyStoreManager(com.sap.aii.security.lib.PermissionMode.SYSTEM_LEVEL) API.

ISsfProfile getSsfProfileKeyStore(String keyStoreAlias, String keyStoreEntry) throws StreamTransformationException {

KeyStoreManager managerPriviliged = null;
try {
managerPriviliged = com.sap.aii.af.service.resource.SAPSecurityResources.getInstance().getKeyStoreManager(
com.sap.aii.security.lib.PermissionMode.SYSTEM_LEVEL);
} catch (KeyStoreException e) {
throw new StreamTransformationException("SAPSecurityResources", e);
}
KeyStore keyStore;
try {
keyStore = managerPriviliged.getKeyStore(keyStoreAlias);
} catch (KeyStoreException e) {
throw new StreamTransformationException("managerPriviliged.getKeyStore " + keyStoreAlias, e);
}
ISsfProfile profile = null;
try {
profile = managerPriviliged.getISsfProfile(keyStore, keyStoreEntry, null);
} catch (KeyStoreException e) {
throw new StreamTransformationException("Failed to load SsfProfileKeyStore " + keyStoreAlias + " " + keyStoreEntry, e);
}
return profile;
}

Re: KeyStore access from Java mapping

former_member276938 — Thu, 11 Apr 2019 14:18:48 GMT

Hi Otto, how are you ?

Can you please let me know how you got the library com.sap.aii.af.service.resource.SAPSecurityResources in order to execute the comand below :

managerPriviliged = com.sap.aii.af.service.resource.SAPSecurityResources.getInstance().getKeyStoreManager( com.sap.aii.security.lib.PermissionMode.SYSTEM_LEVEL)

I have been searching for this library as I want to used this command in my java mapping but I searched everywhere and could not locate it.

Thank you.