Creating and installing encryption certificates
This section describes the two encryption certificates the hub works with: the inbound certificate, whose private key the hub uses to decrypt documents from participants, and the outbound certificates, whose public keys the hub uses to encrypt documents for participants. It explains how to create, distribute, and install each.
Inbound encryption certificate
The hub uses this certificate to decrypt encrypted files received
from participants. Participants encrypt with the public key in the
certificate that you distribute to them; the hub decrypts with the
matching private key, which only the hub holds. Encryption keeps anyone
other than the sender and the intended recipient from reading documents
in transit.
Note the following restriction on receiving encrypted AS2 messages
from participants. If a participant sends an encrypted AS2 message
that was encrypted with the wrong certificate, decryption fails, and
no MDN is returned to the participant to indicate the failure.
For your participant to receive an MDN in this situation, create a
connection to the participant with the following document flow
definition:
- Package: AS
- Protocol: Binary
- Document Flow: Binary
Using a self-signed certificate
If you are going to use a self-signed certificate, use
the following procedure.
- Start the iKeyman utility.
- Use iKeyman to generate a self-signed certificate and a key
pair.
- Use iKeyman to extract the certificate (which contains your public
key) to a file.
- Distribute the certificate to your participants. They are required
to import the file into their B2B product for use as an encryption
certificate. Advise them to use it when they want to send encrypted
files to the Community Manager. If your certificate is CA-signed,
provide the CA certificate as well.
- Use iKeyman to save the self-signed certificate and
private key pair in the form of a PKCS12 file.
- Install the self-signed certificate and private key pair in
the form of a PKCS12 file through the Community Console.
- Click Account Admin > Profiles > Certificates to
display the Certificate List page.
Make sure you are logged in to the Community Console as the Hub
Operator.
- Click Load PKCS12.
Notes:
- The PKCS12 file being uploaded should contain only one private
key and the associated certificate.
- You can also upload the certificate and private key as a DER-encoded certificate
and PKCS#8-encoded private key.
- Select Encryption as the type of certificate.
- Type a description of the certificate (which is required).
- Change the status to Enabled.
- Click Browse and navigate to the directory
in which you have saved the certificate.
- Select the certificate and click Open.
- Enter a password.
- Click Upload and then click Save.
- Enable encryption at the package level (highest), the participant
level, or the connection level (lowest). A setting made at a lower
level overrides the setting inherited from a higher level, so the
connection level takes precedence. The connection summary informs
you if any required attribute is missing.
For example, to alter the attributes of a participant connection, click Account Admin > Participant Connections,
select the participants, click Attributes, and then edit the attribute
(for example, AS Encrypted).
Using a CA-signed certificate
If you are going to use a certificate signed by a CA,
use the following procedure:
- Start the iKeyman utility.
- Use iKeyman to generate a certificate request and a key pair
for the Receiver.
- Submit a Certificate Signing Request (CSR) to a CA.
- When you receive the signed certificate from the CA, use iKeyman
to place the signed certificate into the key store.
- Distribute the signing CA certificate to all participants.
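The following script is an added example and is not part of the product documentation: it shows the openssl equivalents of the iKeyman steps in both procedures above (self-signed key pair and certificate, the DER certificate to hand to participants, the one-key PKCS12 for Load PKCS12, the alternative DER certificate plus PKCS#8 key, and the key pair plus CSR for the CA-signed path). The subject DN, file names, RSA-2048 key size, and 365-day validity are illustrative assumptions, and the PKCS12 password is supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the product documentation: openssl equivalents
# of the iKeyman steps for the inbound encryption certificate.
# Assumptions: the subject DN, file names, RSA-2048 and 365-day validity are
# illustrative only; the PKCS12 password is passed in by the caller.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="${SUBJ:-/C=US/O=Example Hub/CN=hub.example.com}"   # constructed DN

# Self-signed path: generate the key pair and the self-signed certificate in
# one step, then extract the public certificate (DER) that participants import.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "$SUBJ" \
    -keyout "$WORK/hub.key" -out "$WORK/hub.pem" 2>/dev/null
  openssl x509 -in "$WORK/hub.pem" -outform DER -out "$WORK/hub.der"
  echo "$WORK/hub.der"
}

# Package exactly one private key with its certificate for Load PKCS12.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/hub.key" -in "$WORK/hub.pem" \
    -name hub-encryption -passout "pass:$1" -out "$WORK/hub.p12"
  echo "$WORK/hub.p12"
}

# Pre-upload check: the Notes above require a single private key in the file.
count_pkcs12_keys() {
  openssl pkcs12 -in "$WORK/hub.p12" -passin "pass:$1" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN PRIVATE KEY'
}

# Alternative upload form: DER certificate plus PKCS#8 (DER) private key.
make_pkcs8_key() {
  openssl pkcs8 -topk8 -nocrypt -in "$WORK/hub.key" -outform DER -out "$WORK/hub.pk8"
  echo "$WORK/hub.pk8"
}

# CA-signed path: generate the receiver key pair and a CSR to submit to the CA.
# The signed certificate the CA returns is then loaded with the same private key.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ" \
    -keyout "$WORK/receiver.key" -out "$WORK/receiver.csr" 2>/dev/null
  openssl req -in "$WORK/receiver.csr" -noout -verify >/dev/null 2>&1
  echo "$WORK/receiver.csr"
}
```

Two practical caveats. Because a self-signed certificate has no CA behind it, participants must trust exactly the file you send; distribute it over an authenticated channel and have them compare the fingerprint (openssl x509 -inform DER -in hub.der -noout -fingerprint -sha256) before importing. And OpenSSL 3 writes PKCS12 files with AES-based encryption by default, which some older Java-based importers cannot read; if the Load PKCS12 step rejects the file, re-export it with the -legacy option of openssl pkcs12.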
Outbound encryption certificate
The outbound encryption certificate is used when the hub
sends encrypted documents to participants. WebSphere Partner Gateway
encrypts documents with the public keys of the participants, and
the participants decrypt the documents with their private keys.
The participant can have more than one encryption certificate. One
is the primary certificate, which is used by default. The other is a
secondary certificate, which is used if the primary certificate expires
or otherwise cannot be used.
- Obtain the participant's encryption certificate. The certificate
must be in X.509 DER format; WebSphere Partner Gateway supports only
X.509 certificates.
- Install the certificate through the Community Console under the
participant's profile.
- Click Account Admin > Profiles > Community Participant,
and search for the participant's profile.
- Click Certificates.
- Click Load Certificate.
- Select Encryption as the type of certificate.
- Type a description of the certificate (which is required).
- Change the status to Enabled.
- Click Browse and navigate to the directory
in which you have saved the certificate.
- Select the certificate and click Open.
- If the participant has two encryption certificates, indicate
whether this is the primary or secondary certificate by selecting Primary or Secondary from
the Certificate Usage list.
- Click Upload and then click Save.
- Repeat step 2 if the
participant has a second encryption certificate.
- If the certificate was signed by a CA and the CA root certificate
and any other certificates that are part of the certificate chain
are not already installed in the Hub Operator profile, install the
certificates now.
- Click Account Admin > Profiles > Certificates to
display the Certificate List page.
Make sure you are logged in to the Community Console as the
Hub Operator, and install the certificate in your own profile.
- Click Load Certificate.
- Select Root and Intermediate.
- Type a description of the certificate (which is required).
- Change the status to Enabled.
- Click Browse and navigate to the directory
in which you have saved the certificate.
- Select the certificate and click Open.
- Click Upload and then click Save.
Note: You do not have to perform the previous step if
the CA certificate is already installed.
- Enable encryption at the package level (highest), the participant
level, or the connection level (lowest). A setting made at a lower
level overrides the setting inherited from a higher level, so the
connection level takes precedence. The connection summary informs
you if any required attribute is missing.
For example, to alter the attributes of a participant connection, click Account Admin > Participant Connections,
select the participants, click Attributes, and then edit the attribute
(for example, AS Encrypted).
The error message No valid encryption certificate found means that
neither the primary nor the secondary certificate is valid. The
certificates might be expired or they might have been revoked. In that
case the corresponding event, Certificate revoked or expired, is also
visible in the Event Viewer, although the two events might be separated
by other events. To display the Event Viewer, click Viewers > Event Viewer.
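The script below is an added example and is not part of the product documentation. It reproduces with openssl the outbound checks the text describes: a participant certificate is usable only if it is DER X.509, chains to the CA installed in the Hub Operator profile, and has not expired; the primary is used by default and the secondary when the primary cannot be used; when neither is usable the result is the No valid encryption certificate found condition. It then envelopes a document for the chosen certificate with CMS, the enveloped-data format AS2 uses, and decrypts it with the participant's private key to confirm the round trip. The CA, the participant, the file names, the primary certificate that expires tomorrow, and the 7-day expiry window are all constructed assumptions; revocation checking (CRL or OCSP) is not shown.

```shell
#!/bin/sh
# Added example, not part of the product documentation: checking a participant's
# outbound encryption certificates and choosing primary vs secondary with openssl.
# Assumptions: the test CA, participant DN, file names, validity periods and the
# 7-day expiry window are constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_FILE="${CA_FILE:-$WORK/ca.pem}"
WINDOW="${WINDOW:-604800}"   # treat a cert that expires within 7 days as unusable

# Constructed test PKI: one CA and a participant with two certificates,
# a primary that expires tomorrow and a secondary valid for a year.
build_sample_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Test CA/CN=Test Root" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Participant/CN=partner.example" \
    -keyout "$WORK/part.key" -out "$WORK/part.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/part.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -outform DER -out "$WORK/primary.der" 2>/dev/null
  openssl x509 -req -in "$WORK/part.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -outform DER -out "$WORK/secondary.der" 2>/dev/null
}

# A certificate is usable if it parses as DER X.509, will not expire within
# WINDOW seconds, and verifies against the CA installed in the hub profile.
cert_usable() {
  f="$1"
  openssl x509 -inform DER -in "$f" -noout 2>/dev/null || return 1
  openssl x509 -inform DER -in "$f" -noout -checkend "$WINDOW" >/dev/null 2>&1 || return 1
  openssl x509 -inform DER -in "$f" -out "$f.pem" 2>/dev/null
  openssl verify -CAfile "$CA_FILE" "$f.pem" >/dev/null 2>&1
}

# Mirrors the hub's choice: primary by default, secondary only when the
# primary cannot be used, otherwise the "No valid encryption certificate" case.
pick_encryption_cert() {
  if cert_usable "$1"; then echo "$1"
  elif cert_usable "$2"; then echo "$2"
  else echo "No valid encryption certificate found" >&2; return 1
  fi
}

# Outbound: envelope a document for the chosen certificate (CMS, as AS2 does).
encrypt_for() {   # $1 = chosen DER certificate, $2 = plaintext, $3 = output (DER CMS)
  openssl x509 -inform DER -in "$1" -out "$1.pem" 2>/dev/null
  openssl cms -encrypt -binary -aes256 -outform DER -in "$2" -out "$3" "$1.pem"
}

# Participant side: decrypt with the private key matching the chosen certificate.
decrypt_with() {  # $1 = participant private key, $2 = enveloped input
  openssl cms -decrypt -inform DER -in "$2" -inkey "$1"
}
```

Run build_sample_pki once, then pick_encryption_cert primary.der secondary.der prints the secondary because the primary falls inside the expiry window; passing the same near-expiry file twice reproduces the No valid encryption certificate found failure that the event viewer reports. Only the chain and expiry checks are covered here; a revoked certificate still passes unless you also feed a CRL to openssl verify with -crl_check.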
