Hi All,

I am getting following Error for Inbound EDI Message our customers are submiting to EDIINT:receive.

wm.EDIINT:receive com.wm.app.b2b.server.AccessException: [ISS.0084.9004] Access Denied

It is working fine in Dev but when we deployed in QA our customers are not able to send EDIINT.

I reset the cache for EDIINT receive also but still it is throwing Access Denied Exception?

Any thoughts it will be great help.

Thanks in Advance,
Jsree

Hi all,

we sort out this one, wm.EDIINT:receive ACL should change to TNPartners defualt it is set Internal user after changing it is working fine.
Thanks,
Jsree

Hi, I am working on EDIINT AS2 Https connectivity. Just to give breif Introduction, we exchanged the certificates with the Partner. I gave them my Public certificate which is .der extension. we received Partner public certificate and installed on our IS. Finally, when partner is trying to send the EDI Data I can see it TN Transaction analysis invoking EDIINT Document type. In the Activity Log of EDIINT doc type it is displaying the Error “processed/error: authentication-failed” ( Signature Verification Failed). 1. Do i need to send the partner, our public certificate with .cer extension or .der should be fine? 2. When i install the Partner certificate Do i need to have Partner CA certificate if so which ones root or Intermediate? Or just public certificate from Partner should be fine? 3. Do i need to do configuration changes regarding the Certificates installation on IS or TN ( related to the partner profile security tab)? Could anyone provide me suggestions or help will be really aprreciated. Thanks in advance, capri_lak

1. Do i need to send the partner, our public key with .cer extension or .der should be fine?
   —send .cer extension one.It also depends on whether their system accept .der or .cer formats.

2. When i install the Partner certificate Do i need to have Partner CA certificate if so which ones root or Intermediate? Or just public certificate from Partner should be fine?
   ----ask for Intermediate CA,public key from TP

3.Do i need to do configuration changes regarding the Certificates installation on IS or TN ( related to the partner profile security tab)?
—TN

Also make sure you have these in the IS Extended settings if not add it and restart IS to get effected.

watt.security.ssl.client.ignoreEmptyAuthoritiesList=true
watt.security.ssl.ignoreExpiredChains=true
watt.security.cert.wmChainVerifier.trustByDefault=true
watt.security.ssl.cacheClientSessions=false

Also did you change EDIINT:receive Execute ACL to Anonymous?

HTH,
RMG

Hi RMG, Thanks a lot for you reply. Also i would like to mention that i forgot. i.e The partner sent me the Unsigned Public certificate. So it should be a signed public certificate? or Unsigned will be manageable? If so, what i need to take care in both IS and TN to take process the Unsigned Certificate? As you mentioned to send the .cer extension to the partner does it mean both Public and Intermediate while sending to partner? Thanks in Advance, Capri_lak

hth,
rmg

Hi Rmg, Thanks for the Info. As mentioned in your first reply, about configuring the extended settings watt.security.ssl.client.ignoreEmptyAuthoritiesList=true watt.security.ssl.ignoreExpiredChains=true watt.security.cert.wmChainVerifier.trustByDefault=true watt.security.ssl.cacheClientSessions=false we already have a partner using the certificates and i didn’t see them configured in the past. I am just wondering if i make the change does the one existing will be affected or not? 2. Actually, just to make sure as i mentioned I am converting the .cer certificate coming from the Partner to .der using the certificate tool kit. Could you please advise me is this is the right approach to do that? 3. About the configuration change in the TN–> Coming to the partner profile, I added the certificates in the Sign/very , decrypt/encrypt tabs of the Security tab is that enough or do i need to take care of anything related to my enterprise profile? 4. When i look into the wm.EDINT.rules:processmsg service in detail it is getting failed while processing the Verify Step displaying Signature verification Failed. Could you please suggest me what i need to do? Thanks in advacne, Capri_lak

Hi RMG, Thanks For your reply. Coming to the “Do i need to do configuration changes regarding the Certificates installation on IS”. The reason is we are using Reverse Invoke server as our point of contact with the partner. The URL that we gave to the partner to post is the port configured on the RI server and following the webMethods standards i created the registered port related to that proxy port. Eventually i configured the partner certificates on both RI and Internal IS. I am just wondering that am I doing the right process? Or Do i need to take care of any thing else regarding the IS? This is the follwoing error the partner is getting: Message Disposition Notification Reporting-UA: webMethods Integration Server Original-Recipient: rfc822; Final-Recipient: rfc822; Original-Message-ID:ssss Disposition: automatic-action/MDN-sent-automatically; processed/error: authentication-failed MDN for - Message ID: ssss From: 111 To: 112 Received on: 2009-02-03 at 10:27:19 (EST) Status: processed/error: authentication-failed Comment: This is not a guarantee that the message has been completely processed or understood by the receiving translator… Thanks in advance, Capri_lak

As your TP hitting the EDIINT:receive TN service it make sense one has to configure certs in the TP profile Security tab section…Even if you configure the certs in the ISAdmin Certs wizard it shouldn’t hurt the http/s authentication process to TN.

Also did you contacted your partner and involve network folks while you do HTTP/S communication testing both sides and enabling the logs,underlying network/firewall layer aswell?

HTH,
RMG

Hi RMG, Right now we are testing the Inbound Connectivity from the Partner and concerned authentication has been given to the partner at the firewall level and i would like to let you know that network layer is already taken care. The only concern right now as i mentioned in my previous post, while verifying the signature authentication is getting failed and sending the error i posted in my previous message on the Partner Side. I think i am clear on what i said. Could you please let me know your suggestions. Thanks, Capri_lak

Can you check whether you are sending/TP requested for Signed or Unsigned MDN in your setup?

HTH,
RMG

Hi RMG, Actually according to the partner requirement doc, they need Signed MDN. I am not sure. “Can you check whether you are sending/TP requested for Signed or Unsigned MDN in your setup?”—> Could you please let me know where i need to check in my set up? Thanks, Capri_lak

Normally in the EDIINT:send service or in the TransactionAnalysis Activity log processing rule steps…

But why did they send unsigned public key while expecting signed MDN receipt?

HTH,
RMG

HI,

In addition to that check your i.e Enterprise Private Certificate is Configured properly in the Trading Networks Security tab.

RMG I am just wandering it is ht-ting internal TN means it request is coming through firwall–>RI–TN. I think Ports are open may be I am wrong? please correct if I am Wong,

Thanks,
JSree

hth,
rmg

Hi RMG, Basically the partner is using that way of processing.we asked them to send their CA certificate and the partner is working on that right now. Thanks, Capri_lak

Hi Rmg, Do we need to define My enterprise private key in the Partner profile in the Sign/Verify tab under the Security tab? Thanks, Capri_lak

Yes you are right…

Hi RMG, Thanks for the reply. I am also wondering, when we get the public Key certificate from the Partner do we need to Install the Certificate on our local machine to get rid off the warning " Certificate is not valid OR windows doesnt have the information" and sometimes there is a message with Some warning in the Certification path Tab. Once i click on the Install certificate it is automatically installed in Microsoft Certificate store on my Local machine and the warning will go off. 1 . I am just wondering about is it safe to install the Partner(External Party) public certificate on my local machine after that copying it to dev/prod IS servers as well. 2. Could you please provide your suggestion regarding this approach that am I doing it right or do i need to follow different approach. If so could you also provide me the Instructions to do that. Thanks, Capri_lak

1.I am just wondering about is it safe to install the Partner(External Party) public certificate on my local machine after that copying it to dev/prod IS servers as well.
—You shouldn’t have any issues incase of doing this procedure…

Once you configure the required certs in TN as we discussed so far and do a test dry run the inbound/outbound https process and see how this goes.

HTH,
RMG

Hi RMG, Thanks for your reply. I am going to perform the test and see how it goes. Thanks, Capri_lak

Hi Capri_lak,

you got Sucess or not?

Thanks,
JSree

we are still working with the partner. I will keep posted the updates. Thanks, Capri_lak

Hi Rmg, I am just wondering about the changing the wm.EDIINT:receive ACL to Trading partners or Anonymous. Is it a safety measure to change the ACL’s as the default comes as Internal. If so which is better pick Anonymous or Trading partners? Could you please advise me. Thanks, Capri_lak

I don’t see any problem after setting to Anonymous as the connection is already a secured http/s communication (RI–>IS/TN)…We did this before and works fine…

HTH,
RMG

Hi Rmg, Thanks a lot for sharing the Information and it worked fine. I do have a question related to the flow under this situation: 1. we have two different trading partners which does HTTPs/Http post to our service–> wm.EDIINT:receive service. In the Processing rules i created new processing rule when we receive the doc from these two partners i am executing a common custom flow service which will be called in asynchronously. Since the two services calling the same service what would happen if they do the post same time. I am just wondering about the execution will there be a conflict in sharing the service? Is it going to process one after the other? Do i need to do some changes? If so could you please advise me the steps i need to take care of. Thanks for your help, Capri_lak