I have logged this for tracking purposes: https://github.com/OpenAS2/OpenAs2App/issues/391
Mmmmm... that looks like something is not working right or I did a bad job adding in the DB as I would have thought I used connection pooling and the messages logged by a full lifecycle of an AS2 message are not significant so I would have not expected there to be that many connections required. I put it in some years ago and will have to go and refresh my mind on how I did it. I will look into it when I get a chance.
I will add it to the README - thank you for the feedback.
Unfortunately the person who wrote the WebUI addon is not maintaining it. There are numerous posts both here in Sourceforge and in Github about WebUI issues that may help you. Github link here: https://github.com/OpenAS2/OpenAs2App/issues/
Unfortunately the person who wrote the WebUI addon is not maintaining it. There are numerous posts both here in Sourceforge and in Github (https://github.com/OpenAS2/OpenAs2App/issues/) about WebUI issues that may help you.
Although there is a log message saying: 2024-03-19 12:32:27.754 FINER MDNSenderModule: ASYNC MDN send started... This is not actually correct - that is emitted at the start of the MDN sender module and it has not yet checked if it should send ASYNC or SYNC yet. It looks for a header named "Receipt-Delivery-Option" and if present it will send asynchronously but there is none in the received message and subsequently sends a SYNC MDN as it should. (I will change the misleading debug message in a next...
The sender chooses SYNC or ASYNC MDN and the receiver automatically responds in the selected mode. You do not need to do anything. I will take a closer look at what could be triggering the error on their end in a couple days.
The software makes a best effort to extract the file. However, the built-in security within the AS2 protocol means that you can only extract the file once you have properly identified the sender, matched it to their public key to verify the signature then used the private key linked to that specific partner to decrypt the file. So OpenAS2 provides extensive logging telling you what went wrong and why. If you feel there are scenarios that could be helped by better logging, let me know and I will...
If you control generating the filename then try using a $, @, & or % for the separator and that should cater for AS2 IDs that use either dash or underscore: delimiters="$" Then filenames like this would work with the default tokens used in the "format" attribute: My_AS2ID$THEIR-AS2ID$TestFile.txt Alternatively, change the order of the tokens in the default attribute to this: format="attributes.filename, sender.as2_id, receiver.as2_id" Then the receiver AS2 ID can contain any number of dashes...
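The delimiter problem in the reply above, as an added illustration (example code, not OpenAS2's own poller): the filename is split on the characters in `delimiters` and the pieces are assigned to the `format` tokens in order. It assumes the last token absorbs any remaining delimiter characters (which is what the reordering suggestion relies on), assumes the default token order shown in `DEFAULT_FORMAT`, and uses constructed AS2 IDs.

```python
import re

# Token order assumed for the default "format" attribute (assumption, not
# copied from an OpenAS2 config file).
DEFAULT_FORMAT = "sender.as2_id, receiver.as2_id, attributes.filename"


def parse_poller_filename(filename: str, fmt: str, delimiters: str) -> dict:
    """Split a polled filename into the tokens named in `fmt`.

    Every character in `delimiters` is a separator. The split stops after
    len(tokens) - 1 separators, so the last token keeps any delimiter
    characters that occur in the remainder (assumed behaviour).
    """
    tokens = [t.strip() for t in fmt.split(",") if t.strip()]
    separator_class = "[" + re.escape(delimiters) + "]"
    parts = re.split(separator_class, filename, maxsplit=len(tokens) - 1)
    if len(parts) != len(tokens):
        raise ValueError(
            f"{filename!r}: expected {len(tokens)} tokens, found {len(parts)}"
        )
    return dict(zip(tokens, parts))


def clashing_delimiters(delimiters: str, as2_ids: list) -> set:
    """Return the delimiter characters that also occur inside an AS2 ID.

    A non-empty result means that ID will be cut in the wrong place unless
    it is the last token in `format`.
    """
    return {c for c in delimiters if any(c in as2_id for as2_id in as2_ids)}


# Constructed IDs: one uses an underscore, the other a dash.
MY_ID = "My_AS2ID"
THEIR_ID = "THEIR-AS2ID"

# 1. Dash as the separator: the partner ID is cut at its own dash.
broken = parse_poller_filename(f"{MY_ID}-{THEIR_ID}-TestFile.txt", DEFAULT_FORMAT, "-")
# broken["receiver.as2_id"] == "THEIR"; broken["attributes.filename"] == "AS2ID-TestFile.txt"

# 2. A separator neither ID contains ("$") splits correctly.
fixed = parse_poller_filename(f"{MY_ID}${THEIR_ID}$TestFile.txt", DEFAULT_FORMAT, "$")

# 3. Or keep "-" and move the dash-containing ID to the last token.
REORDERED_FORMAT = "attributes.filename, sender.as2_id, receiver.as2_id"
reordered = parse_poller_filename(f"TestFile.txt-{MY_ID}-{THEIR_ID}", REORDERED_FORMAT, "-")

if __name__ == "__main__":
    for label, result in (("dash", broken), ("dollar", fixed), ("reordered", reordered)):
        print(label, result)
    print("delimiters clashing with the IDs for '-_':", clashing_delimiters("-_", [MY_ID, THEIR_ID]))
```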
Thanks for the detailed troubleshooting info you did - made it easy to identify where the problem was. Version 3.9.1 just released fixes that issue.
The AS2 specification is very clear on utilisation of the MIC: https://datatracker.ietf.org/doc/html/rfc4130 Specifically, the receiving party (in this case it is your partner receiving your message) must calculate and return the MIC to the sender. The sender does NOT send the MIC and there is no indication of requirement to do this in the AS2 standard as linked to above. Note that the sender does tell the receiver whether they are expecting a signed receipt and in OpenAS2 you do that using this...
Quite often this sort of issue turns out to be a mistake on the partner side and they sent you a public key that is not matched to the private key they configured into the partnership on their side.
That sounds correct. Decryption might be failing because of the MIC - you will need to ask your partner if there is more detail to the error in their logs.
It makes no sense to put your partner's public key into the SSL (HTTPS) keystore but it makes no difference from an OpenAS2 point of view. You may have a certificate in the keystore for partnership encryption/signing with an alias that matches your config but are you 100% certain you have set up the x509_alias value to point to your PARTNER'S public key?
Not sure if you have transposed the words "private" and "public" but by definition your private key is private and should never be shared with anyone and it should be securely stored for only a select trusted few to have access to it if security is important to you and your transactions with your partners. You only share your public keys and your partner shares their public key with you.
That seems to indicate that you probably are not encrypting the message with the public key that the partner sent you. Make sure you correctly imported their certificate to the keystore using an alias specific to that partner and link it correctly in the partner definition.
First thing to try is disabling compression.
Assuming you created a new certificate for this new partner, you will have had to import this new public and private key into your keystore under a new alias that is correctly set to point to the partnership in your partnerships.xml and the partner must be using the public key you sent them to encrypt the message. The problem could be any one of: 1. they are using an incorrect public key 2. the mapping of the partnership to the x509_alias in your partnerships.xml is incorrect 3. you may not...
The error you are getting on your side is simply that the partner reported an error in decrypting the message. The partner is using Axway for their AS2. The exact meaning of that message is very generalised so it is impossible to say exactly what went wrong on the partner end and there is not much to be learned from your logs or configuration settings. The exact reason why the decryption failed on their end could be a few different reasons and the only way of knowing is getting the partner...
Just tested and it sets the Transfer-Encoding to chunked if you do not have the "no_chunked_max_size" attribute set to something. I will look into how to get Apache HTTP client not to set the header but the workaround is to add something like this to your partnership: <attribute name="no_chunked_max_size" value="104857600"/>
The code that makes the call to the Apache HTTP core library (that reads the response) was last modified 4 years ago. The only change between 3.3 and 3.8 is the Apache client libraries. If 3.3 works, you could try using the 3.8 release with the 3.3 Apache libraries to see if it is something to do with the library change. To do this: 1. delete the httpclient.jar and httpcore.jar files from the 3.8 install "lib" folder. 2. Copy the httpclient.jar and httpcore.jar files from the 3.7 "lib" folder to...
The problem is that the partner's MDN response is sending the wrong "Content-Length" compared to what the HTTP receiver is actually receiving in bytes and hence the error. As you reported, the partner correctly receives the file but then responds with an invalid HTTP response that then triggers the error. The code that does the reading of the response is from the Apache Foundation (uses Apache HTTP client libraries) so it is not something to do with the OpenAS2 code base itself. I have tested with...
Also, can you confirm what the "no_chunked_max_size" attribute is set to on the partnership if it is set.
The sending code has not changed since version 2.x releases so not sure what is going on here. Can you enable TRACE level logging and upload the (anonymised) trace file so I can get a better idea of what is going on?
Release 3.9.0 just released should support your errant partner's software. You will have to set your "sign" attribute on the partnership to whatever the partner is returning and the new release will convert it to the RFC5751 standard so that OpenAS2 still works as an open standards AS2 server. See the release notes for 3.9.0 for where to find a small blurb on how this works in the documentation.
SHA256 is the SHA2 version using a 256 bit key. The standard indicator for the MIC algorithm is SHA256 and I am not sure where they got SHA2_256 from but it is synonymous with SHA256. The quickest fix is if I add SHA2_256 as a synonym for SHA256 - will let you know when I release it.
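The MIC exchange from the RFC 4130 reply above and the SHA256/SHA2_256 naming issue here, as one added example (not OpenAS2's code): the receiver reads the micalg the sender asked for in Disposition-Notification-Options, computes the MIC over the received content and returns it in the MDN's Received-Content-MIC field; the sender recomputes and compares. The synonym table (which spellings a partner might send) and the simplification that the MIC covers the raw content bytes are assumptions.

```python
import base64
import hashlib
import hmac

# Algorithm spellings mapped to hashlib names. Only the SHA256/SHA2_256 pair
# comes from the reply above; the rest is an assumed set of common variants.
MIC_ALG_SYNONYMS = {
    "md5": "md5",
    "sha1": "sha1", "sha-1": "sha1",
    "sha256": "sha256", "sha-256": "sha256", "sha2_256": "sha256", "sha2-256": "sha256",
    "sha384": "sha384", "sha-384": "sha384", "sha2_384": "sha384",
    "sha512": "sha512", "sha-512": "sha512", "sha2_512": "sha512",
}


def normalize_mic_alg(name: str) -> str:
    """Map a partner's spelling of the MIC algorithm to one canonical name."""
    key = name.strip().lower()
    if key not in MIC_ALG_SYNONYMS:
        raise ValueError(f"unsupported MIC algorithm: {name!r}")
    return MIC_ALG_SYNONYMS[key]


def requested_micalg(disposition_options: str) -> str:
    """Pull the micalg the sender asked for out of Disposition-Notification-Options.

    Parameter form per RFC 4130: signed-receipt-micalg=<importance>, <algorithm>
    """
    for param in disposition_options.split(";"):
        name, _, value = param.partition("=")
        if name.strip().lower() == "signed-receipt-micalg":
            return value.split(",")[-1].strip()
    raise ValueError("no signed-receipt-micalg parameter in the header")


def calculate_mic(content: bytes, alg: str) -> str:
    """Base64 of the digest over the content; simplified to the raw bytes (assumption)."""
    digest = hashlib.new(normalize_mic_alg(alg), content).digest()
    return base64.b64encode(digest).decode("ascii")


def receiver_mdn_mic_field(content: bytes, disposition_options: str) -> str:
    """Receiver side: value for the Received-Content-MIC field of the MDN."""
    alg = requested_micalg(disposition_options)
    return f"{calculate_mic(content, alg)}, {normalize_mic_alg(alg)}"


def sender_verifies_mdn(sent_content: bytes, expected_alg: str, mic_field: str) -> bool:
    """Sender side: recompute the MIC over what was sent and compare it with the MDN.

    The sender never relies on a MIC it sent itself; the comparison is what
    proves the partner received the same bytes.
    """
    mic, _, alg = mic_field.partition(",")
    try:
        if normalize_mic_alg(alg) != normalize_mic_alg(expected_alg):
            return False
    except ValueError:
        return False
    return hmac.compare_digest(mic.strip(), calculate_mic(sent_content, expected_alg))


# Constructed sample exchange: the partner spells the algorithm "SHA2_256".
SAMPLE_CONTENT = b"ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     *"
SAMPLE_OPTIONS = ("signed-receipt-protocol=optional, pkcs7-signature; "
                  "signed-receipt-micalg=optional, SHA2_256")

if __name__ == "__main__":
    field = receiver_mdn_mic_field(SAMPLE_CONTENT, SAMPLE_OPTIONS)
    print("Received-Content-MIC:", field)
    print("sender accepts MDN:", sender_verifies_mdn(SAMPLE_CONTENT, "sha256", field))
    print("tampered content:", sender_verifies_mdn(SAMPLE_CONTENT + b"x", "sha256", field))
```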
The documentation is not clear but $properties.XXX$ dynamic variables are only supported for <attribute> elements so trying to use the properties replacement in <partnership>, <sender> or <receiver> elements will not work. It is not clear why you would want to set the sender and receiver using dynamic variables. If you can provide your use case and the use case makes sense for general use then I might consider enhancing the software to support properties in those elements. As you found out, ENV variables...
The log file will continue to fill up forever - you must implement your own log file rotation. Try googling "log file rotate on windows".
Looks like there is something about the container that prevents the stream command processor starting or there is some resource it needs missing because it is expecting a terminal interface. However, in a container, the stream command processor is useless and generally in production should be disabled anyway. Add this to your property override file (search for "openas2.properties.file" in the OpenAS2HowTo.pdf for more info on this): console.command.processor.enabled=false That should disable the...
It is most likely a misconfigured command processor. Provide a full TRACE level log and I may be able to help.
NOTE: With the move to properties to change config.xml values, you should use a separate openas2.properties file for all your custom config. That way the upgrade becomes much simpler and you will automatically inherit any additions or enhancements in the base config.xml file (Search for openas2.properties.file in the OpenAS2HowTo.pdf) For receiving files from a partner you will need to enable the AS2ReceiverModule module and set its associated properties appropriately. (The properties in the form...
I am guessing you are running an older version of OpenAS2 (or at least using an older startup script). In order for the logging module to use the common-logging.properties file, that file needs to be in the classpath for Java. Your classpath is set up to use the current working directory so it would only work if you started the OpenAS2 app from the "bin" directory. If you look at the latest implementations, the startup script explicitly sets the bin dir into the classpath. The SSL logging is not...
I suggest you read the extensive documentation in the OpenAS2HowTo about certificates and the difference between a certificate used for HTTPS and one for encryption and signing of AS2 payloads. It provides extensive information on how certificates are used in AS2, generating certificates (public and private keys) and troubleshooting issues. Once you get that all clear you might realise you have wasted your money buying a certificate but you should also gain clarity on what you should have sent your...
If you are connecting to your partner to send a file and the URL they gave you is HTTPS (ie SSL) then look at the OpenAS2HowTo for the section on troubleshooting certificate issues and specifically about certificate chains. Otherwise you need to provide a lot more information to get help.
The latest release version 3.7.0 has improved handling for the EOFException and also allows configuring parallel processing per partnership or globally and defines a maximum number of threads per poller. The config is set up with 2 new attributes on the poller (I have not tried to optimise the thread count value based on actual tests so if you can provide any feedback on the value you end up using that would be helpful): • process_files_in_parallel – by default each detected file is processed in series...
Ah! That makes sense but I would have thought there would eventually be an HTTP timeout or a remote disconnect message logged. I will look into what happens under test conditions and see if there is a way to handle the issue so there is some form of logging to debug it with.
Ok - that is actually incorrect - thanks for pointing this out. I have corrected the documentation now and it will come out in the next release. The "tempdir" attribute does the same thing in effect whether it is the storage MessageFileModule or storage MDNFileModule but it specifically applies to the module it is defined in.
Actually I forgot that there is an equivalent behaviour already. The "tempdir" parameter in the MessageFileModule causes the storage handler to write the output stream to the temporary directory using a computer generated unique file name and closes the file then does a file move to the output directory with the correct file name as specified by the "filename" attribute for the MessageFileModule as an atomic file operation. This is effectively a rename of the file and ensures that there is no need...
Currently the file handler for received files simply writes the file to the output stream and closes it so you would have to monitor for file size changes over a period of time to detect when it might be done. I will add the ability to use a temporary extension into the next release which I may be able to release in about a week's time.
My guess is that your Java was either deleted or updated to a new version and the path to the Java executable is no longer valid. You can get a better idea of what is going on by running the app named "OpenAS2Server.exe" in <installDir>\bin\commons-daemon. When that app opens one of the tabs will show you which Java DLL it is using. It must exist on the server and must be in a folder named "server" within the Java install.
Try this version which catches a Throwable instead of Exception for the HTTP processor: https://drive.google.com/file/d/1wza-Hxp7n-ZwKlWrY3QxxIBaBiWes00g/view?usp=sharing
You can set this property to something larger than the default of 4560 seconds in the config.xml properties section: as2_mdn_response_max_wait_seconds
Good feedback - I will ignore EOFException because it is probably being processed during the execution of the loop that checks on existing files due to the very high volume of files you are processing.
Yep - have been considering a way to add a throttling mechanism that does not require a significant amount of effort to put in a robust solution. I will update this thread when I have made further progress.
I will need to see more of the log below that line you posted - there should be a lot more logging information if you are running logging at TRACE level. If there is nothing at all after that then there must have been an uncaught catastrophic error but OpenAS2 has very extensive logging and the more likely cause is that the OpenAS2 app is crashing completely when the message is received. If you can confirm that there is definitely nothing else in the logs then the next step is to add more logging to...
Yes you need the "prevent_chunking" attribute. See section 14.5 Content Length Versus Chunked of the OpenAS2HowTo.pdf.
Each partnership element will create a poller thread if the "enabled" attribute for the "pollerConfig" element is set to "true". Each thread processes files in series and your experience is expected given the current behaviour. You can create multiple polling folders for the same partner to partner transfer by creating multiple partnerships with a different "name" value and setting the "outboxdir" attribute in the "pollerConfig" element for each partnership to be a unique folder but using the same...
No I have not had a chance to look into this.
For some reason SourceForge forces long discussion posts to be approved but sends no message to anyone saying there are messages waiting to be approved so this has sat there for a while without being seen. Whether you use 3rd party certificates or not, for encryption and signing the third party chain certificates are irrelevant. Certificate chains are only followed for SSL transport connection encryption. The MDN response from your partner indicates they could not verify the sent message and your processing...
It looks like your partner is experiencing some sort of processing error when trying to parse the inbound AS2 message. Usually an HTTP 412 response is defined as a "Precondition Failed" but they seem to be returning a custom text response for the HTTP 412. I would ask the partner if they are seeing more detail on exactly what their end is having an issue with before you can figure this out without too much trial and error. Alternatively, try the troubleshooting steps described in the OpenAS2HowTo.pdf...
If you upload a complete set of log files showing all the steps you followed and the outputs when you try to verify the certificate exists like I did above I may be able to help you. I will have a quick look but even that version is now almost 2 years old.
Sorry but I am not supporting such old versions of the software. I strongly recommend you upgrade to the latest version.
I am unable to replicate your issue as you can see below. #>cert import XXX partnera.cer OK: Certificate(s) imported successfully Imported certificate: [ [ Version: V3 Subject: CN=as2.partnerb.com, OU=QA, O=PartnerA, L=New York, ST=New York, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits params: null modulus: 22341471057871226602791951301398730674090702201899085943483542471830714381378833687634236361901803629863197914614713181523215964032582956270940173993797835803230741804120077454718922370588619607485127431074610120067816176401507263107124814904911284307715290092011361887123437494325225846141466621317815044555020172086606871286733138852159608890018076276238293135050997643704430409605908395040677982022384445357941506626156389351169724543303939351355596556190228332746224727854674675946781744526153601639608304396728105331754964802854606185754063016510245970120833063152446448531226590843838087575607755881358504247143...
That was a missed change to the new version. The release notes are correct.
See this discussion for a solution: https://sourceforge.net/p/openas2/discussion/265568/thread/9408a0d70d/
You will have to provide much more detail on exactly what you are doing and what format the source certificates are in. Have you looked for guidance in the OpenAS2HowTo.pdf? It has a lot of information around managing certificates.
Your issue has nothing to do with OpenAS2. Trying to access a home network via HTTP from the internet requires that you have a static IP address. You could share your current IP address using a "check my IP" domain but it can randomly change to something else at any time for a variety of reasons most of which you have no control over. Good luck.
Sounds like it may have nothing to do with OpenAS2. If the server is unreachable then either: 1. You have NOT set up the AS2ReceiverModule - by default it should be enabled but if you have changed any properties or settings in the config.xml then it may not be. 2. You have not provided your partner with the correct URL (the default OpenAS2 install uses port 10080 not port 80 so the URL will be something like http://as2.yourdomain.com:10080) Check what you have set for these properties: * module.AS2ReceiverModule.http.port="10080"...
What do you mean by "calling OpenAs2 server from different machine."? What are you trying to do?
If you are using OpenAS2, since they are running on different ports it does not matter what the URL is as long as it contains the correct hostname and port.
That looks like the other Java based open source AS2 software (Mendelson) not OpenAS2. OpenAS2 just does not have a path in the URL - just the hostname and the port.
You will have to turn on TRACE level logging to see if it provides more insight into where the problem lies.
There is no certificate chain checking for signature verification so the problem is most likely going to be that you do not have the right public certificate for that partner in your keystore. You can verify this by asking your partner for the certificate serial number of their certificate and compare it against what you get. They should be the same. You can use openssl or keytool as below to get the serial number: openssl pkcs12 -in OpenAS2/config/as2_certs.p12 -clcerts -passout pass:"" | openssl...
I assume when wrapping it in a container, something is providing input to the shell the app is running in. Since the console command processor is inaccessible when running OpenAS2 as a daemon, the command processor is inaccessible anyway and should be disabled as indicated in the guide for production setup, I will not be figuring out what is causing the error.
Try turning off the command processors to see which one is causing the error. console.command.processor.enabled="false" socket.command.processor.enabled="false" restapi.command.processor.enabled="false"
The error and related messages are correct and the file was moved to the error folder as stated in the message. I have verified it does actually move the file using a similar setup.
A fix is in the 3.5.0 release.
Can you provide the exact set of steps you followed so I can replicate easily please?
Are you using partnership based directory pollers (OpenAS2 version 3.*)? If so it may be a problem with the way the reload works when it auto reloads the partnerships but does not reload the associated pollers. I will take a look at that over the next few weeks but in the meantime as you are now aware, do a forced restart of the OpenAS2 server when changing any config.
Yes 3.4.1 does include code to catch the EOF exception and handle it intelligently. It also will fix setting the file name in the Subject header correctly. It is not clear what the issue is in your latest message - there is no error log and the MDN was sent indicating the message was processed successfully.
It is unclear why it was not using EN as the locale because it is hard coded in OpenAS2 for the "Date" header. You can override the date format using this property in the config.xml (or in the passed in properties file if you are using that mechanism): HTTP_HEADER_DATE_FORMAT The default formatting is: "EEE, dd MMM yyyy HH:mm:ss Z" To avoid diacritics you could use the ISO standard for the date format: "yyyy-MM-dd HH:mm:ss Z"
JCE is included in newer versions of Java so no need to do that step.
JCE is not included in newer versions of Java so no need to do that step.
It is included in the newer versions of Java. On Tuesday, December 6, 2022 at 01:07:44 PM GMT, robfantini2 <robfantini2@users.sourceforge.net> wrote: as our openas2 system, I upgraded the java version from 8 to 11. Does JCE need an upgrade from version 8? I could not find a new JCE from v8. Java Cryptography Extension question
You are right - there is a problem somewhere - I will take a look ASAP and let you know the fix.
This might be your problem: https://sourceforge.net/p/openas2/discussion/265568/thread/7e842b2b86/?limit=25#3c1b
NOTE: New functionality in OpenAS2 allows for overlapping your old and new certificates and OpenAS2 automatically tries to use the correct one. Check out the latest OpenAS2 documentation.
Can you provide more information on which header this date is being used in that is causing the problem? Some of the headers are populated with data from headers received in the initial AS2 message from your partner so the solution may not be as simple as changing your locale.
You are not likely to find that answer in this forum. AS2 only deals with the secure transfer of files - it does not care what format the files are in.
Step 4 should be: Then I merged certificates through [import_public_cert.bat]. The syntax is as follows: [import_public_cert 10010448.cer C:\test\bin\10010450.p12 tomlan] alias is [kevin] Step 5 should be: Then the partners also merge certificates through [import_public_cert.bat]. The syntax is as follows: [import_public_cert 10010450.cer C:\test\bin\10010448.p12 kevim] alias is [WHATEVER THEY USED FOR YOUR ALIAS... probably tomlan]
You need to store the partner's public certificate in a DIFFERENT alias to your own private certificate (which includes both the public and private key).
Your command to import your partner's certificate must store it in the partner's x509_alias (ie "kevin") per your partnerships.xml: import_public_cert 10010448.cer C:\test\bin\10010450.p12 kevin
It could be any number of things but without a clear indication of what the error is on the partner side you will have to step through the troubleshooting section in the OpenAS2HowTo that came with your version of OpenAS2 server.
It is not returning a valid MDN which would be a multipart/report mime part. Instead it is returning text/html. This is likely because some kind of unrecoverable error occurred on the remote end. You will have to ask your partner to provide the error they get on the other side. Given that an unencrypted version works, the issue is going to be something to do with your certificate setup. Could be any one of: 1. Incorrect certificate used to encrypt. 2. Incorrect certificate used to sign 3. Certificate...
Check the changes.txt file that comes with the ZIP package for a full list of changes across versions. The RELEASE-NOTES.md file will tell you if there are any special upgrade instructions for specific versions. I recommend you use the openas2.properties file to abstract your configuration files out of the OpenAS2 standard files so that upgrades are much easier in the future. The log indicates there is a corrupt file in the pending info folder. Unfortunately the way the code is written, it does...
I would not trust the imported certificate. An internet search indicates that this error can be for a few reasons but it includes that the certificate may not have been created correctly.
NOTE: The certificate alias is case insensitive so the difference in case you noted is not an issue.
Never had a situation where all the entries are not visible using the keytool app. The fact that the keytool fails to import the public key is most likely because it is incorrectly generated and missing some key information that keytool validates. The certificate importer implemented within OpenAS2 is rudimentary and does not validate the entire certificate. Try running the openssl command to see if it lists them: openssl pkcs12 -in <your p12 keystore file> If openssl lists the partner keys, copy...
The certs are stored in the file named by the "filename" attribute in the <certificates> element of the config.xml. You should see a private key entry for each of your own certificates (it includes the private and public keys) labelled "PrivateKeyEntry" and a trusted entry for each of your partners' public keys labelled "trustedCertEntry". Example below shows the entry for my certs as alias "MyCompany" and for the single partner I added as alias "MyPartner1": /opt/OpenAS2...
If your partnerships.xml is correctly formatted then you will need to enable TRACE level logging (see the OpenAS2HowTo.pdf for guidance). I recommend you use 3.4.0 instead of 3.0.0 as there are fixes along with enhancements that are well worth having.
You should read the latest OpenAS2HowTo.pdf that comes with 3.4.0 that details a process for replacing/adding certificates.
The only way you can access that interface is by stopping the server in systemd (in your case) and starting it manually from the command line then restarting again using systemd. The interface is not recommended to be enabled for production use because the OpenAS2 server is started as a daemon. The recommended way forward is to use the shell scripts to import your own certificates (import_alias_from_keystore.sh) and your partners' public keys (import_public_cert.sh). Then you issue a restart to OpenAS2...
The only way you can access that interface is by stopping the server in systemd (in your case) and starting it manually from the command line then restarting again using systemd. The recommended way forward is to use the shell scripts to import your own certificates (import_alias_from_keystore.sh) and your partners' public keys (import_public_cert.sh). Then you issue a restart to OpenAS2 (in your case: systemctl restart openas2). There is a UI developed to support web based configuration (see here:...
Your partnerships.xml seems very oddly structured. Not sure if it is pasting into the discussion text area but if it is reflective of the structure you actually have then you have enclosed each attribute within an attribute meaning the only attribute that will be read is: <attribute name="protocol" value="AS2"> You should ensure that all attributes are defined at the same level so it should look like this: <sender name="PartnerB"/> <receiver name="PartnerA"/> <attribute name="protocol" value="AS2"/>...
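A check for the nesting mistake described in the reply above, as an added example (not part of OpenAS2): it reports which `<attribute>` elements sit directly under `<partnership>` and which are buried inside another attribute, and flattens the latter to siblings. The partnership names, attribute names and URL in the two XML fragments are constructed, and the flattening helper is an assumed repair, not something OpenAS2 does for you.

```python
import xml.etree.ElementTree as ET

# Constructed partnerships.xml fragment with the nesting mistake: each
# <attribute> was opened inside the previous one instead of being closed.
BROKEN_PARTNERSHIPS = """<partnerships>
  <partnership name="PartnerB-to-PartnerA">
    <sender name="PartnerB"/>
    <receiver name="PartnerA"/>
    <attribute name="protocol" value="AS2">
      <attribute name="subject" value="File from PartnerB">
        <attribute name="as2_url" value="http://as2.example.com:10080"/>
      </attribute>
    </attribute>
  </partnership>
</partnerships>"""

# The same partnership written correctly: every attribute at the same level.
FIXED_PARTNERSHIPS = """<partnerships>
  <partnership name="PartnerB-to-PartnerA">
    <sender name="PartnerB"/>
    <receiver name="PartnerA"/>
    <attribute name="protocol" value="AS2"/>
    <attribute name="subject" value="File from PartnerB"/>
    <attribute name="as2_url" value="http://as2.example.com:10080"/>
  </partnership>
</partnerships>"""


def check_partnerships(xml_text: str) -> dict:
    """Per partnership: attributes at the right level, nested ones, and problems found."""
    root = ET.fromstring(xml_text)
    report = {}
    for p in root.findall("partnership"):
        direct_elems = p.findall("attribute")          # direct children only
        direct_ids = {id(a) for a in direct_elems}
        nested = [a.get("name") for a in p.iter("attribute") if id(a) not in direct_ids]
        problems = []
        if p.find("sender") is None:
            problems.append("missing <sender>")
        if p.find("receiver") is None:
            problems.append("missing <receiver>")
        problems += [f"<attribute name={n!r}> is nested inside another attribute "
                     f"and will not be read" for n in nested]
        report[p.get("name")] = {
            "direct": [a.get("name") for a in direct_elems],
            "nested": nested,
            "problems": problems,
        }
    return report


def flatten_attributes(xml_text: str) -> str:
    """Repair helper (assumed fix): move every nested attribute up to be a direct child."""
    root = ET.fromstring(xml_text)
    for p in root.findall("partnership"):
        all_attrs = list(p.iter("attribute"))            # document order
        for a in all_attrs:
            for child in list(a):                         # detach nested attributes
                a.remove(child)
        for a in p.findall("attribute"):                  # drop the old direct ones
            p.remove(a)
        for a in all_attrs:                               # re-add all as siblings
            p.append(a)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, result in check_partnerships(BROKEN_PARTNERSHIPS).items():
        print(name, result)
    print(flatten_attributes(BROKEN_PARTNERSHIPS))
```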