Web Methods IS vs SapBC Connectivity problem

Our customer in China, using Web Methods IS (do not know the version), is attempting to login into our Sap BC server running Web Methods B2B Server ver. 4.0.1 (Win2000 platform) using URL (https link and userid with password) and gets error message “java.io.IOException: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier”.
Our port is configured to Request a client certificate, so they should be able to login with or without the certificate. The problem is the their IS rejects our certificate however they maintain that they installed our CA certificate on their IS server.
I do not really know much about WebMethods IS server, where should I point them for checking things to overcome this problem?
Thanks a lot for you help.

Margaret

Your customer should have the root (and intermediate) signing certificates (that are used by your certificate) in their IS Trusted Certificates directory (as .der files)
They should also have put your certificate under Security > Certificates > Client Certificates (or if they use TN, under their TP profile for you).
You should independently check that your BC server HTTPS port is indeed working and that your server certs have not expired.

HTH
Kevin

Kevin

Thanks a lot for your pointers. I have verified https port connectivity - it works fine. Also our certs are brand new and not expired for sure.

Margaret

oops that bit about “They should also have put your certificate under Security > Certificates > Client Certificates (or if they use TN, under their TP profile for you).” only applies if you are POSTing to them and they are using client certificates to authenticate you.

For you to accept their client certificate when they are POSTing to you, you need to have done the above on your BC for their client certificate and likewise you also need to have their root (and intermediate) signing certificates (that are used by their client certificate) in your BC Trusted Certificates directory (as .der files).
If you are using an IS reverse invoke in your DMZ, then you ‘should’ have their root (and intermediate) signing certificates (that are used by their client certificate) in your IS reverse invoke Trusted Certificates directory. Their client certificate does not need to be in the IS reverse invoke however, as it will be BC that checks it.
One reason for having their root (and intermediate) signing certificates in your IS reverse invoke Trusted Certificates directory is for testing purposes, so that when they use a browser from their server and they have their client cert. in the keystore used by this browser, during the HTTPS session negotiation it will popup a list of certificates that are installed in their keystore that your server will accept.
Hope this isn’t confusing.
You could try turning off ‘request client cert.’ on your port if want to remove this from part of the problem until you nail it down further.