
Certificate Authentication with SOAP Receiver

Former Member
0 Kudos

Hello,

I am trying to use the SOAP Receiver Adapter with SSL. I imported the client certificate into the Key Store with the Visual Admin. But when I try to configure the channel to use this certificate, then the certificate is not in the list. (I guess, because it is a certificate and not a key).

Is there anybody out there who has experienced such a problem or a link on good documentation?

Regards

Christian

Accepted Solutions (1)

Former Member
0 Kudos

Christian,

In which key store did you store your client certificate? Even if these stores use the "key" concept, they can also contain certificates (another sort of key).

I just checked one of my SOAP adapters, and I can see keys defined in service_ssl or TicketKeystore (default keystore view).

Rgds

Chris

Former Member
0 Kudos

Hello Chris,

I placed the CA in the TrustedCAs View and created a new View for the Client Certificate. Is this the error, shall I try to use the standard View?

Regards

Christian

Former Member
0 Kudos

Christian,

Not sure, but give it a try after relocating the client cert and see if it is available for selection in the SOAP adapter ...

If still not ok, try to restart the J2EE, because, for me, I had to do that to take new certs into account.

Rgds

chris

prateek
Active Contributor
0 Kudos

Use view "service_ssl"

Regards,

Prateek

Former Member
0 Kudos

Hello Chris,

thank you for your suggestions. I tried and put the certificate into the Standard Views and also restarted the J2EE-Server. But they still do not show up in the Directory. If I create a test key, then it shows up in the directory list.

Do you have any other suggestion? Do you use certificates for authentication?

Regards

Christian

Former Member
0 Kudos

Damned ... So the "key" you've imported does not show up, whereas the key you've created is available for selection? Could you check the encryption algorithm for both keys, are they the same (DSA? RSA?)

Chris

Former Member
0 Kudos

Just to be clear. I created a key with corresponding certificate and the key shows up. But I want to authenticate with a certificate....

The algorithms are all RSA.

Edited by: Christian Schroeder on May 6, 2008 11:25 AM

Former Member
0 Kudos

This seems a little bit tricky to handle! What I've noticed is that only keys with type "PRIVATE KEY" are available when configuring the SOAP client cert ... Is the imported cert's type like this?

I'll try to perform other tests later

Chris

Former Member
0 Kudos

No. I guess that is the problem. It is a certificate. But in our Business Connector it can be used to login.... Thank you very much for your help till now. I really appreciate it.

Former Member
0 Kudos

I used to use BC too, with client certificates ... Maybe I can try to get one of its certificates and see if I can do like you did.

Chris

PS: one last thought, are you able to get your certificate in a PKCS format (check which flavors are supported by the KeyStorage service thru VA)? It seems to be the only way to export a certificate and its corresponding private key (which is required to be used as a client certificate) ...

Edited by: Christophe PFERTZEL on May 6, 2008 10:24 PM

Former Member
0 Kudos

Hello Chris,

If I look at those certificates they do not show any private key. Although there seems to be no key in them, they work to authenticate with our partners (using the "Client certificates" view in BC).

Hm. Do you know any tool to examine the certificates in detail? Maybe there is some key which is part of the client certificate file?!

Regards

Christian

Former Member
0 Kudos

Christian,

I'm running out of ideas, but another confirmation please: your scenario is:

you -> xi -(soap)-> partner

or

partner -(soap)-> xi -> you ?

Your last statement confuses me, cuz if I remember right, the "client certs" in BC are used to authenticate external partners against a BC user (in this case, it would be a sender system in the XI world) ... I'm not sure though, because I've stopped using BC a long time ago.

Chris

Edited by: Christophe PFERTZEL on May 7, 2008 12:11 PM

Former Member
0 Kudos

Hello Chris,

it is me -> xi -(soap)-> partner.

Hm. This specific BC is used to send data but not receive.

Or is it possible that it is used by the receiving BC to verify the certificates?!

Regards

Former Member
0 Kudos

Hi again,

Thanks for confirming. I've checked BC's help file, and here is what it says about "client certificates":

"Use the Client Certificates screen to view the list of clients whose certificates are accepted by your server. You also use this screen to add (import) and delete certificates from this list.

Note: If your SSL port is configured to "require" client certificates, the port will accept requests from only those clients whose certificates are in this list."

So you're right, it is used to authenticate you, as client, when reaching your target thru SSL (meaning the target requires a certificate from you instead of user/pwd or nothing).

For you, by whom and how was this certificate generated?

Chris

Edited by: Christophe PFERTZEL on May 7, 2008 12:26 PM

Former Member
0 Kudos

Hi

I am using certificates to authenticate with an external provider. I have no certificate configuration in the adapter, but in Visual Admin there is a service called SSL Provider. Here you can choose Dispatcher -> Active Sockets. For each active socket choose the tab Client Authentication -> tick the radio button "Request Client Certificate" and add your certificate from the Trusted CAs view. This is enough for me to make this work...

regards Ole

Former Member
0 Kudos

Hello Chris,

we got the certificates from our partners. Including the root certs.

Regards

Former Member
0 Kudos

Isn't this done only for incoming connections?!

Former Member
0 Kudos

Hey

Yep, you are right. I may have misunderstood your scope, but for us this is all we need to establish an SSL connection with the external system/partner. The response is not received until the configuration I mentioned above is done.

Ole

Former Member
0 Kudos

Christian,

I've reviewed my own configuration for the receiver HTTPS adapter (I think SSL settings must be done the same way for SOAP, as the technical layer is the same), and here is what I've done:

1 - imported the whole root CA chain (sent by our partner, but also retrieved using IE when testing their URL)! Note: their client (lowest) certificate has not been loaded into the KeyStore

2 - I've created XI's SSL server certificate issued (using a CSR) by VeriSign and assigned it to the SSL provider as its server identity

3 - I've sent XI SSL certificate (client cert + its VeriSign root CA) to our partner

4 - they have imported our client cert into their own system

5 - I have assigned the created SSL key (private key) to the HTTP adapter

Now, it is working fine this way:

1 - when we send them a document, XI checks the partner's server certificate against its known root CAs from its TrustedCAs view,

2 - XI presents its own certificate to the partner, which checks that our certificate is trusted on their side (root CAs) and is mapped against an internal user with the required credentials,

3 - SSL handshake is successful, HTTPS link created

Is there any difference with your own implementation?

Chris

henrique_pinto
Active Contributor
0 Kudos

There seems to be a lot of confusion here.

You CANNOT use client certificates (with only a public key) to authenticate yourself on an SSL connection. SSL communication demands data to be encrypted, and in order to encrypt anything you need the private key certificate.

Also, from the BC documentation:

<i>Use the Client Certificates screen to view the list of clients whose certificates are accepted by your server. You also use this screen to add (import) and delete certificates from this list.</i>

It says that these client certificates are <i>accepted by your server</i>. It's not like you're going to use them to authenticate yourself, but rather accept these from clients who may try to connect to your server.

Regards,

Henrique.
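A quick way to spot the situation Henrique describes (a file that holds only the public certificate and no private key), written as an added example for this thread, not code from SAP or from anyone in the discussion. It inspects the PEM envelope of a file and reports whether a private key accompanies the certificate; the sample PEM data below is constructed with placeholder bodies.

```python
import base64
import re

# Constructed sample input (not from the thread): a PEM file holding only a
# certificate, i.e. the public half, which is what the poster imported.
# The base64 bodies are short placeholders, not real DER encodings.
CERT_ONLY_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBszCCAVygAwIBAgIJAKm3
-----END CERTIFICATE-----
"""

# The same certificate plus the private key that SSL client auth needs.
CERT_AND_KEY_PEM = CERT_ONLY_PEM + """\
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAu4Zl
-----END RSA PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# PEM labels that carry a private key (PKCS#8, PKCS#1, SEC1, encrypted PKCS#8).
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, der_bytes) per PEM block; bodies that are not valid
    base64 or do not start with a DER SEQUENCE (0x30) get label 'MALFORMED'."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            der = b""
        blocks.append((label if der[:1] == b"\x30" else "MALFORMED", der))
    return blocks


def client_identity_check(text):
    """Report whether a PEM file can serve as an SSL client identity.

    The client needs the certificate (presented to the server) and its private
    key (proves possession during the handshake); a certificate on its own only
    belongs in a trust store such as the TrustedCAs view."""
    labels = [label for label, _ in pem_blocks(text)]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label in PRIVATE_KEY_LABELS)
    return {"certificates": certs, "private_keys": keys,
            "usable_as_client_identity": certs > 0 and keys > 0}
```

Only the PEM labels are examined; confirming that the key actually matches the certificate's public key needs an X.509 parser, which is beyond this check.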

Former Member
0 Kudos

Henrique,

Thanks for confirming/clarifying. Maybe I haven't been able to explain my implementation correctly, but the client certificate (public key) is only used to "show" your identity (trusted or not) to the target point of the connection.

In order to encrypt the flow, private keys (I admit I often misused the term "certificate" for both types) must be used internally, but public keys are also involved to "decrypt".

Chris

Former Member
0 Kudos

Hello,

thank you all for your posts. I just misunderstood the concept of SSL I think. We now imported our private key corresponding to the certificates which we gave to our partners and everything works fine.

What is still a bit ugly is that when you import the private key, the VA asks twice for the password and certificate chain... And you need to press "Cancel" to stop it asking for more certificates.

Regards

Christian
