I'm setting up a new connection with a partner running Seeburger. To keep things simple, I want to only use HTTPS for sending messages, and do no signing/encryption of the messages themselves. This is also the default behavior of the partner.
My understanding is that if I do this, we will not have to import each other's certificates into local keystores (and then deal with the ongoing every couple of years maintenance headache with that), as long as each of us has a generally recognized CA-signed certificate running the SSL listener on our servers, we'll still have pretty solid security.
But I also want an MDN to come back as confirmation that my files sent to them went through. They successfully tested a send to me and got their MDN back, it appears, but when I send to them, with this partnership configuration:
<partnershipname="me-to-partner"><sendername="me"/><receivername="partner"/><attributename="as2_url"value="https://as2.partnerdomain.com:8443/SeeburgerAS2/AS2Controller?ls=001"/><attributename="subject"value="File $attributes.filename$ sent from $sender.name$ to $receiver.name$"/><attributename="as2_mdn_options"value="none"/><!-- <attribute name="as2_mdn_options" value="signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, SHA256"/>--><attributename="as2_mdn_to"value="edi@mydomain.com"/><attributename="rename_digest_to_old_name"value="true"/></partnership>
The message seems to go through fine, but then when they return the (sync) MDN, I see a message like this:
2019-03-08 13:26:13.945 ERROR AS2SenderModule: Unhandled error condition processing synchronous MDN. Message and asociated files cleanup will be attempted but may be in an unknown state. [OPENAS2-08032019132607-0600-56c3c337-4c9b-45db-9f8c-fc82c50a4ad5@me_partner]
org.openas2.cert.CertificateNotFoundException: Type: receiver, Alias: null
at org.openas2.cert.PKCS12CertificateFactory.getAlias(PKCS12CertificateFactory.java:59)
at org.openas2.cert.PKCS12CertificateFactory.getCertificate(PKCS12CertificateFactory.java:102)
at org.openas2.util.AS2Util.processMDN(AS2Util.java:489)
at org.openas2.processor.sender.AS2SenderModule.processResponse(AS2SenderModule.java:246)
at org.openas2.processor.sender.AS2SenderModule.sendMessage(AS2SenderModule.java:219)
at org.openas2.processor.sender.AS2SenderModule.handle(AS2SenderModule.java:131) at org.openas2.processor.DefaultProcessor.handle(DefaultProcessor.java:65)
at org.openas2.processor.receiver.MessageBuilderModule.processDocument(MessageBuilderModule.java:182)
at org.openas2.processor.receiver.DirectoryPollingModule.processFile(DirectoryPollingModule.java:196)
at org.openas2.processor.receiver.DirectoryPollingModule.updateTracking(DirectoryPollingModule.java:170)
at org.openas2.processor.receiver.DirectoryPollingModule.poll(DirectoryPollingModule.java:81)
at org.openas2.processor.receiver.PollingModule$PollTask.run(PollingModule.java:62)
at java.util.TimerThread.mainLoop(Timer.java:555)
at java.util.TimerThread.run(Timer.java:505)
I wasn't sure what to make of that. Is it possible that they're returning a signed MDN even though (I think, based on OpenAS2 docs) I have requested an unsigned one?
Also, you'll note in the XML above that I have the alternate as2_mdn_options comment out, I've tried it both ways, and I think the response is similar or identical. Any ideas on how to proceed? I've not yet heard back from the partner but wanted to attack this preemptively a bit in case I could resolve it on my own.
Also, please confirm my thinking at the top that if all I do is use an SSL connection, but have no signing (of message or MDN) and no encryption, then I should not need to store the partner's certificate, nor should he need to store mine.
Thanks for any feedback.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
After doing a bit more testing (loading a certificate I have for the partner into my as2_certs keystore, and defining that as the x509_alias on the partner), I re-sent a test and got an MDN back with this error message:
What I suspect is going on is that the partner is (for some reason, either because they're misunderstanding my MDN request, or I'm sending it wrong [telling them I want a signed MDN when I want unsigned], or they have me somehow misconfigured so that whenever I request an MDN, they send it as signed) sending me a signed MDN, and it's signed with a certificate of theirs that I don't have (that's different from their HTTPS certificate that I do have).
I'll wait to hear back from them, but anyone reading this that can at least validate my assumptions about when you must import a partner's signing/encryption certificate and when you don't have to, that'd be great.
Last edit: jll 2019-03-08
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Currently the code looks for a sender and partner certificate even if you configure it not to encrypt/sign and do not require the MDN to be signed sao you will have to load a certificate - this is unlikely to change becuase it is highly unusual to use AS2 without the encryption/signing but you can just use the existing default certs that come with the install package and point the sender and receiver to the same x509_alias or one to "openas2b" and one to "openas2b".
The MDN receiver looks at the mime body part headers to decide if the received MDN is signed so the fact that it is trying to verify the signature means your partner is signing it. Your partner should just be looking at the "Disposition-Notification-Options" header for indicating it must sign an MDN but with "as2_mdn_options" set to "none" OpenAS2 does not send that header so the remote system should not return a signed MDN.
If you are successfully receiving a file from your partner you could enable mime body part logging (see OpenAS2HowTo for enabling this) and see what the partner sends in the Disposition-Notification-Options header as it may be that the Seeburger system requires a Disposition-Notification-Options header otherwise it defaults to signing.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Thanks for pointing out that x509_alias is required, but does not necessarily need to match anything specific to the partner, in the scenario that I'm trying to implement (since OpenAS2 won't have to use it to verify anything).
I'm not sure what happened (it's possible the partner updated something in the configuration -- they responded to me and indicated that they had not, and that everything looked fine from their side with my previous tests), but after changing the x509_alias to openas2a, and setting these two relveant partnership settings:
I'm now getting multiple fully successful transfers where the mdn is returned (and must be unsigned, since I never did have the partner's public signing cert).
One follow up I have: in this scenario, only using TLS for connection security, but no encryption or signing, does my having received an MDN also include some sort of hash check to strongly confirm that the partner didn't just receive my file, but received it exactly as sent? I've read about the MIC that happens, and I'm assuming that that happens even with unsigned MDNs and that if there were some sort of corruption on the transfer, the MIC would indicate that and fail the transmit.
Thanks for your help,
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi,
I'm running OpenAS2 2.7.0.
I'm setting up a new connection with a partner running Seeburger. To keep things simple, I want to only use HTTPS for sending messages, and do no signing/encryption of the messages themselves. This is also the default behavior of the partner.
My understanding is that if I do this, we will not have to import each other's certificates into local keystores (and then deal with the ongoing every couple of years maintenance headache with that), as long as each of us has a generally recognized CA-signed certificate running the SSL listener on our servers, we'll still have pretty solid security.
But I also want an MDN to come back as confirmation that my files sent to them went through. They successfully tested a send to me and got their MDN back, it appears, but when I send to them, with this partnership configuration:
The message seems to go through fine, but then when they return the (sync) MDN, I see a message like this:
I wasn't sure what to make of that. Is it possible that they're returning a signed MDN even though (I think, based on OpenAS2 docs) I have requested an unsigned one?
Also, you'll note in the XML above that I have the alternate as2_mdn_options comment out, I've tried it both ways, and I think the response is similar or identical. Any ideas on how to proceed? I've not yet heard back from the partner but wanted to attack this preemptively a bit in case I could resolve it on my own.
Also, please confirm my thinking at the top that if all I do is use an SSL connection, but have no signing (of message or MDN) and no encryption, then I should not need to store the partner's certificate, nor should he need to store mine.
Thanks for any feedback.
After doing a bit more testing (loading a certificate I have for the partner into my as2_certs keystore, and defining that as the x509_alias on the partner), I re-sent a test and got an MDN back with this error message:
What I suspect is going on is that the partner is (for some reason, either because they're misunderstanding my MDN request, or I'm sending it wrong [telling them I want a signed MDN when I want unsigned], or they have me somehow misconfigured so that whenever I request an MDN, they send it as signed) sending me a signed MDN, and it's signed with a certificate of theirs that I don't have (that's different from their HTTPS certificate that I do have).
I'll wait to hear back from them, but anyone reading this that can at least validate my assumptions about when you must import a partner's signing/encryption certificate and when you don't have to, that'd be great.
Last edit: jll 2019-03-08
Currently the code looks for a sender and partner certificate even if you configure it not to encrypt/sign and do not require the MDN to be signed sao you will have to load a certificate - this is unlikely to change becuase it is highly unusual to use AS2 without the encryption/signing but you can just use the existing default certs that come with the install package and point the sender and receiver to the same x509_alias or one to "openas2b" and one to "openas2b".
The MDN receiver looks at the mime body part headers to decide if the received MDN is signed so the fact that it is trying to verify the signature means your partner is signing it. Your partner should just be looking at the "Disposition-Notification-Options" header for indicating it must sign an MDN but with "as2_mdn_options" set to "none" OpenAS2 does not send that header so the remote system should not return a signed MDN.
If you are successfully receiving a file from your partner you could enable mime body part logging (see OpenAS2HowTo for enabling this) and see what the partner sends in the Disposition-Notification-Options header as it may be that the Seeburger system requires a Disposition-Notification-Options header otherwise it defaults to signing.
Thanks for pointing out that x509_alias is required, but does not necessarily need to match anything specific to the partner, in the scenario that I'm trying to implement (since OpenAS2 won't have to use it to verify anything).
I'm not sure what happened (it's possible the partner updated something in the configuration -- they responded to me and indicated that they had not, and that everything looked fine from their side with my previous tests), but after changing the x509_alias to openas2a, and setting these two relveant partnership settings:
I'm now getting multiple fully successful transfers where the mdn is returned (and must be unsigned, since I never did have the partner's public signing cert).
One follow up I have: in this scenario, only using TLS for connection security, but no encryption or signing, does my having received an MDN also include some sort of hash check to strongly confirm that the partner didn't just receive my file, but received it exactly as sent? I've read about the MIC that happens, and I'm assuming that that happens even with unsigned MDNs and that if there were some sort of corruption on the transfer, the MIC would indicate that and fail the transmit.
Thanks for your help,
Correct - the MIC checking is still done even if the MDN is not signed.