Certificates Overview
No subtopics in thissection
A digital certificate, also known as a public key certificate, is an electronic document used to indicate the ownership of a public key. Senders and receivers of documents can securely exchange documents by using digital certificates.
IBM webMethods B2B uses certificate sets. A certificate set is a certificate chain when it has one or more ordered certificates and a private key. If a certificate chain has a single certificate, it must be self-signed. If a set has multiple certificates, it must have a root, intermediate (optional), and node certificate as shown in the following figure.
Either upload a certificate for each of the business partners you interact with (referred to as partner-specific certificates) or use a default certificate for all the partners you interact with. For example, you can use one set of certificates for sending documents to partner A, and a different set of certificates for sending documents to partner B. When IBM webMethods B2B does not find a partner-specific certificate for a sender-receiver pair, it uses the default certificate set.
IBM webMethods B2B supports three usages as authentication mechanisms for certificates:
- Sign-Verify
- Encrypt-Decrypt
- Secure Socket Layer (SSL)
Each usage can contain two certificate sets. For example, two sets for each usage: sign and verify, encrypt and decrypt, and SSL. The first set you upload is the primary certificate set and the second set you upload is the secondary certificate set.
For more information on which usages support automatic switching from primary certificates to secondary, see Using Certificates for Secure Communication Between Business Partners.
Use certificates having the following file extensions: .cer, .der, or .p7b.
The following image lists the usage based on the profile and the action that IBM webMethods B2B takes.
How Can I Secure Document Exchange?
No subtopics in thissection
The following certificate usages are available to securely exchange documents with your business partners:
| Usages | Usage Description |
|---|---|
| Sign - Verify | To sign a document or verify the digital signature. In the sender’s profile, IBM webMethods B2B uses the private key associated with the receiver to digitally sign documents. IBM webMethods B2B checks the sender’s profile to use the sender’s public certificate that is associated with receiver to verify the document that was digitally signed by the sender. |
| Encrypt - Decrypt | To decrypt or encrypt documents. In the receiver’s profile, IBM webMethods B2B uses public certificate associated with the receiver to encrypt information. IBM webMethods B2B checks the receiver’s profile for the private key associated with the sender to decrypt document. |
| SSL | To enable IBM webMethods B2B to act as an SSL client and connect to a remote secure server. If you enable this usage to send documents, upload a valid private key in the sender’s profile. The supported private key file extensions are .cer, .der, .pk,.pkcs8, and .key |
How Does a Secondary Certificate Work for SSL Certificates?
No subtopics in thissection
You can upload up to two certificate sets each (referred to as the primary and secondary certificate sets for SSL certificate types. The certificate that you add first for each usage is considered as the primary certificate set. When a primary certificate expires, IBM webMethods B2B continues to process documents by switching to the secondary set.
IBM webMethods B2B automatically switches to the secondary set when any of the following situation occurs:
- The primary certificate expires, but the secondary certificate has not.
- The receiver's sign-verify, or SSL primary certificate set does not match the sender's sign-verify or SSL certificate set.
Note
Secondary certificates are not used to sign-verify, encrypt-decrypt, or SSL usages for any document received over any AS2 channel. To work around this issue, ensure that only valid certificates are set as primary certificates.
For detailed explanation on how the automatic switching occurs, see Certificates Overview for Secure Communication Between Business Partners.
How Does IBM webMethods B2B Verify Digital Signatures?
No subtopics in thissection
When a sender signs a document to send to a partner, IBM webMethods B2B checks sender’s profile to see if it contains a receiver-specific public certificate to use to verify the document. If IBM webMethods B2B finds a set of certificates to use for that specific receiver, it uses the primary certificate in that set. Else, it uses the default set of certificates specified in the sender’s profile.
IBM webMethods B2B performs the following checks during a sign-verify scenario:
How Does Digital Signing of Documents Work?
No subtopics in thissection
IBM webMethods B2B supports x.509v3 certificates. You can digitally sign documents that you want to send to business partners. To digitally sign a document, the sender’s profile must have a private key.
IBM webMethods B2B locates the sender from the business document to retrieve the correct signed certificate. The owner of the certificate is the sender, and the receiver is the business partner.
You can set up IBM webMethods B2B to use unique partner-specific certificates for each of your business partners. You can also specify a default sign certificate by providing the certificate information in the sender’s profile. If you upload a default sign certificate, then IBM webMethods B2B uses it when a partner-specific sign certificate is not available.
How Does Encrypting and Decrypting Data Work?
No subtopics in thissection
When a business partner encrypts a document to send it to another partner, IBM webMethods B2B checks the sender’s profile to see it contains the specific public certificate to encrypt the document. If IBM webMethods B2B does not find a certificate set to use for that sender, it uses the default certificate set specified in the receiver’s profile.
When a partner sends an encrypted document to the enterprise, IBM webMethods B2B checks the receiver’s profile to see if it contains the specific private key to decrypt the document. If IBM webMethods B2B does not find a certificate set to use for that specific receiver, it uses the private key in the default certificate in the receiver’s profile.
How Does Secure Communication with SSL Work?
No subtopics in thissection
When SSL connections that require client-side authentication, IBM webMethods B2B checks the sender’s profile to see whether it contains the specific certificate set along with the private key to use to connect to the receiver (the remote secure server).
The following table lists the possible communication sender-receiver scenarios and how IBM webMethods B2B uses the secure communication mechanism for each scenario:
| Scenario | Secure Communication Mechanism that IBM webMethods B2B Uses |
|---|---|
| IBM webMethods B2B finds a receiver-specific certificate set to use | The public certificate set along with the private key. |
| IBM webMethods B2B does not find a receiver-specific certificate to use | The default certificate set along with the private key specified in the sender’s profile. |
How Do I Monitor Certificates?
No subtopics in thissection
You can monitor certificates for all the partners in a single view on IBM webMethods B2B. The following table lists how you can monitor certificates:
| Certificate Monitoring Activity | Action |
|---|---|
| View all the certificates you have configured for partners in IBM webMethods B2B | Go to Partners  > Certificate monitoring. |
| View expired certificates | 1. Go to Partners > Certificate monitoring. 2. Click  . |
| View certificates that expire in 24 hours, seven days, 30 days, one year, or three years | 1. Go to Partners > Certificate monitoring. 2. Click the appropriate option in  . |
| View certificates that expire in a specific date range | 1. Go to Partners > Certificate monitoring. 2. Click  and specify the Start date and End date in the Custom date range dialog box. |
| Refresh the certificate list | 1. Go to Partners > Certificate monitoring. 2. Click  . |
| View certificates of a specific partner | 1. Go to Partners > Partner Profiles > Partner_name > Certificates. 2. On the Certificates page, click  . 3. Type the partner name in the text box. |
| Sort certificates based on partner | 1. Go to Partners > Partner Profiles > Partner_name > Certificates. 2. Click  next to Partner name. Certificates are sorted in ascending order by default. |
| Search for a certificate based on a search string | 1. Go to Partners > Partner Profiles > Partner_name > Certificates. 2. Click next to Partner name. 3. Type the certificate search string in the text box. All the certificates that contain the string appear as search result. |
| View certificates that are Issued to a partner | 1. Go to Partners > Partner Profiles > Partner_name > Certificates. 2. Click next to Issued to. 3. Type the partner’s name string in the text box. Note
The partner profile name may be different from the common name appearing in the Issued to column.
|
Using Certificates for Secure Communication Between Business Partners
SSL Scenario with C1 as the Primary SSL CertificatesSSL Scenario with C2 as the Primary SSL CertificateThe following sections address the various scenarios that occur while using certificates to exchange documents with partners.
Pre-requisites:
- You must have set up the enterprise and created one or more partners in IBM webMethods B2B. And these partners must have appropriate partner users associated with them.
- Ensure that you have created communication channels and associated them with the appropriate inbound and outbound channels for those partner profiles.
- The outbound channel configuration must have a preferred outbound set in the partner profile.
- Ensure that the processing rule processes the incoming business document, has the Deliver Document option is selected in the Actions page while configuring a processing rule.
- Ensure that the sender's profile contains valid certificates.
SSL Scenario with C1 as the Primary SSL Certificates
Here, C1 is the primary SSL certificate.
| Step | Description |
|---|---|
| 1 | The enterprise sends a document to the business partner over HTTPS using the private key from certificate C1. |
| 2 | The business partner’s server authenticates the document using the SSL certificate C1 configured on the server. Authentication is successful, and the transaction is complete. |
SSL Scenario with C2 as the Primary SSL Certificate
Here, C1 is the primary certificate. C2 is the SSL certificate.
| Step | Description |
|---|---|
| 1 | The enterprise sends a secure document to the business partner over HTTPS using the private key from certificate C1. |
| 2 | The business partner’s server authenticates the document using the SSL certificate C2 configured on the server. Authentication fails. |
| 3 | The enterprise sends an error message to the enterprise. |
| 4 | The enterprise switches the SSL certificate to C2. |
| 5 | The business partner resends the document to the enterprise over HTTPS. |
| 6 | Business partner authenticates the document using the SSL certificate C2. Authentication is successful. The transaction is complete. |