SHA-2 type certificate in WM

Hi,

We are using webMethods IS version 8.2.2.0.
One of our trading partners asked to update their new AS2 certificate from SHA1 to SHA2.
After the certificate update in TN, we got an authentication error.
I believe 8.2.2.0 version supports SHA2 type.
Are there any other places to change configuration or settings other than TN?
How can we fix this problem?
(We tried in Liaison and it worked without any issues just by changing the certificate.)

Thanks in advance.

Can you please make sure the SHA2 cert you loaded from the partner was installed properly, and also check with your partner that the certs were loaded properly on their side (the whole cert chain), so that it works fine during SSL auth/handshake?

I believe it is due to a mismatch somewhere.

HTH,
RMG

Thanks for your response.

I tried a couple of times at my end and the partner did also.
We even tested on different software (Liaison ECS) and it worked without issues.

TN is the only place to update certificate, right?
No additional configuration needed for SHA2?

Yes… So where did you update the SHA2 cert on the receiver’s partner profile (assuming your TP)?

HTH,
RMG

TP → Security tab → Sign/Verify tab and Decrypt/Encrypt tab with ‘Use alternative sign/verify certificate set’ and ‘Use alternative decrypt/Encrypt certificate set’ selected

Is this correct?

John,

Before you update any certs, first delete the existing chains (Sign/Verify and Encrypt/Decrypt) and save it.
Then on Sign/Verify → click the edit option and, under the Certificate Chain section, click Add Certificate and upload the new certificate provided, with your new (SHA2) cert .pb7, and click OK to save the section finally.

Follow the same steps for Decrypt/Encrypt and save the section.

So are we on the same page? Please try again!

HTH,
RMG

Hi John, you may need to add the new cert to your Truststore as defined in IS>Security>Keystore. Then reload the Truststore (IS>Security>Keystore) and clear the SSL cache (IS>Security>Certificates).

  • Mary

I believe Mary’s comments only apply when you are updating the SHA-2 keycert on your enterprise or Sender Profile.

HTH,
RMG

  1. For inbound authentication error:
    Please define the new SSL certificate in IS > security > Configure Client Certificates >
    Import the new Certificate > Certificate Path, User & Usage = SSL authentication
    Delete the old one.

  2. For outbound authentication error:
    Please define the new SSL certificate in TN > partner profile > security > ssl client > delete old certificate and add new one.

  3. add “Root CA and intermediate certificates” to your Truststore.

  4. reload the Truststore (IS>Security>Keystore)

Hi John

Is that issue resolved after adding the cert in the truststore? We are also having the same issue.

Also, which trust store do we need to add - IS>Security>keystore>default_trustore?

What is the password for the same?

Hi amitsinghal75,
Please use IS > Security > Keystore > Create Truststore Alias to create a new Truststore for yourself.

Use KeyStore Explorer 5.1.1 to create "edi_ca.jks"

example:
Alias=edi_ca
Type=JKS
Provider=SUN
Location=D:\webMethods98\IntegrationServer\instances\default\config\security\keystore\edi_ca.jks

Thanks Rocky,

We already have the trust store - we created it at the time of migrating our IS URL from HTTP to HTTPS.

Can we use the same truststore? Attaching the screenshot…

c:\webMethods98_7712\IntegrationServer\instances\default\config\security\keystore\PROD_DR_IS_MWS_TS.jks

Hi amitsinghal75,
Yes, you may use the same truststore files.

Please double-check the Alias:

Security > Keystore > View Truststore Alias > Certificate Aliases

to make sure the CA certificates are in the Certificate Aliases of default_trustore.
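
The truststore check suggested in the replies above can also be done from the command line. This is an added example, not part of the original thread: it summarizes `keytool -list -v` output per alias, showing the signature algorithm and whether each certificate's issuer is also present in the store. The function name, aliases and distinguished names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize `keytool -list -v` output for a truststore.
# Real use (keytool prompts for the store password):
#   keytool -list -v -keystore /path/to/truststore.jks | audit_truststore

audit_truststore() {
  awk '
    { sub(/\r$/, "") }   # tolerate CRLF output from keytool on Windows
    /^Alias name: /               { alias = substr($0, 13) }
    /^Owner: /                    { have[substr($0, 8)] = 1 }
    /^Issuer: /                   { issuer[alias] = substr($0, 9) }
    /^Signature algorithm name: / { alg[alias] = substr($0, 27); order[++n] = alias }
    END {
      for (i = 1; i <= n; i++) {
        a = order[i]
        hash  = (alg[a] ~ /^(SHA1|MD5|MD2)/) ? "legacy-hash" : "hash-ok"
        chain = (issuer[a] in have) ? "issuer-present" : "ISSUER-MISSING"
        printf "%s|%s|%s|%s\n", a, alg[a], hash, chain
      }
    }'
}

# Constructed, abbreviated listing (not from the thread): a root, a new partner
# certificate whose issuing CA is absent, and the old SHA-1 certificate.
sample_listing() {
  cat <<'EOF'
Alias name: example_root
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
Signature algorithm name: SHA256withRSA

Alias name: partner_as2_new
Owner: CN=as2.partner.example, O=Partner
Issuer: CN=Example Issuing CA, O=Example
Signature algorithm name: SHA256withRSA

Alias name: partner_as2_old
Owner: CN=as2.partner.example, O=Partner
Issuer: CN=Example Root CA, O=Example
Signature algorithm name: SHA1withRSA
EOF
}

sample_listing | audit_truststore
```

The issuer check compares distinguished names as keytool prints them; it does not verify signatures, so an `ISSUER-MISSING` line is a prompt to import the intermediate or root CA, not proof of a broken chain.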