on 11-26-2014 6:08 AM
Hi Experts,
We have configured AS2 from SAP B2B Add-on as part of our SAP PI 7.31 Dual Stack installation. I was able to successfully send AS2 messages to the partner by configuring the appropriate Receiver Channel.
We have a CA Signed certificate which is uploaded in a KeyStore View in NWA. The partner's public certificates are also uploaded on NWA TrustedCA Keystore and also the KeyStore where we store AS2 certificates (some partners use the same certificate, others have different certificates for SSL Handshake and Data Encryption/Signature Authentication).
However, after configuring the appropriate Sender Channel and the associated Configuration Scenario objects, when the partner sends data to us, they are receiving a 401 Unauthorized Error. I have instructed them to send the data to https://server:443/AS2/B2B. I have sent them our public certificate and everything is still failing on their end.
Any help will be appreciated.
Best Regards,
Rommel
Hi Rommel,
By default, the AS2 adapter requires basic authentication. If your partner is not using the correct user/password then he will get an HTTP 401 exception.
If you want to skip basic authentication step then please follow the steps given in SAP Note 1828575.
Thanks & regards,
Piyush
Hi Piyush,
Thanks a lot - that resolved our authentication issue. Now we have a different issue - AS2 cannot decrypt the inbound messages sent to us encrypted by our public certificate. Thing is we are using the same certificate for client-server authentication as well as encryption and signature.
Not sure why it is failing - any inputs?
Here is the error we are receiving:
Error occured while decrypting the AS2-message: Cannot decrypt message: org.bouncycastle.cms.CMSException: key invalid in message.
Not sure if we missed another configuration.
Regards,
Rommel
Hi Piyush
Why do you say that by default it requires basic authentication? I am having a similar error, but in the logs I see that all login modules (including BasicPasswordLoginModule) are flagged as SUFFICIENT and not REQUIRED.
I would like the ClientCertLoginModule to deal with the authentication, not basic authentication. Maybe you can give me a clear explanation on this.
context.table | LOGIN.FAILED |
User: AS2_Partner
IP Address: 200.230.490.651
Authentication Stack: sap.com/com.sap.aii.adapter.as2.app*AS2
Authentication Stack Properties:
policy_domain = /AS2
auth_method = basic
realm_name = B2BAS2Apps
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule SUFFICIENT ok exception true Received no SAP Authentication Assertion Ticket.
#1 ume.configuration.active = true
2. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
#1 ume.configuration.active = true
3. com.sap.engine.services.security.server.jaas.ClientCertLoginModule SUFFICIENT ok false false
#1 Rule1.getUserFrom = wholeCert
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok exception true Authentication did not succeed.
Sorry for writing over this thread, if you like I can open a new discussion... so I can reward you with points.
Regards
Henry
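The login stack from the log above, run through the standard JAAS control-flag rules, as an added example that is not part of the original thread or of SAP's code. It assumes the NetWeaver stack follows the standard javax.security.auth.login semantics; the per-module outcomes are a reading of the Login column in that log, and the two variant stacks are constructed.

```python
# Added example: models the standard JAAS control flags
# (REQUIRED / REQUISITE / SUFFICIENT / OPTIONAL). Not SAP code.

def evaluate_stack(stack):
    """stack: list of (module, flag, login_ok).
    Returns (authenticated, module that ended the stack early, or None)."""
    required_ok = True   # no REQUIRED module has failed so far
    any_success = False  # at least one module logged the user in
    for module, flag, login_ok in stack:
        any_success = any_success or login_ok
        if flag == "REQUIRED":
            required_ok = required_ok and login_ok   # failure is remembered, stack continues
        elif flag == "REQUISITE":
            if not login_ok:
                return False, module                 # failure stops the stack at once
        elif flag == "SUFFICIENT":
            if login_ok and required_ok:
                return True, module                  # success stops the stack at once
        elif flag != "OPTIONAL":
            raise ValueError(f"unknown control flag: {flag}")
    # End of stack: every REQUIRED module passed AND something succeeded.
    return required_ok and any_success, None

# Outcomes as read from the log in the post above: every module failed.
LOGGED_STACK = [
    ("EvaluateAssertionTicketLoginModule", "SUFFICIENT", False),
    ("EvaluateTicketLoginModule", "SUFFICIENT", False),
    ("ClientCertLoginModule", "SUFFICIENT", False),
    ("BasicPasswordLoginModule", "SUFFICIENT", False),
]

# Constructed variant: the client certificate maps to a user.
CERT_OK_STACK = [(m, f, m == "ClientCertLoginModule") for m, f, _ in LOGGED_STACK]

# Constructed variant: basic auth made REQUIRED but placed after the cert module.
BASIC_REQUIRED_LAST = CERT_OK_STACK[:3] + [("BasicPasswordLoginModule", "REQUIRED", False)]

if __name__ == "__main__":
    for label, stack in [("logged", LOGGED_STACK),
                         ("cert ok", CERT_OK_STACK),
                         ("basic REQUIRED last", BASIC_REQUIRED_LAST)]:
        print(label, evaluate_stack(stack))
```

SUFFICIENT means "enough on its own if it succeeds", not "may be skipped": a stack of only SUFFICIENT modules still fails when none of them succeeds, and a REQUIRED module placed after a succeeding SUFFICIENT one is never consulted.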
I was just going through the documentation and found the notes below regarding authorization.
The UME action AS2Deliverage must be assigned to the J2EE user created for the purpose of sending messages to the adapter’s public HTTP URL. The authentication credentials are provided to the partner in order to call the adapter using HTTP(s).
Maybe you can check if the user has any roles assigned which have the action "AS2Deliverage".
Hi Hareesh,
Thank you very much for your information I'll check it out. However, we would like to use SSL authentication. Any ideas how to configure it?
I've gone so far in modifying the Authentication Stack and Properties for sap.com/com.sap.aii.adapter.as2.apps*AS2 in NWA to do client certificate authentication instead of basic but still failing as well.
Regards,
Rommel