WebSphere Partner Gateway - Express uses the Secure Sockets Layer (SSL) protocol to secure inbound and outbound documents. SSL (and its successor, TLS) is a commonly used protocol for managing security over the Internet. SSL provides secure connections by enabling two applications linked through a network connection to authenticate each other's identity and by encrypting the data exchanged between the applications.
An SSL connection begins with a handshake. During this stage, the applications exchange digital certificates, agree on the encryption algorithms to use, and generate encryption keys used for the remainder of the session.
The SSL protocol provides the following security features:
The following sections describe how to use SSL for inbound server and client authentication and outbound client authentication.
Using keystores for inbound server authentication
Using truststores for inbound client authentication
Using keypairs for outbound client authentication
A keystore for securing inbound documents over an SSL connection can be generated and uploaded automatically within WebSphere Partner Gateway - Express or uploaded from a location outside the application. The public certificate contained in the keystore can then be downloaded.
A keystore is a protected database that holds keys and certificates. If your participants have keys and certificates and use SSL, you can use the Inbound page to make the keystore available. The following topics describe how to use keystores for inbound server authentication.
Generating a self-signed SSL keystore
The following procedure describes how to use WebSphere Partner Gateway - Express to generate a self-signed SSL keystore for securing inbound documents. When you generate a self-signed keystore, it is uploaded into WebSphere Partner Gateway - Express automatically.
Parameter | Description |
---|---|
Common Name | Enter the server host name, exactly as partners address it; SSL clients that verify host names compare this value with the name they connected to. |
Organization | Enter the name of the participant's company. |
Organizational Unit | Enter the name of the department where the participant works. |
Locality | Enter the city or locality where the participant works. |
State | Enter the state or province where the participant works. |
Country | Enter the country where the participant works. |
E-mail Address | Enter the participant's e-mail address. |
Certificate Validity | Enter the number of days for which the certificate in the keystore is valid. |
Keystore Password | Enter the keystore password. |
Private Key Password | Enter the private key password. |
If you have an SSL keystore you want to upload into WebSphere Partner Gateway - Express, use the following procedure.
Parameter | Description |
---|---|
Keystore File | Enter the path and name of the keystore file you want to upload. Alternatively, click the Browse button to select the keystore file you want to upload. |
Keystore Password | Enter the keystore password for the keystore you want to upload. |
Key Password | Enter the key password for the keystore you want to upload. |
After you upload an SSL keystore into WebSphere Partner Gateway - Express, you can use the following procedure to download the public certificate stored in the keystore. Only the certificate is exported; the private key stays in the keystore.
A truststore is used for client authentication, when WebSphere Partner Gateway - Express verifies the certificate presented by a client that connects to it. From a truststore, the system can ascertain whether to trust a client and allow the client access to the site.
Using the Inbound page, you can upload a truststore for client authentication. The truststore can then be deleted when it is no longer required.
If the truststore you want to upload has not been created, you can use keytool to create it. The following section describes this procedure.
Keytool is a key and certificate management utility. It lets you create keys for use in self-authentication (where WebSphere Partner Gateway - Express authenticates itself to other entities and services) or data integrity and authentication services, using digital signatures. It also lets you cache the public keys (in the form of certificates) of its communicating peers.
Keytool stores the certificates in a truststore. In the default implementation, the truststore is a file on disk. Once you create the file, you can use the procedure under Uploading a truststore for client authentication to upload the file into WebSphere Partner Gateway - Express.
The following procedures describe how to use keytool to create a truststore, list certificates in a truststore, add certificates to a truststore, and delete certificates from a truststore. The commands used to perform these procedures can be executed from any system that has Java installed. For convenience, keytool is provided in the was\java\jre\bin directory of the WebSphere Partner Gateway - Express CD.
To create a truststore, use the following command. Keytool has no command that creates an empty store: -genkey creates the file by generating a placeholder key pair inside it. Once you have added the partner certificates, delete that placeholder entry with the -delete command shown below, so the truststore holds nothing but the certificates you intend to trust.
keytool -genkey -keystore <truststore filename> -storetype PKCS12
To list certificates in a truststore, use the following procedure.
keytool -list -v -keystore <truststore>
To add a certificate to a truststore, import the partner's certificate file with keytool under an alias; the alias is what you later use to list or delete the entry.
To remove a certificate from a truststore, use the following procedure.
keytool -delete -alias <cert name> -keystore <truststore>
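The truststore commands above, run end to end as an added shell example (this is not code from the WebSphere Partner Gateway - Express documentation or product): it creates the store the way the page does, with a placeholder key pair, imports two partner certificates, lists the aliases, checks an imported entry's SHA-256 fingerprint against the file it came from, and removes entries. The partner certificates are constructed stand-ins generated locally; the file names, aliases and passwords are assumptions; keytool from a JDK or JRE is assumed to be on PATH, and the script creates nothing if it is not.

```shell
#!/bin/sh
# Added example, not from the WebSphere Partner Gateway - Express documentation: the truststore
# lifecycle (create, add, list, verify, remove) done with keytool in a scratch directory.
# Assumptions: keytool is on PATH; file names, aliases and passwords are made up for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
TRUSTSTORE="$WORK/partners.p12"
STOREPASS="changeit-demo"   # constructed; use a real secret in practice

# Constructed stand-in for a certificate received from a partner: a throwaway self-signed key
# pair whose certificate is exported to a PEM file (a real partner sends only the file).
make_partner_cert() {   # $1 = partner alias, $2 = output certificate file
    keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$1.example.com, O=Example Partner, C=US" \
        -keystore "$WORK/$1-keys.p12" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -exportcert -rfc -alias "$1" -keystore "$WORK/$1-keys.p12" -storepass "$STOREPASS" -file "$2"
}

# The page creates the truststore with -genkey, which leaves a placeholder private-key entry
# in the new file. This does the same; remove_entry placeholder cleans it up afterwards.
create_truststore() {
    keytool -genkeypair -alias placeholder -keyalg RSA -keysize 2048 -dname "CN=placeholder" \
        -keystore "$TRUSTSTORE" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS"
}

add_cert() {   # $1 = alias, $2 = certificate file; -noprompt skips the interactive "Trust this certificate?"
    keytool -importcert -noprompt -alias "$1" -file "$2" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

remove_entry() {   # $1 = alias
    keytool -delete -alias "$1" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Aliases in the truststore, one per line, sorted; parsed from the "alias, date, entryType," lines of keytool -list.
list_aliases() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        | grep -E 'trustedCertEntry|PrivateKeyEntry' | cut -d, -f1 | sort
}

# SHA-256 fingerprints, so an imported entry can be checked against the file the partner sent.
file_fingerprint()  { keytool -printcert -file "$1" | awk '/SHA256:/ {print $2; exit}'; }
store_fingerprint() { keytool -list -v -alias "$1" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | awk '/SHA256:/ {print $2; exit}'; }

if command -v keytool >/dev/null 2>&1; then
    make_partner_cert partner1 "$WORK/partner1.cer"
    make_partner_cert partner2 "$WORK/partner2.cer"
    create_truststore
    add_cert partner1 "$WORK/partner1.cer"
    add_cert partner2 "$WORK/partner2.cer"
    remove_entry placeholder          # keep only trusted certificates in the store
    echo "Truststore $TRUSTSTORE now holds:"; list_aliases
    if [ "$(store_fingerprint partner1)" = "$(file_fingerprint "$WORK/partner1.cer")" ]; then
        echo "partner1: stored fingerprint matches the received file"
    else
        echo "partner1: fingerprint mismatch" >&2; exit 1
    fi
else
    echo "keytool not found on PATH; nothing created" >&2
fi
```

In an interactive session the import would instead display the certificate's fingerprints and ask whether to trust them; that prompt is the moment to compare against a fingerprint the partner supplied out of band, which is what the file_fingerprint and store_fingerprint pair does in script form.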
After a truststore has been created, use the following procedure to upload it for client authentication of inbound documents.
Parameter | Description |
---|---|
Truststore File | Enter the path and name of the truststore file you want to upload. Alternatively, click the Browse button to select the truststore file you want to upload. |
Truststore Password | Enter the truststore password. |
For outbound documents, client authentication is where WebSphere Partner Gateway - Express identifies itself to a remote server. The following topics describe how to use keypairs for outbound client authentication.
Generating a self-signed SSL client certificate keypair
Uploading a client authentication keypair
Downloading the client certificate for client authentication
The following procedure describes how to use WebSphere Partner Gateway - Express to generate a self-signed SSL client certificate keypair. When you generate a self-signed SSL client certificate keypair, it is uploaded into WebSphere Partner Gateway - Express automatically.
Parameter | Description |
---|---|
Common Name | Enter the host name of the WebSphere Partner Gateway - Express server; this is the identity presented to the remote server. |
Organization | Enter the name of the participant's company. |
Organizational Unit | Enter the name of the department where the participant works. |
Locality | Enter the city or locality where the participant works. |
State | Enter the state or province where the participant works. |
Country | Enter the country where the participant works. |
E-mail Address | Enter the participant's e-mail address. |
Certificate Validity | Enter the number of days for which the certificate in the keypair is valid. |
Private Key Password | Enter the private key password. |
To upload a client authentication keypair identifying this client to a remote SSL-enabled host, use the following procedure.
Parameter | Description |
---|---|
Public Certificate | Enter the path and name of the public certificate file you want to upload. Alternatively, click the Browse button to select the public certificate file you want to upload. |
After you upload a keypair into WebSphere Partner Gateway - Express, you can use the following procedure to download the public certificate. This public certificate can be e-mailed to the partner for inclusion within the partner's truststore.
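The self-signed keystore form for inbound server authentication and the client keypair form above collect the same fields. As an added shell example (not code from the WebSphere Partner Gateway - Express documentation or product), here is the equivalent keytool generation followed by the "download the public certificate" export step, so the form fields can be seen as contents of the resulting certificate. The host name, organization values, file names and passwords are constructed; the SAN extension goes beyond what the form offers and is an addition here, because modern TLS clients match the host name against SAN rather than the Common Name; keytool is assumed to be on PATH and generation is skipped without it. With PKCS12 stores keytool uses one password for both store and key, so a separate Private Key Password applies only to store types that support it, such as JKS.

```shell
#!/bin/sh
# Added example, not from the WebSphere Partner Gateway - Express documentation: the self-signed
# keystore / keypair generation and the public-certificate export described above, done with keytool.
# Assumptions: keytool is on PATH; host name, DN values, file names and passwords are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
KEYSTORE="$WORK/gateway-server.p12"
ALIAS="gateway"
STOREPASS="changeit-demo"   # constructed; PKCS12 uses this one password for store and key

# Escape commas so a value like "Example, Inc." does not split the distinguished name.
dn_escape() { printf '%s\n' "$1" | sed 's/,/\\,/g'; }

# Assemble the -dname string from the page's form fields:
# Common Name, Organizational Unit, Organization, Locality, State, Country, E-mail Address.
build_dname() {   # $1=CN $2=OU $3=O $4=L $5=ST $6=C $7=email
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s, EMAILADDRESS=%s' \
        "$(dn_escape "$1")" "$(dn_escape "$2")" "$(dn_escape "$3")" \
        "$(dn_escape "$4")" "$(dn_escape "$5")" "$(dn_escape "$6")" "$(dn_escape "$7")"
}

# Generate the self-signed key pair. -validity is the form's "Certificate Validity" in days.
# The SAN extension is not among the form's fields; it is added here because TLS clients
# check the host name against SAN rather than CN.
generate_keystore() {   # $1 = host name (Common Name), $2 = validity in days
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity "$2" \
        -dname "$(build_dname "$1" "EDI" "Example Partner Ltd" "Austin" "Texas" "US" "edi-admin@example.com")" \
        -ext "SAN=dns:$1" \
        -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# The "download the public certificate" step: export only the certificate as PEM, never the key.
export_public_cert() {   # $1 = output certificate file
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$1"
}

# Subject DN of an exported certificate file, as keytool prints it after "Owner: ".
cert_subject() { keytool -printcert -file "$1" | sed -n 's/^Owner: //p' | head -n 1; }

# Entry type of the generated alias in the keystore (expected: PrivateKeyEntry).
entry_type() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
        | sed -n 's/^.*, \([A-Za-z]*Entry\),.*$/\1/p' | head -n 1
}

if command -v keytool >/dev/null 2>&1; then
    generate_keystore gateway.example.com 365
    export_public_cert "$WORK/gateway.cer"
    echo "Keystore entry type: $(entry_type)"
    echo "Certificate subject: $(cert_subject "$WORK/gateway.cer")"
    echo "Send $WORK/gateway.cer to the partner for its truststore; keep $KEYSTORE private."
else
    echo "keytool not found on PATH; nothing generated" >&2
fi
```

The exported .cer file is what L94's step hands to the partner; it contains no private key, so it can travel by e-mail, while the .p12 keystore holds the key and must not leave the gateway.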
The following steps describe how to enable HTTPS.