IBM Support

Certificates usage in AS2

Technical Blog Post


Abstract

Certificates usage in AS2

Body

Certificates are used in many ways during an AS2 transfer within Sterling B2B Integrator (SI).
When certificate-related issues occur, it is useful to identify exactly which certificate is causing the issue so that measures can be taken to solve the problem.

This blog aims to help you correctly identify and solve certificate-related issues in AS2.

Certificates in general:

 

There are different certificate stores in SI into which certificates need to be imported, depending on their usage. This is done via the UI under "Trading Partner => Digital certificates".

The stores available in SI are:
  1. System certificates
    This store is used to keep your own system certificates, the ones that contain a private key.
    You need to import into this store the certificates used in the organization profile for signing and encryption, as well as your own SSL certificate if SSL is used.

  2. Trusted Certificates
    This store is used to keep your trading partners' certificates used for data signing and/or encryption.
    You need to import into this store the certificates used in the AS2 trading partner profile for data signing and encryption.

  3. CA Certificates
    This store is used to store all intermediate and root certificates of a certificate chain.
    You will also need to import into this store your trading partners' SSL certificates.

 

When importing (checking in) certificates into SI, there are a few validation options you can set on the certificate that might condition how the certificate is used.

This is done by setting one of the following "Validate When Used" options:

  1. Validity
    Verifies dates for the validity period of the certificate to check if they are still in effect.
    If the certificate has expired, the certificate is not used.
  2. Auth Chain
    Constructs a chain of trust for certificates that are not self-signed. If a chain of trust cannot be constructed using valid certificates, the certificate is not used; this means that all the intermediate and root certificates listed in the certificate chain need to be imported into the SI CA store. If the certificate is self-signed, this option verifies only the certificate signature.
  3. CRL Cache
    Checks the Certificate Revocation List (CRL) if used.




 

Certificate Usage with AS2

Certificates are used in AS2 for Data Signing and/or Encryption as well as for SSL (server and/or client authentication).

  1. Signing and encryption

    The certificates used for data signing and/or encryption are configured in the organization profile (your own system certificates) and in the AS2 trading partner profile (your trading partner's certificates). Most of the time they are the same, but they can differ; it is up to the customer or trading partners to decide whether they want to use different certificates.

    Organization configuration example: [image]

    Trading partner configuration example: [image]

    In an AS2 transaction there are always two certificates involved for data signing and encryption: your trading partner's certificate and your own system certificate.

    The certificates involved depend on the direction of the communication (Inbound or Outbound) as well as the certificate activity (Signing and/or Encryption).

    There will always be a key pair involved, a public key certificate and a private key.

    It is important to be able to identify which certificates are involved in a transfer so that if certificate issues arise, we can correctly identify which certificate is causing the problem.

    • Outbound

      The partner certificate (public key) is used to encrypt the data. This means that only the partner that has the corresponding private key will be able to decrypt that data.

      Your own system certificate (private key) is used to sign the data.

    • Inbound

      Your own system certificate (Private key) will be used to decrypt the data, since it has been encrypted by your partner using your public key.

      The partner certificate (Public key) is used to verify the data signature.

The table below will help you identify exactly which certificates are used and when:

[image: table of the certificates used per direction and activity]
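
The key usage described above can be reproduced outside SI with OpenSSL's S/MIME tool, since AS2 payloads are signed and encrypted as S/MIME. This is an added example, not IBM or SI code; the identities my-org, partner and other-partner, the payload and the file names are constructed, and -nodetach (opaque signing) is chosen only to keep the pipeline simple.

```sh
#!/bin/sh
# Added example with constructed identities: the key each side touches in one
# AS2 direction, and how a wrong certificate on either side shows up.

new_identity() {   # $1 = dir, $2 = name -> self-signed certificate + private key
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Sending side: sign with the sender's PRIVATE key, then encrypt to the
# receiver's PUBLIC certificate.
as2_send() {       # $1 = dir, $2 = sender, $3 = receiver, $4 = payload, $5 = output
    openssl smime -sign -nodetach -in "$4" \
        -signer "$1/$2.pem" -inkey "$1/$2.key" 2>/dev/null |
        openssl smime -encrypt -aes256 -out "$5" "$1/$3.pem" 2>/dev/null
}

# Receiving side: decrypt with the receiver's PRIVATE key, then verify the
# signature against the expected sender's PUBLIC certificate.
# Prints the payload and returns 0 only if both steps succeed.
as2_receive() {    # $1 = dir, $2 = receiver, $3 = expected sender, $4 = message
    openssl smime -decrypt -in "$4" \
        -recip "$1/$2.pem" -inkey "$1/$2.key" 2>/dev/null |
        openssl smime -verify -CAfile "$1/$3.pem" 2>/dev/null
}

WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
for id in my-org partner other-partner; do new_identity "$WORK" "$id"; done
printf 'constructed EDI payload\n' > "$WORK/payload.txt"

# Outbound from my-org to partner.
as2_send "$WORK" my-org partner "$WORK/payload.txt" "$WORK/outbound.p7m"

result() { if "$@" >/dev/null; then echo accepted; else echo rejected; fi; }
echo "partner key decrypts, my-org cert verifies:  $(result as2_receive "$WORK" partner my-org "$WORK/outbound.p7m")"
echo "wrong private key used for decryption:       $(result as2_receive "$WORK" other-partner my-org "$WORK/outbound.p7m")"
echo "wrong certificate used to verify signature:  $(result as2_receive "$WORK" partner other-partner "$WORK/outbound.p7m")"
```
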

 

What are the most common errors for data signing and encryption?

  2. SSL authentication.

    Sterling Integrator does not automatically capture the remote server SSL certificate. You need to obtain the certificate first and import it into the SI CA store; once that is done, you can configure it in the AS2 partner profile.

    How to obtain remote partners' SSL certificates:

    • You can usually capture SSL server end-user certificates by connecting to the server with IE and then saving the certificate to a file. IE might either give you a dialog box asking if you want to examine the certificate or display a lock icon that you can use to view the certificate and save it to a file.

    • You can also use the Certificate capture utility within SI to capture the remote server SSL certificate.

    • If none of the above is possible, you will need to rely on your partner to provide you with the correct SSL certificate.

Which SSL certificates to import into SI.

The certificates to import into SI depend on which type of SSL trust you are going to implement: direct trust or CA trust. Trust of an SSL server can be either direct or authority-based (CA trust).

    • In CA trust, you are trusting the assertions of identity in the server certificate because it is issued by some CA you trust. In this case you need the root certificate of the actual remote server SSL certificate, as well as any intermediate certificates, imported into SI's CA store.

    • In direct trust, you have a copy of the certificate the server is expected to send and you check what the server sends against that. You will need to import the actual end-user certificate into the CA store.

      Direct trust is necessary for cases where:

      • The server uses a self-signed certificate

      • The server's authority-issued certificate lacks certain properties like a server name or SSL key usage restrictions

The advantage of CA trust shows when the remote partner's SSL certificate expires. If you have the root certificate configured in the AS2 partner profile, then as long as the remote partner signs the new certificate using the same root certificate, you don't need to make any adjustments to the configuration and the connection will still work. With direct trust, on the other hand, you have configured the remote partner's end-user SSL certificate in your AS2 partner profile, so you will need to obtain the new certificate, import it into the SI CA store and adjust the configuration to use the new certificate.
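
The renewal scenario above, reproduced with the openssl command-line tool outside SI, together with a validity-window check on the renewed certificate. This is an added example, not IBM or SI code; the root CA, the as2.partner.example subject, the 365-day and 30-day lifetimes and all file names are constructed.

```sh
#!/bin/sh
# Added example; the root CA, subject name and lifetimes are constructed.

make_lab() {   # $1 = working directory
    # Throwaway root CA standing in for the CA that issues the partner's certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Partner Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    # "old" is the SSL certificate first exchanged, "new" is its renewal.
    for name in old new; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=as2.partner.example" \
            -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null
        openssl x509 -req -in "$1/$name.csr" -days 30 \
            -CA "$1/root.pem" -CAkey "$1/root.key" \
            -CAserial "$1/root.srl" -CAcreateserial \
            -out "$1/$name.pem" 2>/dev/null
    done
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Direct trust: $2 (presented) must be the exact certificate held on file ($1).
direct_trust_ok() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

# CA trust: $2 (presented) must chain to the trusted root certificate ($1).
ca_trust_ok() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# True when certificate $1 expires within $2 days (an alerting window).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

LAB=$(mktemp -d) && trap 'rm -rf "$LAB"' EXIT
make_lab "$LAB"

result() { if "$@"; then echo yes; else echo no; fi; }
echo "certificate on file accepted, direct trust: $(result direct_trust_ok "$LAB/old.pem" "$LAB/old.pem")"
echo "renewed certificate accepted, direct trust: $(result direct_trust_ok "$LAB/old.pem" "$LAB/new.pem")"
echo "renewed certificate accepted, CA trust:     $(result ca_trust_ok "$LAB/root.pem" "$LAB/new.pem")"
echo "renewed certificate expires within 45 days: $(result expires_within "$LAB/new.pem" 45)"
echo "renewed certificate expires within 7 days:  $(result expires_within "$LAB/new.pem" 7)"
```
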

SSL Certificate configuration for AS2.

There are two types of SSL authentication possible and the type used will impact the configuration necessary:

    • The most common is server authentication only, meaning that you will only use the server SSL certificate.

    • Client authentication can also be used, but it is not mandatory, so you will need to agree with your partner first whether it is required. In that case, a client certificate also needs to be exchanged between the parties and used in the SSL configuration.

The SSL certificate configuration for AS2 depends on the direction of the communication (outbound or inbound) as well as the type of SSL authentication used.

    • Outbound (Server authentication only)

      The SSL certificates are configured in the AS2 partner profile communications page. Specify the CA Certificate under the SSL section; this should be the SSL certificate from your remote partner (server authentication only).

    • Outbound (Server and client authentication).

      If client authentication is required as well, then in addition to the above, specify the system certificate to be used for client authentication under "Key Certificate". If no client authentication is used, leave this field empty.

      Note that when client authentication is used, you will need to provide your partner with the public key or root certificate of the system certificate you specified for "Key Certificate".

    • Inbound (Server authentication only)

      The SSL certificates are configured in the configuration page "SSL Setting" of the HTTP server adapter used to receive the inbound AS2 transfers.

      Under System Certificate, specify your own SSL system certificate that will be assigned as the server certificate (server authentication only).

    • Inbound (Server and client authentication)

      If client authentication is required, then under CA certificates choose from the list the client SSL certificates to be used (those that you obtained from your partner and previously imported into SI) and add them to the right-side panel of the screen.

      You can add as many CA certificates as you like as you go along and implement new partners.


 

Monitor Certificates expiration

 

Certificates have an expiration date and will need to be replaced before that expiration date is reached.

To identify those certificates in time and be alerted when they are about to expire, you can configure the CheckExpire service in SI. Find and edit the CheckExpire service under:

"Deployment => Services => Configuration".

 

The CheckExpire service allows you to configure an alert for expired or about-to-expire certificates. Some of the options you have when configuring the service are:

 

    • Schedule the service to generate a report with the frequency you want, every day or every week for example.

    • Specify the type of alert, email for example.

    • Specify the email address the system will send the report to if email alert is chosen.

    • Configure how many days in advance to be alerted when a certificate is about to expire.

 

You may consult the online documentation for more details about this service.

http://www-01.ibm.com/support/knowledgecenter/SS3JSW_5.2.0/com.ibm.help.svcs_adpts_a_l.doc/CheckExpireSvc.html

 

 

My organization system certificate is about to expire, what do I do?

 

    • Create a new self-signed certificate or import a new system certificate that you have purchased from a certificate authority (CA).

    • Check out the public key from the system certificate store and send it to all your partners.

    • Agree on a date and time, and adjust the organization AS2 profile to use the new exchange (encryption) and signing certificate at the agreed date and time.

    • Alternatively, you can create a new organization with a slightly different AS2 identifier using the new certificates and have your partners migrate to the new organization as they become ready to use the new certificates. This allows a phased migration.

 

My partner's AS2 signing and encryption certificate is about to expire, what do I do?

 

    • Request a new certificate from your partner.

    • Upload the new certificate into the certificates Trusted store.

    • At an agreed date and time, adjust the AS2 partner profile to use the new exchange (encryption) and signing certificate.
