
SEEBURGER AG

AS2 Certificate Handling


- How To Guide -
Platform: PI
Release: 7.1x/7.3x
SEEBURGER AG
AS2 Certificate Handling
How To Guide
Page 2/21 19.03.2013
Contents
AS2 CERTIFICATE HANDLING
Creating a Keystore View
Importing certificates
Creating a new private key and certificate
Exporting a certificate
Granting Keystore View access to adapter users
CONFIGURATION ERRORS
General
Errors in the Runtime-Workbench
No encryption certificate
Could not retrieve certificate \USER\ABC\XYZ
No signature certificate
MDN requested, but appropriate report channel is missing
Unrecognized SSL message
No trusted certificate found
Errors in the SEEBURGER-Workbench
Decryption certificate missing
Decryption failed
Authentication error
Authentication certificate missing
Key invalid in message
MDN not signed
MDN not authenticated
APPENDIX
Further Information

Icons
Symbol descriptions: Caution, Warning, Note, Recommendation, Requirements, Information, Example, Code
AS2 Certificate Handling
Note:
The following instructions do not replace the official SEEBURGER documentation. Please
follow the documents outlined in Further Information.
Creating a Keystore View
All certificates and private keys for signed and encrypted communication have to be stored in the SAP
Key Storage. For this purpose a new Keystore View has to be created.
Go to http://<servername>:<port>/nwa and open the SAP NetWeaver Administrator. From the start
page switch to Configuration Management > Security > Certificates and Keys.

In the Keystorage Content tab click Add View.

Fill in View Name and Description for the new view. Click Create.

The result should look like this.

Importing certificates
To be able to verify signed messages from trading partners, their certificates have to be imported into the
new Keystore View.
To import a certificate from a trading partner click the Import Entry button in the Key Store View
Details pane.

Choose X.509 Certificate, select the certificate file from the file system and click Import.

Note:
The name of the imported certificate can be changed using the Rename button.
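A check worth running on a partner's certificate file before it is imported, given here as an added example that is not part of the SEEBURGER guide or SAP tooling. The class name `PartnerCertCheck` and the 30-day warning threshold are assumptions; the program prints the SHA-256 fingerprint to compare with the value the trading partner confirms over a separate channel, and fails if the certificate is not valid today.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

// Added example (not SEEBURGER or SAP code): inspect a certificate file before import.
public class PartnerCertCheck {
    static final long WARN_DAYS = 30; // assumed threshold for the expiry warning

    // SHA-256 fingerprint over the DER encoding, as colon-separated hex.
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) { System.err.println("usage: java PartnerCertCheck <file>"); System.exit(2); }
        InputStream in = new FileInputStream(args[0]); // DER or PEM encoded X.509 file
        X509Certificate c;
        try {
            c = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
        System.out.println("Subject : " + c.getSubjectX500Principal().getName());
        System.out.println("Issuer  : " + c.getIssuerX500Principal().getName());
        System.out.println("Valid   : " + c.getNotBefore() + " .. " + c.getNotAfter());
        System.out.println("SigAlg  : " + c.getSigAlgName());
        System.out.println("SHA-256 : " + fingerprint(c));
        if (c.getPublicKey() instanceof RSAPublicKey)
            System.out.println("RSA bits: " + ((RSAPublicKey) c.getPublicKey()).getModulus().bitLength());
        boolean[] ku = c.getKeyUsage(); // null when the KeyUsage extension is absent
        System.out.println("KeyUsage: " + (ku == null ? "extension absent"
            : "digitalSignature=" + ku[0] + " keyEncipherment=" + ku[2]));
        long now = System.currentTimeMillis();
        if (now < c.getNotBefore().getTime() || now > c.getNotAfter().getTime()) {
            System.out.println("FAIL: certificate is not valid today");
            System.exit(1);
        }
        long daysLeft = (c.getNotAfter().getTime() - now) / 86400000L;
        if (daysLeft < WARN_DAYS) System.out.println("WARN: expires in " + daysLeft + " days");
    }
}
```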
Creating a new private key and certificate
Select the Keystore View and click Create in the Key Storage View Details pane.

Fill in an Entry Name and check Store Certificate to create a certificate (otherwise only a private key
will be created). Click Next.

Fill in the Subject Properties. If required, properties can be added or removed by clicking the Add or
Remove button. Skip Steps 3 and 4 by clicking the Finish button.


The result should look like this.

Exporting a certificate
To provide your own certificates to trading partners, select the certificate to be
exported and click the Export Entry button.

Select the preferred export format and click the Download link.

Granting Keystore View access to adapter users
To be able to use the certificates and keys stored in the Keystore View within the SEEBURGER
communications adapters, the adapter users need access to the view.
Go to Configuration Management > Security > Identity Management.

Search for see* to get a list of adapter users.
Note:
The adapter users must have been created beforehand.

Select the user seeas2 and switch to the Assigned Roles tab in the Details of User pane. Click
Modify.

Search for the Role view-creator*. Select the role of the Keystore view and Add it to the user. Save
the changes.
Configuration Errors
General
Note:
The following errors were provoked with an AS2 adapter but apply equally to every other
SEEBURGER adapter using encryption and signing.
Errors in the Runtime-Workbench
No encryption certificate
Error:

Solution:
Check your Receiver Agreement.


Could not retrieve certificate \USER\ABC\XYZ
Error:

Solution:
Check the adapter user in the Identity Management of the NetWeaver Administrator (NWA). The user must
have an assigned role for the Keystore View that contains the certificates and private keys.

No signature certificate
Error:

Solution:
Check your Receiver Agreement.

MDN requested, but appropriate report channel is missing
Error:

Solution:
Check if a Report channel and the corresponding Sender Agreement are configured.


Unrecognized SSL message
Error:

Solution:
No trusted certificate found
Error:

Solution:
Check your SSL configuration in the communication channel and make sure the SSL certificate is in the Key Storage and valid.

Caution:
If an SSL certificate is newly imported, a restart of the J2EE Engine is required for the
changes to take effect.

Errors in the SEEBURGER-Workbench
Decryption certificate missing
Error:

Solution:
Check the Decryption Key in your Sender Agreement.

Decryption failed
Error:

Solution:
Check the Decryption Key in your Sender Agreement.

Authentication error
Error:

Solution:
Check the Authentication Certificate in your Sender Agreement.

Authentication certificate missing
Error:

Solution:
Check the Authentication Certificate in your Sender Agreement.

Also check if the system property mail.mime.multipart.bmparse is set to false.
Go to SEEBURGER Workbench > System Status > Important Server Properties

Caution:
If not OK, apply SAP Note 1287778.
Key invalid in message
Error:

Solution:
Check if the Unlimited Strength Policy files are installed on all server nodes.

Caution:
If not OK, see SeeMasterInstallationGuide.pdf chapter 4 Note on Cryptography and
SAP Note 989517.
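One way to check a node for the Unlimited Strength Policy files, given as an added example that is not taken from the SEEBURGER guide or the SAP Notes. The class name `JcePolicyCheck` is hypothetical, and the result only describes the Java installation that runs it, so it is assumed that you start it with the same JVM each server node uses.

```java
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example (not SEEBURGER or SAP code): detect the limited-strength JCE policy.
public class JcePolicyCheck {
    // True when an AES cipher can really be initialised with a key of the given size.
    static boolean canInit(int keyBits) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            // All-zero test key: only the key length matters for the policy check.
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[keyBits / 8], "AES"));
            return true;
        } catch (InvalidKeyException e) {
            return false; // key size refused by the installed policy
        }
    }

    public static void main(String[] args) throws Exception {
        // Identify the JVM under test; the policy files belong to this Java installation.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        int max = Cipher.getMaxAllowedKeyLength("AES"); // Integer.MAX_VALUE when unrestricted
        System.out.println("max AES key  = " + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        boolean allOk = true;
        int[] bits = {128, 192, 256};
        for (int i = 0; i < bits.length; i++) {
            boolean ok = canInit(bits[i]);
            System.out.println("AES-" + bits[i] + " init : " + (ok ? "ok" : "REJECTED by policy"));
            allOk &= ok;
        }
        System.exit(allOk ? 0 : 1); // non-zero exit marks a node that still needs the policy files
    }
}
```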
MDN not signed
Error:

Solution:
Check the Signing Key in your Sender Agreement.

MDN not authenticated
Error:

Solution:
Check the Authentication Certificate in your Sender Agreement for the Report channel.
Appendix
Further Information
Information:
For further information refer to the SEEBURGER Master Configuration Guide and the Adapter
manuals supplied with the solution release.