
RNIF Security Configuration

Former Member
0 Kudos

Hi,

I am trying to configure the RNIF adapter with security. I will receive a digitally signed document from a trading partner at the RNIF adapter. I have the partner's public key.

The partner's public key has a root, two intermediate certs, and the actual cert. Where and how do I load such a certificate? I created a new view in "Key Storage" and added all certs (root, intermediates and public cert) under the same view.

However, in the RNIF adapter configuration, this view does not show up.

Please help!

Archana

Accepted Solutions (0)

Answers (1)

bhavesh_kantilal
Active Contributor
0 Kudos

Hey Archana,

Can you let me know what you are trying to perform here?

1. Is it server SSL, i.e., is the RNIF PIP going to be sent from XI / from the partner using HTTPS?

2. Or do you mean Digital Signature, where you need to verify your partner's signature in the Action Message / Business Signal?

For 1, you will need to load the partner's cert in the TrustedCAs view in the keystore if it is a self-signed cert. From what I see from your question it is not a self-signed cert, and hence check if the Root Cert and Intermediate Cert are already under TrustedCAs in the Keystore, and if they are not, just load these under TrustedCAs.

For 2, you can create a custom view as needed in the Keystore and load either the Partner's Cert Alone if you want to use Direct Model or load all 3 certs if you need to use Hierarchical.

In the RNIF adapter you will select option Sign Business Signal / Action Messages and in the Sender / Receiver Agreement you will need to provide the appropriate view and certificate.

Regards

Bhavesh

Former Member
0 Kudos

Hi Bhavesh,

First, let me be clear on what my scenario is:

Partner sends "RNIF pip that is digitally signed" via https.

This request sent by the partner doesn't come to PI directly; instead it goes to an internal RedLine server, which in turn routes the request to PI. Hence, "HTTPS" related security should be taken care of at that layer. So, what hits the following URL - http://<host>:<port>/MessagingSystem/receive/RNIFAdapter/RNIF - is RNET PIP that is "digitally signed".

I guess it is scenario 2 in your reply.

I have the partner's public cert - not self signed - that has a root and two intermediates. It is in .p7b format. I extracted the cert, root, and intermediates. I created a new view in "KeyStore" (say PartnerTest), and added these extracted certs individually as entries in this view.

Now, coming to configuration of RNIF adapter, on "Parameters" tab, there is a field called "Transport Protocol" - Assuming that this protocol is used internally by PI's Adapter Engine to post message to Integration Engine, and that this has nothing to do with partner's protocol, I selected HTTP1.1 here. CORRECT ME IF I AM WRONG!

Now, in the "Source" tab, where it says "Inbound Security Checks", I selected "HTTPS without Client Authentication".

Now, going to the Sender Agreement, I see that the Encryption and Decryption entries are "required" though we don't use encryption.

Also, when configuring "partner certificate for signing" and "current certificate for signing", I don't see my newly created view (PartnerTest) to select a certificate from.

Sorry for such a long message, but I hope that I am clear now.

Archana

bhavesh_kantilal
Active Contributor
0 Kudos

Archana,

1. Transport Protocol of your RNIF adapter depends on how you want to send the Business Signal to your partner (http / https) and which server would do this encryption portion. The Target URL and the Authentication also boil down to the intermediary certificate, and I am not sure how this fits into your requirement.

2. In the Sender Agreement, set the security setting to None and then you would not need to give the Payload encryption and decryption.

3. For current cert and partner cert for signature verification, unfortunately, the Selection option will not work. Please check the service market place for the Industry Speak adapter FAQ for the reason for this. You can manually enter the keystore entry and the keystore service in the sender agreement as suggested in the note.

Regards

Bhavesh

PS: It's good to see a well-framed reply to a question on SDN. I wish every poster took time framing his question as you did!

bhavesh_kantilal
Active Contributor
0 Kudos

Another question : Is there a special setting to import a .p7b cert into the Keystore?

Former Member
0 Kudos

I don't know if there is any special setting. I manually extracted all certs and loaded them individually into the View.

Also, in the Sender Agreement, under "Current Certificate for Signing", I see only the SHA1 algorithm. I assume this is the place where I should specify the "private" cert of our company. If yes, then our cert uses RSA. Is there any workaround?

Thanks,

Archana

bhavesh_kantilal
Active Contributor
0 Kudos

Shouldn't be a case for concern.

I am not sure of the specifics of the internal workings, but our cert was also RSA but used SHA-1 for the signature and it worked. Never gave it a second thought, and I am not a Digital Signatures Security Expert, but I can assure you that it will work.

Why it works, well, let's hope Google helps answer that part.

Regards

Bhavesh
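Two points in this thread are easy to get wrong at the command line: splitting a partner's .p7b bundle into the individual root, intermediate and leaf certificates that get loaded one by one into a keystore view (Archana's manual extraction above), and the SHA-1 versus RSA question in the last exchange. The script below is an added example written for this page, not from the thread or from SAP; it assumes only a POSIX shell and the OpenSSL command line tool (1.1.1 or later). It builds a constructed chain (root, two intermediates, leaf) and packs it into a DER .p7b the way a partner would deliver it, then splits the bundle back into per-certificate PEM files, sorts them into leaf / root / intermediates by inspecting their extensions, verifies the leaf against the chain, and prints the leaf's signature algorithm. The algorithm name (here `sha256WithRSAEncryption`; a partner cert signed like the one in the thread would read `sha1WithRSAEncryption`) bundles the digest and the key type into one identifier, which is why "SHA1" and "RSA" are not competing choices. The constructed chain is signed with SHA-256 rather than SHA-1, since SHA-1 signatures are no longer considered trustworthy.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed root -> int1 -> int2 -> leaf
# chain, bundle it as PKCS#7 (.p7b), split it, verify it, and read the signature
# algorithm. Assumes the openssl CLI (1.1.1+) is on PATH.
set -eu

WORK=$(mktemp -d)                 # scratch directory for keys, certs and the bundle
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so "req" never needs a system openssl.cnf; the v3_* sections
# mark CA vs. end-entity certificates, which is what the sort step later keys on.
write_config() {
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue NAME SUBJECT EXT_SECTION [ISSUER]: self-signed when ISSUER is omitted.
issue() {
  name=$1 subj=$2 ext=$3 issuer=${4:-}
  if [ -z "$issuer" ]; then
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
      -keyout "$WORK/$name.key" -subj "$subj" -config "$WORK/openssl.cnf" \
      -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
      -subj "$subj" -config "$WORK/openssl.cnf" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
      -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -extfile "$WORK/openssl.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Pack leaf + intermediates + root into a DER-encoded PKCS#7 bundle (.p7b).
bundle_p7b() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/leaf.pem" -certfile "$WORK/int2.pem" \
    -certfile "$WORK/int1.pem" -certfile "$WORK/root.pem" \
    -outform DER -out "$WORK/partner.p7b"
}

# split_p7b BUNDLE OUTDIR: write OUTDIR/cert1.pem .. certN.pem, print N.
split_p7b() {
  mkdir -p "$2"
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2/all.pem"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  ' "$2/all.pem"
}

is_ca()          { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
name_of()        { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*=//'; }
is_self_signed() { [ "$(name_of "$1" subject)" = "$(name_of "$1" issuer)" ]; }

# sort_chain DIR: classify cert*.pem into leaf.pem, root.pem and intermediates.pem.
sort_chain() {
  : > "$1/intermediates.pem"
  for c in "$1"/cert*.pem; do
    if ! is_ca "$c";          then cp "$c" "$1/leaf.pem"
    elif is_self_signed "$c"; then cp "$c" "$1/root.pem"
    else cat "$c" >> "$1/intermediates.pem"
    fi
  done
}

# verify_chain DIR: print OK when the leaf chains to the root via the intermediates.
verify_chain() {
  if openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediates.pem" \
       "$1/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# sig_alg CERT: the signature algorithm identifier, e.g. sha256WithRSAEncryption.
sig_alg() { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'; }

main() {
  write_config
  issue root "/CN=Constructed Root CA" v3_ca
  issue int1 "/CN=Constructed Intermediate 1" v3_int root
  issue int2 "/CN=Constructed Intermediate 2" v3_int int1
  issue leaf "/CN=partner.example" v3_leaf int2
  bundle_p7b
  echo "certificates in bundle: $(split_p7b "$WORK/partner.p7b" "$WORK/split")"
  sort_chain "$WORK/split"
  echo "leaf subject: $(name_of "$WORK/split/leaf.pem" subject)"
  echo "chain verification: $(verify_chain "$WORK/split")"
  echo "leaf signature algorithm: $(sig_alg "$WORK/split/leaf.pem")"
}
main
```

Against a real partner bundle, only `split_p7b`, `sort_chain`, `verify_chain` and `sig_alg` are needed: run them on the delivered .p7b, confirm the chain verifies before loading anything, and then load `leaf.pem` alone (direct model) or all of the split files (hierarchical model) into the keystore view, matching the two options Bhavesh describes above.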