Appendix A: Certificates (OpenAS2)

Overview

To establish a secure AS2 connection, certificates have to be exchanged between both trading partners. For on-premise installations the customer does this; for hosted installations Informatica does it. As the diagram below shows, the customer or Informatica has to create a public certificate / private key pair, send the public certificate to 1WorldSync or the respective data pool provider (usually by e-mail) and put the private key into the OpenAS2 key store. Then the public certificate of 1WorldSync or the respective data pool provider has to be retrieved (by e-mail or download from their web page) and also put into the OpenAS2 key store.

images/download/attachments/261738777/CertificationExchange.png

Create a private key / public certificate

OpenAS2 provides a command to create a private key / public certificate pair. The public certificate has to be sent to 1WorldSync or the respective data pool provider so they can encrypt their messages to you with it. To create the pair, go to the <OpenAS2>/config directory and execute the following command (the key store password can be found in the config.xml file):

..\bin\gen_p12_key_par.bat <keyStore> <Customer>_<env>_to_1ws <sigAlg> "CN=<CommonName>, O=<Organization>, OU=<OrganizationalUnit>, L=<Locality>, S=<State>, C=<Country>"

or, as a concrete example for Informatica:

..\bin\gen_p12_key_par.bat as2_certs customer_dev_to_1ws sha256 "CN=informatica.com, O=Informatica GmbH, OU=R&D, L=Stuttgart, S=BW, C=GER"

The result should look like:

images/download/attachments/479246840/image2020-5-20_14-13-2.png

You can now send the public certificate (in this case informatica_to_1ws.cer) to 1WorldSync or the respective data pool provider, and either use the generated key store or update an existing one.

How to import a new certificate

  1. Open a console and navigate to the <OpenAS2>/config directory.

  2. Execute the following command:

    ..\bin\import_public_cert.bat c:\Informatica\OpenAS2\config\<yourCertificate> <keyStore> <alias> <action>

    or, for example:

    ..\bin\import_public_cert.bat c:\Informatica\OpenAS2\config\as2_preprod_1worldsync_com_10Jan2020_der.cer c:\Informatica\OpenAS2\config\as2_certs.p12 1ws replace

    The replace action is optional and only needed if a certificate with this alias already exists in the key store.

  3. The password for the key store can be found in the config.xml of OpenAS2 in the XML element <certifications>.

How to list all certificates (check)

  1. To list all certificates in your key store:

    keytool -list -keystore <keystore> -storepass <password> -storetype PKCS12

    or, for example:

    keytool -list -keystore as2_certs.p12 -storepass testas2 -storetype PKCS12

  2. Your key store should look like this:

    images/download/attachments/479246840/image2020-3-30_14-40-15.png

How to delete a certificate

To delete a certificate from your key store:

keytool -delete -keystore <keystore> -storepass <password> -alias <alias>

or, for example:

keytool -delete -keystore as2_certs.p12 -storepass testas2 -alias 1ws

How to extract a certificate from a p7b file

When 1WorldSync or the respective data pool provider provides new certificates, you usually do not receive the required certificate on its own but a p7b file. This file contains a collection of several certificates. To extract and use the required certificate, do the following:

On Windows, double-click the p7b file, open the Certificates folder and right-click the first entry. Select All Tasks → Export...

images/download/attachments/479246840/image2022-2-8_14-12-31.png

Now follow the steps of the export wizard and provide a valid file name, preferably the same name as the original file, since only the file extension is replaced; for example: as2_preprod_1worldsync_com_10Jan2020_der. Finish the export and continue with the exported certificate (for example, import it into the key store as described above).
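The same extraction can be done without the Windows wizard. The following POSIX shell script is an added example, not part of this page or of OpenAS2: it splits a p7b bundle into one certificate file per entry and prints the checks worth doing before running import_public_cert (subject, expiry, SHA-256 fingerprint). It assumes openssl is on the PATH (Linux/macOS servers, or Git Bash on Windows), and the output file names cert1.cer, cert2.cer, ... are its own convention.

```shell
#!/bin/sh
# Added example, not part of the original page or of OpenAS2.
# Requires: openssl on the PATH (Linux/macOS, or Git Bash on Windows).
set -eu

# Split a PKCS#7 bundle (DER as delivered by the data pool, PEM as a
# fallback) into one PEM file per certificate (cert1.cer, cert2.cer, ...)
# in the output directory and print how many certificates were found.
extract_from_p7b() {
  p7b="$1"; outdir="$2"
  mkdir -p "$outdir"
  openssl pkcs7 -inform DER -in "$p7b" -print_certs -out "$outdir/all.pem" 2>/dev/null ||
    openssl pkcs7 -inform PEM -in "$p7b" -print_certs -out "$outdir/all.pem"
  # -print_certs writes subject/issuer lines followed by each PEM block;
  # copy every BEGIN..END CERTIFICATE block to its own file.
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".cer" }
    f                             { print > (f) }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }' "$outdir/all.pem"
}

# Print what to check before import_public_cert: the subject, the expiry
# date, the SHA-256 fingerprint (compare it with the value the partner
# communicated out-of-band) and whether at least 30 days of validity
# remain (2592000 seconds).
describe_cert() {
  cert="$1"
  openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256
  if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
    echo "validity: ok (more than 30 days left)"
  else
    echo "validity: WARNING, expires within 30 days or already expired"
  fi
}

# Usage: sh extract_p7b.sh <bundle.p7b> <output-directory>
if [ "$#" -eq 2 ]; then
  n=$(extract_from_p7b "$1" "$2")
  echo "extracted $n certificate(s) to $2"
  for c in "$2"/cert*.cer; do
    echo "--- $c"
    describe_cert "$c"
  done
fi
```

The extracted files are PEM encoded; keytool (and therefore import_public_cert.bat) accepts PEM as well as DER, so they can be imported as shown above.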