EDIINT:Error...security check failed

Hi everyone,

I am doing an AS2 setup with one of my partners. I have installed the public certificate of my partner in TN and IS.

But while receiving an EDIINT message from our partner, the message is processed with ERROR state. The error message shown in the activity log is:

processed/error: insufficient-message-security

Could anyone help me with this issue?

Regards,
Rajesh

Did you share your certificate with your TP also, and confirm they are sending it in their request?

For these kinds of issues you need to work closely with your/TP network teams, and also raise the log level to trace for (0064 Network Services, HTTP) etc…

But most likely the issue is related to cert handshaking or the message digest not matching the format… Please also google the error for more info:

HTH,
RMG

Reading the error: processed/error: insufficient-message-security
This normally happens when the client system is not signing and/or encrypting the message, but the corresponding TN profile of the sender requires signing/encryption (which is the default setting).
If the client is not signing or encrypting, just change the TN profile setting: TN profile > Extended field > EDIINT > SMIME Type

I have seen this error without having SMIME Type defined on the profile, and try with plain… But yes, it could be that the client system is not signing or encrypting the message… and you can test with text/plain without sign/encryption and EDIINT should work with no error (not secured though).

Hi,

Yes, I have shared our certificates with our TP. I have shared our Root, Intermediate, and CA cert with our partner.

Partner is using 3DES/SHA1 for signing and encryption.

I have configured S/MIME and signing and encrypting, and the encryption algorithm as 3DES, at our side in TN… This is the same thing I have followed in previous setups, but this one is giving the error… not sure what happened… Are there any extended settings I need to take care of?

Please advise…

Regards,
Rajesh

This is in an 8.x env, correct? Did you ever try with SMIME Plain and test the difference?

Set the S/MIME type to plain on both sender and receiver profile’s EDIINT extended properties and that should resolve the issue.

Also, is there any TP working fine with a similar setup, or is this the first moved to production?

Also please see these related KBs on Empower:

KB #: 1731606

KB #: 1736859

If you are on EDIModule 65 then
WmEDIINT_6-5-2_Fix12 resolves the issue.

HTH,
RMG

Yes, our environment is 8.2.

I have changed the SMIME to plain, and the error message shown previously is no longer seen, but here is the new error…:

processed/error: decryption-failed

Our TP EDIINT has the subject as:

BizMgr AS2[SMIME Signed And Encrypted/EncryptParams(3DES/168)SigningAlg(SHA1)]

From this I can say our TP is signing and encrypting the message… am I right?

Do I need to change anything more, like Java policies etc…
I think the (JCE) Unlimited Strength Jurisdiction Policy File was expired or it’s only limited… Do I need to change this policy to unlimited? I am not sure how this policy file will be affecting the decryption, so I am asking, but we have some other TPs of the same setup which are working well… :)

Last but not least… do I need to give our private key certificate in the Encrypt/Decrypt tab in the TP profile? I have some setups which are working well without giving the private key certificate in the Encrypt/Decrypt tab in the TP profile.

Regards,
Rajesh

“(JCE) Unlimited Strength Jurisdiction Policy File was expired or it’s only limited…”
You surely need to load the unlimited policy file into your JCE. Search on Java’s web site, download and install it.

BTW, you should never share your private key with your trading partner.

Hi,

Thanks for your reply… I shall install the JCE file and let you know…

I am not sharing our private certificate with our trading partner. I am just asking: do I need to install the private key certificate in the Encrypt/Decrypt tab in the Trading Partner profile in our Trading Network console?

Yes, you need to install your private key under the encrypt/decrypt tab in order to decrypt the message (which is encrypted by your client using your server’s public key).

I am not sharing our private certificate with our trading partner. I am just asking: do I need to install the private key certificate in the Encrypt/Decrypt tab in the Trading Partner profile in our Trading Network console?

→ YES, load it in your sender profile. The private key should be defined in all tabs.

Hi There,

I have faced the same issue. Our partner was using our certificate along with the certificate chain.

I asked them to use only the public certificate. After that the issue was resolved.

  • Suresh

Yes, most likely these issues always lead to certs not being configured properly (chain or public cert installation). (Time-taking errors) :(

HTH,
RMG

We have the same issue and tried all the above suggested solutions but none is working. Any more suggestions, please?
Thanks in advance.
Ram

Is it the exact same issue, and what IS/EDIINT module version are you running on?

Have you already opened a ticket with SAG support?

HTH,
RMG