AS2 signing and encryption

I have a problem with sending signed AS2 messages to a partner. Their software only accepts signed messages which include the public key with which the signature can be verified. I cannot find anything about this in the EDIINT documentation, but I assume from the problem of this partner that the public key is not sent with the AS2 message.
Is this assumption right, and is there a way to send the public key with the digitally signed message?
I checked the S/MIME specification, and this specification provides for sending the key with the message.

Thanks
Andre.

They should have the public key by importing the cert you sent them. You need to set the “type” on wm.EDIINT:send to “signed” or “signedandEncrypted” to include the signature on the transfer… hope that helps.

I have sent them the public key, and I have set the type to “signedAndEncrypted”. The issue is that they expect that not only a digital signature, but also the public key is attached to every AS2 message that is sent to them.

If you want your public key to be sent with each transaction you use HTTPS to connect to your trading partner and ask your trading partner to set up their HTTPS listener to request/require client certificates. After this request, your server (acting as the client) will present your public key to your trading partner. This can be used to authenticate you to your trading partner and allow you access to their receiving flow service. A short time later your client will send the EDIINT AS2 message. However this public key is not “attached” to the AS2 message.
When you sign a message you create the signature using your private key. Your trading partner verifies the signature using your public key (that you previously provided to them).
When you encrypt a message you do this using your trading partner's public key (that they previously provided to you). Your trading partner decrypts the message using their private key.
Does this help?

Kevin,

I think what Andre is referring to is the inclusion of certificates in the actual signature. EDIINT AS2 leverages PGP and S/MIME for securing documents (signatures and encryption). S/MIME utilizes PKCS#7/CMS for the actual content of the secured data.

When signing data with PKCS#7 the signer can optionally include the signing certificate with the data.

Andre, how is the signature being created? Are you creating it yourself or are you using Trading Networks to retrieve the certificates/keys from the partner profile?

Eduardo,

Yes, that is what I was referring to. The signature is retrieved from the partner profile. I just set the type to “signedAndEncrypted” and let TN do the actual signing using the keys from the partner profile.

Thanks,
Andre

Andre,

I believe the default behavior for Trading Networks is to include the certificates if they’re included in your partner profile definition; although it has been some time since I worked directly with the product.

Have you tried getting a dump of the message to see if the certificates are included?

Hi Eduardo,

Can you tell me how to get a dump of the message? When I look at the message in the TN console, it only contains the signature itself, as far as I understand.

You’ll need to get your hands on a security toolkit to dump the details. OpenSSL or Cryptix will enable you to do an ASN.1 dump of the object for close inspection.

Is there any sensitive data in the signature object? If not can you post the signature?
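To make Eduardo's two points concrete (PKCS#7/CMS SignedData may carry an optional `certificates [0]` set, and an ASN.1 walk of the object is how you find out), here is an added example that is not from this thread or from webMethods: a minimal DER walker that extracts whatever certificates are embedded in a SignedData blob. The two sample objects are constructed in the script with a tiny DER encoder (dummy SHA-1 digest OID, empty signerInfos, a zero-filled stand-in for a certificate) purely to exercise the parser; they are not real signatures, and `embedded_certs(open("sig.p7s", "rb").read())` is how you would point it at a real one.

```python
ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2 (id-signedData)

def tlv(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def walk(buf):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:                       # long-form length: next k bytes hold the length
            k = ln & 0x7F
            ln = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + ln]
        i += ln

def embedded_certs(der):
    """Return the DER certificates in SignedData.certificates [0], or [] if the set is absent."""
    ci_tag, ci = next(walk(der))
    fields = list(walk(ci))
    if ci_tag != 0x30 or fields[0] != (0x06, ID_SIGNED_DATA):
        raise ValueError("not a ContentInfo with contentType id-signedData")
    sd_tag, sd = next(walk(fields[1][1]))   # content [0] EXPLICIT wraps the SignedData SEQUENCE
    if sd_tag != 0x30:
        raise ValueError("SignedData must be a SEQUENCE")
    # certificates is [0] IMPLICIT SET: context-specific, constructed, number 0 -> tag 0xA0
    return [tlv(t, c) for tag, cset in walk(sd) if tag == 0xA0 for t, c in walk(cset)]

def build_signed_data(cert=None):
    """Constructed ContentInfo{SignedData} with or without an embedded cert (placeholder, not a real signature)."""
    parts = [tlv(0x02, b"\x01"),                                            # version 1
             tlv(0x31, tlv(0x30, tlv(0x06, b"\x2b\x0e\x03\x02\x1a"))),      # digestAlgorithms {sha1}
             tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))]     # encapContentInfo id-data
    if cert is not None:
        parts.append(tlv(0xA0, cert))                                       # certificates [0] IMPLICIT
    parts.append(tlv(0x31, b""))                                            # signerInfos (empty here)
    signed_data = tlv(0x30, b"".join(parts))
    return tlv(0x30, tlv(0x06, ID_SIGNED_DATA) + tlv(0xA0, signed_data))

# Constructed stand-in for a certificate: 200 zero bytes, long enough to exercise long-form lengths
FAKE_CERT = tlv(0x30, b"\x00" * 200)
WITH_CERT = build_signed_data(FAKE_CERT)
WITHOUT_CERT = build_signed_data()
```

An embedded certificate only tells you which key produced the signature; whether that key is trusted is still decided against the certificate held in the partner profile, which is the point Eduardo makes later in the thread.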

As far as I can see, TN doesn’t store the signed message. Only the AS2 header and the EDI data are stored; TN signs and encrypts the EDI data and sends it to the partner. So how can I get my hands on the signed message? I think this is getting too complex for me.

But one other thing: in case the digital signature is verified with a public key attached to the same message that is digitally signed, is this still a secure verification? There is no guarantee whatsoever that the signature/public key combination is coming from the source you expect it to come from. It is like saying “I am Andre, and yes, it’s really me”.
Isn’t it more secure if the public key is exchanged beforehand in a separate session?

The integrity/security of the message itself does not change whether you exchange certificates beforehand or not.

Exchanging the certificates ahead of time allows you to build additional assurances about the origination of the message, assuming the exchange of the certificates was done in a secure manner. Don’t get me wrong, it does make administrative and processing steps easier.

As for how to get a dump, I’d have to check into TN to see if there are additional diagnostic capabilities for capturing this. I don’t know off the top of my head.

One Quick Question:
I am getting a stream of EDI data that is encrypted and signed, with Content-Transfer-Encoding: binary. Is it required to change the binary encoded format… The decryption service fails to decrypt this message. I am getting a “No Content data” error while decrypting it… Please give some suggestions on how to handle this situation…
I am using webMethods 4.0.2 version (EDIINT - AS2)…
A quick reply would help me proceed into production.

Thanks in Advance…

Any ideas guys?

Verify that both you and your partner are using the same encryption method?
What software is your partner using?

Thanks Chris,
Yesterday we resolved the problem by changing the encryption algorithm. I don’t know the reason, but webMethods was not able to decrypt the TripleDES format. We changed to RC2 with key length 40. Now I am able to decrypt it but not able to send MDNs back. Now I am working on this issue.

Thanks once again.

If your partner is using Cyclone there’s a setting that they have to change. I ran into a similar issue. Unfortunately I don’t remember the setting.
If I do, I will post.

Chris,
Perfect… My partner is using Cyclone… Please send your experience… It might be helpful for me to go right way…

Thank you very much

Another small note -
If the partner’s EDIINT certificate is signed by a chain of CAs, import all the certs in the CA chain into the TN Console’s CA chain Security tab.

DG

I have a problem in retrieving the invalid signature in the AS2 receive service. When signature verification is done, it gives error code “4” and error message “Signature could not be verified”, and the “signerCert” variable is not in the pipeline for invalid signatures. The service works fine for valid signatures and I am able to get the signature in the signerCert object.
I need to retrieve the signature if it is invalid/valid and store in database for future reference.

If anybody knows how to handle this problem, please share it with me. It will be a great help for me.

Thanks,
Prasanna.

I have a quick question - does webMethods provide out-of-the-box support for the AS2 protocol and PGP encryption? It looks like it is supported, but by creating additional logic in flow services… not sure if that is correct. I’m kind of new to EDI - my client wants to exchange messages with partners using the NAESB v 1.4 EDM (used in the Retail Energy industry). If anybody else out there is using this EDM, I’d like to hear about how easy it is to set up wM to exchange messages using this EDM.

Any help will be appreciated - Thanks…

Vijai