Overlapping of Certificates
You can upload up to two active certificate sets each (referred to as the primary and secondary certificate sets) for sign/verify, encrypt/decrypt, and SSL certificate types, so that when one certificate set expires, Trading Networks can switch to the other one without interrupting the processing of documents. The certificate set that you add first is the primary certificate set. Trading Networks automatically switches from the primary certificate set to the secondary one when any of the following occurs:
* The primary certificate has expired and the secondary certificate has not expired.
* The receiver's sign/verify or SSL primary certificate set does not match the sender's sign/verify or SSL certificate set.
Trading Networks does not switch encryption/decryption certificates at the receiver's end. The receiver of the document must write a flow service that first obtains the certificate ID of the appropriate decrypt certificate, using the wm.tn.security:getAllCertificateData service, and then sets that certificate as the primary one for that partner, using the wm.tn.security:setPrimaryCertificate service. Doing so ensures that the correct decryption certificate is retrieved for future transactions with that partner.
The following step tables (the accompanying diagrams are not reproduced here) illustrate the sign/verify, encryption/decryption, and SSL scenarios:
Sign/verify, primary certificate C1 valid:
Step 1: The trading partner sends a document signed with certificate C1 to the enterprise.
Step 2: Trading Networks on the enterprise side retrieves the certificate C1 for the trading partner from Trading Networks.
Step 3: Trading Networks on the enterprise side verifies the document with C1. Verification is successful.
Sign/verify, primary certificate C1 expired:
Step 1: The trading partner sends a document signed with certificate C2 to the enterprise.
Step 2: Trading Networks on the enterprise side switches the primary certificate to C2 and retrieves the certificate C2 because certificate C1 has expired.
Step 3: Trading Networks on the enterprise side verifies the document with C2. Verification is successful.
Sign/verify, primary certificate C1 does not match the sender's certificate:
Step 1: The trading partner sends a document signed with certificate C2 to the enterprise.
Step 2: Trading Networks on the enterprise side retrieves the certificate C1 for the trading partner from Trading Networks and verifies the document with certificate C1. Verification fails as the document is signed with the certificate C2.
Step 3: Trading Networks on the enterprise side retrieves the certificate C2 and verifies the document with C2. Verification is successful.
Step 4: Trading Networks on the enterprise side sets the certificate C2 as the primary certificate for the trading partner.
Encryption/decryption, primary certificate C1 valid:
Step 1: The encryption module on the trading partner requests the encryption certificate and gets the primary certificate C1.
Step 2: The encryption module on the trading partner encrypts the document with the certificate C1 and sends the document to the enterprise.
Step 3: The decryption module on the enterprise side requests Trading Networks for the decryption certificate and gets the certificate C1.
Step 4: The decryption module on the enterprise side decrypts the document using certificate C1. Decryption is successful.
Encryption/decryption, primary certificate C1 expired:
Step 1: The encryption module on the trading partner requests the encryption certificate and gets the certificate C2 because C1 has expired.
Step 2: The encryption module on the trading partner encrypts the document with the certificate C2 and sends the document to the enterprise.
Step 3: The decryption module on the enterprise side requests Trading Networks for the decryption certificate.
Step 4: Trading Networks on the enterprise side switches the primary certificate to C2 because certificate C1 has expired, and returns C2.
Step 5: The decryption module on the enterprise side decrypts the document using certificate C2. Decryption is successful.
Encryption/decryption, primary certificate C1 does not match the sender's certificate:
Step 1: The encryption module on the trading partner requests the encryption certificate and gets the certificate C2.
Step 2: The encryption module on the trading partner encrypts the document with the certificate C2 and sends the document to the enterprise.
Step 3: The decryption module on the enterprise side requests Trading Networks for the decryption certificate and gets the certificate C1.
Step 4: The decryption module on the enterprise side decrypts the document using certificate C1. Decryption fails.
Step 5: The decryption module requests the secondary certificate C2 using the wm.tn.security:getAllCertificateData service.
Step 6: The decryption module decrypts the document with certificate C2. Decryption is successful.
Step 7: The decryption module calls the wm.tn.security:setPrimaryCertificate service to switch the primary certificate to C2.
SSL, certificate C1 configured on the trading partner's server:
Step 1: The enterprise sends a document to the trading partner over HTTPS using the private key from certificate C1.
Step 2: The trading partner's server authenticates the document using the SSL certificate C1 configured on the server. Authentication is successful and the transaction is complete.
SSL, certificate C2 configured on the trading partner's server:
Step 1: The enterprise sends a secure document to the trading partner over HTTPS using the private key from certificate C1.
Step 2: The trading partner's server authenticates the document using the SSL certificate C2 configured on the server. Authentication fails.
Step 3: The trading partner's server sends an error message to the enterprise.
Step 4: The enterprise switches the SSL certificate to C2 and resends the document to the trading partner over HTTPS.
Step 5: The server on the trading partner authenticates the document using the SSL certificate C2 configured on the server. Authentication is successful. The transaction is complete.
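The switching behaviour shared by all of the scenarios above (automatic switch when the primary has expired and the secondary has not; otherwise try the primary, fall back to the secondary, and promote the secondary if it is the one that works) can be modelled as a small failover policy. The following is an added example and is not code from Software AG or from the Trading Networks product. HMAC-SHA256 stands in for signing with a certificate's private key, the partner name, keys and document are constructed sample values, and the CertificateStore methods get_all and set_primary are stand-ins with assumed signatures for wm.tn.security:getAllCertificateData and wm.tn.security:setPrimaryCertificate, whose real inputs and outputs this page does not show. The example goes slightly beyond the tables by also covering a signer whose certificate is in neither set.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Certificate:
    cert_id: str          # "C1" or "C2" in the scenarios above
    key: bytes            # constructed stand-in for the key material
    not_after: datetime   # expiry time


@dataclass
class CertificateSet:
    partner: str
    usage: str            # "sign/verify", "encrypt/decrypt" or "SSL"
    primary: Certificate
    secondary: Optional[Certificate] = None


class CertificateStore:
    def __init__(self, *sets):
        # Active certificate sets keyed by (partner, usage).
        self._sets = {(cs.partner, cs.usage): cs for cs in sets}

    def get_set(self, partner, usage):
        return self._sets[(partner, usage)]

    def get_all(self, partner, usage):
        # Stand-in (assumed signature) for wm.tn.security:getAllCertificateData.
        cs = self.get_set(partner, usage)
        return [c for c in (cs.primary, cs.secondary) if c is not None]

    def set_primary(self, partner, usage, cert_id):
        # Stand-in (assumed signature) for wm.tn.security:setPrimaryCertificate.
        cs = self.get_set(partner, usage)
        if cs.secondary is not None and cs.secondary.cert_id == cert_id:
            cs.primary, cs.secondary = cs.secondary, cs.primary
        elif cs.primary.cert_id != cert_id:
            raise KeyError(f"no active certificate {cert_id}")
        return cs.primary.cert_id


def select_by_expiry(cs, now):
    """Automatic rule: the secondary is used only when the primary has
    expired and the secondary has not."""
    primary_expired = now >= cs.primary.not_after
    if primary_expired and cs.secondary is not None and now < cs.secondary.not_after:
        return cs.secondary
    return cs.primary


def sign(cert, document):
    # HMAC-SHA256 stands in for signing with the certificate's private key.
    return hmac.new(cert.key, document, hashlib.sha256).hexdigest()


def verify(cert, document, signature):
    return hmac.compare_digest(sign(cert, document), signature)


def process_with_failover(store, partner, usage, attempt, now):
    """Try the expiry-selected certificate, then the other active one; when the
    one that succeeds is not the current primary, promote it (the
    setPrimaryCertificate step above). Returns (cert_id, switched) or None."""
    cs = store.get_set(partner, usage)
    preferred = select_by_expiry(cs, now)
    others = [c for c in store.get_all(partner, usage) if c is not preferred]
    for cert in [preferred] + others:
        if attempt(cert):
            switched = cert is not cs.primary
            if switched:
                store.set_primary(partner, usage, cert.cert_id)
            return cert.cert_id, switched
    return None


def run_sign_verify_scenarios():
    """Replays the sign/verify scenarios; each value is (result, primary afterwards)."""
    now = datetime(2017, 6, 1, tzinfo=timezone.utc)
    doc = b"<order id='constructed-42'/>"  # constructed sample document
    partner, usage = "partner-A", "sign/verify"  # constructed partner name
    c1_valid, c1_expired = now + timedelta(days=30), now - timedelta(days=1)
    def run(c1_expiry, signer_key):
        c1 = Certificate("C1", b"constructed-key-C1", c1_expiry)
        c2 = Certificate("C2", b"constructed-key-C2", now + timedelta(days=365))
        store = CertificateStore(CertificateSet(partner, usage, c1, c2))
        sig = sign(Certificate("signer", signer_key, now), doc)
        outcome = process_with_failover(store, partner, usage,
                                        lambda c: verify(c, doc, sig), now)
        return outcome, store.get_set(partner, usage).primary.cert_id

    return {
        "c1_valid": run(c1_valid, b"constructed-key-C1"),       # (("C1", False), "C1")
        "c1_expired": run(c1_expired, b"constructed-key-C2"),   # (("C2", True), "C2")
        "mismatch": run(c1_valid, b"constructed-key-C2"),       # (("C2", True), "C2")
        "unknown_signer": run(c1_valid, b"constructed-other"),  # (None, "C1")
    }
```

The `attempt` callable is what changes between scenario types: a signature check for sign/verify, a decrypt attempt for encryption/decryption, or a TLS handshake attempt for SSL. The policy itself, including the promotion of the secondary certificate once it succeeds, is the same in every case, which is why the decrypt-side flow service described earlier only needs getAllCertificateData followed by setPrimaryCertificate.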
Copyright © 2016- 2017 Software AG, Darmstadt, Germany.