Creating and installing encryption certificates

This section describes the two kinds of encryption certificate the hub uses: the inbound certificate, whose private key the hub uses to decrypt documents that participants send to it, and the outbound certificates, which are the participants' public certificates, used by the hub to encrypt documents it sends to them.

Inbound encryption certificate

This certificate is used by the hub to decrypt encrypted files received from participants. Participants encrypt with the public key contained in the certificate you distribute to them; the hub decrypts with the matching private key, which is installed on the hub and never distributed. Encryption keeps anyone other than the sender and the intended recipient from reading documents in transit; it does not by itself prove who sent a document.

Note the following important restriction about receiving encrypted AS2 messages from participants. If a participant encrypts an AS2 message with the wrong certificate (for example, a hub certificate that has since been replaced), the hub cannot decrypt it and the message fails. However, no MDN is returned to the participant to indicate the failure, so the sender sees only a missing MDN. In order for your participant to receive MDNs in this situation, create a connection to the participant with the following document flow definition:

Using a self-signed certificate

If you are going to use a self-signed certificate, use the following procedure.

  1. Start the iKeyman utility.
  2. Use iKeyman to generate a self-signed certificate and a key pair.
  3. Use iKeyman to extract to a file the certificate that will contain your public key.
  4. Distribute the certificate to your participants. They are required to import the file into their B2B product for use as an encryption certificate. Advise them to use it when they want to send encrypted files to the Community Manager. If your certificate is CA-signed, provide the CA certificate as well.
  5. Use iKeyman to save the self-signed certificate and private key pair in the form of a PKCS12 file.
  6. Install the self-signed certificate and private key pair in the form of a PKCS12 file through the Community Console.
    1. Click Account Admin > Profiles > Certificates to display the Certificate List page.

      Make sure you are logged in to the Community Console as the Hub Operator.

    2. Click Load PKCS12.
      Notes:
      1. The PKCS12 file being uploaded should contain only one private key and the associated certificate.
      2. You can also upload the certificate and private key as a DER-encoded certificate and PKCS#8-encoded private key.
    3. Select Encryption as the type of certificate.
    4. Type a description of the certificate (which is required).
    5. Change the status to Enabled.
    6. Click Browse and navigate to the directory in which you have saved the certificate.
    7. Select the certificate and click Open.
    8. Enter a password.
    9. Click Upload and then click Save.
  7. Enable encryption at the package level (highest), the participant level, or the connection level (lowest). A value set at a lower level overrides the same attribute set at a higher level, so a connection-level setting takes precedence over participant and package settings. The connection summary will inform you if any required attribute is missing.

    For example, to alter the attributes of a participant connection, click Account Admin > Participant Connections and then select the participants. Click Attributes and then edit the attribute (for example, AS Encrypted).
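
The following script is an added example for the self-signed procedure above; it is not from the WebSphere Partner Gateway documentation and not WPG code. openssl stands in for iKeyman steps 2, 3 and 5, and openssl cms stands in for the participant's B2B product and for the hub's own decryption, so the round trip, and the wrong-certificate failure noted under "Inbound encryption certificate", can be tried offline. It assumes openssl 1.1.1 or 3.x on the PATH; the file names, subject CN, PKCS12 password and sample payload are illustrative.

```shell
#!/bin/sh
# Added example, not WPG code: openssl in place of iKeyman for the self-signed
# inbound encryption certificate, plus an S/MIME round trip to check the result.
# Assumptions: openssl 1.1.1 or 3.x on PATH; names and password are illustrative.
set -u
WORK="${WORK:-$(mktemp -d)}"
P12_PASS='example-only'

# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Step 2: self-signed certificate and RSA key pair for the hub.
# Step 3: the certificate alone, DER-encoded, is what participants import.
# Step 5: certificate plus private key in one password-protected PKCS12 for the console.
make_hub_material() {
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=hub-inbound-encryption" -keyout "$WORK/hub.key" -out "$WORK/hub.crt" \
    >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/hub.crt" -outform DER -out "$WORK/hub-public.der" || return 1
  openssl pkcs12 -export -inkey "$WORK/hub.key" -in "$WORK/hub.crt" -name hub-encryption \
    -passout "pass:$P12_PASS" -out "$WORK/hub.p12" 2>/dev/null
}

# Console requirement: the PKCS12 holds exactly one private key and its certificate.
p12_key_count() {
  openssl pkcs12 -in "$WORK/hub.p12" -passin "pass:$P12_PASS" -nodes -nocerts 2>/dev/null \
    | grep -c -e '-----BEGIN.*PRIVATE KEY-----'
}
p12_cert_count() {
  openssl pkcs12 -in "$WORK/hub.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | grep -c -e '-----BEGIN CERTIFICATE-----'
}

# The public key in the DER file you distribute must be the one whose private
# half sits in the PKCS12: compare SHA-256 digests of the two public keys.
der_pubkey_sha() {
  openssl x509 -inform DER -in "$WORK/hub-public.der" -pubkey -noout \
    | openssl sha256 | awk '{print $NF}'
}
p12_pubkey_sha() {
  openssl pkcs12 -in "$WORK/hub.p12" -passin "pass:$P12_PASS" -nodes -nocerts 2>/dev/null \
    | openssl pkey -pubout | openssl sha256 | awk '{print $NF}'
}

# Participant side: import the DER certificate and encrypt for it. AS2 payload
# encryption is S/MIME (CMS EnvelopedData), which is what openssl cms produces.
participant_encrypt() {
  # $1 = plaintext file, $2 = output file (DER-encoded CMS)
  openssl x509 -inform DER -in "$WORK/hub-public.der" -out "$WORK/hub-recipient.pem" || return 1
  openssl cms -encrypt -aes-256-cbc -binary -in "$1" -outform DER -out "$2" "$WORK/hub-recipient.pem"
}

# Hub side: decrypt with a private key. With any key other than the one matching
# the certificate the participant used, this fails, and WPG sends no MDN for it.
hub_decrypt() {
  # $1 = CMS input (DER), $2 = private key PEM, $3 = plaintext output
  openssl cms -decrypt -inform DER -in "$1" -inkey "$2" -out "$3" 2>/dev/null
}

run_demo() {
  make_hub_material || return 1
  printf 'PO-12345: 10 units of part A-7\n' > "$WORK/order.txt"   # constructed sample payload
  participant_encrypt "$WORK/order.txt" "$WORK/order.cms" || return 1
  # Correct key: the payload round-trips.
  hub_decrypt "$WORK/order.cms" "$WORK/hub.key" "$WORK/order.out" || return 1
  cmp -s "$WORK/order.txt" "$WORK/order.out" || return 1
  # Wrong key (participant encrypted with some other certificate): no usable plaintext.
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null || return 1
  if hub_decrypt "$WORK/order.cms" "$WORK/other.key" "$WORK/order.bad" \
     && cmp -s "$WORK/order.txt" "$WORK/order.bad"; then
    return 1
  fi
  echo "inbound encryption material ready in $WORK (hub.p12, hub-public.der)"
}
```

hub.p12 is the file you upload with Load PKCS12 in step 6 and hub-public.der is the file you distribute in step 4. Because the key was written unencrypted to hub.key for the export, delete that file once the PKCS12 has been loaded, and keep the PKCS12 itself outside any directory the participants or the web tier can read.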

Using a CA-signed certificate

If you are going to use a certificate signed by a CA, use the following procedure:

  1. Start the iKeyman utility.
  2. Use iKeyman to generate a key pair and a certificate request for the hub (the receiver of the encrypted documents).
  3. Submit a Certificate Signing Request (CSR) to a CA.
  4. When you receive the signed certificate from the CA, use iKeyman to place the signed certificate into the key store.
  5. Distribute the signing CA certificate, and any intermediate certificates in the chain, to all participants together with your signed certificate. Then complete steps 3 to 7 of the self-signed procedure with the CA-signed certificate: extract and distribute it, save it with its private key as a PKCS12 file, load that file through the Community Console with Encryption as the certificate type, and enable encryption.

Outbound encryption certificate

The outbound encryption certificate is used when the hub sends encrypted documents to participants. WebSphere Partner Gateway encrypts documents with the public keys of the participants, and the participants decrypt the documents with their private keys.

A participant can have more than one encryption certificate. One is the primary certificate, which is used by default. The other is a secondary certificate, which is used if the primary certificate has expired or otherwise cannot be used (for example, because it has been revoked).

  1. Obtain the participant's encryption certificate. It must be an X.509 certificate in DER format; WebSphere Partner Gateway supports only X.509 certificates. If the participant supplies a PEM (Base64) file, convert it to DER before loading it.
  2. Install the certificate through the Community Console under the participant's profile.
    1. Click Account Admin > Profiles > Community Participant, and search for the participant's profile.
    2. Click Certificates.
    3. Click Load Certificate.
    4. Select Encryption as the type of certificate.
    5. Type a description of the certificate (which is required).
    6. Change the status to Enabled.
    7. Click Browse and navigate to the directory in which you have saved the certificate.
    8. Select the certificate and click Open.
    9. If the participant has two encryption certificates, indicate whether this is the primary or secondary certificate by selecting Primary or Secondary from the Certificate Usage list.
    10. Click Upload and then click Save.
  3. Repeat step 2 if the participant has a second encryption certificate.
  4. If the certificate was signed by a CA and the CA root certificate and any other certificates that are part of the certificate chain are not already installed in the Hub Operator profile, install the certificates now.
    1. Click Account Admin > Profiles > Certificates to display the Certificate List page.

      Make sure you are logged in to the Community Console as the Hub Operator, and install the certificate in your own profile.

    2. Click Load Certificate.
    3. Select Root and Intermediate.
    4. Type a description of the certificate (which is required).
    5. Change the status to Enabled.
    6. Click Browse and navigate to the directory in which you have saved the certificate.
    7. Select the certificate and click Open.
    8. Click Upload and then click Save.
    Note: You do not have to perform the previous step if the CA certificate is already installed.
  5. Enable encryption at the package level (highest), the participant level, or the connection level (lowest). A value set at a lower level overrides the same attribute set at a higher level, so a connection-level setting takes precedence over participant and package settings. The connection summary will inform you if any required attribute is missing.

    For example, to alter the attributes of a participant connection, click Account Admin > Participant Connections and then select the participants. Click Attributes and then edit the attribute (for example, AS Encrypted).

When the error message No valid encryption certificate found is displayed, neither the primary nor the secondary certificate is valid: the certificates might have expired or they might have been revoked. In that case the corresponding event (Certificate revoked or expired) is also visible in the Event Viewer, once for each certificate; note that the two events might be separated by other events. To display the Event Viewer, click Viewers > Event Viewer.
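
The following script is an added example for the CA-signed procedure and for the outbound certificate section above; it is not from the WebSphere Partner Gateway documentation and not WPG code. openssl (a swapped-in tool) replaces iKeyman, and a throwaway CA replaces the real one, producing a CA-signed certificate for the hub's key pair, the signing CA certificate you distribute in step 5, and a participant's X.509 DER encryption certificates together with the CA certificate that goes into the Hub Operator profile. It then checks a participant certificate before use and applies the primary/secondary fallback described above. That fallback is my reading of the text, not WPG's own logic, and the check detects only an expired certificate and a CA that is not installed; revocation needs a CRL or OCSP check that is not shown. It assumes openssl 1.1.1 or 3.x on the PATH; every file name, CN and validity period is illustrative.

```shell
#!/bin/sh
# Added example, not WPG code: openssl in place of iKeyman and of a real CA,
# then an expiry and chain check modelled on the primary/secondary fallback
# described in the text (my reading, not WPG's logic; revocation not covered).
# Assumptions: openssl 1.1.1 or 3.x on PATH; all names and periods are illustrative.
set -u
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: a DN section for -subj and CA extensions for -x509.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# A throwaway CA standing in for the real one your CSR goes to.
make_ca() {
  # $1 = file prefix, $2 = CN
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Key pair and CSR (step 2), CA signature (steps 3 and 4), and the DER form
# that WPG requires for a participant certificate.
issue_cert() {
  # $1 = file prefix and CN, $2 = validity in days, $3 = CA prefix
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -sha256 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days "$2" -in "$WORK/$1.csr" \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$1.crt" -outform DER -out "$WORK/$1.der"
}

# Classify one DER certificate against the installed CA bundle "as of" an epoch
# time: prints valid, expired, untrusted (issuer CA not in the bundle) or unreadable.
classify_der_cert() {
  # $1 = DER certificate, $2 = PEM bundle of installed CA certificates, $3 = epoch seconds
  pem="$WORK/check-$$.pem"
  if ! openssl x509 -inform DER -in "$1" -out "$pem" 2>/dev/null; then
    echo unreadable; return 0
  fi
  out=$(openssl verify -CAfile "$2" -attime "$3" "$pem" 2>&1 || true)
  rm -f "$pem"
  case "$out" in
    *"has expired"*)  echo expired ;;
    *"local issuer"*) echo untrusted ;;
    *": OK"*)         echo valid ;;
    *)                echo "error: $out" ;;
  esac
}

# Primary first, secondary if the primary is unusable, otherwise the console's message.
select_outbound_cert() {
  # $1 = primary DER, $2 = secondary DER, $3 = CA bundle, $4 = epoch seconds
  for c in "$1" "$2"; do
    if [ "$(classify_der_cert "$c" "$3" "$4")" = valid ]; then echo "$c"; return 0; fi
  done
  echo "No valid encryption certificate found"; return 1
}

# Epoch time $1 days from now, plus a minute so just-issued certificates are already valid.
at_days() { echo $(( $(date +%s) + 60 + $1 * 86400 )); }

run_demo() {
  make_ca ca "Example Trading CA" || return 1
  make_ca other-ca "Unrelated CA" || return 1
  issue_cert hub 365 ca || return 1                # inbound: the hub's own CA-signed certificate
  issue_cert partner-primary 365 ca || return 1    # outbound: the participant's two certificates
  issue_cert partner-secondary 730 ca || return 1
  cp "$WORK/ca.crt" "$WORK/distribute-to-participants.crt"   # step 5: signing CA certificate
  cat "$WORK/ca.crt" > "$WORK/hub-operator-cas.pem"          # what you load as Root and Intermediate
  echo "primary now:        $(classify_der_cert "$WORK/partner-primary.der" "$WORK/hub-operator-cas.pem" "$(at_days 0)")"
  echo "primary in 400d:    $(classify_der_cert "$WORK/partner-primary.der" "$WORK/hub-operator-cas.pem" "$(at_days 400)")"
  echo "selected in 400d:   $(select_outbound_cert "$WORK/partner-primary.der" "$WORK/partner-secondary.der" "$WORK/hub-operator-cas.pem" "$(at_days 400)")"
  echo "selected in 800d:   $(select_outbound_cert "$WORK/partner-primary.der" "$WORK/partner-secondary.der" "$WORK/hub-operator-cas.pem" "$(at_days 800)")"
}
```

Run classify_der_cert on a participant's DER file against the CA certificates you have loaded in the Hub Operator profile before you load the certificate itself: "untrusted" means the chain in step 4 of the outbound procedure is still missing, "expired" means the certificate will not be selected and the Event Viewer will show Certificate revoked or expired. Because revocation is not checked here, a revoked certificate still reports valid; treat the script as a pre-load sanity check, not as the hub's own validation.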

Copyright IBM Corp. 2003, 2005