Hi,
I need to do an https call to one of our partner from the IS.
The IS only acts as a client, and our partner is the server.
Our partner provided us with their certificate (and URL), in a .pfx format. I already converted this file into a .cer format with windows explorer, and converted into a .der format with the webMethods Certificate Toolkit.

I read loads of the Threads and documentation, but the mix of information when webMethods is acting as a client or as a server is very confusing for me.
In my case, I only need to do https outbound calls using our partner certificate.

Do I need to install the certificate within the IS, and if yes how, by importing it (Configure Client Certificates)?
Do I also need to edit the Certificates Settings (Outbound SSL Certificates and Trusted Certificates)?

Can I use the service pub.client.http on its own, or do I need to use the service pub.security:setKeyAndChain?
If yes, the service pub.security:setKeyAndChain has a mandatory private key input, but my partner only provided me with a certificate! How do I populate this field?

IS properties are also so many.
Do I need to set some of those:

watt.security.ssl.ignoreExpiredChains=true
watt.security.ssl.cacheClientSessions=false
watt.security.ssl.client.ignoreEmptyAuthoritiesList=true
watt.security.cert.wmChainVerifier.trustByDefault=true

Please, any help will be very welcomed!

Thanks in advance,
Michael.

> The IS only acts as a client, and our partner is the server.
In this case, you only need to do the following:

1. Install your partners root and intermediate CA certificates in IS trusted CA certificates directory (look in ‘Security > Certificates’ if you don’t know where that directory is). You will need to restart your server.

2. Setup your server SSL certificates properly (again, see ‘Security > Certificates’)

3. Use pub.client:http to establish an HTTPS connection - this will automatically use your server certificate as a client certificate.

You should not need to import a client certificate, change server.cnf etc.

The most valuable advice I can give you: setup an in-house test harness: on a second IS server, setup a SSL port with a ‘require client certificates’ setting, import your server cert as a client certificate mapped to a test user, and start testing…

Thanks Sonam.

I installed our partner certificate in our IS trusted CA certificates directory (step 1).

Concerning step 2, do we really need to configure the Outbound SSL Certificates? If yes, this means my company aslo has to get a certificate from CA like VeriSign or Entrust? But once again, our partner never sends request to us.

Can you just confirm this to me.

Thanks,
Michael.

Michael - The title of your thread: “Https call with certificate” led me to believe your tranding partner requires X.509 client certificate authentication when your server connects to their server? If not, and you are using Basic Authentication or no authentication at all, you don’t need to do step #2. It should just work.

Sonam

Yes!
I finally managed to get it working!

From the IS main page (WmRoot)

Settings/Extended:
I didn’t setup any of the watt.security properties.
Security/Certificates:
I didn’t specified any Trusted Directory
I didn’t specified any Outbound SSL Certificates
I didn’t import (configure) any Client Certificates

From the flow service:

pub.security:setKeyAndChain:
Points to the private key which I extracted from the certificate (.der)
Points to the certificate (.der)

Pub.client.http
Points to the https url
Method POST

pub.security:clearKeyAndChain

That’s it.

But it was first needed to extract the private key from the certificate we received!
To do so, we used open ssl (openssl.exe pkcs12 -in certificate.pfx -out outfile)
We extract the private key section from the PEM default format
We did convert the key into a .der format (openssl rsa -inform PEM -outform DER -in privKey.pem -out privKey.der)

Hope this will help someone in the future.
Michael.

Mike -

> pub.security:setKeyAndChain:
> Points to the private key which I extracted from the certificate (.der)
> Points to the certificate (.der)

So you are using X.509 digital certificate client authentication.

Most setups use their server certificate as a client certificate as well. Hence if you set the server certificate in ‘Security > Certificates’ as under:

Outbound SSL Certificates

• Server’s Signed Certificate = PUBLIC.KEY.DER
• Signing CA’s Certificate = thawte.crt
• Server’s Private Key = private.der

Trusted Certificates

• CA Certificate Directory = <whatever>

… you can avoid the call to setKeyAndChain entirely - the HTTP client will automatically use your server cert for X.509 client authentication.

Sonam,
You are right!
We can also do it without using setKeyAndChain but using Outbound SSL instead.
But why do we have to extract the private key from the certificate our partner provided us? So tricky! We have to use open ssl to extract the private key and to convert it into der. Not very straight forward, isn’t it!
Thanks to you,
Michael.

You’re welcome Michael.
Normally, the partner won’t provide you a certificate, it will be the other way around.

I think this is the normal sequence for key generation:

1. You generate a private key - this stays secret at all times and is only known to you. It is not provided to your partners, and not even to the CA.

2. You generate a certificate signing request (CSR) using your private key.

3. You send off the CSR to the CA, who signs it and sends back your public certificate, as well as the CA’s public certificate.

4. You send off your newly signed public certificate, as well as the CA’s public certificate, to your partners. Your partners set their system to ‘trust’ your CA (if they don’t do so already) and ‘map’ your public certificate to your account on their system.

5. Now, your system can use the private key to authenticate a request from your system to your partner’s system - your partner will be able to authenticate you as only your public key can decrypt communication encrypted with your private key.

You said your partner provided you with the certificate in a .pfx format. I’m not conversant with that format, but what may have happened, is some companies are very strict on X.509 authentication. In order to save time and skip steps #1-4 above, your partner may simply have procured/generated a certificate for you - but that may mean they have your private key for the certificate.

Cheers.
Sonam

Hi Sonam

As suggested by you i am testing with two IntegrationServers.

We are using self signed certificates and i tried making call from one IS to other.

I tried using the setKeyAndChain service by providing the same PrivateKey which we generated in the server side.

But i am gettting the following error in Server side

Aborting connection from /10.248.11.206: [ISS.0084.9001] Invalid credentials

I tried configuring the certificates in Outbound SSL Certificates as well but i am still getting the same error

All the certificates are valid and i have tried all the suggested extended settings but i am still getting the error?

Could you please help me with this issue

Thanks in Advance

Regards

Mani

Hi Michael,

My problem looks similar to your.

"Hi All,

I am trying to do a “get” call by hitting “https://URL:9001/xyz” link. It is Enovia CAS server. i am passing all parameters correctly but getting below error.

Error Message:

Bad Request

Your browser sent a request that this server could not understand.

I am using pub.client:http service to hit above link. Other team is telling to bypass self signed certificate and send request. So please may i know how do i ignore or bypass self signed certificate."

"pub.security:setKeyAndChain:
Points to the private key which I extracted from the certificate (.der)
Points to the certificate (.der) "

I did not understand above points. please can you share inputs what i have to give to “pub.security.keystore:setKeyAndChain”
Inputs:
keyStoreAlias
keyAlias

Hi Darsharn,

which version of webMehtods are you using?

As already answered in another post with similar subject, certificate handling in IntegrationServer has changed with wM 8.x and newer in comparison to previous versions.

You will have to create a JavaKeyStore-File (JKS) with all the certificates you want to trust and configure this one as a Truststore in your IS.

Keystore file can be created by using keytool, which is part of every jvm distribution.

See IS Administrators Guide for details.

Regards,
Holger