Configuring and verifying digital signatures

Digital signing is the mechanism for ensuring non-repudiation. Non-repudiation is a service that ensures that a participant cannot deny having originated and sent a message (called "Non-Repudiation of Origin and Content"). It also ensures that the participant cannot deny having received a message (called "Non-Repudiation of Receipt"). In an authentication system that uses public key encryption, digital signatures are used to sign certificates.

A digital signature allows an originator to sign a message in such a way that a recipient can verify that it was signed by that entity and no one else, and consequently that the message has not been modified since it was signed. WebSphere Partner Gateway - Express uses digital signatures to secure inbound and outbound documents.

The following sections describe how to configure digital signatures on outbound documents and digital signature verification on inbound documents.

Configuring digital signatures for outbound documents

To configure digital signatures for outbound documents, you must first create or upload a document signing keypair, then download the public key portion of that keypair to be sent to the trading partner. Creating a document signing keypair can be done either by generating a new self-signed document signing keypair, or by uploading an existing document signing keypair. The following sections describe how to configure digital signing for outbound documents.

Generating a self-signed document signing keypair

Uploading an existing document signing keypair

Downloading a document signing public certificate

Generating a self-signed document signing keypair

The following procedure describes how to use WebSphere Partner Gateway - Express to generate a new self-signed document signing keypair.

Note:
If a document signing keypair already exists, refer to Uploading an existing document signing keypair.

When you generate a self-signed document signing keypair, it is uploaded into WebSphere Partner Gateway - Express automatically. To generate a self-signed document signing keypair for securing outbound documents, use the following procedure.

  1. Click the Security tab, then click Outbound in the navigation bar. The Outbound page appears.
  2. From the Selected Participant drop-down menu, select the participant for whom you want to generate the self-signed keypair.
  3. Locate the Verification row, then, in the Generate column, click the Generate Self-Signed Certificate icon. The Outbound page appears.
  4. Complete the entries in the Outbound page (see Table 9).
  5. Click the Create button. The self-signed keypair is uploaded and appears in the Outbound page.
    Note:
    The role changes from Verification to Signing.
    Table 9. Outbound page for Generated Self-Signed Document Signing Keypair

    Parameter               Description
    Common Name             Enter the server host name.
    Organization            Enter the name of the participant's company.
    Organizational Unit     Enter the name of the department where the participant works.
    Locality                Enter the locale or city where the participant works.
    State                   Enter the state or province where the participant works.
    Country                 Enter the country where the participant works.
    E-mail Address          Enter the participant's e-mail address.
    Certificate Validity    Enter the number of days for which the keypair is valid.
    Private Key Password    Enter the private key password.

Uploading an existing document signing keypair

To upload a document signing keypair for securing outbound documents, use the following procedure.

Note:
Use these instructions only if a document signing keypair already exists. Otherwise, refer to Generating a self-signed document signing keypair.

  1. Click the Security tab, then click Outbound in the navigation bar. The Outbound page appears.
  2. From the Selected Participant drop-down menu, select the participant for whom you want to upload the keypair.
  3. Locate the Signing row, then in the Upload column, click the Add/Update Certificate/Key button. The Upload Document Signing Keypair page appears.
  4. Complete the entries in the page (see Table 10).
  5. Click the Submit button. The keypair is uploaded and appears in the Outbound page.
    Table 10. Outbound page for Document Signing Keypair

    Parameter             Description
    Private Key File      The private key file must be in PKCS#8 format. If a PKCS#12 file
                          is uploaded in the Private Key File field instead, the private key
                          is extracted from it. Enter the path and name of the private key
                          file you want to upload. Alternatively, click the Browse button to
                          select the private key file you want to upload.
    Private Key Password  Enter the private key password.
    Public Certificate    The public certificate must be in DER format. Enter the path and
                          name of the public certificate file you want to upload.
                          Alternatively, click the Browse button to select the public
                          certificate file you want to upload.

Downloading a document signing public certificate

After you upload a document signing keypair into WebSphere Partner Gateway - Express, you must download the keypair's public certificate before you can send it to the partner. If the partner is using WebSphere Partner Gateway - Express, the partner is expected to load the document signing certificate into his or her list of certifying authorities (see Adding new certificates).

  1. Click the Security tab, then click Outbound in the horizontal navigation bar. The Outbound page appears.
  2. From the Selected Participant drop-down menu, select the participant whose document signing public certificate you want to download.
  3. Locate the Signing row, then in the Download column, click the Download Public Certificate button. A "file-download" page appears.
    Note:
    Depending on your browser version and firewall settings, the dialog box may prompt you to select either opening the file or saving it to disk. If this occurs, select the "save" option.
  4. Click Save (or equivalent) to display the Save As dialog box.
  5. Select a location where you want to download the document signing public certificate, rename the file to an appropriate name, then click Save.
  6. Send the saved file to the trading partner.

Configuring digital signature verification for inbound documents

If your trading partner is going to send you digitally signed documents, you must obtain that trading partner's public signature certificate and add it to the Certifying Authority tab. The following procedure describes how to do this.

  1. Click the Security tab, then click Certifying Authority in the navigation bar. The Certifying Authority page appears.
  2. Click the Add New Certificate button.
  3. Enter the path and name of the public certificate file you want to add. Alternatively, click the Browse button to select the public certificate file you want to add.
  4. Click Submit to add the file to the list of Certifying Authority certificate files.
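The two halves of the configuration described above, the outbound keypair whose private key is supplied in PKCS#8 and whose certificate is handed to the partner as DER (Tables 9 and 10), and the inbound check against the partner's certificate added under Certifying Authority, as an added Go example that uses only the standard library. This is not code from WebSphere Partner Gateway - Express or from IBM. It assumes RSA with SHA-256 and PKCS#1 v1.5 signatures (the page does not say which algorithms the product uses), writes the private key unencrypted because Go's standard library has no encrypted PKCS#8 or PKCS#12 support (so the Private Key Password and the PKCS#12 extraction of Table 10 are not modelled), and the SubjectFields type, function names, host name, company and payload are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SubjectFields mirrors the entries of Table 9 (a hypothetical struct, not part of the product).
type SubjectFields struct {
	CommonName, Organization, OrganizationalUnit, Locality, State, Country, Email string
	ValidityDays                                                                  int
}

// GenerateSigningKeypair builds a self-signed document signing certificate from the Table 9
// fields and returns the private key as PKCS#8 DER and the certificate as DER (Table 10 formats).
func GenerateSigningKeypair(f SubjectFields) (pkcs8DER, certDER []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // unique enough for a self-signed example
		Subject: pkix.Name{
			CommonName:         f.CommonName,
			Organization:       []string{f.Organization},
			OrganizationalUnit: []string{f.OrganizationalUnit},
			Locality:           []string{f.Locality},
			Province:           []string{f.State},
			Country:            []string{f.Country},
		},
		EmailAddresses: []string{f.Email}, // carried in the SAN extension (assumption)
		NotBefore:      now,
		NotAfter:       now.Add(time.Duration(f.ValidityDays) * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil {
		return nil, nil, err
	}
	pkcs8DER, err = x509.MarshalPKCS8PrivateKey(key)
	return pkcs8DER, certDER, err
}

// SignDocument is the outbound side: RSA PKCS#1 v1.5 over SHA-256 with the PKCS#8 private key.
func SignDocument(pkcs8DER, document []byte) ([]byte, error) {
	parsed, err := x509.ParsePKCS8PrivateKey(pkcs8DER)
	if err != nil {
		return nil, err
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("private key is not an RSA key")
	}
	digest := sha256.Sum256(document)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyDocument is the inbound side. It holds only the partner's DER certificate (the file added
// under Certifying Authority), checks validity period and key usage, then verifies the signature.
func VerifyDocument(certDER, document, signature []byte, at time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate does not permit digital signatures")
	}
	return cert.CheckSignature(x509.SHA256WithRSA, document, signature)
}

func main() {
	// Constructed sample values; host name, company and payload are placeholders.
	keyDER, certDER, err := GenerateSigningKeypair(SubjectFields{
		CommonName: "gateway.example.com", Organization: "Example Co", OrganizationalUnit: "EDI",
		Locality: "Austin", State: "Texas", Country: "US", Email: "edi@example.com", ValidityDays: 365})
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample AS2 payload")
	sig, err := SignDocument(keyDER, doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", VerifyDocument(certDER, doc, sig, time.Now())) // <nil>
	doc[0] ^= 0x01 // one bit changed after signing
	fmt.Println("tampered:", VerifyDocument(certDER, doc, sig, time.Now())) // verification error
}
```

The verifier never touches the private key: it works from the DER certificate alone, which is why the partner only needs the file downloaded under Downloading a document signing public certificate. The validity check corresponds to the Certificate Validity entry of Table 9; once the number of days has elapsed, documents signed with that keypair are rejected and a new keypair must be generated and exchanged.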

Enabling digital signature

To enable digital signature, use the following procedure.

  1. Click the Configuration tab, then click AS2 in the navigation bar.
  2. From the Selected Participant drop-down menu, select the participant for whose outbound documents you want to enable signing.
  3. Click the Edit button. The Manage AS2 editing page appears.
  4. In the Outbound section, select the Sign Documents check box, then click Save.

Copyright IBM Corp. 2003, 2005