Certificates

Hi -

I am very interested in how certificates work in WM and would like to know:

  • When do we require our TP to provide a complete chain of certificates or just the main one? To be simple, when do I have to ask my TP to provide the main cert over the complete chain?
  • Do we need the chain of certs for one-way auth or two-way?
  • What is the difference between global signed and self-signed?
  • Where do the certificates need to be installed in IS to avoid any certificate-related errors?

I know this is a lengthy question… I appreciate any response :)

  1. Two cases:
     • Your WM connecting to theirs: your WM needs to trust their root & intermediate cert, so load them into your WM trust store.
     • Their server connecting to yours: if they use a cert for authentication, your WM needs to trust their root & intermediate cert, and their server cert needs to be loaded as a client cert.
  2. Yes, read the answer for point 1.
  3. There should be CA signed: a cert issued by a common Certificate Authority; and self-signed: a cert created by the client. Global signed is a confusing term.
  4. Depends on your use cases, read point 1. For some cases (RN, AS2 etc.) you need to load certs to TN partner profiles, in addition to the server’s trust store.

Thanks Tong for your response. Additional clarification please:

  1. We are connecting to TP (using one-way auth) via AS2 - do we need the chain of certs for CA signed? Or are the intermediate and main cert enough?

  2. TP is connecting to us (signedAndEncrypted) via AS2 (EDI INT) - do we need to ask for their chain of certs for CA signed?

For AS2, a cert can be used for:
  • Authentication
  • Signing/verification
  • Encryption/decryption

Depending on your case, configurations can be very different.
There are too many combinations; it is hard to list them here.
For authentication: read my point 1 above.
For signing and encryption, refer to the “Understanding webMethods B2B: webMethods Trading Networks Concepts Guide Version 8.0”, B Security within Trading Networks

Hi Tong -

I know it's too much to ask, but can you list some combinations here? Oh, I forgot to mention, we are using WM TN 7.1.2.

It can be:
  • Authentication: use cert or use user/pass, as client or as server
  • Signing/verification: yes/no
  • Encryption/decryption: yes/no

These are all independent decision points/use cases; you need to configure your system accordingly, depending on the choice for each.

Additional question: How am I able to verify if the system we are using is using certificate chaining or not? What WM or server configuration do we need to look at to verify this?

The reason for asking is that, every time our TP renews their certificate, our Infrastructure team requires the chain of certificates instead of just the main cert. I read online about certificate chaining, which requires the root certificate to be present in order to verify the authenticity of a certificate that is received.

A cert chain is almost always used for serious business. The very existence of a CA is that they provide credibility, so a system can trust their root/intermediate and therefore trust the leaf certs. When exchanging certs between partners, always provide the full chain.

When the server cert changes (the leaf), normally they won’t need to update the root/intermediate, so your truststore doesn’t need an update. But your team still needs the full chain to be sure that the root/intermediate are the ones you are trusting already.
HTH,

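The check described in the answer above (confirm that the CAs in a renewed chain are ones you already trust), as an added example that is not part of the original thread. It assumes the truststore's CA certificates have been exported to a PEM bundle and that the openssl CLI is available; the function names and the throwaway certificates built in `demo` are constructed for illustration.

```sh
# Added example, not from the thread. Needs the openssl CLI; all certs are constructed.
# SHA-256 fingerprint of each certificate in a PEM bundle, in file order.
bundle_fingerprints() {
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}' "$1"
  for f in "$tmp"/c*.pem; do
    [ -e "$f" ] && openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2
  done
  rm -rf "$tmp"
}

# check_renewal TRUSTED_BUNDLE PARTNER_CHAIN  (chain file: leaf first, then its CAs)
# Prints OK, "NEW_CA <fingerprint>" or UNTRUSTED.
check_renewal() {
  known=$(bundle_fingerprints "$1")
  # Every CA the partner sent must be one our truststore already holds.
  for fp in $(bundle_fingerprints "$2" | tail -n +2); do
    echo "$known" | grep -qxF "$fp" || { echo "NEW_CA $fp"; return 2; }
  done
  # Build the path from our own trusted CAs only, not from what the partner sent.
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK
  else echo UNTRUSTED; return 1; fi
}

# issue DIR NAME ISSUER [EXTFILE]: throwaway test cert; ISSUER equal to NAME self-signs.
issue() {
  ext=${4:+-extfile $4}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -subj "/CN=$2" \
    -out "$1/$2.csr" 2>/dev/null
  if [ "$2" = "$3" ]; then signer="-signkey $1/$2.key"
  else signer="-CA $1/$3.pem -CAkey $1/$3.key -CAcreateserial"; fi
  openssl x509 -req -in "$1/$2.csr" $signer $ext -days 2 -out "$1/$2.pem" 2>/dev/null
}

demo() {
  d=$(mktemp -d); printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  issue "$d" root root "$d/ca.ext"; issue "$d" inter root "$d/ca.ext"
  issue "$d" renewed inter                      # renewed leaf under the same CAs
  issue "$d" otherca otherca "$d/ca.ext"; issue "$d" swapped otherca  # unknown CA
  issue "$d" lonely lonely                      # self-signed leaf, no chain
  cat "$d/root.pem" "$d/inter.pem" > "$d/trusted.pem"   # stand-in for our truststore
  cat "$d/renewed.pem" "$d/inter.pem" "$d/root.pem" > "$d/ok.pem"
  cat "$d/swapped.pem" "$d/otherca.pem" > "$d/new.pem"
  r1=$(check_renewal "$d/trusted.pem" "$d/ok.pem") || true
  r2=$(check_renewal "$d/trusted.pem" "$d/new.pem") || true
  r3=$(check_renewal "$d/trusted.pem" "$d/lonely.pem") || true
  rm -rf "$d"; echo "renewed=$r1 unknown_ca=${r2%% *} self_signed=$r3"
}
demo
```

A `NEW_CA` result means the partner has moved to an issuer you have not loaded, so the truststore needs a reviewed update and not just a leaf swap.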

When a TP connects to MW to deliver the inbound EDI message, what is expected to be part of the SSL handshake for verification/certification, our full certificate chain or just the main information?

If the client is using a cert for authentication, the client system needs to present the full chain.

Sorry, I was lost here. Can you identify who is the client here? And who is the server?

The client is the system that initiates the HTTPS connection.

Thank you so much Tong for your response. This really helps me understand how certificates work in WM.