Sterling B2B Integrator - Managing Keys

You can insert, update, and retrieve certificates present in the Sterling B2B Integrator repository.

You can insert a base64-encoded certificate (public or private) and import and export certificates into the Sterling B2B Integrator repository.

You can also perform the following tasks in Sterling B2B Integrator:

  • Create a self-signed certificate with the key length 2048 for EBICS
  • Manage CA certificates
  • Store certificates, and manage the renewal and expiration of certificates
  • Accept a public certificate of a user
  • Validate the following subscriber keys using SHA256 as the hash algorithm:
    • Identification and Authentication Key Hash Value (in Hex format)
    • Encryption Key Hash Value (in Hex format)
    • Electronic Signature Key Hash Value (in Hex format)

Use the EBICS Export Certificate service to export the certificates present in Sterling B2B Integrator to an external system. Use this service when you want to synchronize the certificates present in Sterling B2B Integrator with an external database or system.

Use the EBICS Import Certificate service to add certificates from an external repository to Sterling B2B Integrator. You can also delete the expired or invalid certificates.

Functions of the Key Manager

The Key Management and Storage performs the following functions:

  • Duplicate Key Validation – The certificate used for authentication or encryption cannot be the same as the ES certificate. Use a key pair for authentication or encryption that is distinct from the key pair used for signing.
  • X.509 Key Usage Extension – EBICS Banking Server supports the X.509 Key Usage extension and checks it on the certificates.
  • OCSP and CRL certificate verification

The Key Manager manages the certificates in the Sterling B2B Integrator repository. It inserts, updates, and retrieves certificates in the repository and runs functions on them, such as calculating the hash value of a certificate.

The Key Manager validates the client certificates checked into the server before they can be used. You must obtain the CA-signed certificates from a Certificate Authority. In a CA-signed certificate, the issuer signs the certificate. To verify the authenticity of the user certificate, the EBICS Banking Server performs chained signature verification up to the root CA certificate.

The EBICS administrator must check in the CA-signed certificates and Intermediate CA-signed certificates in the Sterling B2B Integrator CA certificate store before commencing the EBICS transactions.

The client must provide three types of certificates:

  • Authentication certificate
  • Encryption certificate
  • Electronic Signature (ES) certificate

The public key of the authentication certificate is used to verify digital signatures. Authentication certificates can be either CA-signed or self-signed. The value of the key usage field for an authentication certificate is Digital Signature. A digital signature is used for entity authentication and data origin authentication with integrity.

The public key of the encryption certificate is used to encrypt order data. Encryption certificates can be either CA-signed or self-signed. The value of the key usage field for an encryption certificate is Key Encipherment. In EBICS, a symmetric key is used to encrypt and decrypt the streamed order data. For transport, that symmetric key is encrypted with the public key of the encryption certificate. Key Encipherment is the usage that applies when a protocol uses the certificate's public key to encrypt keys.

The public key of the Electronic Signature (ES) certificate is used to verify the signature of order data. The public key value of an Electronic Signature certificate should not be the same as that of an authentication or encryption certificate. The value of the key usage field for an electronic signature certificate is Non-Repudiation. Non-repudiation protects against the signing entity falsely denying an action, excluding certificate or CRL signing.

Electronic Signatures are of two types:

  • Transport Signature – can be CA-signed or self-signed
  • Personal Signature – must be CA-signed
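The following is an added example, not Sterling B2B Integrator or EBICS Banking Server code, showing the three Key Manager checks described above in working form: the Key Usage bit each of the subscriber's three certificates must carry (Digital Signature, Key Encipherment, Non-Repudiation), the Duplicate Key Validation that rejects an authentication or encryption certificate sharing the ES key pair, and a SHA-256 hash-value comparison in hex. It uses the `cryptography` library and constructs self-signed 2048-bit test certificates inline. The page does not state which bytes the product hashes for the "Hash Value (in Hex format)"; hashing the DER-encoded certificate is an assumption made here. All function names are this example's own.

```python
"""Key Manager style checks for an EBICS subscriber's three certificates.

Added example (not Sterling B2B Integrator code): uses the `cryptography`
library and self-signed test certificates constructed inline. Hashing the
DER-encoded certificate for the hex hash value is an assumption; the page
only states SHA-256 and hex output.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Key Usage bit each certificate role must carry. The `cryptography` library
# names the X.509 nonRepudiation bit `content_commitment`.
REQUIRED_USAGE = {
    "authentication": "digital_signature",
    "encryption": "key_encipherment",
    "electronic_signature": "content_commitment",
}


def generate_key():
    """2048-bit RSA key, the key length the page names for EBICS self-signed certificates."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_self_signed(common_name, key, **usage_bits):
    """Constructed self-signed test certificate; usage_bits are KeyUsage fields set to True."""
    bits = dict.fromkeys(
        ["digital_signature", "content_commitment", "key_encipherment",
         "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
         "encipher_only", "decipher_only"], False)
    bits.update(usage_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.KeyUsage(**bits), critical=True)
        .sign(key, hashes.SHA256())
    )


def key_usage_ok(cert, role):
    """True if the certificate carries the Key Usage bit required for `role`."""
    try:
        usage = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return False  # no Key Usage extension at all: reject
    return bool(getattr(usage, REQUIRED_USAGE[role]))


def public_key_fingerprint(cert):
    """SHA-256 over the SubjectPublicKeyInfo, so a reused key pair is caught
    even when it is wrapped in two differently named certificates."""
    spki = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(spki).hexdigest()


def certificate_hash_hex(cert):
    """Hex SHA-256 of the DER-encoded certificate (assumed hash input)."""
    return hashlib.sha256(cert.public_bytes(serialization.Encoding.DER)).hexdigest()


def hash_value_matches(cert, expected_hex):
    """Compare against a hex hash value as it may have been transcribed:
    whitespace and letter case are normalised, comparison is constant-time."""
    expected = "".join(expected_hex.split()).lower()
    return hmac.compare_digest(certificate_hash_hex(cert), expected)


def validate_subscriber(auth_cert, enc_cert, es_cert):
    """Return a list of problems; an empty list means the certificate set is acceptable."""
    problems = []
    for role, cert in (("authentication", auth_cert),
                       ("encryption", enc_cert),
                       ("electronic_signature", es_cert)):
        if not key_usage_ok(cert, role):
            problems.append(f"{role}: Key Usage lacks {REQUIRED_USAGE[role]}")
    # Duplicate Key Validation: neither the authentication nor the encryption
    # key pair may be the ES key pair.
    es_fp = public_key_fingerprint(es_cert)
    for role, cert in (("authentication", auth_cert), ("encryption", enc_cert)):
        if public_key_fingerprint(cert) == es_fp:
            problems.append(f"duplicate key: {role} certificate reuses the ES key pair")
    return problems


if __name__ == "__main__":
    keys = [generate_key() for _ in range(3)]
    auth = make_self_signed("subscriber-auth", keys[0], digital_signature=True)
    enc = make_self_signed("subscriber-enc", keys[1], key_encipherment=True)
    es = make_self_signed("subscriber-es", keys[2], content_commitment=True)
    print("problems with a correct set:", validate_subscriber(auth, enc, es))
    print("ES certificate hash (hex):", certificate_hash_hex(es))
```

Fingerprinting the SubjectPublicKeyInfo rather than the whole certificate is what makes the duplicate-key check meaningful: a subscriber who re-wraps the same RSA key pair in a second self-signed certificate with a different subject would pass a certificate-level comparison but is still using one key pair for both signing and authentication or encryption.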
