B2B-51075 Missing signer certificate receiving AS2 through reverse proxy

We are setting up AS2 communication through B2B on 11.1.1.6.7. Our reverse proxy configuration in the DMZ looks as shown:
<Location /b2b/httpReceiver>
  WebLogicHost internalsoa.domain
   WebLogicPort 8001
   WLLogFile /dmz/logs/wl-proxy.log
   SetHandler weblogic-handler
</Location>
https://externaledi.domain/b2b/httpReceiver
-Dhttp.proxySet=true -Dhttp.proxyHost=externaledi.domain -Dhttp.proxyPort=443
When I go to the externally available URL, I receive the "B2B Server is ready to accept HTTP messages from the Trading Partner" message.
In the TRACE:32 logging, I see:
[2014-01-10T09:20:30.551-08:00] [soa_server1] [TRACE] [] [oracle.soa.b2b.engine] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c8ec097869f74d35:75fef00f:14379dde17a:-8000-0000000000080c34,0] [SRC_CLASS: oracle.tip.b2b.system.DiagnosticService] [APP: soa-infra] [SRC_METHOD: synchedLog_J] Utility:getAllCertsFromWallet:Loaded Certs 5
[2014-01-10T09:20:30.553-08:00] [soa_server1] [ERROR] [] [oracle.soa.b2b.engine] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c8ec097869f74d35:75fef00f:14379dde17a:-8000-0000000000080c34,0] [APP: soa-infra] java.lang.NullPointerException[[
        at oracle.tip.b2b.packaging.SmimeSecureMessaging.verify(SmimeSecureMessaging.java:834)
        at oracle.tip.b2b.packaging.mime.MimePackaging.processSignedMultipartMessage(MimePackaging.java:1080)
        at oracle.tip.b2b.packaging.mime.MimePackaging.processMultipartMessage(MimePackaging.java:908)
        at oracle.tip.b2b.packaging.mime.MimePackaging.processMessageContent(MimePackaging.java:865)
        at oracle.tip.b2b.packaging.mime.MimePackaging.doUnpack(MimePackaging.java:780)
        at oracle.tip.b2b.packaging.mime.MimePackaging.unpack(MimePackaging.java:670)
        at oracle.tip.b2b.engine.Engine.processIncomingMessageImpl(Engine.java:1888)
        at oracle.tip.b2b.engine.Engine.processIncomingMessage(Engine.java:1654)
        at oracle.tip.b2b.transport.InterfaceListener.onMessageLocal(InterfaceListener.java:412)
        at oracle.tip.b2b.transport.InterfaceListener.onMessage(InterfaceListener.java:220)
        at oracle.tip.b2b.transport.basic.TransportServlet.doPost(TransportServlet.java:754)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
        at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
        at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
        at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
        at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
        at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
        at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
java.lang.NullPointerException
        at oracle.tip.b2b.packaging.SmimeSecureMessaging.verify(SmimeSecureMessaging.java:834)
        at oracle.tip.b2b.packaging.mime.MimePackaging.processSignedMultipartMessage(MimePackaging.java:1080)
        at oracle.tip.b2b.packaging.mime.MimePackaging.processMultipartMessage(MimePackaging.java:908)
        at oracle.tip.b2b.packaging.mime.MimePackaging.processMessageContent(MimePackaging.java:865)
        at oracle.tip.b2b.packaging.mime.MimePackaging.doUnpack(MimePackaging.java:780)
        at oracle.tip.b2b.packaging.mime.MimePackaging.unpack(MimePackaging.java:670)
        at oracle.tip.b2b.engine.Engine.processIncomingMessageImpl(Engine.java:1888)
        at oracle.tip.b2b.engine.Engine.processIncomingMessage(Engine.java:1654)
        at oracle.tip.b2b.transport.InterfaceListener.onMessageLocal(InterfaceListener.java:412)
        at oracle.tip.b2b.transport.InterfaceListener.onMessage(InterfaceListener.java:220)
        at oracle.tip.b2b.transport.basic.TransportServlet.doPost(TransportServlet.java:754)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
        at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
        at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
        at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
        at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
        at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
        at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
[2014-01-10T09:20:30.553-08:00] [soa_server1] [TRACE] [] [oracle.soa.b2b.engine] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c8ec097869f74d35:75fef00f:14379dde17a:-8000-0000000000080c34,0] [SRC_CLASS: oracle.tip.b2b.system.DiagnosticService] [APP: soa-infra] [SRC_METHOD: synchedLog_J] MimePackaging:processSignedMultipartMessage:Signature Verification failed
[2014-01-10T09:20:30.585-08:00] [soa_server1] [TRACE] [] [oracle.soa.b2b.engine] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c8ec097869f74d35:75fef00f:14379dde17a:-8000-0000000000080c34,0] [SRC_CLASS: oracle.tip.b2b.system.DiagnosticService] [APP: soa-infra] [SRC_METHOD: synchedLog_J] Notification: notifyApp: payload = <Exception xmlns="http://integration.oracle.com/B2B/Exception" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">[[
  <correlationId>null</correlationId>
  <b2bMessageId>0A0A117A1437D2B5D520000017198417</b2bMessageId>
  <errorCode>B2B-51075</errorCode>
  <errorText>
  <![CDATA[Missing signer certificate.
  ]]>
We used the following notes to guide the configuration:
http://blog.darwin-it.nl/2012/11/b2b11g-with-apache-20-as-forward-proxy.html
http://anuj-dwivedi.blogspot.sg/2010/10/enabling-ssl-on-oracle-b2b-11g.html
Has anyone gotten AS2 communication to work through a reverse proxy?  We are not picking up any agreements or senders in the B2BConsole reports.
Thanks,
-Michael

It turns out the trading partner provided the incorrect certificate.  Once they sent a new certificate (must be the one they use for signing), everything worked.
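
Added example (not part of the original thread, and not Oracle B2B code): one way to confirm offline that the certificate a trading partner supplied is the one that actually signs their messages, using the `openssl smime` command. The keys, certificates, names and payload below are constructed test data.

```shell
#!/bin/sh
# Added example. All keys, certificates and the payload are constructed test data;
# the names "partner-signing" and "partner-other" are hypothetical.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN: create a throwaway self-signed certificate and private key.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# fingerprint CERT: print the SHA-256 fingerprint, for comparing with the partner out of band.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_verifies_message CERT SMIME_FILE
# Exit status 0 only if CERT is the certificate that produced the signature.
#   -nointern  ignore certificates embedded in the message; use only -certfile,
#              which mirrors a receiver that relies on the certificate it has on file
#   -noverify  skip chain validation of the signer certificate (the test
#              certificates are self-signed), isolating the "is this the signer?" question
cert_verifies_message() {
  openssl smime -verify -noverify -nointern \
    -certfile "$1" -in "$2" -out /dev/null 2>/dev/null
}

# check_partner_cert CERT SMIME_FILE: print MATCH or MISMATCH.
check_partner_cert() {
  if cert_verifies_message "$1" "$2"; then
    echo "MATCH"
  else
    echo "MISMATCH"
  fi
}

# Constructed scenario: the partner signs with one certificate but hands over another.
make_cert partner-signing "Partner AS2 Signing"
make_cert partner-other "Partner Other"
printf 'constructed test payload\r\n' > "$WORK/payload.txt"

# -nocerts leaves the signer certificate out of the signature, so the receiver
# can only verify with a certificate it already holds.
openssl smime -sign -nocerts -in "$WORK/payload.txt" \
  -signer "$WORK/partner-signing.pem" -inkey "$WORK/partner-signing.key" \
  -out "$WORK/message.smime" 2>/dev/null

for name in partner-other partner-signing; do
  echo "$name ($(fingerprint "$WORK/$name.pem")):" \
    "$(check_partner_cert "$WORK/$name.pem" "$WORK/message.smime")"
done
```

For a captured AS2 request, the multipart/signed Content-Type header travels in the HTTP headers, so prepend it to the saved body before passing the file to `-in`.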

Similar Messages

  • X.509 client certificate not working through Reverse proxy

    Dear expert,
    We are working on fiori infrastructure. Our current scope is to enable X.509 authentication for both internet and intranet. However, the intranet scenario for X.509 authentication is working fine but internet is not, we got error message of "Base64 decoding of certificate failed". For landscape, the only difference between internet and intranet is we have apache reverse proxy in DMZ. We are using gateway as front-end server, business suite and HANA in the back-end.
    As X.509 authentication works fine under intranet scenario, we assume that the configuration for X.509 for both front-end and back-end are correct. With that assumption, the issue would exist in reverse proxy. We are using apache 2.4.7 with openssl 1.0.1e, but we have upgraded the openssl to the latest version 1.0.1h for SSL certificate generation. Below are the apache configuration for X.509.
    Listen 1081
    <VirtualHost *:1081>
    SSLEngine on
    SSLCertificateFile  "D:/Apache24/conf/server.cer"
    SSLCertificateKeyFile  "D:/Apache24/conf/server.key"
    SSLCertificateChainFile  "D:/Apache24/conf/server-ca.cer"
    SSLCACertificateFile "D:/Apache24/conf/client-ca.cer"
    SSLVerifyClient optional
    SSLVerifyDepth  10
    SSLProxyEngine On
    SSLProxyCACertificateFile "D:/Apache24/conf/internal-ca.cer"
    SSLProxyMachineCertificateFile "D:/Apache24/conf/server.pem"
    AllowEncodedSlashes On
    ProxyPreserveHost on
    RequestHeader unset Accept-Encoding
    <Proxy *>
         AddDefaultCharset Off
         SSLRequireSSL
         Order deny,allow
         Allow from all
    </Proxy>
    RequestHeader set ClientProtocol https
    RequestHeader set x-sap-webdisp-ap HTTPS=1081
    RequestHeader set SSL_CLIENT_CERT  ""
    RequestHeader set SSL_CLIENT_S_DN  ""
    RequestHeader set SSL_CLIENT_I_DN  ""
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
    ProxyPass / https://ldcinxd.wdf.sap.corp:1081/  nocanon Keepalive=on
    proxyPassReverse /  https://ldcinxd.wdf.sap.corp:1081/
    We are out of mind on how to resolve this issue. Please kindly help if you have any idea on it.
    thanks,
    Best regards,
    Xian' an

    Hi Samuli,
    Really thanks for your reply.
    Yes, we have tried your suggestion above in the apache configure file above, but when testing the HANA service, we got error message "Certificate could not be authenticated".
    Yes, web dispatcher makes the X.509 authentication much easier as under intranet scenario, no DMZ between browser and web dispatcher. Client certificate pass through web dispatcher directly and it works perfectly this way. Not sure why it doesn't work through apache reverse proxy.
    Best regards,
    Xian' an

  • WebDynpro applications not working through Reverse Proxy

    Hi All,
    I have configured a Reverse Proxy using apache 2.2.4 and when I access my Portal (NW04s EP 7.0 SPS08) through reverse proxy I'm not able to display any webdynpro application (e.g. Identity Management). I'm getting Page can not be displayed. I think reverse proxy is not able to convert the request into absolute URLs.
    If someone had the same problem, please let me know.
    Regards
    Vaib

    I resolved the problem on my own by adding webdynpro directive to the httpd.conf.
    Thanx
    Vaib

  • CA-Signed certificate: Received fatal alert: bad_certificate

    Hello. I am still trying to get rmi ssl to work in the way I want (see my post http://forums.sun.com/thread.jspa?threadID=5351278&tstart=15 ).
    I read that CA signed certificates are preferred to self signed certificates due to several reasons. Due to the fact, that I want to run a lot of different services, each with an own certificate, it is out of question to let them be signed by a real CA (for now all is in a testing environment and once I have solved all the problems this might become an option).
    So for now, I create my own certificate authority and sign the certificates for my services (who interact with each other via ssl).
    If there is a flaw in my setup, please tell me. If not continue reading.
    In my scenario, a service A is querying a server S to discover a service B. S sends all the information about B back to A, including the certificate of B (so A can use ssl to talk to B). I use client authentication.
    Each component uses a keystore, which acts as a truststore at the same time.
    When I use self signed certificates and import them to the other keystores (using keytool) everything works as it should.
    My setup using ca-signed certificates fails.
    At the beginning the server has all the certificates in his keystore (A & B & S, which were signed with the servers secret key, who acts as my CA). A contains the servers certificate and his own, which has been signed with the servers private key (A &S). B contains the servers certificate and his own, which has been signed with the servers private key (B & S).
    As far as I understand ssl, if A wants to talk to B, it needs the certificate of B (and needs to trust it).
    In my scenario, A is receiving the certificate of B, when it queries the server for information about B. The certificate is imported into As keystore (works), but the method call fails with:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    Is rmi ssl creating and using selfsigned certificates from the private keys in the keystore? Maybe I made a mistake, but I don't see it.
    A has a certificate of B (and trusts it, because it was signed by an authority whose certificate is trusted from the beginning). B should trust the certificate of A (because it was signed by the same authority). So why is there a bad certificate?
    My guess is, in the ssl handshake, A is using his private key to create a self signed certificate and is sending this to B. B has no reason of trusting a self-signed certificate and the handshake fails.
    If you have any ideas, I appreciate them a lot.

    ejp wrote:
    So for now, I create my own certificate authority and sign the certificates for my services (who interact with each other via ssl).
    So all you have to do is ensure that every client trusts your CA.
    This is done by importing the CA's certificate into each trust store.
    Each component uses a keystore, which acts as a truststore at the same time.
    That's a really bad idea. They serve completely different purposes. Don't do that.
    Ok, I will change that. So the trust store is used for certificates I trust (which then can be used by ssl), the keystore is used to store secret keys or if I want to do "cryptography by hand".
    As far as I understand ssl, if A wants to talk to B, it needs the certificate of B (and needs to trust it).
    That's true if B is a server. If A is the server in this scenario it is B that needs to trust A.
    In my scenario, A is receiving the certificate of B, when it queries the server for information about B. The certificate is imported into As keystore (works)
    Should be truststore
    I will change that it's only imported into the trust store (-> will do the separation of trust/key store).
    but the method call fails with:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    So there is something wrong with the certificate that B sent.
    Yes, but I don't know why. I created a certificate signing request (csr) for B (using keytool) and then used openssl to create the certificate. When I use a private key and openssl to create a selfsigned certificate e.g. create csr for B, export private key of B, use openssl to create the certificate with the private key of B), it has the same checksum as a self signed certificate using keytool.
    The trust store of B contains the CA signed certificate of B and the CA certificate. I don't understand why it is a "bad certificate".
    Maybe separating key and trust store will solve the problem or give some new hints.
    Is rmi ssl creating and using selfsigned certificates from the private keys in the keystore?
    No. SSL doesn't generate certificates at all. You do. SSL just looks in the keystore for a certificate to send that matches what the peer will accept, and sending that.
    So maybe the CA cert is used for it, which would be fault. I'm going to check that.
    A has a certificate of B (and trusts it, because it was signed by an authority whose certificate is trusted from the beginning). B should trust the certificate of A (because it was signed by the same authority).
    > A and B don't need mutual trust unless you have needClientAuth set 'true' somewhere, which you haven't mentioned.
    I mentioned it, but it came to my mind at the end of my post, so it's kind of hidden in the text. So, I do use client authentication.
    > > My guess is, in the ssl handshake, A is using his private key to create a self signed certificate
    > No. See above.
    > > and is sending this to B. B has no reason of trusting a self-signed certificate and the handshake fails.
    > No. There is something wrong with the certificate that was received by the side that first got the bad_certificate alert.
    Thanks a lot. I see several things clearer now.

  • Applet does not load using java 1.5 through reverse proxy with certific...

    Hi,
    we have the following problem:
    When using java 1.5 in our browser, our applet does not load. Using java 1.4.2 it works. It also works using java 1.5.0 using another reverse proxy.
    The differences between the 2 reverse proxies (one works, one works not) we use is that the one through which the applet does not load has a certificate installed that is not for its hostname. Can this be the reason the applet does not load? Where can I find information about the sandbox of java 1.5.0 concerning these issues. Are there any docs of the security restrictions imposed by java 1.5.0 sandbox?
    Greetings,
    Tim

    Ok,
    the solution to this specific problem was a misconfigured reverse dns lookup.
    Greets,
    Tim

  • Access Mac Mini Server (profile management) through reverse proxy

    Hi,
    Newbie in Mac's world and yet trying to make it more complicated as it is.
    As we recently (last month) decided to equip our sales force with iPads, they were configured through Apple Configurator tool running on a dedicated Mac Mini Mountain Lion.
    Now, I'd be keen in moving this configuration to the Profile Manager, part of the OSx Server plugin. So far so good.
    Problem is the following : another web server is already on the LAN using both 80 and 443 ports. So all incoming traffic on those ports was routed to this other server. As Mac Mini Server default http/s ports may not be altered, I installed a reverse proxy server (Oracle VM - Ubuntu 12.04LTS - pound), configured to deal differently traffic on those ports according to the domain name (host) of the web request (header). Each 'local' server has been allocated a domain name. Just to be clear, traffic is now routed by the WAN/LAN router, for those ports, towards the reverse proxy, configured to reroute the traffic to the correct destination.
    So far so good, it works like a charm, except... as soon as we enter https protocol on Mac Mini Server Profile Manager.
    Access from an iDevice to the Mac Mini Server Profile Manager login page is fine, but as soon as password is confirmed, safari is pending and finally a message 'An internal serer error occured. Please try later again' appears.
    Looking to both reverse proxy system log and Mac Mini profilemanager.log files to trace the problem, the following lines are produced at this particular moment :
    reverse proxy system.log
    Jan 15 14:44:03 reverseproxy pound: 91.... GET /devicemanagement/console/apple_theme_v2/en/da56af0a69e733b259dac3991419fa928b4 94a56/resources/images/sprites/me_controls.png HTTP/1.1 - HTTP/1.1 200 OK
    Jan 15 14:44:03 reverseproxy pound: 91.... GET /auth?redirect=http://osxsrv.fiks.net/devicemanagement/api/authentication/callback HTTP/1.1 - HTTP/1.1 302 Moved Temporarily
    Jan 15 14:44:04 reverseproxy pound: 91.... GET /devicemanagement/api/authentication/callback?auth_token=336952DE-BDDE-4390-82F 7-8475B79FB2D3 HTTP/1.1 - HTTP/1.1 302 Moved Temporarily
    Jan 15 14:44:04 reverseproxy pound: (b7680b40) e500 can't read header
    Jan 15 14:44:04 reverseproxy pound: (b7680b40) e500 response error read from 192.168....:443/GET /profilemanager/ HTTP/1.1: Success (0.007 secs)
    Jan 15 14:44:08 reverseproxy pound: 91.... POST /devicemanagement/api/magic/get_updated HTTP/1.1 - HTTP/1.1 200 OK
    OSx Server profilemanager.log
    Jan 15 14:44:05 osxsrv ProfileManager[1748] <Info>: Processing MagicController#do_magic (for 91.... at 2013-01-15 14:44:05) [POST]
    Jan 15 14:44:05 osxsrv ProfileManager[1749] <Info>: Processing MagicController#do_magic (for 91.... at 2013-01-15 14:44:05) [POST]
    Jan 15 14:44:06 osxsrv ProfileManager[1748] <Info>: Completed in 492ms (View: 0, DB: 6) | 200 OK [http://osxsrv.../magic/do_magic]
    Jan 15 14:44:06 osxsrv ProfileManager[1749] <Info>: Completed in 687ms (View: 0, DB: 5) | 200 OK [http://osxsrv..../magic/do_magic]
    Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: auth_token doesn't exist
    Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: Filter chain halted as [:verify_auth_token] rendered_or_redirected.
    Jan 15 14:44:07 osxsrv ProfileManager[1751] <Info>: Processing MagicController#do_magic (for 91.... at 2013-01-15 14:44:07) [POST]
    Jan 15 14:44:07 osxsrv ProfileManager[1751] <Info>: auth_token doesn't exist
    Jan 15 14:44:07 osxsrv ProfileManager[1751] <Info>: Filter chain halted as [:verify_auth_token] rendered_or_redirected.
    Jan 15 14:44:07 osxsrv ProfileManager[1751] <Info>: Completed in 4ms (View: 1, DB: 14) | 403 Forbidden [http://osxsrv..../magic/do_magic]
    Jan 15 14:44:07 osxsrv ProfileManager[1748] <Info>: Processing MagicController#do_magic (for 91.... at 2013-01-15 14:44:07) [POST]
    Jan 15 14:44:07 osxsrv ProfileManager[1748] <Info>: auth_token doesn't exist
    Jan 15 14:44:07 osxsrv ProfileManager[1748] <Info>: Filter chain halted as [:verify_auth_token] rendered_or_redirected.
    Jan 15 14:44:07 osxsrv ProfileManager[1748] <Info>: Completed in 45ms (View: 1, DB: 43) | 403 Forbidden [http://osxsrv..../magic/do_magic]
    Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: Processing MagicController#do_magic (for 91.... at 2013-01-15 14:44:07) [POST]
    Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: auth_token doesn't exist
    Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: Filter chain halted as [:verify_auth_token] rendered_or_redirected.
    Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: Completed in 55ms (View: 0, DB: 1) | 403 Forbidden [http://osxsrv..../magic/do_magic]
    Jan 15 14:44:08 osxsrv ProfileManager[1749] <Info>: Processing AuthenticationController#callback (for 91.... at 2013-01-15 14:44:08) [GET]
    Jan 15 14:44:08 osxsrv ProfileManager[1749] <Info>: Redirected to https://osxsrv..../profilemanager/
    Jan 15 14:44:08 osxsrv ProfileManager[1749] <Info>: Completed in 149ms (DB: 5) | 302 Found [http://osxsrv..../authentication/callback?auth_token=[FILTERED]]
    I guess the '302 Found' is causing or explaining the problem.
    I agree this might not be a Mac issue, so I still knock your doors hoping some of you could at least give a hint for what to search for !
    If the pound configuration file is of interest, just ask, but this is pretty trivial, saying basically listen these protocols (http/https) on these ports (80/443) and according to Header content (check destination host) and reroute packet to LAN device (with given LAN IP address).
    As the default port(s) of the Mac Mini Web Services may not be altered (so far I know), I guess I am stuck using 80 and 443 anyway.
    Maybe should I invest time in changing my other apache server ports to some more exotic 8080 or 88 or whatever so Mac Mini Server Profile Manager default ports 80 and 443 are maintained and can be easily and directly rerouted to my Mac server without any reverse proxy along the way.
    Thanks in advance for your help
    Alx

    Hi All,
    I'm also using the reverse proxy technique to publish my server to the internet. The IP is used by two domains. The problem with using the Profile Manager is that
    after login it redirects the URL to the local area network address instead of the domain.
    How to configure this on OS X Server and the Profile Manager Service?
    Kind Regards
    Oemer

  • ITS through Reverse Proxy : Only POST method  doesn't work

    Hi all,
    We are using an Apache Reverse Proxy in front of our Portal and ITS Server
    and using https.
    Reverse Proxy : 443 > ITS:8443
    We have rewrite rules for /sap and /scripts (ITS) /irj (portal) in the
    Reverse Proxy .
    We have set the following variables through the wgate-config URL of the
    ITS server (SetHeader) :
    HTTPS on
    HTTP_HOST proxy_server:443
    All ITS iViews that use the GET method display correctly.
    However, all ITS iViews that use POST create an Apache Proxy Error.
    We believe this is due to HTTP_CONTENT_LENGTH not being set in the ITS.
    Do we set this value the same way?
    Are there any other ITS settings that would cause this error for POSTS in
    a Reverse Proxy ?
    Regards
    Daniel

    There is a way around this (thanks to Apple for responding to my bug submission) but it's slow. Test to see if the glyphCode created is greater than zero or not:
    import java.awt.font.FontRenderContext;
    import java.awt.font.GlyphVector;

    // glyphFont is the java.awt.Font being tested; intvalueofchar is the character code to check.
    final FontRenderContext fontRenderContext = new FontRenderContext(null, false, false);
    char[] array = new char[1];
    array[0] = (char) intvalueofchar;
    GlyphVector glyphVector = glyphFont.createGlyphVector(fontRenderContext, array);
    // The character is treated as displayable only when its glyph code is greater than zero.
    int glyphCode = glyphVector.getGlyphCode(0);
    boolean validchar = (glyphCode > 0);
    I only need to do this on the Mac; on Windows it does the right thing without this. If anyone has any suggestions for speeding it up (I already have it running in a thread), that'd be great - but thought I'd post it here for anyone else who might run into the same problem some day.

  • 11g Fusion Middleware through reverse proxy..?

    Hi All,
    We are using 11g Discoverer in our environment, and our client has a reverse proxy server. Now my question is:
    How do we configure 11g Discoverer to use the existing reverse proxy server?
    Please help with any documents, links or suggestions!
    Thanks
    RB

    Reports 11.1.1.3 doesn't work correctly behind reverse proxy:
    Oracle Reports 11g gives the machine hostname instead of the proxy hostname in rwservlet/showjobs.
    Oracle Fusion Middleware 11g 11.1.1.3 Forms & Reports on Solaris 10 64 bit.
    http://machinename:9002/reports/rwservket/getjobs
    returns Job Name URLs such as
    http://machinename:9002/reports/rwservket/getjobid5?server=rep_wls_reports_machinename_asinst_1
    more asinst_1/config/OHS/ohs1/moduleconf/reports_ohs.conf
    #mod_weblogic related entry
    #<IfModule mod_weblogic.c>
    <Location /reports>
    SetHandler weblogic-handler
    WebLogicHost machinename
    WebLogicPort 9002
    </Location>
    #</IfModule>
    http://machinename/reports/rwservket/getjobs
    returns Job Name URLs such as
    http://machinename/reports/rwservket/getjobid5?server=rep_wls_reports_machinename_asinst_1
    Now I place machinename behind a proxy server proxyname.
    http://proxyname/reports/rwservket/getjobs
    returns Job Name URLs such as
    http://machinename/reports/rwservket/getjobid5?server=rep_wls_reports_machinename_asinst_1
    instead of the correct URL
    http://proxyname/reports/rwservket/getjobid5?server=rep_wls_reports_machinename_asinst_1
    The above is only one problem, there are many others that I have found.
    Ken

  • Controls_ie5.js file not completely downloadable through reverse proxy

    Hi,
    We have EP6.0 SP11 implemented in our production and we have setup Apache as reverse proxy server.
    With RP, url for portal is http://salesportal.company.com/irj
    Internal URL would be http://mirag.company.com:50000/irj
    We have set rewriting rule in Apache and proxy filter in portal web.xml.
    The system was working perfectly with SP09 with Reverse Proxy. Last week I upgraded the system to SP11, and after that I seem to get a lot of error messages referring to the JavaScript file controls_ie5.js.
    The problem is, when I log in to the portal with the RP URL, I get a JavaScript error at the lower left corner of IE. But if I log in with the internal URL, I do not get any JS error and the server works seamlessly. We found out that we are not able to download the controls_ie5.js file using the RP URL. Only a partial file is downloaded to the IE Temp. Internet Files folder.
    Any help is appreciated. Thanks.
    best regards,
    Vishnu

    Don't use the reverse proxy filter - it is deprecated for NW04 in favor of the http provider service (of the dispatcher) parameter "ProxyMappings". See help.sap.com for more details on ProxyMappings.
    Do an http trace of the request for the .js, also check your compression, keep-alive, and chunking settings in your VisAdmin to see if something got out of whack on the upgrade.
    Nick

  • Dynamic filename in receiver AS2 adapter in B2B Add-on

    Hello Experts,
    Can you please let me know how we can put dynamic filename in the receiver AS2 adapter for B2B Addon on SAP 7.4.
    Thanks
    Saurabh

    Hi Ryan / Experts,
    Let me explain in more detail.
    In the receiver AS2 Communication channel, if I keep the Filename field blank as shown below, then in the Mendelson inbox folder, a file is generated with the name "ASJAVA_DX5", which is my business component name.
    If I fill the Filename field, for example with "CONTRL", then in the Mendelson inbox folder, a file is generated with the name "CONTRL".
    This is my requirement because, suppose I trigger this interface the "first time", a file with a static name (ASJAVA_DX5/CONTRL) would be generated in the inbox folder. If I trigger this interface a "second time", since the file already exists with the same name, it is not overwritten and I cannot check the output of the 2nd trigger. Contents are not overwritten.
    To solve this problem + as a general requirement, I wish to have this name be dynamic, at least with date+timestamp.
    Can you please help.

  • "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.]" for brand new, vanilla Mac App

    In OS X Maverick's XCode, I created a brand new Mac > "Cocoa Application", with Core Data and Spotlight Importer; about as vanilla a Cocoa application as I could muster.
    Under Preferences > Accounts, I signed in to my Mac Developer Account.
    In Targets > Identity, I set Signing to "Mac App Store", and was able to select my Mac Developer Account for "Team".
    I then went to Product > Clean, and then Product > Build for... > Running, and then Product > Archive.
    In the Organizer, I select the resulting .app and click "Validate", and hit the Mac App Store radio, and hit "Next", and it's able to log into my Mac Developer Account.
    I select my Provisioning Profile in the dropdown, and click "Validate".
    It comes back with several errors:
    1 - "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.] For more information, visit the Mac OS Developer Portal."
    2 - "The bundle identifier cannot be changed from the current value, '{DIFFERENT-BUNDLE-FROM-OTHER-PROJECT}'.  If you want to change your bundle identifier, you will need to create a new application in iTunes Connect.
    3 - Invalid Code Signing Entitlements.  The entitlements in your app bundle signature do not match the ones that are contained in the provision profile.  The bundle contains a key that is not included in the provisioning profile: 'com.apple.applications-identifier' in '{BUNDLENAME}.app/Contents/MacOS/{BUNDLENAME}'
    I was able to do the same process before, for a vanilla app, before Mavericks.  I'm not sure if this is a Mavericks error, or a fact that now I have multiple app projects.  Particularly odd is that DIFFERENT-BUNDLE-FROM-OTHER-PROJECT in error (2) is not the same bundle name as the current project's bundle.
    Would love any help you can provide!  Thank you!

    Seen this thread?
    New codesign behavior, --deep option 
    "Code signing has some interesting changes in Mavericks (that apparently haven't made it into the release notes yet...). Note that this is a change to the operating system, not to the devtools."

  • Missing Code Signing Certificate in Profile Manager

    Hi everyone,
    Firstly, I'm not a professional and managing a server isn't in my skill set.  I have an old Mac mini running the Mavericks server to dabble with.
    Recently, the code-signing certificate (I assume self-signed) disappeared from Profile Manager for the option to "Sign configuration profiles" – no idea why, and I'm struggling to get it back, it just doesn't appear in the drop down.
    Under "Certificates" in Server.app, and within Keychain Access; it's still in the system and can be seen, where there are two of them.
    I've tried renewing both of these through Server.app to see if that would be a quick fix, but nothing.
    Could someone advise me on how to create a new verified code signing certificate for use with profile manager?
    Kind regards,
    Jamie

    Tried again.  Destroyed OD and recreated – code signing appears.  Reboot machine, code signing disappears.
    I tried exporting out the Code Signing Cert before rebooting the machine and reimporting after it disappears only to get "This profile cannot be used to sign profiles".
    Any idea what could be breaking the code-signing on reboot? Really bizarre.

  • The name ("common name") of a valid code-signing certificate in a keychain within your keychain path.   A missing or invalid certificate will cause a build error.  [CODE_SIGN_IDENTITY]

    The name ("common name") of a valid code-signing certificate in a keychain within your keychain path.   A missing or invalid certificate will cause a build error.  [CODE_SIGN_IDENTITY]

    If you could ask a coherent question, maybe...
    Perhaps you should be posting in the developers forums...

  • Error is Receiver AS2 adaptor used for Idoc to AS2 scenario

    Hello Experts,
       I am doing Idoc to AS2 B2B scenario where I am getting below error message in runtime workbench comm channel monitoring.
    Message processing failed. Cause: javax.resource.ResourceException: Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: AS2 Adapter failure # Outbound configuration error: Sender configuration incomplete - perhaps AS2ID missing.., SEEBURGER AS2: AS2 Adapter failure # Outbound configuration error: Sender configuration incomplete - perhaps AS2ID missing..
    Sending failed.
    Error type: COMPONENT_ERROR,NOT_TRANSMITTED >> Error date: 10/16/09 9:06 AM >> Description: AS2 Adapter failure Outbound configuration error: Sender configuration incomplete - perhaps AS2ID missing.. com.seeburger.as2.AS2Plugin.execute(AS2Plugin.java:321)
    AS2 Adapter failure
    Processing task
    Sending called. 
    Message processing started
    Basis has already configured the AS2 Server with Certificates and provided me the below details for receiver agreement and those are put in Receiver agreement.
    AS2 sender Configuration:
    Authentication certificate -> TRUSTEDAS2certAS2_datapool
    AS2 Receiver Configuration:
    Decryption Key -> TRUSTEDAS2certXXXenterprise2008
    Signing Key -> TRUSTEDAS2certXXXenterprise2008
    XXX is my receiver partner
    For the Receiver party XXX I have maintained the Identifier as given below
    Agency                 Scheme    Name
    http://sap.com/xi/XI   XIParty   XXX
    Seeburger              AS2ID     XXX_AS2ID
    There is no need for a sender agreement for the sender IDoc, but I still tried to create R3 as sender party and R3 Business system, used it for the scenario and created a sender agreement for the sender IDoc, but received the same error message in Runtime workbench.
    R2 system sender party is also set with identifier with AS2 ID.
    MDN mode is set to no MDN in the receiver AS2 communication channel.
    Please suggest me if something is missing or wrong in the configuration.
    Thanks in advance.
    Vinit

    Hi Larry,
       The solution was very simple.
    It was problem with the basic understanding of system and configuration.
    The IDoc is sent by the R3 ERP system and the target is the Partner Party. As the ERP system is a Business system and not a party w.r.t. XI/PI terminology, we are not supposed to use the Sender party as the sender ERP system but just use the Business system as sender without any sender party. In this way the PI system could recognize that the data is coming from the R3 system, which is nothing but a PI Business system.
    Now the question comes: where to use the Sender Party which was defined with the AS2 ID? The answer is that in the receiver determination we have to mention the Sender party and sender service in the header mapping part (also mention the receiver party and service).
    So in my case the problem was with the sender party. I mentioned the sender party in all of receiver determination, Interface determination, Sender Agreement and receiver agreement, where only the sender service, i.e. the sender system, was required. And as I configured my scenario without a sender party, it worked because PI could recognize the sender R3 system and the AS2 ID was recognized from the Header mapping of the Receiver Agreement.
    Kindly let me know if it works and if you require snap shots of my configuration then I can send you the same.
    Regards,
    Vinit

  • Signer Certificate is Different in the message

    Hi All,
    I am getting the following exception when I receive documents from my TP. I verified that I have the user and trusted certificate in the wallet and that the wallet location is configured in the tip.props. I could also see in the logs that the certificates are being read by B2B. I used these same certificates in the B2B config and verified the serial numbers of the certificates uploaded in B2B and the wallet.
    Has anyone else come across the same problem?
    0.10 at 10:33:44:723: RMI TCP Connection(3)-192.168.1.54: B2B - (DEBUG) adding BEGIN/END CERTIFICATE comment
    2008.10.10 at 10:33:44:723: RMI TCP Connection(3)-192.168.1.54: B2B - (DEBUG) adding BEGIN/END CERTIFICATE comment
    2008.10.10 at 10:33:44:766: RMI TCP Connection(3)-192.168.1.54: B2B - (WARNING) java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:176)
         at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:101)
         at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
         at oracle.tip.adapter.b2b.tpa.MessageValidator.compareX509Cert(MessageValidator.java:519)
         at oracle.tip.adapter.b2b.tpa.MessageValidator.validateSignatureInfo(MessageValidator.java:478)
         at oracle.tip.adapter.b2b.tpa.MessageValidator.validateMessage(MessageValidator.java:147)
         at oracle.tip.adapter.b2b.tpa.TPAProcessor.processTPA(TPAProcessor.java:635)
         at oracle.tip.adapter.b2b.tpa.TPAProcessor.processIncomingTPA(TPAProcessor.java:229)
         at oracle.tip.adapter.b2b.engine.Engine.processIncomingMessage(Engine.java:1715)
         at oracle.tip.adapter.b2b.transport.InterfaceListener.onMessage(InterfaceListener.java:191)
         at oracle.tip.transport.basic.HTTPReceiver.sendRequest(HTTPReceiver.java:431)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
         at sun.rmi.transport.Transport$1.run(Transport.java:148)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
         at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
         at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
         at java.lang.Thread.run(Thread.java:534)
    Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
         at sun.security.util.DerInputStream.getLength(DerInputStream.java:530)
         at sun.security.util.DerValue.init(DerValue.java:346)
         at sun.security.util.DerValue.<init>(DerValue.java:276)
         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:173)
         ... 21 more
    2008.10.10 at 10:33:44:766: RMI TCP Connection(3)-192.168.1.54: B2B - (WARNING) Not validating the certificate! Please make sure to validate the certificate manually
    2008.10.10 at 10:33:44:767: RMI TCP Connection(3)-192.168.1.54: B2B - (ERROR) Error -: AIP-50530: Signer certificate in the message is different from certificate in agreement
         at oracle.tip.adapter.b2b.tpa.MessageValidator.validateSignatureInfo(MessageValidator.java:483)
         at oracle.tip.adapter.b2b.tpa.MessageValidator.validateMessage(MessageValidator.java:147)
         at oracle.tip.adapter.b2b.tpa.TPAProcessor.processTPA(TPAProcessor.java:635)
         at oracle.tip.adapter.b2b.tpa.TPAProcessor.processIncomingTPA(TPAProcessor.java:229)
         at oracle.tip.adapter.b2b.engine.Engine.processIncomingMessage(Engine.java:1715)
         at oracle.tip.adapter.b2b.transport.InterfaceListener.onMessage(InterfaceListener.java:191)
         at oracle.tip.transport.basic.HTTPReceiver.sendRequest(HTTPReceiver.java:431)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
         at sun.rmi.transport.Transport$1.run(Transport.java:148)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
         at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
         at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
         at java.lang.Thread.run(Thread.java:534)
    2008.10.10 at 10:33:44:767: RMI TCP Connection(3)-192.168.1.54: B2B - (ERROR) Error -: AIP-50530: Signer certificate in the message is different from certificate in agreement
         at oracle.tip.adapter.b2b.tpa.MessageValidator.validateSignatureInfo(MessageValidator.java:483)
         at oracle.tip.adapter.b2b.tpa.MessageValidator.validateMessage(MessageValidator.java:147)
         at oracle.tip.adapter.b2b.tpa.TPAProcessor.processTPA(TPAProcessor.java:635)
         at oracle.tip.adapter.b2b.tpa.TPAProcessor.processIncomingTPA(TPAProcessor.java:229)
         at oracle.tip.adapter.b2b.engine.Engine.processIncomingMessage(Engine.java:1715)
         at oracle.tip.adapter.b2b.transport.InterfaceListener.onMessage(InterfaceListener.java:191)
         at oracle.tip.transport.basic.HTTPReceiver.sendRequest(HTTPReceiver.java:431)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
         at sun.rmi.transport.Transport$1.run(Transport.java:148)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
         at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
         at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
         at java.lang.Thread.run(Thread.java:534)

    Thanks Ramesh,
    I replicated the entire setup in Dev Box and took a risk. Asked the TP to send Prod data to Dev and it worked. It looks like something to do with the setup in production which is faulty.
    Right now I am able to get all the documents from the TP into Dev box.
    Thanks a lot for all your help!!
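
The `DerInputStream.getLength(): lengthTag=127, too big` warning in the thread above is raised while the outer DER header of the certificate bytes is being read, before any comparison against the agreement certificate takes place. The following is an added example, not code from the thread or from Oracle B2B: a Python preflight check that classifies certificate bytes and reports the offending length octet. It assumes the logged number is the low seven bits of the first length octet (standard DER long-form length); the function names and sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_header(data):
    """Decode the outer tag and length; return (tag, length, header_len)."""
    if len(data) < 2:
        raise ValueError("truncated: fewer than 2 bytes")
    tag, first = data[0], data[1]
    if first & 0x80 == 0:              # short form: the octet is the length
        return tag, first, 2
    n = first & 0x7F                   # long form: count of length octets
    if n == 0:
        raise ValueError("indefinite length is not allowed in DER")
    if n > 4:                          # assumed to be the limit behind the log line
        raise ValueError("lengthTag=%d, too big" % n)
    if len(data) < 2 + n:
        raise ValueError("truncated length octets")
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def header_error(data):
    """Return the header decoding error as text, or None if the header parses."""
    try:
        der_header(data)
        return None
    except ValueError as exc:
        return str(exc)


def _is_sequence(data):
    """True when data is exactly one outer SEQUENCE (tag 0x30), as a certificate is."""
    try:
        tag, length, hlen = der_header(data)
    except ValueError:
        return False
    return tag == 0x30 and hlen + length == len(data)


def _b64(blob):
    """Strict base64 decode ignoring whitespace; None when blob is not base64."""
    try:
        return base64.b64decode(b"".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(data):
    """Label the encoding of candidate certificate bytes."""
    if data[:2] in (b"\xfe\xff", b"\xff\xfe"):
        return "utf16-text"            # text file saved as UTF-16 with a BOM
    if data[:3] == b"\xef\xbb\xbf":
        data = data[3:]                # drop a UTF-8 BOM before further checks
    if _is_sequence(data):
        return "der"
    match = PEM_RE.search(data)
    if match:
        inner = _b64(match.group(1))
        return "pem" if inner is not None and _is_sequence(inner) else "pem-bad-body"
    inner = _b64(data)
    if inner is not None and _is_sequence(inner):
        return "base64-no-armor"       # base64 body without BEGIN/END lines
    return "not-a-certificate"


# Constructed samples: a SEQUENCE header over filler bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_BARE_B64 = base64.b64encode(SAMPLE_DER)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_UTF16 = b"\xfe\xff" + SAMPLE_PEM.decode("ascii").encode("utf-16-be")

if __name__ == "__main__":
    for name in ("SAMPLE_DER", "SAMPLE_PEM", "SAMPLE_BARE_B64", "SAMPLE_UTF16"):
        blob = globals()[name]
        print(name, classify(blob), header_error(blob))
```

Running the same check on the certificate stored in the agreement and on the one extracted from the wallet shows whether both reach the parser in an encoding it can read.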
