Once the Transport Dictionary emerges from the Add Header stage, it contains all the data required for transmission. Usually, to ensure the secure transmission of this data, you will want also to encrypt and/or digitally sign the data. Alternatively, you may want to MIME-encode or S/MIME encode the data.
You can approach the encryption of the working
_data
in one of numerous ways, depending usually on the type of business data you are sending, the level of security you need.
The Digitally Sign stage contains the DigitalSig component, which uses a sender certificate to sign either the working data, a hash of the working data, or both the data and the hash, using the Public Key Crypto System 7 (PKCS7) standard.
The Encrypt stage contains the EncryptPKCS component, which uses a receiver certificate to encrypt the business data object into a PKCS7 message.
The Add Header stage usually contains the EncodeMIME stage, while both the Digitally Sign and the Encrypt stages can contain the EncodeSMIME component. The EncodeMIME component supports MIME-encoding (Base-64 or Quoted Printable). The EncodeSMIME component uses certificates to MIME-encode, digitally sign, and/or encrypt the business data object in accordance with the S/MIME specification.
The Receive pipeline contains the Decrypt and Verify Digital Signature and stages. These stages contain components that perform the reverse of their counterparts in the transmit pipeline.
The Verify Digital Signature stage, for example, contains the VerifyDigitalSig component, which uses the sender's certificate to verify the digital signature on the business data object. The Encrypt stage contains the DecryptPKCS component, which uses the receiver certificate to decrypt the business data object.
When designing a transmit or receive pipeline, you can use virtually any combination of these components to secure the business data object. However, the following general considerations apply.
The design of your pipeline must be mirrored on the receiving side. For example, if you include the EncodeSMIME component in a transmit pipeline, the receive pipeline must contain a DecodeSMIME component. If your transmit pipeline contains a DigitalSig component, the receiving pipeline must contain a VerifyDigitalSig component.
Because most of the components in the Encrypt/Decrypt and Digitally Sign/Verify Digital Signature stages rely on certificates, you must also manage the exchange of these certificates with your trading partners, and must use the Certificate Management Tool to install the appropriate certificates on your system. If you include a DigitalSig component in your transmit pipeline, you must provide your trading partner with this certificate for use by the VerifyDigitalSig component in the receive pipeline. To use the EncryptPKCS component in your transmit pipeline, you must obtain a certificate from your trading partner (see Certificates).
Finally, because the encryption and digital signature components can be configured to use specific algorithms to perform their work, you must coordinate with your trading partners to ensure that the algorithm with which you choose to encrypt or digitally sign the business data object is available also on the receiving system.