Interoperability with Axway - Signed Acknowledgements


cheggers

Dec 8, 2009, 8:43:13 AM
to Hermes 2.0 Discussion List

Hi,

I'm trying to use Hermes against an instance of Axway Interchange.
I'm getting an error when using signed acknowledgments.

This relates to a message being sent from Hermes to Axway, then Axway
trying to send a signed acknowledgment back.

I have configured the partnership within Hermes and set up my
certificate for signing the outbound message. This seems to work ok
and I have successfully tested this against another instance of
Hermes.

Within the partnership I have set "Acknowledgement Requested" and
"Acknowledgement Signed Requested" to true.

I have loaded the public key of the Axway client into the partnership
as the verification certificate. As stated, I have tested the setup
against another instance of Hermes so I have some confidence the
configuration is ok.

However when I receive the acknowledgment from Axway I'm getting the
following error in the ebms.log...

2009-12-07 16:37:16 [Thread-777 ] <INFO > <cecid.ebms.spa> <Sign the
message: 20091207-1...@123.146.23.34>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<setEnvelope, using algorithm: rsa-sha1>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<addDocument URI: cid:Payload-0, contentType: text/xml>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<start signing>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<got private key from keystore>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<created DocumentResolver>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<created Transform>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<added main document (envelope)>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<added 1 attachment documents>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<got the certificate chain from keystore>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<added the certificate chain to signature>
2009-12-07 16:37:16 [Thread-777 ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
<message signed>
2009-12-07 16:37:16 [Thread-777 ] <INFO > <cecid.ebms.spa> <Send
message 20091207-1...@123.146.23.34 to http://123.123.123.123:61076/exchange/232510151>
2009-12-07 16:37:17 [http-8080-5 ] <INFO > <cecid.ebms.spa> <Incoming
ebxml message received:
M1260203839...@123.123.123.123_te4657024897899789539>
2009-12-07 16:37:17 [http-8080-5 ] <ERROR> <cecid.ebms.spa> <Please
upload the certificate>
2009-12-07 16:37:17 [http-8080-5 ] <ERROR> <cecid.ebms.spa> <Error in
finding the certificate>
java.lang.RuntimeException: Please upload the certificate
at
hk.hku.cecid.ebms.spa.handler.InboundMessageProcessor.findSenderCert
(InboundMessageProcessor.java:1513)
at
hk.hku.cecid.ebms.spa.handler.InboundMessageProcessor.checkSignature
(InboundMessageProcessor.java:1566)
at
hk.hku.cecid.ebms.spa.handler.InboundMessageProcessor.processIncomingMessage
(InboundMessageProcessor.java:127)
at
hk.hku.cecid.ebms.spa.handler.MessageServiceHandler.processInboundMessage
(MessageServiceHandler.java:276)
at hk.hku.cecid.ebms.spa.listener.EbmsInboundListener.processRequest
(EbmsInboundListener.java:59)
at hk.hku.cecid.ebms.spa.listener.EbmsAdaptor.processRequest
(EbmsAdaptor.java:42)
at hk.hku.cecid.piazza.commons.soap.SOAPHttpAdaptor.processRequest
(SOAPHttpAdaptor.java:132)
at
hk.hku.cecid.piazza.commons.servlet.http.HttpDispatcher.processRequest
(HttpDispatcher.java:126)
at hk.hku.cecid.piazza.commons.servlet.http.HttpDispatcher.doPost
(HttpDispatcher.java:277)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter
(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke
(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke
(StandardContextValve.java:191)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke
(AuthenticatorBase.java:433)
at org.apache.catalina.core.StandardHostValve.invoke
(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke
(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke
(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service
(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process
(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol
$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:
454)
at java.lang.Thread.run(Unknown Source)
2009-12-07 16:37:17 [http-8080-5 ] <ERROR> <cecid.ebms.spa> <Error in
verifying signature>
hk.hku.cecid.ebms.spa.handler.MessageServiceHandlerException: Error in
finding the certificate
by java.lang.RuntimeException: Please upload the certificate
at
hk.hku.cecid.ebms.spa.handler.InboundMessageProcessor.findSenderCert
(InboundMessageProcessor.java:1518)
at
hk.hku.cecid.ebms.spa.handler.InboundMessageProcessor.checkSignature
(InboundMessageProcessor.java:1566)
at
hk.hku.cecid.ebms.spa.handler.InboundMessageProcessor.processIncomingMessage
(InboundMessageProcessor.java:127)
at
hk.hku.cecid.ebms.spa.handler.MessageServiceHandler.processInboundMessage
(MessageServiceHandler.java:276)
at hk.hku.cecid.ebms.spa.listener.EbmsInboundListener.processRequest
(EbmsInboundListener.java:59)
at hk.hku.cecid.ebms.spa.listener.EbmsAdaptor.processRequest
(EbmsAdaptor.java:42)
at hk.hku.cecid.piazza.commons.soap.SOAPHttpAdaptor.processRequest
(SOAPHttpAdaptor.java:132)
at
hk.hku.cecid.piazza.commons.servlet.http.HttpDispatcher.processRequest
(HttpDispatcher.java:126)
at hk.hku.cecid.piazza.commons.servlet.http.HttpDispatcher.doPost
(HttpDispatcher.java:277)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter
(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke
(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke
(StandardContextValve.java:191)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke
(AuthenticatorBase.java:433)
at org.apache.catalina.core.StandardHostValve.invoke
(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke
(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke
(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service
(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process
(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol
$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:
454)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.RuntimeException: Please upload the certificate
at
hk.hku.cecid.ebms.spa.handler.InboundMessageProcessor.findSenderCert
(InboundMessageProcessor.java:1513)


Has anyone seen this before? Can anyone provide any clues as to what
the error might be?

Thanks

Gavin.

Kit

Dec 9, 2009, 9:44:47 PM
to Hermes 2.0 Discussion List
Hi Gavin,

Did you upload the "Certificate For Verification" in the hermes2
partnership?
From the log, it seems that the hermes2 did not have the cert to
verify the signature in the Acknowledgment.

Regards,
Kit Yuen, Software Engineer
Apacus Software - Innovate, Simplify

Email: kit....@apacus.com
Site: http://www.apacus.com


On Dec 8, 9:43 pm, cheggers <gavin.r...@btinternet.com> wrote:
> Hi,
>
> I'm trying to use Hermes against an instance of Axway Interchange.
> I'm getting an error when using signed acknowledgments.
>
> This relates to a message being sent from Hermes to Axway, then Axway
> trying to send a signed acknowledgment back.
>
> I have configured the partnership within Hermes and set up my
> certificate for signing the outbound message.  This seems to work ok
> and I have successfully tested this against another instance of
> Hermes.
>
> Within the partnership I have set "Acknowledgement Requested" and
> "Acknowledgement Signed Requested" to true.
>
> I have loaded the public key of the Axway client into the partnership
> as the verification certificate.  As stated, I have tested the setup
> against another instance of Hermes so I have some confidence the
> configuration is ok.
>
> However when I receive the acknowledgment from Axway I'm getting the
> following error in the ebms.log...
>
> 2009-12-07 16:37:16 [Thread-777  ] <INFO > <cecid.ebms.spa> <Sign the
> message: 20091207-142844-39...@123.146.23.34>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <setEnvelope, using algorithm: rsa-sha1>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <addDocument URI: cid:Payload-0, contentType: text/xml>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <start signing>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <got private key from keystore>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <created DocumentResolver>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <created Transform>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <added main document (envelope)>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <added 1 attachment documents>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <got the certificate chain from keystore>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <added the certificate chain to signature>
> 2009-12-07 16:37:16 [Thread-777  ] <DEBUG> <pkg.pki.ApacheXMLDSigner>
> <message signed>
> 2009-12-07 16:37:16 [Thread-777  ] <INFO > <cecid.ebms.spa> <Send
> message 20091207-142844-39...@123.146.23.34 tohttp://123.123.123.123:61076/exchange/232510151>
> 2009-12-07 16:37:17 [http-8080-5 ] <INFO > <cecid.ebms.spa> <Incoming
> ebxml message received:
> M1260203839944.11674...@123.123.123.123_te4657024897899789539>

Ronnie Kwok

Dec 9, 2009, 10:20:52 PM
to Hermes 2.0 Discussion List
Gavin,

In the partnership page, next to the field "Certificate for
Verification", can you see the cert information? If not, it could be
the cert cannot be inserted into the partnership properly.

Regards,
ronnie

On Dec 10, 10:44 am, Kit <kit.y...@apacus.com> wrote:
> Hi Gavin,
>
> Did you upload the "Certificate For Verification" in the hermes2
> partnership?
> From the log, it seems that the hermes2 did not have the cert to
> verify the signature in the Acknowledgment.
>
> Regards,
> Kit Yuen, Software Engineer
> Apacus Software - Innovate, Simplify
>
> Email: kit.y...@apacus.com

cheggers

Dec 10, 2009, 4:43:54 AM
to Hermes 2.0 Discussion List
Thanks Both for your responses.

Yes, I have uploaded the certificate for verification and can see it
in the Partnership. When I use this against another instance of
Hermes it works ok which makes me believe this is configured
correctly.

However, when I then re-point to Axway I get the error.

Gavin.

Kit

Dec 10, 2009, 4:59:11 AM
to Hermes 2.0 Discussion List
Hi Gavin,

Maybe we can try a simpler case first.
Have you tried asking the Axway side to send a signed message to
Hermes2?

And do you have the Axway keystore for signing? If yes, you can repeat the
above trial with two Hermes2 instances.

Regards,
Kit Yuen, Software Engineer
Apacus Software - Innovate, Simplify

Email: kit....@apacus.com
Site: http://www.apacus.com

cheggers

Dec 11, 2009, 5:59:26 AM
to Hermes 2.0 Discussion List

Ok, the issue is resolved. We were actually being sent an ebXML
"MessageError" message from Axway, not an "Acknowledgement" as we were
told.

So I added a partnership for the "MessageError" action with the
certificate for verification and it is now working.

Thanks for the responses.

Gavin
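
Added example (not part of the thread and not Hermes code): a small diagnostic that reads the ebMS 2.0 header of an inbound envelope and shows why a verification certificate attached only to an "Acknowledgment" partnership is not found when the partner actually sends a "MessageError". It assumes the certificate is looked up by the partnership matching the message's CPAId, Service and Action, as the fix above suggests; the envelope, the CPA ID `cpa-demo`, the file name `axway-verify.cer` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "eb": "http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd",
}
# Service used by ebMS 2.0 for its own signals (Acknowledgment, MessageError).
SERVICE = "urn:oasis:names:tc:ebxml-msg:service"

# Constructed sample: the kind of signal the partner really sent in this thread.
SAMPLE_ERROR = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:eb="{NS['eb']}">
 <soap:Header>
  <eb:MessageHeader eb:version="2.0" soap:mustUnderstand="1">
   <eb:CPAId>cpa-demo</eb:CPAId>
   <eb:Service>{SERVICE}</eb:Service>
   <eb:Action>MessageError</eb:Action>
  </eb:MessageHeader>
  <eb:ErrorList eb:version="2.0" soap:mustUnderstand="1" eb:highestSeverity="Error"/>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""

def routing_key(envelope_xml):
    """Return (CPAId, Service, Action, kind) read from the SOAP header."""
    header = ET.fromstring(envelope_xml).find("soap:Header", NS)
    mh = header.find("eb:MessageHeader", NS)
    cpa, service, action = (
        mh.findtext("eb:" + tag, default="", namespaces=NS).strip()
        for tag in ("CPAId", "Service", "Action")
    )
    if header.find("eb:ErrorList", NS) is not None:
        kind = "error"
    elif header.find("eb:Acknowledgment", NS) is not None:
        kind = "acknowledgment"
    else:
        kind = "user-message"
    return cpa, service, action, kind

def find_verification_cert(partnerships, envelope_xml):
    """Assumed lookup: a cert is found only on an exact (CPAId, Service, Action) match."""
    cpa, service, action, kind = routing_key(envelope_xml)
    return {"key": (cpa, service, action), "kind": kind,
            "cert": partnerships.get((cpa, service, action))}

if __name__ == "__main__":
    # Hypothetical partnership table: cert configured for Acknowledgment only.
    table = {("cpa-demo", SERVICE, "Acknowledgment"): "axway-verify.cer"}
    print(find_verification_cert(table, SAMPLE_ERROR))   # cert is None
    table[("cpa-demo", SERVICE, "MessageError")] = "axway-verify.cer"
    print(find_verification_cert(table, SAMPLE_ERROR))   # cert is found
```

Running the same header check on a captured inbound message before touching the keystore tells you which partnership the signature check will be resolved against.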