IBM webMethods Hybrid Integration


AS2 signing and encryption

webMethods Community Member
Wed March 24, 2004 11:11 PM

  • 1.  AS2 signing and encryption

    Posted Tue January 06, 2004 04:01 PM

    I have a problem with sending signed AS2 messages to a partner. Their software only accepts signed messages which include the public key with which the signature can be verified. I cannot find anything about this in the EDIINT documentation, but I assume from the problem of this partner that the public key is not sent with the AS2 message.
    Is this assumption right, and is there a way to send the public key with the digitally signed message?
    I checked the S/MIME specification, and this specification provides for sending the key with the message.

    Thanks
    Andre.


    #edi
    #webMethods
    #Integration-Server-and-ESB


  • 2.  RE: AS2 signing and encryption

    Posted Tue January 06, 2004 04:21 PM

    They should have the public key by importing the cert you sent them. You need to set the “type” on wm.EDIINT:send to “signed” or “signedandEncrypted” to include the signature on the transfer… hope that helps




  • 3.  RE: AS2 signing and encryption

    Posted Wed January 07, 2004 08:37 AM

    I have sent them the public key, and I have set the type to “signedAndEncrypted”. The issue is that they expect that not only a digital signature, but also the public key is attached to every AS2 message that is sent to them.




  • 4.  RE: AS2 signing and encryption

    Posted Wed January 07, 2004 11:18 PM

    If you want your public key to be sent with each transaction, use HTTPS to connect to your trading partner and ask your trading partner to set up their HTTPS listener to request/require client certificates. After this request, your server (acting as the client) will present your public key to your trading partner. This can be used to authenticate you to your trading partner and allow you access to their receiving flow service. A short time later your client will send the EDIINT AS2 message. However, this public key is not “attached” to the AS2 message.
    When you sign a message you create the signature using your private key. Your trading partner verifies the signature using your public key (that you previously provided to them).
    When you encrypt a message you do this using your trading partner’s public key (that they previously provided to you). Your trading partner decrypts the message using their private key.
    Does this help?




  • 5.  RE: AS2 signing and encryption

    Posted Thu January 08, 2004 02:02 PM

    Kevin,

    I think what Andre is referring to is the inclusion of certificates in the actual signature. EDIINT AS2 leverages PGP and S/MIME for securing documents (signatures and encryption). S/MIME utilizes PKCS#7/CMS for the actual content of the secured data.

    When signing data with PKCS#7 the signer can optionally include the signing certificate with the data.

    Andre, how is the signature being created? Are you creating it yourself or are you using Trading Networks to retrieve the certificates/keys from the partner profile?




  • 6.  RE: AS2 signing and encryption

    Posted Fri January 09, 2004 07:54 AM

    Eduardo,

    Yes, that is what I was referring to. The signature is retrieved from the partner profile. I just set the type to “signedAndEncrypted” and let TN do the actual signing using the keys from the partner profile.

    Thanks,
    Andre




  • 7.  RE: AS2 signing and encryption

    Posted Fri January 09, 2004 03:14 PM

    Andre,

    I believe the default behavior for Trading Networks is to include the certificates if they’re included in your partner profile definition; although it has been some time since I worked directly with the product.

    Have you tried getting a dump of the message to see if the certificates are included?




  • 8.  RE: AS2 signing and encryption

    Posted Sun January 11, 2004 06:16 PM

    Hi Eduardo,

    Can you tell me how to get a dump of the message? When I look at the message in the TN console, it only contains the signature itself, as far as I understand.




  • 9.  RE: AS2 signing and encryption

    Posted Mon January 12, 2004 10:29 PM

    You’ll need to get your hands on a security toolkit to dump the details. OpenSSL or Cryptix will enable you to do an ASN.1 dump of the object for close inspection.

    Is there any sensitive data in the signature object? If not can you post the signature?




  • 10.  RE: AS2 signing and encryption

    Posted Wed January 14, 2004 09:25 AM

    As far as I can see, TN doesn’t store the signed message. Only the AS2 header and the EDI data are stored; TN signs and encrypts the EDI data and sends it to the partner. So how can I get my hands on the signed message? I think this is getting too complex for me.

    But one other thing: in case the digital signature is verified with a public key attached to the same message that is digitally signed, is this still a secure verification? There is no guarantee whatsoever that the signature/public key combination is coming from the source you expect it to come from. It is like saying “I am Andre, and yes, it’s really me.”
    Isn’t it more secure if the public key is exchanged beforehand in a separate session?




  • 11.  RE: AS2 signing and encryption

    Posted Wed January 14, 2004 07:33 PM

    The integrity/security of the message itself does not change whether you exchange certificates beforehand or not.

    Exchanging the certificates ahead of time allows you to build additional assurances about the origination of the message, assuming the exchange of the certificates was done in a secure manner. Don’t get me wrong, it does make administrative and processing steps easier.

    As for how to get a dump, I’d have to check into TN to see if there are additional diagnostic capabilities for capturing this. I don’t know off the top of my head.


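The behaviour discussed in posts 5, 10 and 11, as an added example that is not part of the original thread and is not webMethods or Trading Networks code: it uses the openssl command-line tool to produce a PKCS#7/CMS S/MIME signature with and without the signer certificate embedded, then verifies the same kind of message two ways, trusting whatever certificate is embedded versus trusting only a certificate exchanged beforehand. The identity names, the sample interchange and the file paths are constructed for the example; the ASN.1 dump function is the OpenSSL inspection post 9 refers to.

```sh
#!/bin/sh
# Added example for this thread, not webMethods or TN code. It reproduces with the
# openssl CLI two points made above: a PKCS#7/CMS signature may or may not carry
# the signer's certificate (post 5), and a verifier that trusts the carried
# certificate has checked the signature math but not who signed (posts 10 and 11).
# Identities, payload and file names are constructed here.
set -eu

WORK=$(mktemp -d)

# Self-signed identity; the .crt is what a partner would receive out of band.
make_identity() {   # $1 = name (hypothetical)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Constructed stand-in for the EDI interchange TN would hand to wm.EDIINT:send.
printf 'ISA*00*          *00*          *ZZ*SENDER         *ZZ*RECEIVER       *040106*1601*U*00401*000000001*0*P*>~\n' \
  > "$WORK/payload.txt"

# S/MIME-sign the payload. "embed" is openssl's default (signer cert included in
# the SignedData); "noembed" is -nocerts, the shape the partner's software rejects.
sign_payload() {   # $1 = identity, $2 = embed|noembed, $3 = output file
  if [ "$2" = noembed ]; then nocerts=-nocerts; else nocerts=; fi
  openssl cms -sign -in "$WORK/payload.txt" -signer "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" $nocerts -out "$3"
}

# 0 if the message carries its own signer certificate. -noverify accepts whatever
# certificate is inside, so this proves only that the signature is self-consistent.
has_embedded_signer() {   # $1 = signed message
  openssl cms -verify -noverify -in "$1" -out /dev/null >/dev/null 2>&1
}

# 0 only if the embedded signer chains to a certificate exchanged beforehand.
verify_against_trusted() {   # $1 = signed message, $2 = trusted partner certificate
  openssl cms -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1
}

# The ASN.1 dump suggested in post 9, for looking at what the signature object holds.
dump_signature() {   # $1 = signed message
  openssl cms -in "$1" -cmsout -outform DER | openssl asn1parse -inform DER -i
}

demo() {
  make_identity andre
  make_identity impostor            # an unrelated self-signed identity

  sign_payload andre    embed   "$WORK/with_cert.eml"
  sign_payload andre    noembed "$WORK/without_cert.eml"
  sign_payload impostor embed   "$WORK/impostor.eml"

  if has_embedded_signer "$WORK/with_cert.eml"; then
    echo "with_cert:    signer certificate embedded; verifiable without prior exchange"
  fi
  if ! has_embedded_signer "$WORK/without_cert.eml"; then
    echo "without_cert: no signer certificate; a verifier with nothing else to go on rejects it"
  fi
  if has_embedded_signer "$WORK/impostor.eml" \
     && ! verify_against_trusted "$WORK/impostor.eml" "$WORK/andre.crt"; then
    echo "impostor:     self-consistent signature, but it does not chain to the andre.crt exchanged beforehand"
  fi
  echo "--- first lines of the ASN.1 structure of with_cert.eml ---"
  dump_signature "$WORK/with_cert.eml" | head -n 20
}

demo
```

Run it as a script. The impostor message passes the -noverify check exactly as Andre's "I am Andre, and yes, it's really me" describes; only the -CAfile check, which relies on the certificate handed over out of band, tells the two apart. That is the additional origination assurance post 11 refers to, while the message-level integrity check is the same in both cases.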


  • 12.  RE: AS2 signing and encryption

    Posted Wed March 24, 2004 07:49 PM

    One Quick Question:
    I am getting a stream of EDI data that is encrypted and signed, with Content-Transfer-Encoding: binary. Is it required to change the binary encoded format…? The decryption service fails to decrypt this message. I am getting a No Content data error while decrypting it… Please give some suggestions on how to handle this situation…
    I am using webMethods version 4.0.2 (EDIINT - AS2)…
    A quick reply helps me to proceed into production.

    Thanks in Advance…




  • 13.  RE: AS2 signing and encryption

    Posted Wed March 24, 2004 11:11 PM


  • 14.  RE: AS2 signing and encryption

    Posted Thu March 25, 2004 02:26 AM

    Verify that both you and your partner are using the same encryption method?
    What software is your partner using?




  • 15.  RE: AS2 signing and encryption

    Posted Thu March 25, 2004 04:17 PM

    Thanks Chris,
    Yesterday we resolved the problem by changing the encryption algorithm. I don’t know the reason; webMethods was not able to decrypt the TripleDES format. We changed to RC2 KeyLength-40. Now I am able to decrypt it but not able to send MDNs back. Now I am working on this issue.

    Thanks once again.




  • 16.  RE: AS2 signing and encryption

    Posted Thu March 25, 2004 04:55 PM

    If your partner is using Cyclone there’s a setting that they have to change. I ran into a similar issue. Unfortunately I don’t remember the setting.
    If I do, I will post.




  • 17.  RE: AS2 signing and encryption

    Posted Thu March 25, 2004 09:47 PM

    Chris,
    Perfect… My partner is using Cyclone… Please send your experience… It might be helpful for me to go the right way…

    Thank you very much




  • 18.  RE: AS2 signing and encryption

    Posted Fri March 26, 2004 02:19 AM

    Another small note -
    If the partner EDIINT certificate is signed by a chain of CAs, import all the certs in the CA chain into the TN Console’s CA chain Security tab.

    DG




  • 19.  RE: AS2 signing and encryption

    Posted Fri June 03, 2005 08:29 AM

    I have a problem in retrieving the invalid signature in the AS2 receive service. When signature verification is done, it gives error code “4” and error message “Signature could not be verified”, and the “signerCert” variable is not in the pipeline for invalid signatures. The service works fine for valid signatures and I am able to get the signature in the signerCert object.
    I need to retrieve the signature if it is invalid/valid and store in database for future reference.

    If anybody knows how to handle this problem, please share it with me. It will be a great help for me.

    Thanks,
    Prasanna.




  • 20.  RE: AS2 signing and encryption

    Posted Fri June 24, 2005 06:24 PM

    I have a quick question - does webMethods provide out-of-the-box support for the AS2 protocol and PGP encryption? It looks like it is supported, but by creating additional logic in flow services… not sure if that is correct. I’m kind of new to EDI - my client wants to exchange messages with partners using the NAESB v 1.4 EDM (used in the Retail Energy industry). If anybody else out there is using this EDM, I’d like to hear about how easy it is to set up wM to exchange messages using this EDM.

    Any help will be appreciated - Thanks…

    Vijai




  • 21.  RE: AS2 signing and encryption

    Posted Fri June 24, 2005 06:37 PM

    Hello,
    Well TN with EDIINT is capable of AS2 out of the box but not PGP. Good day.

    Yemi Bedu




  • 22.  RE: AS2 signing and encryption

    Posted Fri June 24, 2005 10:31 PM

    Hello Yemi,

    Thank you very much for your prompt response!

    I’m wondering about my options now - could you enlighten me on how I might architect a solution if I have to use AS2 and PGP? I suppose I have to use PGP before it gets to the EDIINT part… would that be a wM package to encrypt/decrypt the message before it gets to the EDIINT piece?

    Thank You,
    Vijai




  • 23.  RE: AS2 signing and encryption

    Posted Mon June 27, 2005 03:28 PM

    Hi Vijai,

    I think you have two options: rebuild the wm.EDIINT:receive service to use PGP, or write your own service which receives the PGP encrypted data and then calls wm.EDIINT:receive with the plain text as input.
    In both cases you’re missing a lot of out-of-the-box functionality, which you could use if you used S/MIME instead of PGP.

    Andre




  • 24.  RE: AS2 signing and encryption

    Posted Tue July 12, 2005 09:20 PM

    Hi

    I am trying to configure AS2 communications to a Cyclone AS2 server. I have been able to send encrypted data to them but they are unable to send encrypted data to me. I am also unable to sign documents. I have a feeling that it is a symptom of the same problem. Does anyone have any ideas?

    I have received a Verisign cert from the keys that I generated. I am not sure whether I have configured them correctly though.

    Regards




  • 25.  RE: AS2 signing and encryption

    Posted Thu July 27, 2006 12:49 AM

    Hi,

    I have two IS servers (say A, B). A is at version 6.0.1 and B at 6.5. I am trying to do AS2 communication from A to B. I have defined B as a partner for A and vice versa. I have used the same set of certificates for both A and B. When I send an outbound message from A, I receive a “processed/error: decryption-failed” error on B. My detailed error logs have the following error. Can I use the same certificates for both A and B? If yes, has anyone seen this error before? Any help is appreciated.

    =====================================================
    com.wm.app.tn.err.EXMLException: Signing key is not valid java.security.InvalidKeyException Invalid key usage: Certificate cannot be used for signing (key usage must permit ‘digitalSignature’ or ‘nonRepudiation’)
    java.security.InvalidKeyException: Invalid key usage: Certificate cannot be used for signing (key usage must permit ‘digitalSignature’ or ‘nonRepudiation’) at iaik.security.smime.SignedContent.setSigner(Unknown Source) at com.wm.app.tn.mime.SMime.signData(SMime.java:899) at com.wm.app.tn.mime.SMime.createSignedData(SMime.java:852) at wm.tn.mime.createSignedData(mime.java:345) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.i

    =======================================================

    Thanks,
    Aneel.


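The “Invalid key usage” error quoted above, as an added example that is not from the thread and is not webMethods or Trading Networks code: the X.509 Key Usage extension is what that check enforces, and a certificate whose keyUsage names neither digitalSignature nor nonRepudiation may not sign. The script mints two self-signed certificates with the openssl command-line tool (1.1.1 or newer, for -addext), reads the extension back the way one would before loading a certificate into a partner or corporate profile, and shows a standards-following verifier rejecting the one that may not sign. TN raised the objection at signing time; openssl raises it at verification, but the certificate property being tested is the same. Names and the payload are constructed here.

```sh
#!/bin/sh
# Added example for this thread, not webMethods or TN code. Demonstrates the Key
# Usage rule behind "Certificate cannot be used for signing (key usage must permit
# 'digitalSignature' or 'nonRepudiation')" using the openssl CLI (1.1.1+ for -addext).
set -eu

WORK=$(mktemp -d)

make_cert_with_usage() {   # $1 = name (hypothetical), $2 = keyUsage bits
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$1" \
    -addext "keyUsage=critical,$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Prints the decoded Key Usage line of a certificate (empty if the extension is absent).
key_usage_of() {   # $1 = certificate file
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# 0 if the certificate may sign: either no Key Usage extension (no restriction) or
# one that names Digital Signature or Non Repudiation, the rule quoted in the TN error.
permits_signing() {   # $1 = certificate file
  ku=$(key_usage_of "$1")
  if [ -z "$ku" ]; then return 0; fi
  case "$ku" in
    *"Digital Signature"*|*"Non Repudiation"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Sign a constructed payload with the identity, then verify against its own cert.
# 0 only if openssl accepts the signature (its smime_sign purpose includes the Key
# Usage check); non-zero for a certificate that may not sign.
sign_then_verify() {   # $1 = identity name
  printf 'constructed EDI sample for %s\n' "$1" > "$WORK/$1.txt"
  openssl cms -sign -in "$WORK/$1.txt" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -out "$WORK/$1.eml" >/dev/null 2>&1 || return 1
  openssl cms -verify -in "$WORK/$1.eml" -CAfile "$WORK/$1.crt" -out /dev/null >/dev/null 2>&1
}

demo() {
  make_cert_with_usage signer  "digitalSignature,keyEncipherment"
  make_cert_with_usage enconly "keyEncipherment"        # a profile cert issued for encryption only
  for name in signer enconly; do
    printf '%-8s keyUsage: %s\n' "$name" "$(key_usage_of "$WORK/$name.crt")"
    if permits_signing "$WORK/$name.crt"; then echo "         may sign"; else echo "         may NOT sign"; fi
    if sign_then_verify "$name"; then echo "         signature accepted"; else echo "         signature rejected"; fi
  done
}

demo
```

When the same certificate is used on both sides of an exchange, as in the post above, this is the property to read off it first: a certificate issued for encryption only will decrypt fine yet fail every signing step, and the failure surfaces on the receiver as a decryption-failed MDN rather than as a key usage message.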


  • 26.  RE: AS2 signing and encryption

    Posted Thu July 27, 2006 05:17 PM

    My outbound message from A is sent signed and encrypted. On further debugging the EDIINT processMsg service on the receiver side, I see that the wm.tn.mime:createMimeData service is giving signed = “false”. Any ideas why this can happen? Is there a way for me to decode the HTTP message and see if the data I am receiving on B is actually signed or not?

    PLEASE HELP




  • 27.  RE: AS2 signing and encryption

    Posted Thu July 27, 2006 07:56 PM

    OK…Issue solved. I was missing a public key certificate in my corporate profile on B




  • 28.  RE: AS2 signing and encryption

    Posted Mon October 23, 2006 10:11 PM

    webMethods 6.1. I am trying to set up AS2 communication with a trading partner. After reading this forum I tried changing my encryption algorithm to RC2 40. I can now see the AS2 header and the encrypted payload. My trading partner uses Cyclone and they get an error in sending the MDN.

    1. Is there a different setting needed for the MDN on my side?
    2. Should I be able to see an AS2 footer after my encrypted payload?
    3. My trading partner can see the file and was able to process it (except for the MDN). However, on my side I get a send message error of java.net.SocketException: Connection reset.

    Any information would be helpful




  • 29.  RE: AS2 signing and encryption

    Posted Tue October 24, 2006 08:56 PM

    You should contact webMethods support regarding this issue. It is possible your server.bat JAVA_EXE entry is directed to the wrong path.

