Access AS Java Keystore from SAP PI/PO Adapter Module

Access AS Java Keystore from SAP PI/PO Adapter Module

SAP AS Java provides a keystore to manage public certificates and private keys used to digitally-sign, encode, decode and validate messages. Unfortunately accessing the key storage from a SAP PI/PO adapter module is not fully covered by SAP documentation and can pose a challenge.

The code snippet below retrieves a reference to interface ISsfProfile. Once you retrieve the reference you can call methods getPrivateKey and getCertificate to access the private key and the public certificate respectively.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
private ISsfProfile getPrivateKeyProfile() throws ModuleException {
	String SIGNATURE = "getPrivateKey( )";
	try {
		String keystoreView = getParameterValue("keystoreView");
		String keystoreEntry = getParameterValue("keystoreEntry");
		location.infoT(SIGNATURE, "Read configured private key now. Key Store : {0} Name: {1}",
			new Object[] { keystoreView, keystoreEntry });
		SAPSecurityResources secRes = SAPSecurityResources.getInstance();
		KeyStoreManager ksMgr = secRes.getKeyStoreManager(PermissionMode.SYSTEM_LEVEL,
			new String[] { "sap.com/modules.pi.XMLDSig" });
		java.security.KeyStore ks = ksMgr.getKeyStore(keystoreView);
		if (ks == null) {
			throw new ModuleException(String.format("Key store view \"%s\" cannot be retrieved", keystoreView));
		}
		// Since code based permission is used no password needs to be supplied
		ISsfProfile privKeyProf = ksMgr.getISsfProfile(ks, keystoreEntry, null);
		if (privKeyProf == null) {
			throw new ModuleException(String.format("Key store entry \"%s\" cannot be read", keystoreEntry));
		} else {
			return privKeyProf;
		}
	} catch (Exception e) {
		throw new ModuleException(e);
	}
}

private String getParameterValue(String paramName) throws ModuleException {
	String paramValue = moduleContext.getContextData(paramName);
	if (paramValue == null) {
		String errMsg = String.format("%s parameter is not set.", paramName);
		throw new ModuleException(errMsg);
	}
	return paramValue;
}

Usage

Copy the provided methods to your Adapter Module class. Replace sap.com/modules.pi.XMLDSig in line 10 with your module’s bean name.

Keystore View and Keystore Entry are retrieved from Adapter Module’s parameters (in my module they are named keystoreView and keystoreEntry, but you can choose any other names). The parameters are read with a helper method getParameterValue. Make sure the parameters are maintained in the Communication Channel in Integration Directory.

To be able to compile the code you have to add com.sap.security_2.0.0*.jar (* is a version number and can be different on your system) to your project’s classpath in NWDS. You’ll find the jar in your NWDS installation path in plugins folder (e.g. com.sap.security_2.0.0.160803115025.jar)

Leave a Reply

Your email address will not be published. Required fields are marked *