About Implementing SSL in Sterling B2B Integrator

Secure Sockets Layer (SSL) provides secure communication over the Internet. It uses both asymmetric and symmetric cryptography: asymmetric cryptography authenticates the peers and establishes a shared secret during the handshake, and symmetric cryptography encrypts and integrity-protects the application data that follows.

The SSL security protocol provides server authentication and client authentication in Sterling B2B Integrator:
  • Server authentication is performed when a client connects to the server. During the handshake, the server sends its digital certificate (or certificate chain) to the client, and the client validates it against the certificates it trusts.
  • Client authentication is performed when the server sends a certificate request to the client during the handshake. The client returns its certificate or chain together with a CertificateVerify message signed with its private key. If both the certificate chain and the CertificateVerify message are verified, the handshake proceeds.
  • An optional additional check compares the common name in the certificate with the server's fully qualified domain name, obtained by a reverse Domain Name Server (DNS) lookup of the server's address, where such a lookup is available. Because the PTR record that a reverse lookup returns is controlled by whoever administers the reverse zone for that address, this check supplements certificate chain validation rather than replacing it.

Types of Trust

Two types of trust for SSL certificates are supported in Sterling B2B Integrator:
  • CA Trust – Hierarchical trust based on a root certificate used to issue other certificates. This is the standard SSL certificate trust model.
  • Direct Trust – Direct trust of self-signed certificates assumed to be distributed through secure out-of-band mechanisms. Direct trust and self-signed certificates are not part of the SSL standards, but are frequently used in certain trading communities.

SSL Certificates

To communicate using SSL, configure the systems involved to support either server authentication or client/server (mutual) authentication. To authenticate a server, you need the root Certificate Authority (CA) certificate and the intermediate certificates in the server's chain or, if the server uses a self-signed certificate, a copy of that self-signed certificate.

To support client/server authentication, you need both the CA or self-signed certificate that you trust for the peer and a system certificate (your own certificate with its private key) to present to the peer.

You can obtain an SSL certificate from a trusted CA by submitting a Certificate Signing Request (CSR) to the CA. The issued SSL certificate binds the public key to the identity of the SSL server or client.

If you plan to use client/server authentication, configure a system certificate. You can create system certificates in the following ways:
  • Check in an existing key certificate file or PKCS12 file.
  • Generate a self-signed system certificate.
  • Generate a CSR and obtain a certificate from a CA.
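The two trust models and the CSR workflow described above, as an added shell example built on the openssl command line. It is not code from the Sterling B2B Integrator documentation or product: it creates a root CA, an intermediate CA and a server certificate issued from a CSR (CA trust), plus a partner's self-signed certificate placed directly in the trust store (direct trust), and then runs the checks an SSL client performs, including the optional hostname match. The hostnames, file names and temporary directory are invented, and openssl is assumed to be on PATH.

```sh
#!/bin/sh
# Added example; not from the Sterling B2B Integrator documentation or product.
# Builds both trust models with the openssl CLI (assumed to be on PATH):
#   CA trust:     root CA -> intermediate CA -> server certificate issued from a CSR
#   direct trust: a partner's self-signed certificate placed straight in the trust store
# and checks each the way an SSL client does. Hostnames and file names are invented.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so no distribution default adds extensions behind our back.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > min.cnf

# --- CA trust ---------------------------------------------------------------
# 1. Root CA: self-signed and marked as a CA.
openssl req -x509 -config min.cnf -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -days 365 -subj "/CN=Example Root CA" -addext "basicConstraints=critical,CA:TRUE" >/dev/null 2>&1
# 2. Intermediate CA: a CSR signed by the root, with CA extensions added at signing time.
openssl req -config min.cnf -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 365 \
    -extfile inter.ext -out inter.pem >/dev/null 2>&1
# 3. Server certificate: the CSR you would send to a CA, here signed by the intermediate.
openssl req -config min.cnf -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=b2b.example.com" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:b2b.example.com\n' > server.ext
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 365 \
    -extfile server.ext -out server.pem >/dev/null 2>&1

# --- Direct trust -----------------------------------------------------------
# A trading partner's self-signed certificate, received out of band.
openssl req -x509 -config min.cnf -newkey rsa:2048 -nodes -keyout partner.key -out partner.pem \
    -days 365 -subj "/CN=partner.example.net" >/dev/null 2>&1

# CA trust: does certificate $1 chain to trust anchor $2 through the intermediates in $3?
verify_ca_trust() {
    if openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Direct trust: is certificate $1 itself in trust store $2? There is no chain to build.
verify_direct_trust() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# The optional name check: chain validation plus a match of $4 against the certificate's
# subjectAltName, with the common name used only when no DNS subjectAltName is present.
verify_with_hostname() {
    if openssl verify -CAfile "$2" -untrusted "$3" -verify_hostname "$4" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

echo "CA trust, full chain:             $(verify_ca_trust server.pem root.pem inter.pem)"
echo "CA trust, expected host:          $(verify_with_hostname server.pem root.pem inter.pem b2b.example.com)"
echo "CA trust, wrong host:             $(verify_with_hostname server.pem root.pem inter.pem evil.example.com)"
echo "Direct trust, partner cert:       $(verify_direct_trust partner.pem partner.pem)"
echo "Self-signed cert against our CA:  $(verify_direct_trust partner.pem root.pem)"
```

The last two lines show why direct trust is a separate model: the partner's self-signed certificate validates only when that exact certificate is in the trust store, and fails against a CA root because nothing issued it. Note that openssl checks subjectAltName before the common name, so a certificate with a DNS subjectAltName is matched on that name, not on the CN the page's optional check describes.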

Cipher Suites

Before you put Sterling B2B Integrator into use, review the available predefined cipher lists and customize them to your company's security requirements.

The cipher suites supported by the IBM SDK, Java Technology Edition, Version 7 are listed here: http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/ciphersuites.html. For other JDKs supported by Sterling B2B Integrator, see the JDK supplier's documentation for the list of supported cipher suites.

Cipher suite lists are configured in security.properties, or overridden in customer_overrides.properties. The lists are:
  • AllCipherSuite (UI selection is ALL) - includes everything listed in WEAK and STRONG, so selecting ALL enables any weak suite that WeakCipherSuite contains.
  • WeakCipherSuite (UI selection is WEAK) - add the supported weak cipher suites you want to allow with Sterling B2B Integrator; leave it empty unless a trading partner requires a weak suite.
  • StrongCipherSuite (UI selection is STRONG) - add the supported strong cipher suites you want to use with Sterling B2B Integrator.
  • CipherSuiteDefault (available in V5.2.6 and higher) - by default includes a subset of the ciphers supported by IBM JDK7. It is used only when WeakCipherSuite and StrongCipherSuite are both empty.
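As an added example that is not from the documentation or the product, the following shell script audits a proposed STRONG list before it is written to customer_overrides.properties: it rejects suite names that carry a weak property (no encryption, anonymous key exchange, export grade, RC4, DES or 3DES, or an MD5 MAC) and emits the override lines. The suite names are JSSE names of the kind the IBM JDK lists; the proposed list is constructed, the weakness patterns are this example's own, and the security.<key>= override syntax is an assumption about the product's override format, not a format the page states.

```sh
#!/bin/sh
# Added example; not from the Sterling B2B Integrator documentation or product.
# Audits a proposed StrongCipherSuite list for entries that belong in WEAK (or nowhere),
# then emits override lines. Suite names are JSSE names as the IBM JDK lists them; the
# "security.<key>=" syntax for customer_overrides.properties is an assumption about the
# product's override format, and the proposed list below is a constructed sample.
set -e

# Constructed sample: a list an administrator might propose for STRONG.
PROPOSED_STRONG="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_NULL_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA"

# Returns 0 (true) when the JSSE suite name in $1 carries a weak property:
# no encryption, no authentication, export grade, RC4, single DES, 3DES, or an MD5 MAC.
# "*_DES_*" does not match "_3DES_", so 3DES needs its own pattern.
is_weak_suite() {
    case "$1" in
        *_NULL_*|*_anon_*|*EXPORT*|*_RC4_*|*_DES_*|*3DES*|*_MD5) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the weak entries of a comma-separated list, one per line.
weak_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r suite; do
        if [ -n "$suite" ] && is_weak_suite "$suite"; then printf '%s\n' "$suite"; fi
    done
}

# Prints the list with weak entries removed, comma-separated, ready for StrongCipherSuite.
strong_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r suite; do
        if [ -n "$suite" ] && ! is_weak_suite "$suite"; then printf '%s\n' "$suite"; fi
    done | paste -sd, -
}

# Emits the customer_overrides.properties lines (assumed "security.<key>=" syntax): the
# audited STRONG list and an empty WEAK list, so that selecting ALL in the UI enables
# nothing the audit rejected.
emit_overrides() {
    printf 'security.StrongCipherSuite=%s\n' "$(strong_entries "$1")"
    printf 'security.WeakCipherSuite=\n'
}

echo "Rejected from STRONG:"
weak_entries "$PROPOSED_STRONG" | sed 's/^/  /'
echo "Override lines:"
emit_overrides "$PROPOSED_STRONG"
```

The patterns are deliberately coarse: anything matching is sent back for review rather than silently moved to WeakCipherSuite, because a suite a partner genuinely requires should be enabled as a recorded exception, not as a side effect of an audit script.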