Configure Connect:Direct Secure Plus Remote Node Record

Before you can configure the .Remote node record, you must either import your existing certificates or create and configure a CMS Key Store. For additional information, see Import Existing Certificates or Create CMS Key Store in the documentation library.

Configure the .Remote node record with the protocol used by most of your trading partners. Because individual remote node records inherit the attributes defined in the .Remote node record, defining the .Remote node record with the most commonly used protocol saves time: after you define the protocol there, all remote nodes default to that protocol. Also identify the trusted root file to be used to authenticate trading partners.

To configure the .Remote node record, refer to the Local Node Security Feature Definition Worksheet that you completed for the Remote node record security settings and complete the following procedure:

  1. From the Secure+ Admin Tool Main Window, double-click the .Remote record. The Edit Record dialog box displays the Security Options tab, the node name, and the type of node.
  2. Set the Security Options for the local or remote node entry you are configuring and if necessary, modify the time-out value in Authentication Timeout.
    Refer to the following table for an explanation of the Security Options boxes:
    Note: The SSL3.0, TLS 1.0 and TLS 1.1 protocols are deprecated and should not be used. It is recommended that trading partners using deprecated protocols migrate to TLS 1.2. If deprecated protocols are required, TLS 1.2 should not be enabled in the trading partner's configuration, otherwise the handshake may fail. Deprecated protocols should be exclusively configured per node. The Secure+ feature continues to support SSL 3.0, TLS 1.0 and TLS 1.1.
    Field Name: Node Name
    Definition: Specifies the node record name.
    Important: Characters used in Netmap Node Names (or Secure+ Node Names or Secure+ Alias Names) should be restricted to A-Z, a-z, 0-9 and @ # $ . _ - to ensure that the entries can be properly managed by Control Center, the IBM® Sterling Connect:Direct® Browser User Interface, or IBM Sterling Connect:Direct Application Interface for Java™ (AIJ) programs.
    Valid Values: .Remote. This is not an editable field.

    Field Name: Base Record
    Definition: Specifies the name of the base record. If an alias record is selected, the base record name is displayed in this box.
    Valid Values: Name of the local Connect:Direct node.

    Field Name: Type
    Definition: Specifies the current record type.
    Valid Values: Local for a local record and Remote for a remote record. This is not an editable field.

    Field Name: Disable Secure+
    Definition: Disables Connect:Direct Secure Plus.
    Valid Values: Default value is Disable Secure+.
    Note: If this option is selected, override is enabled, and no remote node definition exists for the remote node in the Connect:Direct Secure Plus parameters file, Connect:Direct Secure Plus is bypassed for that node.

    Field Name: Enable SSL 3.0 Protocol
    Definition: Enables the SSL protocol to ensure that data is securely transmitted. SSL 3.0 is deprecated and should not be used. It is recommended that trading partners using deprecated protocols migrate to TLS 1.2.
    Valid Values: The default value is Disable Secure+.

    Field Name: Enable TLS 1.0 Protocol
    Definition: Enables the TLS protocol to ensure that data is securely transmitted. TLS 1.0 is deprecated and should not be used. It is recommended that trading partners using deprecated protocols migrate to TLS 1.2.
    Valid Values: The default value is Disable Secure+.

    Field Name: Enable TLS 1.1 Protocol
    Definition: Enables the TLS protocol to ensure that data is securely transmitted. TLS 1.1 is deprecated and should not be used. It is recommended that trading partners using deprecated protocols migrate to TLS 1.2.
    Valid Values: The default value is Disable Secure+.

    Field Name: Enable TLS 1.2 Protocol
    Definition: Enables the TLS protocol to ensure that data is securely transmitted.
    Valid Values: The default value is Disable Secure+.

    Field Name: Disable
    Definition: Disables the ability to override values in the .Remote node record with values in the remote node record.
    Valid Values: The default value is Disable.

    Field Name: FIPS 140-2
    Definition: Enables FIPS 140-2 security.
    Valid Values: The default value is Disable.

    Field Name: SP800-131A Transition
    Definition: Enables NIST SP800-131A security in transition mode.
    Valid Values: The default value is Disable.

    Field Name: SP800-131A
    Definition: Enables NIST SP800-131A security mode.
    Valid Values: The default value is Disable.

    Field Name: Suite B 128 bit
    Definition: Enables Suite B 128-bit security.
    Valid Values: The default value is Disable.

    Field Name: Suite B 192 bit
    Definition: Enables Suite B 192-bit security.
    Valid Values: The default value is Disable.

    Field Name: Node or Copy Statement Override
    Definition: For the PNODE, this parameter indicates whether process overrides, which may optionally be specified in Process, Submit, and Copy statements, are allowed. For the SNODE, this parameter indicates whether the Secure+ protocol specified by the PNODE is allowed to override the protocol specified by the SNODE.
    Valid Values: The default value is No.

    Field Name: Authentication Timeout
    Definition: Specifies the maximum time, in seconds, that the system waits to receive the Connect:Direct Secure Plus blocks exchanged during the Connect:Direct authentication process. If you specify a value of 0, Connect:Direct waits indefinitely to receive the next message. Specify a time limit so that a malicious peer cannot take as much time as it likes to attack the authentication process.
    Valid Values: A numeric value from 0 to 3600. The default is 120 seconds.


  3. Click the TLS Options tab. The TLS Options dialog box is displayed.
  4. Select an existing Key Certificate from the key store. To select a Key Certificate from the key store, click Browse next to Key Certificate Label. The CMS KeyStore Certificate Viewer appears.
    Note: You must add or import the key certificate into your key store prior to configuring your node. For additional information, see Import Existing Certificates or Create CMS Key Store in the documentation library. For additional information on how to use iKeyman, see http://www-01.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/ikeyman_overview.html?lang=en.
  5. In the Key Certificates area, select the key certificate you want to use and click OK.
  6. Click the External Authentication tab. The External Authentication dialog box is displayed.
  7. Choose one of the following options:
    • To enable external authentication on the remote node, click Yes in the Enable External Authentication box.
    • To disable external authentication on the remote node, click No.
  8. Type the Certificate Validation Definition character string defined on the External Authentication Server.
  9. Click OK to close the Edit Record dialog box and update the parameters file.
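The rules the Security Options table states (permitted node-name characters, the deprecated-protocol note, the 0 to 3600 second Authentication Timeout range and the Disable Secure+ bypass condition) are easy to get wrong when many node records are maintained by hand. The following Python audit is an added example, not code from the page or from IBM; it assumes a simplified NodeRecord shape rather than the real Secure+ parameters-file format, and the record values it checks are constructed for illustration. It flags the combinations the page warns about: a deprecated protocol enabled together with TLS 1.2 (handshake may fail), a timeout of 0 (waits indefinitely), an out-of-range timeout, and a .Remote record whose settings cause Secure+ to be bypassed for an undefined remote node.

```python
"""Audit Secure+ node-record security options against the rules in the table above.

Constructed example: NodeRecord is an assumed, simplified representation, not
the product's parameters-file format.
"""
import re
from dataclasses import dataclass

# Characters permitted in Netmap / Secure+ node and alias names (from the page).
NODE_NAME_RE = re.compile(r"^[A-Za-z0-9@#$._-]+$")
# Protocols the page marks as deprecated.
DEPRECATED = ("SSL 3.0", "TLS 1.0", "TLS 1.1")
# Authentication Timeout bounds and default, in seconds (from the page).
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 0, 3600, 120


@dataclass
class NodeRecord:
    """One Secure+ node record (assumed shape)."""
    node_name: str
    enabled_protocols: frozenset = frozenset()  # e.g. frozenset({"TLS 1.2"})
    disable_secure_plus: bool = True            # table default: Disable Secure+
    override: bool = False                      # Node or Copy Statement Override
    authentication_timeout: int = TIMEOUT_DEFAULT


def audit_record(rec: NodeRecord) -> list:
    """Return (severity, message) findings for one record.

    'error' marks settings the page says can break sessions or are invalid;
    'warn' marks settings that work but are weaker than recommended.
    """
    findings = []

    if not NODE_NAME_RE.fullmatch(rec.node_name):
        findings.append(("error",
                         f"node name {rec.node_name!r} uses characters outside "
                         "A-Z a-z 0-9 @ # $ . _ -"))

    # Protocol checks only matter when Secure+ is actually in use for the record.
    if not rec.disable_secure_plus:
        deprecated = sorted(p for p in rec.enabled_protocols if p in DEPRECATED)
        if deprecated:
            findings.append(("warn",
                             f"deprecated protocol(s) enabled: {', '.join(deprecated)}; "
                             "migrate the trading partner to TLS 1.2"))
            if "TLS 1.2" in rec.enabled_protocols:
                findings.append(("error",
                                 "TLS 1.2 is enabled alongside a deprecated protocol; "
                                 "the page notes the handshake may fail"))

    t = rec.authentication_timeout
    if not TIMEOUT_MIN <= t <= TIMEOUT_MAX:
        findings.append(("error",
                         f"Authentication Timeout {t} is outside "
                         f"{TIMEOUT_MIN}-{TIMEOUT_MAX} seconds"))
    elif t == 0:
        findings.append(("warn",
                         "Authentication Timeout 0 waits indefinitely; set a bound so a "
                         "peer cannot stall the authentication exchange"))

    return findings


def secure_plus_bypassed(remote_defaults: NodeRecord, remote_node_defined: bool) -> bool:
    """Apply the page's note on Disable Secure+: a session with a remote node falls
    through to plain Connect:Direct when the .Remote record disables Secure+, override
    is enabled, and no record exists for that remote node."""
    return (remote_defaults.disable_secure_plus
            and remote_defaults.override
            and not remote_node_defined)


if __name__ == "__main__":
    # Constructed sample records for illustration.
    sample = [
        NodeRecord("PARTNER.A", frozenset({"TLS 1.2"}), disable_secure_plus=False),
        NodeRecord("bad name!", frozenset({"TLS 1.0", "TLS 1.2"}),
                   disable_secure_plus=False, authentication_timeout=0),
    ]
    for rec in sample:
        for severity, msg in audit_record(rec) or [("ok", "no findings")]:
            print(f"{rec.node_name}: [{severity}] {msg}")
    defaults = NodeRecord(".Remote", disable_secure_plus=True, override=True)
    print(".Remote bypass for undefined node:", secure_plus_bypassed(defaults, False))
```

Run it against your own exported record values after each change to the .Remote record; the TLS 1.2 plus deprecated-protocol conflict is the one most often introduced when a single partner still needs an older protocol, which the page says should instead be configured exclusively on that partner's own node record.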