
RNIF adapter, Hierarchical Trust Model?

bhavesh_kantilal
Active Contributor
0 Kudos

Hello All,

Has anyone used the Hierarchical Trust Model with the RNIF adapter?

I am trying to implement a scenario with the RNIF adapter where XI posts a message to a Business Partner and gets back the Asynch Business Signal.

Options Selected in the RNIF adapter,

1. Sign Action Message

2. Sign Business Signal.

1. I have tested my environment set up using the Rosettanet Self Test Kit. I use a Self Signed Cert for the RSTK and in this case the scenario works perfectly fine with the Direct Trust Model.

2. When I test this with my partner who uses an Equifax Signed Certificate, the Signature validation of the Business Signal fails. I tried to use both the Direct Trust Model and the Hierarchical Trust Model and none of the options selected help. I have loaded the Cert from my Partner in the TrustedCAs, restarted the Keystore and still XI errors with the Invalid Certificate error.

The Business Partner has confirmed that they are using the right certificate to sign the message and I also copied the Signature from the RNIF Business Signal hitting XI, saved it as a p7s file and the certificate looks just as the cert loaded in the keystore.

My question here is,

1. When I use direct trust model I provide the Keystore View and Certificate Entry and it errors.

2. When I use Hierarchical Trust model, I still get the same error.

Specifically, has anyone used the Hierarchical Trust Model? Is there some special entry we need to provide in our Receiver agreement? For now, my entries for the following fields look like,

Issuer : used f4 help and the details came out had the Organization Unit, Organization and c

Subject : CommonName , Organization , Locality, State, Country

CertificateAuthority Keystore View : TrustedCAs, which contains the CA's certificate (Equifax in my case).

Would anyone have any idea on what I might have missed? The set up works with Self Signed Certificates and hence I am not sure what special we need to do to use the CA signed Certificate.

Any ideas/ thoughts, Please do let me know.

Regards,

Bhavesh

PS: My apologies if you fell asleep midway through this rather long thread

Accepted Solutions (0)

Answers (2)

bhavesh_kantilal
Active Contributor
0 Kudos

The issue seemed to be that Partner gateway was not enforcing the content-transfer-encoding in the MIME header of the service content and so the interpretation was open to the XI gateway and XI gives a signature validation error even though the line is missing in the MIME headers of the service content.

It is always a best practice to enforce the content-transfer-encoding to avoid ambiguity at the other end.

Making sure our partner set the Content-transfer-encoding: binary in the MIME header for the service content seems to have resolved the signature validation error.

bhavesh_kantilal
Active Contributor
0 Kudos

An example of this issue for better understanding.

Service Content with the Content Type Missing,

Content-Type: application/xml
Content-Location: RN-Service-Content
Content-ID: <sc.1218736184007CA932001A00214419047BC050F4DA55BA6B>
Content-Description: RosettaNet-Service-Content

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ReceiptAcknowledgment SYSTEM "AcknowledgmentOfReceipt_MS_V02_00.dtd">
<ReceiptAcknowledgment>
<NonRepudiationInformation>
<OriginalMessageDigest>upVLsOJgQMBzXToMpubQolvChTQ=</OriginalMessageDigest>
</NonRepudiationInformation>
</ReceiptAcknowledgment>

Service Content With Content Type available,

Content-Type: application/xml
Content-transfer-encoding: binary
Content-Location: RN-Service-Content
Content-ID: <sc.1219091041668CA932001A00221094603BC82CF1966CEEF8t>
Content-Description: RosettaNet-Service-Content

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ReceiptAcknowledgment SYSTEM "AcknowledgmentOfReceipt_MS_V02_00.dtd">
<ReceiptAcknowledgment>
<NonRepudiationInformation>
<OriginalMessageDigest>2KUCNJMbc6lafg6bq60yhtkRLe8=</OriginalMessageDigest>
</NonRepudiationInformation>
</ReceiptAcknowledgment>
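An added illustration, not code from the thread or from SAP, of why a service-content part without Content-Transfer-Encoding can fail signature validation while the same part declared as binary passes. It assumes the sender digests the body bytes exactly as sent and that a verifier falling back to RFC 2045's default of 7bit canonicalises line endings to CRLF before hashing; the sample parts, the use of SHA-256 and all function names are constructed for the example.

```python
import hashlib
import re
from email.parser import BytesParser

# Constructed sample: body and headers modelled on the two parts shown in the post.
BODY = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b"<ReceiptAcknowledgment>\n</ReceiptAcknowledgment>\n")
COMMON = (b"Content-Location: RN-Service-Content\n"
          b"Content-Description: RosettaNet-Service-Content\n\n")
PART_MISSING = b"Content-Type: application/xml\n" + COMMON + BODY
PART_BINARY = (b"Content-Type: application/xml\n"
               b"Content-transfer-encoding: binary\n" + COMMON + BODY)
# Assumption: the sender digests the body exactly as sent (SHA-256 as a stand-in).
SENDER_DIGEST = hashlib.sha256(BODY).hexdigest()


def split_part(raw):
    """Split one MIME part into (parsed headers, raw body bytes)."""
    pieces = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    if len(pieces) != 2:
        raise ValueError("no blank line between headers and body")
    headers = BytesParser().parsebytes(pieces[0] + b"\n\n", headersonly=True)
    return headers, pieces[1]


def bytes_to_verify(body, encoding):
    """Bytes this hypothetical verifier hashes under a given transfer encoding."""
    if encoding == "binary":
        return body  # opaque content, hashed exactly as received
    if encoding in ("7bit", "8bit"):
        # Line-oriented text: canonicalise line endings to CRLF before hashing.
        return re.sub(rb"\r?\n", b"\r\n", body)
    raise ValueError("encoding not covered by this example: " + encoding)


def check_part(raw, expected_digest):
    """Report the declared encoding, the one actually applied, and the result."""
    headers, body = split_part(raw)
    declared = headers.get("Content-Transfer-Encoding")
    declared = declared.strip().lower() if declared else None
    effective = declared or "7bit"  # RFC 2045 default when the header is absent
    digest = hashlib.sha256(bytes_to_verify(body, effective)).hexdigest()
    return {"declared": declared, "effective": effective,
            "digest_matches": digest == expected_digest}


if __name__ == "__main__":
    for name, part in (("missing", PART_MISSING), ("binary", PART_BINARY)):
        print(name, check_part(part, SENDER_DIGEST))
```

Running the same check over a captured part before it reaches the signature verifier shows whether the header is absent and which interpretation the receiver will fall back to.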

Former Member
0 Kudos

Hi,

I am trying to do the same (I am pretty new to PI). We will receive a rosettanet document that is digitally signed via https.

So far, I created a new view in "KeyStorage", and added the client certificate (root, two intermediates, and client cert itself) under "entries" for that view. Is this what I am supposed to do?

I restarted KeyStorage from Visual Administrator, and then tried to configure RNIF adapter. I selected "Authentication" as "Certificate Logon", and tried to access my newly created KeyStorage View, but I don't see it. I am not sure of the steps that I missed. Can you please help?

Any help is greatly appreciated!

Thanks,

Archana

bhavesh_kantilal
Active Contributor
0 Kudos

Hello Archana,

I was not able to use the Hierarchical Trust Model; I tried with the direct Trust Model and thereafter things worked.

As I had pointed out above, the issue was not with Hierarchical / Direct Trust Model but rather with the Base Encoding missing in the RosettaNet Business Signal. I can try this with Hierarchical and see how things work now that it works with Direct.

Before trying to use Hierarchical Trust Model try the same scenario with the Direct Trust Model.

All the steps you have done are correct.

One last question - What are you trying here? Are you doing Server SSL with Client Auth or are you referring to the issue where you are unable to validate the signature from a partner?

Regards

Bhavesh

vk_k3
Participant
0 Kudos

Hi Bhavesh,

I ran into the same situation where the Content-Transfer-Encoding should be "Base64" for the trading partner but we are sending "Binary".

Can you please let me know if there was some update on your OSS note from SAP and how this was resolved?

Regards,
Vkjoat

former_member859847
Active Contributor
0 Kudos

Hi Bhavesh,

I hope you correctly configured the receiver agreement.

Anyhow, could you please cross check with the following links.

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e08a2bc6-e76e-2910-69ae-d7c30c8d... (page 19-21).

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/709a019d-b3e6-2a10-b79d-f964136c...

warm regards

Mahesh.

bhavesh_kantilal
Active Contributor
0 Kudos

Hi Mahesh,

Have done everything just as the way I think it has to be done.

Also looked into the monitoring guide, but no luck.

Will be raising an OSS with SAP today to see if they can help. Will keep the forum informed.

Regards,

Bhavesh