HTTPS using SOAP and sharing certificates

Hi Experts,
We have been able to activate HTTPS port in our PI system and created a scenario with SOAP sender with option -- >> HTTPS without client authentication.
Now, we generated the URL from sender agreement -- >> https:<host>:<port>:XISOAPAdapter/MessageServlet?........
When we try to test this from SOAPUI, an error message is received that - Client Certificate is required.
Now in NWA, under Security - >> SSL, we could find Private key and have uploaded the same in SOAPUI Keystore... But the error persists.
Just to emphasise, we are just using a self-generated certificate which is not signed by any CA.
Now questions or rather confusions:
1. If PI is hosting a service ( SOAP Sender ), exactly what kind of certificate should be exported and imported into SOAPUI or third party ? Private key PK8, PK12 or simply Certificate ?? Where exactly is the Public key ?
2. In case third party hosts the service and PI needs to consume it, I assume third party will share their certificates. Will they share public or private key ? Shall we simply upload it in our key store and it will work ?
3. In case PI and Third Party both are hosting the services so do we need 2 Set of certificates for scenarios to work ? ( One generated at each server ?)
I have read blogs, discussions but have seen varying opinions and hence wanted to clarify.
Thanks..
regards,
Omkar.

Please go through this link - HTTP and SSL - SAP NetWeaver Process Integration Security Guide - SAP Library
"A general prerequisite for using HTTPS in both SAP NetWeaver Application Server (AS) ABAP and Java is that the SAP Cryptographic Library is installed on the AS. In addition, the certificates (for example an X.509 certificate) used must have been issued by a company-internal Certification Authority (CA), or by an external trusted CA such as Thawte, Verisign, or TC Trustcenter."

Similar Messages

  • Https for SOAP and HTTP Receiver adapters in PI 7.1

    Hi,
    We need the HTTPS transport protocol to send the message to receiver systems.
    Currently we are using below procedures for https:
    1)     HTTP with SSL (= HTTPS) without client authentication
    2)      HTTP with SSL (= HTTPS) with client authentication
    But the client doesn't want this procedure.
    Here my question is How to enable the https Transport protocol in SOAP and HTTP Receiver adapters.

    >>Here my question is How to enable the https Transport protocol in SOAP and HTTP Receiver adapters.
    What I see is your client wants PI to send communication via HTTPS transport protocol. That means you have to apply for trusted certificate and import that certificate root node in Netweaver keystore.
    Then change the transport protocol from http to https in soap and http receiver communication channel and communicate to client via certificate authentication.
    Plenty of documents available in sdn about https certificate authentication. Please go through those links.
    check this thread.. might be helpful
    Client Certificate for PI authentication when Web Dispatcher terminates SSL

  • Serious resource utilization problem using SOAP and 8.0.2

    Hi,
    I'm running into a fairly serious issue whilst trying to download large attachments from a Groupwise 8.0.2 server using SOAP.
    Basically, the problem is as follows: at a client site, there's an inbox with an email that has an attached avi file of about 330mb. Our SOAP client tries to retrieve this file in chunks of 1mb in size (if you try to set the size of the chunks any larger, Groupwise will give you a 59922 error, as 1mb is apparently some sort of hard coded limit). So that attachment corresponds to roughly 330 AttachmentRequestMessage's and their responses, each with a 1mb payload.
    When we run our client, the cpu utilization of the Groupwise server takes about a dozen seconds to climb to 100%, every single time we try. Since 100% cpu utilization renders all GW clients more or less inoperable (or at least extremely slow) this is a non-starter.
    We changed our client to wait 2 secs. in between requesting each chunk of the attachment. This seemed to help initially, but by the time we had transferred 100mb of the file, cpu utilization climbed to 95% and stayed there until the file transfer was completed.
    This is a little disconcerting. We're requesting a megabyte of data from an attachment every 2 seconds, and Groupwise seems to have all sorts of problems in trying to service these requests. As you can imagine, client performance isn't that great at 95% server utilization either. I suppose we could increase the pause to something like 5 seconds, but it seems ridiculous that such simple requests are generating this amount of load.
    So my question is 2-fold:
    1. can I increase the maximum size of an attachment part chunk? 1mb is not very much at all, seeing as our server is on the same gigabit lan segment as the GW server
    2. why does cpu utilization shoot up to 95% while servicing what seem to be fairly simple requests, and how do I avoid this by some means other than increasing my pause time?
    Thanks in advance,
    Maarten
    PS I spent some time looking for the 59922 error code in the docs, but turned up nothing

    The 59922 error is just a warning.
    You should use the HTTP GET construct to get large
    attachments. It is orders of magnitude faster than
    using getAttachmentRequest.
    >>> On Friday, August 20, 2010 at 11:06 AM,
    mdirkse<[email protected]> wrote:
    > Hmm, could you perhaps point me to where in the docs?
    >
    > Because as far as I know you have to download an attachment using a
    > getAttachmentRequest ('Novell Doc: NDK: GroupWise Web Services ‑
    > getAttachmentRequest'
    >
    (http://developer.novell.com/document...a/b7m3i5b.html
    > )),
    > which takes a length parameter, and if you set that to > 1mb, Groupwise
    > returns a 59922 error which, I'm pretty sure, *isn't* in the docs.
    >
    > Ray;2013273 Wrote:
    >> You can download the complete attachment
    >> in 1 go over HTTP using a SOAP login session.
    >>
    >> It's all in the docs...
    >>
    >> On 19.08.2010 at 16:06, mdirkse wrote:
    >> >
    >> > Hi,
    >> > I'm running into a fairly serious issues whilst trying to download
    >> > large attachments from a Groupwise 8.0.2 server using SOAP.
    >> >
    >> > Basically, the problem is as follows: at a client site, there's an
    >> > inbox with an email that has an attached avi file of about 330mb.
    >> Our
    >> > SOAP client tries to retrieve this file in chunks of 1mb in size (if
    >> you
    >> > try to set the size of the chunks any larger, Groupwise will give you
    >> a
    >> > 59922 error, as 1mb is apparently some sort of hard coded limit). So
    >> > that attachment corresponds to roughly 330
    >> AttachmentRequestMessage's
    >> > and their responses, each with a 1mb payload.
    >> >
    >> > When we run our client, the cpu utilization of the Groupwise server
    >> > takes about a dozen seconds to climb to 100%, every single time we
    >> try.
    >> > Since 100% cpu utilization renders all GW clients more or less
    >> > inoperable (or at least extremely slow) this is a non‑starter.
    >> >
    >> > We changed our client to wait 2 secs. in between requesting each
    >> chunk
    >> > of the attachment. This seemed to help initially, but by the time we
    >> had
    >> > transferred 100mb of the file, cpu utilization climbed to 95% and
    >> stayed
    >> > there until the file transfer was completed.
    >> >
    >> > This is a little disconcerting. We're requesting a megabyte of data
    >> > from an attachment every 2 seconds, and Groupwise seems to have all
    >> > sorts of problems in trying to service these requests. As you can
    >> > imagine, client performance isn't that great at 95% server
    >> utilization
    >> > either. I suppose we could increase the pause to something like 5
    >> > seconds, but it seems ridiculous that such simple requests are
    >> > generating this amount of load.
    >> >
    >> > So my question is 2‑fold:
    >> > 1. can I increase the maximum size of an attachment part chunk? 1mb
    >> is
    >> > not very much at all, seeing as our server is on the same gigabit
    >> lan
    >> > segment as the GW server
    >> > 2. why does cpu utilization shoot up to 95% while servicing what
    >> seem
    >> > to be fairly simple requests, and how do I avoid this by some means
    >> > other than increasing my pause time?
    >> >
    >> > Thanks in advance,
    >> > Maarten
    >> >
    >> > PS I spent some time looking for the 59922 error code in the docs,
    >> but
    >> > turned up nothing
    >> >
    >> >

  • HTTP adapter, SSL and wildcard certificate

    Hi,
    I am developing a B2B integration solution using BizTalk Server. The protocol used to communicate with the partner’s server is HTTPS and so it uses SSL.
    The certificate the partner is using to establish SSL connections is provided by GeoTrust but it is a wildcard certificate, issued to *.*.*.company.com
    The server I am trying to contact to is on a domain of the form: a.b.c.company.com (which seems to match the wildcard).
    When I try to open an HTTPS connection to the server (either through Internet Explorer, a .Net Windows Application or BizTalk), the connection cannot be established because the certificate is said to not be trusted. For example, Internet Explorer shows a pop-up message saying that:
    - The certificate is issued from a valid CA
    - The certificate date is valid
    - The name of the certificate is NOT matching the name of the site. This means that the certificate is issued for a domain different than the one we are accessing. So it seems that the wildcard system is not working for this certificate? Is that possible if they acquire a wrong type of certificate by mistake? Or is a multipart wildcard certificate (*.*.*) not supported?
    Anyway even if their certificate is not 100% valid, they refuse to change it as their other partners work with that and they won't change to a proper certificate just for us...
    In .Net 2.0 code, it is easy to circumvent any certificate validation by setting the delegate ServicePointManager.ServerCertificateValidationCallback to a callback method with something like:
    ServicePointManager.ServerCertificateValidationCallback = delegate(Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)  { return true; };
    Nevertheless, I need to achieve this sort of circumvention with BizTalk Server 2006 and I would like to know if anyone ever did that.
    I am aware that I can write my own custom HTTP Adapter but I need this urgently so I thought of asking this forum's community first. Maybe someone has a quicker way than writing a custom adapter such as some "hack" (registry keys, custom class... ) or knows of an existing custom adapter already doing the job.
    Thanks in advance,
    Best regards,
    Francois Malgreve

    The certificate needs to be installed as an explicitly trusted certificate in the store under the computer a/c on the BizTalk machine and then it'll work. Refer
    https://thinkintegration.wordpress.com/2011/12/02/biztalk-https-adapter-and-certificate-configurations/ for the steps.
    Regards.
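
An added example in C#, not code from the thread, from BizTalk or from its HTTP adapter: instead of a validation callback that returns true for every certificate, tolerate the name mismatch only for one pinned certificate. The class name, the `HostMatches` helper and the placeholder pin value are assumptions for illustration; the helper follows the RFC 6125 rule that a wildcard counts only as the whole left-most label, which is why `*.*.*.company.com` fails the name check.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; not code from the thread, from BizTalk or from its HTTP adapter.
public static class PinnedPartnerCertificate
{
    // Assumption: SHA-256 over the partner's DER-encoded certificate, received
    // from the partner out of band. Placeholder value; replace it before use.
    private const string PinnedSha256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    // Name check in the style of RFC 6125: "*" counts only when it is the
    // entire left-most label, and it stands for exactly one label. A pattern
    // such as *.*.*.company.com therefore matches no host name at all.
    public static bool HostMatches(string pattern, string host)
    {
        string[] p = pattern.ToLowerInvariant().Split('.');
        string[] h = host.ToLowerInvariant().Split('.');
        if (p.Length != h.Length) return false;
        for (int i = 0; i < p.Length; i++)
        {
            if (i == 0 && p[i] == "*")
            {
                if (h[i].Length == 0) return false; // "*" needs a non-empty label
                continue;
            }
            if (p[i].IndexOf('*') >= 0) return false; // wildcard in any other position
            if (p[i] != h[i]) return false;
        }
        return true;
    }

    // Upper-case hex SHA-256 of a byte array.
    private static string Sha256Hex(byte[] data)
    {
        using (SHA256 sha = SHA256.Create())
        {
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
        }
    }

    // Replacement for "return true": every error still fails the handshake,
    // except a pure name mismatch on the one certificate that was pinned.
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Certificate passed the platform's own checks: nothing to override.
        if (errors == SslPolicyErrors.None) return true;

        // SslPolicyErrors is a flags enum. Requiring equality means a name
        // mismatch combined with chain errors or a missing certificate fails.
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch) return false;
        if (certificate == null) return false;

        string actual = Sha256Hex(certificate.GetRawCertData());
        return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // The pattern from the thread against the host from the thread, then a
        // single left-most wildcard for comparison.
        Console.WriteLine(HostMatches("*.*.*.company.com", "a.b.c.company.com"));
        Console.WriteLine(HostMatches("*.b.c.company.com", "a.b.c.company.com"));

        // The callback is process-wide: it is consulted for every HTTPS
        // request made through ServicePointManager in this process.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

The pinned value has to be replaced whenever the partner renews or reissues the certificate.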

  • Using Lion and sharing my screen to multiple computers (8) produces a LOT of lag.. HELP!

    I am using Lion and Remote desktop.. I want to share my screen with 8-12 other computers.. I am a teacher and have a brand new iMac lab but the screen share is too laggy or pretty much freezes at times.  HELP!!!!

    I thought that wireless N is 300 mb a second?  and G is 54.
    A wired option is not possible due to the setup needed.. also, I usually only share my screen with 8 computers not the full 12.
    Any help would be useful! .. I think there is a bug in Remote desktop because I sometimes try to share my screen with 3 computers and have the same problem.

  • Using DynDNS and Sharing disks over Ethernet WAN port

    I am having issues accessing the AirDisk from outside my LAN. So here are the steps that I have taken:
    In the AirPort Utility, I enable "Share disks over Ethernet WAN port".
    Created a DynDNS account at http://www.dyndns.com so my hostname points to my IP address.
    After reading a bunch of threads, mainly this one below, there are a few conflicting issues.
    http://discussions.apple.com/thread.jspa?messageID=4105319
    Someone mentioned you have to Setup Port Mapping to open up Personal File Sharing. But another said you don't have to set up Port Mapping. Well if you do, you're gonna run into a problem. This Apple article states you have to use a different port: http://docs.info.apple.com/article.html?artnum=305183
    Someone said Remote Access only works via AFP not via SMB. Is this true?
    Also do I have to enter my DynDNS hostname into the wide area Bonjour tab in the advanced tab?
    What am I doing wrong?
    Macbook   Mac OS X (10.4.8)   Airport Extreme N

    Are you aware of any DynDNS-like service that support Wide Area Bonjour?
    None at the moment. One might hope that Apple's .Mac service would make use of it, but I don't think Apple has announced anything about that possibility.
    Or as a practical matter is this a technology that only appears at the moment in private installations of OS X Server?
    I've found the version of dnsextd that ships in Mac OS X 10.4 (not just the server version) to be a bit flaky. One hopes it will work a lot better in Mac OS X 10.5.
    But since the AEBS doesn't support DynDNS update, as other routers do, it ends up requiring a server after all.
    Wouldn't it be nice if DynDNS and similar services allowed you to configure DNS resource records manually? That way, it wouldn't matter what your home gateway/fileserver was capable of doing— you could just edit your DNS zone accordingly.

  • Using AX and sharing the internet?

    For a while I've had an Airport Express (AX) across the room from my mini, with my printer and stereo hooked up to it (called "My Network"). I recently got a Powerbook, and set up a network (called "My Mac Mini") with internet sharing on, and was able to use it to surf online, etc. Then I went to print something from my mini and realized that I had two different networks, which I didn't intentionally do, but both of them took a lot of work to get working right. With the "Mac mini" network, I couldn't print and had to switch to "My network" to get the AX connected and thus shut out my Powerbook.
    Can I combine them? Is it possible to have my mini networked with my AX and at the same time sharing its internet connection with other wireless devices? Or do I have to get a router, hook it up to my AX and expand my network? I can't really tell when I should be changing network preferences and when I should be changing sharing options, etc. (new to the Mac world).
    Thanks for all the help!

    Pardon me for jumping in. I am sure that Tesserax will respond with more detail.
    +could the AX be that router?+
    The AX could be that router, but it will only provide an internet connection via wireless. You won't be able to connect an ethernet device to the Express as you could do if you had a wireless router that also provided 3-4 ethernet ports.
    If the mini connects well using wireless, then your AX will do the job fine. As long as the AX and mini are in close proximity, you should have a good connection using wireless. But, it won't be as "fast" as an ethernet connection. It's also possible that you may notice no real difference.
    I think the bottom line here is (as it is in most networks), you won't really know until you try.

  • Website to stream to RTMP and HTTP using Android and iOS

    Hello, my name is Silvio Tavares, I'm from Brazil and the company where they work bought the Adobe Flash Media Server 5 to make the transmission of the station for the Website as well as for Android and iOS.
    I followed your tutorial step by step and nothing more than 20x ( http://www.youtube.com/watch?v=1p27xavIWQA ) .... When I try to run the transmission in Sample Video Player he simply says I'm having a problem with my playback.
    Is there anything else to be done?
    Please know it must be very busy, but my job depends on it working here.
    I am using Windows Server 2012.
    In this tutorial does not say you have to configure any file, only the conf.xml Adobe Media Live Encoder.
    Please help me!


  • Using fusion and sharing files with mac

    I am getting a Mac Airbook and am going to be running Fusion from VMWare.  I have an external Western Digital drive that I want to use to transfer my files to the Mac.  Two questions:
    1.  Will the Passport software or at least the files - be recognized by the Mac?
    2.  Does the Mac share the files with Fusion or do I need separate folders?

    Welcome to the Apple Support Communities
    1. Your Mac will recognize the external drive without any problem if it's formatted with FAT, NTFS or exFAT. Note that OS X can't write into NTFS drives.
    2. Your Mac can share files with a virtual machine if you install VMware Tools onto the virtual machine

  • HTTP 2 SOAP Scenario

    Hi Experts ,
    My scenario is HTTP to SOAP; the SOAP URL will then call SAP (BAPI). I don't have any idea about that. Can anybody please help me? If there are any links, please provide them.
    Regards
    Syed

    Hello Syed,
    Give a hit in sdn, you get tons of data.
    However, go to http://www.sdn.sap.com/irj/scn/advancedsearch?query=httptosoap
    /people/praveen.gujjeti/blog/2010/01/14/calling-abap-proxies-using-soap-and-http-adapters-in-sap-xi30pi70
    riyaz.net/blog/xipi-a-guide-to-using-sap-xi-soap-adapter/technology/sap/113/
    Regards
    Pothana

  • SOAP and ConsoleOne synch problem

    I've been making some simple params modifications on a user and I found that fields have different values for the soap invocations and in a ConsoleOne view:
    I've changed the persistence field in the Junk properties group for a user but there was no difference in ConsoleOne. I've rerun the program which uses SOAP and I can see new values. ConsoleOne doesn't see new values even after turning it off and starting it once more. If I change the value in ConsoleOne I don't see any changes in my application.
    Any idea what it or I do wrong?

    You need to use the Admin API to affect values stored
    in ConsoleOne.
    >>> On Wednesday, February 24, 2010 at 2:46 AM, testowy
    email<[email protected]> wrote:
    > I've been making some simple params modifications on a user and I found
    > that fields have different values for the soap invocations and in a
    > ConsoleOne view:
    > I've change persistence field in Junk properties group for a user but
    > there was no difference in ConsoleOne. I've rerun program which uses
    > soap and I can see new values. ConsoleOne don't see new values even
    > after turning it off and start one more. If I change value in ConsoleOne
    > I don't see any changes in my application.
    >
    > Any idea what it or I do wrong?

  • SOAP and MiniShall

    How do I check to see if we are using SOAP and how do I check to see if Mini Shall is on or off?

    Originally Posted by jmarton
    On Wed, 23 Sep 2009 17:26:01 +0000, redcoat wrote:
    > How do I check to see if we are using SOAP
    Telnet to the server on port 7191, see if it connects.
    > and how do I check to see if
    > Mini Shall is on or off?
    set tcp minshall algorithm
    Joe Marton
    Novell Knowledge Partner
    SUSE Linux Enterprise 11 is ready for action.
    the telnet didn't work

  • Version Control of APEX Pages and Shared Components

    Background:
    My organisation has a large customer base and over the last 2 years we have been migrating from a forms to an apex user presentation layer. We have had a number of customers live on the apex front end for close to a year now.
    Our current method of releasing apex objects is at the application level (ie applications are exported for version control in PVCS and then released to Test etc). We now want to investigate exporting pages and shared components individually. Hence, I have a few questions:
    1. If I export a page and this is checked into PVCS and I forget to export a 'List of Values' shared component. What happens when the page in PVCS is created in another environment (ie Test). I guess the ‘Page Import’ would still succeed but the reference to the ‘List of Values’ would be some large made up number.
    How would we detect the missing dependency after import ?
    2. Regarding New or Changed Templates. Once again, if a page references a new template and is then exported, checked into PVCS and imported into test but the template is missed for migration to test, would the import succeed but the template reference would be broken, like in number 1.
    3. How can Application level objects be locked (reserved) when undergoing modification.
    Any comments would be appreciated especially if there are any sites using pages and shared component exports for version control and releases.
    For anyone who's interested, the method we are thinking of using is:
    ..Page Export script will be version controlled
    ..ALL the shared component export scripts will be added to 1 main SQL script
    Hence we only end up with 2 configurable objects in PVCS.

    Nigel,
    > 1. If I export a page and this is checked into PVCS and I forget to export a 'List of Values' shared component. What happens when the page in PVCS is created in another environment (ie Test). I guess the ‘Page Import’ would still succeed but the reference to the ‘List of Values’ would be some large made up number.
    For component export/import, the source and target workspace ID and application ID must be identical. You can achieve the workspace "sameness" by exporting and importing the workspace from one database to another, thus preserving the workspace's numeric ID, aka security group ID. Similarly applications must be exported/imported/installed without changing their IDs in the installed-into instance. More fundamentally, the application you import/install components into must be an identical copy of the source application with respect to the internal object IDs, allowing only for differences that incent you to migrate changes from a higher rev level of the application into a copy that is at a lower rev level.
    As to the specific question, if you copied a page but didn't copy an LOV into the target application then if the LOV referenced by the page already existed in the target application then page would simply reference the existing, perhaps down-level, LOV in the application. If the LOV did not already exist but had been newly created in the source application, then the target application page would contain an invalid reference and would produce a runtime error.
    > How would we detect the missing dependency after import ?
    I don't know of any reports that would tell you this. There are several types of omissions that you need to watch out for, not all of which can be detected by inspection of the target application in isolation.
    > 2. Regarding New or Changed Templates. Once again, if a page references a new template and is then exported, checked into PVCS and imported into test but the template is missed for migration to test, would the import succeed but the template reference would be broken, like in number 1.
    Yes, same case.
    > 3. How can Application level objects be locked (reserved) when undergoing modification.
    There is no provision for this as there is for pages.
    > For anyone who's interested, the method we are thinking of using is:
    > ..Page Export script will be version controlled
    > ..ALL the shared component export scripts will be added to 1 main SQL script
    > Hence we only end up with 2 configurable objects in PVCS.
    So you propose to have one script of all pages and another script for everything else? I'm not sure I got that right.
    Scott

  • Sender SOAP and HTTP adapter setting.

    Hi,
        I've a scenario, where I send purchase order(PO) file to external partner via a HTTPS url. I use  receiver SOAP adapter with transport protocol "HTTP", Message protocol "SOAP 1.1" and in the Target URL I use the https://url  also I've the " Do Not Use SOAP Envelope" check box selected in the Conversion Parameters. This scenario is working fine.
    Now the external partner wants to send back the purchase order response (POR) file and he gave the http URL to pick the files. Now the question, Is there a straight simple configuration in sender SOAP adapter or sender HTTP adapter to pick POR file(s) from the URL?
    Can you please let me know whether is it possible? Any link showing the setup will be helpful.
    Thanks.

    what you need is a HTTP GET call which is not supported by the HTTP adapter until PI 7.3
    So refer this : http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/28487 [original link is broken] / Michal's PI tips: Exchange Rates from an XML file on a web page - REST, AXIS
    Edited by: Shabarish Vijayakumar on Mar 5, 2012 10:01 PM

  • Problem using SmartCard with 2 Certificates stored and SunPKCS11

    Hi,
    I'm trying to access one SmartCard token in Java 1.5 using SunPKCS11 provider for crypt, decrypt and digital signature operations.
    I have 2 certificates stored on Token:
    - CertA;
    - CertB.
    There are also 2 PIN:
    - PIN1;
    - PIN2.
    I use:
    - PIN1 for logging into the token;
    - PIN1 for operation involving CertA;
    - PIN2 for operation involving CertB;
    There is no problem to logging into the token using Java and, without any troubles, I can read certificates and key from the
    cryptographic card.
    There is no problem using CertA for all my operation, but every attempt of using Private Key of CertB (for the same operations) returns with an Exception:
    java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
    Here there's an extract of my source code.
    // Imports needed by the extract. The class name SmartCardTest is a placeholder:
    // the original post showed only the two methods.
    import java.io.BufferedInputStream;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.Provider;
    import java.security.PublicKey;
    import java.security.Security;
    import java.security.Signature;
    import java.security.cert.X509Certificate;
    import java.util.Enumeration;

    public class SmartCardTest {

        public void loginToken() {
            // Register the PKCS#11 provider described by the configuration file
            Provider UserProvider = new sun.security.pkcs11.SunPKCS11("C:\\pkcs11.cfg");
            Security.addProvider(UserProvider);
            try {
                KeyStore ks = null;
                X509Certificate UserCert = null;
                PrivateKey UserCertPrivKey = null;
                PublicKey UserCertPubKey = null;
                //PIN
                char PIN1[] = "11111".toCharArray();
                char PIN2[] = "22222".toCharArray();
                //logging into token
                ks = KeyStore.getInstance("PKCS11", UserProvider);
                ks.load(null, PIN1);
                //enumeration alias
                String alias = "";
                Enumeration e = ks.aliases();
                while (e.hasMoreElements()) {
                    alias = (String) e.nextElement();
                    //Certificate
                    UserCert = (X509Certificate) ks.getCertificate(alias);
                    //PublicKey
                    UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();
                    if (alias.compareToIgnoreCase("Cert1") == 0) {
                        //PrivateKey reference
                        UserCertPrivKey = (PrivateKey) ks.getKey(alias, PIN1);
                    } else if (alias.compareToIgnoreCase("Cert2") == 0) {
                        //PrivateKey reference
                        UserCertPrivKey = (PrivateKey) ks.getKey(alias, PIN2);
                    } else {
                        System.out.println("ALIAS UNKNOW");
                        System.exit(1);
                    }
                    //Signature Test (MakeSignature returns true on success)
                    if (MakeSignature(UserCertPrivKey, UserProvider))
                        System.out.println(" *** SIGNATURE OK *** ");
                    else
                        System.out.println(" *** SIGNATURE KO *** ");
                }
            } catch (Exception ex) {
                System.out.println("ERROR: " + ex);
            }
        }

        public boolean MakeSignature(PrivateKey PrivKey, Provider p) {
            try {
                //File I/O
                FileInputStream txtfis = new FileInputStream("C:\\Test.txt");
                FileOutputStream sigfos = new FileOutputStream("C:\\Test_Signature.txt");
                //Signature Obj init
                Signature dsa = Signature.getInstance("SHA1withRSA", p.getName());
                dsa.initSign(PrivKey);
                //Update data: read until end of stream
                BufferedInputStream bufin = new BufferedInputStream(txtfis);
                byte[] buffer = new byte[1024];
                int len;
                while ((len = bufin.read(buffer)) != -1) {
                    dsa.update(buffer, 0, len);
                }
                bufin.close();
                //Make signature
                byte[] realSig = dsa.sign();
                //save signature on file
                sigfos.write(realSig);
                sigfos.close();
                return true;
            } catch (Exception ex) {
                System.out.println("ERROR: " + ex);
                return false;
            }
        }
    }
    Any help would be grateful...
    Thanks in advance.
    P.S. Sorry for my English

    This is the same my initial problem.
    I resolved it using IAIK-PKCS#11Wrapper (it is FREE) instead of sun.security.pkcs11.SunPKCS11.
    You can find it here:
    http://jce.iaik.tugraz.at/sic/products/core_crypto_toolkits/pkcs_11_wrapper
    Here an example of code.
    The main class:
    import iaik.pkcs.pkcs11.Module;
    import iaik.pkcs.pkcs11.DefaultInitializeArgs;
    import java.util.Hashtable;
    import iaik.pkcs.pkcs11.Token;
    import iaik.pkcs.pkcs11.Slot;
    import iaik.pkcs.pkcs11.Session;
    import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
    import java.util.Vector;
    import iaik.pkcs.pkcs11.objects.PrivateKey;
    import iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate;
    import java.util.Enumeration;
    import iaik.pkcs.pkcs11.objects.Key;
    import java.security.cert.CertificateFactory;
    import java.io.ByteArrayInputStream;
    import iaik.pkcs.pkcs11.Mechanism;
    import java.security.Security;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import java.io.File;
    import java.io.FileInputStream;
    import org.bouncycastle.cms.CMSSignedDataGenerator;
    import org.bouncycastle.cms.CMSProcessableByteArray;
    import java.util.ArrayList;
    import java.security.cert.CertStore;
    import java.security.cert.CollectionCertStoreParameters;
    import org.bouncycastle.cms.CMSSignedData;
    import java.io.FileOutputStream;
    import java.security.cert.X509Certificate;
    import iaik.pkcs.pkcs11.TokenInfo;
    import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
    public class MakeSignature {
      public static void main(String[] args) {
        String USER_PIN = "12345678";
        String DLL_NAME = "C:\\windows\\system32\\dll_P11_name.dll";
        String OBJ_LABEL1 = "CNS0"; //this is the label of my 1st cert
        String OBJ_LABEL2 = "CNS1"; //this is the label of my 2nd cert
        String INPUT_FILE = "C:\\Temp\\test.txt";
        String OUTPUT_FILE = "C:\\Temp\\test.p7m";
        try {
          // ********** INITIALIZE PKCS#11 MODULE WITH DEFAULT PARAMETERS **********
          Module pkcs11Module = Module.getInstance(DLL_NAME);
          pkcs11Module.initialize(new DefaultInitializeArgs());
          // ********** SELECT TOKEN **********
          Slot[] slotsWithToken = pkcs11Module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
          Token[] tokens = new Token[slotsWithToken.length];
          Hashtable tokenIDtoToken = new Hashtable(tokens.length);
          long tokenID = -1;
          Token tokenUsed = null;
          //enumerate the readers
          for (int i = 0; i < slotsWithToken.length; i++) {
            tokens[i] = slotsWithToken[i].getToken();
            tokenID = tokens[i].getTokenID();
            tokenIDtoToken.put(new Long(tokenID), tokens[i]);
            System.out.println("Active tokens:");
            System.out.println("Token ID: " + tokenID);
          }
          if (tokens.length == 0) { //No SC found
            System.out.println("No SC presents");
          }
          else {
            System.out.println("Using token: " + tokens[0].getTokenID());
            tokenUsed = tokens[0];
            //Note: if you have more than one reader or SC inserted, you have to write
            //here the code to select the right token
          }
          // ********** OPEN SESSION VS THE TOKEN AND IF REQUIRED SUBMIT PIN **********
          TokenInfo tokenInfo = tokenUsed.getTokenInfo();
          Session session = tokenUsed.openSession(Token.SessionType.SERIAL_SESSION, false, null, null);
          if (tokenInfo.isLoginRequired()) {
            session.login(Session.UserType.USER, USER_PIN.toCharArray());
          }
          // ********** SET SEARCH TEMPLATE FOR THE P11 OBJECT **********
          RSAPrivateKey privateSignatureKeyTemplate = new RSAPrivateKey();
          privateSignatureKeyTemplate.getSign().setBooleanValue(Boolean.TRUE);
          privateSignatureKeyTemplate.getLabel().setCharArrayValue(OBJ_LABEL2.toCharArray());
          // ********** SEARCH P11 OBJECT USING TEMPLATE **********
          Vector keyList = new Vector(4);
          session.findObjectsInit(privateSignatureKeyTemplate);
          Object[] matchingKeys;
          while ( (matchingKeys = session.findObjects(1)).length > 0) {
            keyList.addElement(matchingKeys[0]);
          }
          session.findObjectsFinal();
          //Try to find the corresponding certificates for the signature keys
          //(a certificate object on the token carries the same ID as its private key)
          Hashtable keyToCertificateTable = new Hashtable(4);
          Enumeration keyListEnumeration = keyList.elements();
          while (keyListEnumeration.hasMoreElements()) {
            PrivateKey signatureKey = (PrivateKey) keyListEnumeration.nextElement();
            byte[] keyID = signatureKey.getId().getByteArrayValue();
            X509PublicKeyCertificate certificateTemplate = new X509PublicKeyCertificate();
            certificateTemplate.getId().setByteArrayValue(keyID);
            session.findObjectsInit(certificateTemplate);
            Object[] correspondingCertificates = session.findObjects(1);
            if (correspondingCertificates.length > 0) {
              keyToCertificateTable.put(signatureKey, correspondingCertificates[0]);
            }
            session.findObjectsFinal();
          }
          //There are three cases now: 1 no obj found; 2 found only one obj, 3 found more obj
          Key selectedKey = null;
          X509PublicKeyCertificate correspondingCertificate = null;
          if (keyList.size() == 0) {
            //no object found for template
            System.out.println("No object found for template");
            throw new Exception("No object found for template");
          }
          else if (keyList.size() == 1) {
            //Found only one object
            selectedKey = (Key) keyList.elementAt(0);
            // create a IAIK JCE certificate from the PKCS11 certificate
            correspondingCertificate = (X509PublicKeyCertificate)keyToCertificateTable.get(selectedKey);
            System.out.println("One object Found");
          }
          else {
            //Found more objects ... user can select one
            System.out.println("Many obj found!!!");
            //write here the code to select the right object
          }
          // ********** GET THE OBJECT **********
          RSAPrivateKey signerPriKey = (RSAPrivateKey) selectedKey;
          java.security.cert.CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
          byte[] derEncodedCertificate = correspondingCertificate.getValue().getByteArrayValue();
          //Cast to java.security.cert.X509Certificate
          java.security.cert.X509Certificate signerCert = (java.security.cert.X509Certificate) certificateFactory.
              generateCertificate(new ByteArrayInputStream(derEncodedCertificate));
          // ********** SIGNATURE OPERATION **********
          //Add BouncyCastle as provider
          Security.addProvider(new BouncyCastleProvider());
          //initialize signature operation
          session.signInit(Mechanism.RSA_PKCS, (PrivateKey) signerPriKey);
          //get input data
          File src = new File(INPUT_FILE);
          int sizecontent = ( (int) src.length());
          byte[] contentData = new byte[sizecontent];
          FileInputStream freader = new FileInputStream(src);
          freader.read(contentData, 0, sizecontent);
          freader.close();
          //calculate digest of the input data
          byte[] toEncrypt = buildBits(contentData); //I've already posted the code for this function
          //make signature
          byte[] signature = session.sign(toEncrypt);
          // ********** MAKE P7 WELL FORMAT DOCUMENT **********
          //CMSSignedDataGenerator fact = new CMSSignedDataGenerator();
          Signature2CMSSignedData fact = new Signature2CMSSignedData();
          CMSProcessableByteArray content = new CMSProcessableByteArray(contentData);
          //Creation of BC CertStore
          ArrayList certList = new ArrayList();
          certList.add(signerCert);
          CertStore certs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList), "BC");
          //Signature Alg
          String algorithm = CMSSignedDataGenerator.DIGEST_SHA1;
          //add element to P7
          fact.addSignature(signature, signerCert, algorithm);
          fact.addCertificatesAndCRLs(certs);
          //generate enveloped using Bouncycastle provider
          CMSSignedData envdata = fact.generate(PKCSObjectIdentifiers.data.getId(), content, true);
          byte[] enveloped = envdata.getEncoded();
          //Write P7 file
          FileOutputStream efos = new FileOutputStream(OUTPUT_FILE);
          efos.write(enveloped);
          efos.close();
          // ********** END **********
          session.closeSession();
          pkcs11Module.finalize(null);
        }
        catch (Exception ex) {
          ex.printStackTrace();
        }
      }
    }

Main class uses buildBits function (already posted in this topic) and Signature2CMSSignedData class.

    import java.io.ByteArrayInputStream;
    import java.io.ByteArrayOutputStream;
    import java.util.ArrayList;
    import java.util.Iterator;
    import java.util.List;
    import java.security.cert.CertStore;
    import java.security.cert.X509CRL;
    import java.security.cert.X509Certificate;
    import org.bouncycastle.asn1.ASN1EncodableVector;
    import org.bouncycastle.asn1.ASN1InputStream;
    import org.bouncycastle.asn1.ASN1OctetString;
    import org.bouncycastle.asn1.ASN1Sequence;
    import org.bouncycastle.asn1.ASN1Set;
    import org.bouncycastle.asn1.BERConstructedOctetString;
    import org.bouncycastle.asn1.DEREncodable;
    import org.bouncycastle.asn1.DERNull;
    import org.bouncycastle.asn1.DERObject;
    import org.bouncycastle.asn1.DERObjectIdentifier;
    import org.bouncycastle.asn1.DEROctetString;
    import org.bouncycastle.asn1.DERSet;
    import org.bouncycastle.asn1.cms.ContentInfo;
    import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
    import org.bouncycastle.asn1.cms.SignedData;
    import org.bouncycastle.asn1.cms.SignerIdentifier;
    import org.bouncycastle.asn1.cms.SignerInfo;
    import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
    import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
    import org.bouncycastle.asn1.x509.CertificateList;
    import org.bouncycastle.asn1.x509.TBSCertificateStructure;
    import org.bouncycastle.asn1.x509.X509CertificateStructure;
    import org.bouncycastle.cms.CMSProcessable;
    import org.bouncycastle.cms.CMSSignedData;
    /**
     * class for generating a RSA pkcs7-signature message.
     */
    public class Signature2CMSSignedData {
      CertStore certStore;
      List certs = new ArrayList();
      List crls = new ArrayList();
      List signerInfs = new ArrayList();
      List signers = new ArrayList();
      public static final String DATA = PKCSObjectIdentifiers.data.getId();
      public static final String ENCRYPTION_RSA = "1.2.840.113549.1.1.1";
      private byte[] signatureData = null;
      private X509Certificate cert = null;
      private String digestOID = null;
      private String encOID = null;

      public Signature2CMSSignedData() {
      }

      // store the signature computed on the token, the signer certificate and the digest OID
      public void addSignature(byte[] signatureData, X509Certificate cert, String digestOID) {
        this.signatureData = signatureData;
        this.cert = cert;
        this.digestOID = digestOID;
        this.encOID = ENCRYPTION_RSA;
      }

      // convert the certificates and CRLs of the CertStore to their ASN.1 structures
      public void addCertificatesAndCRLs(CertStore certStore) throws Exception {
        try {
          Iterator it = certStore.getCertificates(null).iterator();
          while (it.hasNext()) {
            X509Certificate c = (X509Certificate) it.next();
            certs.add(new X509CertificateStructure((ASN1Sequence) makeObj(c.getEncoded())));
          }
          Iterator it2 = certStore.getCRLs(null).iterator();
          while (it2.hasNext()) {
            X509CRL c = (X509CRL) it2.next();
            crls.add(new CertificateList((ASN1Sequence) makeObj(c.getEncoded())));
          }
        }
        catch (Exception e) {
          throw new Exception(e.getMessage());
        }
      }

      private DERObject makeObj(byte[] encoding) throws Exception {
        if (encoding == null) {
          return null;
        }
        ByteArrayInputStream bIn = new ByteArrayInputStream(encoding);
        ASN1InputStream aIn = new ASN1InputStream(bIn);
        return aIn.readObject();
      }

      public CMSSignedData generate(String signedContentType, CMSProcessable content, boolean encapsulate) throws Exception {
        try {
          ASN1EncodableVector digestAlgs = new ASN1EncodableVector();
          ASN1EncodableVector signerInfos = new ASN1EncodableVector();
          DERObjectIdentifier contentTypeOID = new DERObjectIdentifier(signedContentType);
          // add the SignerInfo objects
          Iterator it = signerInfs.iterator();
          AlgorithmIdentifier digAlgId = new AlgorithmIdentifier(new DERObjectIdentifier(digestOID), new DERNull());
          AlgorithmIdentifier encAlgId;
          encAlgId = new AlgorithmIdentifier(new DERObjectIdentifier(encOID), new DERNull());
          digestAlgs.add(digAlgId);
          ASN1Set signedAttr = null;
          ASN1Set unsignedAttr = null;
          ASN1OctetString encDigest = new DEROctetString(signatureData);
          // identify the signer by issuer and serial number taken from the certificate
          ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getTBSCertificate());
          ASN1InputStream aIn = new ASN1InputStream(bIn);
          TBSCertificateStructure tbs = TBSCertificateStructure.getInstance(aIn.readObject());
          IssuerAndSerialNumber encSid = new IssuerAndSerialNumber(tbs.getIssuer(), tbs.getSerialNumber().getValue());
          signerInfos.add(new SignerInfo(new SignerIdentifier(encSid), digAlgId, signedAttr, encAlgId, encDigest, unsignedAttr));
          ASN1Set certificates = null;
          if (certs.size() != 0) {
            ASN1EncodableVector v = new ASN1EncodableVector();
            it = certs.iterator();
            while (it.hasNext()) {
              v.add( (DEREncodable) it.next());
            }
            certificates = new DERSet(v);
          }
          ASN1Set certrevlist = null;
          if (crls.size() != 0) {
            ASN1EncodableVector v = new ASN1EncodableVector();
            it = crls.iterator();
            while (it.hasNext()) {
              v.add( (DEREncodable) it.next());
            }
            certrevlist = new DERSet(v);
          }
          ContentInfo encInfo;
          if (encapsulate) {
            // embed the signed content in the SignedData structure
            ByteArrayOutputStream bOut = new ByteArrayOutputStream();
            content.write(bOut);
            ASN1OctetString octs = new BERConstructedOctetString(bOut.toByteArray());
            encInfo = new ContentInfo(contentTypeOID, octs);
          }
          else {
            encInfo = new ContentInfo(contentTypeOID, null);
          }
          SignedData sd = new SignedData(new DERSet(digestAlgs), encInfo, certificates, certrevlist, new DERSet(signerInfos));
          ContentInfo contentInfo = new ContentInfo(PKCSObjectIdentifiers.signedData, sd);
          return new CMSSignedData(content, contentInfo);
        }
        catch (Exception e) {
          throw new Exception(e.getMessage());
        }
      }
    }

Bye.
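
To check a .p7m file like the one MakeSignature writes, the following added example (not part of the original post) parses the CMS SignedData, verifies each signer against the certificate embedded in the file, and reports the digest algorithm used. It assumes a current BouncyCastle release (bcprov plus bcpkix); the class name VerifyP7m and the command-line file argument are hypothetical.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Security;
import java.util.Collection;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.Store;

// Added example, not the poster's code. VerifyP7m is a hypothetical name.
public class VerifyP7m {

  // OID of SHA-1, the digest the post selects with CMSSignedDataGenerator.DIGEST_SHA1
  private static final String SHA1_OID = "1.3.14.3.2.26";

  /**
   * Returns true only if the file contains at least one signer and every
   * signer verifies against a certificate carried inside the SignedData.
   * The content must be encapsulated, as it is when generate(..., true) is used.
   */
  @SuppressWarnings("unchecked")
  public static boolean verifyAll(byte[] p7m) throws Exception {
    CMSSignedData signedData = new CMSSignedData(p7m);
    Store<X509CertificateHolder> certs = signedData.getCertificates();
    Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
    if (signers.isEmpty()) {
      System.out.println("No SignerInfo in file");
      return false;
    }

    boolean allValid = true;
    for (SignerInformation signer : signers) {
      // The SignerInfo names its certificate by issuer and serial number;
      // look that certificate up among the ones shipped in the file.
      Collection<X509CertificateHolder> matches = certs.getMatches(signer.getSID());
      if (matches.isEmpty()) {
        System.out.println("Signer certificate not included in file");
        allValid = false;
        continue;
      }
      X509CertificateHolder cert = matches.iterator().next();

      boolean ok;
      try {
        ok = signer.verify(
            new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert));
      } catch (CMSException e) {
        // malformed signature block or unsupported algorithm: treat as invalid
        System.out.println("Verification error: " + e.getMessage());
        ok = false;
      }

      String digestOid = signer.getDigestAlgOID();
      System.out.println("Signer:     " + cert.getSubject());
      System.out.println("Digest OID: " + digestOid
          + (SHA1_OID.equals(digestOid) ? " (SHA-1)" : ""));
      System.out.println("Signature:  " + (ok ? "valid" : "INVALID"));
      allValid &= ok;
    }
    return allValid;
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 1) {
      System.err.println("usage: java VerifyP7m <file.p7m>");
      System.exit(2);
    }
    Security.addProvider(new BouncyCastleProvider());
    byte[] p7m = Files.readAllBytes(Paths.get(args[0]));
    System.exit(verifyAll(p7m) ? 0 : 1);
  }
}
```

A valid result shows only that the content matches a signature made with the key of the embedded certificate; whether that certificate is trusted has to be established separately, for example by path validation against your own trust anchors.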
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
