Managing Certificates

Certificates Overview

A digital certificate, also known as a public key certificate, is an electronic document used to indicate the ownership of a public key. Senders and receivers of documents can securely exchange documents by using digital certificates.

IBM webMethods B2B uses certificate sets. A certificate set is a certificate chain: one or more ordered certificates plus a private key. If the chain has a single certificate, that certificate must be self-signed. If the set has multiple certificates, it must have a root certificate, an optional intermediate certificate, and a node certificate, as shown in the following figure.

[Figure: certificate set with root, intermediate (optional), and node certificates]

Either upload a certificate for each of the business partners you interact with (referred to as partner-specific certificates) or use a default certificate for all the partners you interact with. For example, you can use one set of certificates for sending documents to partner A, and a different set of certificates for sending documents to partner B. When IBM webMethods B2B does not find a partner-specific certificate for a sender-receiver pair, it uses the default certificate set.

IBM webMethods B2B supports three certificate usages as authentication mechanisms:

Each usage (sign and verify, encrypt and decrypt, and SSL) can hold two certificate sets. The first set you upload is the primary certificate set and the second set you upload is the secondary certificate set.

For more information on which usages support automatic switching from primary certificates to secondary, see Using Certificates for Secure Communication Between Business Partners.

Use certificates having the following file extensions: .cer, .der, or .p7b.

The following image lists the usage based on the profile and the action that IBM webMethods B2B takes.

[Figure: certificate usage per profile and the action that IBM webMethods B2B takes]

How Can I Secure Document Exchange?

The following certificate usages are available to securely exchange documents with your business partners:

Sign - Verify
    To sign a document or verify its digital signature. In the sender's profile, IBM webMethods B2B uses the private key associated with the receiver to digitally sign documents.
    IBM webMethods B2B checks the sender's profile for the sender's public certificate that is associated with the receiver, and uses it to verify a document that was digitally signed by the sender.

Encrypt - Decrypt
    To encrypt or decrypt documents. In the receiver's profile, IBM webMethods B2B uses the public certificate associated with the receiver to encrypt information.
    IBM webMethods B2B checks the receiver's profile for the private key associated with the sender to decrypt the document.

SSL
    To enable IBM webMethods B2B to act as an SSL client and connect to a remote secure server. If you enable this usage to send documents, upload a valid private key in the sender's profile.
    The supported private key file extensions are .cer, .der, .pk, .pkcs8, and .key.

How Does a Secondary Certificate Work for SSL Certificates?

For SSL certificate types you can upload up to two certificate sets each (referred to as the primary and secondary certificate sets). The certificate set that you add first for each usage is considered the primary certificate set. When a primary certificate expires, IBM webMethods B2B continues to process documents by switching to the secondary set.

IBM webMethods B2B automatically switches to the secondary set when any of the following situations occurs:

Note
Secondary certificates are not used for the sign-verify, encrypt-decrypt, or SSL usages for any document received over an AS2 channel. To work around this issue, ensure that only valid certificates are set as primary certificates.

For detailed explanation on how the automatic switching occurs, see Certificates Overview for Secure Communication Between Business Partners.

How Does IBM webMethods B2B Verify Digital Signatures?

When a sender signs a document to send to a partner, IBM webMethods B2B checks the sender's profile to see whether it contains a receiver-specific public certificate to use to verify the document. If IBM webMethods B2B finds a set of certificates for that specific receiver, it uses the primary certificate in that set. Otherwise, it uses the default set of certificates specified in the sender's profile.

IBM webMethods B2B performs the following checks during a sign-verify scenario:

  • Ensures that the CA (Certificate Authority) that signed the certificate is included in the list of trusted CA certificates.
  • Ensures that the signed content of the document has not changed and that the sender is who it claims to be, by matching the certificate in the digital signature against the certificate that IBM webMethods B2B holds for the partner.

How Does Digital Signing of Documents Work?

IBM webMethods B2B supports X.509 v3 certificates. You can digitally sign documents that you want to send to business partners. To digitally sign a document, the sender's profile must have a private key.

IBM webMethods B2B locates the sender from the business document to retrieve the correct signing certificate. The owner of the certificate is the sender, and the receiver is the business partner.

You can set up IBM webMethods B2B to use unique partner-specific certificates for each of your business partners. You can also specify a default sign certificate by providing the certificate information in the sender's profile. If you upload a default sign certificate, IBM webMethods B2B uses it when a partner-specific sign certificate is not available.

How Does Encrypting and Decrypting Data Work?

When a business partner encrypts a document to send it to another partner, IBM webMethods B2B checks the sender's profile to see whether it contains the specific public certificate to encrypt the document. If IBM webMethods B2B does not find a certificate set to use for that sender, it uses the default certificate set specified in the receiver's profile.

When a partner sends an encrypted document to the enterprise, IBM webMethods B2B checks the receiver's profile to see whether it contains the specific private key to decrypt the document. If IBM webMethods B2B does not find a certificate set to use for that specific receiver, it uses the private key in the default certificate set in the receiver's profile.

How Does Secure Communication with SSL Work?

For SSL connections that require client-side authentication, IBM webMethods B2B checks the sender's profile to see whether it contains the specific certificate set, along with the private key, to use to connect to the receiver (the remote secure server).

The following list describes the possible sender-receiver scenarios and the secure communication mechanism that IBM webMethods B2B uses in each:

IBM webMethods B2B finds a receiver-specific certificate set to use
    The receiver-specific public certificate set along with its private key.

IBM webMethods B2B does not find a receiver-specific certificate set to use
    The default certificate set along with the private key specified in the sender's profile.

How Do I Monitor Certificates?

You can monitor certificates for all the partners in a single view on IBM webMethods B2B. The following list shows how you can monitor certificates:

View all the certificates you have configured for partners in IBM webMethods B2B
    Go to the Partners icon > Certificate monitoring.

View expired certificates
    1. Go to the Partners icon > Certificate monitoring.
    2. Click the icon.

View certificates that expire in 24 hours, seven days, 30 days, one year, or three years
    1. Go to the Partners icon > Certificate monitoring.
    2. Click the appropriate option in the icon.

View certificates that expire in a specific date range
    1. Go to the Partners icon > Certificate monitoring.
    2. Click the icon and specify the Start date and End date in the Custom date range dialog box.

Refresh the certificate list
    1. Go to the Partners icon > Certificate monitoring.
    2. Click the icon.

View certificates of a specific partner
    1. Go to the Partners icon > Partner Profiles > Partner_name > Certificates.
    2. On the Certificates page, click the icon.
    3. Type the partner name in the text box.

Sort certificates based on partner
    1. Go to the Partners icon > Partner Profiles > Partner_name > Certificates.
    2. Click the icon next to Partner name.
    Certificates are sorted in ascending order by default.

Search for a certificate based on a search string
    1. Go to the Partners icon > Partner Profiles > Partner_name > Certificates.
    2. Click the icon next to Partner name.
    3. Type the certificate search string in the text box.
    All the certificates that contain the string appear in the search results.

View certificates that are Issued to a partner
    1. Go to the Partners icon > Partner Profiles > Partner_name > Certificates.
    2. Click the icon next to Issued to.
    3. Type the partner's name string in the text box.

Note
The partner profile name may be different from the common name appearing in the Issued to column.
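The following is an added example, not IBM webMethods B2B's own code: it models the chain rules from the Certificates Overview, the primary-to-secondary switch described for SSL certificates, the partner-specific-over-default lookup, and the expiry windows offered by the monitoring filters above. The Cert and CertSet records, the profile layout, the function names and all sample certificates are constructed assumptions for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# A certificate set is an ordered chain (root, optional intermediates, node) plus a private key.
Cert = namedtuple("Cert", "subject issuer not_after")  # not_after: timezone-aware datetime
CertSet = namedtuple("CertSet", "chain private_key")   # private_key: constructed stand-in

def chain_is_valid(chain):
    """Overview rules: a lone cert must be self-signed; a longer chain starts at a
    self-signed root and each later cert is issued by the one before it."""
    if not chain or chain[0].subject != chain[0].issuer:
        return False
    return all(cur.issuer == prev.subject and cur.subject != cur.issuer
               for prev, cur in zip(chain, chain[1:]))

def set_expired(cert_set, now):
    """A set is unusable once any certificate in its chain has expired."""
    return any(c.not_after <= now for c in cert_set.chain)

def resolve_set(profile, partner, usage, now):
    """profile: usage -> {partner or 'default': [primary, secondary]}. Partner-specific
    sets win over the default; the primary is used until it expires, then the secondary."""
    by_partner = profile.get(usage, {})
    for cert_set in (by_partner.get(partner) or by_partner.get("default") or [])[:2]:
        if not set_expired(cert_set, now):
            return cert_set
    return None  # nothing usable configured for this usage

# Monitoring filters named on the page: 24 hours, 7 days, 30 days, 1 year, 3 years.
EXPIRY_WINDOWS = [("24 hours", timedelta(hours=24)), ("7 days", timedelta(days=7)),
                  ("30 days", timedelta(days=30)), ("1 year", timedelta(days=365)),
                  ("3 years", timedelta(days=3 * 365))]

def expiry_bucket(cert, now):
    """Return 'expired' or the first monitoring window the expiry date falls into."""
    if cert.not_after <= now:
        return "expired"
    return next((label for label, w in EXPIRY_WINDOWS if cert.not_after - now <= w),
                "beyond 3 years")

# Constructed sample data: partner-a's primary SSL set C1 has an expired node
# certificate, so resolution must fall through to the secondary set C2.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ROOT = Cert("Example Root CA", "Example Root CA", NOW + timedelta(days=3000))
INTER = Cert("Example Issuing CA", "Example Root CA", NOW + timedelta(days=900))
C1 = CertSet([ROOT, INTER, Cert("partner-a node", "Example Issuing CA", NOW - timedelta(days=1))], "key-c1")
C2 = CertSet([ROOT, INTER, Cert("partner-a node", "Example Issuing CA", NOW + timedelta(days=20))], "key-c2")
DEFAULT = CertSet([ROOT, INTER, Cert("enterprise node", "Example Issuing CA", NOW + timedelta(days=400))], "key-def")
PROFILE = {"ssl": {"partner-a": [C1, C2], "default": [DEFAULT]}}
```

Calling resolve_set(PROFILE, "partner-a", "ssl", NOW) returns C2 because C1's node certificate has lapsed, while an unknown partner falls back to DEFAULT; expiry_bucket(C2.chain[-1], NOW) lands in the "30 days" window.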

Using Certificates for Secure Communication Between Business Partners

The following sections address the various scenarios that occur while using certificates to exchange documents with partners.

Pre-requisites:

SSL Scenario with C1 as the Primary SSL Certificate

[Figure: SSL exchange with C1 as the primary SSL certificate]

Here, C1 is the primary SSL certificate.

Step 1: The enterprise sends a document to the business partner over HTTPS using the private key from certificate C1.
Step 2: The business partner's server authenticates the document using the SSL certificate C1 configured on the server. Authentication is successful, and the transaction is complete.

SSL Scenario with C2 as the Primary SSL Certificate

[Figure: SSL exchange with C2 as the primary SSL certificate]

Here, C1 is the primary certificate and C2 is the SSL certificate configured on the business partner's server.

Step 1: The enterprise sends a secure document to the business partner over HTTPS using the private key from certificate C1.
Step 2: The business partner's server authenticates the document using the SSL certificate C2 configured on the server. Authentication fails.
Step 3: The business partner sends an error message to the enterprise.
Step 4: The enterprise switches the SSL certificate to C2.
Step 5: The business partner resends the document to the enterprise over HTTPS.
Step 6: The business partner authenticates the document using the SSL certificate C2. Authentication is successful, and the transaction is complete.