cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AS2 sender adapter 403 forbidden error

Go to solution
Former Member

on ‎03-25-2014 7:03 PM

Hi Experts,

I have a scenario which is connecting with third party using sender AS2 adapter.

while third party sending message to PI they are getting 403 forbidden error.

sender agreements are created one for MDN reports and another particular interface for the same sender party and receiver party.

certificates are installed properly and message subjects & AS2 ID also maintained correctly.

i am using pi7.11 version and seeburger AS2 adapter.

Please suggest any configuration or setting if missed which causes this issue.

Thanks in advance.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Harish
Active Contributor
‎03-25-2014 8:43 PM
0 Kudos

Hi Mahesh,

Please check the below discussion

SEEBURGER AS2: 403 Forbidden # | SCN

according to the discussion the reason could be

1. You or your partner has entered an incorrect AS2 ID

- Please check the AS2ID's very clearly. The ID's are case sensitive.Make sure you and your partner has entered exactly the same AS2ID in the configuration.

2. A valid sender agreement is missing.

You need to select Virtual receiver in the sender agreement and provide your receiver party and service name as well. This is very important for identifying the AS2 ID's.

3. There are more then one AS2 sender agreements.

Make sure that you created only one sender agreement for your sender and receiver party. Your business service may change but make sure you have created only one sender agreement for your sender and receiver party.

4. The corresponding inbound channel is set to inactive.

    Make sure your channel is active.

also have look at below blog

Show replies
Show replies
Former Member
‎03-26-2014 9:15 AM
0 Kudos

Hi Harish,

Thanks for your reply.

i am not clear about 3 statement.

3. There are more then one AS2 sender agreements.

Make sure that you created only one sender agreement for your sender and receiver party. Your business service may change but make sure you have created only one sender agreement for your sender and receiver party.


i have different sender agreements with same sender & receiver party but communication component is different.


same scenario works in production.


can you please explain this point bit clearly.


Thanks

Mahesh

engswee
Active Contributor
‎03-26-2014 9:30 AM
0 Kudos

Hi Mahesh

When you create the sender agreement for the AS2 sender channel, you need to specify both the sender party and receiver party (use virtual receiver) as below.

In the sender party and receiver party objects, you need to set the corresponding AS2 ID.

Regardless of the Communication Component, you cannot have more than 1 sender agreement with the same combination of Sender Party and Receiver Party. This is mentioned in the Seeburger manual for the AS2 adapter.



The same sender and receiver party must not be used in more than one sender agreement.

The exceptions to this rule are:

1) The different sender AS2 channels have different "Message Subject"

2) You can have 2 sender agreement - 1 for AS2 sender channel for normal message (Message Protocol = AS2) and 1 sender channel for MDN (Message Protocol = Reports)

Rgds

Eng Swee

Former Member
‎03-26-2014 6:43 PM
0 Kudos

Hi Eng Swee,

Thanks for your reply.

I have four AS2 interfaces for four communication components like COMP1,COMP2,COMP3,COMP4 for same sender party and receiver party.

Party 1(for third party)

part2(for our own system)

i have sender agreement like this

1) this is for MDN reports(communication channel has message protocol "report" and message subject has *).

2) below is for the second sender agreement

similarly i have 3,4 & 5 have same sender agreements with different sender communication component like COMP2,COMP3,COMP4 ,sender service interfaces & namespaces but sender party & receiver party is same.

note: here communication channels for the above sender agreements have different message subjects but message protocol is AS2

virtual receiver was not used for these sender agreements.

these are working in production i can see message processing seeburger as2 monitoring tool.

i have few queries here.

1) if we create the one sender agreements for same sender party & receiver party how it identify the remaining communication component & service interface related interface.

2) suppose i have given AS2ID as A for the party(PARTY1) which is created for third party. and AS2ID  as B for our own party(PARTY2)

so which AS2ID needs to be maintain at third party end either A or B for sending message to PI.

thanks

mahesh

Harish
Active Contributor
‎03-26-2014 8:53 PM
0 Kudos

Hi Mahesh,

i have few queries here.

1) if we create the one sender agreements for same sender party & receiver party how it identify the remaining communication component & service interface related interface.

-->> The sender message first check the message subject and trigger the sender agreement which match the message subject. If no channel is matched then channel with * message subject will trigger. So the priority is message subject then to *.

2) suppose i have given AS2ID as A for the party(PARTY1) which is created for third party. and AS2ID  as B for our own party(PARTY2)

so which AS2ID needs to be maintain at third party end either A or B for sending message to PI.

-->> Sender AS2 ID is A and receiver AS2 ID is B

regards,

Harish

Former Member
‎03-27-2014 3:10 AM
0 Kudos

Hi Harish,

Thanks for your reply.

you mean when third party at sender side they have to use A as AS2ID

and when third party at receiver side they have to use B as AS2ID...

is my understanding correct...?

Thanks

Mahesh

engswee
Active Contributor
‎03-27-2014 5:26 AM
0 Kudos

Hi Mahesh

Third party AS2ID = A

Own party AS2ID = B

Third party send AS2 message to PI (own party)

Sender AS2ID = A

Receiver AS2ID = B

PI (own party) send AS2 message to third party

Sender AS2ID = B

Receiver AS2ID = A

The AS2ID is always fixed to the sender/receiver party and not dependent on direction of message.

I would like to understand your setup better. What are reasons for having 4 different AS2 channels for the same between the same third party and your system?

Can you share the screenshots for all four AS2 sender channels and sender agreements? And also let us know which ones are working in Production. I am quite surprised that you mentioned that some of the sender agreements do not have virtual receiver, but are working in Production. Having virtual receiver is mandatory for the AS2 channel to resolve the AS2 ID.

Rgds

Eng Swee

Former Member
‎03-27-2014 9:49 AM
0 Kudos

Hi Eng Swee,

Thanks for your reply

Please find the below sender agreements & corresponding CC

second one:

third one:

Fourth one

E is for the third party & M is our own party.

F,P,V,V are communication components

all these are working

engswee
Active Contributor
‎03-28-2014 2:05 AM
0 Kudos

Hi Mahesh

The configuration for the 4 interfaces in the screenshots looks ok.

For the 403 error you are facing, is it for a new 5th interface? If yes, can you also share the screenshots for the CC and agreement.

Also, is the error in the Production system or a different system (Dev/Test)? If it's in a different system, can you try the following:-

i) Ask the 3rd party to send AS2 messages on the existing 4 interfaces to the Dev/Test system

ii) Compare the configuration (CC & SA) for the 4 interfaces between Prod & Dev/Test (check AS2ID, sender/receiver party, AS2 message subject, etc)

iii) Do a search to find if there are any other Sender Agreement objects that are using the same pair of sender party and receiver party (sometimes in Dev/Test system, there can be other objects created for testing purposes but never deleted after that)

iv) If there are differences of AS2ID (of either own or 3rd party) between Production and Dev/Test system, check with third party if they are using the correct AS2ID when sending the AS2 message

Rgds

eng Swee

Former Member
‎03-28-2014 6:34 AM
0 Kudos

Hi Eng Swee,

now we don't have 5th one...

but i am getting issue in Training system for third interface(third sender agreement) in above shared screens

engswee
Active Contributor
‎03-28-2014 6:39 AM
0 Kudos

Mahesh

Maybe the error is not related to configuration then. Can you please try the 4 steps I listed above? Might be something missing or additional objects in your Training system that is causing the issue.

Rgds

Eng Swee

Former Member
‎04-03-2014 11:31 AM
0 Kudos

Hi Eng Swee,

After checking the logs & traces we found the below error log.

Error while checking inbound communication [LOC: Error while checking inbound communication.checkInboundRelation] Caused by: com.seeburger.as2.exception.AS2PluginException: Failed to get inbound configuration from DATABASE.

at com.seeburger.as2.conf.ConfigurationInbound.getInstanceInboundMessage(ConfigurationInbound.java:100)

Failed to get inbound configuration from DATABASE. [LOC: Failed to get inbound configuration from DATABASE..getInstanceInboundMessage] Caused by: com.seeburger.as2.exception.AS2PluginRetryException: OwnAddressID missing or does not exist.

at com.seeburger.as2.conf.ConfigurationCommon.loadOwnSettings(ConfigurationCommon.java:290)

engswee
Active Contributor
‎04-04-2014 3:50 AM
0 Kudos

Hi Mahesh

Failed to get inbound configuration from DATABASE. [LOC: Failed to get inbound configuration from DATABASE..getInstanceInboundMessage] Caused by: com.seeburger.as2.exception.AS2PluginRetryException: OwnAddressID missing or does not exist.

I'm guessing here that some configuration might be missing or wrong.

Can you try the following?

i) Ask the third party to confirm the sender AS2ID, receiver AS2ID, and Message Subject that they are using to send the message to your training system

ii) Check if you have a matching Sender Agreement (with virtual receiver) and corresponding AS2 channel that matches the 3 values above - sender AS2ID, receiver AS2ID and message subject

iii) Check that your AS2 channel is active

Rgds

Eng Swee




Former Member
‎06-05-2014 4:27 PM

Hi Eng Swee,

Sorry fr late reply

My issue was resolved

reason this issue is....in PI we are maitiaing the AS2ID as A for PI & B for Third party.

where as third party is maitaining C for PI & B for thirdparty due to this mismatch we were getting the error

now its resolved as per your above check list.

Thanks

Mahesh

engswee
Active Contributor
‎06-06-2014 2:10 AM
0 Kudos

Hi Mahesh

Good to know the update to this issue. Glad that it was finally resolved

Rgds

Eng Swee

Answers (4)

Answers (4)

philippeaddor
Active Participant
‎05-05-2020 6:51 PM
0 Kudos

In case somebody comes across this in 2020: My tests reveal that having a virtual receiver for AS2 Sender Agreements is not necessary anymore with PO 7.5 (SP16).

I got this error due to the fact that I entered "/" as "Expected URL Path" in the channel. Having no path extension seems unfortunately not possible. UPDATE: it is possible indeed by entering the regex value .* (which means "any character" in Regex) in this field!

Best Regards,

Philippe Addor

Show replies
Show replies
saurabhkumbhare
Active Participant
‎04-25-2014 8:01 PM
0 Kudos

Hi Mahesh,

Can you check if you have these roles assigned to the user which is being used to trigger the message.

SAP_XI_B2B_CONFIGURATOR_J2EE

SAP_XI_B2B_ADMINISTRATOR_J2EE

Besides also make sure the users PIAF<SAPSID>, PIDIR<SAPSID> and PIIS<SAPSID> are added to the Administrators group and they have role SAP_XI_ADMINISTRATOR_J2EE assigned.

Thanks

Saurabh

Show replies
Show replies
S0003485845
Contributor
‎03-28-2014 11:12 PM
0 Kudos

Hello,

if your partner receives a 403 FORBIDDEN message, this means that your partner can already reach the AS2-Adapter, so there should not be any errors related to FireWall/Proxy or similar settings...

This error is most likely related to the fact that the AS2-IDs don´t match (and possible causes for this have already been mentioned in previous posts....)

In the screenshots, I could see the CCs and the SAs, but can you also provide a screenshot with the party (where wecan see that the AS2-IDs are assigned correct to the respective Parties whic hare used as Sender/Receiver in your SA ?

Other than this, feel free to check out this blog/doc....

Regards

Stefan

Show replies
Show replies
Former Member
‎04-02-2014 7:04 AM
0 Kudos

Hi Stefan

Thanks for your reply

here is the screen shots for the parties

third party is using the ID1 as AS2 ID for sending message to pi.

Thanks

Mahesh

saurabhkumbhare
Active Participant
‎04-25-2014 7:20 PM
0 Kudos

Hi Mahesh,

Is tihis problem solved?

If yes, can you please post the solution for helping us.

Thanks

Saurabh

engswee
Active Contributor
‎03-26-2014 2:44 AM
0 Kudos

Hi Mahesh

Have you checked also on the user authentication that the 3rd party is using to send to your PI? Are they using the right logon credentials, and does the user ID have the right authorization?

Rgds

Eng Swee

Show replies
Show replies
Former Member
‎03-26-2014 3:53 AM
0 Kudos

Hi Eng swee,

they are not using any PI user id credentials.

they have used the below authentication type.

http authentication to send async MDN

Please let is this correct approch...?

engswee
Active Contributor
‎03-26-2014 4:13 AM
0 Kudos

Dear Mahesh

Can you confirm if they are accessing the AS2 adapter on PI via the following URL?

HTTPs://<your-xi-server>:5<sysnr>1/SeeburgerAS2/AS2Server

This would be the AS2 listener on the Adapter Engine. To be able to post the message to the Adapter Engine, they would need a valid service user ID to logon. This user would need the following role: SAP_XI_APPL_SERV_USER

You can refer to the following link:

http://help.sap.com/saphelp_nwpi711/helpdata/en/d4/d12940cbf2195de10000000a1550b0/frameset.htm

Rgds

Eng Swee

Former Member
‎03-26-2014 4:20 AM
0 Kudos

Hi Eng swee,

Thanks for your reply.

yep we are using HTTP://<your-xi-server>:5<sysnr>1/SeeburgerAS2/AS2Server

ok let me try with user id authentication.

thanks once again

former_member190624
Active Contributor
‎03-26-2014 9:01 PM
0 Kudos

Hi Mahesh,

did you configured Proxy in sender AS2 channel ?

If yes ,Cross check with your network team , whether party ip was allowed to communicate with your PI system or not.

If No , configure your proxy host ,port and user authentication and try again .

Thanks

Hari.

Former Member
‎03-27-2014 4:55 AM
0 Kudos

Hi Eng Swee,

we have used the pi user & password but still we are getting same error

Thanks

Mahesh

Former Member
‎03-27-2014 6:54 AM
0 Kudos

Hi Hari,

Thanks for your reply

whose proxy server details we need to maintain in sender AS2 communication channel? third party or PI

in my case third party is not maintaining any proxy server.

Thanks

Mahesh

former_member190624
Active Contributor
‎03-27-2014 9:33 AM
0 Kudos

Hello Mahesh,

Since you are receiving message through public internet, below mentioned points should be followed

1. sender AS2 communication channel should contain your PI system proxy details ( your client landscape proxy for communicating with public internet ) not 3rd party proxy details .

2. also you should allow your third party system public IP address in your system's firewall / proxy (this point will change depends on your client infrastructure  ).

First try point 1 , if still problem persist  then take your 3rd party system public ip and contact your network team for allowing messages for your 3rd party system (explained in point 2 )

Thanks

Hari.

Ask a Question