Next-generation platform

Adding outbound certificates

Users with the Developer role can add client and trust certificates in Self Service.

About this task

Outbound certificates are used by customizations that must connect to external systems over TLS. Two kinds of connection can be established.
  • Secure SSL/TLS connections - The application must be able to validate the certificate that the server returns. The certificates that are required in the truststore for that validation (the server's issuing CA chain) are referred to as third-party, or trust, certificates.
  • Mutually authenticated secure SSL/TLS connections - In addition to trusting the server, the application must present a client certificate to establish the connection. For the application to present a client certificate, you must upload both the certificate and its private key.

When you want to establish a TLS connection, the Sterling™ Order Management System application must trust the server with which it is connecting. To establish this trust, the application must be able to validate the certificate that the server returns. The application can either trust a server certificate directly or trust the issuer (certificate authority) that signed it. If the application trusts the issuer, renewing the server's certificate has no impact as long as the new certificate is issued by the same trusted issuer.

By default, a set of standard issuers is trusted in the Sterling Order Management System application, which reduces the manual work that is needed to set up trust. To check whether the issuer of the server that the Sterling Order Management System application connects to is already in the default trusted list, examine the cacerts file in your development environment. This file contains all the certificates that are trusted by default. If the issuer certificate for your server is in this file, no further action is required. If it is not, you must upload the certificate chain by using Self Service. Use the following steps to check whether a certificate is listed in the cacerts file:
  1. Go to the jdk/bin directory in the extracted runtime of your developer toolkit.

    devtoolkit_docker/runtime/jdk/bin

  2. Run the following command.
    ./keytool -list -keystore ../jre/lib/omoc_security/cacerts
  3. Enter changeit if prompted for a password.

    A list of all trusted certificates is displayed. The same certificates are trusted in the cloud environments.

It is recommended that you provide both the intermediate certificate and the root certificate, so that the truststore holds the complete chain of trust. For client certificates, you can also upload the trust chain so that the application can identify which certificate to use.

A certificate chain is an ordered list of certificates that contains the end-entity (SSL) certificate and the certificate authority (CA) certificates. It enables the receiver to verify that the sender and all of the CA certificates are trustworthy. The chain starts with the SSL certificate, and each certificate in the chain is signed by the entity that is identified by the next certificate in the chain.

Any certificate between the SSL certificate and the root certificate is called a chain, or intermediate, certificate. The intermediate certificate is the signer (issuer) of the SSL certificate, and the root CA certificate is the signer of the intermediate certificate. For the SSL certificate to be accepted by all clients, the intermediate certificate must be installed along with it, because clients typically hold only root certificates and cannot complete the chain without it. A chain can contain multiple intermediate certificates.

The chain ends with a root CA certificate, which is always self-signed by the certificate authority. The signature on every certificate in the chain must be verified, all the way up to the root CA certificate.

You can upload intermediate certificates as trust certificates so that a Sterling Order Management System environment trusts them. If an environment trusts an intermediate certificate, it also trusts every end-entity certificate that is signed by that intermediate certificate.

Do not upload end-entity certificates directly; upload the trust chain instead. When a server's certificate is renewed by the same issuer, the existing trust chain still validates it and nothing needs to be updated.

For more information about accessing IBM Sterling® Order Management System applications, see Accessing IBM Sterling Order Management System applications.

Procedure

  1. Access Self Service with your IBMid.
  2. From the Self Service menu, click Environments.
  3. From the list of environments, select an environment.
  4. In the Certificates tab, click Outbound.
  5. To upload client certificates, complete the following steps.
    1. Click Add certificate and then select the Add client certificate option.
    2. In the Add certificate page, enter the Alias, the Certificate in PEM format, the Private key of the certificate in PEM format, and the Certificate chain in PEM format.
      Note: The private key must be in unencrypted PKCS#8 PEM format. The key file must start and end with the following lines:
      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----
      If the key file starts with either of the following headers, you must convert it with an openssl command before you upload it.
      • -----BEGIN RSA PRIVATE KEY-----: a traditional (PKCS#1) RSA key. Java™ does not handle this key format.
      • -----BEGIN ENCRYPTED PRIVATE KEY-----: an encrypted PKCS#8 key. Encrypted keys are not processed.
      Use the following openssl command to convert the key file, and then paste the new key into Self Service. If the input key is encrypted, openssl prompts for its passphrase (or accepts it through -passin). The output file holds the key in clear text, so delete it after the upload is done.
      openssl pkcs8 -in <old_key_file> -out <new_key_file> -nocrypt -topk8
    3. If you want to add more certificates in the same chain, click Add another certificate to the chain.
    4. Click Add.
  6. Optionally, click Upload keystore to upload the client certificate and its private key as a PKCS#12 (.p12 or .pfx) file instead of pasting them in PEM format.
  7. To upload trust certificates, complete the following steps.
    1. Click Add certificate and then select the Add trust certificate option.
    2. In the Add certificate page, enter the Alias and the Certificate in the PEM format.
    3. Click Add.
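
The following script is added here as an illustration; it is not part of the IBM documentation or of the Sterling Order Management System tooling. It exercises the two checks this page relies on with the openssl CLI: validating a leaf certificate against a trust anchor (a root, or an intermediate on its own, which is what uploading an intermediate as a trust certificate depends on), and converting a traditional or encrypted private key into the unencrypted PKCS#8 PEM form that the client-certificate upload requires. The throwaway PKI, the file names, the passphrase "demo", and the function names are all invented for the demo; only the openssl binary is assumed to be present.

```shell
#!/bin/sh
# Added example (not IBM's code): build a disposable root -> intermediate
# -> client chain, verify the leaf the way a truststore would, classify a
# PEM private key by its header, and normalise legacy or encrypted keys
# into unencrypted PKCS#8. Names, paths and the "demo" passphrase are
# made up for the demo. Requires only the openssl CLI.
set -eu

# Report which PEM form a private key is in, judged by its first line.
# The Self Service upload accepts only "pkcs8" (-----BEGIN PRIVATE KEY-----).
key_format() {         # key_format <key.pem>
    case "$(head -n 1 "$1")" in
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo rsa-legacy ;;
        "-----BEGIN EC PRIVATE KEY-----")        echo ec-legacy ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Rewrite any of the above as unencrypted PKCS#8. Pass the passphrase as
# the third argument when the input is encrypted; omit it otherwise.
to_pkcs8() {           # to_pkcs8 <in.pem> <out.pem> [passphrase]
    if [ $# -ge 3 ]; then
        openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" -passin "pass:$3"
    else
        openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
    fi
}

# Confirm that a private key belongs to a certificate by comparing the
# public key each one carries; a mismatch means the upload is useless.
key_matches_cert() {   # key_matches_cert <key.pem> <cert.pem>
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Validate a leaf against a trust anchor. -partial_chain lets the anchor
# be an intermediate instead of a self-signed root. Intermediates that
# are not anchors are supplied as -untrusted helpers, as a server would
# send them in its handshake.
verify_leaf() {        # verify_leaf <anchor.pem> <leaf.pem> [intermediate.pem]
    if [ $# -ge 3 ]; then
        openssl verify -partial_chain -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Build a throwaway PKI in directory $1: root.pem, int.pem, client.pem and
# client.key (PKCS#8), plus the same client key as client-rsa.key (PKCS#1)
# and client-enc.key (encrypted PKCS#8, passphrase "demo").
make_demo_pki() {      # make_demo_pki <dir>
    d="$1"; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' >"$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/client.key"
    openssl req -new -key "$d/client.key" -subj '/CN=demo-client' -out "$d/client.csr"
    openssl x509 -req -in "$d/client.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/client.pem"
    openssl pkcs8 -in "$d/client.key" -nocrypt -traditional -out "$d/client-rsa.key"
    openssl pkcs8 -topk8 -in "$d/client.key" -passout pass:demo -out "$d/client-enc.key"
}

# Run directly with a scratch directory to see the checks end to end.
if [ $# -ge 1 ]; then
    make_demo_pki "$1" 2>/dev/null
    for k in client.key client-rsa.key client-enc.key; do
        echo "$k: $(key_format "$1/$k")"
    done
    to_pkcs8 "$1/client-rsa.key" "$1/client-fixed.key"
    echo "client-fixed.key: $(key_format "$1/client-fixed.key")"
    key_matches_cert "$1/client-fixed.key" "$1/client.pem" && echo "key matches client.pem"
    verify_leaf "$1/root.pem" "$1/client.pem" "$1/int.pem" && echo "chain verifies against root"
    verify_leaf "$1/int.pem" "$1/client.pem" && echo "leaf verifies against the intermediate alone"
    verify_leaf "$1/root.pem" "$1/client.pem" || echo "root alone cannot verify the leaf: intermediate missing"
fi
```

Against a real endpoint the same checks apply to the chain you retrieve with `openssl s_client -connect host:443 -showcerts`: verify the leaf against the issuer you intend to trust, and upload that issuer's intermediate and root rather than the leaf itself. The last line of the driver shows the failure mode that motivates the chain advice above: a trust anchor that is only the root cannot validate a leaf when the intermediate is absent.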

What to do next

After you add outbound certificates, click Apply Changes to apply the certificates on your environment.