I have a connection to Ariba receiving cXmlorders over http.
How do I configure webMethods to received these docs over https ?

Thanks for any help

Gerald

Do you have orders coming on https already, by default you ought to… open up the https port on your webMethods server and make the ariba service available on this port. Also ensure that you have assigned a user to this package, put it in an ACL and make is available on the new port list
On the ASN you will have set up a url for the orders to come in on. make sure that you change this to https:// .

You might have to get a certificate from Verisign or similar vendors so that you can have SSL (https). Install the certificate in the IS and you should be ready to go.
Good Luck!
Thanks

I opened port 5050 for https accessmode “allow by default”
ipaccess “global”.
I still do no receive the ariba messages.
I receive message from other market places over https already.
I have also changes the URL on ASN

Thanks for help

Gerald

1. check your firewall(s) allows a connection from the ariba address to your server:port 5050.
2. confirm from firewall logs, packet sniffers, that the ariba connection does indeed try to initiate to your port. Verify this by also retrying this through your working http connection.
3. if you have a DMZ/internal zone setup then you need to check through these zones.
4. are you requesting/requiring client certs ?. You may want to turn this off temporarily for your testing.

regards

Kevin

Thanks for your reply.

Firewall is ok log shows that ariba tries to initiate connection on port 5050.
I do not require authentication.
Do I have to change something in “AribaOnRamp”?

thanks

From the firewall logs can you see if you get past the SSL negotiation phase and actually get an HTTP(s) POST being attempted.
You may have to deduce this from an HTTPS session you know works.
If you don’t get the POST then check your IS cert. chain is one that will be accepted by ariba.

Sorry I can’t advise on “AribaOnRamp” as I don’t have an ariba account now and it was a couple of years ago that I did work with it (I wasn’t using wM for it either). Hopefully someone else will respond on this.

regards

One more suggestion if you can get two instances of IS with the ariba package running and get one sending an order to the other internally. Just use HTTP initially to get it working, then switch to HTTPS and verify it is working.
Use a packet sniffer/tcp viewer to get a feel for what the conversation looks like at the tcp level.
Then you will be armed with some good data to check out the external ariba connection.

Good points Kevin. Gerald - see if your Ariba receive URL (the one provided by your OnRamp) is listed in this section:
“Security > Ports > Edit Access Mode > HTTPSListener@5050”

You can get there by clicking on ‘Access Mode’ under ‘Ports’.

Did you try copying the URL that you gave for Ariba Punchout and Receive orders to a browser and trying to hit that?
This will confirm whether the URL is functional or not.
Good Luck!

When i try the url in a browser, i get the certificate popup
but then the browser displays “Page cannot be displayed”.

Thanks for futher help

Are you browsing using a machine that is outside of your firewall? If you are getting “Page cannot be displayed” then it looks like an issue with your certificate. Have you got the correct url setup on Ariba?[the url will have to include the port number, of course]

Gerald - Did you check if your Ariba URL was listed in “Security > Ports > Edit Access Mode > HTTPSListener@5050” ?

If it’s listed, you have a few more things you can check. First, if you’re using a browser for debugging, I’d advise using the latest alpha build of mozilla (from http://mozilla.org) – this build can show the HTTP headers for a page. Next make sure the port setting isn’t ‘require certificates’ – generally, if WM does not like the remote entity’s certificates, it silently terminates the connection with no logging (you’ll get some junk on the HTTP connection that browser cannot display - however Mozilla gives you an option to save it to disk).

Since Gerald is getting a page cannot be displayed error after the certificate message is displayed, I would think there is nothing wrong with the certificate or the web page.

Make sure that in the certificate that you generated, the “Issued To” field has to match your URL domain ie. your ip address. Please make sure that this is correct.
Thanks and good luck!

hold on a sec - my 2 cents would be that ‘Page cannot be displayed’ means that the url being typed is incorrect. By this I am presuming that Gerald is seeing the standard IE message from when an incorrect url is typed - Gerald would you confirm this? To set up order receipt from Ariba is a relatively straight forward job that should not take more than a day to fully configure, test and go-live

“Page cannot be displayed” is being shown becoz the URL being accessed needs an xml as input. Since we are just trying to access the URL and there is no xml input, the URL returns an error which makes the browser return the message “page cannot be displayed”.

Anyways, configuration of Ariba as G said is easy and hope you crack this one fast!
Good Luck!

“Page cannot be displayed” is being shown becoz the URL
being accessed needs an xml as input. Since we are just
trying to access the URL and there is no xml input, the URL
returns an error which makes the browser return the message
“page cannot be displayed”. - VR if Gerald has some error checking going on this should bring a page saying that no data has been sent. Is Geral2d branching on node to confirm input? there are alot of unanswered questions which would resolve this query very quickly… Ariba would send the xml as a node which can be transformed to a boundNode and xmldata [depending on how Gerald is manipulating the data]
c’est facile ne c’est pas…?

Gerald, where in the world are you?
Give us some anwers here!

nee mungiyo mone?

Hi there

THANKS FOR YOUR REPLIES. i AM OUT OFF THE OFFICE FOR A COUPLE OF DAYS. I WILL ONLY BE ABLE TO GO ON WITH TESTINGS SOMETIME NEXT WEEK.

HAVE A GOOD TIME

Guys:

For many errors, Internet Explorer indiscriminately displays an internal error page that says “Page cannot be displayed” and then “Cannot find server or DNS Error” at the bottom.

IE displays this internal error page for:

1. Server DNS entry not found
2. Server DNS entry found but server is not listening on port
3. Server and port are up, but HTTP connection attempt was made to HTTPS port
4. Server and port are up, but HTTPS connection attempt was made to HTTP port
5. The page required an X.509 client certificate for authentication, but an HTTPS connection attempt was made without a certificate or using a faulty certificate.

[ In case of a 404 error response, IE may display a shorter, different internal message: “The page cannot be found”, or the site’s custom page may be displayed]

Since Mozilla is a developer focused browser, it makes for a much better debugging tool. For example, in the case #5 above (X.509 certificate), Mozilla explicitly popped up a dialog saying:
“Could not establish an encrypted connection… certificate rejected… Error code:-12771”. IE, in contrast just showed its misleading “Cannot find server or DNS Error” error page (when in fact the server was up). Mozilla also lets you save the SSL response from the server in case #4 above.

Gerald was getting a certificate message from his server - if he uses Mozilla, he should be able to figure out what exactly is going on with his connection (handy, given that WM’s logging seems non-existent for HTTPS/ X.509 connections)

VR, you said:
> Make sure that in the certificate that you generated, the
> “Issued To” field has to match your URL domain ie. your ip
> address. Please make sure that this is correct.’

This is best practise, and most browsers (eg: IE) do carry out this check. I believe however, as far as WM is concerned, the “Is certificate CN = DNS entry?” check is not done for incoming connections authenticating with X.509 certificates. I am not sure about the WM check for outbound deliveries (i.e. Does WM check the remote server certificate = it’s DNS entry) – however, I would be surprised if it did. The reason for this laxity could be the performance hit reverse-resolving IP addresses to DNS entries, and that some organizations put machines on the Internet only specified by their IP address (i.e. they have only an IP address with no corresponding DNS entry). If Gerald is doing a browser based test Mozilla should just let him in with just a warning.

Sonam, Ariba does a certificate validity check. If the Issued To" field doesnt match your URL domain ie. your ip
address, the certificate generated is rejected by Ariba.

And the error page generated is not page cannot be displayed, it is "The XML page cannot be displayed "

Thanks

VR:

> Sonam, Ariba does a certificate validity check. If the Issued To"
> field doesnt match your URL domain ie. your ip
> address, the certificate generated is rejected by Ariba.

You’re right - I dug around a bit, and found this Ariba notice from March about migrating the remaining HTTP customers to HTTPS by June.

It looks like Ariba requires the Certificate Common Name (the “CN” portion in the WM certs web admin screen) to be the server DNS name. That’s how we have it here anyway.

Ariba seem to not accept IP addresses though, so I am not sure what you mean by “URL domain/IP address”.

Event ID: 172045 - Ariba Supplier Network Notice of Migration to HTTPS

Ariba strongly recommends certificates that support 128-bit encryption
(common encryption strengths are 40, 56 and 128 bits). The domain name
in the certificate must be identical to the name you enter in the
Configuration area of your Ariba SN account or the name contained in
your cXML profile response. You cannot provide IP addresses in the
Configuration area of your Ariba SN account. Certificate names are not
dependent on the Web server port, so multiple Web server instances on
different ports can use the same certificate. Multiple Web servers
cannot share a single certificate.

The immediate problem for Gerald though, seem to be an faulty WM IS settting.

> And the error page generated is not page cannot be displayed, it
> is "The XML page cannot be displayed "

I was going on the error Gerald reported, which was “page cannot be displayed”. I got a similar message in IE 6, for those 5 cases listed above.

Give Mozilla a go sometime - I sincerely think you’d find it the better debugging browser.

Hi Sonam,
Ariba does accept URL’s for punchout and order submission. For example, the URL for Ariba users to punchout could be something like
[url=“http://https://100.100.100.100:5566/invoke/punchoutpackage.punchout:punchoutflow”]https://100.100.100.100:5566/invoke/punchoutpackage.punchout:punchoutflow[/url]
And if the Certificate is issued for the name of the server (in this case with the ip address 100.100.100.100), let us assume the name of the server is “universe”, then Ariba will reject the certificate saying that the certificate is issued to “universe” and not to the ip 100.100.100.100.

Hope this helps.
thanks

Hello there

I’m back with my https problem with Ariba…

I got a certificate from verisign
when i try to start the port 5050 i get the following error message:

Failed to start HTTPSListener@5050: Can’t parse PrivateKeyInfo

I think my certs a ok and the certificate config in WM also.

I believe i have a missunderstanding somewhere.

any help is very appreciated.

thanks

Hi,

I do not think IS 4.6 accepts anything but PKCS1 compatible DER encoded RSA private keys.

bruno