Generating a SSL Private Key
- Install webMethods Certificate Toolkit which can be found in version 6.5 image.
- Run webMethods Certificate Toolkit
- Use default keysize of 1024 bits
- Label filename as MyEnterprise_PrivateKey.der
Generating the SSL Certificate Signing Request (CSR)
- Run webMethods Certificate Toolkit
- Select the private key generated above
- Label the CSR filename as MyEnterprise_CSR.pem
- Fill in the Server Information as required
- Send the Certificate Signing Request (CSR) to an authorised person who deal commercially with VeriSign.
Extracting SSL certificates from VeriSign's response
- Once the purchase of SSL Certificate is complete VeriSign will response with an email
- The cert.p7b attachment received from verisign is a PKCS#7 file which contains the CA certificate and the signed/public key, you will need to extract them.
- Save this attachment as MyEnterprise.p7b
- Double-click on the MyEnterprise.p7b to inspect the certificates, note the expiration date
- Double-click CA cetrificate (Issued To=www.verisign.com...)
- Navigate to the Details tab
- Click on the Copy to File button
- Export file as DER encoded binary X.509 format, label filename as MyEnterprise_CA.cer
- Rename MyEnterprise_CA.cer to MyEnterprise_CA.der
- Double-click CA cetrificate (Issued To=b2b.jemena.com.au...)
- Navigate to the Details tab
- Click on the Copy to File button
- Export file as DER encoded binary X.509 format, label filename as MyEnterprise_Signed.cer
- Rename MyEnterprise_Signed.cer to MyEnterprise_Signed.der
Configure SSL certificate support for incoming transactions
- Request MyEnterprise's private key, signed/public key and CA certificates from Security Team
- Send MyEnterprise's signed/public key and CA certificates to CompanyA
- Request CompanyA's signed/public key and CA certificates from CompanyA
- Navigate to Reverse Invoke Server > IS Adminstration > Security > Ports > Gateway External
- Upload MyEnterprise_PrivateKey.der and MyEnterprise_Signed.der onto Reverse Invoke Server under /IntegrationServer/config/cert/myent directory
- Upload MyEnterprise_CA.der onto Reverse Invoke Server under /IntegrationServer/config/cert/cas directory
- Under Listener Specific Credentials, select Protocol as HTTPS
- Set Server's Certificate as config/cert/myent/MyEnterprise_Signed.der
- Set Authority's Certificate as config/cert/cas/MyEnterprise_CA.der
- Set Private Key as config/cert/myent/MyEnterprise_PrivateKey.der
- Set Trusted Authority Directory as config/cert/cas
- Navigate to Internal Server > IS Adminstration > Security > Certificates > Configure Client Certificates
- Upload MyEnterprise_Sign.der onto Internal Server under /IntegrationServer/config/cert/com_a directory
- Under Import Certificate, set Certificate Path as /IntegrationServer/config/cert/com_a/CompanyA_Signed.der
- Set User as Administrator (recommend you create unique user on IS for easy supportability)
- Set Usage as SSL Authentication
- Click on Import Certificate
Configure SSL certificate support for outcoming transactions
- Request v's private key, signed/public key and CA certificates from Security Team
- Send MyEnterprise's signed/public key and CA certificates to CompanyA
- Request CompanyA's signed/public key and CA certificates from CompanyA
- Run webMethods Trading Networks Console, logon to Internal Server
- Navigate Enterprise profile > Security > SSL Client
- Under Certificate Chain, add MyEnterprise_Signed.der and MyEnterprise_CA.der
- Set Private Key as MyEnterprise_PrivateKey.der
- Save Enterprise profile
- Upload MyEnterprise_CA.der and CompanyA_CA.der onto Internal Server under /IntegrationServer/config/cert/cas directory
- Navigate to Internal Server > IS Adminstration > Security > Certificates > Edit Certificates Settings
- Under Trusted Certificates, set CA Certificate Directory as config/cert/cas
- Save changes
You might have notices the Outbound SSL Certificates section, why is that there? That's only required if you use pub.client:http service to invoke HTTPS URL, the IntegrationServer will act as a client.
