I am very interested in how certificates work in WM and would like to know:
When do we require our TP to provide a complete chain of certificates or just the main one? To be simple, when do I have to ask my TP to provide the main cert over the complete chain?
Do we need the chain of certs for one-way auth or two-way?
What is the difference between global signed and self-signed?
Where should the certificates be installed in IS to avoid any certificate-related errors?
I know these are lengthy questions… I appreciate any response.
Two cases:
Your WM connecting to theirs: your WM needs to trust their root & intermediate certs, so load them into your WM trust store.
Their server connecting to yours: if they use a cert for authentication, your WM needs to trust their root & intermediate certs, and their server cert needs to be loaded as a client cert.
Yes, read the answer for point 1.
There are CA-signed: a cert issued by a common Certificate Authority; and self-signed: a cert created by the client. "Global signed" is a confusing term.
Depends on your use cases; read point 1. For some cases (RN, AS2, etc.) you need to load certs into TN partner profiles, in addition to the server's trust store.
For AS2, a cert can be used for:
Authentication
Signing/verification
Encryption/Decryption
Depending on your case, configurations can be very different.
There are too many combinations; hard to list here.
For authentication: read my point 1 above.
For signing and encryption, refer to the "Understanding webMethods B2B: webMethods Trading Networks Concepts Guide Version 8.0", B Security within Trading Networks.
It can be:
– Authentication: use a cert or use user/pass, as client or as server
– Signing/verification: yes/no
– Encryption/Decryption: yes/no
These are all independent decision points/use cases; you need to configure your system accordingly, depending on the choice for each.
Additional question: How am I able to verify if the system we are using is using certificate chaining or not? What WM or server configuration do we need to look at to verify this?
The reason for asking is that every time our TP renews their certificate, our Infrastructure team requires the chain of certificates instead of just the main cert. I read online about certificate chaining, which requires the root certificate to be present in order to verify the authenticity of a certificate that is received.
A cert chain is almost always used for serious business; the very existence of CAs is that they provide credibility, so systems can trust their root/intermediate, so they can trust the leaf certs. When exchanging certs between partners, always provide the full chain.
When the server cert changes (the leaf), normally they won't need to update the root/intermediate, so your truststore doesn't need an update. But your team still needs the full chain to be sure that the root/intermediate are the ones you are trusting already.
HTH,
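The behaviour described in the reply above (root and intermediate live in the trust store, the leaf is what gets renewed, and the full chain is needed to check that the renewed leaf still hangs off the CAs you already trust) can be reproduced with the openssl CLI. This is an added example, not code from the thread or from webMethods; it assumes openssl 1.1.1 or later is on the PATH, and every CA name, subject and file name in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway Root -> Intermediate -> Leaf chain
# built with the openssl CLI, showing what the trust store has to hold and why the
# partner must send the full chain. All names and files here are constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

# issue <name> <subject> <extensions> <ca>: make a key + CSR for <name> and sign it with <ca>.
issue() {
    printf '%b' "$3" > "$WORK/$1.ext"
    openssl req -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

make_chain() {
    # Root CA: self-signed. Root (plus intermediate) is what the IS trust store holds.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    issue int "/CN=Demo Intermediate CA" 'basicConstraints=critical,CA:TRUE\n' root
    # Leaf: the partner's server cert, the piece that changes at every renewal.
    issue leaf "/CN=partner.example" 'basicConstraints=critical,CA:FALSE\n' int
}
# verify_leaf <truststore.pem> [sent-along.pem]: prints ok or fail, mirroring the handshake
# when the trust store holds the first file and the peer sends the second with its leaf.
verify_leaf() {
    if [ -n "${2:-}" ]; then set -- -CAfile "$1" -untrusted "$2"; else set -- -CAfile "$1"; fi
    if openssl verify -no-CAfile -no-CApath "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}
# fingerprint <cert.pem>: SHA-256 fingerprint, the value to compare against the cert already in
# the trust store; a matching subject name alone does not prove it is the same CA certificate.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

make_chain
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/truststore.pem"  # root + intermediate, as in point 1
echo "root only, leaf alone:           $(verify_leaf "$WORK/root.pem")"                   # fail
echo "root only, leaf + intermediate:  $(verify_leaf "$WORK/root.pem" "$WORK/int.pem")"   # ok
echo "root+intermediate, leaf alone:   $(verify_leaf "$WORK/truststore.pem")"             # ok
issue leaf "/CN=partner.example" 'basicConstraints=critical,CA:FALSE\n' int  # partner renews its leaf
echo "renewed leaf, unchanged store:   $(verify_leaf "$WORK/truststore.pem")"             # ok
echo "intermediate fingerprint to compare with the trust store: $(fingerprint "$WORK/int.pem")"
```

The first three lines of output show the same point as the reply: with only the root in the trust store, the leaf is unverifiable unless the intermediate arrives with it, and once the intermediate is trusted as well the leaf alone suffices; the renewal step shows the trust store staying untouched while the leaf changes.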
When a TP connects to MW to deliver the inbound EDI message, what is expected to be part of the SSL handshake for verification/certification: our full certificate chain or just the main information?