Ksetup: Enforce use of AES256-CTS-HMAC-SHA1-96 fails

Similar Messages

• HMAC (SHA1) key longer than 81 characters not possible?

  Not sure whether I'm in the correct forum...
  To sign a message for a specific application with HMAC-SHA1 hash I need a 83 character key.
  My problem: the function module 'SET_HMAC_KEY' throws the exception "param_length_error". After I've testet with several key length, I found out, that the maximum valid length is 81. Is there any reason for this?
  With 3rd party libraries (ie. Python and Javascript) longer keys are working.
  Code:
  CALL FUNCTION 'SET_HMAC_KEY'
    EXPORTING
      generate_random_key         = ' '
      alg                         = 'SHA1'
      keycstr                     = 'cB1phTHISISATESTVuZMDmWCz1CEMy82iBC3HgFLpE&7857T...YFqV93gRJQ'
      client_independent          = ' '
    EXCEPTIONS
      unknown_alg                 = 1
      param_length_error          = 2
      internal_error              = 3
      param_missing               = 4
      malloc_error                = 5
      abap_caller_error           = 6
      base64_error                = 7
      calc_hmac_error             = 8
      rsec_record_access_denied   = 9
      rsec_secstore_access_denied = 10
      rsec_error                  = 11
      rng_error                   = 12
      record_number_error         = 13
      OTHERS                      = 14.
  Best regards, Uwe
  Edited by: Julius Bussche on Aug 5, 2010 10:19 PM
  I truncated the key further because in a coding tag it toasts the formatting when too long.

  Hi,
  yes, we can :-). Let say that SAP implementation supports a key with size more than 81 bytes. Then according to specification if the key is longer than block size of hash function (64 bytes for SHA-1) then it would use hash function to reduce original key to new key with size equals to output size of hash function (20 bytes for SHA-1). Therefore doing this step manually before calling SET_HMAC_KEY is equal to calling SET_HMAC_KEY which supports keys longer than 81 bytes.
  The easiest way how to check this is to compare some HMAC-SHA1 implementation with the result produced by my proposed logic.
  DATA: text TYPE string,
          key_str TYPE string,
          hash TYPE hash160x,
          key TYPE xstring,
          hmac TYPE hash512_base_64.
    text = 'Hello'.
    key_str = '012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789'.
    CALL FUNCTION 'CALCULATE_HASH_FOR_CHAR'
      EXPORTING
        data  = key_str
      IMPORTING
        hashx = hash.
    key = hash.
    CALL FUNCTION 'SET_HMAC_KEY'
      EXPORTING
        generate_random_key = space
        alg                 = 'SHA1'
        keyxstr             = key
        client_independent  = space.
    CALL FUNCTION 'CALCULATE_HMAC_FOR_CHAR'
      EXPORTING
        alg        = 'SHA1'
        data       = text
      IMPORTING
        hmacbase64 = hmac.
    WRITE: / hmac.
  Javascript version
  var hmac = Crypto.HMAC(Crypto.SHA1, "Message", "Secret Passphrase");
  var hmacBytes = Crypto.HMAC(Crypto.SHA1, "Message", "Secret Passphrase", { asBytes: true });
  var hmacString = Crypto.HMAC(Crypto.SHA1, "Message", "Secret Passphrase", { asString: true });
  Both implementations return "qsXNz/wecK4PMob6VG9RyRX6DQI=".
  Cheers
  Sorry for formatting but it looks like something is broken.
  Edited by: Martin Voros on Aug 6, 2010 10:34 PM

• HMAC SHA1 Signature for google

  Hi,
  I need to build a google signature using HMAC SHA1 and find a way to do it on our WAS 6.20 system
  You can see the google explaination underhttp://code.google.com/apis/maps/documentation/premier/guide.html#URLSigning.
  I Beleive I can use FM SSFC_BASE64_ENCODE and SSFC_BASE64_DECODE to do the base64 parts.
  However, I don't know how to do the HMAC SHA1 part.
  We don't have FM's like CALCULATE_HMAC_FOR_RAW in our system so I think I'll have to create a new FM but I have no idea how to build this.
  Any ideas?

  Hi James (or anybody else out there),
  Did you ever determine an answer or solution to this?...some feed back whether you were successful or not would be interesting...
  Note that we too would like to leverage the Google Enterprise / Google Map API for Business but have not (yet) figured out how to deal with SHA1 in ABAP.

• Hmac sha1 signature generation error.

  I'm using Flex Builder 4 for accessing cloudstack api and for getting responses. When i execute my flex program, the url is generated with commands, api and the signature. But the Xml is showing an error as below:
  <?xml version="1.0" encoding="UTF-8"?>
  -<listzonesresponse cloud-stack-version="4.0.1.20130201075054">
  <errorcode>401</errorcode><errortext>unable to verify user credentials and/or request signature
  </errortext></listzonesresponse>
  Is it the problem of encoding signature.? I'm using Hmac Sha1. When i did the process in python i got the output as list of zones. 
  Can anyone help me to correct the error?
  Thanks in advance!

  Hi James (or anybody else out there),
  Did you ever determine an answer or solution to this?...some feed back whether you were successful or not would be interesting...
  Note that we too would like to leverage the Google Enterprise / Google Map API for Business but have not (yet) figured out how to deal with SHA1 in ABAP.

• LABVIEW HMAC-SHA1 implementation

  Hello all,
  We have need of an HMAC-SHA1 implementation in Labview. Can anyone help?
  Thanks,
  Josh

  Hello Josh,
  We have a Community example that uses HMAC-SHA1 that might help you get started.  
  SHA-1 Cryptographic Hash Function
  Searching the Community Code Exchange might be a good place to find additional code that has implemented HMAC-SHA1 in LabVIEW.
  Regards,
  M. Whitaker
  ni.com/support

• HMAC-SHA1 ???

  Hello,
  I have to implement a key derivation using HMAC-SHA1.
  Does anybody know where I can find a java class for this
  algorithm?

  Thanks, but I cannot find an Implementation for HMAC/SHA1 in
  javax.crypto.Mac. I got an NoSuchAlgorithmException for every
  constellation of Mac.getInstance() I have tried.
  Mac mac = Mac.getInstance("HmacSHA");     
  mac.update(pkcs5Bytes);
  mac.update(salt);
  tmp = mac.doFinal();Algorithm HmacSHA not available
       at javax.crypto.Mac.getInstance(DashoA12275)

• Enforce using service name

  Naturally, it's not needed to use listener service to establish the new connection to database server.
  I am trying to configure oracle database server in such a way that enforce each connection to use service name. Logging each connection in listener log is the main objective for the configuration.
  Let's consider the following alternavites to establish the connection for database server:
  #1. [oracle@server folder]$sqlplus user/pwd@IP:port/sid (connecting to remove database server)
  #2. [oracle@server folder]$sqlplus user/pwd@SID (connecting locally)
  #3. Connecting to database server via link server
  #4. [oracle@server folder]$sqlplus user/pwd@(.............connection description...........) connecting via jdbc think client.
  #5. [oracle@server folder]$sqlplus / as sysdba (connecting locally)
  #6. [oracle@server folder]$sqlplus user/pwd (connecting locally)
  #5 and #6 doesn't use listener for database connection but listener is needed for #1 to #4.
  Could you please suggest me to configure to enforce using listener so that all the connection will be logged to listener log?
  I want to apply this approach in standalone and RAC environment.
  Thanks in advance.
  Suresh

  Hi Suresh,
  You can force that via Logon Trigger at database level by putting the condition you like on UserENV using Sys_context.
  Just for example when you connected using listener/Net8, Userenv will be having protocol and ip address. even though its coming from same as db server.You can always validate in logon trigger who can or can't connect.
  Test1 : connect using NET8
  [oracle1@gridcluster03 ~]$ sqlplus sys@DB as sysdba
  SQL*Plus: Release 11.1.0.7.0 - Production on Fri Dec 18 15:49:57 2009
  Copyright (c) 1982, 2008, Oracle. All rights reserved.
  Enter password:
  Connected to:
  Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
  With the Partitioning, Real Application Clusters, OLAP, Data Mining
  and Real Application Testing options
  SELECT sys_context('USERENV', 'IP_ADDRESS') "IP_ADDRESS", sys_context('USERENV', 'NETWORK_PROTOCOL') "PROTOCOL" from dual ;
  IP_ADDRESS PROTOCOL
  10.10.12.3 tcp
  TEST2 : Connect Locally :
  [oracle1@gridcluster03 ~]$ sqlplus "/ as sysdba"
  SQL*Plus: Release 11.1.0.7.0 - Production on Fri Dec 18 15:43:48 2009
  Copyright (c) 1982, 2008, Oracle. All rights reserved.
  Connected to:
  Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
  With the Partitioning, Real Application Clusters, OLAP, Data Mining
  and Real Application Testing options
  SQL> column "IP_ADDRESS" format a20
  column "PROTOCOL" format a20SQL>
  SQL> SELECT sys_context('USERENV', 'IP_ADDRESS') "IP_ADDRESS", sys_context('USERENV', 'NETWORK_PROTOCOL') "PROTOCOL" from dual ;
  IP_ADDRESS PROTOCOL
  When connecting locally no information passed to environment.
  =========================
  Hope this is useful and answer your question.
  Regards
  Krishan JAglan

• I used time machine, now my drive has failed and all my files are lost.

  i used time machine, now my drive has failed and all my files are lost. any one know how to get the max osx to see the drive again so i can retrive my files

  kabb30 wrote:
  i used time machine,
  Ok, check
  now my drive has failed
  Which one, the TM drive or the internal boot drive?
  all my files are lost.
  Where? on both drives or just TM or the internal drive?
  any one know how to get the max osx
  yea, if we knew more details of your machine and what you had before and later
  to see the drive again so i can retrive my files
  I don't know what drive failed.
  I'm thinking here your internal drive failed? Was it replaced?
  You have a blank internal drive and a TimeMachine drive and your asking how to reinstall OS X so you can restore from the TimeMachine drive?
  How are you getting here? Another machine or device and what is it?
  We need more details of your situation please.

• Have tried to copy ratings over to a new computer using the export playlist function and this fails... can anyone suggest why?

  have tried to copy ratings over to a new computer using the export playlist function and this fails... can anyone suggest why?

  Because ratings don't travel with the files or the playlist.
  These are two possible approaches that will normally work to move an existing library to a new computer.
  Method 1
  Backup the library with this User Tip.
  Deauthorize the old computer if you no longer want to access protected content on it.
  Restore the backup to your new computer using the same tool used to back it up.
  Keep your backup up-to-date in future.
  Method 2
  Connect the two computers to the same network. Share your <User's Music> folder from the old computer and copy the entire iTunes library folder into the <User's Music> folder on the new one. Again, deauthorize the old computer if no longer required.
  Both methods should give the new computer a working clone of the library that was on the old one. As far as iTunes is concerned this is still the "home" library for your devices so you shouldn't have any issues with iTunes wanting to erase and reload.
  I'd recommend method 1 since it establishes an ongoing backup for your library.
  If you have an iOS device that syncs with contact & calendar data on your computer you should migrate this information too. If that isn't possible create a dummy entry of each type in your new profile and iTunes should offer to merge the existing data from the device into the computer, otherwise the danger is that it will wipe the information from the device.
  If your media folder has been split out from the main iTunes folder you may need to do some preparatory work to make it easier to move. See make a split library portable.
  Should you be in the unfortunate position where you are no longer able to access your original library, or a backup of it, then see Recover your iTunes library from your iPod or iOS device for advice on how to set up your devices with a new library with the maximum preservation of data. If you don't have any Apple devices then see HT2519 - Downloading past purchases from the App Store, iBookstore, and iTunes Store.
  tt2

• My iMac keeps on losing internet connection. Webpages get stuck after a minute or so. If I check the internet connection via diagnostics it seems to work just fine. Others, like the iPad use the same wifi connection and never fail. What can I do?

  Running 10.6.8 on Intel dual core iMac, it keeps on losing internet connection. Webpages get stuck after a minute or so. If I check the internet connection via diagnostics it seems to work just fine. Others, like the iPad use the same wifi connection and never fail. What can I do?

  Greetings,
  I've never seen this issue, and I handle many iPads, of all versions. WiFi issues are generally local to the WiFi router - they are not all of the same quality, range, immunity to interference, etc. You have distance, building construction, and the biggie - interference.
  At home, I use Apple routers, and have no issues with any of my WiFi enabled devices, computers, mobile devices, etc - even the lowly PeeCees. I have locations where I have Juniper Networks, as well as Aruba, and a few Netgears - all of them work as they should.
  The cheaper routers, Linksys, D-Link, Seimens home units, and many other no name devices have caused issues of various kinds, and even connectivity.
  I have no idea what Starbucks uses, but I always have a good connection, and I go there nearly every morning and get some work done, as well as play.
  You could try changing channels, 2.4 to 5 Gigs, changing locations of the router. I have had to do all of these at one time or another over the many years that I have been a Network Engineer.
  Good Luck - Cheers,
  M.

• I have bought used I phone 4s. I cloud fails to accept my apple ID, which is accepted by I tunes. In fact it says that I have used maximum number of user accounts. Kindly help me in this matter.

  I have bought used I phone 4s. I cloud fails to accept my apple ID, which is accepted by apple store and I tuned.
  It says that I have already used maximum number of user accounts. Kindly help to resolve this problem.

  Hello Renvin29,
  It sounds like you need to disable your iPhone remotely. I'm sorry to hear about your phone! The only way to do this with is Apple services is if you had Find my iPhone enabled. You have 2 options:
  You can use this article to put the phone into Lost Mode and preserve your data on it, but prevent access to it:
  iCloud: Use Lost Mode
  http://support.apple.com/kb/PH2700
  Or you can just erase it remotely outright:
  iCloud: Erase your device
  http://support.apple.com/kb/PH2701
  You should also take a look at this article for additional info on what to do about this situation:
  If your iPhone, iPad, or iPod touch is lost or stolen
  http://support.apple.com/kb/HT5668
  Thank you for using Apple Support Communities.
  Take care,
  Sterling

• I just changed my Adobe password and now I am trying to update Adobe flash player - it calls for a password - I just updated it - I use it again to install and it fails ??? What gives?

  I just changed my Adobe password and now I am trying to update Adobe flash player - it calls for a password - I just updated it - I use it again to install and it fails ??? What gives?

  Hi,
  Please see What userid & password do I need to install Flash Player?.
  Maria

• Problem in using HMAC SHA1

  Hi,
  I have written an applet to sign with ALG_HMAC_SHA1. I'm testing it with the CREF given with the Javacard Kit 2.2.2 but it does not work.
  The getInstance just throw the exception.
  the Code is :
  public OTP_RFC4226() {   
          try{
          hmacSha1 = Signature.getInstance(Signature.ALG_HMAC_SHA1, false);---
  If any one have an idea i would be please.
  Thx.
  Cauch

  I have one good news and one bad news for your guys;-
  The Bad news: The Javacard API has ALG_HMAC_SHA1;ALG_HMAC_SHA_256;ALG_HMAC_SHA_384;ALG_HMAC_SHA_512 support on paper, but more less only on paper. Not much cards support them. ( I found one Renesas card which support it, feel free to correct me)
  The Good news: almost all the Javacard support ALG_SHA, please read ALG_HMAC_SHA1 algorithm to see how to impletment your own ALG_HMAC_SHA1 base on ALG_SHA. ( It is easy pieces of cake)

• Enforcing use of class word as naming standard via data modeler preferences

  Using data model preferences, I have set both the "attribute" and "column" naming standards to have mandatory name parts of both "prime word" and "class word". I have also used data model preferences to specify a glossary that has several terms of type "class word" defined.
  My assumption is that if I set a column naming standard preference to have class word as a mandatory name part, then I can apply the default design rules in my relational model and it will list an error "column with wrong naming standards" if any of my column names don't have a name part that is on the list of class words in the specified glossary. Is that assumption correct? If so, it doesn't seem to be working for me...
  How does SDDM determine if a class word is missing? I.e., how can I enforce a naming standard that all attribute/column names must have a class word from our approved list of class words?
  Thanks!

  My assumption is that if I set a column naming standard preference to have class word as a mandatory name part, then I can apply the default design rules in my relational model and it will list an error "column with wrong naming standards" if any of my column names don't have a >name part that is on the list of class words in the specified glossary. Is that assumption correct? yes it's correct.
  If so, it doesn't seem to be working for me...one of the settings cannot be changed - it's "Abbreviated only" in "Preferences>Data Modeler>Naming Standard". So only abbreviated part from glossary is taken into account - I logged bug for that.
  You can change it - it's in dl_settings.xml file in your design's directory - find - abbreviated_only="true".
  How does SDDM determine if a class word is missingIt needs glossary and separator setting.
  You can read more here http://www.oracle.com/technetwork/developer-tools/datamodeler/datamodelernamingstandards-167685.pdf
  Also can look at examples here Data Modeler: Naming
  Philip

• How dows one enforce use of WS-RM policy?

  Hello,
  In the documentation it is stated (in the table under the description of wsrmp:RMAssertion) that:
  *Table B-32 Attributes of <wsrmp:RMAssertion>*
  optional: Specifies whether the Web Service requires the operations to be invoked reliably. Valid values for this attribute are true and false. Default value is false.>
  No matter what I set the attribute to, I never get an error while invoking the web service, even without WS-RM! For example:
  <?xml version="1.0"?>
  <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
       <wsrmp:RMAssertion
                 xmlns:wsrmp="http://docs.oasis-open.org/ws-rx/wsrmp/200702"
                 wsrmp:optional="false" >
            <wsrmp:DeliveryAssurance>
                 <wsp:Policy>
                      <wsrmp:ExactlyOnce />
                 </wsp:Policy>
            </wsrmp:DeliveryAssurance>
       </wsrmp:RMAssertion>
  </wsp:Policy>How can I prevent a web service from being called from a non-reliable client?

  Actually, after fiddling around for a day, I need to blush and retract the question. It turns out that I was using JAX-WS and therefore the reliable messaging policy was being ignored altogether (WLS only supports it for JAX-RPC web services).