AS2 Certificate Handling - How To in SAP PI

SEEBURGER AG AS2 Certificate Handling - How To Guide - Platform: PI Release: 7.1x/7.3x

Page 2/21 19.03.2013

Contents

AS2 CERTIFICATE HANDLING
  Creating a Keystore View
  Importing certificates
  Creating a new private key and certificate
  Exporting a certificate
  Granting Keystore View access to adapter users

CONFIGURATION ERRORS
  General
  Errors in the Runtime-Workbench
    No encryption certificate
    Could not retrieve certificate \USER\ABC\XYZ
    No signature certificate
    MDN requested, but appropriate report channel is missing
    Unrecognized SSL message
    No trusted certificate found
  Errors in the SEEBURGER-Workbench
    Decryption certificate missing
    Decryption failed
    Authentication error
    Authentication certificate missing
    Key invalid in message
    MDN not signed
    MDN not authenticated

APPENDIX
  Further Information

AS2 Certificate Handling

Note:

The following instructions do not replace the official SEEBURGER documentation. Please follow the documents outlined in Further Information.

Creating a Keystore View

All certificates and private keys for signed and encrypted communication have to be stored in the SAP Key Storage. For this purpose a new Keystore View has to be created.

Go to http://<servername>:<port>/nwa and open the SAP NetWeaver Administrator. From the start page switch to Configuration Management > Security > Certificates and Keys.

In the Keystorage Content tab click Add View.

Fill in View Name and Description for the new view. Click Create.

The result should look like this.

Importing certificates

To verify signed messages from trading partners, their certificates have to be imported into the new Keystore View.

To import a certificate from a trading partner, click the Import Entry button in the Key Store View Details pane.

Choose X.509 Certificate, select the certificate file from the file system and click Import.

Note:

The name of the imported certificate can be changed using the Rename button.
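
A check worth running on a trading partner's certificate file before the import described above, given here as an added example that is not part of the SEEBURGER guide: it compares the SHA-256 fingerprint with the value the partner confirmed over a separate channel and rejects a certificate that is close to expiry. The function names, the file names and the use of the openssl command-line tool are assumptions of this example.

```shell
# Added example: sanity-check an X.509 certificate file before importing it
# into the Keystore View. Function and file names are assumptions.

# Print the SHA-256 fingerprint as lowercase hex without colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Succeed only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_partner_cert FILE EXPECTED_SHA256 MIN_DAYS
# Returns 0 = ok, 1 = not a readable certificate,
#         2 = fingerprint mismatch, 3 = expires within MIN_DAYS.
check_partner_cert() {
    _actual=$(cert_sha256 "$1" 2>/dev/null)
    [ -n "$_actual" ] || return 1
    # Accept the expected value with or without colons, in either case.
    _expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "$_actual" = "$_expected" ] || return 2
    cert_valid_for_days "$1" "$3" || return 3
    return 0
}

# Constructed sample input: a throwaway self-signed certificate, valid for
# 30 days, written to $1.crt (key in $1.key). Not a real partner certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=partner.example/O=Example Partner" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Usage:
#   check_partner_cert partner.crt "<fingerprint confirmed by the partner>" 30
```

The same validity check applies to an SSL certificate when troubleshooting the "No trusted certificate found" error later in this guide.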

Creating a new private key and certificate

Select the Keystore View and click Create in the Key Storage View Details pane.

Fill in an Entry Name and check Store Certificate to create a certificate (otherwise only a private key will be created). Click Next.

Fill in the Subject Properties. If required, properties can be added or removed by clicking the Add or Remove button. Skip steps 3 and 4 by clicking the Finish button.

The result should look like this.

Exporting a certificate

To provide your own certificates to trading partners, select the certificate to be exported and click the Export Entry button.

Select the preferred export format and click the Download link.

Granting Keystore View access to adapter users

To be able to use the certificates and keys stored in the Keystore View within the SEEBURGER communications adapters, the adapter users need access to the view.

Go to Configuration Management > Security > Identity Management.

Search for see* to get a list of adapter users.

Note:

The adapter users must be created beforehand.

Select the user seeas2 and switch to the Assigned Roles tab in the Details of User pane. Click Modify.

Search for the role view-creator*. Select the role of the Keystore View and Add it to the user. Save the changes.

Configuration Errors

General

Note:

The following errors were provoked with an AS2 adapter, but they apply equally to every other SEEBURGER adapter that uses encryption and signing.

Errors in the Runtime-Workbench

No encryption certificate

Error:

Solution:

Check your Receiver Agreement

Could not retrieve certificate \USER\ABC\XYZ

Error:

Solution:

Check the adapter user in the Identity Management of the NetWeaver Administrator (NWA). The user must have an assigned role for the Keystore View that contains the certificates and private keys.

No signature certificate

Error:

Solution:

Check your Receiver Agreement

MDN requested, but appropriate report channel is missing

Error:

Solution:

Check if a Report channel and the corresponding Sender Agreement are configured.

Unrecognized SSL message

Error:

Solution:

No trusted certificate found

Error:

Solution:

Check your SSL configuration in the communication channel and make sure the SSL certificate is in the Key Storage and valid.

Caution:

If an SSL certificate is newly imported, the J2EE Engine must be restarted for the changes to take effect.

Errors in the SEEBURGER-Workbench

Decryption certificate missing

Error:

Solution:

Check the Decryption Key in your Sender Agreement.

Decryption failed

Error:

Solution:

Check the Decryption Key in your Sender Agreement.

Authentication error

Error:

Solution:

Check the Authentication Certificate in your Sender Agreement.

Authentication certificate missing

Error:

Solution:

Check the Authentication Certificate in your Sender Agreement.

Also check if the system property mail.mime.multipart.bmparse is set to false.

Go to SEEBURGER Workbench > System Status > Important Server Properties

Caution:

If not OK, apply SAP Note 1287778.

Key invalid in message

Error:

Solution:

Check if the Unlimited Strength Policy files are installed on all server nodes.

Caution:

If not OK, see SeeMasterInstallationGuide.pdf, chapter 4 "Note on Cryptography", and SAP Note 989517.

MDN not signed

Error:

Solution:

Check the Signing Key in your Sender Agreement.

MDN not authenticated

Error:

Solution:

Check the Authentication Certificate in your Sender Agreement for the Report channel.

Appendix

Further Information

Information:

For further information, refer to the SEEBURGER Master Configuration Guide and the adapter manuals that come with the solution release.