Hello together

In our developement System we have set up 2 Trading Network Systems (Buyer Seller) with Rosettanet. When I send an Message from the sellersystem to the buyersystem via http it work without problems. When I send the message via https then I’ve go the following ERROR java.io.IOException: java.io.IOException: 403 Forbidden.
On both Integration Servers are https - ports defined. Each server has his own certificate and is installed on both servers. The settings for sign, encryption, decryption and verify are made. The profiles are set up with http and https. the prefered is https. The certificate of the servers are defined in the security tab of the Integration Servers.
Does somebody know what I mad wrong?

Hi, Pascal.

403 is a protocol error for HTTP. Your problem may be related to the Inetgration Server, but I think the issue is more closely tied to permissions or target service.

What is the URL that you are trying to post to? Is it a service or a directory? For example, the URL should resemble the following:

http://[I]serverhost:serverport[/i]/invoke/folder:service

Check your permissions and URLs and let us know what you find.

Hi
we use the following entries.
[url]https://serverhost:5556/invoke/wm.ip.rn/receive[/url]

rgds

pascal

Is the https port on the receiveing end set to request or require certificates?

Require means you must import the sender’s certificate and associate with a user account.

it isn’t specified in the server, cause it is optional (webMethods IS Guide), do I have to define?

For each company profile you need a user in webMethods (typically a DUNS number) and make sure this user is in the TNPartners group. Each server needs to have the SSL ports set to ‘require certs’ then you map the cert on each side to the user associated with each profile.

Make sure the wm.ip.rn:receive method is added to the ports as an allowed service (or set the ports Access Mode to Global - allow by default). Check connectivity between servers in each direction using a remote server alias for example (without the rosettanet complexity for starters).

Will Kriski

When you create a https port, you have to specify client authentication type. The 3 options are None, Request Certificates, Require Certificates.

None means user name/password. So the sending profile would specify user/password only (no cert).

Request will ask for a cert, and if none is given fall back to user/pass. So the sending profile would specify either user/pass OR cert info.

Require will ask for a cert, and if none is given deny access. Sender profile would only specify the cert info.

Hope this helps.
Theo

Hi Will

Am I right? With user you mean the DUNS - Number.

Pascal

Hi all

does somebody know if only Port 443 is alowed to be used as https - Port. When I use this Port in one way i can start a connection and it works. Why not at other ports?

Can’t answer all the question because I’m not sure of your environment. But Definately you can use other ports than 443 for https. One project we do use port 4443 for https due to fact in unix systems you need to have root access in order to manage port 443.

HI Kim

we use W2K Servers and IS4.6
Are there any spetial settings I have to da when I want to use other https ports?

Hi we use W2K Server, TN und IS 4.6

regards

pascal

Yes I mean the DUNS number.

You can use any port for HTTPS but sometimes network people like to use 443 for the outside world - so they have to translate incoming requests from 443 to your webMethods port (5556 for example). webMethods suggests using ports above 1024 so that you don’t have to run the server as the ‘root’ user.

hi will

i have done that but it dosen’t work

Pascal - if you use 443, then you don’t have to specify the port in the URL. If you use a different port, then you do.
e.g [url]https://secure.url:5556/invoke/blah/blah[/url]

That’s the only difference (other than the root issue which is OS specific).

403 is always a permissions issue. If you send me screen shots of the port config screen on the receiving end and the TN profile protocol and security tabs on the sending end, I’ll try to help you get this thing debugged.

theo.ezell at webmethods.com

I thought a 403 was returned on any error. If the invoked service pukes (exit and signal failure, or uncaught Java exception, etc.) then the http return code is 403. Am I incorrect?

Rob - you are correct. I was thinking of standard http return codes. Sorry.

Hi,

I have two questions regarding http response:

1. from a flow or java service on IS - is it possible to control the value of the http return code (statusCode) and message (statusMessage) - or is it beyond user’s control as suggested by Rob Eamon (always 403 when service fails) ?

2. from a flow or java service on IS - is there any way to pass information back to a calling http client - at http level ( not as an XML document using output template ) ?

Regards,

Mikael

1. It has been my experience that the only http error codes returned are 200 (success) and 403 (error).

2. You can use pub.flow:setResponse to return any type of data to the client, regardless of success/failure.

1. I think by using java service you can control/set a different code for your HTTP Status code other than 403.

2. In a flow service you can call pub.flow:setResponse service which sets the HTTP response with any message (xml/non-xml) you want to send. Also don’t forget to set the content-Type.

for setting custom HTTP response code use the following java service. This service has two inputs “statusCode” and “statusMessage”.

IDataCursor pipelineCursor = pipeline.getCursor();
String statusCode = IDataUtil.getString( pipelineCursor, “statusCode” );
String statusMessage = IDataUtil.getString( pipelineCursor, “statusMessage” );

Service.getHttpResponseHeader((Values)pipeline)
.setResponse(Integer.parseInt(statusCode), statusMessage);

pipelineCursor.destroy();

Thanks Rob and PU!

After I posted my question here I decided to open a new
discussion thread instead

Integration Server & Trading Networks: Development: Http
response - can status code and message be controlled ?

where I posted the same question. Please use this thread if
you want to add to the http response discussion, thanks.
Sorry for the confusion.

/Mikael.