IBM Support

How to automate the addition of a CDSA node secure+ configuration parameter.

Technical Blog Post


Abstract

How to automate the addition of a CDSA node secure+ configuration parameter.

Body

You may need to add a secure+ parameter to a Connect:Direct Server Adapter (CDSA) node configuration
without going through the UI, for example to add a secure+ certificate at a given time.

This blog provides some hints and tips on how to perform those changes in an automated way using APIs and the XAPI service.

Database tables Information:

There are 2 tables that you might need to query to retrieve information needed for the change:

- CD_NODE => Contains an entry for each CDSA node configuration and allows you to retrieve the NodeId using the node name.

Select NODE_ID from CD_NODE where NODE_NAME='MyTestNode'

- CD_NODE_SECURE_PARMS => Contains an entry for every parameter set in the CDSA node secure+ configuration.
The SQL below will give you a full list of the parameters set for a particular node.
Every entry for the same node will contain the same NodeId but will have a unique ObjectId. The NAME column
indicates the parameter name and the VALUE column contains the actual value of the parameter.

select * from CD_NODE_SECURE_PARMS where NODE_ID IN (select NODE_ID from CD_NODE where NODE_NAME='MyTestNode')

The parameter names listed under the NAME column that you may change are:

a) CACerts.x => There is one CACerts.x entry for each certificate assigned as a CA certificate, where
x is an increasing number that depends on the number of CA certificates assigned. For example, if
you have 3 CA certificates assigned, the table has three entries with the names CACerts.1,
CACerts.2 and CACerts.3.

b) CACerts.length => This indicates the total number of CA certificates assigned to the node.

c) SystemCert => Indicates the name of the system certificate assigned.

d) CommonName => The common name assigned.

e) CipherSuites.x => The cipher suites assigned. As for CACerts, there is one entry for each cipher suite assigned,
where x is an increasing number that depends on the number of cipher suites assigned.

f) CipherSuites.length => Indicates the total number of cipher Suites assigned to the node.

g) SSLOptions => Indicates the version of SSL/TLS chosen.

h) ClientAuth => Indicates if client authentication is enabled or not, valid values are Yes or No.




Procedure to follow:

Note: In this example we are assuming you want to add a CA certificate to a certain CDSA node secure+ configuration.
Two things therefore need to be adjusted: first you need to add the CACerts entry with the name of the
new certificate, and then you need to increase CACerts.length by one.

1. Import the new CA certificate into the IBM Sterling B2B Integrator (ISBI) CA store and note the name assigned to it.
For this example, we will call it NewCert.

2. Verify the number of CA certificates already assigned to the node; in this example from the print screen above we can
see that we have already 2 CA certificates assigned (CACerts.1 and CACerts.2), so we want to add a third one, CACerts.3

3. Create a BP that uses the XAPI service to call the createCDNodeSecureParms API.
This API can be used to add secure+ settings to a CDSA node.

<process name="test_XAPI">
<sequence name="Sequence Start">
<operation name="XAPI Service">
<participant name="XAPIService"/>
<output message="XAPIServiceTypeInputMessage">
<assign to="." from="*"></assign>
<assign to="api">createCDNodeSecureParms</assign>
<assign to="UserId">admin</assign>
</output>
<input message="inmsg">
<assign to="." from="*"></assign>
</input>
</operation>
</sequence>
</process>

4. Now you need to create an input file for the above BP and for that you need the following information:

- Name => The name of the parameter to be added, in this case it would be CACerts.3 since we already have 2 Certificates.
- NodeId => The node Id of the CDSA node to which you are adding the parameter.
- ObjectId => A unique ObjectId needs to be assigned; it must be a unique value within the database table CD_NODE_SECURE_PARMS.
- Value => The value to be assigned to the parameter, in this case the name of the certificate to be added to the configuration.

The input file should follow the format below:

<CDNodeSecureParms Name="Required" NodeId="Required" ObjectId="Required" Value="Required"/>

5. For this example I used the following SQL query to retrieve the NodeId of the CDSA node I want to modify:

select NODE_ID VALUE from CD_NODE where NODE_NAME='MyTestNode'

And my input file should look like:

<CDNodeSecureParms Name="CACerts.3" NodeId="rhel65_templ:3865c6cd:152aff4c83b:65c4" ObjectId="rhel65_templ:3865c6cd:152acustom1:6ce1" Value="NewCert"/>

Note: Be sure to assign a unique ObjectId. In the example above I have replaced 6 characters on an existing ObjectId for this node with "custom1".


Once you run the BP with the above input file, a new entry will be seen in the database table with the assigned parameters.


6. Now that you have added a new CA certificate to the secure+ configuration of the node, you need to modify CACerts.length accordingly,
since this value should show the total number of CA certificates assigned.
In this example, we need to modify it from 2 to 3.

This can be done by using the modifyCDNodeSecureParms API to modify the entry named CACerts.length. See the link below to another blog
that explains how to use the modifyCDNodeSecureParms API.
Change a CDSA node secure+ parameter blog



Note that the BP provided is a sample BP, and you need to upload the input file manually when running it.
You can fully automate the change by passing into your BP only the new certificate name, the node to be modified, and the name of the value to be added.
Then use the LWJDBC adapter to run the SQL queries that retrieve the information needed from the database to create your input files. Create the first input
file with the XSLT service and use the XAPI service with the createCDNodeSecureParms API to add the parameter.
After the parameter is added, use another instance of the XSLT service to create a second input file for a second XAPI service, which this time uses the modifyCDNodeSecureParms API to increase the CACerts.length parameter by one for that node.
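The lookups and checks that such an automation has to perform before it changes a node's CA list, as an added example that is not part of the original post and is not IBM code. It assumes the ObjectId column is named OBJECT_ID, takes the candidate ObjectId from the caller, and uses an in-memory SQLite database with constructed rows as a stand-in for the ISBI database.

```python
import sqlite3
import xml.etree.ElementTree as ET

def plan_ca_cert_addition(conn, node_name, cert_name, object_id):
    """Return (createCDNodeSecureParms input XML, new CACerts.length value)."""
    cur = conn.cursor()
    # Bind the node name as a parameter instead of concatenating it into the SQL.
    row = cur.execute("SELECT NODE_ID FROM CD_NODE WHERE NODE_NAME = ?",
                      (node_name,)).fetchone()
    if row is None:
        raise LookupError(f"no CD_NODE entry named {node_name!r}")
    node_id = row[0]
    parms = dict(cur.execute("SELECT NAME, VALUE FROM CD_NODE_SECURE_PARMS "
                             "WHERE NODE_ID = ?", (node_id,)).fetchall())
    indexes = sorted(int(n.split(".")[1]) for n in parms
                     if n.startswith("CACerts.") and n != "CACerts.length")
    length = int(parms.get("CACerts.length", "0"))
    # Stop if the counter and the CACerts.x entries already disagree.
    if indexes != list(range(1, length + 1)):
        raise ValueError(f"CACerts.length={length} but entries are {indexes}")
    if cert_name in (parms[f"CACerts.{i}"] for i in indexes):
        raise ValueError(f"{cert_name!r} is already assigned to this node")
    # ObjectId must be unique across the whole table (OBJECT_ID is an assumed name).
    if cur.execute("SELECT 1 FROM CD_NODE_SECURE_PARMS WHERE OBJECT_ID = ?",
                   (object_id,)).fetchone():
        raise ValueError(f"ObjectId {object_id!r} is already in use")
    # ElementTree escapes attribute values, so odd certificate names stay data.
    elem = ET.Element("CDNodeSecureParms", Name=f"CACerts.{length + 1}",
                      NodeId=node_id, ObjectId=object_id, Value=cert_name)
    return ET.tostring(elem, encoding="unicode"), length + 1

def constructed_db():
    """In-memory stand-in for the two tables; every row is constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE CD_NODE (NODE_ID TEXT, NODE_NAME TEXT);
        CREATE TABLE CD_NODE_SECURE_PARMS
            (OBJECT_ID TEXT, NODE_ID TEXT, NAME TEXT, VALUE TEXT);
        INSERT INTO CD_NODE VALUES ('node-1', 'MyTestNode');
        INSERT INTO CD_NODE_SECURE_PARMS VALUES
            ('obj-1', 'node-1', 'CACerts.1', 'RootCA'),
            ('obj-2', 'node-1', 'CACerts.2', 'IssuingCA'),
            ('obj-3', 'node-1', 'CACerts.length', '2'),
            ('obj-4', 'node-1', 'ClientAuth', 'Yes');
    """)
    return conn

if __name__ == "__main__":
    print(plan_ca_cert_addition(constructed_db(), "MyTestNode", "NewCert", "obj-custom1"))
```

The returned XML is the input for the createCDNodeSecureParms BP, and the returned number is the value to set on CACerts.length afterwards.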


More information about the XAPI service can be found in the IBM Sterling B2B Integrator documentation:

http://www-01.ibm.com/support/knowledgecenter/SS3JSW_5.2.0/com.ibm.help.svcs_adpts_m_z.doc/XAPI_svc.html

For other APIs available and their documentation, you can consult the xapidocs directory of your SB2BI installation:

<ISBI_installDir>/xapidocs
 


UID

ibm11121523