on 08-13-2008 9:54 PM
Hello All,
Has anyone used the Hierarchical Trust Model with the RNIF adapter?
I am trying to implement a scenario with the RNIF adapter where XI posts a message to a Business Partner and gets back the Asynch Business Signal.
Options Selected in the RNIF adapter,
1. Sign Action Message
2. Sign Business Signal.
1. I have tested my environment set up using the RosettaNet Self Test Kit. I use a Self Signed Cert for the RSTK and in this case the scenario works perfectly fine with the Direct Trust Model.
2. When I test this with my partner who uses an Equifax Signed Certificate, the Signature validation of the Business Signal fails. I tried to use both the Direct Trust Model and the Hierarchical Trust Model and none of the options selected helps. I have loaded the Cert from my Partner in the TrustedCAs, restarted the Keystore and still XI errors with the Invalid Certificate error.
The Business Partner has confirmed that they are using the right certificate to sign the message and I also copied the Signature from the RNIF Business Signal hitting XI , saved it as a p7s file and the certificate looks just as the cert loaded in the keystore.
My question here is,
1. When I use direct trust model I provide the Keystore View and Certificate Entry and it errors.
2. When I use the Hierarchical Trust model, I still get the same error.
Specifically, has anyone used the Hierarchical Trust Model? Is there some special entry we need to provide in our Receiver agreement? For now, my entries for the following fields look like:
Issuer : used f4 help and the details came out had the Organization Unit, Organization and c
Subject : CommonName , Organization , Locality, State, Country
CertificateAuthority Keystore View : TrustedCAs, which contains the CA's certificate (Equifax in my case).
Would anyone have any idea on what I might have missed? The set up works with Self Signed Certificates and hence I am not sure what special we need to do to use the CA signed Certificate.
Any ideas/thoughts, please do let me know.
Regards,
Bhavesh
PS : My apologies if you fell asleep midway through this rather long thread
The issue seemed to be that the Partner gateway was not enforcing the content-transfer-encoding in the MIME header of the service content, and so the interpretation was open to the XI gateway, and XI gives a signature validation error even though the line is missing in the MIME headers of the service content.

It is always a best practice to enforce the content-transfer-encoding to avoid ambiguity at the other end. Making sure our partner set the Content-transfer-encoding: binary in the MIME header for the service content seems to have resolved the signature validation error.
An example of this issue for better understanding.
Service Content with the Content Type Missing,
Content-Type: application/xml
Content-Location: RN-Service-Content
Content-ID: <sc.1218736184007CA932001A00214419047BC050F4DA55BA6B>
Content-Description: RosettaNet-Service-Content

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ReceiptAcknowledgment SYSTEM "AcknowledgmentOfReceipt_MS_V02_00.dtd">
<ReceiptAcknowledgment>
<NonRepudiationInformation>
<OriginalMessageDigest>upVLsOJgQMBzXToMpubQolvChTQ=</OriginalMessageDigest>
</NonRepudiationInformation>
</ReceiptAcknowledgment>
Service Content With Content Type available,
Content-Type: application/xml
Content-transfer-encoding: binary
Content-Location: RN-Service-Content
Content-ID: <sc.1219091041668CA932001A00221094603BC82CF1966CEEF8t>
Content-Description: RosettaNet-Service-Content

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ReceiptAcknowledgment SYSTEM "AcknowledgmentOfReceipt_MS_V02_00.dtd">
<ReceiptAcknowledgment>
<NonRepudiationInformation>
<OriginalMessageDigest>2KUCNJMbc6lafg6bq60yhtkRLe8=</OriginalMessageDigest>
</NonRepudiationInformation>
</ReceiptAcknowledgment>
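A small audit script, added here as an illustration and not part of the original thread, that checks a service-content MIME part for the missing Content-Transfer-Encoding header and shows why leaving it undeclared is risky: the signed digest is taken over the body bytes, and if the receiver applies a different reading of the body than the sender (a CRLF-to-LF text canonicalisation is assumed here purely as one plausible divergence), the digests no longer match. The sample part and its digest value are constructed.

```python
import base64
import hashlib
from email import message_from_bytes

# Constructed sample modelled on the service-content part in the thread;
# the digest inside the XML is a placeholder, not a real value.
SERVICE_CONTENT_NO_CTE = (
    b"Content-Type: application/xml\r\n"
    b"Content-Location: RN-Service-Content\r\n"
    b"Content-Description: RosettaNet-Service-Content\r\n"
    b"\r\n"
    b'<?xml version="1.0" encoding="UTF-8"?>\r\n'
    b"<ReceiptAcknowledgment>\r\n"
    b"  <NonRepudiationInformation>\r\n"
    b"    <OriginalMessageDigest>PLACEHOLDER=</OriginalMessageDigest>\r\n"
    b"  </NonRepudiationInformation>\r\n"
    b"</ReceiptAcknowledgment>\r\n"
)

def split_part(raw: bytes) -> tuple:
    """Split a MIME part into header block and body at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body

def declared_cte(raw: bytes):
    """Content-Transfer-Encoding value, or None when absent (RFC 2045 default is 7bit)."""
    return message_from_bytes(raw).get("Content-Transfer-Encoding")

def add_binary_cte(raw: bytes) -> bytes:
    """Return the part with an explicit 'binary' transfer encoding; body bytes untouched."""
    head, body = split_part(raw)
    return head + b"\r\nContent-Transfer-Encoding: binary\r\n\r\n" + body

def b64_sha1(data: bytes) -> str:
    """Base64 SHA-1, the same shape as OriginalMessageDigest in the signals above."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def body_digests(raw: bytes) -> dict:
    """Digest the body as raw bytes (binary reading) and after an assumed
    text canonicalisation (CRLF -> LF) to show how the two readings diverge."""
    _, body = split_part(raw)
    return {"binary": b64_sha1(body),
            "text_lf": b64_sha1(body.replace(b"\r\n", b"\n"))}

def audit_part(raw: bytes) -> dict:
    """Flag a part whose transfer encoding is left to the receiver's interpretation."""
    cte = declared_cte(raw)
    d = body_digests(raw)
    return {"cte": cte, "ambiguous": cte is None,
            "digests_agree": d["binary"] == d["text_lf"]}
```

Run audit_part over the partner's service-content part; an "ambiguous" result is the condition the thread resolved by having the partner declare binary explicitly.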
Hi,
I am trying to do the same (I am pretty new to PI). We will receive a RosettaNet document that is digitally signed via https.
So far, I created a new view in "KeyStorage", and added the client certificate (root, two intermediates, and the client cert itself) under "entries" for that view. Is this what I am supposed to do?
I restarted KeyStorage from Visual Administrator, and then tried to configure the RNIF adapter. I selected "Authentication" as "Certificate Logon", and tried to access my newly created KeyStorage View, but I don't see it. I am not sure of the steps that I missed. Can you please help?
Any help is greatly appreciated!
Thanks,
Archana
Hello Archana,
I was not able to use the Hierarchical Trust Model; I tried with the direct Trust Model and thereafter things worked.
As I pointed out above, the issue was not with the Hierarchical / Direct Trust Model but rather with the Base Encoding missing in the RosettaNet Business Signal. I can try this with Hierarchical and see how things work now that it works with Direct.
Before trying to use the Hierarchical Trust Model, try the same scenario with the Direct Trust Model.
All the steps you have done are correct.
One last question: What are you trying here? Are you doing Server SSL with Client Auth, or are you referring to the issue where you are unable to validate the signature from a partner?
Regards
Bhavesh
Hi Bhavesh,
I hope you correctly configured the receiver agreement.
Anyhow, could you please cross-check with the following link:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e08a2bc6-e76e-2910-69ae-d7c30c8d... (pages 19-21).
warm regards
Mahesh.