Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 4 System Settings : Certificate Store

Certificate Store
The certificate store allows you to manage all credentials (certificates and private keys) in one location. These credentials are owned by participants, by the BusinessConnect server, and by the trusted CAs (Certificate Authorities). You can add and remove CA certificates, and you can create new identity (leaf) certificates, which you can send to a certificate authority for signing using a Certificate Signing Request (CSR). For information about certificates and security in general, see Credentials Tab for Participants and TIBCO BusinessConnect Concepts, Security.
To learn how to work with keys, you can use the samples provided with this program in the directory BC_HOME/samples/keys. Keep in mind that the password for these sample keys is Password1.
Credentials Tab
This tab allows you to add or to remove trusted root certificates from the system. Certificates are only valid if both trading partners trust the CA that signed the other’s root certificate.
Adding Certificate Authority
1. Expand BusinessConnect > System Settings > Certificate Store.
2. Click Add Certificate Authority.
3.
4. Click Browse to upload the CA certificate file, which should already be available on your machine. If it is not, make sure to acquire a root certificate before proceeding with this configuration.
5. Click OK twice.
Removing Certificate Authority
1. Expand BusinessConnect > System Settings > Certificate Store.
2.
3. Click Remove Certificate Authority.
4.
New Identities Tab
This tab allows you to create new identities (private keys with X.509v3 leaf certificates) and add them to your system. To create a new public key certificate for your server, you first create a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA) for verification. When you create a CSR, a new private key is also created for decryption/verification.
You will send the CSR, which only carries public information, to a CA. Once the signed certificate is returned, it will be attached to the corresponding private key and this new identity becomes usable for decryption/verification, representing itself as stated in the certificate.
Creating New Identity
1. Expand BusinessConnect > System Settings > Certificate Store > New Identities.
2. Click Create New Identity.
Certificate Signing Request Wizard
A six-step Certificate Signing Request wizard is displayed that will allow you to generate a CSR.
Step 1. General Information  
1.
2.
Step 2. Confirm Settings
This dialog displays the information you have entered. If everything is correct, click Next.
Step 3. Generated CSR
This dialog displays the content of the CSR you have generated.
Figure 8 CSR Wizard Step 3, Generated CSR
3. Copy the text, including both the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines, and save it to a separate text-only file such as newCsr.txt.
You will send the generated CSR to a certificate authority (CA) of your choice for verification.
4. Click Next.
Step 4. CA Response
5.
Figure 9 CSR Wizard Step 4, CA Response
6. Click Next to proceed.
Step 5. Complete Certificate Chain
In this step, you can upload the CA root certificate to complete the certificate chain.
7. The dialog is displayed with the error message Missing CA Certificate. Certificates are only operable if both trading partners trust the CA that signed the other’s root certificate.
a.
b.
Figure 10 CSR Wizard Step 5, Complete Certificate Chain
8. Click Next.
Step 6. Success
After successfully uploading the verified certificate, you arrive at step 6, Success.
Figure 11 CSR Wizard Step 6, Success
Your new leaf certificate, verified by the CA, is available for you to use. You have to assign the new leaf certificate to your server by selecting the server from the list next to the label Host.
9. Click Finish.
Server Identities and Certificates Tab
In the Server Identities and Certificates tab, you can add an LDAP, a JMS, or an Email server certificate to use with the main system.
Adding LDAP/JMS/Email Server Certificates
The JMS certificate is a credential of the JMS server, which is expected to be configured according to the corresponding guidelines. Before the BusinessConnect palette can verify the identity of a JMS server, this certificate has to be added and the check box Verify JMS Server has to be selected.
A server certificate is stored in the certificate store and must be created before it is assigned to a transport. To create it, perform the following steps:
1. Expand BusinessConnect > System Settings > Certificate Store > Server Identities & Certificates.
2. Click Add Third Party Server Certificate.
3.
4.
The imported certificate will appear in the Credential Name list.
Figure 12 Imported Server Certificate
5. Click Done.
Fetching a Server Certificate
Besides adding a server certificate, you can also fetch a server certificate in the Fetch Third Party Server Certificate Tab.
For example, to fetch a Gmail SMTP server certificate, perform the following steps:
1. Expand BusinessConnect > System Settings > Certificate Store > Server Identities & Certificates.
2. Click Fetch Third Party Server Certificate.
3.
a. Enter the host in the Host field. For example: smtp.gmail.com.
b. Enter the port number in the Port field. For example: 465.
c. Click OK to save the certificate.
4. Click Done.
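Both the CSR you copy out of the wizard in step 3 (Generated CSR) and the certificate that Fetch Third Party Server Certificate retrieves are PEM blocks: a BEGIN line, base64-encoded DER, an END line. Two things go wrong in practice: the pasted CSR loses its BEGIN/END line or a line of base64 (the CA then rejects it), and a fetched server certificate is whatever the network returned, which is only safe to trust after its fingerprint has been compared with one obtained from the server's operator. The following script is an added example, not TIBCO code and not part of the BusinessConnect product; it uses only the Python standard library. The function names and the 200-byte DER stand-in for a CSR are this example's own constructions (the stand-in is not a real CertificationRequest, only enough DER structure to exercise the checks offline), and the host and port in the usage comment are the ones this page uses.

```python
"""Pre-flight checks for PEM material handled in the Certificate Store.

Added example (not TIBCO code). Standard library only.
"""
import base64
import hashlib
import re
import ssl


def pem_to_der(text, label):
    """Extract the PEM block with the given label and return its DER bytes.

    Tolerates the usual copy-paste damage (CRLF line endings, a BOM, stray
    whitespace, text before or after the block) but rejects a block whose
    BEGIN or END line is missing or whose base64 body is broken.
    """
    begin = f"-----BEGIN {label}-----"
    end = f"-----END {label}-----"
    text = text.lstrip("\ufeff").replace("\r\n", "\n").replace("\r", "\n")
    start = text.find(begin)
    stop = text.find(end)
    if start < 0 or stop < 0 or stop < start:
        raise ValueError(f"block must contain both '{begin}' and '{end}'")
    body = re.sub(r"\s+", "", text[start + len(begin):stop])
    if len(body) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        raise ValueError("base64 body is corrupted or truncated")
    return base64.b64decode(body, validate=True)


def der_sequence_length(der):
    """Return the content length declared by the outer DER SEQUENCE.

    CSRs and X.509 certificates are both a top-level SEQUENCE (tag 0x30).
    A declared length that does not match the decoded size means lines were
    dropped or added while copying; a CA would reject the request anyway.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; is this really a CSR or certificate?")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, length = 2, first
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length field")
        header = 2 + n
        length = int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError(f"DER length mismatch: declared {length}, found {len(der) - header}")
    return length


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as shown by most certificate viewers."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_csr_text(text):
    """Validate the text saved as newCsr.txt; return its fingerprint or raise ValueError."""
    der = pem_to_der(text, "CERTIFICATE REQUEST")
    der_sequence_length(der)
    return sha256_fingerprint(der)


def is_valid_csr_text(text):
    """Boolean form of check_csr_text for scripts that just need a pass/fail."""
    try:
        check_csr_text(text)
        return True
    except ValueError:
        return False


def fetch_server_cert_fingerprint(host, port):
    """Open a TLS connection to host:port, take the leaf certificate the server
    presents, and return its SHA-256 fingerprint. Needs network access.

    Like the Fetch Third Party Server Certificate dialog, this accepts whatever
    certificate the peer sends (no chain validation), so compare the result
    with a fingerprint obtained out of band before trusting it.
    """
    pem = ssl.get_server_certificate((host, port))
    der = pem_to_der(pem, "CERTIFICATE")
    der_sequence_length(der)
    return sha256_fingerprint(der)


def wrap_pem(der, label):
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-in for a CSR: a 200-byte outer SEQUENCE (long-form length)
# holding one OCTET STRING. Not a real CertificationRequest, only enough DER
# structure to exercise the checks above without a CA or a network.
SAMPLE_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"\x00" * 197
SAMPLE_CSR_TEXT = wrap_pem(SAMPLE_DER, "CERTIFICATE REQUEST")

if __name__ == "__main__":
    print("constructed CSR fingerprint:", check_csr_text(SAMPLE_CSR_TEXT))
    # Online use (not run here): fetch_server_cert_fingerprint("smtp.gmail.com", 465)
```

To check a real request, read newCsr.txt and pass its contents to check_csr_text; a ValueError names the first problem found (missing marker, bad base64, or a DER length that does not match the decoded size). fetch_server_cert_fingerprint deliberately does no chain validation, because the point of the fetch is to learn which certificate the server presents; the fingerprint it returns is what you compare against the value the server's operator publishes before clicking OK to save the certificate.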
 
