
Need help regarding HTTPS with AS2 setup !!

former_member217888
Participant
0 Kudos

Hi All,

We have a scenario wherein we are communicating with a Bank using Seeburger AS2 with HTTPS while sending data.

We have sent them our certificate chain having our public certificate in .p7b format and vice versa they have sent their 3 chained SSL certificates in .cer format.

Now, the issue is that when we use HTTPS with AS2, we have 2 additional fields to be filled.

So,

1. I am not sure what needs to be filled in these fields.

2. Does the received SSL certificate chain need to be installed individually in NWA or as one only?

3. The location of SSL certificates in NWA. Which view should I use?

4. Is there any other setting to use SSL connection? We already have 443 SSL port enabled and in green status.

I believe once this SSL handshake is successful, the role of the AS2 certificate will come into play.

Please suggest.

Thanks

Neha

Accepted Solutions (1)


former_member217888
Participant
0 Kudos

Hi All,

After using XPI Inspector logs we found that the "Bad Certificate" error while sending data to the 3rd party using AS2 with the HTTPS option is coming because our certificate, which we sent them, was only capable of Server Authentication and the 3rd party needs it to be capable of Client authentication as well.

So, we sent our certificate chain to our CA - Entrust and they Enhanced key usage to Client authentication as well.

Now, I have the updated certificate chain with me.

Can someone please guide if I need to create a new Key Pair to import this CSR response or do Import CSR response in the existing Private Key/Certificate pair?

Thanks

Neha

former_member186851
Active Contributor
0 Kudos

Hello Neha,

Get the public key for authentication and import the same in PI.

former_member217888
Participant
0 Kudos

Hi,

I got 4 certificates from the CA: 2 Intermediate, 1 Server and 1 Root. I imported them only in the existing Private key (PI_AS2_CERT) and it is updated with new capabilities and validity date.

But the certificate (PI_AS2_CERT-cert) associated with it is the same and unchanged. Do I need to bother about that also?

Please clarify.

Thanks

Neha

former_member186851
Active Contributor
0 Kudos

Neha,

Instead of overwriting, try importing as new ones.

former_member217888
Participant
0 Kudos

I have already imported in the same Key-pair. I can't undo my changes now.

Please suggest.

bhavesh_kantilal
Active Contributor
0 Kudos

As I understand, your key pair aka private key seems to have been imported perfectly. The issue as I understand seems to be with your public certificate. What you can do is -

  1. Take a backup of PI_AS2_CERT-cert ( Export this as a public certificate )
  2. Export the Public key from PI_AS2_CERT ( Your Private Key Pair which is updated as needed )
  3. Check if the change is reflected in the Public Key that you imported from the new KeyPair.
  4. Share this with your Partner.
  5. In NWA, delete the existing Public Key -> PI_AS2_CERT-cert ( which you backed up in step1 )
  6. In NWA, import the Public Key from Step 2 with the name PI_AS2_CERT-cert.

Note: As you are performing Client Authentication with AS2, this PI_AS2_CERT-cert is not used in your PI in both configuration and runtime. You only use your Private key. Hence, performing steps 5 and 6 is not really required technically but will help make sure that, if any future need arises, the certificate is consistent.

Let me know if there are any issues or questions you may have (this is a topic I am really passionate about).

Regards

Bhavesh

former_member217888
Participant
0 Kudos

Hi,

Thanks for an elaborate answer, but when I try to import the certificate from the Private key I only have 2 options - PKCS8 or PKCS12.

With the PKCS8 option I got 4 .crt files and 1 .p8 file. On the other hand the certificate exported from Step 1 is of Type - .cert.

How should I import back the public key from the private key as said in Step 2?

Also, we have already shared our new certificate chain with our partner.

Please suggest.

Thanks

Neha

bhavesh_kantilal
Active Contributor
0 Kudos
  • In the 4 .crt you have exported in the PKCS8, you can choose the .crt file which corresponds to the hostname of your server. The remaining 3 .crt are the certificates of your CA. These need not be imported.
  • The .crt and .cert extensions are the same and hence no concerns in reimporting the same.

Like I mentioned, this step is a redundant step and not required, your current setup as-is is good to go! The .cert file is just a reference created by SAP in the keystore!

Regards

Bhavesh

former_member217888
Participant
0 Kudos

Done.

I imported the server certificate only and deleted the old one.

I think we should be ok now. Will do the testing once the partner also uploads our new certificates in their server.

Thank you so much for your help.

Neha

former_member217888
Participant
0 Kudos

One last question.

What if I keep both public certificates in the same keystore?

This is important because we have shared the old one with our old partners using AS2 with normal HTTP and this new one is shared only with our new partner utilizing AS2 with HTTPS.

Is it possible that old partners get an authentication error as the old certificate sent to them is no longer in the key store?

Please suggest.

Thanks

Neha

bhavesh_kantilal
Active Contributor
0 Kudos

Please check the serial number of the old and new certificate. In my experience this should be the same as the CA just signs the cert and does not change any of its properties. If the serial number is the same, nothing to worry about. If it is different then you need to share the new cert with the partner.

I do think that it would be the same though.

former_member217888
Participant
0 Kudos

The serial numbers are different and that is why I am getting authentication failed error at MDN.

I guess we need to send all old partners our new certificate.
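
The two checks this thread turns on, whether the certificate's Extended Key Usage includes client authentication and whether a reissued certificate kept its serial number, can be run with openssl on exported .crt files. The script below is an added example, not part of the original posts; it builds two constructed self-signed certificates from one key pair (the file names old.crt and new.crt, the CN pi.example.test and the serials are assumptions) to show both.

```shell
#!/bin/sh
# Added example: constructed test certificates, not the ones from the thread.

# Print the Extended Key Usage purposes of a PEM certificate on one line.
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if the certificate may be used for TLS client authentication.
cert_allows_client_auth() {
    cert_eku "$1" | grep -q 'TLS Web Client Authentication'
}

# Serial number in hex (the value the thread compares between old and new).
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# SHA-256 over the public key: identical when a reissue reuses the key pair.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# Build a constructed self-signed certificate: make_cert KEY OUT SERIAL EKU
make_cert() {
    cfg=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' 'CN=pi.example.test' '[ext]' \
        "extendedKeyUsage=$4" > "$cfg"
    openssl req -x509 -new -key "$1" -out "$2" -days 1 -set_serial "$3" \
        -config "$cfg" 2>/dev/null
    rm -f "$cfg"
}

workdir=$(mktemp -d)
openssl genrsa -out "$workdir/key.pem" 2048 2>/dev/null
make_cert "$workdir/key.pem" "$workdir/old.crt" 1001 serverAuth
make_cert "$workdir/key.pem" "$workdir/new.crt" 1002 serverAuth,clientAuth

for c in old new; do
    f="$workdir/$c.crt"
    if cert_allows_client_auth "$f"; then usable=yes; else usable=no; fi
    echo "$c: serial=$(cert_serial "$f") clientAuth=$usable eku=$(cert_eku "$f")"
done
[ "$(cert_pubkey_hash "$workdir/old.crt")" = "$(cert_pubkey_hash "$workdir/new.crt")" ] &&
    echo "same key pair, different serial: partners holding old.crt need new.crt"
```

The `cert_*` functions take any PEM certificate, so they can be pointed at the .crt files exported from the keystore before and after the CSR response is imported.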

Answers (2)


former_member217888
Participant
0 Kudos

Hi All,

I am getting below error for all my AS2 interfaces.

Transmitting the message to endpoint <local> using connection File_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: javax.resource.ResourceException: Fatal exception: javax.resource.ResourceException: SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: java.security.PrivilegedActionException: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Could not retrieve certificate USER/SEEBAS2/PI_AS2_CERT., SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: java.security.PrivilegedActionException: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Could not retrieve certificate USER/SEEBAS2/PI_AS2_CERT.


I haven't done any changes in Certificates or Identity mgmt. PFB snapshot.

Any suggestions?


Thanks Neha

bhavesh_kantilal
Active Contributor
0 Kudos

Neha,

This is a new issue, hence typically a new post should be created.

This points to an issue where the seeburger user does not have access to the corresponding View.

Please check the seeburger configuration guide for this. They described how the user needs to be provided the corresponding access to the view.

Unfortunately I do not have access to these guides at this moment, but there is a setting that needs to be done to assign the seeburger user to various views.

Regards

Bhavesh

former_member186851
Active Contributor
0 Kudos

Hello Neha,

Check the below links and do the settings accordingly.

For certificates you should import in NWA->Certificates and Keys->TrustedCAs.

Configuring the AS2 Receiver Channel - SAP NetWeaver Process Integration, business-to-business add-o...

former_member217888
Participant
0 Kudos

In TrustedCAs, should I directly import the certificate chain sent or individually import the 3 certificates present in the chain?

former_member186851
Active Contributor
0 Kudos

Import individually.

Check the below link

former_member217888
Participant
0 Kudos

Hi,

I have imported all the certificates in TrustedCAs view.

Now I need to know which certificate I should use in the AS2 channel at the below field and how to get the alias.

Thanks

Neha

former_member186851
Active Contributor
0 Kudos

Hello Neha,

Am not 100% sure on this.

Guess you need to mention the keystore here, not individual certificates.

Refer to the below link and see if it helps

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d095b2df-9fa3-2d10-568b-d12d99828...

nitindeshpande
Active Contributor
0 Kudos

Hello Neha,

You need to upload the certificates with the private key under TrustedCAs. I hope you have received the certificates with private key from your 3rd party.

Once you have done this in NWA, you must use the same in your channel.

Regards,

Nitin

former_member217888
Participant
0 Kudos

Hi Nitin,

We have a Bank as our 3rd party. They have already sent us their 3 chained public SSL certificates which I have imported in the PI NWA - TrustedCAs keystore.

Why will they send us the private key? Can you please elaborate more on this?

Also, I referred to the Root certificate out of the 3 certificates in the channel but am again and again getting the "Bad Certificate" error.

Please suggest.

Thanks

Neha

former_member186851
Active Contributor
0 Kudos

Hello Neha,

You will get the public key, not the private key.