on 05-02-2008 5:27 PM
Hi guys,
Have any of you imported on VisualAdmin Key storage a certificate which has a chain of certificates associated?
Why does this question pop up? Well, I'm using Seeburger AS2 Adapter and I'm trying to receive a message from my external partner. The point is that the certificate has associated a chain of certificates. I tried to import every certificate, one by one, creating three entries on the keystorage, and then specifying on the sender agreement the alias referring to the lower certificate. Meaning certificateA depends on certificateB which depends on certificateC, which is the ROOT Certificate.
certificateC
  - certificateB
    - certificateA
So in the sender agreement I only have
Sender Configuration
Authentication Certificate : \AS2\certificateA
My external partner is getting AUTHENTICATION ERROR. What I think is happening is that XI is not being able to relate the three certificates.
Do you have any ideas?
Hi !
have a look at this Blog
/people/aniket.tare/blog/2005/03/22/ssl-certificate-installation-procedure-for-sap-j2ee-engine-630-150-steps-in-visual-administrator
Regards
Abhishek
Hi Abhishek,
Excellent blog. Have you tried it already?
Why am I questioning? Because I didn't understand point 12. How is the relation between the several certificates done? It says, "place the cursor again", I've done it but the result is the same as importing one certificate at a time....
Another question, how is the 'white Space' character represented on the key storage?
Hi,
Usually, you import all the root CAs chain into the TrustedCAs key storage ...
If you're working with a sender adapter, then XI will act as an SSL server (receiver means XI is acting as a SSL client), so, depending on the auth mode (client cert requested ?), your partner (sender) will have to import XI's CA root chain too in order to authenticate your system during SSL handshake ...
Chris
Hi guys,
Unfortunately the problem is yet to be solved...
I've placed the certificates in the TrustedCA's but I'm still getting the following error:
Error#1#/Applications/ExchangeInfrastructure/AdapterFramework/ThirdPartyRoot/SEEBURGER/AS2#Plain###authentication error
[LOC: authentication error.authenticate] Caused by: com.seeburger.dt.security.smime.SMIMEHelperException: signature verification failed:
com.seeburger.dt.security.smime.SMIMEHelperException: signature verification failed: CMS error:
invalid signature format in message: + content hash found in signed attributes different
Although the error is an authentication error, it is due to other factors.
I've searched the web but couldn't find any related issues...
For debugging I've tried sending a message from another test partner with his own certificate but letting the other partner's certificate configured. The error is an authentication error/connection refused. So in the first case XI reaches to the point of validating the certificate signature.
Has any of you faced this error?
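Added example (not part of the thread, and not Seeburger or SAP code): a simplified Python model of why the "content hash found in signed attributes different" failure above is separate from relating certificateA to its chain. Assumptions: SHA-256 as the digest, certificates reduced to subject/issuer names with no signature or validity checks, the order of the two stages, and a constructed payload whose line endings are rewritten in transit as one way for the bytes to change.

```python
import hashlib

# Constructed toy certificates mirroring the thread's A -> B -> C (root) chain.
# Only name chaining is modelled; real validation also verifies signatures.
A = {"subject": "CN=certificateA", "issuer": "CN=certificateB"}
B = {"subject": "CN=certificateB", "issuer": "CN=certificateC"}
C = {"subject": "CN=certificateC", "issuer": "CN=certificateC"}

def build_path(leaf, trusted):
    """Follow issuer -> subject links from leaf to a self-issued trusted root."""
    by_subject = {c["subject"]: c for c in trusted}
    path, current = [leaf], leaf
    while current["issuer"] != current["subject"]:
        parent = by_subject.get(current["issuer"])
        if parent is None or parent in path:   # missing link or loop
            return None
        path.append(parent)
        current = parent
    return path if current in trusted else None

def diagnose(received, signed_digest, leaf, trusted):
    """Return the first stage at which checking a signed message fails."""
    # Stage 1 (CMS, RFC 5652): the message-digest signed attribute must equal
    # the hash of the content as received. No certificate is consulted here.
    if hashlib.sha256(received).digest() != signed_digest:
        return "content hash differs from signed attribute"
    # Stage 2: relate the signer certificate to a root in the trusted store.
    if build_path(leaf, trusted) is None:
        return "no path to a trusted root"
    return "ok"

# Constructed message: what the sender hashed vs. the same text with CRLF -> LF.
SENT = b"Content-Type: application/edi-x12\r\n\r\nORDER 4711\r\n"
DIGEST = hashlib.sha256(SENT).digest()
ALTERED = SENT.replace(b"\r\n", b"\n")

if __name__ == "__main__":
    print(diagnose(SENT, DIGEST, A, [B, C]))     # full chain, bytes intact
    print(diagnose(ALTERED, DIGEST, A, [B, C]))  # full chain, bytes changed
    print(diagnose(SENT, DIGEST, A, [C]))        # intermediate missing
```

In this model a changed payload fails at stage 1 even with the whole chain installed, while a missing intermediate fails only at stage 2.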
Unfortunately, I've limited knowledge of Seeburger's adapters, so I do not know whether they need additional settings to enable SSL ! I've implemented what I've explained using SOAP or HTTP plain adapters and it works fine ! According to the exception, some other security settings need to be set or configured (S/MIME thing)
Is there any SB documentation available ?
Chris
Hi Christophe,
After reading your post, and just for checking, we've imported the chain of certificates into the TrustedCA's and the partner certificate to the created view suggested in the master installation manual from Seeburger. Meaning, we've the lower certificate in the created view and the two root CA's in the TrustedCA's.
Do you think that all the certificates should be on the TRUSTEDCAs, even the lower one? That's my next test. I'll give you feedback in a while.
Relating to the SB documentation, it's copyright material...
Thanks Christophe
Hi Chris,
Yes, the adapter gives you the possibility of using several protocols, one of them the AS2 protocol. I'm able to encrypt the messages if I use a single certificate, with no chain associated.
Yes, "the lower one" is the certificate which has the CA chain associated, for example, CertificateRoot->CertificateCA->CertificateXPTO, in this case we would have CertificateRoot and CertificateCA in the TRUSTEDCA's and the CertificateXPTO in the created view, right?
Hi Gonçalo
I know it has been a while since you last updated this forum. We are on PI 7.0 Seeburger Adapter 1.7.2 and we are getting the exact error that you got the "AUTHENTICATION ERROR". Which version were you using and which Seeburger AS2 patch did you apply please?
Thanks in advance
Stephano