EDIINT Triple DES problem

Ramesh_Sambandan · November 7, 2005, 8:11pm

Hi,

I’m using EDIINT to send the EDI to the Trading Partner.when i use DES encryption algorithm, everything seems to work fine.but the issue is, when i use TripleDES algorithm, there seems to be some problem.i dont see the encrypted payload in the ediintdata entry of the TN Analysis screen.
Is this something to do with any configuration or am i missing something?i’m stuck with this issue and would really appreciate if someone can chime in.

ramesh.

Ramesh_Sambandan · November 7, 2005, 8:22pm

Hi,

One more thing is, i have generated the certificate using OPENSSL and used “genrsa -des3 -out <private>.pem 2048” command to generate the private key and converted it to .der format.is this something to look into?

ramesh.

Ramesh_Sambandan · November 7, 2005, 10:10pm

Any thoughts???

Yemi_Bedu · November 7, 2005, 11:38pm

Hello,

We use TripleDES for all our partners selection tabs. I currently use openssl openssl-0.9.7c to do the generation of private key and certificate. I use a good number of windows batch routines for generation and conversion.

I use the following to make the private key:
openssl genrsa -out %1 %2

I use the following to make the certificate (public key):
openssl req -verbose -config openssl.cnf -new -x509 -sha1 -days %3 -key %1 -out %2

For converting private key PEM to DER I use the following:
openssl rsa -inform pem -in %1 -outform der -out %2

For converting certificate (public key) PEM to DER I use the following:
openssl rsa -inform pem -pubin -in %1 -outform der -out %2

%var names should be easy to guess. Please include the extension with these names. Remeber that your CA will not be automatically trusted.

I would also suggest you look for the lateset openssl version, get the source version, and create your scripts for the processes. Please share your feedback results. Good day.

Yemi Bedu

Yemi_Bedu · November 8, 2005, 5:02am

Hello,

Yemi Bedu

Ramesh_Sambandan · November 8, 2005, 7:22pm

Yemi,

As per your instructions, i tried to generate the keys.
1.genrsa -out testPrivate 2048
2.req -verbose -config openssl.cnf -new -x509 -sha1 -days 1095 -key testPrivate -out testCert
3.rsa -inform pem -in testPrivate -outform der -out testPrivate.der
4.rsa -inform pem -pubin -in testCert -outform der -out testCert.der

error during converting certificate(4th step)
unable to load Public Key
2100:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib
.c:644:Expecting: PUBLIC KEY
error in rsa

Can you tell me if i’m wrong somewhere.

Thanks
ramesh.

Ramesh_Sambandan · November 8, 2005, 7:42pm

Yemi,

I tried using “x509 -in testCert -inform PEM -out testCert.der -outform DER” to convert certificate to DER format.

I’ll let you know once my testing is done.

ramesh.

Ramesh_Sambandan · November 8, 2005, 10:09pm

Yemi,

The same problem repeats.if i use DES, it is working fine but when i change the encryption algorithm to TripleDES, it fails.i mean, the ediintdata entry in the TN Analysis screen shows only the header info but not the payload.when i use DES option, i can see the encrypted data under ediintdata.
i’m attaching the screenshot.

ramesh.

EDIINT_ERR.doc (68.1 k)

Yemi_Bedu · November 9, 2005, 11:16pm

Hello,

For your first post since my last, I would like to apologize. You do “not” need the -pubin option. Actually, can’t use it as that is why you see your error. That option is your if you had converted your pem private key to a public key and what the pem in der format. I should also mention that I am somewhat wrong in making the public key seem equal to the certificate. If you look at the pem in notepad or vi you will see they start with either “begin public key” or “begin certificate”. That was the hint in the error you gave me.

I think you can use the x509 just as you would the rsa. I think there was something not showing for me and is why I use the rsa. It may have been that the x509 was doing to much and rsa was doing the same with less extra options or something like that.

You should make this change and try your TN setup with TripleDES again. Sorry for any current troubles. I saw the screen shot, yes there is nothing there. Good day.

Yemi Bedu

Ramesh_Sambandan · November 10, 2005, 12:06am

Yemi,

Even after using x509 command to convert the certificate to DER format, i cant see the encrypted data under the ediintdata entry.
“You should make this change and try your TN setup with TripleDES again”--------Can you tell me what changes are you pointing to?

ramesh.

Yemi_Bedu · November 10, 2005, 1:46am

Hello,

Yemi Bedu

Yemi_Bedu · November 10, 2005, 1:49am

Hello,

Yemi Bedu

Ramesh_Sambandan · November 10, 2005, 2:17am

Yemi,

As per your instructions, i tried to generate the keys.
1.genrsa -out testPrivate 2048
2.req -verbose -config openssl.cnf -new -x509 -sha1 -days 1095 -key testPrivate -out testCert
3.rsa -inform pem -in testPrivate -outform der -out testPrivate.der
4.rsa -inform pem -in testCert -outform der -out testCert.der(tried without -pubin option, but getting an expecting Private Key error)

I would really appreciate if you can tell me the command for converting certificate to der format without the -pubin option.
tried using x509 command, but that doesn’t solve the problem.

ramesh.

Yemi_Bedu · November 10, 2005, 3:13am

Hello,

Yemi Bedu

Ramesh_Sambandan · November 10, 2005, 3:21am

Yemi,

I used x509 command and was able to convert the certificate to der format, and changed the encryption algorithm to TripleDES in TN, which doesn’t solve the issue.
“And like I said, I don’t use the x509 because I was getting some weird error with it and TN. I just use the rsa to do the same thing.”------can you tell me the rsa command you have used to do the same thing, as i was getting some errors while trying to do the same thing i.e without the -pubin option.

ramesh.

Ramesh_Sambandan · November 10, 2005, 9:31pm

Yemi,

The issue was nothing to do with generating the keys or certificates, but it was due to the security policy jars of the jvm.replaced them with the correct jars and it worked.

Thanks for your time.
ramesh.

Yemi_Bedu · November 10, 2005, 9:39pm

Hello,

Yemi Bedu

Ramesh_Sambandan · November 10, 2005, 9:53pm

Yemi,

We are using 1.4.2_08 from Sun with IS/TN 6.1 on Windows 2003.

ramesh.

vbalakrishna · September 11, 2008, 5:53pm

Ramesh,

We are facing the exact same issue as you. Could you let us know where we can find the correct version of the jars for our jvm? We are using IS/TN 6.5_SP3 with JVM 1.5 and Red Hat Linux 4.

Thanks,
Vandana.

Naveen_Kenche · September 17, 2008, 4:47pm

Hi Ramesh,

Going through the email looks like you have managed to configure the keys for EDIINT. We are trying to configure the security tab for a partner profile using the private key, but not able to. Could you guide us the steps involved in configuring the security tab. Our requirement is simple.

Encrypt/Decrypt EDI data over HTTP connection. Please be aware that we do not want HTTPS.

Fyi, EDIINT AS2 work fine with plain EDI data. Now would like to test with data encryption.

Your help is much appreciated.

Thanks & REgards
KN