KB Article #182907

Understanding Certificates in Flow Manager

Problem

Flow Manager uses several certificates for its TLS exchanges. This KB details FM certificate management(*): which certificates FM uses and how each one is used.

(*) This KB is based on the FM documentation on certificate management, link here: https://docs.axway.com/bundle/FlowManager_20_allOS...

  • Where do we start?

From the Flow Manager installation: the setup provided by Axway creates the certificates of the various components.


    • 4 are created during the setup: [Governance CA], [Business CA], [ST-PLUGIN & root], [MONITORING-PLUGIN & root]
    • 4 are created at run time: [FM HTTPS], [CFT Governance], [HTTPS Client], [CFT Business]

  • FM certificate who's who (concepts used in this KB):
    • certificate = public-certificate + key-certificate
    • certificate chain = root-certificate + intermediate(s) certificate(s)
    • full certificate = root-certificate + intermediate(s) certificate(s) + public-certificate + key-certificate
    The certificates are built as follows:

[Governance CA] = Full certificate. The root of the Governance CA is used by the other TLS participants to validate the identity of FM. Used only with CFT, ST, the ST Plugin and the Monitoring Plugin. To be changed by the customer(**).

[Business CA] = Full certificate. The root of the Business CA is used to validate the identity of CFTs during protocol exchanges. This certificate is for CFT only and is used only in the context of secure CFT exchanges (PeSITs, SFTP, FTPS); plain-text PeSIT does not use it. To be changed by the customer(**).

[CFT Business] = Full certificate defined as “root-Business CA + intermediate(s) certificate(s) + public-certificate CFT Business + key-certificate CFT Business”. It is generated when registering a CFT in FM (***).
It is used to encrypt secure protocol communications. Keep in mind that [CFT Business] = root of the Business CA + intermediate(s) certificate(s) + public-certificate CFT Business + key-certificate CFT Business. This is why changing [Business CA] has an impact on all CFTs.

[CFT Governance] = Full certificate defined as “root-Governance CA + intermediate(s) certificate(s) + public-certificate CFT Governance + key-certificate CFT Governance”. It is generated when registering a CFT in FM (***).
It is used to validate the identity of the CFT. Keep in mind that [CFT Governance] = root-Governance CA + intermediate(s) certificate(s) + public-certificate CFT Governance + key-certificate CFT Governance. This is why changing [Governance CA] has an impact on all CFTs.

[FM HTTPS] = Full certificate defined as “root-Governance CA + intermediate(s) certificate(s) + public-certificate FM HTTPS + key-certificate FM HTTPS”. Used when a browser connects to the FM UI: it lets the browser validate the identity of FM. This certificate is generated automatically at the first FM startup, and again at the first startup after it has expired.
May be changed by the customer: access to the UI via your browser can be authenticated with your own certificate (a custom full certificate); to do so you must activate the option FM_HTTPS_USE_CUSTOM_CERT=true.

[HTTPS Client] = Full certificate defined as “root-Governance CA + intermediate(s) certificate(s) + public-certificate HTTPS Client + key-certificate HTTPS Client”. Used by the plugins to authenticate FM: more precisely, the plugins validate FM using the root-Governance CA contained in [HTTPS Client]. Must not be changed by the customer; for renewal, see the KB.

[ST-PLUGIN] = Full certificate defined as “root-ST-PLUGIN + intermediate(s) certificate(s) + public-certificate ST-PLUGIN + key-certificate ST-PLUGIN”. Used when the ST plugin talks to FM: FM authenticates it using the root certificate [root-ST-PLUGIN] configured in the settings. Must not be changed by the customer; for renewal, see the KB.

[MONITORING-PLUGIN] = Full certificate defined as “root-MONITORING-PLUGIN + intermediate(s) certificate(s) + public-certificate MONITORING-PLUGIN + key-certificate MONITORING-PLUGIN”.
Used when the MONITORING-PLUGIN talks to FM: FM authenticates it using the root certificate [root-MONITORING-PLUGIN] configured in the settings. Must not be changed by the customer; for renewal, see the KB.

(**) = It is highly recommended that the customer change it, following the KB.

(***) = https://docs.axway.com/bundle/FlowManager_20_allOS...
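Before installing a custom full certificate (for instance with FM_HTTPS_USE_CUSTOM_CERT=true), it is worth checking that the bundle really has the layout defined above: root-certificate, intermediate(s), public-certificate, key-certificate. The POSIX shell script below is an added example, not part of this KB or of Flow Manager; it assumes the openssl CLI is available and that the bundle is a single PEM file in that order. The demo chain it builds is constructed for illustration only and is not one of FM's CAs.

```shell
#!/bin/sh
# Sanity check for a "full certificate" PEM bundle laid out as this KB defines it (root-certificate,
# intermediate(s), public-certificate, key-certificate): checks layout, chain to the root and key/leaf pairing.
check_full_cert() {
  bundle=$1; dir=$(mktemp -d) || return 1   # mktemp paths have no spaces, so $untrusted may stay unquoted
  # Split the bundle: each CERTIFICATE block into certNN.pem (in file order), the key block into key.pem
  awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/   { n++; f = sprintf("%s/cert%02d.pem", d, n) }
    /-----BEGIN .*PRIVATE KEY-----/ { f = d "/key.pem" }
    f                               { print > f }
    /-----END /                     { f = "" }
  ' "$bundle"
  [ -f "$dir/key.pem" ] || { echo "no key-certificate block found"; return 1; }
  n=0; for c in "$dir"/cert*.pem; do [ -f "$c" ] && n=$((n+1)); done
  [ "$n" -ge 2 ] || { echo "need at least a root-certificate and a public-certificate"; return 1; }
  root="$dir/cert01.pem"; leaf=$(printf '%s/cert%02d.pem' "$dir" "$n"); untrusted=""
  # The first block must be the self-signed root: its subject and issuer hashes agree
  [ "$(openssl x509 -in "$root" -noout -subject_hash)" = "$(openssl x509 -in "$root" -noout -issuer_hash)" ] \
    || { echo "first certificate is not a self-signed root"; return 1; }
  # Everything between root and leaf is handed to openssl as untrusted intermediates
  if [ "$n" -gt 2 ]; then
    i=2; : > "$dir/inter.pem"
    while [ "$i" -lt "$n" ]; do cat "$(printf '%s/cert%02d.pem' "$dir" "$i")" >> "$dir/inter.pem"; i=$((i+1)); done
    untrusted="-untrusted $dir/inter.pem"
  fi
  # Chain check: the public-certificate must chain up to the root through the intermediates
  openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1 \
    || { echo "public-certificate does not chain to the root"; return 1; }
  # Key check: the key-certificate must be the private half of the public-certificate
  [ "$(openssl x509 -in "$leaf" -noout -pubkey)" = "$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)" ] \
    || { echo "key-certificate does not match the public-certificate"; return 1; }
  rm -rf "$dir"; echo "bundle OK: root + $((n-2)) intermediate(s) + public-certificate + key-certificate"
}

# Constructed demo chain (not Flow Manager's real CAs): root -> intermediate -> leaf, plus the leaf key
make_sample_bundle() {
  out=$1; t=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$t/ca.ext"
  for name in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo-$name" -keyout "$t/$name.key" -out "$t/$name.csr" 2>/dev/null
  done
  openssl x509 -req -days 1 -in "$t/root.csr" -signkey "$t/root.key" -extfile "$t/ca.ext" -out "$t/root.pem" 2>/dev/null
  openssl x509 -req -days 1 -in "$t/inter.csr" -CA "$t/root.pem" -CAkey "$t/root.key" -CAcreateserial -extfile "$t/ca.ext" -out "$t/inter.pem" 2>/dev/null
  openssl x509 -req -days 1 -in "$t/leaf.csr" -CA "$t/inter.pem" -CAkey "$t/inter.key" -CAcreateserial -out "$t/leaf.pem" 2>/dev/null
  cat "$t/root.pem" "$t/inter.pem" "$t/leaf.pem" "$t/leaf.key" > "$out"
}

if [ "${1-}" = "--demo" ]; then make_sample_bundle demo-full.pem && check_full_cert demo-full.pem; fi
```

Run it as `sh check_full_cert.sh --demo` to see the check pass on the constructed chain, or source it and call check_full_cert on your own bundle.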