AS2 error : forbidden

  • Question

  • Hello, I have a question regarding AS2/IIS. So I have this AS2 software running with IIS 6.0 and with XP. I have it working with SSL on both and they seem to work OK.

    I have 2 different problems, but if I solve either of those 2 I'm good :):

    With XP: my customer tries sending me info and they get an error saying "ssl renegotiations not allowed on client", so I searched the web and found out that this was a vulnerability in Windows and I should try using the "sslalwaysnegoclientcert" flag. The thing is it only exists for IIS 6.0 (or at least that's what I have found).

    With IIS 6.0: so I installed Windows Server 2003 and IIS. The software works with SSL and I already set the sslalwaysnegoclientcert flag, but now my customer gets a "forbidden" error.

    I have searched the web again and found that it can be any of these:

    Table 11.7 HTTP 403 Substatus Codes

    403.x  Description
    -----  -----------
    None   Access is denied.
    1      Execute access is denied.
    2      Read access is denied.
    3      Write access is denied.
    4      SSL is required to view this resource.
    5      SSL 128 is required to view this resource.
    6      IP address of the client has been rejected.
    7      SSL client certificate is required.
    8      DNS name of the client is rejected.
    9      Too many clients are trying to connect to the Web server.
    10     Web server is configured to deny Execute access.
    11     Password has been changed.
    12     Client certificate is denied access by the server certificate mapper.
    13     Client certificate has been revoked on the Web server.
    14     Directory listing is denied on the Web server.
    15     Client access licenses have exceeded limits on the Web server.
    16     Client certificate is ill-formed or is not trusted by the Web server.
    17     Client certificate has expired or is not yet valid.
    18     Cannot execute requested URL in the current application pool.
    19     Cannot execute CGIs for the client in this application pool.
    20     Passport logon failed.


    The thing is I do not know which one could affect AS2 communications or how to solve any of those. Could someone help me?

    Also, the AS2 software I use has a tool to create certificates. I created my .pfx file and .cer file with that tool and I used that for SSL in IIS also. Could that be the problem? I do not think so, since I can access the web page from outside my network and it works with HTTPS, but since I read that I should use one certificate for each site and use the qualified name of my web page for each certificate, and I never typed "https://200.53.96.12/as2test", maybe it's related?

    Thanks for the help and I hope I made myself clear... English is not my first language :)

    Tuesday, January 4, 2011 3:15 PM
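The substatus table above only helps once you know which 403.x your server actually logged, and IIS 6.0 writes that in the sc-substatus column of its W3C extended log. The script below is an added example (not from this thread, IPWorks or BizTalk): it parses a handful of constructed log lines in the IIS 6.0 W3C layout, maps each 403 to the description in the table, and flags the substatus values that come from the SSL/client-certificate layer (4, 5, 7, 12, 13, 16, 17) so you can tell a certificate rejection apart from a plain permissions or IP-restriction denial. The field list, IP addresses and paths in the sample are assumptions; IIS logs the table's "None" row as substatus 0.

```python
"""Decode IIS 403.x responses from W3C extended log lines.

Added example (not from the forum thread or from IPWorks/BizTalk). The log
lines below are constructed; the field layout is the IIS 6.0 W3C extended
format announced by the #Fields header, and the substatus descriptions are the
table quoted in the question (IIS logs the "None" row as substatus 0).
"""
from collections import Counter

SUBSTATUS_403 = {
    0: "Access is denied.",
    1: "Execute access is denied.",
    2: "Read access is denied.",
    3: "Write access is denied.",
    4: "SSL is required to view this resource.",
    5: "SSL 128 is required to view this resource.",
    6: "IP address of the client has been rejected.",
    7: "SSL client certificate is required.",
    8: "DNS name of the client is rejected.",
    9: "Too many clients are trying to connect to the Web server.",
    10: "Web server is configured to deny Execute access.",
    11: "Password has been changed.",
    12: "Client certificate is denied access by the server certificate mapper.",
    13: "Client certificate has been revoked on the Web server.",
    14: "Directory listing is denied on the Web server.",
    15: "Client access licenses have exceeded limits on the Web server.",
    16: "Client certificate is ill-formed or is not trusted by the Web server.",
    17: "Client certificate has expired or is not yet valid.",
    18: "Cannot execute requested URL in the current application pool.",
    19: "Cannot execute CGIs for the client in this application pool.",
    20: "Passport logon failed.",
}

# Substatus values that come from the SSL/client-certificate layer, i.e. the
# ones to check first when an AS2 partner over HTTPS reports "forbidden".
CERT_RELATED = {4, 5, 7, 12, 13, 16, 17}

# Constructed sample log: documentation-range IPs, invented paths and agents.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-01-04 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-01-04 14:00:01 10.0.0.5 POST /as2test/as2receive.aspx - 443 - 192.0.2.10 AS2Partner/1.0 403 7 0
2011-01-04 14:00:02 10.0.0.5 POST /as2test/as2receive.aspx - 443 - 192.0.2.10 AS2Partner/1.0 403 16 0
2011-01-04 14:00:05 10.0.0.5 POST /as2test/as2receive.aspx - 443 - 198.51.100.7 AS2Other/2.1 200 0 0
2011-01-04 14:00:09 10.0.0.5 GET /as2test/ - 443 - 203.0.113.9 Mozilla/4.0 403 14 0
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields header")
        # W3C fields are space separated; IIS encodes spaces inside values as '+'.
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def explain_403(row):
    """Return a finding dict for a 403 response, or None for anything else."""
    if row.get("sc-status") != "403":
        return None
    sub = int(row.get("sc-substatus", "0"))
    return {
        "time": f'{row["date"]} {row["time"]}',
        "client": row["c-ip"],
        "uri": row["cs-uri-stem"],
        "code": f"403.{sub}",
        "description": SUBSTATUS_403.get(sub, "Unknown substatus"),
        "cert_related": sub in CERT_RELATED,
    }


def summarize(text):
    """All 403 findings, plus a count of cert-related rejections per client IP."""
    findings = [f for f in map(explain_403, parse_w3c(text)) if f]
    per_client = Counter(f["client"] for f in findings if f["cert_related"])
    return findings, per_client


if __name__ == "__main__":
    findings, per_client = summarize(SAMPLE_LOG)
    for f in findings:
        flag = "CERT" if f["cert_related"] else "    "
        print(f'{flag} {f["time"]} {f["client"]:<14} {f["code"]:<7} {f["description"]}')
    for client, n in per_client.items():
        print(f"{client}: {n} client-certificate related rejection(s)")
```

Run it against the real file under %SystemRoot%\system32\LogFiles\W3SVC1 instead of SAMPLE_LOG; a partner that shows up repeatedly with 403.7, 403.16 or 403.17 is being turned away by the certificate checks, while 403.6 or 403.14 point at IP restrictions or directory settings and have nothing to do with SSL.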

All replies

  • Which AS2 software are you using?

    Do you know what endpoint was given to your client? It is hard to diagnose your issue without knowing what type of endpoint your client is calling. Usually with BizTalk people use the default AS2 support and it goes to something like http://localhost/BTSHttpReceive.dll. It sounds like your client might be trying to hit a virtual directory address that does not exist.

    So the tool makes your cert? This sounds like a self-signed certificate. Probably your partner is checking for revocation on the cert and/or cannot contact the CA to confirm the cert is valid. Probably the name on the cert does not match your server name. This could definitely be part of the issue. Usually you send the name of the server where you are going to expose the endpoint to the CA as part of the request to get the cert. I would try to get a public cert from a company like Verisign. Your partner might be able to use the self-signed cert but you need to confirm it with them. (There might be a flag or switch in your partner's software to enable the self-signed cert to work on their end).

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Tuesday, January 4, 2011 9:33 PM
    Moderator
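Two of the failure modes Ben lists (the name on the certificate not matching the server, and the certificate being outside its validity window) can be checked before asking the partner anything. The script below is an added example, not code from the thread, IPWorks or IIS: it takes certificates in the dict shape that Python's ssl.getpeercert() returns, decides whether the host name or IP literal the partner actually connects to is covered by the certificate's names, and checks the validity period with ssl.cert_time_to_seconds. Both certificate dicts are constructed by hand (one mimics a tool-generated self-signed certificate that carries only a commonName, the other a certificate issued for an assumed host name as2.example.com plus the IP from the question).

```python
"""Check whether a server certificate covers the endpoint a partner connects
to, and whether it is inside its validity period.

Added example, not code from the thread, IPWorks or IIS. It works on the dict
shape that Python's ssl.getpeercert() returns; both certificate dicts below are
constructed (the first mimics a tool-generated self-signed cert with only a
commonName, the second a cert issued for the AS2 host name and IP).
"""
import ipaddress
import ssl

# Constructed: what a tool-generated self-signed cert typically looks like.
TOOL_CERT = {
    "subject": ((("commonName", "AS2 Connector Test"),),),
    "issuer": ((("commonName", "AS2 Connector Test"),),),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2011 GMT",
}

# Constructed: a cert whose names match the public endpoint (host name and IP).
ENDPOINT_CERT = {
    "subject": ((("commonName", "as2.example.com"),),),
    "subjectAltName": (("DNS", "as2.example.com"), ("IP Address", "200.53.96.12")),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2011 GMT",
}


def _names(cert):
    """Collect dNSName SAN entries, iPAddress SAN entries and the subject CN."""
    dns, ips, cn = [], [], None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value.lower()
    return dns, ips, cn


def _dns_match(pattern, host):
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host


def endpoint_matches_cert(endpoint_host, cert):
    """Return (ok, reason) for the host name or IP literal the partner uses."""
    dns, ips, cn = _names(cert)
    try:
        ip = ipaddress.ip_address(endpoint_host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip in ips:
            return True, f"{ip} is listed as an iPAddress subjectAltName"
        return False, f"{ip} is not an iPAddress subjectAltName entry (the CN is not consulted for IP literals)"
    if dns:  # when a SAN extension is present, the CN is ignored
        if any(_dns_match(p, endpoint_host) for p in dns):
            return True, f"{endpoint_host} matches a dNSName subjectAltName"
        return False, f"{endpoint_host} matches none of the dNSName entries {dns}"
    if cn and _dns_match(cn, endpoint_host):
        return True, f"{endpoint_host} matches commonName (no subjectAltName; legacy clients only)"
    return False, f"{endpoint_host} does not match commonName {cn!r} and the cert has no subjectAltName"


def is_valid_at(cert, when):
    """True if the Unix time `when` lies inside notBefore..notAfter (UTC)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= when <= end


if __name__ == "__main__":
    for host in ("200.53.96.12", "as2.example.com"):
        for label, cert in (("tool cert", TOOL_CERT), ("endpoint cert", ENDPOINT_CERT)):
            ok, why = endpoint_matches_cert(host, cert)
            print(f"{label:<13} {host:<16} {'OK ' if ok else 'BAD'} {why}")
    print("tool cert valid in March 2011:", is_valid_at(TOOL_CERT, 1300000000))
```

To run it against a live server, replace the constructed dicts with the result of ssl.create_default_context().wrap_socket(...).getpeercert() on a connection to port 443 (the partner's view of the endpoint is what matters, so pass the exact host name or IP they were given). A self-signed certificate that fails the name check can still be accepted by a partner who pins it explicitly, which is why Ben suggests confirming with them what their software expects.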
  • Thanks for your answer Ben. I think they are using software called webMethods (I'm sorry I posted on the BizTalk forum, but it is the only forum I have found where people answer/ask about AS2). I don't know how it works, to be honest.

    The software I'm using is AS2 Connector from IPWorks! (http://www.freeas2.com/?gclid=CJPF4runo6YCFUHt7QodHl-CZQ ... I got the paid version, not the free one).

    Yes, the certificate is a self-signed certificate, so the cert was created by the software. I didn't know the cert name had to be the server name, and since it's created by the software I never cared to look for it. The thing is... I already configured another computer with the free version of the software I use and started exchanging info and there was no problem: I got messages, sent messages and received MDNs. I even got another customer and we have no problems exchanging info (I use the server with XP to exchange info with him since I did not have the SSL renegotiation problem with him).

    Concerning the Verisign stuff... well yeah, I tried something like that, but my company is not that big so they kind of wanted to save the 2k that Verisign charges for a certificate, and since I read that I could make it work with self-signed certificates I'm trying to save that money...

    I'll try to confirm if my partner can use self-signed certs. Thanks for the help!

    Wednesday, January 5, 2011 2:52 PM
  • Cool, that's a lot more information to go on. Most companies can use self-signed certs you just need to be sure they are expecting them. I worked with GXS as an EDI VAN and they could do self-signed as long as all parties were ok with the security implications/risks.

    It definitely sounds like something in the webMethods side is probably not allowing the self-signed cert to work. I searched for the self-signed webMethods stuff and it looks like webMethods may only allow certain types of self-signed certs - see http://www.customware.net/repository/display/WMFAQ/How+to+configure+HTTPS+port+in+WebMethods+6. So I would guess the one you made is probably not going to work on the partner's side. I would ask the partner using webMethods to generate a self-signed certificate for you that webMethods can use.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Wednesday, January 5, 2011 3:09 PM
    Moderator
  • Oh, I almost forgot. I was looking into my firewall's logs. When my customer is trying to send an MDN receipt or just send me a regular file, I do see the attempt to the right IP and it's mapped to the right port (443 since I'm using SSL), and I don't think it's a routing/firewall problem or anything like that since I have another customer and we are exchanging info without a problem. I even configured another server in my local network and started exchanging info and it worked, so my guess is that it is not a routing/firewall problem but my server is just rejecting the connection, probably caused by something in my customer's config? Or in mine?

    Thanks again.

    Wednesday, January 5, 2011 3:10 PM
  •

    Thanks! Yeah, I actually used that OpenSSL for my Windows XP machine so I could use HTTPS, but since I got the SSL renegotiation problems I totally forgot about that. I'll try creating a certificate with that and use that certificate for signing/encryption and leave the certificate I'm using only for HTTPS... or would you recommend using the new one for all (signing/encrypting/HTTPS)?

    Wednesday, January 5, 2011 3:50 PM
  • BizTalk does let you have different ones as of BizTalk 2006 R2 SP1 or BizTalk 2009/2010. I am guessing IPWorks would let you have different ones too (I do not know).

    I would choose different ones so the webMethod restrictions do not limit other trading partners.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Wednesday, January 5, 2011 4:07 PM
    Moderator
  •

    Wouldn't I also need the .pfx? Not only the certificate but the .pfx that is generated so I can sign messages? I'm kind of new to all this so I guess I may sound kind of... dumb? But I just need orientation or something haha. I kind of think that my software needs the .pfx file so it can sign messages. I tried following the tutorial and got a self-signed cert, but I can't use it for SSL since it's not a .pfx and IIS 6.0 requires that it is a .pfx file (or create the request... CSR... which I'm about to try), and I can't use it for my software since it's asking me for the .pfx/.p12 file.

    Again, maybe I'm making no sense, but as I said I'm totally new to this.

    Thanks for your patience sir!

    Wednesday, January 5, 2011 4:51 PM
  • No problem. If you want to use the cert for SSL then you need to have one with both keys. PFX usually has both in it, yes.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Wednesday, January 5, 2011 8:39 PM
    Moderator