Adding a Remote Node Record to the Parameter File Manually for the SSL or TLS Protocol
When you complete this procedure, refer to the Remote Node Security Feature Definition Worksheet that you created for the remote node you are adding. The following procedure assumes that this remote node uses the SSL or TLS protocol and client authentication with Connect:Direct® Secure Plus, unless you want to override the Connect:Direct Secure Plus parameter settings from the PROCESS statement. For more information, see Override Settings in IBM® Connect:Direct Processes.
To add a remote node record manually for the SSL or TLS protocol:
- On the Option line, type I (Insert Node) on the Secure+ Admin Tool Main Screen and press Enter to add a node. The Secure+ Create/Update Panel displays.
    File  Edit  Help
    -------------------------------------------------------------------------------
                         Secure+ Admin Tool: Main Screen               Row 1 of 1
    Option ===>                                                       Scroll CSR
    Table Line Commands are:
      U  Update node    H  View History    D  Delete node
      I  Insert node    V  View node       CL Clone node
    Node Filter : *
                                           Secure+               External  Client
    LC  Node Name         Type  Protocol  Override  Encryption  Auth      Auth
    --  ----------------  ----  --------  --------  ----------  --------  --------
    I   MY_LOCAL          L     TLSV13    Y         Y           N         Y
    ******************************* BOTTOM OF DATA ********************************
- On the Secure+ Create/Update Panel:
  - In the Node Name field, type the name for the remote node that corresponds to its name in the network map.
  - Type R in the Type (Local or Remote) field.
    Secure+ Create/Update Panel
    Option ===>
    Node Name: MY.REMOTE                    Type: R (Local or Remote)
    --------------------------------------------------------------------------
    | Security Options | EA Parameters | SSL/TLS Parameters |
    --------------------------------------------------------------------------
    Secure+ Protocol:                    Security Mode (Yes, No, Default to Local)
    Enable SSL       N                   Enable FIPS                    N
    Enable TLS 1.0   N                   Enable SP800-131a Transition   N
    Enable TLS 1.1   N                   Enable SP800-131a Strict       N
    Enable TLS 1.2   N                   Enable NSA Suite B 128 bit     N
    Enable TLS 1.3   N                   Enable NSA Suite B 192 bit     N
    Auth Timeout:  120                   Enable Override                N
    Alias Names:
    TCP Information:   IPaddr:                    Port:
                                                            OK      Cancel
- To implement SSL, do one of the following, depending on whether you want to use SSL for all data transfers or on a Process-by-Process basis:
  - Type Y beside the Enable SSL field to enable the SSL protocol for this remote node.
  - Type N beside the Enable SSL field to disable the SSL protocol.
- To implement TLS, do one of the following, depending on whether you want to use TLS for all data transfers or on a Process-by-Process basis:
  - Type Y beside the Enable TLS 1.0 field to enable the TLS protocol for this remote node. Repeat for TLS 1.1, TLS 1.2, and TLS 1.3.
  - Type N beside the Enable TLS field to disable the TLS protocol.
  Note: If System SSL is in FIPS mode, TLS is the only supported protocol. See Planning for System SSL in FIPS Mode.
  Note: Set the required protocols to override the default protocols in the Local record.
- In the Security Mode field, type Y, N, or D to enable or disable multiple protocols such as FIPS, SP800-131a, and NSA Suite B.
- The Alias Names field does not apply to a remote node. Leave this field blank.
- The TCP Information fields (IP addr and Port) do not apply to a remote node. Leave these fields blank.
- Depending on whether you want to use the Connect:Direct Secure Plus parameter settings override feature, type Y to enable or N to disable beside the Override field. Enabling Override for the Remote record allows not only the Process to override the security settings but also allows the SNODE to override the security settings. Use caution when enabling this option on the Remote record, because it can override any setting defined in the Local node record.
- Select the SSL/TLS Parameters panel by typing SSL and press Enter to display the Secure+ Create/Update panel:
    Secure+ Create/Update Panel                               <Change Pending>
    Option ===>
    Node Name: MY.REMOTE                    Type: R (Local or Remote)
    --------------------------------------------------------------------------
    | Security Options | EA Parameters | SSL/TLS Parameters |
    --------------------------------------------------------------------------
    Enable Client Auth    D   (Yes, No, Default to Local)
    Enable Data Encrypt   D
    -------------------------------------------
    Certificate Label        | *    |
    Cipher Suites            | FFFF |
    Certificate Pathname     | *    |
    Certificate Common Name  |      |
    -------------------------------------------
                                                            OK      Cancel
- To implement Client Authentication and/or Data Encryption, type Y to enable, N to disable, or D to default to the local record, beside the Client Auth and/or Data Encrypt field.
- Select the Certificate Label field by placing the cursor on the text and press Enter. On the entry panel, specify the Certificate Label as defined in the certificate, or leave it blank to use the default certificate defined in the key database or key ring. Leaving the certificate label blank generates a warning message upon saving the parameter file; the warning means that the key store must define a default certificate. Select the Certificate Label field and press Enter.
  Note: The Certificate Label field is automatically set to '*' (Default to Local) in the Remote Node record. You are not allowed to update this field for a remote node.
- Certificate Pathname does not apply to a remote node. Leave this field blank.
- Select Cipher Suites by placing the cursor on the text and press Enter:
  - To select ciphers, order the list in All Available Cipher Suites by numbering them 1 through n (maximum of 10).
  - As ciphers are selected, they move to Enabled Cipher Suites on the right side. This list is the default cipher list. This is a scrollable panel, so use the F8 key to move forward and F7 to move back.
    Option --->               Cipher Filtering: Protocol    Cipher Sorting: Strongest
    Update the order field below to enable and order Cipher Suites
    O   All Available Cipher Suites           Enabled Cipher Suites
    ==  ====================================  ====================================
                                                                          More: +
    1   TLS_AES_256_GCM_SHA384                TLS_AES_256_GCM_SHA384
    2   TLS_AES_128_GCM_SHA256                TLS_AES_128_GCM_SHA256
    3   TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384  TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384
    4   TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384  TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256
        TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
        TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
        TLS_ECDHE_ECDSA_WITH_NULL_SHA
        TLS_ECDHE_RSA_WIT_AES_256_GCM_SHA384
        TLS_ECDHE_RSA_WIT_AES_256_CBC_SHA384
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        TLS_ECDHE_RSA_WIT_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WIT_AES_128_CBC_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        TLS_ECDHE_RSA_WITH_RC4_128_SHA
  Note: DEFAULT_TO_LOCAL_NODE can be used to use the cipher list defined on the Local node record.
  Note: Select ciphers carefully, because deprecated ciphers may not be available on all systems. Check with your Security Administrator before selecting these ciphers.
- Select the EA Parameters option from the panel selection bar and press Enter to display the EA Parameters panel.
    Secure+ Create/Update Panel                               <Change Pending>
    Option ===>
    Node Name: MY.REMOTE                    Type: R (Local or Remote)
    --------------------------------------------------------------------------
    | Security Options | EA Parameters | SSL/TLS Parameters |
    --------------------------------------------------------------------------
    Enable External Auth           N   (Yes, No, Default to Local)
    External Auth Server Def
    External Auth Server Address
    External Auth Server Port
                                                            OK      Cancel
- To implement the External Authentication Server application:
  - Type N in the External Auth field to disable the External Authentication Server application.
  - Type Y in the External Auth field to enable the External Authentication Server application.
  - External Auth Server Def, External Auth Server Address, and External Auth Server Port are unavailable because they are valid only for the .EASERVER remote node record.
- Select OK and press Enter to display the values for the local node record.
- Using the Save As or Save Active option displays error and warning messages. Read all warning and error messages. You can continue configuring the environment without resolving warning messages, but you must resolve errors before you save the parameter file.
- After you configure the remote node record, you can save and submit the parameter file using the procedures in Connect:Direct Secure Plus Operation Enablement and Validation. If you have not added a remote node record, connections are not secure.
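The rules this procedure states (TLS only in FIPS mode, at most 10 ordered cipher suites, deprecated ciphers to be reviewed, a blank certificate label that only warns, and the caution about Override on a remote record) can be applied to a worksheet before you type it into the panels. The following pre-save checker is an added example and not IBM or Connect:Direct code; the record layout, field names and sample values are assumptions constructed for the example.

```python
DEPRECATED_MARKERS = ("RC4", "3DES", "NULL")   # deprecated ciphers need admin review
MAX_CIPHERS = 10                                 # ciphers are ordered 1 through n, max 10

# Constructed sample record laid out like the panel fields (field names assumed).
SAMPLE_RECORD = {
    "node_name": "MY.REMOTE",
    "type": "R",
    "enable_ssl": "N",
    "enable_tls": {"1.0": "N", "1.1": "N", "1.2": "Y", "1.3": "Y"},
    "enable_override": "N",
    "client_auth": "D",
    "data_encrypt": "D",
    "certificate_label": "*",   # '*' = Default to Local, as the panel sets it
    "cipher_suites": ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                      "TLS_ECDHE_RSA_WITH_RC4_128_SHA"],
}


def check_remote_record(rec, fips_mode=False):
    """Return (errors, warnings): errors would block the save, warnings need review."""
    errors, warnings = [], []
    if rec.get("type") != "R":
        errors.append("Type must be R for a remote node record")
    if not rec.get("node_name"):
        errors.append("Node Name must match the remote node's name in the network map")
    # In System SSL FIPS mode, TLS is the only supported protocol.
    if fips_mode and rec.get("enable_ssl") == "Y":
        errors.append("FIPS mode: only TLS is supported, set Enable SSL to N")
    tls_on = any(v == "Y" for v in rec.get("enable_tls", {}).values())
    if rec.get("enable_ssl") != "Y" and not tls_on and rec.get("enable_override") != "Y":
        warnings.append("No protocol enabled and Override is N: a Process cannot secure this node")
    # Override on a remote record lets the Process and the SNODE override Local settings.
    if rec.get("enable_override") == "Y":
        warnings.append("Enable Override is Y: Process and SNODE may override Local node settings")
    # A blank label only warns, but the key store must then define a default certificate.
    if not rec.get("certificate_label"):
        warnings.append("Certificate Label is blank: key store must define a default certificate")
    ciphers = rec.get("cipher_suites", [])
    if ciphers != ["DEFAULT_TO_LOCAL_NODE"]:     # otherwise the Local record's list applies
        if len(ciphers) > MAX_CIPHERS:
            errors.append(f"At most {MAX_CIPHERS} cipher suites can be ordered, got {len(ciphers)}")
        for c in ciphers:
            if any(m in c for m in DEPRECATED_MARKERS):
                warnings.append(f"{c} is deprecated: confirm with your Security Administrator")
    return errors, warnings


if __name__ == "__main__":
    for kind, msgs in zip(("ERROR", "WARNING"), check_remote_record(SAMPLE_RECORD)):
        for m in msgs:
            print(f"{kind}: {m}")
```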