"please assign a private key..."

joe m.

Hello,

I am an EDI and AS2 newbie. I am trying to follow the instructions in "The definitive guide to setup on Windows". I have checked and double checked that I have done everything exactly.

I am in the "configure the main system" part of the guide, but I get an error when I try to configure the partner with the "green house" at the beginning of the guide. After I put my IP address in the MDN URL bar in the partner configuration screen, I get an error that says "no key assignment" and then says "please assign a private key to every of the local stations."

The "local station" check box is checked in the misc menu, and "main system [main system]" is the only option for the "private key (encryption)" and "private key (signature)" boxes in the security menu.

I have gone through the instructions many times, and have also tried to assign a private key as the instructions suggest, yet I can't seem to get anything but this error. I am sure it's probably something simple, but I'm stuck. Please help.

thanks,
joe

heller

Joe,

To sign messages and decrypt data, a private key is required for every local station. For more information about PKI, please have a look at

http://en.wikipedia.org/wiki/Public_key_infrastructure
http://en.wikipedia.org/wiki/Public_key

Regards
Heller

joe m.

Hi Heller,

Thank you for your response. Unfortunately, the problem is that I followed the instructions below and thought that I had created a public key. What am I missing? Shouldn't this create a public key? Also, just to make sure, I clicked File > Reload keystore, but that didn't seem to help.

I followed the directions below in Portecle 1.4:

http://community.mendelson-e-c.com/node/389
Left click on the first entry and then right click on it and select DELETE, click on YES to confirm and then repeat for the other entries in the list. This will give us a blank key store to start with.

...

Click on TOOLS and then on GENERATE KEY PAIR.

Make sure RSA is selected and the size is 1024 and click on OK. In a second you will be shown a screen where you enter in your information.

Make sure it is SHA1withRSA and change the validity to 3000

In the next three lines type in "main system" (no quotes)

Then type in your suburb, state, country code (2 letters only) and your email address. Then click on OK. Enter in the alias of "main system" (no quotes) and click on OK and then click on OK again.

You have just made your keys for the main server. We now need to create a certificate for our test server to use.

Highlight the line for main system, right click on it, and left click on EXPORT. Select "certificate chain" and "PKCS #7" and click on OK. Save it to your desktop, change the name to "main system.cer", and click on EXPORT. Click on OK when the successful window appears.

Close portecle and click on YES to save the key store.

heller

Joe,

These instructions are community-driven; we have not verified them. They describe how to work with Portecle, which is 3rd-party software for working with keystores. Please have a look at the link section for a download link.

Regards
Heller

mccachar

Joe,

I thought maybe a plain-English description of how PKI works and how it relates to Mendelson might help you.

The basic premise behind PKI is that *you* generate two keys (just a couple of big numbers; 1024 bits, 2048 bits, etc.) that are mathematically related (like ripping a piece of paper in half; the tear is unique). That's the "Generate Key Pair" option in Portecle.

Now, one of those keys you can give to the whole world. There's nothing private about it, hence it's called the "public key". The other one is super-secret . . . the "private key". If the private key is compromised, all hope is lost, so the file is usually protected on the filesystem and encrypted (3DES, I believe), so it requires a password, which you'll notice Portecle prompting for sometimes. Remember, the private key never leaves your control.

And here's why this arrangement is so special:

If someone uses your public key (which can be freely given out) to encrypt something, it can only be decrypted with your private key (remember that unique mathematical relationship?). This is confidentiality.

If you use your private key on something to "sign" it, anyone with your public key can be sure it came from you (because only you have the private key). This is authentication.

If you use your private key to sign the "hash" of something, anyone with your public key can prove that the message hasn't been tampered with. (A hash is another mathematical trick that derives a unique number from a piece of data; [almost] no two pieces of data will produce the same hash and the hash can't be reversed to determine the data.) This is integrity.

If you have both authentication and integrity, you also have non-repudiation. It's legally-admissible proof (at least in the US) that you sent exactly that message.

That's all good stuff. But how does the world know that the private key that was used to sign that message actually belongs to you? That's where Certificate Authorities (CAs) come in. If a CA signs your public key with their private key and adds some information (most importantly the "subject", the owner), it's now a "certificate" because it certifies that anyone with the matching private key is the subject named on the certificate.

Anyone can be a CA (all you need is your own key pair ; > ), but we pay big commercial CAs like Thawte and Verisign (same company, BTW) to purportedly verify that an authentic subject is going on the certificate. If someone other than a commercial CA signs your public key, it's usually called a self-signed certificate. There's nothing inherently less secure about a self-signed cert (AAMOF, there are ways in which it's more secure, but that's another discussion), however, most software that handles PKI has a built-in list of "trusted roots"...that is, CAs that are generally trusted...and if they are presented with a certificate signed by a CA that's not in the list of trust roots, they'll pop up a warning dialog. Some ridiculous software won't work with self-signed certs at all.

So what does this mean for Mendelson? Each pair of trading partners has to have a public/private key pair and has to exchange public keys. You use your partner's public key for encrypting messages you send to them and verifying the integrity of messages received from them. You use your private key for decrypting messages sent to you and establishing the integrity of messages you send to them.

Mendelson has two keystores (just files which can contain multiple keys), one at ./certificates.p12 and the other at ./jetty/etc/keystore. They're in different formats and they have to stay that way, which means you have to do double work with your keys. I start by opening Portecle, and opening the certificates.p12 store. Then you can select "Generate Key Pair". You'll want RSA keys (just one way of doing the math) and I recommend using a 2048-bit key size (1024-bit keys are near-crackable now, so during a multi-year lifespan, they're likely to be crackable). Leave the "Signature Algorithm" at "SHA1withRSA". The validity period is up to you, but if you're going to have it signed by a commercial CA, you pay by the year. And again, if you're signing yourself, the rest of the info is arbitrary, but a commercial CA will want accurate info. Here's what I'd have:

CN=myserver.mydomain.com
OU=My Department
O=My Company
L=My City
ST=two-letter abbreviation for my state (don't know how this is used outside the US)
C=US
E=some_role_account@mydomain.com

The "Key Pair Alias" is just the name by which it will appear in the list, for your reference.

I'm sure everything else was perfectly straightforward (; >) so here's where it gets complicated. You need your public key signed to get a certificate, which means that you have to generate a "certificate signing request" (CSR) file to give to the CA. In Portecle, just right-click the key pair you created and select "Generate Certification Request".

Now a CA has to act on that CSR. If you're getting a commercial cert, go to the CA's website and follow the bouncing ball. If your company has an internal CA that will be signing for you, you'll have to talk to your admin (for the MS CA, you'd start at http://someserver/certsrv). If you're going to sign it yourself, here's a good description of doing it with openssl: http://www.tc.umn.edu/~brams006/selfsign.html (it's really only the "openssl x509" line you need; the rest you're doing in Portecle).

What you'll get back from the CA is a "reply" file, which you have to match against the original key pair. In Portecle, you'll do that by right-clicking the key pair and selecting "Import CA Reply". What you'll end up with is a new entry in your keystore for the signed certificate. It's that certificate that you'll want to right-click and choose "Export" and give to your trading partner.

So now you've got one keystore ready to use with a public/private key pair and your certificate. Congratulations. All that's left to do is get the other keystore populated. There are a couple of approaches here, but what I do is export the keys and cert, then open up the other keystore and import them. Part of the reason is that I keep the keys and cert in a password locker for posterity, so I'm going to export them anyway. Here we go:

Right-click the key pair or cert and select Export.
For the cert, just accept the defaults and save the file somewhere.
For the key pair, select "Private Key and Certificates", give it a password (which you'll need to import it again), and then save the file somewhere.
Save and close this keystore and open the other one.
Select "Import Key Pair", browse for the key file, and follow the prompts.
Select "Import Trusted Certificate", browse for the cert, and follow the prompts.
Save and close this keystore.

Mendelson should now be good to go. Remember not to leave that exported private key lying around.

Thanks,
Chaz
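As an added example (not from the thread, Chaz's post or the Mendelson project), the same steps done with the JDK's keytool instead of Portecle, plus a check that the local station alias actually holds a private key, which is what the "no key assignment" error in the first post is about. The keystore name certificates.p12 and the alias "main system" come from the thread; the keytool listing embedded in the script is a constructed sample, the ST=MN value is made up, and SHA256withRSA is my choice rather than the SHA1withRSA the post leaves in place.

```shell
#!/bin/sh
# Added example, not from the thread: keytool equivalents of the Portecle steps, plus a
# check that a local station alias holds a PRIVATE key (PrivateKeyEntry) and not only a
# trusted certificate, which is what "please assign a private key to every of the local
# stations" is complaining about.
# entry_type LISTING ALIAS: print the type keytool -list reports for ALIAS
# (PrivateKeyEntry / trustedCertEntry) or "none"; aliases with spaces are fine
entry_type() {
    printf '%s\n' "$1" | awk -v a="$2" '
        index($0, a ", ") == 1 {
            sub(/[, ]+$/, ""); n = split($0, f, ", ")   # strip trailing ", "; alias, date, type
            print f[n]; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# check_local_station KEYSTORE STOREPASS ALIAS: succeeds only if ALIAS has a private key
check_local_station() {
    listing=$(keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2") || return 2
    [ "$(entry_type "$listing" "$3")" = "PrivateKeyEntry" ]
}

# gen_local_station KEYSTORE STOREPASS ALIAS DN: Portecle's "Generate Key Pair"
# (RSA 2048; SHA256withRSA is my choice, the post leaves Portecle's SHA1withRSA)
gen_local_station() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3000 \
        -alias "$3" -dname "$4" -keystore "$1" -storetype PKCS12 -storepass "$2" -keypass "$2"
}

# export_cert KEYSTORE STOREPASS ALIAS OUTFILE: certificate only, no private key;
# this is the file a trading partner gets
export_cert() {
    keytool -exportcert -rfc -alias "$3" -file "$4" -keystore "$1" -storetype PKCS12 -storepass "$2"
}

# Constructed sample of keytool -list output, so the check can be tried without a JDK
SAMPLE_LISTING='Keystore type: PKCS12
main system, Mar 3, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): AA:BB:CC
partner corp, Mar 3, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): DD:EE:FF'
echo "main system -> $(entry_type "$SAMPLE_LISTING" "main system")"   # PrivateKeyEntry
# Real run against certificates.p12 (needs keytool): sh this.sh --run
if [ "${1:-}" = "--run" ]; then
    KS=certificates.p12; PW=${STOREPASS:-changeit}
    gen_local_station "$KS" "$PW" "main system" \
        "CN=myserver.mydomain.com, OU=My Department, O=My Company, L=My City, ST=MN, C=US"
    export_cert "$KS" "$PW" "main system" "main system.cer"
    check_local_station "$KS" "$PW" "main system" && echo "main system has a private key"
fi
```

The same check_local_station call against ./jetty/etc/keystore (with -storetype JKS if that store is in JKS format) tells you whether the second keystore Chaz describes also received the key pair and not just the certificate.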

joe m.

Chaz and Heller,

I really appreciate this information. I know I'm probably in over my head, but I'm a small business owner trying to use Mendelson AS2 to connect with multinational companies who have started fining me for not having an EDI system. I don't have the money to use a commercial version (and I prefer open source anyway), and they don't care enough about my few transactions to walk me through the process (plus, they're used to commercial methods doing all the work for them).

So, as usual, I am indebted to the amazing open source community. Now I just hope I can get this system running! I'll have to go through this process a few times to make sure I don't mess it up and get comfortable with it.

thanks again,

joe

mccachar

If you need more help, let me know and we can take it offline if necessary.

Thanks,
Chaz

joe m.

Thanks.
I'll let you know, and you'll probably hear from me soon. I'm going to give this a try for a bit and see what I can come up with. And if I still come up short, I'll send you an email.

Again, I really appreciate the help.

Best,
joe