Exception in PGP Decryption

Hi,
I updated my policy files to resolve the PGP encryption issue (com.didisoft.pgp.PGPException: error setting asymmetric cipher : Illegal key siz) and it works fine,
but when I'm building the jar and keeping the same in a different server it gives the same exception again. Is there any way I can force my program to read the US_policy & local_policy jar files in my lib folder for encryption rather than reading \Java\jdk1.5.0_07\jre\lib\security\ US_policy & local_policy jar?
The issue is many other programs use that system (server) to run their jobs. I'm scared if I change US_policy & local_policy jar inside \Java\jdk1.5.0_07\jre\lib\security\ US_policy & local_policy jar for the server it might affect other jobs running on that system.
Thanks

1010273 wrote:
Hi,
I updated my policy files to resolve the PGP encryption issue (com.didisoft.pgp.PGPException: error setting asymmetric cipher : Illegal key siz) and it works fine,
but when I'm building the jar and keeping the same in a different server it gives the same exception again. Is there any way I can force my program to read the US_policy & local_policy jar files in my lib folder for encryption rather than reading \Java\jdk1.5.0_07\jre\lib\security\ US_policy & local_policy jar?
The issue is many other programs use that system (server) to run their jobs. I'm scared if I change US_policy & local_policy jar inside \Java\jdk1.5.0_07\jre\lib\security\ US_policy & local_policy jar for the server it might affect other jobs running on that system.
Thanks

What exactly does this problem (or solution) have to do with Oracle RDBMS, which is this forum's topic?
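
On the JDK 1.5 line named in the post, the JCE policy jars are read from the lib/security directory of the JRE that runs the program, so the same jar can fail on one server and work on another. The check below is an added example, not code from the original posts (the class name JcePolicyCheck is hypothetical); run with the same java binary the job uses, it shows which JRE is active and which key sizes its policy permits.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added example: reports the running JRE and the key sizes its JCE policy permits. */
public class JcePolicyCheck {

    /** Largest key size, in bits, that the active policy allows for an algorithm. */
    static String maxKeyBits(String algorithm) throws GeneralSecurityException {
        int max = Cipher.getMaxAllowedKeyLength(algorithm);
        // Integer.MAX_VALUE is returned when the unlimited-strength policy is in effect.
        return max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max);
    }

    /** Attempts the kind of call that fails with "Illegal key size" under the limited policy. */
    static String tryAes256() {
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            // All-zero 256-bit key, used only to exercise the policy check in init().
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
            return "ok";
        } catch (GeneralSecurityException e) {
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // The policy in effect belongs to this JRE, whatever jars sit in the application's lib folder.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        String[] algorithms = { "AES", "Blowfish", "RSA" };
        for (int i = 0; i < algorithms.length; i++) {
            System.out.println(algorithms[i] + " max key bits = " + maxKeyBits(algorithms[i]));
        }
        System.out.println("AES-256 init = " + tryAes256());
    }
}
```

Comparing the output on the working and the failing server shows whether the two jobs run on different JREs or on the same JRE with different policy files.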

Similar Messages

  • PGP decryption in Receiver Channel?

    Hi SAP Gurus,
    We have this HR interface that needs to be encrypted so the data will not be visible within PI monitoring tools.
    As solution, we are planning to use this PGP module to do the encryption and decryption.
    However as much as possible, we are trying to avoid doing the encryption/decryption on partners end (as main purpose is just to hide the data within PI).
    This is the scenario we have in mind:
    File to File scenario
    1) Partner sends the raw file
    2) PI receives the raw file and encrypts it using PGP encryption module and public key installed in PI.
    Sender Channel configuration (does the encryption):
    ENC    applyEncryption    true
    ENC    applySignature    false
    ENC    keyRootPath    C:\usr\sap\PI\keys
    ENC    partnerPublicKey    PIpub.asc
    3) Before PI sends the file which was encrypted earlier in PI, PI decrypts the file using PGP decryption module in the Receiver Communication Channel.
    Receiver Channel Configuration (does the decryption):
    DEC    keyRootPath    C:\usr\sap\PI\keys
    DEC    ownPrivateKey    PIprivate.asc
    DEC    partnerPublicKey    PIpub.asc
    DEC    pwdOwnPrivateKey    ***********
    I tried to test above scenario but I'm getting below error in the receiver communication channel..
    Error    Exception caught by adapter framework: org.bouncycastle.openpgp.PGPPublicKeyRing found where PGPSecretKeyRing expected
    Error    Transmitting the message to endpoint <local> using connection File_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: org.bouncycastle.openpgp.PGPException: org.bouncycastle.openpgp.PGPPublicKeyRing found where PGPSecretKeyRing expected
    Could you please confirm if above mentioned scenario is possible?
    And, what is the cause of the error?
    Thanks

    Hi,
    you can try like this,
    Encryption :
    1    AF_Modules/MessageTransformBean        Local Enterprise Bean    3
    2    AF_Modules/DynamicConfigurationBean    Local Enterprise Bean    2
    3    localejbs/PGPEncryption                Local Enterprise Bean    1
    4    CallSapAdapter                         Local Enterprise Bean    0

    1    applyEncryption     true
    1    encryptionAlgo      AES_256
    1    keyRootPath         XXXXXXX
    1    partnerPublicKey    XXXXXXXXX
    1    pwdOwnPrivateKey    ***
    Regards
    srinivas
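
The Bouncy Castle error quoted in the question reports that a file read as a secret key ring contained a public key ring. The check below is an added example, not part of the original posts or of the SAP module: it reads the first OpenPGP packet tag of an ASCII-armored key file (RFC 4880: tag 5 is a secret key, tag 6 a public key) so each file named in a channel can be checked. The class name and both sample blocks are constructed (the samples hold only a packet header, not a usable key), and Java 8 or later is assumed for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

/** Added example: tells whether an ASCII-armored OpenPGP key file holds public or secret key material. */
public class PgpKeyKind {

    /** Extracts the packet tag from the first octet of an OpenPGP packet header (RFC 4880, section 4.2). */
    static int packetTag(int firstOctet) {
        if ((firstOctet & 0x80) == 0) {
            throw new IllegalArgumentException("bit 7 is clear: not an OpenPGP packet header");
        }
        boolean newFormat = (firstOctet & 0x40) != 0;
        // New format keeps the tag in bits 5-0, old format in bits 5-2.
        return newFormat ? (firstOctet & 0x3F) : ((firstOctet >> 2) & 0x0F);
    }

    /** Returns "secret", "public", or a description of what was found instead. */
    static String classify(String armored) {
        String[] lines = armored.split("\\r?\\n");
        int i = 0;
        while (i < lines.length && !lines[i].startsWith("-----BEGIN PGP ")) {
            i++;
        }
        if (i == lines.length) {
            return "no ASCII armor found";
        }
        i++;
        // Skip armor headers such as "Version: ..." and the blank separator line;
        // base64 data never contains ':'.
        while (i < lines.length && (lines[i].trim().isEmpty() || lines[i].indexOf(':') >= 0)) {
            i++;
        }
        if (i == lines.length || lines[i].startsWith("-----") || lines[i].trim().length() < 4) {
            return "armor has no data";
        }
        // Four base64 characters decode to the first three octets of the first packet.
        byte[] head = Base64.getDecoder().decode(lines[i].trim().substring(0, 4));
        int tag = packetTag(head[0] & 0xFF);
        switch (tag) {
            case 5:  return "secret";   // Secret-Key packet: what ownPrivateKey must point to
            case 6:  return "public";   // Public-Key packet: what partnerPublicKey must point to
            default: return "unexpected first packet, tag " + tag;
        }
    }

    /** Builds a constructed sample: armor around a bare packet header, not a usable key. */
    static String sample(String label, int... headerOctets) {
        byte[] b = new byte[headerOctets.length];
        for (int k = 0; k < b.length; k++) {
            b[k] = (byte) headerOctets[k];
        }
        return "-----BEGIN PGP " + label + " KEY BLOCK-----\n"
             + "Version: constructed sample\n\n"
             + Base64.getEncoder().encodeToString(b) + "\n"
             + "-----END PGP " + label + " KEY BLOCK-----\n";
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) {
            // Classify the key files given on the command line.
            for (String path : args) {
                String text = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
                System.out.println(path + ": " + classify(text));
            }
            return;
        }
        // 0x99 is an old-format header with tag 6, 0x95 an old-format header with tag 5.
        System.out.println("public sample: " + classify(sample("PUBLIC", 0x99, 0x01, 0x0D)));
        System.out.println("secret sample: " + classify(sample("PRIVATE", 0x95, 0x03, 0x98)));
    }
}
```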

  • PGP Decryption Error (File is no valid PGP Message)

    Hi, I'm encountering an error while decrypting a pgp file.  Error is MP: exception caught with cause com.sap.aii.af.lib.mp.module.ModuleException: File is no valid PGP Message, could not apply decryption.
    I have tested decrypting the file using an external tool and was able to decrypt it but not in PI.  Below is my configs in sender commChannel (Note: no file content conversion is involved).  Any ideas on how to resolve this? Thank you.

    Hi Sarah, thanks for the response. I tried arranging the sequence as you've suggested but once saved, it will re-arrange to the old order as below:
    keyRootPath
    ownPrivateKey
    partnerPublicKey
    pwdOwnPrivateKey
    With regards to running XPI Inspector Tool, I will install it first.
    For the meantime, are there other suggestions?
    Thank you.

  • Can't PGP decrypt message

    Hello,
    I'm having problems with decrypting messages from a friend. I have his public key imported and signed as trustworthy, but I couldn't decrypt messages he encrypts with my key.
    Enigmail says: "Error: signature verification failed", and by trying manually through gpg I get the following:
    You need a passphrase to unlock the secret key for
    user: "Luther Throl <[email protected]>"
    4096-bit RSA key, ID 4EDC5AAA, created 2014-01-23 (main key ID C874D86F)
    gpg: problem with the agent: Line passed to IPC too long
    gpg: encrypted with 4096-bit RSA key, ID 4EDC5AAA, created 2014-01-23
    "Luther Throl <[email protected]>"
    gpg: public key decryption failed: Operation cancelled
    gpg: decryption failed: No secret key
    Last edited by luther7hrol (2014-01-26 22:48:00)

    luther7hrol wrote:
    Hello,
    I'm having problems with decrypting messages from a friend. I have his public key imported and signed as trustworthy, but I couldn't decrypt messages he encrypts with my key.
    The way you've worded this suggests you're not clear on how public/private keypair systems work. Having your friend's public key is irrelevant to whether or not your friend can send you encrypted messages. To send you encrypted messages, there is only one requirement: that you have your private key kept secret on your destination machine, and your friend has access to your public key from their machine.
    luther7hrol wrote:
    Enigmail says: "Error: signature verification failed", and by trying manually through gpg I get the following:
    You need a passphrase to unlock the secret key for
    user: "Luther Throl <[email protected]>"
    4096-bit RSA key, ID 4EDC5AAA, created 2014-01-23 (main key ID C874D86F)
    gpg: problem with the agent: Line passed to IPC too long
    gpg: encrypted with 4096-bit RSA key, ID 4EDC5AAA, created 2014-01-23
    "Luther Throl <[email protected]>"
    gpg: public key decryption failed: Operation cancelled
    gpg: decryption failed: No secret key
    This doesn't say a lot without knowledge of what commands you used to generate the key and decrypt the message.
    When I was learning to use GPG/PGP, I set up some dummy accounts on my machine for fake users called Alice, Bob and Eve. Then I did exercises like setting up key pairs for Alice and Bob, and have Bob create a signed message encrypted for Alice, and then see what information Eve can discover when "she" intercepts the message. You might wish to consider doing similar exercises.

  • PGP Decryption for SAP ECC

    Hi All,
    We're implementing a credit card solution for Travel and Expense and will be getting an encrypted credit
    card transaction file from the credit card vendor.
    The encryption being used is of type PGP standard RFC 4880 (http://www.openpgp.org/).
    I would like to know if SAP ECC supports the Decryption for the same and if any documentation is available for the decryption.
    Any pointers in this regard will be useful.
    Thanks in advance.

    I am not aware of built-in functionality in SAP for PGP encryption / decryption. Maybe some third party / ISV can provide code for it.
    Although there are some Encryption FM available but I don't think they use PGP... For storing Credit Card number, you can check -- PTRM_WEB_CREDIT_CARD

  • PGP Decryption

    Hi Everyone,
    I need to decrypt the file and then process it in SAP XI. I found 4 methods by which we can do it.
    Can anyone explain to me how to implement any of them?
    1) PGP encryption at OS level - As per other threads, I need to install some software and run a command. Which software I need to install? Is it free? Any blog on that?
    2) PGP encryption using Module - What should I write in code? Any sample module for PGP?
    3) PGP encryption using AEDAPTIVe Module --??
    4) PGP encryption using UDF ---?
    Regards
    Inder

    Hi Inder,
    Please refer document at this link -
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0ac06cf-6ee2-2c10-df98-e17430ca5949?quicklink=index&overridelayout=true
    This should provide help as reference in writing adapter modules for encryption/decryption of data.
    Thanks,
    Anoop

  • Sender PGP Decryption

    Hi folks,
    I'm configuring a scenario where I have to read a pgp encrypted file from a third party location. I have the following configuration in the module of my file (FTP) sender communication channel.
    keyRootPath - \\PISERVER\usr\sap\POD\J00\sec
    ownPrivateKey - secret-key-5749C889.asc
    pwdOwnPrivateKey - *******
    partnerPublicKey - abcrsolutions.asc
    I got this error in the communication channel - com.sap.engine.services.jndi.persistent.exceptions720.NameNotFoundException: Object not found in lookup of PGPcryption.
    My ping channel works fine.
    I appreciate your suggestions.
    Thanks
    Sathish

    Your path seems to be invalid..
    Did you place the files on the shared drive "PISERVER"?
    If it is on the PI file system then you don't need to add "PISERVER" just provide the complete path like
    "/usr/sap/SID/<<Instance>>/folderpath" or relative path like
    "../../../../SYS/global/folderpath"
    Reference : http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0956fc4-c48f-2f10-29ba-d2ea7ae4f342?overridelayout=t…

  • Linux script for PGP encryption

    Hello,
    We are trying to do PGP encryption by giving the OS command in the File adapter. Can somebody provide me the exact linux script that we should use to do PGP encryption?
    Note: We have XI-3.0 on LINUX.
    Promise points for helpful answers.
    Regards,
    Raji.

    Hi Rajashree
    PGP Encryption is used to support the transmission of sensitive data to / from third party systems via XI.
    Adapter modules are developed to encrypt the file using PGP.
    We had a similar requirement where we used PGP encryption. The module was developed using Cryptix OpenPGP, which is a Java implementation of the OpenPGP standard. When the module is called in the adapter, it uses the PGP key provided by the party that will receive the encrypted message. This module should be called prior to calling the SAP adapter.
    Logic Flow/Processing:
    1. Read the XML payload and message for getting the needed data.
    2. Read the key to be used in the encryption and log the key to be used and the beginning of the encryption.
    3. Call the PGP encryption and compression method.
    4. Log whether encryption has been successful.
    5. Set as payload the message content encrypted, and the principal data.
    6. If any error occurs, logs an exception in PGP adapter module and the error reason.
    7. Return the message.
    Go through these links
    Is there any FTP API available from SAP?
    Send Text file to FTP in binary mode with PGP encryption
    http://www.webmethods.com/meta/default/folder/0000007429
    Converting IDOC to XML
    XI implementation
    http://www1.webmethods.com/PDF/webMethods_for_SAP-wp.pdf
    Current versions found at http://www.cryptix.org and http://www.bouncycastle.org.
    http://www.bouncycastle.org/documentation.html
    If you want to use the unix script on windows then you need cygwin. Take the shell executable and cygwin.dll and copy them to another machine and try out.
    Else you write an .exe or a batch file where you will give your PGP command to encrypt and decrypt and execute it from the OS level in your adapter. Check my answer in this thread:
    Re: PGP Encription
    Might be useful.
    PGP Encription
    Re: PGP Encription
    Re: triggering encryption script with XI
    Pls rewards if useful

  • REG: Usage of PGP(pretty good privacy) encryption

    Hi all,
    I need to use PGP encryption in XI. Can you suggest whether it is possible or not? If yes, can you tell me how it can be done?

    hi,
    PGP Encryption is used to support the transmission of sensitive data to / from third party systems via XI.
    Adapter modules are developed to encrypt the file using PGP.
    We had a similar requirement where we used PGP encryption. The module was developed using Cryptix OpenPGP, which is a Java implementation of the OpenPGP standard. When the module is called in the adapter, it uses the PGP key provided by the party that will receive the encrypted message. This module should be called prior to calling the SAP adapter.
    Logic Flow/Processing:
    1. Read the XML payload and message for getting the needed data.
    2. Read the key to be used in the encryption and log the key to be used and the beginning of the encryption.
    3. Call the PGP encryption and compression method.
    4. Log whether encryption has been successful.
    5. Set as payload the message content encrypted, and the principal data.
    6. If any error occurs, logs an exception in PGP adapter module and the error reason.
    7. Return the message.
    regards
    kummari

  • PGP Encryption using Module in PI 7.1

    Hi Experts,
    We have developed a module for PGP Decryption and deployed it as a module in our PI 7.1 server.
    We have placed the public and private key certificates (Privatekey.txt, PubKey.txt) and jar files (bcpg-jdk15-1.44.jar, bcprov-ext-jdk14-146.jar, bcprov-jdk14-146.jar) in the below path of our PI FTP server.
    "/usr/sap/<SID>/DVEBMGS03/exe/sapjvm_5/jre/lib/ext"
    In Module while reading the private key file it is failing to read and going to else block and throwing "Key is null"
    secretkeylocation = moduleContext.getContextData("SecretKeyLocation"); //Reading the path dynamically from channel
    try {
                iinKey = getClass().getResourceAsStream(secretkeylocation);
                      if(inKey == null)
                         throw new ModuleException("$$$$ key is null $$$$$");
    NOTE: We have tried placing the public and private key certificates in a different folder, but faced the same issue again.
    The above scenario we have developed using Java mapping. Here it worked successfully:
    String privateKeyPath = "/com/sap/pgp/secring.skr";   //placed certificates here
    inKey = getClass().getResourceAsStream(privateKeyPath); //Reading the file
    Could you please suggest?

    This was fixed by using bufferreader and converting it to inputstream

  • Decryption of Blowfish key

    All,
    I have a Blowfish key that was originally generated elsewhere, I assume with PHP. I need to use this key like so:
    1. Do mysql query from db for username and password.
    2. Decrypt username and password.
    I am new to encryption. Not sure if a key is a keystore, a key a certificate, etc.?
    How can I load this baby and use it? I am doing my own research, but I am new to encryption, so this will take a while : (
    M

    I have adjusted my method, there are no exceptions, but my decrypted string looks funny:
    1kgZslMOZl6M9A7AW0OpzeReMeedZ4iUqEdIw4r8zAQ=
    Also, when I try to decrypt field from mysql in the same row, with the same key, I get invalid padding errors.
    I get the encrypted data from mysql using:
    public static Hashtable<String,String> Info(String coId)throws Exception {
              boolean isConnected = false;
            // TODO Auto-generated method stub
            Hashtable<String, String> Info = new Hashtable<String,String>();
            if (!isConnected) {
                  // Makes connection
                  try {
                        Class.forName("com.mysql.jdbc.Driver");
                        Connection connect = DriverManager.getConnection("fdfsdfdfsd","sdasd","sdad");
                  isConnected = true;
                  PreparedStatement s = connect.prepareStatement("SELECT ID, PASSWORD FROM  WHERE CoID=? AND ID IS NOT NULL AND PASSWORD IS NOT NULL;");
                  s.setString(1, coId);
                  BASE64Decoder base64 = new BASE64Decoder();
                  ResultSet rs = s.executeQuery();
                  int keyIndex = 0;
                  while (rs.next()) {
                       Blob idBlob = rs.getBlob("ID");
                       Blob passBlob = rs.getBlob("PASSWORD");
                      (int)passBlob.length());
                       InputStream inP = passBlob.getBinaryStream();
                       InputStream inID = idBlob.getBinaryStream();
                       byte[] p = base64.decodeBuffer(inP);
                       byte[] id = base64.decodeBuffer(inID);
                       String pp = new String(p, "UTF8");
                       String idid = new String(id, "UTF8");
                      Info.put("ID", idid);
                      Info.put("PASSWORD", pp);
    Main Method:
    public static void main(String[] args)throws Exception{
              BlowfishWorker blowfish = new BlowfishWorker();
              Hashtable<String, String> login = new Hashtable<String, String>();
              login =  blowfish.salesForceInfo("Company");
              String id = login.get("ID");
              //System.out.println("print id"+id);
              String password = login.get("PASSWORD");
              //System.out.println("Before decryption");
              //String passwordDB = new String(password);
              System.out.println("----------------------------");
              System.out.println("After decryption");
              String p = blowfish.decrypt(password);
              // I get 1kgZslMOZl6M9A7AW0OpzeReMeedZ4iUqEdIw4r8zAQ= for p
              System.out.println("Pass: "+p);
              System.out.println("------------------------------------");
              }
    Method:
    public String decrypt(String item)throws Exception{
              FileReader fileReader = new FileReader("C:\\Documents and Settings\\mike\\Desktop\\key");
              BufferedReader reader = new BufferedReader(fileReader);
              String line="";
              String actualKey = null;
              String[] parts;
              Hashtable<String, String> keyLine = new Hashtable<String, String>();
              int rowCount =0;
              while((line = reader.readLine())!= null){
                   //System.out.println(line);
                   keyLine.put("key"+rowCount, line);
                   rowCount++;
              }
              for(int i =0;i<keyLine.size();i++){
                   if(i==1){
                        parts = keyLine.get("key"+i).split("=");
                        actualKey = parts[1];
                   }
              }
              //System.out.println("key:"+actualKey);
              Cipher cipher = Cipher.getInstance("Blowfish/CBC/NoPadding");
              byte[] keyBytes = actualKey.getBytes("UTF8");
              byte[] incomingBytes = item.getBytes("UTF8");
              Key myKey = new SecretKeySpec(keyBytes, "Blowfish");
              String keyAlg = myKey.getAlgorithm();
              System.out.println("Algorithm:"+keyAlg);
              String keyFormat = myKey.getFormat();
              System.out.println(keyFormat);
              AlgorithmParameterSpec iv = new IvParameterSpec(new byte[8]); // Create an IV of all zeros.
              cipher.init(Cipher.DECRYPT_MODE, myKey,iv);
              BASE64Encoder encoder = new BASE64Encoder();
              byte[] result = cipher.doFinal(incomingBytes);
              String finalResult = encoder.encode(result);
              return finalResult;
         }
    Edited by: ink86 on Jan 18, 2008 11:46 AM
    Edited by: ink86 on Jan 18, 2008 11:50 AM
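
The order of operations the post above is working through, as an added example that is not part of the original thread: stored text is Base64-decoded to bytes, the bytes are decrypted, and only the resulting plaintext becomes a String. The class name, the key and the storage layout (Base64 of an 8-byte IV followed by the ciphertext, with PKCS5 padding) are assumptions made for a self-contained round trip; data written by another program has to be read with that program's own mode, padding and IV. Java 8 or later is assumed for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: Blowfish/CBC round trip with ciphertext stored as Base64 text. */
public class BlowfishRoundTrip {

    private static final String TRANSFORMATION = "Blowfish/CBC/PKCS5Padding";
    private static final int IV_LEN = 8; // Blowfish block size in bytes

    /** plaintext -> UTF-8 bytes -> encrypt -> Base64(IV || ciphertext) */
    static String encrypt(byte[] key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "Blowfish"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Base64 text -> bytes -> decrypt -> UTF-8 String: the reverse order of encrypt(). */
    static String decrypt(byte[] key, String stored) throws Exception {
        byte[] raw = Base64.getDecoder().decode(stored);
        if (raw.length <= IV_LEN || (raw.length - IV_LEN) % IV_LEN != 0) {
            throw new IllegalArgumentException("stored value is not IV plus whole cipher blocks");
        }
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "Blowfish"),
               new IvParameterSpec(raw, 0, IV_LEN));
        byte[] pt = c.doFinal(raw, IV_LEN, raw.length - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    /** Shows why raw cipher bytes must not pass through a String: invalid UTF-8 is replaced. */
    static boolean survivesStringRoundTrip(byte[] raw) {
        byte[] back = new String(raw, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        return Arrays.equals(raw, back);
    }

    public static void main(String[] args) throws Exception {
        // Constructed 16-byte sample key; a real key comes from the system that encrypted the data.
        byte[] key = "constructed-key!".getBytes(StandardCharsets.UTF_8);

        String stored = encrypt(key, "s3cret-sample");
        System.out.println("stored    : " + stored);
        System.out.println("decrypted : " + decrypt(key, stored));

        // Constructed bytes that are not valid UTF-8, standing in for binary ciphertext.
        byte[] raw = { (byte) 0xD6, 0x48, 0x19, (byte) 0xB2 };
        System.out.println("raw bytes survive String round trip: " + survivesStringRoundTrip(raw));
    }
}
```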

  • Want  to decode PGP encrypted edi files with oracle soa b2b 11.1.1.6.0

    I am working on a scenario where the trading partner (TP) will publish the EDI to our FTP server. These EDI files are encrypted using PGP software (we have to provide them our public key for this).
    I have never worked with encryption\ decryption before, but I understand the theory of cryptography.
    Question 1: Can we install PGP on top of soa 11g server and configure the b2b to decode the file using our private key.
    Question 2: If SOA 11g server does not support PGP, then shall I install PGP at the FTP server, and use Java to decode the file (using the private key) to a new location so that B2B can pick the decoded file from there.
    These are two strategies I have planned; please guide me which one is feasible/best, and if you know the steps to implement, please do share them with me.
    Thanks in advance.
    Syam
    Edited by: user12196358 on May 10, 2013 4:28 PM

    Both options are feasible but for option#1 (PGP decryption at B2B/SOA), you have to write a java callout. B2B/SOA 11g does not support PGP out-of-box but it can be achieved using java callout. I would prefer option#2, personally as in this case, PGP decryption will be done out of SOA/B2B and hence it will be hot pluggable (can be removed in future, if required, without modifying SOA/B2B configuration).
    Regards,
    Anuj

  • Decrypting encPart  example?  Checksum failed

    I'm trying to decrypt the encrypted data part of the Kerberos ticket. My understanding of the algorithm is where I believe I'm mixed up somewhere (all code is server side):
    1) The login context on the server side provides a Subject which contains the private key of the server when storeKey=true in the configuration, of type KerberosKey. This is the key that can be used to decrypt the EncryptedPart of the client's ticket.
    LoginContext lc = new LoginContext(LCONF_SVR, new TextCallbackHandler());
    lc.login();
    Subject sub = lc.getSubject();
    // Get KerberosKey from private creds
    for (Iterator i = sub.getPrivateCredentials().iterator(); i.hasNext();) {
        Object o = i.next();
        if (o instanceof KerberosKey) {
            svrPrivKey = (KerberosKey)o;
            break;
        }
    }
    2) This KerberosKey can be used to create an EncryptionKey:
    EncryptionKey privKey = new EncryptionKey(svrPrivKey.getEncoded(),
                                              svrPrivKey.getKeyType(),
                                              svrPrivKey.getVersionNumber());
    2) When con.requestCredDeleg(true) on the client side, after con.isEstablished()==true, con.getDelegCred() on the server side returns a GSSCredentials which, along with con.getSrcName(), can create a Subject that contains the client's KerberosTicket in its private credentials.
    Subject delegSub = GSSUtil.getSubject(con.getSrcName(), con.getDelegCred());
    Set<KerberosTicket> tickets = delegSub.getPrivateCredentials(KerberosTicket.class);
    3) The KerberosTicket EncryptedPart can be decrypted using the server's EncryptedKey above, with "usage = 2":
    for (Iterator ti = tickets.iterator(); ti.hasNext();) {
      KerberosTicket kbrTicket = (KerberosTicket)ti.next();
      Ticket ticket = new Ticket(kbrTicket.getEncoded());
      encTicketPart = new EncTicketPart(ticket.encPart.decrypt(privKey, 2));
    }
    There's something wrong with my understanding, as I am always getting "KrbException: Checksum Failed." from the decrypt, from down in sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt. (Where can I get the source for sun.security.krb5 packages for debugging, btw?).
    Where am I going wrong? Can someone point me to example code that shows how to get from a KerberosTicket to a EncTicketPart?
    Thanks!
    B Atkins

    Here is how I get the AP-REQ out of the byte[] received on the socket from the Client:
      /**
       * Parses the token received from the Client
       * (GSS-API InitialContextToken)
       * Encoding: ASN.1 DER
       */
      private byte[] parseToken(byte[] token) throws Exception {
        DerInputStream dis = new DerInputStream(token);
        // get the GSS sequence (set is the same, and has constructed flag)
        DerValue[] values = dis.getSet(token.length, true);
        // Look for the AP_REQ tag [APPLICATION 14] (constructed)
        for (int i=0; i<values.length; i++) {
          DerValue value = values[i];
          if (value.isConstructed((byte)14)) {
            value.resetTag(DerValue.tag_Set);
            return parseApReq(value.toDerInputStream(), value.length());
          }
        }
        throw new Exception("No AP-REQ found in GSS InitialContextToken");
      }
    Here's the parsing of that AP-REQ:
      /**
       * Parses the AP-REQ PDU, which is the innerContextToken of
       * the GSS InitialToken.
       * Encoding: ASN.1/DER
       */
      private byte[] parseApReq(DerInputStream dis, int len) throws Exception {
        // get the AP_REQ sequence (set is the same, and has constructed flag)
        byte apOptions = 0;
        DerValue ticket = null;
        DerValue[] values = dis.getSet(len, true);
        for (int i=0; i<values.length; i++) {
          DerValue value = values[i];
          if (value.isContextSpecific((byte)2)) {
            // Get the bit string encapsulated in the
            // context specific outer element.
            apOptions = value.getData().getDerValue().getBitString()[0];
          }
          else if (value.isContextSpecific((byte)3)) {
            // Get the value encapsulated in the
            // context specific outer element.
            ticket = value.getData().getDerValue();
          }
        }
        if (ticket == null)
          throw new Exception("No Ticket found in AP-REQ PDU");
        return getAuthorizationData(new Ticket(ticket), serverSub, apOptions);
      }
    Here's the part that extracts the encPart and decrypts it.  The server subject passed in is from the LoginContext.getSubject() on the server side, after lc.login().
      /**
       * Decrypt the EncryptedData into EncTicketPart
       * Encoding: ASN.1/DER
       */
      private byte[] getAuthorizationData(Ticket ticket, Subject svrSub, byte ops)
          throws Exception {
        EncryptionKey key;
        if (useSessionKey(ops))
          key = getSessionKey(svrSub);
        else
          key = getPrivateKey(svrSub);
        byte[] cleartext = ticket.encPart.decrypt(key, 2);
        if (cleartext.length <= 0)
          throw new Exception("zero length decrypt");
        EncTicketPart encPart = new EncTicketPart(cleartext);
        byte[] authPac = parseAuthData(encPart.authorizationData.asn1Encode(), 1);
        return parseAuthData(authPac, 128);
      }
    Here's the key handling part, where *both* the Session and Private keys are acquired:
      private EncryptionKey getSessionKey(Subject sub) throws Exception {
        KerberosCreds creds = getKrbCreds(sub);
        SecretKey secKey = creds.ticket.getSessionKey();
        return new EncryptionKey(secKey.getEncoded(), 23, new Integer(2));
      }
      private EncryptionKey getPrivateKey(Subject sub) throws Exception {
        KerberosCreds creds = getKrbCreds(sub);
        return new EncryptionKey(creds.key.getEncoded(),
                                 creds.key.getKeyType(),
                                 new Integer(2));
      }
      /**
       * Get credentials (KerberosKey and/or KerberosTicket) from a
       * Subject
       */
      private KerberosCreds getKrbCreds(Subject sub) {
        // Get the Client's Kerberos ticket from the private credentials
        // of the subject.
        KerberosCreds ret = new KerberosCreds();
        Set<Object> creds = sub.getPrivateCredentials(Object.class);
        for (Iterator<Object> i = creds.iterator(); i.hasNext();) {
          Object cred = i.next();
          if (cred instanceof KerberosTicket)
            ret.ticket = (KerberosTicket)cred;
          if (cred instanceof KerberosKey)
            ret.key = (KerberosKey)cred;
        }
        return ret;
      }
    As you can see, this has turned a GSS implementation into something that's very Kerberos (and AD, for that matter) specific.
    Edited by: batkins on Feb 22, 2008 12:14 PM
    Edited by: batkins on Feb 22, 2008 12:17 PM
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          

  • Mucho strangeness: passwords not propagating to AD, and other annoyances

    Hi all,
    I'm dealing with a few problems in IDM at the moment, and am looking at a small grab-bag of symptoms, which may or may not be linked to each other or to the problem at all.
    The main current problem is that passwords aren't propagating into our Active Directory servers, although they did in the past.
    First a quick summary of our environment, we are running IDM 5.5, we have a central mysql DB which is the source of user information, 3 different tables, one for each class of user. Activesync is in use to watch these tables, and we have a custom user form for each table too.
    We are feeding account data into an LDAP server, which is working fine, and to a pair of Active Directory Servers, one for testing/development, and one intended to be for production, except the 'production' server isn't actually in production yet.
    Password information is held in the mysql tables, in 2 different forms, 1) pre-encrypted unix hashes, and pgp-encrypted plaintext, we use the pgp-encrypted plaintext to feed the AD servers, and the unix-hashes for the LDAP.
    Amongst other things the custom forms are calling locally written java code to reverse the pgp-encryption.
    Because the AD boxes weren't in production, we don't know when things broke, or what may have changed to cause the breakage.
    The symptoms I've found are as follows:
    - account creation on AD works, including the initial password,
    - password changes are not going through to the AD servers,
    - changes to other fields in the mysql tables, do propagate (ie, changes to names, email addresses, vacation settings),
    - Our custom user form gets run 3 times, on any change to an account within the mysql tables,
    - The first time the form is run, the waveset.accountId is, sometimes, null, (maybe this is on account creation?)
    - The first time the form is run, activeSync.pgp_pass (our pgp encrypted plaintext password) is always null,
    - on an attempted password change, the task log doesn't show that it is trying to change the password, only that the Account was 'updated',
    - on changing any other field, the task log shows that it was changing that field, although it does show other fields that may have been changed,
    - the catalina.out (we run tomcat), does show that the passwords are being correctly decrypted from the pgp form,
    I'm stuck at this point, can anyone make any suggestions?

    Hi Again,
    This reply is just to let people know what happened with the issues I listed above.
    - The user form being run 3 times, I don't fully understand this one, but I did reduce the amount of work the form did by turning the pgp decryption from an Expansion, to a Derivation field type.
    - the empty attributes, the first time the form is run, does appear to be due to the first appearance of a user account, ie waveset.accountId is empty because it hadn't been generated yet for this user,
    The basic problem of the passwords not pushing out was a naming issue, when we first developed the software to decrypt the passwords, we put it in global.pass, and in the schema maps, placed entries like pass->userPassword. At that point the system worked, then we decided to be more explicit and decided to name the attribute password instead.
    Which meant the schema map was now working with the password. namespace and the password.password attribute, which in turn meant the password distribution failed, because we didn't set password.confirmPassword, or the password.selectAll attributes.
    We were lazy, and didn't expect what looked like an attribute name change to be able to change anything, so we didn't notice the passwords stopped propagating.
    As you can see from the above we are still learning how this all works :-(

  • Encryption

    How is OS command level encryption different from the Adapter Module encryption technique?
    thanks

    Hi Jenni !
    https://www.sdn.sap.com/irj/sdn/forums
    Sample code can be found here:
    http://help.sap.com/saphelp_nw04s/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm
    Refer to this PDF: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
    encryption/decryption
    XI does not support PGP encryption by default, you need to write an OS level command for that and use it in the File adapter. Have a look at the following:
    Re: XI and PGP Encryption
    Re: XI and PGP Encryption
    How To Configure Message Level Security in SAP XI 3.0
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2e7020d-0d01-0010-269c-a98d3fb5d16c
    like this one:
    /people/varadharajan.krishnasamy/blog/2007/05/11/how-to-use-digital-certificates-for-signing-encrypting-messages-in-xi
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2e7020d-0d01-0010-269c-a98d3fb5d16c
    refer also
    http://help.sap.com/saphelp_nw04s/helpdata/en/a8/882a40ce93185de10000000a1550b0/content.htm
    How to achieve encryption in XI
    http://help.sap.com/saphelp_nw04s/helpdata/en/4f/65c3b32107964996a56e4165077e24/frameset.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2e7020d-0d01-0010-269c-a98d3fb5d16c
    http://help.sap.com/saphelp_nw04s/helpdata/en/a8/882a40ce93185de10000000a1550b0/content.htm
    /people/sap.user72/blog/2005/06/16/using-digital-signatures-in-xi
    How to achieve encryption in XI
    Encryption in XI
    XI Encryption
    Deploying the SAP Java Cryptographic Toolkit
    http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/frameset.htm
    Key Storage Service
    http://help.sap.com/saphelp_nw04/helpdata/en/e9/a1dd44d2c83c43afb5ec8a4292f3e0/frameset.htm
    If these things are already done then you need just a few modifications in the adapter configuration.
    In FTP Connection Parameters -> command line -> FTPS (Control and Data connection)
    You can also go through the blogs
    Encryption(SSL)
    /people/varadharajan.krishnasamy/blog/2007/05/11/how-to-use-digital-certificates-for-signing-encrypting-messages-in-xi
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2e7020d-0d01-0010-269c-a98d3fb5d16c
    Examples for Using Digital Signatures
    http://help.sap.com/saphelp_nw04s/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm
    XI and PGP Encryption
    Re: XI and PGP Encryption
    Linux script for PGP encryption
    PGP Encryption is used to support the transmission of sensitive data to / from third party systems via XI.
    Adapter modules are developed to encrypt the file using PGP.
    We had a similar requirement where we used PGP encryption. The module was developed using Cryptix OpenPGP, which is a Java implementation of the OpenPGP standard. When the module is called in the adapter, it uses the PGP key provided by the party that will receive the encrypted message. This module should be called prior to calling the SAP adapter.
    Logic Flow/Processing:
    1. Read the XML payload and message for getting the needed data.
    2. Read the key to be used in the encryption and log the key to be used and the beginning of the encryption.
    3. Call the PGP encryption and compression method.
    4. Log whether encryption has been successful.
    5. Set as payload the message content encrypted, and the principal data.
    6. If any error occurs, log an exception in the PGP adapter module and the error reason.
    7. Return the message.
    Go through these links:
    Is there any FTP API available from SAP?
    Send Text file to FTP in binary mode with PGP encryption
    http://www.webmethods.com/meta/default/folder/0000007429
    Converting IDOC to XML
    XI implementation
    http://www1.webmethods.com/PDF/webMethods_for_SAP-wp.pdf
    Current versions found at http://www.cryptix.org and http://www.bouncycastle.org.
    http://www.bouncycastle.org/documentation.html
    If you want to use the unix script on windows then you need cygwin. Take the shell executable and cygwin.dll and copy them to another machine and try out.
    Else you write an .exe or a batch file where you will give your PGP command to encrypt and decrypt and execute it from the OS level in your adapter. Check my answer in this thread:
    Re: PGP Encription
    Might be useful.
    PGP Encription
    Re: PGP Encription
    Re: triggering encryption script with XI
    Pls reward if useful
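
Steps 2 to 5 of the logic flow in the post above, written against the Bouncy Castle OpenPGP API that the post links to. This is an added example, not code from the post or from SAP: the class name, the sample payload and the key-file argument are assumptions, and it is plain Java without the XI adapter module interfaces.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import org.bouncycastle.bcpg.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.operator.jcajce.*;

public class PgpPayloadEncryptor {
    // Step 2: read the receiving party's public key ring and pick a usable encryption key.
    static PGPPublicKey readEncryptionKey(InputStream in) throws IOException, PGPException {
        PGPPublicKeyRingCollection rings = new PGPPublicKeyRingCollection(
                PGPUtil.getDecoderStream(in), new JcaKeyFingerprintCalculator());
        for (Iterator<PGPPublicKeyRing> r = rings.getKeyRings(); r.hasNext();)
            for (Iterator<PGPPublicKey> k = r.next().getPublicKeys(); k.hasNext();) {
                PGPPublicKey key = k.next();
                if (key.isEncryptionKey() && !key.hasRevocation()) return key;
            }
        throw new PGPException("no usable encryption key in key ring");
    }
    // Steps 3-5: compress, encrypt with an integrity packet, return the armored payload.
    static byte[] encrypt(byte[] payload, PGPPublicKey key) throws IOException, PGPException {
        ByteArrayOutputStream zipped = new ByteArrayOutputStream();
        PGPCompressedDataGenerator zip = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
        OutputStream lit = new PGPLiteralDataGenerator().open(zip.open(zipped),
                PGPLiteralData.BINARY, "payload", payload.length, new Date());
        lit.write(payload);
        lit.close();   // finishes the literal data packet
        zip.close();   // finishes the compressed data packet
        PGPEncryptedDataGenerator gen = new PGPEncryptedDataGenerator(
                new JcePGPDataEncryptorBuilder(SymmetricKeyAlgorithmTags.AES_256)
                        .setWithIntegrityPacket(true).setSecureRandom(new SecureRandom()).setProvider("BC"));
        gen.addMethod(new JcePublicKeyKeyEncryptionMethodGenerator(key).setProvider("BC"));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (OutputStream armor = new ArmoredOutputStream(out);
             OutputStream enc = gen.open(armor, zipped.size())) {
            zipped.writeTo(enc);
        }
        return out.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider()); // registers the "BC" provider used above
        byte[] payload = "<emp><id>1001</id></emp>".getBytes(StandardCharsets.UTF_8); // constructed sample
        try (InputStream keyIn = new FileInputStream(args[0])) { // args[0]: recipient's public key file (assumed)
            System.out.println(new String(encrypt(payload, readEncryptionKey(keyIn)), StandardCharsets.US_ASCII));
        }
    }
}
```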
