IBM Support

How to mass change or automate the change of a CDSA node secure+ configuration parameter.

Technical Blog Post


Abstract

How to mass change or automate the change of a CDSA node secure+ configuration parameter.

Body

There might be a need to change the secure+ settings of a Connect Direct server adapter (CDSA) node without going through the UI; for example, if you want to change one of the secure+ certificates at a given time.



This blog provides some hints and tips on how to automate those changes using APIs and the XAPI service.



Database table information:



There are two tables that you might need to query to retrieve the information needed for the change:



- CD_NODE => Contains an entry for each CDSA node configuration and allows you to retrieve the NodeId using the node name.



Select NODE_ID from CD_NODE where NODE_NAME='MyTestNode'



- CD_NODE_SECURE_PARMS => Contains an entry for every parameter set in the CDSA node secure+ configuration.

The SQL below gives you a full list of the parameters set for a particular node. Every entry for the same node contains the same NodeId but has a unique ObjectId. The NAME column indicates the parameter name and the VALUE column contains the actual value of the parameter, which is the value you want to change.



select * from CD_NODE_SECURE_PARMS where NODE_ID IN (select NODE_ID from CD_NODE where NODE_NAME='MyTestNode')



The possible parameter names listed under the NAME column that you may change are:



a) CACerts.x => You will have a CACerts.x entry for each certificate you assigned as a CA certificate, where x is an increasing number depending on the number of CA certificates assigned. For example, with three CA certificates assigned, you would have three entries in the table with NAME values CACerts.1, CACerts.2 and CACerts.3.



b) CACerts.length => Indicates the total number of CA certificates assigned to the node.



c) SystemCert => Indicates the name of the system certificate assigned.



d) CommonName => The common name assigned.



e) CipherSuites.x => The cipher suites assigned. As with CACerts, there is an entry for each cipher suite assigned, where x is an increasing number depending on the number of cipher suites assigned.



f) CipherSuites.length => Indicates the total number of cipher Suites assigned to the node.



g) SSLOptions => Indicates the version of SSL/TLS chosen.



h) ClientAuth => Indicates if client authentication is enabled or not, valid values are Yes or No.








Procedure to follow:



Note: In this example we are assuming you want to change a CA certificate of a certain CDSA node secure+ configuration. We will assume that the certificate you want to change is called CompA-SSL.





1. Import the new CA certificate into the IBM Sterling B2B Integrator (ISBI) CA store and note the name assigned to it.

For this example, we will call it NewCert.



2. Create a BP that uses the XAPI service to call the modifyCDNodeSecureParms API.

This API can be used to change the secure+ settings of a CDSA node.



<process name="test_XAPI">
  <sequence name="Sequence Start">
    <operation name="XAPI Service">
      <participant name="XAPIService"/>
      <output message="XAPIServiceTypeInputMessage">
        <assign to="." from="*"></assign>
        <assign to="api">modifyCDNodeSecureParms</assign>
        <assign to="UserId">admin</assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
  </sequence>
</process>





3. Now you need to create an input file for the above BP and for that you need the following information:



- ObjectId => The ObjectId of the secure+ configuration you want to change. You could use a SQL query like the following to obtain it:

select OBJECT_ID from CD_NODE_SECURE_PARMS where NODE_ID IN (select NODE_ID from CD_NODE where NODE_NAME='MyTestNode') AND NAME LIKE '%CACerts%' AND VALUE='CompA-SSL'



- Value => The name of the new certificate that you want to replace the old one with.



The input file should follow the format below:



<CDNodeSecureParms Name="" NodeId="" ObjectId="Required" ParmVersion="" Value=""/>





4. For this example my input file should look like:



<CDNodeSecureParms Name="" NodeId="" ObjectId="rhel65_templ:3865c6cd:152aff4c83b:6ce1" ParmVersion="" Value="NewCert"/>



To be extra careful, you can also fill in the remaining attributes that are not required:



<CDNodeSecureParms Name="CACerts.1" NodeId="rhel65_templ:3865c6cd:152aff4c83b:65c4" ObjectId="rhel65_templ:3865c6cd:152aff4c83b:6ce1" ParmVersion="1" Value="NewCert"/>



Adjusting the SQL query above a little bit will give you all the info needed:



select OBJECT_ID, NODE_ID, NAME, VALUE, PARM_VERSION from CD_NODE_SECURE_PARMS where NODE_ID IN (select NODE_ID from CD_NODE where NODE_NAME='MyTestNode') AND NAME LIKE '%CACerts%' AND VALUE='CompA-SSL'








Once you run the BP with the above input file, the value of the CACerts.1 entry will be changed to the name of the new certificate.








Note that the BP provided is a sample BP, and you need to upload the input file manually when running it.

You can fully automate the change by passing only the new and old certificate names and the node name into your BP, then using the LJDBC adapter to run the necessary SQL queries to retrieve the information needed from the database, and creating your input file with the XSLT service accordingly.
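The lookup and input-file generation described above, as an added Python example that is not part of the original post and is not IBM code: it goes beyond the single-row case by producing one input document per matching CACerts.x entry, binds the node and certificate names as query parameters, and lets the XML library escape attribute values. The in-memory sqlite3 database, its rows, and the function names build_inputs and sample_db are constructed stand-ins; in ISBI the same steps would run through the LJDBC adapter and the XSLT service.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Same lookup as the page's query, with bound parameters and a stricter NAME filter.
QUERY = """
SELECT p.OBJECT_ID, p.NODE_ID, p.NAME, p.VALUE, p.PARM_VERSION
FROM CD_NODE_SECURE_PARMS p JOIN CD_NODE n ON n.NODE_ID = p.NODE_ID
WHERE n.NODE_NAME = ? AND p.VALUE = ?
  AND p.NAME LIKE 'CACerts.%' AND p.NAME <> 'CACerts.length'
ORDER BY p.NAME
"""

def build_inputs(conn, node_name, old_cert, new_cert):
    """Hypothetical helper: one modifyCDNodeSecureParms input document per matching row."""
    if not new_cert or new_cert == old_cert:
        raise ValueError("new certificate name must be set and differ from the old one")
    # Bound parameters keep node and certificate names out of the SQL text.
    rows = conn.execute(QUERY, (node_name, old_cert)).fetchall()
    if not rows:
        raise LookupError(f"{old_cert!r} is not a CA certificate of node {node_name!r}")
    docs = []
    for object_id, node_id, name, _old, version in rows:
        # ElementTree escapes attribute values, so the XML stays well-formed.
        elem = ET.Element("CDNodeSecureParms", {
            "Name": name, "NodeId": node_id, "ObjectId": object_id,
            "ParmVersion": str(version), "Value": new_cert})
        docs.append(ET.tostring(elem, encoding="unicode"))
    return docs

def sample_db():
    """Constructed in-memory stand-in for the two tables; all rows are sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE CD_NODE (NODE_ID TEXT, NODE_NAME TEXT);
        CREATE TABLE CD_NODE_SECURE_PARMS
            (OBJECT_ID TEXT, NODE_ID TEXT, NAME TEXT, VALUE TEXT, PARM_VERSION INTEGER);
        INSERT INTO CD_NODE VALUES ('node-1', 'MyTestNode'), ('node-2', 'OtherNode');
        INSERT INTO CD_NODE_SECURE_PARMS VALUES
            ('obj-1', 'node-1', 'CACerts.1', 'CompA-SSL', 1),
            ('obj-2', 'node-1', 'CACerts.2', 'CompB-SSL', 1),
            ('obj-3', 'node-1', 'CACerts.length', '2', 1),
            ('obj-4', 'node-1', 'SystemCert', 'CompA-SSL', 1),
            ('obj-5', 'node-2', 'CACerts.1', 'CompA-SSL', 1);
    """)
    return conn

if __name__ == "__main__":
    for doc in build_inputs(sample_db(), "MyTestNode", "CompA-SSL", "NewCert"):
        print(doc)
```

Only the CACerts.1 row of MyTestNode is selected: the SystemCert entry with the same certificate name and the other node's CACerts.1 entry are left alone.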





More information about the XAPI service can be found in the IBM Sterling B2B Integrator documentation:



http://www-01.ibm.com/support/knowledgecenter/SS3JSW_5.2.0/com.ibm.help.svcs_adpts_m_z.doc/XAPI_svc.html





For the other APIs available and their documentation, you can consult the xapidocs directory of your ISBI installation:



<ISBI_installDir>/xapidocs


UID

ibm11121595