What are the necessary items to function IS as an SSL Client

Hi Guys,
I have gone through the IS Administrator guide and even the Cert Dev. Toolkit, too. Still I am not clear what the mandatory items are for IS Server to function as an SSL client.

Could someone clear this doubt?

I have the understanding that if my IS is to function as an SSL Client …

  • I have to ask my partner (who will be the SSL Server) to send his digital certificate with public key.
  • I have to import that in IS using IS administrator.
  • I am not clear about asking my partner to send me certificates of CA chain also.

If someone could clear or confirm the above items, I can go ahead and request the same from my partner.

Is there anywhere I need to use the cert. toolkit to create a private key or Certificate Chain Request (CSR) to function as an SSL client?

Appreciate your help.

- nilesh

Nilesh,

Is there anywhere I need to use the cert. toolkit to create a private key or Certificate Chain Request (CSR) to function as an SSL client?

Ans) Yes, use the cert toolkit to create a private key and CSR (send this to VeriSign for signing) and later give this to your partner for SSL handshaking; similarly, request the partner to send their certificate of the CA chain. Then load this cert in the IS Admin Certificates / Trusted Certificates section of CA Certificate Directory: IS/certs (create this folder).

And also in the Outbound SSL Certificates section, load these cert files:

Server’s Signed Certificate – config/cert.der
Signing CA’s Certificate – config/cacert.der (your company’s CA cert)
Server’s Private Key – config/privkey.der

Configure an HTTPS port with RequireClientCertificates for SSL handshaking.

Also use the Search functionality; a lot of threads have discussed this SSL-related procedure.

HTH,
RMG.

RMG,
Thank you very much for the prompt response.
Now it is clear that I need the following files (or certs) to initiate an SSL handshake:

Server’s Signed Certificate – config/cert.der
Signing CA’s Certificate – config/cacert.der (your company’s CA cert)
Server’s Private Key – config/privkey.der

Could you clarify what you mean by “Server’s Signed Certificate”? What does “Server” mean here? Does it mean my own IS Server, or is it the ‘Server’ to which I am sending the request?

I want to be more specific about my application so you can get an exact idea of what I have to do.

I am calling a web service on my partner’s server. Currently this web service call is an HTTP (soapHTTP) call for proof of concept.

Now we are going to move communication to HTTPS.

So I have to configure my IS Server to be able to successfully make a web service request to my partner. My partner is using the Tomcat web server, so first my web service call will hit the Tomcat authorization.

So at this time, I have told my partner to send their digital certificate along with their public key and also the CA certificates, too.
Once I get those from the partner, I will go ahead and install/import them on my IS Server using the IS Admin.

Now in this scenario, do I need to use the certificate toolkit?

Or did I make a wrong request to my partner to send those items which I mentioned to you earlier?

Thanks in advance.

-nilesh

Nilesh,

Have a look in the “Security” section of the built-in services guide for information about services which allow you to specify the certificate to use when communicating with a remote server using HTTPS.

Pay special attention to the usage scenarios in the pub.security:clearKeyAndChain documentation.

Chapter 7 of the IS Administration Guide addresses how IS behaves when acting as an SSL Server and as an SSL client. This chapter also provides a checklist of tasks to perform to enable Integration Server SSL support.

For development, I prefer to start out using a self-signed certificate. One way to do this is to use OpenSSL. See this post for details.

Mark

Mark,

Thanks.

There is really good and well-defined documentation given in the Built-in Services user guide under the “Security folder”. When I discussed the encryption of data and digital signing of data with my team, they were not really ready for that. They want to send data as it is, but through an SSL (HTTPS) channel.

I read the section you mentioned in Chapter 7. It really gives a very good overview of the checklist of items required for IS to act as an SSL client.

I will try to get OpenSSL installed on my system. It may take time, because due to security constraints I don’t have administrative rights on my system.

To be an SSL client, do I need my own digital certificate?
Can my IS act as an SSL client if I have my partner’s (who will be acting as SERVER in the HTTPS communication) digital certificate and public key?

As I am going to make an httpSOAP call over HTTPS to my partner’s server, I need to install only my partner’s digital certificate and his public key, right?

My questions may be silly, but I am not sure what exactly I have to do to configure my IS to act as an SSL client, even after reading the webMethods IS Admin guide.

Please bear with me.

- nilesh

Nilesh,

Whether you need a certificate to act as an SSL client really depends on the security deployment of your partner’s server. The partner can configure their SSL server to require client certificates. In practice though, you typically do not need one.

You will need one of the certificates from your partner’s certificate chain to establish trust.

Ed
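As an added illustration of Ed’s point (example code written for this page, not from the thread or from webMethods IS), here is how an outbound TLS client is set up with Python’s standard `ssl` module: the partner’s CA certificate is the only input needed to establish trust, while our own certificate and private key are loaded only when the partner’s server is configured to require client certificates. All file paths are assumed placeholders.

```python
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class OutboundTls:
    context: ssl.SSLContext
    trust_source: str        # "partner_ca_file" or "system_store"
    client_identity: bool    # True only when our own cert and key were loaded


def build_outbound_tls(partner_ca_file: Optional[str] = None,
                       my_cert_file: Optional[str] = None,
                       my_key_file: Optional[str] = None) -> OutboundTls:
    """Build the TLS context an SSL client uses to call a partner's HTTPS server.

    partner_ca_file: PEM file holding the partner's CA chain (the trust anchor).
        Without it only the operating system's trust store is consulted, so a
        partner certificate issued by a private CA fails verification with
        SSLCertVerificationError at connect time.
    my_cert_file / my_key_file: our own certificate and private key, needed only
        if the partner's server requires client certificates. The private key
        stays on this machine; only the certificate is ever sent.
    """
    # Purpose.SERVER_AUTH means "we are the client verifying a server";
    # create_default_context sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=partner_ca_file)
    trust = "partner_ca_file" if partner_ca_file else "system_store"

    identity = False
    if my_cert_file or my_key_file:
        if not (my_cert_file and my_key_file):
            raise ValueError("client authentication needs both a certificate and its private key")
        ctx.load_cert_chain(certfile=my_cert_file, keyfile=my_key_file)
        identity = True
    return OutboundTls(ctx, trust, identity)


def verifies_server(tls: OutboundTls) -> bool:
    """True when the context rejects an untrusted or misnamed server certificate."""
    return tls.context.verify_mode == ssl.CERT_REQUIRED and tls.context.check_hostname


if __name__ == "__main__":
    # Assumed placeholder: no partner CA file yet, so only the system store is trusted.
    tls = build_outbound_tls()
    # The context would be passed as http.client.HTTPSConnection(host, context=tls.context).
    print("trust:", tls.trust_source, "| client identity loaded:", tls.client_identity)
```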

Nilesh,

I believe Eduardo’s comments work for you, since your IS is acting as an SSL client, so check with your partner so that you don’t have to go through hard situations. Anyway, SSL communication knowledge and setup is good to know in general.

You will need a public key and CA-signed certificate from your partner when communicating with their SSL-enabled server.

HTH,
RMG.

RMG / Ed,

Thanks to both of you.

Now I’ve got what I need. In fact, my partner wants us to communicate with them over HTTPS. As part of our Proof of Concept (POC), we were making a web service call over soapHTTP with the username and password given by our partner, so they used to authenticate us by verifying the user and password. Now the POC did well, so they want real communication over HTTPS. So they intimated to us that we had to send them certificates for HTTPS. But I argued with them (on the basis of some of the replies on the WMUSERS forums and the rest of the webMethods IS Admin guide) that we need not give you anything because we are making a request to your server, so it’s your job to give us your certificate and public key. Hence when we send you the request, we can attach the public key given by you and you can verify that we are the verified requestor to your web service. And I think now I was right.

Thank you very much to all of you.

Now RMG,
According to you, if I get the public key and CA-signed certificate from my partner, I believe I have to install them on wM IS using the following procedure. Please correct me if I’m wrong …

  1. Go to Wm IS Admin page
  2. Follow : Security > Certificates > Configure Client Certificates
  3. Locate the CA Signed certificate of partner
  4. Import certificate

If this is OK, then where do I keep the public key, or how do I import it in wM IS?

Thanks in advance.

- nilesh

Nilesh,

You will install the public key of your partner (server certificate) in the Client Certificates section. This can then be used to authenticate the partner on your server when he makes requests to it. Furthermore, the public certificate (or server certificate) can be freely distributed since it’s “public”. Just make sure your private key is never compromised.

regards,
Jordy

Jordy,

Thanks for taking the time to reply to my post. But when would I need a private key?

- nilesh

Nilesh,

Import the public key also in this location:

  1. Go to Wm IS Admin page
  2. Follow : Security > Certificates > Configure Client Certificates
  3. Locate the CA Signed certificate of partner
  4. Import certificate

HTH,
RMG.

If IS acts as an SSL client

For the test env., I need only the partner’s home-grown certificate, right?

For the production env., I would need the partner’s public key and CA-signed certificate.

Please confirm the above info.
Do I need to provide any key/certificate to the partner?

You need to provide your public and CA_ROOT certs to your partner if their server is performing client authentication.

You will need a private key on your server when your IS acts as a server. You will provide your public key to your partner. Your partner will provide their public key and CA to you, and you will load them as specified above. When your partner makes the request to send data to your server, they will provide their public key for you to authenticate them. After successful authentication, they will use your public key to encrypt the data and send it over to your server. Your server will use your private key to decrypt the data. That is why you should never give your private key to anyone.