Invoke Service via HTTPS Error

Hi,
I want to receive XML data from a partner. They should use a url (https://123.456.789.0:1111/invoke/folder/service) and send XML data to our SAP BC (4.7). The service is client/http. We set up a https port for that. Additionally we have a server certificate, CA certificate, private key for our BC. The client certificates are set up and mapped to the users, which are included in a certain ACL - the service they are trying to invoke is also set up for this ACL. We also included the CA certificates in the trusted folder.
A certificate is required to be sent by the partner.

When I try to send the data via a browser it works for a test user where we created a client certificate ourselves and signed it.
But it does not work for any of our partners, although we set them up the same way (client certificates, CA certificates). When they try to send the data the access is denied (for those who use a browser, a window appears and they are asked to give a user and password). We send them our CA certificate (which signed our server certificate), but no change. Some of them are trying to send the data via browser, others via a BC.

Can anyone give me advice on what may be the problem?

Kai

Some random things to check:
What are the settings for the HTTPS port (No ip address filtering or anything strange)? Require or request certs?

Have you mapped the client certs to their user?

ACLs on the service: is your test user an admin by some chance?

regards,
Nathan Lee

HTTPS Listener Configuration
Port: 5558
Client Authentication: Request Client Certificates
Package Name: WmRoot
Bind Address (optional): <none>

Listener Specific Credentials (Optional):
Server’s Certificate: unspecified
Authority’s Certificate: unspecified
Private Key: unspecified
Trusted Authority Directory: unspecified

Outbound SSL Certificates:
Server’s Signed Certificate: certificates/bcp1_server_cert.der
Signing CA’s Certificate: certificates/drs_itso_ca-cacert.der
Server’s Private Key: config/bcp1_privkey.der

Trusted Certificates
CA Certificate Directory: certificates

Hardware SSL Acceleration
Hardware Vendor: None

The client certs are mapped to their users.

Users and test users belong to:
Group test
Group Everybody
Group WmPartnerUsers

Kai,
Please make sure that your clients are sending a valid/trusted certificate for authentication. If you change your HTTPS port to “Require Client Certificates”, then they would not get the user-id/password popup. For some reason your browser and client software are not sending the certificates and thus the server is reverting back to userid/password authentication. This could be due to their CA not being trusted by your wm server. Also, port access has to be set to Allow (in ports settings).
~tS

Resolved!

For some reason it didn’t work because of this - also it’s optional.

Listener Specific Credentials (Optional):
Server’s Certificate: unspecified
Authority’s Certificate: unspecified
Private Key: unspecified
Trusted Authority Directory: unspecified

We changed that analogously to the Outbound SSL Certificates:

Server’s Certificate: certificates/bcp1_server_cert.der
Authority’s Certificate: certificates/drs_itso_ca-cacert.der
Private Key: config/bcp1_privkey.der
Trusted Authority Directory: certificates

Now it’s working and we have access.

Kai

YES, you would need to enter the Listener Specific Credentials with the appropriate info if you require client digital certificates. This information is where your CA and private keys are kept and what the WM server uses to validate incoming digital certificates.
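A check for the misconfiguration this thread resolved, as an added example that is not part of any post above or of the product: it parses a settings dump in the layout Kai posted and flags a listener that only requests client certificates or leaves its listener-specific credentials unspecified. The plain-text layout as an input format, the function names and the sample are assumptions.

```python
# Added example: lint a text dump of the HTTPS listener settings shown in this thread.
# Constructed sample, copied from the layout of the settings posted above.
SAMPLE = """\
HTTPS Listener Configuration
Port: 5558
Client Authentication: Request Client Certificates
Package Name: WmRoot

Listener Specific Credentials (Optional):
Server's Certificate: unspecified
Authority's Certificate: unspecified
Private Key: unspecified
Trusted Authority Directory: unspecified
"""

LISTENER = "Listener Specific Credentials (Optional)"
CRED_KEYS = ("Server's Certificate", "Authority's Certificate",
             "Private Key", "Trusted Authority Directory")

def parse_settings(text):
    """Return {section: {key: value}} from a 'Key: value' settings dump."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().replace("\u2019", "'")  # normalise curly apostrophes
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip() and current is not None:
            sections[current][key.strip()] = value.strip()
        else:  # a heading: no colon, or a colon with nothing after it
            current = line.rstrip(":").strip()
            sections[current] = {}
    return sections

def audit(text):
    """List the settings that, per this thread, left partners at a password prompt."""
    cfg = parse_settings(text)
    findings = []
    mode = cfg.get("HTTPS Listener Configuration", {}).get("Client Authentication", "")
    if mode.lower().startswith("request"):
        findings.append("client certificates are only requested: "
                        "a client that sends none falls back to user/password")
    creds = cfg.get(LISTENER, {})
    for key in CRED_KEYS:
        if creds.get(key, "unspecified").lower() in ("unspecified", "<none>"):
            findings.append(f"{key} is not set on the listener")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```
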