CIDX Adapter Digital Certificates

Former Member
0 Kudos

Guys,

Here is the scenario..

We are getting the HTTPS message from external system to XI.

We are using the CIDX Adapter to read the external message, validate the digital certificates and map to an ORDERS05 IDoc. As soon as I trigger the message from the external system (HTTPS message), I see the message in the XI RWB adapter engine. When the CIDX adapter tries to validate the digital signatures, it is somehow pointing to the J2EE_GUEST user, and it gives the error mentioned below.

ERROR

"Signature verification failed, alerted;Error when accessing keystore:service_ssl

Signature verification failed, alerted

Unexpected error while packing the CIDX message -


null

Message Processing caused Failure. -


BTD handler indicated processing error

Error encountered while receiving inbound action; See nested exception for detailed error message -


Message Processing caused Failure. -


Message Processing caused Failure. -


BTD handler indicated processing error

Delivery of the message to the application using connection CIDXAdapter failed, due to: Error encountered while receiving inbound action; See nested exception for detailed error message. "

Regarding Digital Certificates

We got the digital certificates from my external party and installed and created the key stores in the XI Visual Administration tool.

We configured the sender agreement by selecting those key stores.

Can anyone help me resolve the issue? Is there any problem in the Visual Admin Tool while installing the certificates?

Thanks

Murali

Message was edited by:

Murali Babu Pallabothula

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hi All,

I hope you guys had a good weekend.

I see 2 messages in total in the RWB adapter engine.

One message is successful and the second is a general exception.

When I go to the general exception message -> details

ERROR

“Transmitting message 93510270ec2011dba498001438ee46bd to partner failed with HTTP code 500, alerted “

“Transmitting the message to endpoint http://Host/MessagingSystem/receive/CIDXAdapter/CIDX using connection CIDXAdapter failed, due to: Received HTTP response code 500..”

When I look into the message content, it gives

“Error when checking keystore view Message is signed. Signing is not required for this message according to the agreement”

I don’t know whether we are loading the digital certificates in the Visual Administration tool the proper way.

Can anyone give us the step-by-step process to load certificates in the Visual Admin tool?

Thanks

M

Former Member
0 Kudos

>>>"Signature verification failed, alerted;Error when accessing keystore:service_ssl..."

The adapter framework uses the XIAFUSER to access the keystore entries. I guess you've placed your certs in the "service_ssl" view.

Try this - open up VA and go to the Security Provider service. Then in "Components", look for "keystore-view.service_ssl". Then click on the "Security Roles" tab on the right. Go into change mode (pencil icon) and highlight "KeystoreAdministrator". If not selected already, select Role Type "Security Role" radio button (click OK on the warning). Click on the "Add" button and add user XIAFUSER.

Then try your scenario again.

Regards,

Jin

Former Member
0 Kudos

Jin,

Thanks a lot, we made some small progress.

I made the change you suggested.

Now I am seeing 2 messages in RWB (1 with success and the 2nd is a system error). It looks like it is sending the message to the integration engine, but I am not seeing any message in SXMB_MONI. It gave the error message mentioned below.

ERROR

"Transmitting the message to endpoint httpS://od0su-wad026.sun-rm.com:52101/MessagingSystem/receive/CIDXAdapter/CIDX using connection CIDXAdapter failed, due to: com.sap.aii.af.ra.ms.api.RecoverableException: java.lang.RuntimeException: Error while silently connecting: org.w3c.www.protocol.http.HttpException: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier."

Can you please let us know whether we need to change any other setting?

I think it is failing when it is trying to send the Receipt Acknowledge to the system. Is there any way we can stop the receipt acknowledge for the time being?

Another question: when it is sending to the integration engine, why did it not show up in SXMB_MONI?

Thanks for your time..

Thanks

M

Message was edited by:

Murali Babu Pallabothula

Former Member
0 Kudos

>>>Transmitting the message to endpoint httpS://od0su-wad026.sun-rm.com:52101/MessagingSystem/receive/CIDXAdapter/CIDX...

Is od0su-wad026.sun-rm.com your XI host or your partner's host?

In your sender CIDX channel, what do you have configured for "URL" within "Transport Parameters"? This should be the URL of your partner system (where the signal/receipt ack should be sent back to).

>>>Is there any way we can stop the receipt acknowledge for the time being?

Not that I know of...

>>>Another question: when it is sending to the integration engine, why did it not show up in SXMB_MONI?

My guess is that b/c the ack is failing, it's not forwarding on to the integration engine. You would see a 3rd message for the one that gets forwarded on to the integration engine.

Jin

Former Member
0 Kudos

Jin,

Appreciate your time.

Last time I gave the wrong URL for the Receipt Acknowledge in the sender adapter.

Actually we are getting the message from the DMZ (which is outside of the firewall).

When we are sending back the Receipt Acknowledge to a different system (for the time being we are using the XI quality system).

But I am seeing only the 2 messages in RWB.

It gave the below error now.

ERROR

Transmitting the message to endpoint http://host:port/MessagingSystem/receive/CIDXAdapter/CIDX using connection CIDXAdapter failed, due to: Received HTTP response code 401..

If possible, is there any phone number I can reach you at, or can you please reach me at 248-943-4239?

Thanks a lot..

M

Message was edited by:

Murali Babu Pallabothula

Former Member
0 Kudos

Murali,

Can you please try once again by changing the userid and pwd of PIISUSER?

It might be that the user name and pwd are wrong.

---Satish

Former Member
0 Kudos

Satish,

Where do you want me to change the uid and pwd?

Is it in the Sender "Authentication"? There I am using XIAPPLUSER.

Thanks

M

Former Member
0 Kudos

Murali,

This error usually occurs when we use the wrong username and password. Instead of XIAPPLUSER, try using the XIISUSER userid and password and check once again.

---Satish

Former Member
0 Kudos

>>>When we are sending back the Receipt Acknowledge to a different system (for the time being we are using the XI quality system).

You mean you're not actually sending it back to the original sender? Not sure if that would work. Unfortunately, my test systems are being patched and I can't confirm the problems this might cause.

In any case, the 401 is authentication related so in the meantime double check your user/pwd in the Authentication area as you referred to earlier.

Unfortunately, I won't be available til next week, but hopefully you can get some additional help from the forum on this.

Regards,

Jin

henrique_pinto
Active Contributor
0 Kudos

To import certificates into the Key Storage service, don't use the Import option. Use Load. 😛

You should be able to load .p12 or .pfx files.

Import is for when you generate a key pair certificate in Key Storage, create a sign request, submit it to a certification authority (such as VeriSign) and then import their sign response.

Regards,

Henrique.

Former Member
0 Kudos

Hi All,

I changed the uid to XIISUSER.

Still the same problem.

Once it is trying to send the Receipt Acknowledge, it means that it did pass the digital certificates, right?

Can anyone help us resolve this issue?

Thanks

M

Message was edited by:

Murali Babu Pallabothula

prateek
Active Contributor
0 Kudos

Hi Murali,

Refer to SAP Note 788690

These could also help you:

SAP Note 816022, Questions 9 and 15

Also understand various related errors:

/people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi

Regards,

Prateek

Former Member
0 Kudos

Jin,

I hope you had a nice vacation…

I am still facing the same error. Can you please help us with “How to save customer digital certificates in XI Visual Admin”? We got 3 files from the customer: 2 are .DER and 1 is .CRT.

How will these files be saved in the Visual Admin? After that, how can we use them in the sender agreement?

Appreciate your help..

Thanks

Murali

Former Member
0 Kudos

Hi Murali -

For loading the files, see Henrique's response above. Choose the proper view and use the load option. For the message level security (e.g. digital signature), you can create your own view in the Key Storage service and load the certificates there.

As far as the files/certs you received from your partner:

1.) One file should be to verify the digital signature on the initial message sent by your partner (in Sender Agreement, this corresponds to section "Partner Certificate for Signing").

2.) If using https to send your receipt acknowledgement back to your partner, then one file should be a root CA certificate that you load into the TrustedCAs view. Essentially, when you send the receipt acknowledgement back to your partner's server, which is SSL enabled, you need to trust the issuer/CA of the server certificate presented by your partner's system.

Don't know what the 3rd file you received is for.

Also, in the Sender Agreement, in section "Current Certificate for Signing", this is where you specify the private key that you generated and will use to sign the action/rec. acknowledgement message. Your partner would need the corresponding public key to verify the signature.

Regards,

Jin
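
Jin's post above assigns the partner's signing certificate to "Partner Certificate for Signing" and the issuing root CA certificate to the TrustedCAs view. The following is an added example, not part of the thread or of SAP's tooling, that uses the openssl command-line tool to tell which of the received .DER/.CRT files is a CA certificate and which is an end-entity certificate before loading them. The function names and the constructed sample certificates from `make_samples` are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: sort partner-supplied certificate files by role.
# Needs the openssl CLI. Function and file names are illustrative.

# Run an "openssl x509 -noout" query on a file that may be DER or PEM.
cert_field() {  # usage: cert_field <file> <x509 option>
  local f=$1; shift
  openssl x509 -inform DER -in "$f" -noout "$@" 2>/dev/null ||
    openssl x509 -inform PEM -in "$f" -noout "$@" 2>/dev/null
}

# Echo root-ca, intermediate-ca or end-entity; return 1 if unparseable.
classify_cert() {
  local f=$1 subject issuer
  subject=$(cert_field "$f" -subject) || return 1
  issuer=$(cert_field "$f" -issuer) || return 1
  if cert_field "$f" -text | grep -q 'CA:TRUE'; then
    # A CA certificate whose subject equals its issuer is self-signed (a root).
    [ "${subject#*=}" = "${issuer#*=}" ] && echo root-ca || echo intermediate-ca
  else
    echo end-entity
  fi
}

# Constructed sample input: a self-signed CA (DER) and a cert it issued (PEM).
make_samples() {  # usage: make_samples <dir>
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'CN = Constructed Root CA' '[v3_ca]' \
    'basicConstraints = critical, CA:TRUE' > "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=Constructed Partner Signer" \
    -keyout "$d/p.key" -out "$d/p.csr" 2>/dev/null
  openssl x509 -req -in "$d/p.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/partner.crt" 2>/dev/null
  openssl x509 -in "$d/ca.pem" -outform DER -out "$d/root.der"
}

# Report role, subject and issuer for each file given on the command line.
for f in "$@"; do
  printf '%s: %s (%s, %s)\n' "$f" "$(classify_cert "$f" || echo not-a-certificate)" \
    "$(cert_field "$f" -subject)" "$(cert_field "$f" -issuer)"
done
```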

Former Member
0 Kudos

Jin,

After we loaded our partner’s public certificate into VA, we still cannot see the entry in the "Partner Certificate for Signing" (Sender Agreement) key store entry drop-down list.

Any idea why?

Thanks

Murali

Former Member
0 Kudos

If you were able to load it successfully in VA, after selecting the correct keystore view, you should be able to see and select the entry.

Regards,

Jin

Former Member
0 Kudos

Jin,

We did it successfully; we used the load option to import the partner certificate.

Do you think we need to create key pair?

Thanks

Murali

Message was edited by:

Murali Babu Pallabothula

Former Member
0 Kudos

No, you don't create the key pair for your partner's certificate. They create it and send you the public key so that your system can use it to verify the signature on the message they send you (they sign with their private key).

Regards,

Jin

Former Member
0 Kudos

Murali,

It's complaining about the keys stored in the Key Storage of J2EE. Check once again whether you have installed them correctly as per this help:

http://help.sap.com/saphelp_nw04/helpdata/en/e9/a1dd44d2c83c43afb5ec8a4292f3e0/content.htm

---Satish

Former Member
0 Kudos

Satish,

Thanks for your quick response.

We created the key pair in the Visual Admin Tool (cluster -> Keystore -> create button).

Is there any step-by-step guide for installing the certificates (which explains what type of certificates we need from the external vendor, what the public key and private key are, and so on) in the Visual Admin Tool and CIDX configuration?

Appreciate your time.

Thanks

M

Former Member
0 Kudos

Hi,

I think we don't have any document on this. You do have SAP help on this. Check this help out:

http://help.sap.com/saphelp_nw04/helpdata/en/36/7627aa3fe440369150a434f8137eda/content.htm

---Satish

Former Member
0 Kudos

Hi

I am looking into the link which you sent me.

The other question is: we got 3 files (1 is .CER and 2 are .DER) from my external party. Do I need to generate a public key or private key by using the generate button in the Visual Admin Tool, or can I import these files using the import option?

We are just confused about how we can install the 3 files into the Visual Admin Tool.

Thanks

M

Former Member
0 Kudos

Murali,

You import it and that should resolve your issue.

---Satish

Former Member
0 Kudos

Satish,

Import in the sense that, if you import, you need a key pair, right?

If you import with the name "TEST",

you need another "TEST-cert".

How can you import as a pair? If possible, can you send us the step-by-step process?

Appreciate your time.

Thanks

M

Message was edited by:

Murali Babu Pallabothula