webM’s: IS: V6.5 TN: V6.5 EDI’s: 6.5.2

Issue: wm.EDIINT.receive (execute ACL=TNpartners -vs- =Anonymous)

OverView:
>We are already trading EDI documents with one customer using AS2, and all works perfectly.
The software that they are using is similar to webM’s, in that their partner setup form includes separate fields for the AS2 Identifier, AS2 URL, Login Name, Password, etc.
Problem:
>We are trying to add a new customer, to send them 810’s & receive 997’s back, via AS2
>All works fine, IF wmEDIINT.receive’s execute ACL is set to: anonymous. When the execute ACL is set to: TNPartners (as is the case in our production system),
the new partner receives our 810, but gets an ‘Access Denied’ when trying to send us the 997. The partner has been added to the TNPartners group in IS.
>The software the new customer is using does not have a place to enter a username & password, so he is trying to pass it in the URL, to no avail.
>The URL they are sending is in this format:

[URL=“http://ourusername:ourpassword@ourIP:5556/invoke/wm.EDIINT/receive”][FONT=Times New Roman][SIZE=3]http://ourusername:ourpassword@ourIP:5556/invoke/wm.EDIINT/receive[/size][/font][/URL]

Question:
>Has anyone encountered this issue before, and how was it solved?

Any help would be appreciated.

…

Hi DON,
wm.EDIINT:receive service is having execute ACL as ‘internal’ and by default ‘internal’ ACL includes only two groups i.e. ‘Administrator’ and ‘Developer’ . Your partner is having ACL other than ‘Administrator’, ‘Developer’ and ‘TNPartners’ . Now if you want your partner to execute this service then do not give ACL as ‘Anonymous’ as in this way security is becoming less. You need to see first that your partner belongs to which group then same group you add to the ‘Allowed’ list of ‘internal’ ACL. In this way your issue will be resolved.

Thank you Vikas, but the issue is that the customer’s incoming data (997) is not recognized as TNpartner data (or any group for that matter). I have sidestepped the problem by having our network administrator open up a new port restricted to incoming data from our new customer’s IP only, and made a standalone version of EDIINT.receive for the new customer, with its’ execute ACL set to anonymous. I then had the customer modify the URL he was generating to reflect the new port & EDIINT.receive service. Seems to work just fine.

EDIINT.receive for the new customer, with its’ execute ACL set to anonymous – Yes this should be it unless you and partner mutually understood the security risk which is lit common to adjust the gateway service.

HTH,
RMG