Using Connect:Direct in NIST 800-131a compliance mode

The Connect:Direct Protocol is a session-oriented protocol supporting file transfer for remote (business) process execution and submission. Sessions may be secured using Secure+ server (and optional client) authentication and data encryption. Security may be enforced globally by requiring all sessions to use the same security definition. To do this, disable Netmap Node Override to configure one policy for all sessions. Security may also be enforced individually according to specific trading partner requirements. Enable Netmap Node Override to allow different policies for each trading partner.

The Admin User Interface makes available only NIST 800-131a compliant certificates and ciphers when Sterling B2B Integrator is operating in NIST 800-131a compliance mode.

Verifying NIST 800-131a Compliance

There are two ways to verify NIST 800-131a compliance:
  • Verify that all adapters are started successfully and are enabled.
  • Verify that the business process session status is error free.

Verify Adapters

The Services Configuration page displays an adapter’s Advanced State. If Sterling B2B Integrator is running in NIST 800-131a compliance mode and your Connect:Direct Server Adapter is configured in non-compliant mode, the Advanced State will display Start failed and the adapter will be disabled. For additional detail, select the link corresponding to the adapter to view its configuration.

All non-compliant service settings appear in red with a message, Not NIST 800-131a SP800-131a compliant.

The following table illustrates the Connect:Direct Server Adapter’s enablement policy with respect to the NIST 800-131a compliance mode used with Sterling B2B Integrator.
Table 1. Connect:Direct Server Adapter Enablement Policy

| Configuration | Sterling B2B Integrator Security Policy: None | Sterling B2B Integrator Security Policy: Strict |
|---|---|---|
| Global: Adapter defines the security policy for all sessions. | Adapter enabled and all sessions allowed. | Adapter is enabled only if the Adapter’s configuration meets strict-level site policy. |
| Local: Individual Nodes define a node-specific security policy for their respective sessions. Every Node in the Adapter’s netmap specifies a secure policy. | Adapter enabled and all sessions allowed. | Adapter is enabled only if every Node’s Secure+ configuration meets strict-level site policy. |
| Local: Individual Nodes define a node-specific security policy for their respective sessions. At least 1 Node in the Adapter’s netmap does not specify a secure policy. | Adapter enabled and all sessions allowed. | Adapter is enabled. Session only allowed if Node’s Secure+ configuration meets strict-level site policy. |

Verify Business Processes

The Connect:Direct Begin Session Service Status Report displays service status. If Sterling B2B Integrator is running in NIST 800-131a compliance mode and either your Connect:Direct Server Adapter or the remote node in the adapter’s netmap is configured in non-compliant mode, the Begin Session will fail and its Status Report will display “Secure+ configuration is incompatible with the site security policy.”
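
The enablement policy in Table 1 and the Begin Session failure described above can be modelled as an audit to run before switching the site policy to strict. The following Python is an added example, not IBM or Sterling B2B Integrator code; the Adapter record, the inventory names and the treatment of a node without a secure policy as failing the strict check are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Message quoted from the Begin Session Status Report described above.
SESSION_ERROR = "Secure+ configuration is incompatible with the site security policy"

@dataclass
class Adapter:  # hypothetical inventory record, not a product object
    name: str
    node_override: bool      # False = Global policy, True = Local (per-node) policy
    adapter_compliant: bool  # adapter's own settings meet the strict site policy
    # node -> True/False (its Secure+ config meets strict policy), or None when
    # the node specifies no secure policy (assumed here to fail the strict check)
    nodes: Dict[str, Optional[bool]] = field(default_factory=dict)

def evaluate(a: Adapter, strict: bool) -> Tuple[bool, Dict[str, bool]]:
    """Return (adapter_enabled, {node: session_allowed}) following Table 1."""
    if not strict:                                  # column "None"
        return True, {n: True for n in a.nodes}
    if not a.node_override:                         # row "Global"
        return a.adapter_compliant, {n: a.adapter_compliant for n in a.nodes}
    if all(s is not None for s in a.nodes.values()):  # every node has a policy
        ok = all(a.nodes.values())
        return ok, {n: ok for n in a.nodes}
    # Mixed netmap: the adapter starts and each session is checked on its own.
    return True, {n: bool(s) for n, s in a.nodes.items()}

def audit(adapters: List[Adapter], strict: bool = True) -> List[str]:
    """List the failures to expect before switching the site policy."""
    findings = []
    for a in adapters:
        enabled, sessions = evaluate(a, strict)
        if not enabled:
            findings.append(f"{a.name}: Start failed, adapter disabled")
            continue
        findings += [f"{a.name} -> {n}: {SESSION_ERROR}"
                     for n, ok in sessions.items() if not ok]
    return findings

# Constructed sample inventory (names are invented for illustration).
INVENTORY = [
    Adapter("CD_GLOBAL_OLD", node_override=False, adapter_compliant=False,
            nodes={"PARTNER_A": None}),
    Adapter("CD_LOCAL_ALL", node_override=True, adapter_compliant=True,
            nodes={"PARTNER_B": True, "PARTNER_C": False}),
    Adapter("CD_LOCAL_MIXED", node_override=True, adapter_compliant=True,
            nodes={"PARTNER_D": True, "PARTNER_E": None}),
]

if __name__ == "__main__":
    print("\n".join(audit(INVENTORY)))
```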