
Setup certificate encryption

1. Generate Certificates

First, a certificate pair must be generated in the Encryption tab of the remark group settings in IBI-aws Admin.

2. Export client certificates

The newly generated certificate pair must now be exported via the "Export client certificates" option.

3. Distribute certificates

The IBI-aws clients need the certificate pair to decrypt the message file that is later encrypted with it. The certificate pair must therefore be made available to all clients.

Replace certificate

If a certificate pair is to be replaced, both the new and the old certificate pair must be distributed until the new certificate pair is activated (in a later step).

The following options are available for this purpose:

  • Certificate store (recommended)
    The exported client certificates can be imported into the certificate store of any computer.
  • File
    Alternatively, the certificate pair can be provided directly via the exported client certificate file.

Further details on the configuration of the two variants can be found at CertificateSource.

4. Wait until the certificate is available everywhere

The certificate pair cannot be used until it is available everywhere. 

Please check with the appropriate people for the current distribution status. 

5. Extend IBI-aws client call

If the client certificates were distributed as a file, or otherwise not via the computer's certificate store [LocalMachine]\My, the IBI-aws Client call must be extended with the CertificateSource start parameter.

6. Wait until the adjusted IBI-aws call has been executed everywhere

This step is only necessary if the IBI-aws Client call was adjusted in the previous step.

Make sure that all IBI-aws Clients were/are started with the extended start parameter, e.g. by adjusting the corresponding start script.

Continue only when this is ensured.

7. Activate certificates

If the client certificates are available everywhere and, if necessary, the IBI-aws Client call has been adjusted, the certificate pair can be marked as "active" in the IBI-aws Admin.

For more information, see Encryption.

8. Publish message group

Finally, the message group should be published so that the message file is written encrypted.

9. Enable only encrypted data in IBI-aws client (optional)

Perform this step only when you are sure that all IBI-aws Clients use encryption.

By specifying the start parameter AcceptEncryptedDataOnly, you can prevent the IBI-aws Client from continuing to process unencrypted message files and thus increase the protection against unauthorized manipulation.
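
One way to check the distribution status from step 4 before activating the certificate pair in step 7, for clients that use the computer's certificate store [LocalMachine]\My. This PowerShell script is an added example and not part of IBI-aws; it assumes PowerShell remoting to the clients is available, and the thumbprint and computer names are values you supply.

```powershell
# Added example (not part of IBI-aws): checks whether the distributed certificate is
# present in [LocalMachine]\My on every client before it is marked "active".
# Assumptions: PowerShell remoting is enabled; the thumbprint is read from the
# exported client certificate; the store entry carries the private key.
param(
    [Parameter(Mandatory)] [string]   $Thumbprint,    # placeholder: thumbprint of the new certificate
    [Parameter(Mandatory)] [string[]] $ComputerName   # placeholder: all computers running the IBI-aws Client
)

# Normalise the thumbprint (strip spaces and hidden characters copied from the GUI).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Runs on each client: look the certificate up by thumbprint in LocalMachine\My.
$check = {
    param($tp)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$tp" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
    }
}

$results = foreach ($computer in $ComputerName) {
    try {
        $r = Invoke-Command -ComputerName $computer -ScriptBlock $check `
                            -ArgumentList $Thumbprint -ErrorAction Stop
        $state = if (-not $r.Present) { 'Missing' }
                 elseif (-not $r.HasPrivateKey) { 'NoPrivateKey' }   # cannot decrypt without it
                 elseif ($r.NotAfter -lt (Get-Date)) { 'Expired' }
                 else { 'Ready' }
        [pscustomobject]@{ Computer = $computer; State = $state; NotAfter = $r.NotAfter }
    }
    catch {
        # A client that cannot be reached counts as not ready.
        [pscustomobject]@{ Computer = $computer; State = 'Unreachable'; NotAfter = $null }
    }
}

$results | Sort-Object State, Computer | Format-Table -AutoSize

$notReady = @($results | Where-Object State -ne 'Ready')
if ($notReady.Count -gt 0) {
    Write-Warning "$($notReady.Count) of $(@($results).Count) clients are not ready; do not activate the certificate pair yet."
    exit 1
}
Write-Output "Certificate is available on all $(@($results).Count) clients."
```

When a certificate pair is being replaced, run the check once for the old and once for the new thumbprint, since both must stay available until the new pair is activated.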
