Hidden Gems series - part 3

Tue September 23, 2014 05:39 AM

Issue 3, 2014


Overlapping certificates in webMethods Trading Networks

Welcome to another Hidden Gem, where we will highlight a lesser-known but valuable feature of the webMethods suite. There are many such hidden gems you may not have stumbled upon in training or documentation. Get to know them because they could make your life easier and your implementation even better. This edition’s hidden gem is overlapping certificates in webMethods Trading Networks.

What are overlapping certificates?

Trading Networks provides support for up to two active certificate sets each for sign/verify, encrypt/decrypt and SSL certificate types. Typically, these certificates are created with a small overlap in their validity periods—hence, the name overlapping certificates. The certificate that is actively used is referred to as the primary certificate, and the unused one is referred to as the secondary certificate.

What is the need for overlapping certificates?

A secure exchange of documents between partners requires that valid certificates are maintained for all partners, at all times. Any certificate that is close to expiration must be updated before expiration. Otherwise, costly interruptions to the flow of business documents may occur. This is a daunting challenge for administrators who must regularly update certificates, particularly when interacting with hundreds or thousands of partners.

By using overlapping certificates, Trading Networks can automatically switch to the secondary certificate when a primary certificate expires and continue processing documents. This gives administrators an additional time cushion to update certificates and complete those updates on a schedule, rather than reacting to outages caused by certificate expiration.

How do you set up overlapping certificates?

You can define overlapping certificates in Trading Networks by going to the partner profiles page, selecting the profile, and clicking the certificates tab as shown in Figure 1.


Figure 1: Primary/secondary certificate management in Trading Networks

Note:
The certificate set that you add first to the SSL, sign/verify or encrypt/decrypt certificate type is the primary certificate set. This is indicated by an icon in the Status column. The next certificate set that you add to the same certificate type becomes the secondary certificate set.

Certificate switching

Trading Networks automatically switches from the primary certificate set to the secondary one when any of the following occurs:

  • The primary certificate has already expired and the secondary certificate has not expired
  • The receiver’s sign/verify or SSL primary certificate set does not match the sender’s sign/verify or SSL certificate set

Trading Networks does not switch encryption/decryption certificates at the receiver’s end. The receiver of the document must write a flow service that first obtains the certificate ID of the appropriate decrypt certificate, using the wm.tn.security:getAllCertificateData service. That certificate must then be set as the primary one for that partner using the wm.tn.security:setPrimaryCertificate service. Doing this ensures that the correct decryption certificate is retrieved for future transactions with that partner.

The following few scenarios demonstrate how Trading Networks automatically switches certificates:

Sign/verify scenario 1

Trading Networks automatically switches certificates from primary to secondary when the primary certificate expires as shown in Figure 2.

Figure 2: Sign/verify scenario 1

Step 1: The trading partner sends a document signed with certificate C2 to the enterprise.

Step 2: Trading Networks on the enterprise side switches the primary certificate to C2 and retrieves certificate C2 because certificate C1 has expired.

Step 3: Trading Networks on the enterprise side verifies the document with C2. Verification is successful.

Sign/verify scenario 2

Trading Networks automatically switches certificates when the receiver’s verify certificate set does not match the sender’s sign certificate set as shown in Figure 3.


Figure 3: Sign/verify scenario 2

Step 1: The trading partner sends a document signed with certificate C2 to the enterprise.

Step 2: Trading Networks on the enterprise side retrieves certificate C1 for the trading partner and verifies the document with certificate C1. Verification fails because the document is signed with certificate C2.

Step 3: Trading Networks on the enterprise side retrieves certificate C2 and verifies the document with C2. Verification is successful.

Step 4: Trading Networks on the enterprise side sets certificate C2 as the primary certificate for the trading partner.
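The two switching rules listed under "Certificate switching" and walked through in scenarios 1 and 2 can be modelled in a few lines. The block below is an added example, not Trading Networks code or any Software AG API: certificate sets, validity windows and the C1/C2 sample data are constructed here, an HMAC tag stands in for X.509 signature verification, and it assumes that an expired certificate never verifies and that a promoted secondary keeps the old primary as its secondary.

```python
# Added example (not Trading Networks code): a minimal model of the two
# switching rules described above. HMAC stands in for X.509 signature
# verification so the block runs with the standard library only.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass
class Cert:
    cert_id: str
    not_before: datetime
    not_after: datetime
    key: bytes  # stand-in for the certificate's key material

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after

def sign(cert: Cert, doc: bytes) -> bytes:
    return hmac.new(cert.key, doc, hashlib.sha256).digest()

def verify(cert: Cert, doc: bytes, sig: bytes, now: datetime) -> bool:
    # Assumption: an expired certificate never verifies, even if the key matches.
    return cert.valid_at(now) and hmac.compare_digest(sign(cert, doc), sig)

CertSet = Tuple[Cert, Optional[Cert]]  # (primary, secondary)

def verify_with_switching(certs: CertSet, doc: bytes, sig: bytes,
                          now: datetime) -> Tuple[Optional[str], CertSet]:
    """Return (ID of the cert that verified, or None; updated (primary, secondary))."""
    primary, secondary = certs
    # Rule 1 (scenario 1): primary expired, secondary still valid -> switch first.
    if not primary.valid_at(now) and secondary is not None and secondary.valid_at(now):
        primary, secondary = secondary, primary
    if verify(primary, doc, sig, now):
        return primary.cert_id, (primary, secondary)
    # Rule 2 (scenario 2): primary does not match the signer -> try the secondary
    # and, on success, make it the primary (assumption: old primary kept as secondary).
    if secondary is not None and verify(secondary, doc, sig, now):
        return secondary.cert_id, (secondary, primary)
    return None, (primary, secondary)

# Constructed sample data: C1 and C2 overlap by about two months; C1 expires first.
DAY0 = datetime(2014, 1, 1)
def day(n: int) -> datetime:
    return DAY0 + timedelta(days=n)
C1 = Cert("C1", day(0), day(365), b"key-of-C1")
C2 = Cert("C2", day(300), day(665), b"key-of-C2")
DOC = b"<PurchaseOrder id='1001'/>"
SIG_C2 = sign(C2, DOC)  # the partner has already moved to C2
```

Calling `verify_with_switching((C1, C2), DOC, SIG_C2, day(400))` reproduces scenario 1 (C1 expired, C2 promoted before verification) and the same call at `day(330)` reproduces scenario 2 (C1 still valid but mismatched, C2 verifies and becomes primary); a document with an unknown signature leaves the set unchanged.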

Learn more

Overlapping certificates are available in webMethods Trading Networks 9.5 and later versions. You can find detailed documentation on overlapping certificates in the webMethods Trading Networks Administrator’s Guide in the documentation section of the Tech Community or the documentation website at http://documentation.softwareag.com.

Let us know what you think of our new Hidden Gems series by commenting on this article on the Tech Community blog. And look for another hidden gem in the next issue of TECHniques.

