Specifying Integration Server SSL Certificates and Keys
The Integration Server SSL configuration settings are organized into several groups. You can select a Keystore Alias and Key Alias for the following groups of settings:
SSL Key, which specifies the Integration Server private and public key pair to use when presenting Integration Server's SSL credentials to a requesting partner application, Internet resource, or web service. This setting determines Integration Server's SSL identity.
Signing Key, which specifies the private key with which to sign outgoing documents, messages, and data streams from Integration Server.
Decryption Key, which specifies the private key to use for decrypting incoming documents, messages, and data streams from external sources, where the information was encrypted with the associated Integration Server public key.
For the Truststore, which specifies the location of the signing CA certificates for SSL authentication, you specify its Truststore Alias. This is generally known as the default outbound truststore.
Important:
The settings on the Server > Certificates page are the default SSL values used to identify the Integration Server and specify the SSL keys to use with any Integration Server document, web service, or built-in service. Additionally, HTTPS or FTPS ports created in Integration Server use the default server SSL key and truststore alias if no keystore, key alias, and/or truststore is configured for that port. Consequently, do not change the values on the Server > Certificates page without first consulting your system administrator or security administrator.
To configure Integration Server for SSL authentication
1. Open the Integration Server Administrator if it is not already open.
2. Go to Security > Certificates.
3. Click Edit Certificates Settings.
4. Under SSL Key, do the following:
In the Keystore Alias list, select the user-specified identifier for the keystore containing the private keys and certificates used for server authentication.
In the Key Alias list, select the user-specified text identifier for a private key located in the keystore specified by the keystore alias above.
5. Under Signing Key, do the following:
In the Keystore Alias list, select the user-specified identifier for the keystore containing the private keys and certificates used to sign outgoing messages.
In the Key Alias list, select the user-specified text identifier for a private key located in the keystore specified to sign outgoing messages.
6. Under Decryption Key, do the following:
In the Keystore Alias list, select the user-specified identifier for the keystore containing the private keys and certificates used to decrypt incoming messages.
In the Key Alias list, select the user-specified text identifier for a private key located in the keystore specified to decrypt incoming messages.
7. Under Truststore, in the Truststore Alias list, select the truststore alias that contains the CA certificates needed for trust verification.
8. Click Save Changes.
Notes:
When Integration Server acts as an SSL client, it uses the truststore specified under Truststore for trust verification only if a truststore is not specified in the service making the outbound call (for example, the trustStore input in the pub.client:http service).
If you leave the Truststore setting blank, then for an outbound call where the invoked service does not specify a truststore for trust verification, Integration Server relies on the watt.security.cert.wmChainVerifier.trustByDefault parameter to decide whether to accept the certificate it receives during the SSL handshake. When the parameter is set to true (the default), Integration Server accepts and trusts any certificate it receives during the SSL handshake of an outbound request, without chain verification. When watt.security.cert.wmChainVerifier.trustByDefault=false, Integration Server rejects any certificate it receives during the SSL handshake of an outbound SSL request unless the trustStore parameter is provided in the service or the Truststore is configured on the Server > Certificates page.
Integration Server never implicitly trusts a certificate for the purpose of authenticating an inbound request or validating an S/MIME signature. When you use either of these features, you must specify a truststore alias containing the certificates of the CAs that your server trusts.
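The outbound trust precedence described in the notes above (service trustStore input, then the Server > Certificates Truststore alias, then watt.security.cert.wmChainVerifier.trustByDefault) is modelled in the following added example, which is not Integration Server code; the alias names and scenarios are constructed placeholders, and the audit flags the combination that leaves outbound TLS unverified.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class OutboundCall:
    """Inputs that decide how an outbound SSL peer certificate is verified."""
    label: str                         # constructed scenario name
    service_truststore: Optional[str]  # trustStore input on pub.client:http, or None
    server_truststore: Optional[str]   # Truststore alias on Server > Certificates, or None
    trust_by_default: bool             # watt.security.cert.wmChainVerifier.trustByDefault


def resolve_trust(call: OutboundCall) -> str:
    """Return the trust decision for one call, following the documented precedence:
    the service's own trustStore wins, then the server-wide Truststore alias,
    then the trustByDefault parameter when neither truststore is set."""
    if call.service_truststore:
        return f"verify chain against service truststore '{call.service_truststore}'"
    if call.server_truststore:
        return f"verify chain against server truststore '{call.server_truststore}'"
    if call.trust_by_default:
        return "ACCEPT ANY CERTIFICATE (no chain verification)"
    return "REJECT (no truststore available and trustByDefault=false)"


def audit_unverified(calls: List[OutboundCall]) -> List[str]:
    """Return the labels of calls whose handshake would accept an unverified peer."""
    return [c.label for c in calls if resolve_trust(c).startswith("ACCEPT ANY")]


# Constructed scenarios; alias names are placeholders, not real configuration.
SAMPLE_CALLS = [
    OutboundCall("service-level truststore", "PartnerTrust", None, True),
    OutboundCall("server-level truststore", None, "DefaultTrust", True),
    OutboundCall("blank truststore, default parameter", None, None, True),
    OutboundCall("blank truststore, parameter false", None, None, False),
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(f"{call.label}: {resolve_trust(call)}")
    print("unverified outbound calls:", audit_unverified(SAMPLE_CALLS))
```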