Basic configuration - Setting up security for inbound and outbound documents
In this section, you will see how to add the following
types of security to the basic configuration:
- Secure Sockets Layer (SSL) Server Authentication
- Encryption
- Digital Signatures
Setting up SSL authentication for incoming documents
In this section, you use iKeyman to set up server authentication
so that Partner Two can send AS2 documents over HTTPS.
To set up server authentication, perform the following steps:
- Start the iKeyman application by opening the ikeyman.bat
file from the /<ProductDir>/was/bin
directory.
- Open the Receiver's default key store, receiver.jks. From the
menu bar, select Key Database File > Open. On
a default installation, receiver.jks resides in the directory: <ProductDir>/common/security/keystore
- When prompted, enter the default password for receiver.jks.
This password is WebAS.
- If this is the first time you have opened receiver.jks, delete
the "Dummy" certificate.
The next step is to create a new self-signed certificate. Creating
a self-signed personal certificate creates a private key and public
key within the server key store file.
To create a new self-signed certificate:
- Click New Self Signed.
- Give the certificate a key label that is used to uniquely identify
the certificate within the key store. Use the label selfSignedCert.
- Enter the server's Common Name. This is the primary,
universal identity for the certificate. It should uniquely identify
the principal that it represents.
- Enter the name of your organization.
- Accept all other defaults, and click OK.
Assume that Partner Two wants to send an EDI message over AS2
using secure HTTP. Partner Two will need to refer to the public
certificate (which was created as part of the creation of the self-signed
certificate) in order to do so.
To enable Partner Two to use the public certificate, export the
public certificate from the server key store file as follows:
- Select the newly created self-signed certificate from the IBM
Key Management utility.
- Click Extract Certificate.
- Change the Data type to Binary DER data.
- Provide the file name commManPublic and
click OK.
Finally, you use iKeyman to export the self-signed certificate
and private key pair in the form of a PKCS12 file. This PKCS12 file
will be used for encryption, which is described in a later section.
To export the self-signed certificate and private key pair:
- Click Export/Import.
- Change the Key file type to PKCS12.
- Provide the File Name commManPrivate and
click OK.
- Enter a password to protect the target PKCS12 file. Confirm
the password, and click OK.
Note: Stop and restart the Receiver for these changes
to take effect.
The password entered will be used later when you import this
private certificate into the hub.
Partner Two must also perform some configuration steps, including
importing the certificate and changing the address to which it sends
AS2 documents. For example, Partner Two would have to change the
address to:
https://<IP_address>:57443/bcgreceiver/submit
where <IP_address> refers to the hub.
Now, the self-signed certificate that was placed in the Receiver's
default key store is presented to Partner Two whenever Partner Two
sends a document over secure HTTP.
To set up the reverse situation, Partner Two must provide the
hub with an SSL key in the form of a .der file (in this case, partnerTwoSSL.der).
If necessary, Partner Two must also change the configuration to
permit the receipt of documents over the HTTPS transport.
Load Partner Two's file, partnerTwoSSL.der, into the
Hub Operator's profile as a root certificate. A root certificate
is a certificate issued by a Certificate Authority (CA) and used when
establishing a certificate chain. In this example, Partner Two generated
the certificate itself, and it is loaded as a root certificate to allow
the hub to recognize and trust the sender.
Load partnerTwoSSL.der into the hub:
- From the main menu, click Account Admin > Profiles > Community Participant.
- Click Search.
- Select Hub Operator by selecting the View details icon.
- Click Certificates and then Load Certificate.
- Set the Certificate Type as Root and Intermediate Certificate.
- Change the Description to Partner Two SSL Certificate.
- Set the Status as Enabled.
- Click Browse and navigate to the directory
in which you have saved partnerTwoSSL.der.
- Select the certificate and click Open.
- Click Upload and then click Save.
Change Partner Two's gateway to use secure HTTP:
- Click Account Admin > Profiles > Community Participant from
the horizontal navigation bar.
- Click Search and select Partner Two by
clicking the View details icon.
- Click Gateways from the horizontal navigation
bar. Next, select HttpGateway by clicking the View details icon.
- Edit it by clicking the Edit icon.
- Change the transport value to HTTPS/1.1.
- Change the value of the address to read as follows: https://<IP_address>:443/input/AS2,
where <IP_address> refers to Partner
Two's machine.
- All other values can remain unchanged. Click Save.
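The procedure above exchanges certificate files in both directions (commManPublic exported from the hub, partnerTwoSSL.der supplied by Partner Two) and then relies on the Receiver presenting the self-signed certificate over HTTPS. The following added example, which is not part of the WebSphere Partner Gateway documentation, shows the checks a practitioner would run on those files with only the Python standard library: normalising a certificate file to the binary DER form the hub's Load Certificate step expects, confirming a .der export is complete, computing the SHA-256 fingerprint that the two sides compare out of band, and a client that trusts exactly the pinned hub certificate. The host, port and file contents are assumptions; the sample bytes are a constructed stand-in, not a real certificate.

```python
# Added example, not from the WebSphere Partner Gateway documentation. Standard library only.
import base64, hashlib, re, socket, ssl

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Normalise a certificate file to DER, the form iKeyman's 'Binary DER data' export produces."""
    if data[:1] == b"\x30":          # DER certificates begin with the SEQUENCE tag 0x30
        return data
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("not a PEM or DER certificate")
    return base64.b64decode(b"".join(m.group(1).split()))

def der_is_complete(der: bytes) -> bool:
    """Outer SEQUENCE length must equal the file size; catches truncated or mangled exports."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                 # short-form length: one byte
        return 2 + first == len(der)
    n = first & 0x7F                 # long form: 0x8N followed by N length bytes
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form iKeyman/keytool/openssl display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 64, 2))

def pinned_context(hub_der: bytes) -> ssl.SSLContext:
    """Trust only the self-signed certificate exported as commManPublic. Hostname checking
    is off because the hub is addressed by IP; the exact-certificate comparison replaces it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=hub_der)
    return ctx

def hub_presents_pinned_cert(host: str, port: int, hub_der: bytes) -> bool:
    """Connect to the Receiver (assumed <IP_address>:57443) and confirm the pinned certificate."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with pinned_context(hub_der).wrap_socket(raw) as tls:
            return fingerprint(tls.getpeercert(binary_form=True)) == fingerprint(hub_der)

# Constructed stand-in with a valid DER outer header (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Run `der_is_complete(to_der(open("partnerTwoSSL.der", "rb").read()))` before loading a partner's file, and compare `fingerprint(...)` of commManPublic with what Partner Two's client reports.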
Setting up encryption
This section provides the steps for setting up encryption.
Partner Two must perform any necessary configuration steps (for
example, importing the public certificate and the self-signed certificate)
and set up encryption on documents sent to the hub.
WebSphere Partner Gateway will use its private key when decrypting
documents. To allow the hub to do so, you first load the PKCS12 file
containing the self-signed certificate and its private key into the Community
Console. Perform this task logged in to the Community Console as
Hub Operator and install the certificate in your own profile.
To load the PKCS12 file:
- Click Account Admin > Profiles > Community Participant from
the horizontal navigation bar.
- Click Search.
- Select Hub Operator by clicking the View details icon.
- Click Certificates and then click Load PKCS12.
- Select the check box to the left of Encryption.
- Change the Description to CommManPrivate.
- Select Enabled.
- Click Browse and navigate to the directory
in which the PKCS12 file, commManPrivate.p12, is stored.
- Select the file and click Open.
- Enter the password provided for the PKCS12 file.
- Leave the Gateway Type as Production.
- Click Upload, and then click Save.
This completes the configuration required to allow a participant
to send encrypted transactions over secure HTTP to the hub.
In the following section, the previous procedure is reversed: the
hub sends an encrypted EDI transaction over secure HTTP.
Partner Two must generate a document decryption key pair (in
this example, partnerTwoDecrypt.der) and should make the public
certificate available to the hub.
As mentioned earlier, the public key will be used by the hub
when encrypting transactions to be sent to the participant. In order
to do so, you load the public certificate into the hub.
- From the main menu, click Account Admin > Profiles > Community Participant.
- Click Search.
- Select Partner Two by clicking the View details icon.
- Click Certificates from the horizontal
navigation bar.
- Click Load Certificate.
- Select the check box next to Encryption.
- Change the Description to read Partner Two Decrypt.
- Set the status to Enabled.
- Click Browse.
- Navigate to the directory in which the decryption certificate, partnerTwoDecrypt.der,
is stored.
- Select the certificate and click Open.
- Leave the Gateway Type as Production.
- Click Upload and then click Save.
The final step in configuring the hub to send encrypted messages
over secure HTTP using AS2 is to modify the participant connection
that exists between the Community Manager and Partner Two.
To modify the participant connection from the Community Console:
- Click Account Admin > Participant Connections from
the horizontal navigation bar.
- From the Source list, select Comm Man.
- From the Target list, select Partner Two.
- Click Search.
- Click the Attributes button for the Target.
- From the Connection Summary, note that the AS Encrypted attribute
has a current value of No. Edit this value
by clicking the Expand icon next to Package: AS (N/A).
Note: You will need to scroll down the page for this option
to appear.
- From the list, update the AS Encrypted attribute
to Yes and click Save.
Setting up document signing
When digitally signing a transaction or message, WebSphere
Partner Gateway uses your private key to create the signature. The
partner receiving that message uses your public key to
validate the signature.
This section provides the steps required to configure both the
hub and a participant for use with digital signatures.
Partner Two must perform any necessary configuration steps (for
example, creating a self-signed certificate named, in this example,
partnerTwoSigning.der) and configure the signing of documents.
Partner Two must make partnerTwoSigning.der available to the hub.
To load the digital certificate into the hub:
- Click Account Admin > Profiles > Community Participant from
the horizontal navigation bar.
- Click Search.
- Select Partner Two by clicking the View details icon.
- Choose Certificates from the horizontal
navigation bar.
- Click Load Certificate.
- Select the check box next to Digital Signature.
- Change the Description to CommMan Signing.
- Set the Status to Enabled.
- Click Browse.
- Navigate to the directory in which the digital certificate,
partnerTwoSigning.der, is saved, select the certificate, and click Open.
- Click Upload followed by Save.
This completes the initial configuration for digital signatures.
The participant's public certificate is used to authenticate signed
transactions sent to the hub.
The hub will use the private key to digitally sign outbound transactions
sent to the participant. You first enable the private key for digital
signature.
To enable the private key for digital signature:
- Click Account Admin > Profiles > Certificates from
the horizontal navigation bar.
- Click the View details icon next to Hub Operator.
- Click the View details icon next to CommManPrivate.
Note: This was the private certificate loaded into the
hub earlier.
- Click the Edit icon.
- Select the check box next to Digital Signature.
Note: If there were more than one digital signature certificate,
you would select which one was primary and which one was secondary
by selecting Primary or Secondary from
the Certificate Usage list.
- Click Save.
Next you alter the attributes of the existing participant connection
between the Community Manager and Partner Two to accommodate signed
AS2.
To alter the attributes of the participant connection:
- Click Account Admin > Participant Connections from
the horizontal navigation bar.
- Select Comm Man from the Source list.
- Select Partner Two from the Target list.
- Click Search.
- Click the Attributes button for Partner
Two.
- Edit the AS Signed attribute by clicking
the Expand icon next to Package: AS (N/A).
- Select Yes from the AS Signed list.
- Click Save.
This completes the configuration required to send a signed AS2
transaction from WebSphere Partner Gateway to the participant.
