Configure the Connect:Direct Secure Plus .Local Node Record

Before you can configure the .Local node record, you must either import your existing certificates or create and configure a CMS Key Store. For additional information, see Import Existing Certificates or Create CMS Key Store in the documentation library.

It is recommended that you configure the .Local node record with the protocol used by most of your trading partners. Because remote node records can use the attributes defined in the .Local node record, defining .Local with the most commonly used protocol saves time: once the protocol is set in .Local, every remote node defaults to it unless its own record overrides it. Also identify the trusted root file that is used to authenticate trading partners.

To configure the local node, refer to the Local Node Security Feature Definition Worksheet that you completed for the .Local node record security settings and complete the following procedure:

  1. From the Secure+ Admin Tool Main Window, double-click the .Local record. The Edit Record dialog box displays the Security Options tab, the node name, and the type of node.
  2. Set the Security Options for the local or remote node entry you are configuring and if necessary, modify the time-out value in Authentication Timeout.
    Refer to the following table for an explanation of the Security Options boxes:
    Note: The SSL 3.0, TLS 1.0 and TLS 1.1 protocols are deprecated and should not be used. Trading partners that still use them should migrate to TLS 1.3 or TLS 1.2. Where a deprecated protocol is unavoidable, enable it only in the remote node record of the partner that needs it rather than in .Local, and do not enable TLS 1.3 in that partner's configuration, otherwise the handshake may fail. The Secure+ feature continues to support SSL 3.0, TLS 1.0 and TLS 1.1.

    Security Options (field name, field definition, valid values):

    Node Name
      Specifies the node record name. This field is not editable.
      Valid values: .Local

    Base Record
      Specifies the name of the base record. If an alias record is selected, the name of its base record is displayed in this box.
      Valid values: the name of the local Connect:Direct® node.

    Type
      Specifies the current record type. This field is not editable.
      Valid values: Local for a local record, Remote for a remote record.

    Disable Secure+
      Disables Connect:Direct Secure Plus for this node.
      Default: selected (Disable Secure+ is the default Security Option).
      Note: If this option is selected in .Local, override is enabled, and the remote node has no record of its own in the Connect:Direct Secure Plus parameters file, Connect:Direct Secure Plus is bypassed for that session and the transfer runs without Secure Plus protection.

    Enable SSL 3.0 Protocol
      Allows sessions with this node to negotiate SSL 3.0. SSL 3.0 is deprecated and should not be used; partners that depend on it should migrate to TLS 1.3 or TLS 1.2.
      Default: not selected (the default Security Option is Disable Secure+).

    Enable TLS 1.0 Protocol
      Allows sessions with this node to negotiate TLS 1.0. TLS 1.0 is deprecated and should not be used; partners that depend on it should migrate to TLS 1.3 or TLS 1.2.
      Default: not selected (the default Security Option is Disable Secure+).

    Enable TLS 1.1 Protocol
      Allows sessions with this node to negotiate TLS 1.1. TLS 1.1 is deprecated and should not be used; partners that depend on it should migrate to TLS 1.3 or TLS 1.2.
      Default: not selected (the default Security Option is Disable Secure+).

    Enable TLS 1.2 Protocol
      Allows sessions with this node to negotiate TLS 1.2.
      Default: not selected (the default Security Option is Disable Secure+).

    Enable TLS 1.3 Protocol
      Allows sessions with this node to negotiate TLS 1.3.
      Default: not selected (the default Security Option is Disable Secure+).

    Disable
      Disables the ability to override values in the .Local node record with values in the remote node record.
      Default: Disable.

    FIPS 140-2
      Enables FIPS 140-2 security.
      Default: Disable.

    SP800-131A Transition
      Enables NIST SP800-131A security in transition mode.
      Default: Disable.

    SP800-131A
      Enables NIST SP800-131A security mode.
      Default: Disable.

    Suite B 128 bit
      Enables Suite B 128-bit security.
      Default: Disable.

    Suite B 192 bit
      Enables Suite B 192-bit security.
      Default: Disable.

    Node or Copy Statement Override
      Controls several kinds of override. For both PNODE and SNODE it determines whether parameters in a Remote Node record override those in the .Local Node record. When it is set to No, or when it is set to Yes but no matching Remote Node record exists for the session, it also determines the following:
        • On the PNODE, whether the overrides that can optionally be specified in Process, Submit and Copy statements are allowed.
        • On the SNODE, whether the Secure+ protocol specified by the PNODE may override the one specified by the SNODE, and whether unsecured incoming sessions are allowed to proceed.
      Default: No.

    Authentication Timeout
      Specifies the maximum time, in seconds, that the system waits to receive the Connect:Direct Secure Plus blocks exchanged during the Secure Plus authentication process. A value of 0 makes Connect:Direct wait indefinitely for the next message. Set a nonzero value so that a malicious or misbehaving peer cannot hold the authentication exchange open for as long as it likes and tie up the session.
      Valid values: an integer from 0 to 3600.
      Default: 120 seconds.

  3. Click the TLS Options tab. The TLS Options dialog box is displayed.
  4. Select an existing Key Certificate from the key store: click Browse next to Key Certificate Label. The CMS KeyStore Certificate Viewer appears.
    Note: You must add or import the key certificate into your key store prior to configuring your node. For additional information, see Import Existing Certificates or Create CMS Key Store in the documentation library. For additional information on how to use iKeyman, see http://www-01.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/ikeyman_overview.html?lang=en.
  5. In the Key Certificates area, select the key certificate you want to use and click OK.
  6. Click the External Authentication tab. The External Authentication dialog box is displayed.
  7. Choose one of the following options:
    • To enable external authentication for this node record, click Yes in the Enable External Authentication box.
    • To disable external authentication for this node record, click No.
  8. In the Certificate Validation Definition box, type the character string exactly as it is defined on the External Authentication Server.
  9. Click OK to close the Edit Record dialog box and update the parameters file.
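As an added check after completing the procedure (example code written for this page, not part of IBM's product or its documentation): once the .Local record is saved with only TLS 1.2 and TLS 1.3 enabled, the following Python probe pins a client handshake to each protocol version in turn against the node's listener, reports which versions it accepts, and then applies the guidance from the Security Options table (deprecated versions must be refused; TLS 1.2 or TLS 1.3 must be accepted). The host name cd-node.example.com and the port 1364 are assumptions to be replaced with your node's values. The probe also assumes the listener accepts a TLS ClientHello as the first bytes on the connection; if Secure Plus negotiates over a Connect:Direct preamble first, every version reports as refused and you should verify the negotiated protocol from the node's session trace instead. A version your own OpenSSL build can no longer offer (typically SSL 3.0) is reported as untestable rather than refused.

```python
"""TLS protocol-version probe for a Connect:Direct Secure Plus listener.

Added example, not IBM code. Run it against the node after the .Local record is
set to TLS 1.2/1.3 only, to confirm that SSL 3.0, TLS 1.0 and TLS 1.1 are refused.
"""
import socket
import ssl
import sys

# Protocol labels in the order the Security Options table lists them.
PROBES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = ("SSLv3", "TLSv1", "TLSv1_1")   # the versions the page says not to use
DEFAULT_PORT = 1364                            # assumed listener port; adjust to your node


def tls_handshake(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly `version`.

    Returns True if the listener completes it, False if the listener refuses it
    or the connection fails, and None if this client's OpenSSL build cannot
    offer the version at all, in which case it is untestable from here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing version acceptance, not the certificate chain
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses legacy versions at its default security level;
            # lower it for the probe only, so the server's policy is what decides.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_listener(host, port, handshake=tls_handshake):
    """Try every version in PROBES against host:port; return {label: True/False/None}.

    `handshake` is injectable so the policy logic can be exercised without a live node.
    """
    return {label: handshake(host, port, version) for label, version in PROBES.items()}


def policy_findings(results):
    """Apply the page's guidance to probe results and return a list of problems.

    A deprecated version that completes a handshake is a finding; so is a
    listener that accepts neither TLS 1.2 nor TLS 1.3.
    """
    findings = []
    for label in DEPRECATED:
        if results.get(label) is True:
            findings.append(f"{label} accepted: deprecated protocol still enabled in the .Local or remote node record")
    if not (results.get("TLSv1_2") or results.get("TLSv1_3")):
        findings.append("neither TLS 1.2 nor TLS 1.3 accepted: no current protocol is enabled or the listener is unreachable")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "cd-node.example.com"  # hypothetical host name
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    results = probe_listener(target, port)
    for label, ok in results.items():
        state = "accepted" if ok else ("untestable" if ok is None else "refused")
        print(f"{label:8s} {state}")
    problems = policy_findings(results)
    print("\n".join(problems) if problems else "OK: only TLS 1.2/1.3 accepted")
    sys.exit(1 if problems else 0)
```

Run it as `python3 probe.py <host> <port>`; a nonzero exit means the listener still accepts a deprecated protocol or accepts no current one, which usually points at a remote node record overriding the .Local setting rather than at .Local itself.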