Adding a 2-Way SSL/TLS Certificate for a Partner

A 2-Way SSL/TLS (mutual TLS) certificate can be used to authenticate a partner that sends inbound business documents to IBM® webMethods B2B. In a 2-Way SSL/TLS exchange the client (a web browser or client application) authenticates itself to the server and the server also authenticates itself to the client; each side verifies the other's public key certificate (digital certificate), issued by a Certificate Authority (CA), so that both parties are assured of the other's identity.

The 2-Way SSL/TLS document exchange applies to AS2-IN, HTTP-IN, and RNIF-IN channels.

The 2-Way SSL/TLS certificate capability provides an additional level of validation and security. It is used along with the existing partner-user-credential based authentication, not instead of it: the partner must still present valid partner-user credentials, and in addition the client certificate it presents must match the certificate stored in its profile. To uniquely identify a partner, only a single set of certificates per partner is allowed.

The default signing algorithm that IBM webMethods B2B uses when it generates a 2-Way SSL/TLS certificate is SHA-256 (that is, the certificate signature is computed over a SHA-256 hash).

Before You Begin

  • Ensure that you use one inbound channel per partner when you use a 2-way SSL certificate for the document exchanges.

    IMPORTANT The default port number for 2-Way SSL/TLS exchanges is 8443. You must append this port number to the host name in the inbound channel URL, for example https://hostname:8443/saas/webmethods-b2b/routes/channel/channel_ID.

    If a document is posted to the channel URL without this port number, the transaction is processed in default mode, that is, it is authenticated by the partner-user credentials alone and the client certificate is not validated. Partners that must be authenticated by certificate therefore have to use the URL with port 8443.

  • Ensure that you have the partner-user credentials with you.

To add a 2-Way SSL/TLS certificate

  1. On the Partner profiles page, click a partner profile to which you want to add a certificate set.

  2. In the left navigation bar, select Certificates.

  3. Click Add partner certificate set and, as the type of certificate set, select 2-Way SSL/TLS.

  4. Select the manner in which you want to use the 2-Way SSL/TLS certificate feature:

    Method                  Action to take

    Upload new certificate  Click Upload to add an existing 2-Way SSL/TLS certificate. The certificate is
                            validated and then applied to all subsequent interactions.

    Generate certificate    Click Generate to create a 2-Way SSL/TLS certificate for the partner. While the
                            certificate is generated, the partner information you already added is filled in
                            automatically; see Source of Information Automatically Filled During Certificate
                            Generation. You can modify this information for the purpose of generating the
                            certificate, but the modification does not affect the partner information in the
                            partner profile. Clear the check box of any field that you do not want to include
                            in the certificate.

                            A 2-Way SSL/TLS certificate can be generated in .jks, .pfx, or .p12 format. A copy
                            of the generated certificate, together with its public and private key, is
                            downloaded to your system automatically. IBM webMethods B2B does not store the
                            private key of a generated certificate; only a copy of the public certificate
                            remains in the system, which is all it needs to authenticate inbound business
                            documents. You can replace the certificate at any time by uploading a new one.

    NOTE The default password of the generated certificate file is changeit. IBM recommends that you change this default password. Because the downloaded file contains the partner's private key, change the password before you store the file or hand it to the partner.

Example: Sending Documents to IBM webMethods B2B using 2-Way SSL/TLS

After you configure the 2-Way SSL/TLS certificate for a partner as described above, the partner can send inbound documents to IBM webMethods B2B by using the channel URL with port 8443 appended to the host name.

To test the following instructions, use any tool that can post an HTTP request with a client certificate to IBM webMethods B2B after you have generated a 2-Way SSL/TLS certificate. In the following example, a document is sent with the Postman REST client to a channel that is associated with partner1, using the 2-Way SSL/TLS certificate generated for that partner.

  1. Open the Postman REST client, click Settings > Certificates, and click Add Certificate. Enter the IBM webMethods B2B host name and the 2-Way SSL/TLS port number (8443), and upload the 2-Way SSL/TLS certificate, with its private key, that was generated or uploaded for partner1. Postman presents this certificate whenever it posts to that host and port.

  2. Post a document payload to the channel endpoint that is associated with partner1, using the channel URL with port 8443.

  3. Ensure that you post the document with the required header information. In this example, the document payload is sent to an AS2 channel, and an EDIINT AS2 identity type exists in the partner profile of partner1, so the AS2 headers of the message must identify partner1 by that AS2 identity.

  4. Click Send to post the document payload to the channel.
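The exchange described in the procedure above, end to end, as an added example in Go that is not part of the product documentation or of IBM's code. It generates a stand-in for the partner's 2-Way SSL/TLS certificate (self-signed, signed with SHA-256), starts a local listener that, like the 8443 endpoint, requires that certificate, and a second local listener that, like the default endpoint, checks the partner-user credentials only; it then posts a constructed AS2 payload to both, with and without the client certificate. The partner host name, the credentials (carried here as HTTP Basic auth), the AS2 identity PARTNER1, and the rule that the listener matches the presented certificate to the stored one by its Common Name are all assumptions made for illustration; the documentation does not describe how B2B carries the credentials or matches the certificate, and the test servers pick their own ports, so 8443 does not appear literally.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

const ( // assumed values for partner1; none of them come from the product documentation
	partnerCN   = "partner1.example.com" // Common Name of partner1's 2-Way SSL/TLS certificate
	partnerUser = "partner1-user"        // partner-user credentials, carried here as HTTP Basic auth
	partnerPass = "s3cret"
	channelPath = "/saas/webmethods-b2b/routes/channel/channel_ID" // placeholder channel URL path from the documentation
)

// newPartnerCert stands in for B2B's generator: a self-signed RSA certificate with a SHA-256 signature. Leaf is the public part B2B keeps; PrivateKey stays with the partner.
func newPartnerCert(cn string) (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	crt := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	crt.Leaf, err = x509.ParseCertificate(der)
	return crt, err
}

// poolOf wraps a single trusted certificate in a pool.
func poolOf(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }

// channelHandler models an inbound channel: with requireCert it acts like the 8443 listener and admits only the certificate stored for partner1; without it, like the default listener, credentials alone pass.
func channelHandler(requireCert bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || u != partnerUser || p != partnerPass {
			http.Error(w, "bad partner-user credentials", http.StatusUnauthorized)
		} else if requireCert && (len(r.TLS.PeerCertificates) == 0 || r.TLS.PeerCertificates[0].Subject.CommonName != partnerCN) {
			http.Error(w, "client certificate does not identify partner1", http.StatusForbidden)
		} else {
			w.WriteHeader(http.StatusOK)
		}
	}
}

// startListeners starts the 8443-style listener, configured with only partner1's public certificate, and the default one.
func startListeners(partnerPub *x509.Certificate) (mtls, plain *httptest.Server) {
	mtls = httptest.NewUnstartedServer(channelHandler(true))
	mtls.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: poolOf(partnerPub)}
	mtls.StartTLS()
	return mtls, httptest.NewTLSServer(channelHandler(false))
}

// postAS2 posts a payload with EDIINT AS2 headers; an empty certs slice sends no client certificate at all.
func postAS2(url string, serverCert *x509.Certificate, certs []tls.Certificate, payload []byte) (int, error) {
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(payload))
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(partnerUser, partnerPass)
	req.Header.Set("Content-Type", "application/edi-x12")
	req.Header.Set("AS2-From", "PARTNER1") // EDIINT AS2 identity in partner1's profile (assumed value)
	cfg := &tls.Config{RootCAs: poolOf(serverCert), Certificates: certs}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	crt, err := newPartnerCert(partnerCN)
	if err != nil {
		panic(err)
	}
	mtls, plain := startListeners(crt.Leaf)
	payload := []byte("ISA*00*...~") // constructed stand-in for an EDI interchange
	fmt.Println(postAS2(mtls.URL+channelPath, mtls.Certificate(), []tls.Certificate{crt}, payload)) // 200 <nil>
	fmt.Println(postAS2(mtls.URL+channelPath, mtls.Certificate(), nil, payload))                     // 0 and a TLS handshake error
	fmt.Println(postAS2(plain.URL+channelPath, plain.Certificate(), nil, payload))                   // 200 <nil>
}
```

Run it with go run: the first and third posts return 200, while the second is rejected in the TLS handshake before any HTTP request is processed. That is the difference between the 8443 URL and the default URL described under Before You Begin, and it also shows why the listener needs only the partner's public certificate: the private key never leaves the partner.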

Source of Information Automatically Filled During Certificate Generation

The information that is filled in automatically during certificate generation is taken from the partner profile of the selected business partner. The following table lists the source of each field.

Field Name               Source of Information
Common Name              Server name or host name
Organization             Partner > Organization unit
Organizational Unit      Partner > Profile name
Locality                 Partner > Contact (Administrative type) > City
State Or Province Name   Partner > Contact (Administrative type) > State/Province
Country Name             Partner > Contact (Administrative type) > Country
Email                    Partner > Contact (Administrative type) > Email

Next Steps

You can also update the certificate, either by uploading a new certificate or by modifying the field content and regenerating the 2-Way SSL/TLS certificate.

Click Download to download a copy of the public certificate to your local system.

You can download the certificate only in .crt format. If your browser saves the downloaded certificate in a compressed file format (for example, .zip), rename the file so that it has only the .crt file extension.