Entering content frame

Procedure documentation Getting Key Storage Service Locate the document in its SAP Library structure

Use

The Key Storage Service uses an independent code and user-based security to protect its entries – both views and certificates.

·        The used code permission implementation is com.sap.engine.lib.security.EnginePermission, with the permission target EnginePermission.TARGET_KEYSTORE and permission actions in the format:

<type>:<command>[:<view_alias>[:<entry_alias>]]

·        The code-based permissions check is done even with no active security manager and only against the protection domains of J2EE application. Services and libraries all have code based permissions by default

·        The main interface for security management iscom.sap.engine.interfaces.keystore.SecurityConnector. It is obtained from the KeystoreManager:

SecurityConnector securityConnector = keystoreManager.getSecurityConnector();

To use the SecurityConnector methods, the current user must be mapped to the “Administrators” SAP J2EE Engine security role. If the J2EE application creates a view or an entry, the appropriate code and user-based permissions will be granted automatically – for this purpose, the J2EE applications’ protection domain and the current user will be used.

The Key Storage service consists of two parts:

·        Interface – a SAP J2EE Engine interface component, which usually represents a public face of a service.

The interface part is located in  ../bin/ interfaces/keystore_api/keystore_api.jar. The main interface is com.sap.engine.interfaces.keystore.KeystoreManager. The Service or J2EE application reference name and the lookup name is keystore_api

·        Service - a SAP J2EE Engine Key Storage Provider service component

The Service part is located in ../bin/services/keystore/keystore.jar. The main interface is com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper. The Service or J2EE application reference name and the lookup name is keystore.

Recommendation

The Key Storage Service can be used fully from its Service part, but we recommend that you use it via the Interface part.

The Keystore Interface component is a set of interfaces, which are the public face of the Service Key Storage component. That is, it is not a separate object in the JNDI naming space. The Key Storage Service implements the Keystore Interface component and binds the implementation to the ObjectRegistry and JNDI.

Procedure

As the KeystoreManagerWrapper extends KeystoreManager, the service or J2EE application must have references to the Key Storage Service and Keystore Interface components.

...

       1.      From other Service – via the Service Framework API:

public void start(ApplicationServiceContext serviceContext)

   throws ServiceException {

     

      ...

     

   (KeystoreManager) serviceContext.getContainerContext().getObjectRegistry().getProvidedInterface("keystore_api");

     

       ...

   }

Since ObjectRegistry.getProvidedInterface() method is not synchronized with the start/stop phases of the services, the caller’s service may be started before the Key Storage Service. In this case, the returned object is null.

There are two ways to resolve this:

¡        The calling service has a hard reference to the Key Storage Service:

<reference type="service" strength="hard">keystore</reference>

and the calling Service will not start before the Keystore Service is started.

¡        The calling service registers a ContainerEventListener implementation, and listens for the interfaceAvailable event:

public void interfaceAvailable(String interfaceName, Object interfaceImpl) {

   if (interfaceName.equals("keystore_api")) {

      keystoreManager = (KeystoreManager) interfaceImpl;

   }

}

       2.      From J2EE application – via JNDI only:

ClassLoader old_context_classloader =

   Thread.currentThread().getContextClassLoader();

try {

   Thread.currentThread().setContextClassLoader(

      this.getClass().getClassLoader());

   InitialContext ctx = ...;

   km = (KeystoreManager) ctx.lookup("keystore");

} finally {

   Thread.currentThread().setContextClassLoader(old_context_classloader);

}

Example

General Usage

An example usage of the Key Storage Service:

KeystoreManager keystoreManager =...;

if (!keystoreManager.existKeystoreView("my_view")) {

   keystoreManager.createKeystoreView("my_view", null);

}

KeyStore myKeyStore = keystoreManager.getKeystore("my_view");

All Key Storage Service methods are not cluster synchronized – this means that when the above code fragment is executed on multiple server cluster elements, createKeystoreView() may throw a KeyStoreException“View already exists” on some of the servers.

getKeystore(..) returns a fully initialized Key Storage instance, there is no need for myKeyStore.load(..) or myKeyStore.store(..).

Usage Through Portal Applications:

The reference string for a Portal application to refer to the Key Storage Service is "SAPJ2EE::service:keystore" for the service and "SAPJ2EE::service:keystore_api" for the interface.

The Portal runtime tells the J2EE Engine all code domains of loaded parts of the Portal, where “parts" stand for JARs. This way there is no need to grant permissions to the whole J2EE application Enterprise Portal, but it is possible to grant them to specific JARs.

This graphic is explained in the accompanying text

It is not currently possible to access the Key Storage Service from the Portal via the service's interface keystore_api, since J2EE interface references are not yet supported by the PRT.

 

See also:

 

Performing Code-Based Security Checks

Key Storage Actions

 

 

Leaving content frame