Keys and Certificates

e-docs > WebLogic Integration - Business Connect > Using WebLogic Integration - Business Connect > Keys and Certificates

Using WebLogic Integration - Business Connect

Keys and Certificates

WebLogic Integration - Business Connect offers true security by providing authentication, confidentiality, integrity and non-repudiation of documents. WebLogic Integration - Business Connect uses state-of-the-art cryptography to ensure the security of the documents you exchange over the public Internet. The following topics are provided.

Concepts

Windows

Procedures

These topics provide the information you need to:

Understand the basics of encrypting and signing documents. You use this information when you and your trading partners agree upon and select the security settings in your partner profiles.
Complete preparations to use certificates.
Create and manage certificates for your company profile.
Manage the certificates for your partner profiles.

What Is PKI?

WebLogic Integration - Business Connect supports public key infrastructure (PKI) to securely trade business documents over the Internet. PKI is a system of components that use digital certificates and public key cryptography to secure transactions and communications.

PKI uses certificates issued by certificate authorities (CAs) to provide authentication, confidentiality, integrity and non-repudiation of data. The following defines these in more detail.

Authentication	Authentication is verification of the identity of a person or process. Authentication confirms that a message truly came from the source that sent it.
Confidentiality	Confidentiality is the assurance that a message has been disclosed only to the parties authorized to share the information.
Integrity	Integrity is the assurance that the information has not been altered in any way and is precisely true to the source.
Non-repudiation	Non-repudiation is proof that a recipient received a message. This protects a sender from a false denial that a recipient did not receive a message.

PKI Options

There are two PKI options, and WebLogic Integration - Business Connect supports both. They are self-signed certificates and commercial PKIs. The option you choose can depend on a number of factors, such as cost, human and system resources and the degree or sophistication of security desired.

Self-signed certificates generated by WebLogic Integration - Business Connect and certificates generated by commercial PKIs all support the X.509 standard for public key certificates. You can use any X.509 certificate, regardless of the source, in document transactions with partners. For example, you can generate a self-signed certificate for your company profile and export a public encryption key in a certificate with the profile to a partner for use in encrypting and signing documents sent to you. Meanwhile, you can engage in trading with partners who have sent you public keys in Entrust or VeriSign certificates.

The following sections explain each security option in more detail.

Self-Signed Certificates

WebLogic Integration - Business Connect can generate root certificates in which you are, in effect, acting as your own certificate authority. WebLogic Integration - Business Connect supports single-key pair self-signed certificates for both encrypting and signing documents and dual-key pair self-signed certificates in which one certificate is used for encrypting and the other for signing.

Self-signed certificates are easy to make and use. They are best suited for use within relatively small trading groups. This is because you must implicitly trust a partner's self-signed certificate; there is no chain of trust to independently vouch for the certificate. Such a trust relationship can more suitably be managed among a small number of partners.

Although self-signed certificates can provide a high-degree of security, the degree is dependent on the vigilance and administrative skills of the persons managing them. Generally speaking, the use of self-signed certificates does not have the rigorous discipline and orderly structure inherent to a commercial PKI.

Commercial PKIs

A commercial PKI is an organization set up for the centralized creation, distribution, tracking and revocation of keys for a potentially large community of partners. A commercial PKI has a documented certificate policy (CP) that indicates the applicability of a public key certificate to a specific community or class of application with common security requirements. A commercial PKI also has a certification practice statement (CPS), which details the practices the CA follows for issuing public key certificates.

There are two types of commercial PKIs:

In-house

An in-house PKI enables you to achieve complete control of security policies and procedures, but also carries the burden of management and cost to set up and maintain the system.

Outsourced

You can leverage the services of PKI systems such as VeriSign, Baltimore and other third-party certificate authorities. You purchase keys and certificates for use in trading partner relationships and let the CA manage security policies and such details as certificate revocation. The level of outsourcing can range from purchasing an end-entity public key certificate of a certain validity period from a commercial PKI to outsourcing all of the PKI services that your organization requires.

The Role of Trust in PKI

PKI establishes digital identities that can be trusted. The CA is the party in a PKI responsible for certifying identities. More than generating a certificate, this entails verifying the identity of a subscriber according to established policies and procedures. This is the case for in-house and outsourced PKIs. In an organization that generates and uses its own self-signed certificates, the trading parties must verify the certificates and establish a direct trust. Once established that an identity or issuer of an identity can be trusted, the trust anchor's certificate is stored in a local trust list.

WebLogic Integration - Business Connect has a local trust list for storing and managing established trust relationships (select Tools—>Certificates—>Trusted Roots in Administrator). The application maintains a list of common public CA certificates similar to those kept in web browsers. Although convenient, this pre-determination of trust might not compliment your organization's security policy. The decision of who to trust rests with your organization. For example, a trader might accept certificates issued by its own root CA and its trading partners' root CA, but not from company B, who the trader has not done business with in the past. If you choose not to accept company B's root CA certificate, your system will not accept any certificates issued by company B. The greater the number of root CA certificates you choose to accept, the more open your community is to others.

Scalability

The use of self-signed certificates relies on users to exchange certificates and establish trust in each other. This informal web of trust works for small groups, but can become unmanageable for large numbers of partners. In contrast, an in-house or outsourced PKI uses hierarchies, where a certificate authority serves as a trust anchor for many users. Once trust has been established for the certificate authority, it is unnecessary to re-establish the trust for other certificates the CA issues. Establishing hierarchies of users scales equally well for small and large groups.

Certificate Revocation

A certificate is expected to be usable for its entire validity period. However, there are circumstances when a certificate should no longer be considered valid even though it has not expired. Possible circumstances range from a user name change to suspected compromise of the private key. In such circumstances an in-house or outsourced CA can revoke the certificate. WebLogic Integration - Business Connect can be configured to compare your partners' certificates against lists of revoked certificates issued by CAs. However, self-signed certificates cannot be revoked. You must notify all partners using the certificate that it should no longer be trusted.

Dual-Key Pairs

Support for two pairs of public-private keys is a fundamental requirement for some PKIs (for example, Entrust). One key pair is for data encryption and the other key pair is for digitally signing documents. Encryption key pairs and signing key pairs are a result of conflicting requirements. One such requirement is to support different algorithms for encryption and digital signature pairs and different validity periods. Another reason is to support data recovery, which requires the private keys for decrypting to be securely backed up, but non-repudiation, which requires the private keys for signing, not to be backed up. There also might be the requirement to support updating encryption key pairs and managing decryption key histories even though this conflicts with the requirement to securely destroy the private key used for signing when updating signing key pairs. Using two key pairs, an encryption key pair and signing key pair, solves these conflicting requirements.

Why Use Encryption and Digital Signatures?

Encrypting and digitally signing documents by using certificates provides WebLogic Integration - Business Connect users with the following assurances about each of their document transmissions:

Only the addressee can read the message and not any unauthorized people. Encryption provides this assurance.
The message cannot be tampered with. That is, data cannot be changed, added or deleted without you knowing it. A document's digital signature provides this assurance.
Partners who send you documents are genuinely who they claim to be. Likewise, when partners receive documents signed by you, they can be confident the documents came from you. A document's digital signature provides this assurance.
The partners who send you documents cannot claim they did not send them. This is referred to as non-repudiation of origin. A document's digital signature provides this assurance.
Partners to whom you send documents cannot claim they did not receive them. This is referred to as non-repudiation of receipt. A signed document acknowledgment provides this assurance.
Figure 7-1 Encrypting a Document Using a Key

WebLogic Integration - Business Connect Encryption Method

WebLogic Integration - Business Connect uses a combination of public-private key encryption, which is also known as asymmetric encryption, and symmetric key encryption. This hybrid system uses the best characteristics of each method and minimizes the shortcomings of each. It follows the widely adopted S/MIME standard for securing messages.

The advantage of symmetric key encryption is that it performs the encryption task more quickly than asymmetric encryption. The advantage of asymmetric encryption is that it allows you to send an encrypted message to a partner who does not hold your secret key.

To use the best of both, WebLogic Integration - Business Connect uses the faster symmetric key to encrypt the document, such as a lengthy EDI transaction set, and the asymmetric key for the smaller task of encrypting the one-time session key. The session key can then be securely included with the message for transmission and allows your partner to decrypt the contents without sharing your secret key.

Note: As noted in Transport Selection Considerations, if you send documents using the HTTPS transport, double encrypting adds only marginally to data security. You can turn off document encryption by clearing the encrypt documents check box on the Partner Profile window Security tab.

Symmetric Key Encryption Algorithms

WebLogic Integration - Business Connect supports RC2, ARCFour, DES, and Triple DES encryption algorithms. The encryption algorithm is used in conjunction with a randomly generated session key to encrypt your document. When you set up a partner profile with WebLogic Integration - Business Connect, you must choose one of these encryption algorithms. WebLogic Integration - Business Connect provides you a full range of choices so that you are capable of trading with whatever algorithm your partner might require. However, when you choose an algorithm, you need to be careful to choose one your trading partner can support.

Symmetric Key Lengths

WebLogic Integration - Business Connect supports several key lengths for the symmetric key you choose. The choice you make depends on which encryption algorithm you choose. If you choose the RC2 or ARCFour algorithm, you can select 40-, 64-, or 128-bit key length. If you choose DES, the default key length is 56 bits. Triple DES, as the name implies, uses a 168-bit key length. As with algorithms, you need to be careful to choose a key length your trading partner can support.

Note: ARCFour is an independently developed algorithm that is interoperable with RSA RC4.

Public-Private (Asymmetric) Key Algorithms

WebLogic Integration - Business Connect uses the RSA cryptosystem for asymmetric encryption and the digital signatures provided by using certificates.

You can use two types of asymmetric RSA keys:

Keys issued to you, typically by a certificate authority, and subsequently imported into WebLogic Integration - Business Connect. Such keys are sometimes called managed keys.
Keys generated by you in WebLogic Integration - Business Connect. Such keys are called self-signed keys.

Public-Private (Asymmetric) Key Lengths

WebLogic Integration - Business Connect supports encryption key lengths of 512, 1024, and 2048 bits for the public-private key. You must choose one of these key lengths when you generate or obtain your certificate. You do not need to choose the same key length as your trading partner.

Summary of Algorithms and Key Lengths

To use strong encryption you must ensure that the partner's software supports such strong encryption algorithms and key lengths. The following table summarizes algorithms and key lengths for symmetric and asymmetric keys.

Table 7-1 Algorithms and Key Lengths

Symmetric algorithm for document encryption
RC2 ARCFour	The default is 40 bits. You can use this length for trading partners located in the U.S. and internationally. You can also choose stronger key lengths of 64 or 128 bits. Longer key lengths require more processing time to encrypt and decrypt, but provide more protection against cryptographic attacks.
DES Triple DES	The key length is 56 bits. The key length is 168.
Asymmetric algorithm for authentication
RSA	The default key length is 512 bits when generating a self-signed certificate. You can also choose a key length of 1024 or 2048. The length of imported RSA keys is determined outside of WebLogic Integration - Business Connect.

Support for Dual Keys

WebLogic Integration - Business Connect supports single- and dual-key certificates. You do not need to do anything different to trade documents with a partner who uses dual keys.

When you import the certificates from a partner who uses two keys, both are displayed in the Certificates information viewer. How certificates are used is labeled in the Certificates information viewer as follows:

Encryption
The key in the certificate is used for encryption.
Signature
The key in the certificate is used for digital signature purposes.
Signature and Encryption
The key in the certificate is used for encryption and digital signature purposes.

Encryption and Signing Summary

Described in the simplest terms, WebLogic Integration - Business Connect exchanges encrypted and signed documents in S/MIME format.

WebLogic Integration - Business Connect is certified S/MIME-compliant by RSA Data Security, Inc.

Outbound Documents

The document contains the data that needs to be protected. The encryption and signing processes take place for every document that WebLogic Integration - Business Connect sends over the Internet.

WebLogic Integration - Business Connect encrypts and signs each document by building three parts: the encrypted document, the encrypted session key and the digital signature. The following is the process for an outbound document:

A hashing routine (MD5 or SHA-1) creates a digital digest of the document. This digest is a number. If the data in the transaction are changed, added to or subtracted from, reapplying the hashing routine will produce an entirely different digest. This characteristic of hashing routines makes it easy for a partner to verify the integrity of an inbound document.
The digital digest is encrypted using your private key. This encrypted digest is the digital signature for this document. It ensures that the data in the document were not changed and that the document came from you and only you.
WebLogic Integration - Business Connect generates a one-time session key. This is the symmetric key part of WebLogic Integration - Business Connect's hybrid encryption method.
The session key is used to encrypt the document.
Your partner's public key is provided in the certificate inside the profile your partner gave you. It is used to encrypt the session key for transmission. Thus, the key to decrypting the document has itself been encrypted by your partner's public key and can be decrypted only by your partner's private key.
The document is then sent using whatever transport method you chose for this partner.

Inbound Documents

When a document is received by your trading partner, the process is reversed according to the following steps.

Upon receiving the document, your partner's WebLogic Integration - Business Connect begins security processing.
Your partner uses his or her private key (the matching half to the asymmetric public key you used to encrypt it) to decrypt your symmetric key.
The one-time key that was just decrypted is used, in turn, to decrypt the document. Your partner now has your message in clear text.
With the public half of your public-private key pair that you sent your trading partner in your certificate (inside your company profile), your trading partner decrypts the digital signature.
Your partner uses the same hashing routine (MD5 or SHA-1) to create a digital digest of the document. This is called rehashing. Your trading partner then compares this to the digest in the digital signature you sent. If the two are identical, your partner has proof that the contents of the document were not altered and that it came from you and only you.
The document is now ready to be read into and used by your partner's business application.

Note: Any documents that cannot be successfully processed are placed in the Rejected directory, and a notification message is sent to your WebLogic Integration - Business Connect point of contact.

Certificate Basics

A certificate contains the public half of your public-private key pair along with other identifying information about your WebLogic Integration - Business Connect company profile and point of contact. WebLogic Integration - Business Connect uses certificates to distribute your public key and those of your partners. You use the public key in your partner's certificate to encrypt a document for transmission over the Internet. Your partner uses the public key in your certificate to verify the digital signature of a document received from you.

The following is some basic information about how WebLogic Integration - Business Connect uses certificates:

Every company profile used to exchange secure documents must have a certificate. WebLogic Integration - Business Connect can generate the certificate or it can be generated externally.
Every partner profile for partners with whom you exchange signed and encrypted documents must have a certificate.
A company or partner profile can have only one active certificate at a time. Or, in the case of dual certificates, one active pair of certificates (one for signature, one for encryption).
A company or partner profile must have an active certificate to successfully exchange signed and encrypted documents.
A company or partner profile can have multiple valid or retired certificates.
Certificates can be used to sign documents you transmit by all transport methods.
You can delete a certificate from the Certificates information viewer, but it remains on the system in Retired status. WebLogic Integration - Business Connect does not use the keys in retired certificates to encrypt, decrypt, sign or verify documents.
The key length for a certificate does not have to be the same as that for a partner's certificate.

Where Certificates and Keys Are Stored

WebLogic Integration - Business Connect stores certificates and keys in two files: ConfigDB.db and keys.db. The ConfigDB.db file is in the root application directory. The keys.db file is in the keys subdirectory. The contents of these files are encrypted to ensure security. Do not attempt to alter these files.

The following describes the roles of these two files.

ConfigDB.db

All certificates are stored in ConfigDB.db. Certificates that you choose to trust are copied to keys.db.

keys.db

The public and private keys for your certificates are stored in keys.db. The trusted public keys of your partners and trusted anchors of certificate authorities also are stored in keys.db.

Certificate Status

WebLogic Integration - Business Connect manages certificates by using the following status categories.

Active Certificate (Yellow Bulb)

A certificate identified with a yellow bulb is the active certificate for your company profile or for your trading partner's partner profile.

You distribute your public key to your trading partners in your certificate. Your trading partners use this key to verify the digital signature of documents they receive from you.

You receive your trading partner's public key in his or her certificate. You use your partner's public key to encrypt documents for transmission over the Internet.

There can be only one active certificate for signature and encryption or one active pair (one for signature, one for encryption) on your system. The active certificate on your system is also the active certificate on your partners' systems.

When you create or obtain a new certificate for your company profile, you can choose to activate it immediately or to save it in Pending status. If you choose to activate it immediately, WebLogic Integration - Business Connect places the active certificate for your profile in Valid status.

If you import your partner's certificate, WebLogic Integration - Business Connect activates it and places the active certificate for that profile in Valid status.

Valid or Inactive Certificate (Blue Bulb)

A certificate identified with a blue bulb is in the Valid or Inactive state.

A valid certificate is one that was formerly active on your computer. You can have multiple valid certificates on your system.

If WebLogic Integration - Business Connect fails to verify an inbound document using the public key in the active certificate, the application tries again with each of the valid keys. If one of these succeeds, processing proceeds normally and no alert is sent.

An inactive certificate is one that is valid but is not used to verify signatures or to encrypt messages to a partner.

Pending Certificate (Red Bulb)

A certificate identified with a red bulb is in the Pending state:

A new certificate you created or imported for one of your company profiles. At the time of creation, you answered No to the question, "Do you want to activate this certificate?" which caused the certificate to be placed in Pending status rather than to replace an existing, active certificate.
An untrusted certificate that WebLogic Integration - Business Connect receives electronically from one of your trading partners is automatically imported in Pending status. Before you activate this certificate, you should contact the partner from whom you received the unsigned certificate and verify the certificate's fingerprint.

In either of the preceding cases, you must use the Certificate Profile window to activate a pending certificate. See Activating a Pending or Valid Certificate.

Retired Certificate (Clear Bulb)

A retired certificate is one that was formerly active or valid. You can have multiple retired certificates on your system.

WebLogic Integration - Business Connect does not use the keys associated with retired certificates to sign, verify, encrypt or decrypt documents.

Exchanging Profiles and Certificates

Before you can exchange encrypted and signed documents with a trading partner, each of you must obtain the other's public key. You do this after you have created your company profile. Each of you generates a self-signed certificate or obtains one from a certificate authority (CA). Either way, the process creates a public-private key pair for your company profile. The private half of this key pair always remains on your computer. The public half is exported to a file and distributed to your trading partners on diskette by a secure means.

The following describes how to exchange profiles and certificates with your WebLogic Integration trading partners. In all cases, it is recommended that you confirm the certificate fingerprint with your trading partner before exchanging documents.

Exchanging Certificate Information with WebLogic Integration Trading Partners

If you are using the Bundled HTTPS transport to exchange messages with a WebLogic Integration trading partner, the certificate information is exchanged as follows:

Certificate information will not be included in the partner profile your WebLogic Integration trading partner provides. Instead, your WebLogic Integration trading partner must provide the certificate information in a file which you import, as described in Importing a Partner's Certificate.
When your WebLogic Integration trading partner imports your company profile, the certificate information will not be imported. You must export the certificate information to a separate file, as described in Exporting Your Certificate for Backup or Distribution.

When you update the certificate associated with your company profile, it is important to coordinate the update process with your trading partners. For guidelines, see Obtaining New and Replacement Certificates.

Self-Signed or CA Certificates

You and your trading partners should decide whether to use WebLogic Integration - Business Connect self-signed X.509 certificates or X.509 certificates from a third-party certificate authority (CA).

If your organization has an Entrust/PKI server and administrator and will use Entrust certificates, see Entrust Certificates.

Consider the following in deciding whether to generate a self-signed certificate or obtain one from a CA:

WebLogic Integration - Business Connect self-signed certificates are easily created. Their primary disadvantage is that they are not verified by a trusted third party. If you decide to use self-signed certificates, see Setting Up Certificates for Your Company Profile.
The primary advantage of using certificates from a CA is that the identity of the certificate holder is verified by a trusted third party. Disadvantages include the extra cost and administrative effort.
A CA provides a centralized source for posting and obtaining information about certificates, including information about revoked certificates.

Entrust Certificates

WebLogic Integration - Business Connect fulfills a client role in supporting the certificate management tasks of an Entrust server. The prerequisites for this client-server relationship are your Entrust server and a person who is designated as your organization's Entrust administrator. Lacking these two requirements, your organization cannot use Entrust certificates in exchanging documents with your trading partners through WebLogic Integration - Business Connect.

WebLogic Integration - Business Connect enables an organization with an Entrust/PKI server to:

Create Entrust X.509 certificates
Re-initialize Entrust certificates when replacements are needed
Update Entrust certificates before they expire

WebLogic Integration - Business Connect does not support Entrust certificate revocation or recovery.

WebLogic Integration - Business Connect supports Entrust versions 4 and 5.

The following describes the certificate-generation process involving WebLogic Integration - Business Connect and the Entrust server.

After WebLogic Integration - Business Connect creates the key pair for signing documents, the application hands the public key to the Entrust server. The Entrust server creates the signing certificate and passes the certificate to WebLogic Integration - Business Connect. The public key is within the certificate. WebLogic Integration - Business Connect retains the private signing key. The private signing key is not disclosed to the Entrust server; the private key remains secure within WebLogic Integration - Business Connect. This guarantees security integrity.

Meanwhile, the Entrust server creates the encryption key pair and creates an encryption certificate, which includes the public key. The Entrust server passes to WebLogic Integration - Business Connect the encryption key pair and the encryption certificate.

Obtaining New and Replacement Certificates

You can generate or obtain new certificates when:

You know or suspect a certificate has been compromised.
You need to replace a certificate that is about to expire.
You want to change your encryption key at planned intervals just as you would change a password.
You need to set up an additional company profile.

Also, by using the Certificates information viewer, you can make sure you and your trading partners keep your certificates current.

Note: WebLogic Integration - Business Connect notifies you when an active certificate associated with an active company profile is about to expire. See Preferences General Tab.

The procedure used depends on whether you are generating or loading a certificate for your company profile, or importing certificate information for one of your partners. See Setting Up Certificates for Your Company Profile or Importing a Partner's Certificate.

When you generate or load a new certificate for your company profile, you must export the certificate information (your public key) to a file for distribution to your partners. See Exporting Your Certificate for Backup or Distribution.

When you generate a new certificate for your company profile because it has expired, become defective or corrupted, or cannot be used for any other reason, we recommend that you distribute it to your trading partners on diskette by a secure means. Recommended secure means include in-person, U.S. mail or private delivery service.

When you generate or load a new certificate for your company profile, you can choose to have WebLogic Integration - Business Connect activate the certificate, or save the certificate in Pending status until a later date. To avoid rejection of documents it is important that you coordinate the process of distributing and activating a replacement certificate. The following topics provide guidelines:

Replacing a Certificate for Non HTTPS Encryption

When you update a non-HTTPS certificate for your company profile (that is, one used to encrypt documents exchanged), you must carefully coordinate the timing of the update with your partners. If possible, you should perform such updates when your server is not processing outbound documents. By observing this precaution you can avoid documents being rejected by your trading partners.

If you create and activate a new certificate while WebLogic Integration - Business Connect is encrypting and signing outbound documents, documents that are signed by the private key associated with the new certificate will be rejected by your trading partners, if they have not yet received and activated the new certificate.

The update process for a non-HTTPS certificate does not affect inbound documents because your WebLogic Integration - Business Connect can decrypt and verify them with the last valid certificate.

Replacing a Certificate for Bundled HTTPS with Authentication

If you have enabled the bundled HTTPS inbound transport, with the authenticate check box selected, you should exercise care when you create and distribute a new certificate. We recommend that you:

Save the new certificate in pending status.
Export and distribute the certificate to your partners.
Coordinate the activation of the certificate with the trading partners who use bundled HTTPS. Ideally, choose a time when no documents are being exchanged in either direction.

It is important to coordinate the update with each partner ahead of time so they avoid sending you any documents until the new certificate has been activated on their system. The reason you must exercise this care is that your bundled HTTPS server can use only the active certificate to authenticate the SSL connection. Likewise, each partner must also hold your current certificate to authenticate the connection with you.

To minimize the number of errors during the process of certificate update, you and your partners should activate the new certificate nearly simultaneously, at a pre-designated time when traffic is at a minimum.

If you implement a new certificate while you are trading documents, your trading partners will not be able to establish the SSL connection required to communicate with you. During this time, your trading partners receive alerts stating that their system cannot connect with you. This situation clears itself up after your partners receive and begin using your new certificate to authenticate the SSL connection.

Certificates Information Viewer

The Certificates information viewer in Administrator enables you to manage certificates for your company and partner profiles. Open the viewer by selecting Certificates on the Administrator bar. To expand or collapse the certificate tree, click the plus or minus signs.

Using the viewer you can:

View a list of all active, valid and pending certificates for company and partner profiles on your system.
Open and view the details about active, valid and pending certificates.
Access the New Certificate wizard to generate or import a key pair and certificate for a company profile.
Export an active certificate to a file for transmittal to your trading partners.
Import a trading partner's certificate.
Retire a certificate.
Open the Certificate Profile window, where you can view details about certificates and the chain of trust for certificates. Here you can activate a valid or pending certificate. You can also view your retired certificates and bring one of these out of retirement. See Certificate Profile Window.
Figure 7-2 Certificates Information Viewer

Certificate Window

Use the Certificate window to view information about a certificate for a company or partner profile. You also can export a certificate to a file.

To open the window, display the Certificates information viewer. Select the certificate you want and double-click it or click Open.

When you finish viewing the certificate information, click Close. To export the certificate, click Export to display the Export Certificate window. See Exporting Your Certificate for Backup or Distribution.

Figure 7-3 Certificate Window for a Self-Signed Certificate

Field Descriptions

The following describes the fields on the Certificate window The information displayed on the window is defined by the X.509 standard.

Version

The version of the X.509 standard that applies to the certificate.

Serial Number

The serial number uniquely identifies the certificate. The CA or entity that issued the certificate assigned this number. If the issuer revokes a certificate, it can place the serial number on a certificate revocation (CRL) list.

Issuer and Subject

The issuer is the X.500 distinguished name of the CA or entity that signed the certificate. In cases of a self-signed certificate, the issuer and subject are the same. Using the certificate implies trusting the signer.

The subject is the X.500 distinguished name of the entity whose public key the certificate identifies.

A distinguished name has the following parts:

C	Two-letter ISO country code. See ISO Country Codes.
L	City or locality name
O	Organization name
OU	Organizational unit.
CN	Common name of a person

Valid Not Before

The date the certificate became valid.

Valid Not After

The date the certificate expires, provided it is not compromised or revoked before that date.

Signature Algorithm

The algorithm the CA used to sign the certificate.

Key Usage

Identifies the purpose of the key in the certificate, such as encipherment, digital signature or certificate signing.

Public Key

An algorithm identifier that specifies the public key crypto system this key belongs to and any associated key parameters, such as key length.

Extension

Optional information present in version 3 certificates. Extensions can be key and policy information, certificate subject and issuer attributes, certificate path constraints, distribution points for certificate revocation lists (CRLs) and private extensions.

For a CA-issued certificate, the CRL distribution point information is present in the form of a URL. This is one place you can find a CA's distribution point for a CRL if you want to configure WebLogic Integration - Business Connect to use CRLs. See Using Certificate Revocation Lists. A self-signed certificate does not have CRL distribution point information.

Fingerprint

The fingerprints are a way to verify the source of a certificate. After you import or export a certificate, you should contact your partner and ensure that the fingerprints at both ends are identical. You should do this before you attempt to exchange documents. If the fingerprints do not match, one of the certificates might be corrupted or out of date.

Setting Up Certificates for Your Company Profile

Use this procedure to create new, self-signed certificates for your company profile or to load a new, third-party certificate for your company profile.

If you want to use a certificate from a third-party CA such as VeriSign, you must obtain that certificate using your Internet browser and export it to a file before you begin this procedure. You must export the certificate to a file that contains the private key and the entire chain of trust. You will need the password used to export the file from your browser to load the certificate into WebLogic Integration - Business Connect.

This is not the procedure to use for importing a partner's certificate. See Importing a Partner's Certificate.

Steps

When you save a new company profile, the system prompts you to associate a certificate with the profile. Click Yes on the dialog box prompt to start the New Certificate wizard.

If you want to associate a certificate with an existing company profile, click Certificates on the Administrator bar to display the Certificates information viewer. Select the company you want and click New to start the New Certificate wizard.

Figure 7-4 New Certificate Wizard, Select Certificate Type Window

Select the appropriate certificate option, as described in the following table.

Table 7-2 Certificate Options

Option	Description
Generate self-signed certificates	Click if you want WebLogic Integration - Business Connect to generate one self-signed certificate, for both signature and encryption, or two self-signed certificates, one for signature and one for encryption. Go to Generating Self-Signed Certificates.
Acquire Entrust certificates	Click if your organization has an Entrust Technologies server and administrator and plans to use Entrust certificates. Go to Importing Entrust Certificates.
Acquire a VeriSign XKMS certificate	Click to import a new VeriSign XML Key Management Specification (XKMS) certificate. Go to Importing a VeriSign XKMS Certificate
Import from PKCS #12 file (.pfx or .p12)	Click if you want to use a third-party certificate. Go to Importing a Third-Party CA Certificate.

Generating Self-Signed Certificates

Use this procedure if you selected generate self-signed certificates in step 2 of Setting Up Certificates for Your Company Profile.

The following are the steps for generating and associating with a company profile either a single self-signed certificate for both encrypting and signing documents or two self-signed certificates, one for encrypting and one for signing.

Steps

On the first New Certificate wizard window, click Next to display the New Certificate select key type window.
Figure 7-5 New Certificate Wizard, Select Key Type Window
Click single key if you want one certificate for both signing and encrypting documents. Click dual key if you want two certificates, one for signing documents and another for encrypting documents.

Select one of the following encryption key lengths from the key length drop-down list.

512	Standard encryption. For highly sensitive or valuable information, stronger encryption is recommended.
1024	Strong encryption.
2048	Very strong encryption.

For the validity period, if you want other than the default value of 2 years, type the length of time you want the certificate to be valid in the validity period field. Select days, months or years from the drop-down list.
Click Next to display the New Certificate summary window.
Figure 7-6 New Certificate Wizard, Summary Window

Review the information in the window. Click Back to change any information or click Finish to generate the certificate.

When you click Finish, a dialog box appears with a message that the certificates are being generated and might take a few minutes to complete.
If there are no other certificates for this company profile, the new certificate is placed in Active status.
If a certificate already exists for this company profile, a dialog box appears asking whether you want to activate the new certificate. Figure 7-7 Activate Certificate Dialog Box
When this message appears, click Yes or No as follows: Yes Places the new certificate in Active status and any earlier certificate in Valid status. No Places the new certificate in Pending status.
After the certificate is generated, the Company Profile or Certificates information viewer reappears, depending on whether you imported a certificate for a new or existing company profile. The new certificate appears on the Certificates information viewer.

Whether you are adding a certificate to new company profile, or replacing the certificate for an existing company profile, you must distribute the new certificate to partners on diskette or by some secure means. To export certificate information to a file for distribution, see Exporting Your Certificate for Backup or Distribution. For guidelines on coordinating the update of your certificate, see Obtaining New and Replacement Certificates.

Note: Before you attempt to exchange encrypted and signed documents, you should contact each partner with whom you exchanged certificates and confirm that the fingerprints in both your certificates are identical. For more information see Certificate Window.

Importing Entrust Certificates

Use this procedure if you selected acquire Entrust certificates in step 2 of Setting Up Certificates for Your Company Profile.

The following are the steps for importing a new Entrust certificate into WebLogic Integration - Business Connect or for updating an Entrust certificate that is already associated with a company profile. Before you can use this procedure, you must consult with your organization's Entrust administrator about the information required to connect with the Entrust/PKI server and import a new or updated certificate for your company profile.

Steps

On the first New Certificate wizard window, click Next to display the Entrust server information window.
Figure 7-8 New Certificate Wizard, Entrust Server Information Window
Consult with your Entrust administrator on whether to select CMP or SEP.
Have your Entrust administrator provide the information for completing the host and port fields.
Click whether you want to update or acquire certificates. For acquiring certificates, have your Entrust administrator provide the information for the reference and authorization fields.
Click Next to display the New Certificate summary window.
Figure 7-9 New Certificate Wizard, Summary Window

The window displays applicable summary information depending on the option you specified in step 4.

Review the information in the window. Click Back to change any information or click Finish to acquire or update a certificate.

If there are no other certificates for this company profile, the new certificate is placed in Active status.
If a certificate already exists for this company profile, a dialog box appears asking whether you want to activate the new certificate. Figure 7-10 Activate Certificate Dialog Box
When this message appears, click Yes or No as follows: Yes Places the new certificate in Active status and any earlier certificate in Valid status. No Places the new certificate in Pending status.
After the certificate is generated, the Company Profile or Certificates information viewer reappears, depending on whether you imported a certificate for a new or existing company profile. The new certificate appears on the Certificates information viewer.

Whether you are adding a certificate to new company profile, or replacing the certificate for an existing company profile, you must distribute the new certificate to partners on diskette or by some secure means. To export certificate information to a file for distribution, see Exporting Your Certificate for Backup or Distribution. For guidelines on coordinating the update of your certificate, see Obtaining New and Replacement Certificates.

Importing a VeriSign XKMS Certificate

Use this procedure if you selected acquire a VeriSign XKMS certificate in step 2 of Setting Up Certificates for Your Company Profile.

The following are the steps for importing a new XML Key Management Specification (XKMS) certificate into WebLogic Integration - Business Connect and associating it with a company profile. Before you can use this procedure, you must register for a new XKMS certificate from VeriSign. When the new certificate is ready, you will receive an e-mail containing the information needed to connect to a server and import the certificate for your company profile.

XKMS was designed in an effort to combine the interoperability afforded by Extensible Markup Language (XML) in business-to-business electronic commerce with secure and easy to use public key infrastructure (PKI). For information about XKMS see http://xmltrustcenter.org/index.htm.

Steps

On the first New Certificate wizard window, click Next to display the VeriSign XKMS certificate window.
Figure 7-11 New Certificate Wizard, VeriSign XKMS Certificate Window
Using the information provided to you, complete the fields for importing the certificate. Type this information in the URL, key name and shared secret fields. In the password field, type a password that you can remember. You will need this password if you later ask VeriSign to revoke the certificate.
Click Next to display the New Certificate summary window.
Figure 7-12 New Certificate Wizard, Summary Window

Review the information in the window. Click Back to change any information or click Finish to import the certificate.

If there are no other certificates for this company profile, the new certificate is placed in Active status.
If a certificate already exists for this company profile, a dialog box appears asking whether you want to activate the new certificate. Figure 7-13 Activate Certificate Dialog Box
When this message appears, click Yes or No as follows: Yes Places the new certificate in Active status and any earlier certificate in Valid status. No Places the new certificate in Pending status.
After the certificate is generated, the Company Profile or Certificates information viewer reappears, depending on whether you imported a certificate for a new or existing company profile. The new certificate appears on the Certificates information viewer.

Whether you are adding a certificate to new company profile, or replacing the certificate for an existing company profile, you must distribute the new certificate to partners on diskette or by some secure means. To export certificate information to a file for distribution, see Exporting Your Certificate for Backup or Distribution. For guidelines on coordinating the update of your certificate, see Obtaining New and Replacement Certificates.

Importing a Third-Party CA Certificate

Use this procedure if you selected to import from PKCS #12 file in step 2 of Setting Up Certificates for Your Company Profile.

The following are the steps for importing a third-party CA certificate into WebLogic Integration - Business Connect and associating it with a company profile. Such a certificate file contains both the public and private keys. Before you can use this procedure, you must perform the following tasks:

Obtain a certificate from a certificate authority such as VeriSign.
Export the certificate from a browser or mail client to a file. Assign a password when exporting the file; you will need this same password upon importing the file.
Export both the public and private keys with the certificate. A certificate file with both keys is a P12 or PFX file.
If you export the certificate from Microsoft Outlook or Internet Explorer, select the check box for "include all certificates in the certification path if possible." You want the exported file to include the entire chain of trust.

Steps

On the first New Certificate wizard window, click Next to display the New Certificate third-party certificate window.
Figure 7-14 New Certificate Wizard, Third-Party Certificate Window
To locate the PKCS#12 file containing your certificate, click Browse to display the Browse dialog box.
Locate and select the certificate file. The file must have an extension of .pfx or .p12. Click Open and the New Certificate third-party certificate window reappears.
Type the same password you used when you exported the certificate file from a browser or mail client.
Click Next to display the New Certificate summary window.
Figure 7-15 New Certificate Wizard, Summary Window

Review the certificate information in the window. Click Back to change any information or click Finish to import the certificate.

If there are no other certificates for this company profile, the new certificate is placed in Active status.
If a certificate already exists for this company profile, a dialog box appears asking whether you want to activate the new certificate. Figure 7-16 Activate Certificate Dialog Box
When this message appears, click Yes or No as follows: Yes Places the new certificate in Active status and any earlier certificate in Valid status. No Places the new certificate in Pending status.
After the certificate is generated, the Company Profile or Certificates information viewer reappears, depending on whether you imported a certificate for a new or existing company profile. The new certificate appears on the Certificates information viewer.

Whether you are adding a certificate to new company profile, or replacing the certificate for an existing company profile, you must distribute the new certificate to partners on diskette or by some secure means. To export certificate information to a file for distribution, see Exporting Your Certificate for Backup or Distribution. For guidelines on coordinating the update of your certificate, see Obtaining New and Replacement Certificates.

Importing a Partner's Certificate

When your trading partner provides a new or updated certificate in a file, use this procedure to import the certificate.

Note: WebLogic Integration - Business Connect automatically places any existing partner certificate in Valid status when it imports a new one. The new certificate is automatically set to Active status.

Steps

Make sure you can access on your system the replacement certificate file that your partner sent you.
From the Certificates information viewer, select the partner you want and select File—>Import to open the Import Certificate window.
Figure 7-17 Import Certificate Window
Click Browse to open the Browse dialog box.
Figure 7-18 Browse Dialog Box
Select the certificate file you want to import and click Open to redisplay the Import Certificate window.
Click Next to display the Import Certificate summary window.
Figure 7-19 Import Certificate Summary Window
Review the certificate information in the window. Click Back to change any information or click Finish to import the certificate. When you click Finish a dialog box appears with the message that the active certificate already associated with the profile will be set to valid so the new certificate can be set to active.
Click OK. The Certificates information viewer is redisplayed with the new certificate you imported. The certificate you just imported has a status of active. The replaced certificate has a status of valid.

Note: Before you attempt to exchange encrypted and signed documents, you should contact the partner from whom you imported the certificate and confirm that the fingerprints in both your certificates are identical. For more information see Certificate Window.

Exporting Your Certificate for Backup or Distribution

Use this procedure to export a certificate to a file.

When exporting your certificate for distribution to your partners, only export your public key. Never give your partner a certificate that contains your private key.

When exporting your certificate for backup purposes, you can export a certificate that contains your private key. If you do so, keep this certificate in a secure place and never give it to anyone.

After you export a certificate with a public key for distribution to your trading partners, you can send the file to your trading partners by e-mail or on diskette. This is one way to save a certificate to a file. For another way to export a certificate see Viewing Certificate Information.

Steps

On the Certificates information viewer, select the certificate you want to export and select File—>Export to open the Export Certificate selection window.
Figure 7-20 Export Certificate Selection Window

Select an export option.

Table 7-3 Export Options

Export option	Description
DER encoded binary X.509 (.cer)	Select this option to export a certificate containing a public key. Note: If you are exporting a certificate for distribution to a WebLogic Integration trading partner, you must select this option.
PKCS #7 (.p7c)	Select this option to export a certificate containing a public key.
Include all certificates in the certification path if possible	If you select PKCS #7 (.p7c), select this option to include all certificates in the chain of trust for the certificate. This is applicable for third-party certificates, but not for self-signed certificates.
PKCS #12 (.p12, .pfx)	Select this option to export a certificate containing your private key. You should do this only if you can keep the certificate in a highly secure place. This option is only available for exporting one of your certificates and not one of your partner's certificates. Your partner would not send you a certificate that contains a private key.

Click Next to display the Export Certificate file name and path window.
Figure 7-21 Export Certificate File Name and Path Window
Review the file name and path for the file you are exporting. If you want to change the path or name, type your changes or click Browse to open a Browse window.
Click Next to display the Export Certificate summary window.
Figure 7-22 Export Certificate Summary Window
Review the certificate information in the window. Click Back to change any information or click Finish to export the certificate. When you click Finish a dialog box appears with the message that the export succeeded. Click OK.
If you exported the certificate for a partner, send the certificate file to the partner by a secure means.

Deleting Certificates

Use this procedure to retire certificates that you or your partners no longer use for verifying signatures or encrypting messages.

Retiring a certificate is a pseudo-deleting process that results in its removal from the Certificates information viewer. However, the certificate remains in the system as a dormant entity that can be reactivated if need be. Allowing a certificate to be retired but not deleted is a safeguard for the future in the event a signature must be re-validated or a secure message decrypted again.

This is one way to retire certificates. You also can use the Certificate Profile window for a selected company or partner profile. See Retiring a Certificate.

For the steps to reactivate a certificate, see Un-Retiring a Certificate.

You can view a details window for retired certificates after you have withdrawn them.

Steps

At the Certificates information viewer, select the certificate you want to retire and click Delete. A dialog box appears with a message asking whether you want to retire the certificate.
Click Yes to retire the certificate or No to cancel the operation.

If you click Yes, the certificate no longer appears on the Certificates information viewer.

If you want to verify that the certificate has been retired, select the profile associated with the retired certificate and click Open to open the Certificate Profile window. Select the Retired Certificates tab. The certificate you retired appears on the tab. To view details of the retired certificate, click View Certificate.

Certificate Profile Window

The Certificate Profile window can be opened from the Certificates information viewer. You can use the Certificate Profile window to manage the certificates associated with company and partner profiles. The following topics are provided for using the window.

To open the window from the Certificates information viewer, select the name of the company or partner with the certificates you want and click Open.

The window has two tabs: Available Certificates and Retired Certificates.

Figure 7-23 Certificate Profile Window, Available Certificates Tab

Figure 7-24 Certificate Profile Window, Retired Certificates Tab

Viewing Certificate Information

Use this procedure to view information about a certificate for a company or partner profile. You also can export a certificate to a file.

This procedure uses the Certificate window, which is the same one described in Certificate Window, but here you access the window through the Certificate Profile window. See Certificate Profile Window for details about the window.

Steps

At the Certificates information viewer, select the name of the company or partner with the certificates you want. Click Open to open the Certificate Profile window with the Available Certificates tab selected.
Select the certificate you want to view and click View Certificate to open the Certificate window.
Figure 7-25 Certificate Window for a Self-Signed Certificate

See Certificate Window for a description of the fields.

If you want to export the certificate, click Export. See Exporting Your Certificate for Backup or Distribution.
When you finish viewing the certificate information, click Close to return to the Certificate Profile window.

Viewing the Certificate Path

Use this procedure to view information about a certificate's chain of trust. You also can export a certificate or its trusted roots to a file.

This procedure uses the Certificate Profile window. See Certificate Profile Window for details about the window.

A chain of trust or certificate chain is an ordered list of certificates that includes the certificate of the end-user and certificates of the issuing CA. A trusted root is a public key that is verified as belonging to an issuing CA, which is called a trusted third party.

Steps

At the Certificates information viewer, select the name of the company or partner with the certificates you want. Click Open to open the Certificate Profile window with the Available Certificates tab selected.
Select the certificate you want to view and click View Cert Path to open the View Complete Certificate Path window.
Figure 7-26 View Complete Certificate Path Window
To view details about a certificate in the chain, select the certificate and click View to open the Certificate window. See Certificate Window for a description of the fields.
To export a certificate in the chain, click Export on the Certificate window to display the Export Certificate window. You have the option to export a certificate file with an extension of .cer or .p7c. For procedure see Exporting Your Certificate for Backup or Distribution.
Click Close to return to the Certificate Profile window.

Activating a Pending or Valid Certificate

Use this procedure to change the status of pending or valid certificates to active. A profile can have many certificates, but only one active certificate at a time. The active certificate is the one used for document trading.

This procedure uses the Certificate Profile window. See Certificate Profile Window for details about the window.

Steps

At the Certificates information viewer, select the name of the company or partner with the certificates you want. Click Open to open the Certificate Profile window with the Available Certificates tab selected.
Select the certificate with the pending or valid status that you want to set as the active certificate and click Set As Active. A dialog box appears asking you to confirm that you want to activate the certificate.
Click Yes to activate the certificate or No to cancel the activation. If you click Yes, the Available Certificates tab shows the status of the certificate as active. If there was an existing active certificate, its status is changed to valid.

Note: WebLogic Integration - Business Connect does not automatically distribute the certificate to your trading partners. You must use some method to distribute the certificate.

Retiring a Certificate

Use this procedure to retire a certificate. This procedure uses the Certificate Profile window and is one way to retire or delete a certificate. For details about inactivating certificates see Deleting Certificates.

For the steps to reactivate a certificate, see Un-Retiring a Certificate.

See Certificate Profile Window for details about the window.

At the Certificates information viewer, select the name of the company or partner with the certificates you want. Click Open to open the Certificate Profile window with the Available Certificates tab selected.
Select the certificate to retire and click Retire.
Click Yes to confirm you want to retire the certificate.

Un-Retiring a Certificate

Use this procedure to change the status of a retired certificate to valid or active.

As explained in Deleting Certificates, certificates you have retired from use are maintained in the system in a dormant state in the event they are needed again. When you un-retire a certificate, its status changes to valid and it appears once more on the Certificates information viewer. After changing the status to valid, you can make the certificate active if you want.

This procedure uses the Certificate Profile window. See Certificate Profile Window for details about the window.

Steps

At the Certificates information viewer, select the name of the company or partner with the certificates you want. Click Open to open the Certificate Profile window with the Available Certificates tab selected.
Select the Retired Certificates tab to view a list of the retired certificates, if any, associated with the profile.
Select the certificate you want to bring out of retirement and click Un-retire. A dialog box opens with a message asking whether you want to bring the certificate out of retirement.
Click Yes to un-retire the certificate or No to cancel the operation.

If you click Yes, the certificate disappears from the Retired Certificates tab. The certificate status changes from retired to valid. The certificate now appears on the Available Certificates tab and the Certificates information viewer.
To change the status of the un-retired certificate from valid to active, see Activating a Pending or Valid Certificate.

Trusted Roots

Trusted roots are the foundation upon which chains of trust are built in certificates. Underlying a certificate issued by a certificate authority is a root, self-signed certificate. In WebLogic Integration - Business Connect trusting a CA root means you trust all certificates issued by that CA. Conversely, if you elect not to trust a CA root, WebLogic Integration - Business Connect will not trust any certificates issued by that CA. Document trading fails in WebLogic Integration - Business Connect when a non-trusted certificate is used.

The self-signed certificates you can generate in WebLogic Integration - Business Connect are root certificates. This is because you are, in effect, your own CA when you generate a self-signed certificate.

WebLogic Integration - Business Connect by default trusts your and your partners' self-signed certificates that were generated by WebLogic Integration - Business Connect. WebLogic Integration - Business Connect also by default trusts the roots of many CA-issued certificates. You can, however, specify whether WebLogic Integration - Business Connect should not trust all or some certificates issued by a specific CA. You also can explicitly not trust a partner's self-signed certificate.

The Trusted Roots window displays trusted roots for various certificate authorities. It also displays the self-signed certificates of your partners and the certificates used by the WebLogic Integration - Business Connect SOAP-RPC HTTPS server and API HTTPS server (see Application Security).

Importing a trusted root is a task that rarely, if ever, must be performed. You might have to import a trusted root if, for example, your partner sends you a CA-issued certificate and your system does not have the trusted root for it. In such a case, document trading would fail. As a solution, you would need to import the root underlying the certificate and trust it.

WebLogic Integration - Business Connect can import trusted roots contained in files with the following extensions: .cer, .p7c and .p7b. There are various ways you can obtain such trusted root files:

You can use WebLogic Integration - Business Connect to export a certificate file with an extension of .p7c. See Viewing the Certificate Path.
You can check whether trusted root files are available for download on the web site of the public CA that issued the certificate.
If the certificate was issued by an in-house CA such as Entrust, you can ask the CA administrator for a trusted root file.
If the certificate is present in a browser, you can use the application's trusted roots option to export the trusted root to a file.

When you import a trusted root for a certificate to WebLogic Integration - Business Connect, we recommend that you compare the MD5 fingerprints in both the trusted root and the certificate to verify that they match.

Viewing, Editing or Importing Trusted Roots

Use this procedure to specify whether to trust roots, view root details or import trusted roots. For details about trusted roots, see Trusted Roots.

Steps

In Administrator select Tools—>Certificates—>Trusted Roots to open the Trusted Roots window. The window displays a list of CA roots and self-signed certificates your partners have sent you.

Self-signed certificates that you have generated in WebLogic Integration - Business Connect for document trading do not display on the window. This is because you must trust your own self-signed certificates created for document trading; you cannot elect not to trust them. However, the self-signed certificates for the SOAP-RPC HTTPS server and API HTTPS server are listed on the window and are trusted by default. See Certificate Tool (certloader).

Figure 7-27 Trusted Roots Window
Check or clear the trust check boxes to indicate whether to trust certain CA roots or self-signed certificates.

There are multiple lines for each CA because each has multiple roots, each with unique fingerprints under which it issues certificates.
To view the fingerprints, select a root and click View to open the Certificate window. By comparing fingerprints you can choose to trust or not trust some but not all of a CA's certificates. See Certificate Window for a description of the fields on the window.
To import a trusted root, click Import on the Trusted Roots window to open the Import Certificate dialog box. Select the certificate file to import and click Open. You can import a file with an extension of .cer, .p7c or .p7b.
Click OK to save your changes and close the Trusted Roots window or Cancel to cancel the operation and close the window.

Using Certificate Revocation Lists

Use this procedure to configure WebLogic Integration - Business Connect to compare your partners' certificates against lists of invalid certificates that are maintained by the issuing certificate authorities.

A certificate revocation list (CRL) is a list of third-party certificates that are no longer valid. Certificate authorities maintain such lists of certificates they issued, but later invalidated for one reason or another. CRLs are accessible on the Internet, and you need an Internet connection for WebLogic Integration - Business Connect to use them.

WebLogic Integration - Business Connect enables you to check your partners' certificates against CRLs. When you direct WebLogic Integration - Business Connect to use CRLs, your partners' certificates are checked each time documents are exchanged. For example, when a partner sends you an encrypted document, WebLogic Integration - Business Connect checks the certificate associated with the inbound document against the CRL. If the certificate is on the CRL, WebLogic Integration - Business Connect rejects the inbound document.

Although using CRLs can enhance security, the checking process can result in longer processing times. Consequently, your decision whether to use CRLs should weigh the security advantage against the performance handicap.

You can configure WebLogic Integration - Business Connect to check certificates against the CRLs of one or more certificate authorities. However, WebLogic Integration - Business Connect checks a specific certificate only against the appropriate CRL. For example, if you configure WebLogic Integration - Business Connect to use CRLs maintained by VeriSign, Inc. and GlobalSign and an inbound document is associated with a VeriSign certificate, the system checks only against the VeriSign CRL and not the GlobalSign CRL.

You are responsible for obtaining from the certificate authority the information required for accessing the CRL. WebLogic Integration - Business Connect downloads the latest CRL in performing certificate checks. It also downloads updates of the CRL, based on the update interval in the previously downloaded CRL.

Steps

In Administrator, select Tools—>Certificates—>Cert. Revocation List to open the Certificate Revocation List window. Go to one of the following:

Adding CRLs

Do the following on the Certificate Revocation List window to configure WebLogic Integration - Business Connect to use one or more CRLs.

Select the Use CRLs check box.

Obtain the information required to access the CA's CRL. This includes the CRL distribution point, the host name, port number and the TCP/IP protocol. Type the CRL access information in the appropriate fields.

The protocols are hypertext transfer protocol (HTTP) and lightweight directory access protocol (LDAP). For example, VeriSign CRLs are accessed via HTTP and Entrust CRLs are accessed via LDAP.
You can obtain the CRL information by viewing the details of a CA-issued certificate. See Certificate Window. The information, if present, is in the extensions section and is labeled as CRL distribution point.
As an example, the following is the CRL distribution point within a VeriSign certificate. This is a URL as follows:
http://crl.verisign.com/class1.crl
This URL corresponds to the fields on the Certificate Revocation List window as described in the following table. Table 7-4 URL Components http: Select http from the protocol drop-down list. [port number] When a port number does not follow http:, the port number is 80 for HTTP only. Type 80 in the port field. If the port is other than 80, the URL will specify the port number. crl.verisign.com This is the value for the host field. class1.crl This is the value for the distribution point field.

Click Add to add to the CRL and display it on the window. By default the Update check box next to the new CRL is selected. The Update check box must be selected for WebLogic Integration - Business Connect to initially download and subsequently perform update downloads of the CRL.
Repeat the previous steps to add another CRL.
Click OK to complete the configuration.

After you add one or more CRLs and if the Server application is running, the system downloads the CRLs into the crls directory under the WebLogic Integration - Business Connect installation directory. There might be a delay of up to one hour before Server downloads a CRL the first time. This is because the application polls for new CRLs once an hour.

Each CRL contains a refresh date that indicates when the CA updates the list. WebLogic Integration - Business Connect downloads the updated CRL after each refresh date, provided the Update check box next to the CRL is selected.

The Update check boxes next to the CRLs tell WebLogic Integration - Business Connect whether to monitor the refresh dates within the CRLs and download updated CRLs from CAs at the appropriate times. When the Update check boxes are selected, WebLogic Integration - Business Connect downloads the latest available CRLs.

Deleting CRLs

Do the following on the Certificate Revocation List window to delete CRLs.

Make sure the Use CRLs check box is selected.
Select the CRL you want to delete and click Delete. Repeat to delete another CRL.
Click OK for the deletions to become effective.

Turning CRL Checking On and Off

Do the following on the Certificate Revocation List window to turn CRL checking on and off.

If you want WebLogic Integration - Business Connect to check your partners' certificates against CRLs, select the Use CRLs check box. If you want to turn off CRL checking, clear the Use CRLs check box.

The Use CRLs check box controls whether all CRL checking is turned on or off. You cannot turn on or off checking for a particular CRL by selecting or clearing the Update check box next to a CRL.
Click OK for the selection to become effective.

Yes	Places the new certificate in Active status and any earlier certificate in Valid status.
No	Places the new certificate in Pending status.

http:	Select http from the protocol drop-down list.
[port number]	When a port number does not follow http:, the port number is 80 for HTTP only. Type 80 in the port field. If the port is other than 80, the URL will specify the port number.
crl.verisign.com	This is the value for the host field.
class1.crl	This is the value for the distribution point field.