Basic configuration - Setting up security for inbound and outbound documents

In this section, you will see how to add the following types of security to the basic configuration: SSL authentication for incoming documents, encryption, and document signing.

Setting up SSL authentication for incoming documents

In this section, you use iKeyman to set up server authentication so that Partner Two can send AS2 documents over HTTPS.

To set up server authentication, perform the following steps:

  1. Initiate the iKeyman application, by opening the ikeyman.bat file from the /<ProductDir>/was/bin directory.
  2. Open the Receiver's default key store, receiver.jks. From the menu bar, select Key Database File > Open. On a default installation, receiver.jks resides in the directory: <ProductDir>/common/security/keystore
  3. When prompted, enter the default password for receiver.jks. This password is WebAS.
  4. If this is the first time you have opened receiver.jks, delete the "Dummy" certificate.

The next step is to create a new self-signed certificate. Creating a self-signed personal certificate creates a private key and public key within the server key store file.

To create a new self-signed certificate:

  1. Click New Self Signed.
  2. Give the certificate a key label that is used to uniquely identify the certificate within the key store. Use the label selfSignedCert.
  3. Enter the server's Common Name. This is the primary, universal identity for the certificate. It should uniquely identify the principal that it represents.
  4. Enter the name of your organization.
  5. Accept all other defaults, and click OK.

Assume that Partner Two wants to send an EDI message over AS2 using secure HTTP. Partner Two will need to refer to the public certificate (which was created as part of the creation of the self-signed certificate) in order to do so.

To enable Partner Two to use the public certificate, export the public certificate from the server key store file as follows:

  1. Select the newly created self-signed certificate from the IBM Key Management utility.
  2. Click Extract Certificate.
  3. Change the Data type to Binary DER data.
  4. Provide the file name commManPublic and click OK.

Finally, you use iKeyman to export the self-signed certificate and private key pair in the form of a PKCS12 file. This PKCS12 file will be used for encryption, which is described in a later section.

To export the self-signed certificate and private key pair:

  1. Click Export/Import.
  2. Change the Key file type to PKCS12.
  3. Provide the File Name commManPrivate and click OK.
  4. Enter a password to protect the target PKCS12 file. Confirm the password, and click OK.
Note: Stop and restart the Receiver for these changes to take effect.

The password entered will be used later when you import this private certificate into the hub.

Partner Two must also perform some configuration steps, including importing the certificate and changing the address to which it sends AS2 documents. For example, Partner Two would have to change the address to:

https://<IP_address>:57443/bcgreceiver/submit

where <IP_address> refers to the hub.

Now, the self-signed certificate that was placed in the Receiver's default key store is presented to Partner Two whenever Partner Two sends a document over secure HTTP.

To set up the reverse situation, Partner Two must provide the hub with an SSL key in the form of a .der file (in this case, partnerTwoSSL.der). If necessary, Partner Two must also change the configuration to permit the receipt of documents over the HTTPS transport.

Load Partner Two's file, partnerTwoSSL.der, into the Hub Operator's profile as a root certificate. A root certificate is a certificate issued from a Certifying Authority (CA) used when establishing a certificate chain. In this example, Partner Two generated the certificate itself, so it is loaded as a root certificate to allow the hub to recognize and trust the sender.
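The export steps above (self-signed certificate, Binary DER public certificate, password-protected PKCS12) and the check a practitioner makes before loading a partner's .der as a root certificate, reproduced as an added example with openssl rather than iKeyman. This is not IBM's code; the certificate subject, the temporary working directory and the PKCS12 password are constructed demo values.

```shell
#!/bin/sh
# Added example (not IBM's code): reproduce the iKeyman export flow with
# openssl and verify the artifacts before exchanging them with a partner.
set -eu
WORK="$(mktemp -d)"

# "New Self Signed": private key plus self-signed certificate (constructed subject).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=hub.example.test/O=Example Hub" \
    -keyout "$WORK/selfSignedCert.key" -out "$WORK/selfSignedCert.pem" 2>/dev/null
}

# "Extract Certificate" as Binary DER: the public half only, safe to hand out.
extract_public_der() {
  openssl x509 -in "$WORK/selfSignedCert.pem" -outform DER -out "$WORK/commManPublic.der"
}

# "Export/Import" as PKCS12: certificate and private key, password protected.
export_pkcs12() {   # $1 = PKCS12 password
  openssl pkcs12 -export -name selfSignedCert -inkey "$WORK/selfSignedCert.key" \
    -in "$WORK/selfSignedCert.pem" -passout "pass:$1" -out "$WORK/commManPrivate.p12"
}

# Check 1: the .der given to partners must not parse as a private key.
der_has_no_private_key() {
  ! openssl pkey -inform DER -in "$WORK/commManPublic.der" -noout 2>/dev/null
}

# Check 2: the key inside the PKCS12 belongs to the certificate that was exported
# (compare SHA-256 of the public keys); otherwise the hub cannot decrypt later.
pkcs12_matches_der() {   # $1 = PKCS12 password
  p12_pub=$(openssl pkcs12 -in "$WORK/commManPrivate.p12" -passin "pass:$1" -nocerts -nodes 2>/dev/null \
    | openssl pkey -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  der_pub=$(openssl x509 -inform DER -in "$WORK/commManPublic.der" -pubkey -noout \
    | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$p12_pub" = "$der_pub" ]
}

# Check 3: fingerprint of a partner's .der, to confirm with the partner out of
# band before it is loaded into the hub as a trusted root certificate.
der_fingerprint() {   # $1 = path to a DER certificate
  openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_self_signed; extract_public_der; export_pkcs12 "demo-p12-password"
der_has_no_private_key && pkcs12_matches_der "demo-p12-password" && echo "export artifacts verified"
echo "commManPublic.der SHA-256 fingerprint: $(der_fingerprint "$WORK/commManPublic.der")"
```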

Load partnerTwoSSL.der into the hub:

  1. From the main menu, click Account Admin > Profiles > Community Participant.
  2. Click Search.
  3. Select Hub Operator by selecting the View details icon.
  4. Click Certificates and then Load Certificate.
  5. Set the Certificate Type as Root and Intermediate Certificate.
  6. Change the Description to Partner Two SSL Certificate.
  7. Set the Status as Enabled.
  8. Click Browse and navigate to the directory in which you have saved partnerTwoSSL.der.
  9. Select the certificate and click Open.
  10. Click Upload and then click Save.

Change Partner Two's gateway to use secure HTTP.

  1. Click Account Admin > Profiles > Community Participant from the horizontal navigation bar.
  2. Click Search and select Partner Two by clicking the View details icon.
  3. Click Gateways from the horizontal navigation bar. Next select HttpGateway by clicking the View details icon.
  4. Edit it by clicking the Edit icon.
  5. Change the transport value to HTTPS/1.1
  6. Change the value of the address to read as follows: https://<IP_address>:443/input/AS2, where <IP_address> refers to Partner Two's machine.
  7. All other values can remain unchanged. Click Save.

Setting up encryption

This section provides the steps for setting up encryption.

Partner Two must perform any necessary configuration steps (for example, importing the public certificate and the self-signed certificate) and set up encryption on documents sent to the hub.

WebSphere Partner Gateway will use its private key when decrypting documents. To allow the hub to do so, you first load the private key extracted from the self-signed certificate into the Community Console. Perform this task logged in to the Community Console as Hub Operator and install the certificate in your own profile.

To load the PKCS12 file:

  1. Click Account Admin > Profiles > Community Participant from the horizontal navigation bar.
  2. Click Search.
  3. Select Hub Operator by clicking the View details icon.
  4. Click Certificates and then click Load PKCS12.
  5. Select the check box to the left of Encryption.
  6. Change the Description to CommManPrivate.
  7. Select Enabled.
  8. Click Browse and navigate to the directory in which the PKCS12 file, commManPrivate.p12, is stored.
  9. Select the file and click Open.
  10. Enter the password provided for the PKCS12 file.
  11. Leave the Gateway Type as Production.
  12. Click Upload, and then click Save.

This completes the configuration required to allow a participant to send encrypted transactions over secure HTTP to the hub.

In the following section, the previous procedure is reversed: the hub sends an encrypted EDI transaction over secure HTTP.

Partner Two must generate a document decryption key pair and should make the public certificate (in this example, partnerTwoDecrypt.der) available to the hub.

As mentioned earlier, the public key will be used by the hub when encrypting transactions to be sent to the participant. In order to do so, you load the public certificate into the hub.

  1. From the main menu, click Account Admin > Profiles > Community Participant.
  2. Click Search.
  3. Select Partner Two by clicking the View details icon.
  4. Click Certificates from the horizontal navigation bar.
  5. Click Load Certificate.
  6. Select the check box next to Encryption.
  7. Change the Description to read Partner Two Decrypt.
  8. Set the status to Enabled.
  9. Click Browse.
  10. Navigate to the directory in which the decryption certificate, partnerTwoDecrypt.der, is stored.
  11. Select the certificate and click Open.
  12. Leave the Gateway Type as Production.
  13. Click Upload and then click Save.

The final step in configuring the hub to send encrypted messages over secure HTTP using AS2 is to modify the participant connection that exists between the Community Manager and Partner Two.

To modify the participant connection from the Community Console:

  1. Click Account Admin > Participant Connections from the horizontal navigation bar.
  2. From the Source list, select Comm Man.
  3. From the Target list, select Partner Two.
  4. Click Search.
  5. Click the Attributes button for the Target.
  6. From the Connection Summary, note that the AS Encrypted attribute has a current value of No. Edit this value by clicking the Expand icon next to Package: AS (N/A).
    Note: You will need to scroll down the page for this option to appear.
  7. From the list, update the AS Encrypted attribute to Yes and click Save.

Setting up document signing

When digitally signing a transaction or message, WebSphere Partner Gateway uses your private key to create the signature. The partner receiving that message uses your public key to validate the signature.

This section provides the steps required to configure both the hub and a participant for use with digital signatures.

Partner Two must perform any necessary configuration steps (for example, creating a self-signed certificate named, in this example, partnerTwoSigning.der) and configure the signing of documents. Partner Two must make partnerTwoSigning.der available to the hub.

To load the digital certificate into the hub:

  1. Click Account Admin > Profiles > Community Participant from the horizontal navigation bar.
  2. Click Search.
  3. Select Partner Two by clicking the View details icon.
  4. Choose Certificates from the horizontal navigation bar.
  5. Click Load Certificate.
  6. Select the check box next to Digital Signature.
  7. Change the Description to CommMan Signing.
  8. Set the Status to Enabled.
  9. Click Browse.
  10. Navigate to the directory in which the digital certificate, partnerTwoSigning.der, is saved, select the certificate, and click Open.
  11. Click Upload followed by Save.

This completes the initial configuration for digital signatures.

The participant uses the public certificate to authenticate signed transactions sent by the hub.

The hub will use the private key to digitally sign outbound transactions sent to the participant. You first enable the private key for digital signature.

To enable the private key for digital signature:

  1. Click Account Admin > Profiles > Certificates from the horizontal navigation bar.
  2. Click the View details icon next to Hub Operator.
  3. Click the View details icon next to CommManPrivate.
    Note: This was the private certificate loaded into the hub earlier.
  4. Click the Edit icon.
  5. Select the check box next to Digital Signature.
    Note: If there were more than one digital signature certificate, you would select which one was primary and which one was secondary by selecting Primary or Secondary from the Certificate Usage list.
  6. Click Save.

Next you alter the attributes of the existing participant connection between the Community Manager and Partner Two to accommodate signed AS2.

To alter the attributes of the participant connection:

  1. Click Account Admin > Participant Connections from the horizontal navigation bar.
  2. Select Comm Man from the Source list.
  3. Select Partner Two from the Target list.
  4. Click Search.
  5. Click the Attributes button for Partner Two.
  6. Edit the AS Signed attribute by clicking the Expand icon next to Package: AS (N/A).
  7. Select Yes from the AS Signed list.
  8. Click Save.

This completes the configuration required to send a signed AS2 transaction from WebSphere Partner Gateway to the participant.

Copyright IBM Corp. 2003, 2005