This section provides a general overview of the types of security, the tools used to generate and upload certificates, and the types of data stores installed by WebSphere Business Integration Connect.
This section gives a brief overview of SSL, digital signatures, and encryption.
WebSphere Business Integration Connect can use SSL to secure inbound and outbound documents. An inbound document is one that is sent to the hub. An outbound document is one that is sent from the hub.
SSL is a commonly used protocol for managing security over the Internet. SSL provides secure connections by enabling two applications linked through a network connection to authenticate each other's identity.
An SSL connection begins with a handshake. During this stage, the applications exchange digital certificates, agree on the encryption algorithms to use, and generate encryption keys used for the remainder of the session.
The SSL protocol provides the following security features:
Digital signing is the mechanism for ensuring non-repudiation. Non-repudiation means that a participant cannot deny having originated and sent a message. It also ensures that the participant cannot deny having received a message.
A digital signature allows an originator to sign a message so that the originator is verified as the person who actually sent the message. It also ensures that the message has not been modified since it was signed.
WebSphere Business Integration Connect uses a cryptographic system known as public key encryption to secure the communication between participants and the hub. Public key encryption uses a pair of mathematically related keys. A document encrypted with the first key must be decrypted with the second, and a document encrypted with the second key must be decrypted with the first.
Each participant in a public key system has a pair of keys. One of the keys is kept secret; this is the private key. The other key is distributed to anyone who wants it; this is the public key. WebSphere Business Integration Connect uses a participant's public key to encrypt a document. The private key is used to decrypt a document.
As described in the sections that follow, you use the IBM Key Management Tool (ikeyman) to create key databases, public and private key pairs, and certificate requests. You can also use ikeyman to create self-signed certificates. The ikeyman utility is included in the <WBIC_install_dir>/router/was/bin directory, which WebSphere Business Integration Connect creates during installation.
You can also use ikeyman to generate a request for a certificate to a Certifying Authority (CA).
You use the Community Console to install all the required client, signature, and encryption certificates into the WebSphere Business Integration Connect stores. You can also use the Community Console to install Root and CA (Certifying Authority) certificates.
When you install WebSphere Business Integration Connect, a keystore and truststore for the Receiver and Console are installed.
By default, the two keystores and two truststores are created in the WBIC_install_root/common/security/keystore directory. The names are:
The default password for accessing all four stores is WebAS. The embedded WebSphere Application Server is configured to use these four stores.
/WBIC_install_root/console/was/java/bin/keytool -storepasswd -new $NEW_PASSWORD$ -keystore $KEYSTORE_LOCATION$ -storepass $CURRENT_PASSWORD$ -storetype JKS
If the keystore passwords are changed, each WebSphere Application Server instance configuration must also be changed. This can be done using the bcgChgPassword.jacl script. For the Console instance, navigate to the following directory:
/WBIC_install_root/console/was/bin
and execute the following command:
./wsadmin.sh -f /WBIC_install_root/console/scripts/bcgChgPassword.jacl -conntype NONE
Repeat this step for the WebSphere Application Server instances of the Receiver and Document Manager.
You will be prompted for the new password.
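The following is an added example, not part of WebSphere Business Integration Connect or IBM tooling: an audit check that tells you whether a JKS store still opens with the default store password WebAS, so you can confirm that the keytool step above actually took effect on all four stores. It verifies the JKS integrity digest directly rather than invoking keytool, and assumes the stores are JKS files (as the -storetype JKS argument in this section implies); the store file names and directory passed to audit_stores are assumptions for your installation.

```python
"""Check whether JKS keystores still use the default store password.

Added example (not IBM's code). Verifies the JKS integrity digest without
keytool. Assumes the stores are JKS files, as -storetype JKS implies.
"""
import hashlib
import os

JKS_MAGIC = b"\xfe\xed\xfe\xed"
# Fixed salt that the JKS format mixes into its integrity digest.
JKS_SALT = b"Mighty Aphrodite"
DEFAULT_PASSWORD = "WebAS"


def jks_integrity_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over the password (UTF-16BE), the salt, and the store body."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_SALT)
    h.update(body)
    return h.digest()


def jks_password_matches(data: bytes, password: str) -> bool:
    """True if the trailing 20-byte digest of a JKS file verifies under password."""
    if len(data) < 32 or data[:4] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    body, stored = data[:-20], data[-20:]
    return jks_integrity_digest(password, body) == stored


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a valid JKS version-2 store with zero entries."""
    body = JKS_MAGIC + (2).to_bytes(4, "big") + (0).to_bytes(4, "big")
    return body + jks_integrity_digest(password, body)


def audit_stores(directory: str, names, password: str = DEFAULT_PASSWORD):
    """Return the store files under directory that still open with password."""
    weak = []
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "rb") as f:
            if jks_password_matches(f.read(), password):
                weak.append(path)
    return weak


if __name__ == "__main__":
    # Demonstration on constructed stores rather than a live installation.
    default = build_empty_jks(DEFAULT_PASSWORD)
    rotated = build_empty_jks("example-rotated-password")
    print("still WebAS:", jks_password_matches(default, DEFAULT_PASSWORD))
    print("still WebAS:", jks_password_matches(rotated, DEFAULT_PASSWORD))
```

Point audit_stores at WBIC_install_root/common/security/keystore with the four store file names to list any store that was missed during the password change.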
This data type must match the data type of the importing certificate.