C1OnRamp encryption

Does the C1OnRamp 1.0 use public key encryption? I realize it can use userid/pwd or certificates for authentication, but I’m not clear about the encryption portion. Can anyone help?

Thanks,
Ben

Not to be having a conversation with myself, but it doesn’t seem that I ever tell sendEnvelope what certs to use (since I don’t use setKeyandChain or clearKeyandChain, etc. in the code), thus I would assume the C1 OnRamp would use the default outbound certs of the server, which are set on the outbound Certificates settings (true or false?). What if those have no value, is it not encrypting then (and only encoding)?

If setKeyAndChain is not called then the default certificate/key settings are used–those specified in the outbound certificates.

For the second question…clients are not required to have certificates for the HTTPS connection to be encrypted. Only the server is required. Whether a connection is encrypted or not depends on what cipher is selected by the client.

Thanks Ed, I sort of had a brain cramp there (you don’t need a cert when buying something from Amazon, their server handles the encryption and gives the client some sort of temporary hash encryption key to use). To follow up, when my B2B server is acting like an SSL server (using receiveEnvelope), would I present my certificates from the listeners.cnf to create the encryption key that the client would use (this really may depend on the relationship and the setups on each end, but I’m just looking for some generalization)? One other question, is there a prop setting for the cipher on the client or is this randomly generated? Thanks again.

Ben,
When you receive a document using HTTPS to receiveEnvelope, it uses the certificates used during the port creation; I guess it stores them in listeners.cnf.

Hi guys -

> For the second question…clients are not required to have
> certificates for the HTTPS connection to be encrypted.

[Disclaimer: I’m no encryption expert, could be wrong]
Say you’re the client (delivering PO Acks to a C1 marketsite). You do need to install the remote C1 Marketsite’s CA root certificate (certificate authority root) and any intermediate certificates in your trusted certs directory on the IS server. I think pub.client:http throws an exception if this isn’t done.

About the browser/Amazon.com example: true, you don’t need a certificate to connect to Amazon. But Amazon’s CA is Verisign, and the Verisign root CA is installed in your browser. (Try https://amazon.com for an example).

> false?). What if those have no value, is it not encrypting
> then (and only encoding)?

Hmm… I’m not sure what you meant by encoding, but you don’t need your own certificate to set up an encrypted HTTPS connection as a client - you just need to trust the remote server’s CA.

Hey, btw, if you do have your own server certs installed, there are issues with some C1 Marketsites where they reject your posting if you try to post using certificates. This is a bug within C1’s software (Marketsite 4.0.1 inclusive, IIRC). WM support have released a workaround which tricks setKeyAndChain with dummy certs, so that you do not use your certs while sending documents outbound to marketsites which can’t handle them. (If you’re using TN, you have to set up two delivery services - one with certs, one without). I don’t think you need to worry about this though Ben.

Regarding Sonam’s comment…you only need client certificates if the server requires them. In general (typical browser-based navigating) you don’t need a certificate to access a secure site.

Back to Ben’s questions…
In general–for RSA based public key algorithms–the client determines the master secret key for symmetric encryption. Once the client generates the private key, it is encrypted using the server’s public key from the server’s certificate–which theoretically only the private key can decrypt.

The cipher suite chosen depends on the client software. The actual cipher suite chosen depends on a combination of (first) what the server supports, and (secondly) what the client supports. The first cipher suite in common is (typically) selected as the cipher suite for the SSL session/connection.

As a client the Integration Server/B2B server will select higher strength encryption cipher suites.

hth
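
The cipher suite selection described in the post above, as an added Python example that is not from any poster or from webMethods. It models the "first suite in common" rule, goes slightly beyond the post by also covering a server that applies its own ordering, and flags the case where the negotiated suite authenticates the session without encrypting it; the suite lists are constructed sample data and the function names are hypothetical.

```python
# Added illustration: suite names are standard SSL 3.0 / TLS 1.0 identifiers;
# the offer lists and function names are constructed for this example.
NULL_ENCRYPTION = {"TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA"}
EXPORT_GRADE = {"TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}


class HandshakeFailure(Exception):
    """Raised when the peers share no cipher suite."""


def negotiate(client_offer, server_supported, honor_server_order=False):
    """Pick the session's cipher suite.

    client_offer is ordered by client preference (as in ClientHello).
    Default: first client-preferred suite the server also supports.
    honor_server_order=True: the server's own ordering decides instead.
    """
    if honor_server_order:
        ordered, allowed = server_supported, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_supported)
    for suite in ordered:
        if suite in allowed:
            return suite
    raise HandshakeFailure("no cipher suite in common")


def audit(client_offer, server_supported, honor_server_order=False):
    """Return (suite, verdict) so a weak negotiation result is visible."""
    suite = negotiate(client_offer, server_supported, honor_server_order)
    if suite in NULL_ENCRYPTION:
        return suite, "integrity-only"  # MAC applied, payload in the clear
    if suite in EXPORT_GRADE:
        return suite, "export-grade"    # 40-bit key, far below 128-bit suites
    return suite, "encrypted"


# Constructed sample configurations.
SERVER = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
          "TLS_RSA_WITH_NULL_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]
STRONG_CLIENT = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]
LAX_CLIENT = ["TLS_RSA_WITH_NULL_SHA", "TLS_RSA_WITH_RC4_128_SHA"]

if __name__ == "__main__":
    for name, offer in (("strong", STRONG_CLIENT), ("lax", LAX_CLIENT)):
        for server_order in (False, True):
            print(name, "server-order" if server_order else "client-order",
                  audit(offer, SERVER, server_order))
```

Removing NULL and export suites from both peers' lists makes every successful negotiation an encrypted one, regardless of whose ordering wins.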

Thanks all, that is really good info.

I have the Certificate file and the certificate authority file from C1 installed in my webmethods TN console. I am trying to test the connection from the C1 On Ramp adapter in the webMethods administrator. I am getting an authorization failed error from C1.

  1. Could this be because I already have an SSL port configured with our own private key and this is being used when I try to connect with C1 instead of the key they provided?

Any ideas?
Thanks in advance

Regarding Ed’s comments: He’s absolutely right – sorry if I wasn’t clear. The client needs a certificate only if the remote server requires it. For example with a WM server, this occurs when the port setting is “require client certificates” instead of “request client certificates”.

Regarding Vince’s question.
> I am getting an authorization failed error from C1.

> 1. Could this be because I already have an SSL port
> configured with our own private key

Yes, your server’s default key will be used. Just make sure you aren’t confusing the C1 marketsite’s public key with your server’s key. The C1 Marketsite’s cert is the one installed by you so that inbound connections from the C1 marketsite can authenticate to your server.

I guess you’re using the WmMarketConnectTN package’s delivery service. Here are two main reasons you get an access denied.

  1. See my note earlier on the bug with some C1 marketsites. You can determine if this is the case by disabling certs from your server and trying delivery. If that works, you may want to contact WM support for their workaround (i.e. HTTPS post to C1 marketsites while having a cert installed on your server).

  2. If, for some reason, the TPIDs in the C1 envelope are wrong (X-Sender-ID and X-Receiver-ID are wrong), you’ll get authorization denied from the remote marketsite.

Hi,
I am trying to install the WmMarketConnectHTTPS package and I am getting this error.
Any ideas?
Thanks

java.lang.RuntimeException: Error in WmMarketConnectHTTPS startup. java.lang.NoClassDefFoundError:wm/server/net/IaikHTTPSListenerFactory
at wm.marketconnect.httpsListener.startup(httpsListener.java:59)
at java.lang.reflect.Method.invoke(Native Method)
at com.wm.app.b2b.server.JavaService.baseInvoke(JavaService.java(Compiled Code))
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java(Compiled Code))
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java(Compiled Code))
at com.wm.app.b2b.server.HTTPInvokeHandler.process(HTTPInvokeHandler.java:168)
at com.wm.app.b2b.server.HTTPDispatch.run(HTTPDispatch.java(Compiled Code))
at com.wm.util.pool.PooledThread.run(PooledThread.java:103)
at java.lang.Thread.run(Thread.java:498)

What version of the Integration Server/B2B are you running and what fixes, if any, do you have applied?

The error you are getting points to a package dependency issue that would surface with a 4.6 fix. Updating the package dependency list for WmMarketConnectHTTPS to include WmRoot should address this.

I am running IS 4.6 and have the latest service pack installed.

Product webMethods Integration Server
Version 4.6 Release Notes
Updates IS_4-6_SP2, TNS_4-6_SP1

How do I update the package dependency list?
Thanks in advance!

I searched the webmethods forum and saw that sonam chauhan had the same problem during Aug 2002. The solution is not given there.
Sonam, this is an SOS call. If you have a solution, please respond.
Thanks

Thanks Ed. That worked.
Sometimes, I wish I could cry out loud here!

THANK YOU GUYS!!!

You can update the package dependencies by launching the Developer. Select the package and update the panel on the right.

> Sonam, this is an SOS call. If you have a solution, please respond.

Hi Mark - I guess your problem got solved! But can you point me to the open discussion from Aug 2002? I remember a NoClassDefFound issue with the C1 Onramp, which I brute-forced by adding all C1OR classes to the classpath.

BTW, we use these 4.6 patches: TN SP1, IS SP2 and IS FIX 19.

The NoClassDefFound issue is introduced only when you apply a specific fix/service pack against the 4.x Integration Server. If you do not have any fixes or SPs applied, you will not run across the class loading issues identified in this thread.

Take a look at the readme for SP2 and search for ‘classload’. It explains at a high level the changes to class loading for packages.

cheers!

Mark - what was the Aug 2002 thread you were referring to? Maybe the stuff below can help…

Hm, thanks Ed. The only issue we had with our current set of patches (TN SP1, IS SP2 and IS FIX 19) is that IS SP 2 broke the WmMarketConnectTN package due to a circular dependency. Earlier, I’ve mentioned the workaround for it (somewhere on wmusers.com) … but WM officially released a fix for this on the 20th. I’ve included excerpts from the readme file below:


webMethods OnRamp for Commerce One MarketSite, 3.0 Fix 18

       February 2003 


4.0 Fix Contents

This fix is provided to assure compatibility
with IS46SP2. The WmMarketConnectTN package depends
on the WmTN package. With IS46SP2, the integration
server only checks packages which a package depends
on in order to find java classes. As such, the WmTN
package needs to depend on the WmMarketConnectTN package.
This will cause a circular dependency preventing the
integration server from starting. Instead,
this fix creates a /code/libs directory in the
WmMarketConnectTN package such that its classes are
available as native VM classes. Further, a readme.txt
file has been put in the directory such that package
replication picks up such directory during package
publication.

Hi,
Now when I am trying to submit a document to TN from my developer by

  1. createEnvelopefromString
  2. receiveEnvelope

I am receiving this error.
Any ideas?
And Sonam, here is the thread that I was referring to.
http://advantage.webmethods.com/cgi-bin/advantage/main.jsp?w=0&targChanId=-536881002&action=viewMessage&gid=536880006&mid=1610615109
Thanks

com.wm.app.b2b.server.ServiceException:
wm.tn.doc:recognize
  com.wm.app.tn.doc.BizDocTypeException
  Cannot determine if doctype class is XML (com.wm.pkg.marketconnect.tn.MarketConnectBizDocType)
(0) java.lang.ClassNotFoundException: com.wm.pkg.marketconnect.tn.MarketConnectBizDocType
(1) java.lang.ClassNotFoundException: com.wm.pkg.marketconnect.tn.MarketConnectBizDocType
  java.lang.ClassNotFoundException: com.wm.pkg.marketconnect.tn.MarketConnectBizDocType
java.lang.ClassNotFoundException: com.wm.pkg.marketconnect.tn.MarketConnectBizDocType
java.lang.ClassNotFoundException: com.wm.pkg.marketconnect.tn.MarketConnectBizDocType
at java.net.URLClassLoader.findClass(URLClassLoader.java(Compiled Code))
at java.lang.ClassLoader.loadClass(ClassLoader.java(Compiled Code))
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java(Compiled Code))
at java.lang.ClassLoader.loadClass(ClassLoader.java(Compiled Code))
at java.lang.Class.forName1(Native Method)
at java.lang.Class.forName(Class.java(Compiled Code))
at com.wm.app.tn.doc.BizDocTypeReg.recognize(BizDocTypeReg.java:318)
at com.wm.app.tn.doc.BizDocTypeReg.recognizeAndCreate(BizDocTypeReg.java:442)
at wm.tn.doc.recognize(doc.java:645)
at java.lang.reflect.Method.invoke(Native Method)
at com.wm.app.b2b.server.JavaService.baseInvoke(JavaService.java(Compiled Code))
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java(Compiled Code))
at com.wm.app.b2b.server.BaseService.invoke(BaseService.java(Compiled Code))
at com.wm.lang.flow.FlowInvoke.invoke(FlowInvoke.java(Compiled Code))
at com.wm.lang.flow.FlowState.invokeNode(FlowState.java(Compiled Code))
at com.wm.lang.flow.FlowState.invoke(FlowState.java(Compiled Code))
at com.wm.lang.flow.FlowState.invoke(FlowState.java(Compiled Code))
at com.wm.app.b2b.server.FlowSvcImpl.baseInvoke(FlowSvcImpl.java(Compiled Code))
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java(Compiled Code))
at com.wm.app.b2b.server.BaseService.invoke(BaseService.java(Compiled Code))
at com.wm.lang.flow.FlowInvoke.invoke(FlowInvoke.java(Compiled Code))
at com.wm.lang.flow.FlowState.invokeNode(FlowState.java(Compiled Code))
at com.wm.lang.flow.FlowState.invoke(FlowState.java(Compiled Code))
at com.wm.lang.flow.FlowState.invoke(FlowState.java(Compiled Code))
at com.wm.app.b2b.server.FlowSvcImpl.baseInvoke(FlowSvcImpl.java(Compiled Code))
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java(Compiled Code))
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java(Compiled Code))
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java(Compiled Code))
at com.wm.app.b2b.server.Service.doInvoke(Service.java(Compiled Code))
at com.wm.app.b2b.server.Service.doInvoke(Service.java:458)
at pub.marketconnect.transport.