Client certificate management

Hi all,

Sorry if this is a bit long winded, just wanted to be clear about the problem we are having.

Having a bit of a problem understanding how wm handles certificates. All the documentations seems to talk about using a CA, which seems to imply a common certificate being used for public access for all clients to wm services.

We don’t have any public services, just specific private connections between ourselves and select outside 3rd parties and therefore don’t use or intend to use a CA.

These connections are currently done using FTP/s SSL connection with the Cleo LexiCom application. All the connections are initiated by us as the client, connecting to them as a server.

Each of these connections has a certificate associated with that connection, and the public certificate for that connection is sent to the relevant 3rd party, so they can recognise us when we connect to them.

We are migrating to wm and the intention is to use the built in FTP/s functionality, rather than Cleo LexiCom.

Under wm the only association I can find for certificates is to associate a certificate to a specific username, for incoming connections, when using an FTPS port, which is the wrong direction for us. I can’t find anything related to outgoing connections. And the only outgoing SSL settings I’ve found are under the ftp/login service, which only asks what type of auth to use, not which certificate to use for that connection.

Is it possible to associate outgoing (initiated by wm) FTP/s clients/users with specific certificates? Or is wm restricted to only using a single common certificate for all outgoing connections?

Our preference would be to not have any common certificates, and to assign a single certificate per client connection and that that certificate could only be used by that one client. That way we could remove an individual certificate if we decided to revoke a connection for some reason.

Thanks in advance for any help,

Hi Mark - by default, webMethods will use your IS server certificate as a client certificate when you make outbound HTTPS (SSL) connections. To dynamically change the set of certificates you want to use for a delivery, you have to use a webMethods security service ( I think) – you invoke it in Flow before calling the pub.client… services.

I am not sure if this behavior extends to FTP/S but it would be logical if it did.

Also, are you using Trading Networks? TN has partner profiles settings where you can specify the certs to use with specific partners. I am not an expert in this though.


Thanks for the reply, looks like something to investigate with the setKeyAndChain service.

We don’t currently use TN, were new to wm, so still learning our way with the product and the best ways forward with certain things.