ArchiveLink security: sending public key certificate by SCMS_HTTP_PUT_CERT

Similar Messages

• Importing public key certificate from external application

  Hello!
  I am trying to implement the following scenario:
  1. External client application sends it's public key certificate to SAP WAS
  2. SAP imports this certificate into its PSE
  3. External client application sends digitally signed messages to SAP (with <i>secKey</i> HTTP call parameter)
  4. SAP checks this signature and does whatever further action.
  For simplicity reason, I emulated this "external app" by using the ArchiveLink interface of the very same SAP system. So, I have one system which is at the same time client and server, but the communication works via HTTP.
  I started with step 1: The ArchiveLink (in my case "external app") uses the function SCMS_HTTP_PUT_CERT to send the public key certificate to the client via HTTP. It worked well - I received the message with HTTP service and it contained some binary content as expected (valid public key certificate - I suppose).
  Unfortunately, I was unsuccessfull with step 2: How to import the received certificate into my PSE?
  I debugged the STRUST transaction and saw that it uses the function SSFP_PUTCERTIFICATE to import public key certificate into SAP's own PSE. However, when I try to use it, I get error <i>No temporary PSE available</i>. I also tried to <i>encode-base64</i> this message with the same result. What does this mean?
  Does anyone has experience with this? Please share it.
  Thanks in advance and kind regards,
  Igor

  The key point was understanding the cleverly named parameter PROFILE in the function SSFC_PUT_CERTIFICATE. You'd never guess: it's a path to a PSE where you want to put the certificate, in my case: C:\usr\sap\NSP\DVEBMGS00\sec\SAPSYS.pse. There's one more step: updating database with the file system PSE.
  So, the test sequence that works is:
  1. SSFP_GETSAPCERTIFICATE
  2. SSFC_PUT_CERTIFICATE
  3. SSFPSE_STORE
  Regards,
  Igor
  P.S. Am I the only one playing with these things? I keep getting 0 replies to my questions.

• Renewing public key certificate used for Seeburger AS2

  My general question is when a public key certificate, used for Seeburger AS2 payload decryption and digital signatures, needs to be renewed, how carefully do the certificate renewal steps need to be coordinated for a seamless transition?  More specifically...
  1. Once we import the CSR response from the CA, will the public key currently used by our partner become invalid, or will it continue to work until its expiration date? 
  2. Will our partner be able to validate our signature after the new CSR has been imported, but prior to them applying the new public key certificate in their system? 
  3. Or can we renew the certificate, import the CSR request, provide our partner with the renewed certificate, and let them apply the certificate at their own volition, provided they do it prior to the original certificate expiration?

  Hi Kurt
  In my experience, the renewal/replacement of AS2 certificates for encryption/decryption & signing/authentication requires coordinated effort on both sides.
  This is because AS2 uses asymmetrical encryption, so both parties need to use the same pair of certificates at the same time, i.e. you encrypt on your private key, and partner decrypt on the public key matching your private key. If the keys used do not belong to the same pair, then decryption will not work.
  I'm not sure what AS2 software your partner uses and if it has the feature of automatic rollover of certificate, but PI/Seeburger does not. The approach in PI/Seeburger can either be one of the following:-
  i) import new cert replacing original cert of the same name
  ii) import new cert into new name, manually update sender/receiver agreements
  Due to the manual nature of the tasks, normally it requires coordinated effort during a cutover window.
  Rgds
  Eng Swee

• Logout from an "https client authentication (public key certificate)"

  Hi ,
  I am using an https client authentication (public key certificate) to login to my ADF faces website
  How can I logout form the application? It seems the session.invalidate() is not working because my login information is still displayed after running the logout method (below)
  Note that this logout method was working well with the Form-Based Authentication.
  Thank you
  Jamil
  public String logout() {
  ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
  HttpServletRequest request = (HttpServletRequest)ectx.getRequest();
  HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
  HttpSession session = (HttpSession)ectx.getSession(false);
  session.invalidate();
  String temp = request.getContextPath() + "/adfAuthentication?logout=true&end_url=/faces/logout";
  try {
  ectx.redirect(temp);
  FacesContext.getCurrentInstance().responseComplete();
  } catch (Exception ex) {
  System.out.println("Exception in logout()");
  return null;
  }

  Can you try with the null chk.. as this piece of code is working fine for us
  public void logout(ActionEvent evt) {> FacesContext fc = FacesContext.getCurrentInstance();
  > HttpSession session =
  > (HttpSession)fc.getExternalContext().getSession(false);
  > HttpServletRequest request =
  > (HttpServletRequest)fc.getExternalContext().getRequest();
  > HttpServletResponse response =
  > (HttpServletResponse)fc.getExternalContext().getResponse();
  > try {
  > if (session != null) {
  > session.invalidate();
  > }
  > fc.getExternalContext().redirect(request.getContextPath() +
  > "/faces/index");
  > } catch (Exception exp) {
  > try {
  > fc.getExternalContext().redirect("/faces/Error");
  > } catch (Exception ex) {
  }> }
  > }

• How to renewal SSO public key certificate ??

  hiiiiii
  How to renewal SSO public key certificate....

  Hello,
  You should replace the existing certificate before it expires as per the link provided below.
  http://help.sap.com/saphelp_nw04s/helpdata/en/5c/b7d53ae8ab9248e10000000a114084/frameset.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/59/6b653a0c52425fe10000000a114084/frameset.htm
  Thanks,
  Siva Kumar

• Security Question - Public Key not available

  Hello! I am trying to access some online class, but I'm having difficulty accessing them. I tried looking at the log and I found this:
  4/11/14 3:59:23.215 PM secd[235]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
  Can I have any help/clue in order for this to stop? If it helps, I tried doing this in AKO (military).
  Thanks!

  Thanks Mark M - That was the issue.
  Of all the documentation in books and online i saw, basically say:
  --Create a page, give it alias PUBLIC_PAGE
  --At the page level,  set it to "page is public"
  --Change the logout URL in authentication template to redirect to the new page
  The fourth step i guess is to make sure your app level authorization is set appropriately as well.
  Thanks again.

• Sending public key to not java application

  Hi,
  I'm trying to send through a socket connection a public key encoded on X.509 standard, but the key.getEncoded() method returns a array of bytes,How can I convert this array of bytes to a sequence of characters that can be readable by any not java application???Is possible to make this public key readable for any not java application??How can I do that??
  How can I send the public key to a not java application??
  Thanks.

  Thanks for helping, but if I use Base64 encoding does the client have to use a base64 decoder before having to use the public key??
  The major problem is that my client is a perl application that uses openSSL, I think it will not understand the key if I send it in Base64(the perl application uses a openSSL API to make the received public key in X.509 back to public key)...

• Unable to retrieve public key and signature.

  Hi,
  I'am trying to send public key and signature from one client to another via server.
  Both pub_key and signature are encrypted into base64. But i cant retrieve them correctly in server side.
  I'am using ECDSA to sign message key_length 224bit. Sending and retrieving data via sockets.
  SEND DATA FUNCTION Client.java
  private static PrintWriter      output_stream = null;
  private static Scanner      input_stream           = null;
  private static void send_message(String message)
       if(user_name != null
            && message_text_area.getText().equals(SERVER_CLOSED) == false
            && message_text_area.getText().equals(SERVER_CONNECTED) == false
            && message_text_area.getText().equals(MAX_USERS_ONLINE) == false
            && message_text_area.getText().equals(CONNECTION_CLOSED) == false
            && message_text_area.getText().equals(GET_USER) == false
            && message_text_area.getText().equals(REMOVE_USER) == false
            && message_text_area.getText().equals(USER_EXISTS) == false
            && message_text_area.getText().equals(USER_NICK) == false){   
           String signature = new BASE64Encoder().encode(ecdsa_parameters.sign_message(SESSION_KEY_PAIR.getPrivate(), message_text_area.getText().trim()));
           String public_key = new BASE64Encoder().encode(SESSION_KEY_PAIR.getPublic().getEncoded());
           if (signature != null && SESSION_KEY_PAIR != null){
            synchronized(output_stream)
                output_stream.println(USER_NICK);
                output_stream.println(user_name);
                output_stream.println(user_nick);
                output_stream.println(message_text_area.getText().trim());
                      //PUblic key and signature in base64
                      output_stream.println(public_key);     
                output_stream.println(signature);
                  //length and data of them
            System.out.println(public_key.length());
            System.out.println(signature.length());          
            System.out.println(public_key);
            System.out.println(signature);
            append_message(user_nick+": "+message_text_area.getText().trim());
            message_text_area.setText(null);
           }else{
            append_message("E_C_002: Unable to generate keys or signature.");
       }else{
           append_message("User is not selected or incorrect message");
      }HANDLER.JAVA (SERVER SIDE RETRIEVE)
  private Scanner           input_data           = null;
  private PrintStream      output_data           = null;
  if(recieved_data.equals(USER_NICK)){
                 String user_name = input_data.nextLine();
                 String user_nick = input_data.nextLine();
                 String message = input_data.nextLine();
                 String public_key = "";
                 for (int i=0; i<5; i++){
                     if(i == 0){
                      public_key = public_key+""+input_data.next();
                     }else{
                      public_key = public_key+"\n"+input_data.next();
                 String signature = "";
                 for (int i=0; i<2; i++){
                     if(i == 0){
                      signature = signature+""+input_data.next();
                     }else{
                      signature = signature+"\n"+input_data.next();
                          //output length and data of key and signature
                 System.out.println(public_key.length());
                 System.out.println(signature.length());
                 System.out.println(public_key);
                 System.out.println(signature);
                 Server.users_messages.addElement(user_name+""+SEPARATOR+""+user_nick+""+SEPARATOR+""+message+""+SEPARATOR+""+public_key+""+SEPARATOR+""+signature);               
            }It seems that length of key and signature in server side are different form client.
  Maybe I'am missing something that correspond sending data in base64????
  All project is here http://fmf.vtu.lt/~knugmanov/Elliptic%20curve%20cryptography%20instant%20messenger.rar
  (import into eclypse).
  For ECC I use iaik classes.
  Thanks in adv.
  Kiril

  here is a code from
  http://www.exampledepot.com/egs/java.security/GetKeyFromKs.html
  This example retrieves from a keystore, the private and public key associated with an alias.
  private and public key are having the same alias ?
  i know a alias for my key but i believe thats for private key not for public key ......is it true that both private and public key have the same alias ?
  and KeyPair is an interface and so its difficult to get a key out of it
  public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password) {
          try {
              // Get private key
              Key key = keystore.getKey(alias, password);
              if (key instanceof PrivateKey) {
                  // Get certificate of public key
                  java.security.cert.Certificate cert = keystore.getCertificate(alias);
                  // Get public key
                  PublicKey publicKey = cert.getPublicKey();
                  // Return a key pair
                  return new KeyPair(publicKey, (PrivateKey)key);
          } catch (UnrecoverableKeyException e) {
          } catch (NoSuchAlgorithmException e) {
          } catch (KeyStoreException e) {
          return null;
      }Message was edited by:
  Unknown_Citizen
  Message was edited by:
  Unknown_Citizen
  Message was edited by:
  Unknown_Citizen

• Identifying Public keys??

  How to identify the public keys if there are many public keys at the client side???
  plz do let me know how to find the wanted public keys...
  asap
  thnx in advnce
  Subhash

  No a person A (other than yourself) creates a key pair. Person A submits
  his/her public key to get a certificate through a certificate request
  protocol. Once that certificate is returned to person A he/she can
  distribute his/her public key to anyone he/she wishes through whatever
  mechanisms he/she wishes. (aka email, floppy, whatever..)
  If you trust the CA who provided the certificate then it is likely you
  will trust the public key associated with it as being from person A. If
  so you can then encrypt messages to person A using his/her publickey/certificate.
  You can use keytool to take an X509 encoded public key/certificate and add
  it to your keystore locally. Once it is in your keystore you can access
  it at will for whatever operations you chose to do including encryption
  or signature verification.
  This all assumes you start out with the public certificate of the CA for
  which signed your friends public key (otherwise known as certifying) already
  on your machine. Java comes with a set of CA certificates of the most common
  CAs including verisign etc..
  If you are the CA then keep a copy of the certificate in your keystore
  and then send it to person A. Now you can get the cert from your local
  keystore anytime you need to encrypt data to be sent to person A.
  Person A should NEVER provide anyone access to his/her private key. That
  defeats the whole process. In fact person A should encrypt his/her private
  key so that should it somehow wind up exposed it is difficult for the key
  itself to be retrieved. This is typically done with PBE...

• How to send Encrypted message using public key in Business Service

  Hi,
  I have one public key (abc.cer) which is given by provider. I have to send encrypted message to Provider using public key. How to achieve it in OSB??
  Thanx
  Edited by: Vinit Ahuja on Jun 16, 2011 3:17 AM

  These are the steps needed to accomplish this:
  1. Import the public certificate in the TrustStore of the OSB Weblogic Server.
  2. Export the public certificate in PEM format. (This will be needed to embed in the custom ws policy)
  3. Create a custom WS policy, with the necessary encryption configuration information. I have placed a sample WS - Policy that I have used @ http://dl.dropbox.com/u/19901533/Sample_Custom_WSPolicy_Encryption.doc for your reference.
  Use a unique value for the wsu:Id in the policy.
  4. Apply this custom policy on the business service in the Request section (assuming you only need to encrypt the request fields)
  5. Activate the changes and then test the business service. You can enable tracing on the BS to validate the encrypted content in the logs.
  Hope this helps.
  Thanks,
  Patrick

• How Sign Message with Certificate (public key)?

  Hi, I need to to send Sign xml message by Certificate file (public key) and read sign message
  so how can i do it ??
  and i should have 2 public key ?? or what ??
  please help :)
  Thanks

  ejp has answered your question, but it seems you did not understand. This forum is not a good place to learn about public key cryptography and message encryption. You should already understand these fundamentals before asking questions here. This forum is about how to implement these crypto operations in the Java programming language. If you are cheap or poor, you can try googling for the more information; wikipedia is good starting point also. If you can afford it, I recommend you buy Practical Cryptography_ by Schneier.

• Server 2008R2 - SSL Certificate Weak Public Key Strength

  Hello -
  I'm using a Windows 2008R2 server and am working on locking the system down. We use the BeyondTrust Retina Network Security Scanner, the scanner returns two results that I'm having trouble solving.
  The first is finding is:
  'SSL Certificate Weak Public Key Strength'
  "Retina has detected that the certificate on the target supports a  cryptographically weak public key strength. An attacker may be able to leverage weaknesses in the public key strength to gain access to sensitive information."
  "Replace the current certificate with one using a high-grade public key strength of 2048 bits of higher"
  **Does anyone have any ideas how to find all the certificates loaded on the machine that aren't at 2048 bits or higher, the system is a standalone machine without internet access**
  The second finding is:
  'SSL Certificate Self-Signed'
  "Retina has detected that the certificate on target is self-signed. Self-signed certificates can provide underlying cryptographic functionality, but cannot guarantee the origin of the certificate is trusted."
  "Verify the certificate is trusted to ensure the confidentiality and integrity of prior encrypted communications. Replace the current self-signed certificate with one signed by a trusted root certificate authority."
  **Anyone have any ideas how to find 'self-signed' certificates? I've tried searching through the certificates store on the local computer, but I can't seem to find a self-issued certificate, but Retina sure found some.**
  Any help would be greatly appreciated!!
  Thanks,
  Ryan

  A self signed certificate is a certificate which Subject attribute equals Issuer attribute. You can use below script to find selfsigned certificates which is selfsigned and public key is less than 2048 bits.
  Be aware that if you search in all possible certificate stores (including Trusted Root CA store) you will find a lot of self signed certificates. Please see my notes in powershell code.
  #Find self-signed certificate which keysize less than 2048. Uncomment one of the lines below
  #$myCerts = Get-Item Cert:\CurrentUser\My #search in Current User Store - Personal - this is the place to look in
  #$myCerts = Get-Item Cert:\LocalMachine\My #search in Local Machine Store - Personal - this is the place to look in
  #$myCerts = Get-Item Cert:\CurrentUser\* #search in Current User Store - this will bring a lot of cert list
  #$myCerts = Get-Item Cert:\LocalMachine\* #search in Local Machine Store - this will bring a lot of cert list
  $myCerts.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
  $myCertsList = Get-ChildItem $myCerts.PSPath
  $myCertsList | where {$_.Subject -like $_.Issuer -and $_.PublicKey.Key.KeySize -lt 2048} | select * #self-signed and less then 2048
  $myCerts.Close()
  Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

• Retrieved public key not match with real public key on certificate

  //@@public key from certificate
  *30 81 89 02 81 81*
  +00 92 28 98 7b 71 5e 3b 58 93 7a 58 cd 9e b8 17 c6 8e 74 51 c7 32 be 73 c6 54 d6 e5 3b c8 3c 89 c5 6c cd 59 b2 40 58 f2 83 f4 8d c8 b0 5f 57 26 d9 27 88 ff 76 1b 2d 5e 78 8c aa 66 2e 68 1e ed 01 5a 09 c9 5f fb 11 9d 33 4d 57 f1 02 f8 61 4b 71 08 c9 da db 5c a7 c8 fa a6 ed f6 d5 1b 78 72 20 33 0b 80 6c 07 e0 14 7c 49 b5 e3 aa 39 79 28 9e 76 3f 9c 23 7b ea 5c b3 fd 79 cb d5 71 3d d4 f9 02 03 01 00 01+
  //@@retrieved public key from certificate partially not match
  *30 3F 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 3F 3F 00 30 3F 89 02 3F 3F*
  +00 92 28 98 7B 71 5E 3B 58 93 7A 58 CD 9E B8 17 C6 8E 74 51 C7 32 BE 73 C6 54 D6 E5 3B C8 3C 89 C5 6C CD 59 B2 40 58 F2 83 F4 3F C8 B0 5F 57 26 D9 27 88 FF 76 1B 2D 5E 78 8C AA 66 2E 68 1E ED 01 5A 09 C9 5F FB 11 3F 33 4D 57 F1 02 F8 61 4B 71 08 C9 DA DB 5C A7 C8 FA A6 ED F6 D5 1B 78 72 20 33 0B 80 6C 07 E0 14 7C 49 B5 E3 AA 39 79 28 9E 76 3F 9C 23 7B EA 5C B3 FD 79 CB D5 71 3D D4 F9 02 03 01 00 01+
       * Convert into hex values
       private static String hex(String binStr) {
            String newStr = new String();
            try {
                 String hexStr = "0123456789ABCDEF";
                 byte [] p = binStr.getBytes();
                 for(int k=0; k < p.length; k++ ){
                      int j = ( p[k] >> 4 )&0xF;
                      newStr = newStr + hexStr.charAt( j );
                      j = p[k]&0xF;
                      newStr = newStr + hexStr.charAt( j ) + " ";
            } catch (Exception e) {
                 System.out.println("Failed to convert into hex values: " + e);
            return newStr;
       * Get public key from keystore.
       * The public key is in the certificate.
       private static Key getPublicKey(String keyname, String keystore)
       throws IOException, KeyStoreException, NoSuchAlgorithmException,
       CertificateException {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(keystore), KEYSTORE_PASS.toCharArray());
            X509Certificate cert = (X509Certificate) ks.getCertificate(keyname);
            if (cert != null) {
                 return cert.getPublicKey();
            return null;
  // Read the public key from keystore certificate
                 RSAPublicKey keystorepub = (RSAPublicKey) keystorecert.getPublicKey();
                 tempPub = keystorepub.getEncoded();
                 sPub = new String( tempPub );
                 System.out.println("Public key from keystore:\n" + hex(sPub) + "\n");Italic part is match part however bold part is not match, i think should be calculation on convert hex incorrect.

  the public key on certificate can view direct in hex format although inside the certificate is in byte[] format,hence during extract public key from certificate via java code,need to convert from byte[] to hex string and then compare it.
  this is the picture of certificate that display public key in hex format
  [http://i225.photobucket.com/albums/dd135/ocibala109/cert.jpg]
  Edited by: ocibala on Oct 7, 2008 8:51 PM

• Out-of-range security question: Export a certificate with the private key

  Hi Forumers'
  As above title mention, if we doing PKI, we sure will get invovle with Certificate.
  The moment i doing WLC and ACS express appliance, where the appliances is not coming with generate CSR feature...So we use openSSL for it.
  To clear my curiousity, Why we need to export the certifiate wit the private key? Itsn't the private key cannot publish to the public ??
  Thanks
  Noel

  Because both appliances are acting as a server, and you would need to have the private key on the server. However, you don't give the private key to all the clients for sure as you mentioned you only need to provide public key to the client, not the private key. Private key should only be kept on the server, and in this case both appliances are the server.

• Certificate for the Diffie-Hellman Public Key

  Hi all
  Hey guys I have run out of ideas.I 'm trying to generate a self signed certificate for the Diffie-Hellman public key.Can anyone tell me how to do this plz.
  Thanks inadvance
  LundiE

  Does this even make sense? What would you sign it
  with? The choices provided by Sun are RSA and DSA.So you trying to tell me that its not possible to generate a self-signed certificate for the Diffie-Hellman.Becoz the way I think a certificate incorporates a public key and the certificate is signed using another keys.
  Thanx once for your input
  Cracker