
Seeburger: keyStorage: import chain of certificates

Former Member
0 Kudos

Hi guys,

Have any of you imported on VisualAdmin Key storage a certificate which has a chain of certificates associated?

Why does this question pop up? Well, I'm using Seeburger AS2 Adapter and I'm trying to receive a message from my external partner. The point is that the certificate has a chain of certificates associated with it. I tried to import every certificate, one by one, creating three entries on the keystorage, and then specifying on the sender agreement the alias referring to the lower certificate. Meaning certificateA depends on certificateB which depends on certificateC, which is the ROOT Certificate.

certificateC

-certificateB

-certificateA

So in the sender agreement I only have

Sender Configuration

Authentication Certificate : \AS2\certificateA

My external partner is getting AUTHENTICATION ERROR. What I think is happening is that XI is not able to relate the three certificates.

Do you have any ideas?

Accepted Solutions (1)


Former Member
0 Kudos

Hi !

have a look at this Blog

/people/aniket.tare/blog/2005/03/22/ssl-certificate-installation-procedure-for-sap-j2ee-engine-630-150-steps-in-visual-administrator

Regards

Abhishek

Former Member
0 Kudos

Hi Abhishek,

Excellent blog. Have you tried it already?

Why am I questioning? Because I didn't understand point 12. How is the relation between the several certificates done? It says, "place the cursor again ", I've done it but the result is the same as importing one certificate at a time....

Another question, how is the 'white Space' character represented on the key storage?

Answers (1)


Former Member
0 Kudos

Hi,

Usually, you import all the root CAs chain into the TrustedCAs key storage ...

If you're working with a sender adapter, then XI will act as an SSL server (receiver means XI is acting as a SSL client), so, depending on the auth mode (client cert requested ?), your partner (sender) will have to import XI's CA root chain too in order to authenticate your system during SSL handshake ...

Chris

Satyagadadas
Active Participant
0 Kudos

Why are you not using the root certificate

like : Authentication Certificate : \AS2\certificateC

Former Member
0 Kudos

Hi Christophe,

That was my last guess on Friday. After reading your post I'm positive it will work . Unfortunately I wasn't able to test during the weekend. I'll give you some feedback in a minute.

Thanks for the reply

Former Member
0 Kudos

Hi guys,

Unfortunately the problem is yet to be solved...

I've placed the certificates in the TrustedCA's but I'm still getting the following error:

Error#1#/Applications/ExchangeInfrastructure/AdapterFramework/ThirdPartyRoot/SEEBURGER/AS2#Plain###authentication error

[LOC: authentication error.authenticate] Caused by: com.seeburger.dt.security.smime.SMIMEHelperException: signature verification failed:

com.seeburger.dt.security.smime.SMIMEHelperException: signature verification failed: CMS error:

invalid signature format in message: + content hash found in signed attributes different

Although the error is an authentication error, it is due to other factors.

I've searched the web but couldn't find any related issues...

For debugging I've tried sending a message from another test partner with his own certificate but leaving the other partner's certificate configured. The error is an authentication error/connection refused. So in the first case XI reaches the point of validating the certificate signature.

Has any of you faced this error?

Former Member
0 Kudos

Unfortunately, I've limited knowledge of Seeburger's adapters, so I do not know whether they need additional settings to enable SSL ! I've implemented what I've explained using SOAP or HTTP plain adapters and it works fine ! According to the exception, some other security settings need to be set or configured (S/MIME thing)

Is there any SB documentation available ?

Chris

Former Member
0 Kudos

Hi Christophe,

After reading your post, and just for checking, we've imported the chain of certificates into the TrustedCA's and the partner certificate to the created view suggested in the master installation manual from Seeburger. Meaning, we've the lower certificate in the created view and the two root CA's in the TrustedCA's.

Do you think that all the certificates should be on the TRUSTEDCAs, even the lower one? That's my next test. I'll give you feedback in a while.

Relating to the SB documentation, it's copyright material...

Thanks Christophe

Former Member
0 Kudos

Normally, TrustedCAs will only contain certification authorities' certificates ... What you call the "lower" one is not a CA ?

Does this adapter perform msg encryption or similar, so you may have to configure something else ?

Rgds

Chris

Former Member
0 Kudos

Hi Chris,

Yes, the adapter gives you the possibility of using several protocols, one of them the AS2 protocol. I'm able to encrypt the messages if I use a single certificate, with no chain associated.

Yes, "the lower one" is the certificate which has the CA chain associated, for example, CertificateRoot->CertificateCA->CertificateXPTO, in this case we would have CertificateRoot and CertificateCA in the TRUSTEDCA's and the CertificateXPTO in the created view, right?

Former Member
0 Kudos

You're right ... But I don't know why you get this SMIME exception in the seeburger adapter !

If you disable msg encryption but only keep the SSL feature, does it work (better) ?

Chris
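
The thread touches two separate checks: whether the chain CertificateRoot -> CertificateCA -> CertificateXPTO validates against the trusted CA set, and whether the S/MIME signature's content hash matches the message. The script below is an added example (not from any poster, and not Seeburger or SAP code) that exercises both offline; it assumes the OpenSSL command line is available, and every certificate and payload in it is constructed test data.

```shell
#!/bin/sh
# Constructed test PKI mirroring the thread's naming:
# CertificateRoot -> CertificateCA -> CertificateXPTO (partner certificate).
W=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/$1.key" \
    -out "$W/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_chain() {
  new_csr root CertificateRoot && new_csr ca CertificateCA &&
    new_csr leaf CertificateXPTO || return 1
  openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" \
    -extfile "$W/ca.ext" -days 2 -out "$W/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$W/ca.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
    -CAcreateserial -extfile "$W/ca.ext" -days 2 -out "$W/ca.pem" 2>/dev/null &&
  openssl x509 -req -in "$W/leaf.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
    -CAcreateserial -days 2 -out "$W/leaf.pem" 2>/dev/null &&
  cat "$W/root.pem" "$W/ca.pem" > "$W/trusted.pem"  # the "TrustedCAs" set
}

sign_message() {  # detached S/MIME signature made with the leaf key
  printf 'constructed AS2 payload\n' > "$W/msg.txt"
  printf 'constructed AS2 payload, altered\n' > "$W/altered.txt"
  openssl smime -sign -binary -in "$W/msg.txt" -signer "$W/leaf.pem" \
    -inkey "$W/leaf.key" -outform PEM -out "$W/sig.pem" 2>/dev/null
}

verify_chain() {  # $1 = PEM file holding the trusted CA certificates
  openssl verify -CAfile "$1" "$W/leaf.pem" >/dev/null 2>&1
}

verify_sig() {  # $1 = content file the detached signature is checked against
  openssl smime -verify -binary -inform PEM -in "$W/sig.pem" -content "$1" \
    -CAfile "$W/trusted.pem" -out /dev/null 2>/dev/null
}

build_chain && sign_message || { echo "openssl setup failed" >&2; exit 1; }
verify_chain "$W/trusted.pem" && echo "chain OK: Root and CA both trusted"
verify_chain "$W/root.pem" || echo "chain FAILS: intermediate CA missing"
verify_sig "$W/msg.txt" && echo "signature OK on the signed content"
# Chain is still trusted here; only the content hash no longer matches.
verify_sig "$W/altered.txt" || echo "signature FAILS: content hash mismatch"
```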

Former Member
0 Kudos

Hi Christophe,

Sorry for the late reply but I was away from the project in the last few days.

I've posted a note to SAP and it seems to be a bug in the adapter, they've updated with a patch, hope it works.

I'll be giving you feedback.

Thanks Christophe

Former Member
0 Kudos

Hi Christophe,

I've been waiting for my external partner availability in order to perform the corresponding tests.

Finally we were able to test it. Like I posted earlier, it was indeed a bug on the adapter.

Once again thanks Christophe

Former Member
0 Kudos

Hi Gonçalo

I know it has been a while since you last updated this forum. We are on PI 7.0 Seeburger Adapter 1.7.2 and we are getting the exact error that you got the "AUTHENTICATION ERROR". Which version were you using and which Seeburger AS2 patch did you apply please?

Thanks in advance

Stephano