Specifying Integration Server SSL Certificates and Keys

Software AG Products 10.7 | Integrating On-Premises and Cloud Applications | Administering Integration Server | Configuring Integration Server for Secure Communications | Preparing to Configure SSL in Integration Server | Configuring Integration Server SSL Keys and Certificates | Specifying Integration Server SSL Certificates and Keys

The Integration Server SSL configuration settings are organized into several groups. You can select a Keystore Alias and Key Alias for the following groups of settings:

SSL Key, which specifies the Integration Server private and public key pair to use when presenting Integration Server's SSL credentials to a requesting partner application, Internet resource, or web service. This setting determines the Integration Server's SSL identity.

Signing Key, which specifies the private key with which to sign outgoing documents, messages, and data streams from Integration Server.

Decryption Key, which specifies the private key to use for decrypting incoming documents, messages, and data streams from external sources, where the information was encrypted with the associated Integration Server public key.

For the Truststore, which specifies the location of the signing CA certificates for SSL authentication, you specify its Truststore Alias. This is generally known as the default outbound truststore.

Important:
The settings on the Server > Certificates page are the default SSL values used to identify the Integration Server and specify the SSL keys to use with any Integration Server document, web service, or built-in service. Additionally, HTTPS or FTPS ports created in Integration Server uses the default server SSL key and truststore alias if there is not a keystore, key alias, and/or truststore configured for that port. Consequently, do not change the values on the Server > Certificates page without first consulting with your system administrator or security administrator.

To configure Integration Server for SSL authentication

1. Open the Integration Server Administrator if it is not already open.

2. Go to Security > Certificates.

3. Click Edit Certificates Settings.

4. Under SSL Key, do the following:

In the Keystore Alias list, select the user-specified identifier for the keystore containing the private keys and certificates used for server authentication

In the Key Alias list, select the user-specified text identifier for a private key located in the keystore specified by the keystore alias above.

5. Under Signing Key, do the following:

In the Keystore Alias list, select the user-specified identifier for the keystore containing the private keys and certificates used to sign outgoing messages.

In the Key Alias list, select the user-specified text identifier for a private key located in the keystore specified to sign outgoing messages.

6. Under Decryption Key, do the following:

In the Keystore Alias list, select the user-specified identifier for the keystore containing the private keys and certificates used to decrypt incoming messages.

In the Key Alias list, select the user-specified text identifier for a private key located in the keystore specified to decrypt incoming messages.

7. Under Truststore, in the Truststore Alias list, select the truststore alias that contains the CA certificates needed for trust verification.

8. Click Save Changes.

Notes:

When Integration Server acts as an SSL client, Integration Server uses the truststore specified under Truststore for trust verification only if a truststore is not specified in the service making the outbound call (for example, the trustStore input in the pub.client:http service).

If you leave the Truststore setting blank, for an outbound call where the invoked service does not specify a truststore for trust verification, Integration Server relies on the watt.security.cert.wmChainVerifier.trustByDefault parameter to determine if Integration Server will accept and trust any certificate it receives during the SSL handshake of an outbound request. When set to true, the default, Integration Server will accept and trust any certificate it receives during the SSL handshake of an outbound request. If watt.security.cert.wmChainVerifier.trustByDefault=false, Integration Server will not accept any certificate it receives during the SSL handshake of an outbound SSL request unless the trustStore parameter is provided or the Truststore is configured on the Server > Certificates page.

Integration Server never implicitly trusts a certificate for the purpose of authenticating an inbound request or validating an S/MIME signature. When you use either of these features, you must specify a truststore alias containing the certificates of the CAs that your server trusts.