Managing certificates

A digital certificate, also known as a public key certificate, is an electronic document that is used to indicate the ownership of a public key. Senders and receivers can exchange documents securely by using digital certificates.

webMethods B2B uses certificate sets. A certificate set consists of a certificate chain (one or more ordered certificates) and a private key. If the chain has a single certificate, that certificate must be self-signed. If the chain has multiple certificates, it must contain a root certificate, an optional intermediate certificate, and a node certificate: the intermediate certificate is nested in (issued by) the root certificate, and the node certificate is nested in the intermediate certificate.

Either upload a certificate for each of your business partners (referred to as partner-specific certificates) or use a default certificate for all partners. For example, you can use one set of certificates for sending documents to partner A and a different set of certificates for sending documents to partner B. When webMethods B2B does not find a partner-specific certificate for a sender-receiver pair, it uses the default certificate set.

webMethods B2B supports three certificate usages, which act as the authentication mechanisms for certificates:

  • Sign-Verify
  • Encrypt-Decrypt
  • Secure Socket Layer (SSL)

Each usage can contain two certificate sets. The first set that you upload is the primary certificate set and the second set you upload is the secondary certificate set.

Use certificates with these file extensions: .cer, .der, or .p7b.

[Image: the usage that applies for each profile and the action that webMethods B2B performs]

Secure document exchange

The following certificate usages are available to securely exchange documents with your business partners:

Usage: Sign - Verify
Description: To sign a document or verify its digital signature. In the sender's profile, webMethods B2B uses the private key that is associated with the receiver to digitally sign documents.

To verify, webMethods B2B checks the sender's profile to retrieve the sender's public certificate. This certificate, which is associated with the receiver, is then used to verify the document that was digitally signed by the sender.

Usage: Encrypt - Decrypt
Description: To encrypt or decrypt documents. In the receiver's profile, webMethods B2B uses the public certificate that is associated with the receiver to encrypt the information.

To decrypt the document, webMethods B2B checks the receiver's profile for the private key that is associated with the sender.

Usage: SSL
Description: webMethods B2B acts as an SSL client and connects to a remote secure server. If you enable this usage to send documents, upload a valid private key in the sender's profile.

The supported private key file extensions are .cer, .der, .pk, .pkcs8, and .key.

Secondary certificate set for SSL certificate type

You can upload up to two certificate sets (referred to as the primary and secondary certificate sets) for each SSL certificate type. The certificate set that you add first for each usage is considered the primary certificate set. When a primary certificate expires, webMethods B2B continues to process documents by switching to the secondary set.

webMethods B2B automatically switches to the secondary certificate set in the following situations:

  • The primary certificate has expired, but the secondary certificate has not.
  • The sign-verify or SSL primary certificate set of the receiver does not match the sign-verify or SSL certificate set of the sender.

Note: Secondary certificates are not used for the sign-verify, encrypt-decrypt, or SSL usages for any document received over any AS2 channel. To work around this issue, ensure that only valid certificates are set as primary certificates.

For a detailed explanation about how the automatic switching occurs, see Certificates Overview for Secure Communication Between Business Partners.
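The switching rules above, together with the partner-specific versus default lookup described under Managing certificates, as an added Go model that is not webMethods B2B code: CertSet, Profile, usable and Select are hypothetical names, a set's node certificate is represented only by its expiry and a constructed fingerprint, and the fingerprint comparison stands in for the "set does not match" condition.

```go
package main

import (
	"errors"
	"time"
)

// CertSet models one uploaded certificate set by the properties the switching rules need:
// the node certificate's expiry and a constructed fingerprint that identifies it.
type CertSet struct {
	Name        string
	Fingerprint string
	NotAfter    time.Time
}

// Profile models the sets configured for one usage: up to two per partner (index 0 is the
// primary, index 1 the secondary) plus the default pair used when no partner-specific set exists.
type Profile struct {
	PartnerSets map[string][2]*CertSet
	DefaultSets [2]*CertSet
}

// usable reports whether a set exists, has not expired at now and, when the counterpart's
// fingerprint is known, matches it (the "does not match" condition that triggers a switch).
func usable(s *CertSet, now time.Time, peer string) bool {
	return s != nil && now.Before(s.NotAfter) && (peer == "" || s.Fingerprint == peer)
}

// Select is a hypothetical model of the documented selection: partner-specific before default,
// primary before secondary, and no secondary at all for documents received over AS2.
func (p Profile) Select(partner string, now time.Time, peer string, receivedOverAS2 bool) (*CertSet, error) {
	sets, ok := p.PartnerSets[partner]
	if !ok {
		sets = p.DefaultSets // no partner-specific set for this pair: fall back to the default set
	}
	if usable(sets[0], now, peer) {
		return sets[0], nil
	}
	if receivedOverAS2 {
		return nil, errors.New("primary set expired or mismatched; secondary sets are not used for AS2-received documents")
	}
	if usable(sets[1], now, peer) {
		return sets[1], nil
	}
	return nil, errors.New("no valid certificate set: primary expired or mismatched and no usable secondary")
}
```

The AS2 branch is the operational point of the note above: once the primary set expires, an AS2-received document fails rather than falling back, so expiry of primary sets needs monitoring.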

Verify digital signatures

When a sender signs a document, webMethods B2B uses the receiver's certificate in the sender's profile for verification. If webMethods B2B finds a set of certificates to use for that specific receiver, it uses the primary certificate in that set. Otherwise, it uses the default set of certificates that is specified in the sender's profile.

webMethods B2B performs the following checks during a sign-verify scenario:

  • Verifies that the CA (certificate authority) that signed the certificate is included in the list of trusted CA certificates.
  • Verifies document integrity and sender identity by checking the digital signature against the sender's certificate.
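An added Go example, not code from webMethods B2B, that checks the certificate-set structure described under Managing certificates (root, optional intermediate, node; a single certificate must be self-signed) together with the trusted-CA check listed above. IssueCert builds a constructed throwaway PKI for the demonstration, and IssueCert, must and VerifySet are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort on any error; acceptable for a constructed test PKI
	if err != nil {
		panic(err)
	}
	return v
}
// IssueCert builds an RSA-2048 certificate for cn, self-signed (a root) when parent == nil; constructed test PKI, not a webMethods B2B API.
func IssueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // no issuer given: the certificate signs itself
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// VerifySet checks a set ordered root -> intermediate(s) -> node: the first certificate must be self-signed, each later one issued by its predecessor, and the node must chain to a CA in trusted and be valid at now.
func VerifySet(chain []*x509.Certificate, trusted *x509.CertPool, now time.Time) error {
	if len(chain) == 0 {
		return fmt.Errorf("certificate set contains no certificates")
	}
	inters, issuer := x509.NewCertPool(), chain[0] // chain[0] is checked against itself: it must be self-signed
	for i, c := range chain {
		if err := c.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("certificate %d is not nested in the one before it: %w", i, err)
		}
		if i > 0 && i < len(chain)-1 {
			inters.AddCert(c) // intermediates sit between the root and the node
		}
		issuer = c
	}
	_, err := chain[len(chain)-1].Verify(x509.VerifyOptions{Roots: trusted, Intermediates: inters, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err // nil: the node's issuing CA is trusted and nothing in the chain has expired at now
}
```

The trusted pool plays the role of the list of trusted CA certificates: a chain whose root is not in it fails with an unknown-authority error even though every signature in the chain is valid.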

Digitally sign the documents

webMethods B2B supports X.509 v3 certificates. To send documents to business partners, you must digitally sign them. To digitally sign a document, the sender's profile must have a private key.

webMethods B2B locates the sender from the business document to retrieve the correct signing certificate. The owner of the certificate is the sender, and the receiver is the business partner.

webMethods B2B lets you set up unique partner-specific certificates for each of your business partners.

Also, you can set up a default sign certificate by providing the certificate information in the sender’s profile. If you upload a default sign certificate, webMethods B2B uses it when a partner-specific sign certificate is not available.

Encrypt and decrypt data

When a business partner encrypts a document to send it to another partner, webMethods B2B retrieves the partner's public certificate from the sender's profile. If webMethods B2B does not find a certificate set to use for that sender, it uses the default certificate set specified in the receiver’s profile.

When a partner sends an encrypted document to the enterprise, webMethods B2B checks the receiver's profile to see whether it contains the specific private key to decrypt the document. If webMethods B2B does not find a certificate set to use for that specific receiver, it uses the private key in the default certificate in the receiver's profile.