Configuring encryption and decryption

WebSphere Partner Gateway - Express uses a cryptographic system known as public key encryption to ensure secure communication between trading partners. Public key encryption uses a pair of mathematically related keys: a document encrypted with the first key must be decrypted with the second, and a document encrypted with the second must be decrypted with the first. Each participant in a public key system has a pair of keys. One of these keys is kept secret; this is the private key. The other key is distributed to anyone who wants it; this is the public key. WebSphere Partner Gateway - Express uses a partner's public key to encrypt a document; the partner's private key is then used for decryption.

This section describes how to configure encryption with WebSphere Partner Gateway - Express, and includes the following topics:

Configuring encryption for outbound documents

Configuring decryption for inbound documents

Configuring encryption for outbound documents

To configure encryption for outbound documents, you must first upload the trading partner's public certificate, which contains the public key, then enable encryption for outbound documents to that partner. Once these steps are complete, any outbound document sent to that partner is automatically encrypted with the partner's public key. On receipt, the trading partner must use their private key to decrypt the document. The following sections describe how to configure encryption for outbound documents.

Uploading the trading partner's public certificate

Enabling encryption for outbound documents

Uploading the trading partner's public certificate

To upload the trading partner's public certificate, which contains the public key, use the following procedure.

  1. Click the Security tab, then click Outbound in the navigation bar. The Outbound page appears.
  2. From the Selected Participant drop-down menu, select the participant for whom you want to upload the public certificate.
  3. Locate the Encryption row, then, in the Upload column, click the Add/Update Certificate/Key icon. The Upload Encryption Public Certificate page appears.
  4. In the Public Certificate field, enter the path and name of the public certificate file you want to upload. Alternatively, click the Browse button to select the public certificate file you want to upload, then click Open.
    Note:
    The certificate must be DER-encoded. DER-encoded certificates typically have a .der or .cer extension.
  5. Click the Submit button.

Enabling encryption for outbound documents

To enable encryption for documents being sent to a particular trading partner, use the following procedure.

  1. Click the Configuration tab, then click AS2 in the navigation bar.
  2. From the Selected Participant drop-down menu, select the participant for whom outbound documents will be encrypted.
  3. Click the Edit button. The Manage AS2 editing page opens, enabling you to edit both Inbound and Outbound AS2 parameters.
  4. In the Outbound section of the page, select the Encrypt Documents check box, then click Save.

Configuring decryption for inbound documents

To receive encrypted documents from a partner, you must first create a public certificate (containing your public key), then send that public certificate to the partner. To create a public certificate, you must first generate or upload a self-signed document decryption keypair, then download and save the public certificate portion of that keypair and send it to the partner. The following sections describe how to create a public certificate.

Generating a new self-signed document decryption keypair

Uploading an existing decryption keypair

Downloading a public certificate for decryption

Generating a new self-signed document decryption keypair

The following procedure describes how to use WebSphere Partner Gateway - Express to generate a new self-signed decryption keypair for securing inbound documents.

Note:
If a document decryption keypair already exists, refer to Uploading an existing decryption keypair.

When you generate a self-signed decryption keypair, it is uploaded into WebSphere Partner Gateway - Express automatically. The generated decryption certificate is also stored in the Express Certifying Authority (CA) directory.

  1. Click the Security tab to display the Inbound page. If the page does not appear, click Inbound in the navigation bar.
  2. From the Selected Participant drop-down menu, select the participant for whom you want to generate the self-signed keypair.
  3. Locate the Decryption row, then, in the Generate column, click the Generate Self-Signed Certificate icon. The Inbound page appears.
  4. Complete the entries in the Inbound page (see Table 7).
  5. Click the Create button. The self-signed keypair is uploaded and appears in the Inbound page. A new file called decrypt.der is added to the Decryption row, and the certificate is automatically added to the Certifying Authority page. The partner name is also appended to the filename; for example, if the partner's name is Partner1, the filename is decryptPartner1.der.
    Table 7. Inbound page for Generated Self-Signed Document Decryption Keystore
    Parameter Description
    Common Name Enter the server host name.
    Organization Enter the name of the participant's company.
    Organizational Unit Enter the name of the department where the participant works.
    Locality Enter the locale or city where the participant works.
    State Enter the state or province where the participant works.
    Country Enter the country where the participant works.
    E-mail Address Enter the participant's e-mail address.
    Certificate Validity Enter the number of days for which the certificate is valid.
    Private Key Password Enter the private key password.

Uploading an existing decryption keypair

To upload an existing decryption keypair for securing inbound documents, use the following procedure.

Note:
Use these instructions only if a decryption keypair already exists. Otherwise, refer to Generating a new self-signed document decryption keypair.

  1. Click the Security tab to display the Inbound page. If the page does not appear, click Inbound in the navigation bar.
  2. From the Selected Participant drop-down menu, select the participant for whom you want to upload the keypair.
  3. Locate the Decryption row, then, in the Upload column, click the Add/Update Certificate Key icon. The Inbound page appears.
  4. Complete the entries in the Inbound page (see Table 8).
  5. Click the Submit button. The decryption pair is uploaded and appears in the Inbound page. A copy of the decryption certificate will also be uploaded to the Express Certifying Authority (CA) directory.
    Table 8. Inbound page for Uploading an Existing Decryption Keypair
    Parameter Description
    Private Key File The private key file must be in PKCS#8 format. If a PKCS#12 file is uploaded in the Private Key File field instead, the private key is extracted from that PKCS#12 file. Enter the full path and name of the private key file to be uploaded. Alternatively, click Browse to navigate to the file, then select the file and click Open to load the full-path name into the field.
    Private Key Password Enter the private key password for the decryption file.
    Public Certificate The public certificate must be in the DER format. Enter the full path and name of the public certificate file to be uploaded. Alternatively, click Browse to navigate to the file, then select the file and click Open to load the full-path name into the field.
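The format requirements in Table 8 (PKCS#8 or PKCS#12 for the private key, DER for the certificate), and the DER note under Uploading the trading partner's public certificate, are easy to get wrong when a partner sends a PEM file or a keystore. The following check is an added example, not part of WebSphere Partner Gateway - Express: stdlib-only Python that converts PEM to DER and classifies a file by its outer ASN.1 structure so you know which upload field it belongs in before submitting it. The sample inputs are constructed stand-ins, not real certificates or keys.

```python
import base64, re

def pem_to_der(data: bytes) -> bytes:
    # PEM (-----BEGIN ...-----) is base64-decoded; raw DER passes through unchanged
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def _tlv(buf: bytes, pos: int):
    # Decode one ASN.1 tag-length-value at pos; return (tag, value, next_pos)
    if pos + 2 > len(buf): raise ValueError("truncated header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        if not 0 < k <= 4 or pos + k > len(buf): raise ValueError("bad length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf): raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + n], pos + n

def classify(data: bytes) -> str:
    # Identify what a key or certificate file is before choosing the upload field
    try:
        der = pem_to_der(data)
        tag, body, end = _tlv(der, 0)
        if tag != 0x30 or end != len(der): raise ValueError("no single outer SEQUENCE")
        kids, pos = [], 0
        while pos < len(body):
            t, v, pos = _tlv(body, pos)
            kids.append((t, v))
    except ValueError:
        return "not DER"
    tags = [t for t, _ in kids]
    if tags[:1] == [0x02]:  # a leading INTEGER is a version number
        ver = int.from_bytes(kids[0][1], "big")
        if ver == 0 and tags[1:3] == [0x30, 0x04]:
            return "PKCS#8 private key (unencrypted)"
        if ver == 3 and tags[1:2] == [0x30]:
            return "PKCS#12 keystore"
    if tags == [0x30, 0x04]:  # AlgorithmIdentifier + OCTET STRING
        return "PKCS#8 private key (encrypted)"
    if tags == [0x30, 0x30, 0x03]:  # tbsCertificate, signatureAlgorithm, BIT STRING
        return "X.509 certificate"
    return "DER, but not a recognised certificate or key"

def _enc(tag: int, val: bytes) -> bytes:
    return bytes([tag, len(val)]) + val  # short-form DER (< 128 bytes), for samples only
# Constructed stand-ins with the right outer shape only; not real keys or certificates
ALG = _enc(0x30, b"\x06\x01\x00")  # dummy AlgorithmIdentifier
CERT_DER = _enc(0x30, _enc(0x30, b"\x02\x01\x01") + ALG + _enc(0x03, b"\x00\xab"))
CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_DER) + b"-----END CERTIFICATE-----\n"
PKCS8_DER = _enc(0x30, b"\x02\x01\x00" + ALG + _enc(0x04, b"\x00" * 4))
PKCS12_DER = _enc(0x30, b"\x02\x01\x03" + ALG)
```

A result of "not DER" for a file with a .cer extension usually means trailing bytes or a PEM body the regex did not match; run pem_to_der on it and inspect the first bytes before retrying the upload.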

Downloading a public certificate for decryption

After you generate or upload a keypair into WebSphere Partner Gateway - Express, you must download the public certificate before you can send it to the trading partner. This is the certificate that the partner will use to encrypt documents that you will decrypt with the private key upon receipt.

  1. Click the Security tab to display the Inbound page. If the page does not appear, click Inbound in the navigation bar.
  2. From the Selected Participant drop-down menu, select the participant whose certificate you want to download.
  3. Locate the Decryption row, then, in the Download column, click the Download Public Certificate icon. A file-download dialog box appears.
    Note:
    Depending on your browser version and firewall settings, the dialog box may prompt you to choose between opening the file and saving it to disk. If this occurs, select the "save" option.
  4. Click Save (or its equivalent) to display the Save As dialog box.
  5. In the Save As dialog box, select the location where you want to save the certificate, rename the file to something appropriate, then click Save.
  6. Send this file to the trading partner.

Copyright IBM Corp. 2003, 2005