How To Guide
Platform: PI
Release: 7.1x/7.3x

SEEBURGER AG AS2 Certificate Handling How To Guide Page 2/21 19.03.2013

Contents

AS2 CERTIFICATE HANDLING
  Creating a Keystore View
  Importing certificates
  Creating a new private key and certificate
  Exporting a certificate
  Granting Keystore View access to adapter users
CONFIGURATION ERRORS
  General
  Errors in the Runtime-Workbench
    No encryption certificate
    Could not retrieve certificate \USER\ABC\XYZ
    No signature certificate
    MDN requested, but appropriate report channel is missing
    Unrecognized SSL message
    No trusted certificate found
  Errors in the SEEBURGER-Workbench
    Decryption certificate missing
    Decryption failed
    Authentication error
    Authentication certificate missing
    Key invalid in message
    MDN not signed
    MDN not authenticated
APPENDIX
  Further Information
Icons (symbol and description): Caution, Warning, Note, Recommendation, Requirements, Information, Example, Code

AS2 Certificate Handling

Note: The following instructions do not replace the official SEEBURGER documentation. Please follow the documents outlined in Further Information.

Creating a Keystore View

All certificates and private keys for signed and encrypted communication have to be stored in the SAP Key Storage. For this purpose a new Keystore View has to be created.

Go to http://<servername>:<port>/nwa and open the SAP Netweaver Administrator. From the start page switch to Configuration Management > Security > Certificates and Keys.
In the Keystorage Content tab click Add View.
Fill in View Name and Description for the new view. Click Create.
The result should look like this.
Importing certificates

To verify signed messages from trading partners, their certificates have to be imported into the new Keystore View. To import a certificate from a trading partner, click the Import Entry button in the Key Store View Details pane.
Choose X.509 Certificate, select the certificate file from the file system and click Import.
Note: The name of the imported certificate can be changed using the Rename button.

Creating a new private key and certificate

Select the Keystore View and click Create in the Key Storage View Details pane.
Fill in an Entry Name and check Store Certificate to create a certificate (otherwise only a private key will be created). Click Next.
Fill in the Subject Properties. If required, properties can be added or removed by clicking the Add or Remove button. Skip Step 3 and 4 by clicking the Finish button.
The result should look like this.
Exporting a certificate

To provide your own certificates to trading partners, select the certificate to be exported and click the Export Entry button.
Select the preferred export format and click the Download link.
Granting Keystore View access to adapter users

To be able to use the certificates and keys stored in the Keystore View within the SEEBURGER communications adapters, the adapter users need access to the view.

Go to Configuration Management > Security > Identity Management.
Search for see* to get a list of adapter users.

Note: The adapter users must have been created beforehand.
Select the user seeas2 and switch to the Assigned Roles tab in the Details of User pane. Click Modify.
Search for the Role view-creator*. Select the role of the Keystore view and Add it to the user. Save the changes.
Configuration Errors

General

Note: The following errors were provoked with an AS2 adapter, but they apply equally to every other SEEBURGER adapter that uses encryption and signing.

Errors in the Runtime-Workbench

No encryption certificate

Error:
Solution: Check your Receiver Agreement
Could not retrieve certificate \USER\ABC\XYZ

Error:
Solution: Check the adapter user in the Identity Management of the Netweaver Administrator (NWA). The user must be assigned the role for the Keystore View that contains the certificates and private keys.
No signature certificate

Error:
Solution: Check your Receiver Agreement
MDN requested, but appropriate report channel is missing

Error:
Solution: Check if a Report channel and the corresponding Sender Agreement are configured.
Unrecognized SSL message

Error:
Solution:

No trusted certificate found

Error:
Solution: Check your SSL configuration in the communication channel and make sure the SSL certificate is in the Key Storage and valid.
Caution: If an SSL certificate is newly imported, a restart of the J2EE Engine is required for the changes to take effect.
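Added example (not part of the original SEEBURGER guide): a shell check that reports a certificate file's subject, validity dates and SHA-256 fingerprint, for use before importing a trading partner or SSL certificate into the Keystore View or when its validity is in doubt. It assumes the openssl command-line tool and a PEM-encoded file; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the SEEBURGER guide. Function names are illustrative.
# Assumes the openssl CLI and a PEM (Base64) encoded X.509 file; for a binary
# export add "-inform DER" to the openssl calls.

# cert_fingerprint FILE: print the SHA-256 fingerprint as colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_status FILE [MIN_DAYS]: print unreadable, expired, expiring or valid.
# Only the notAfter date is checked, not notBefore, the trust chain or revocation.
cert_status() {
    file=$1
    min_days=${2:-30}
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$file" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo expiring
    else
        echo valid
    fi
}

# cert_report FILE [MIN_DAYS]: summary to review before importing the file.
cert_report() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates || return 1
    echo "SHA-256 fingerprint: $(cert_fingerprint "$1")"
    echo "Status: $(cert_status "$1" "${2:-30}")"
}

# Run as a script: sh check_cert.sh partner.pem [min_days]
if [ $# -gt 0 ]; then
    cert_report "$@"
fi
```

Compare the printed fingerprint with the value the trading partner supplies over a separate channel before clicking Import.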
Errors in the SEEBURGER-Workbench

Decryption certificate missing

Error:
Solution: Check the Decryption Key in your Sender Agreement.
Decryption failed

Error:
Solution: Check the Decryption Key in your Sender Agreement.
Authentication error

Error:
Solution: Check the Authentication Certificate in your Sender Agreement.
Authentication certificate missing

Error:
Solution: Check the Authentication Certificate in your Sender Agreement.
Also check if the system property mail.mime.multipart.bmparse is set to false. Go to SEEBURGER Workbench > System Status > Important Server Properties
Caution: If not OK, apply SAP Note 1287778.

Key invalid in message

Error:
Solution: Check if the Unlimited Strength Policy files are installed on all server nodes.
Caution: If not OK, see SeeMasterInstallationGuide.pdf chapter 4 Note on Cryptography and SAP Note 989517.

MDN not signed

Error:
Solution: Check the Signing Key in your Sender Agreement.
MDN not authenticated

Error:
Solution: Check the Authentication Certificate in your Sender Agreement for the Report channel.
Appendix

Further Information

Information: For further information refer to the SEEBURGER Master Configuration Guide and the Adapter manuals coming with the solution release.