Establishing Secure TCP API Connections to a Connect:Direct Secure Plus-Enabled Server
IBM® Connect:Direct® servers that use Connect:Direct Secure Plus let you enable secure TCP API connections. Secure API applications can include Control Center and Sterling Connect:Direct Browser User Interface.
The Connect:Direct CICS Option, IBM Connect:Direct for z/OS® batch interface, ISPF IUI, Console interface and Interconnect Option (ICO) do not support a secure connection. If a .CLIENT record is enabled, ensure that SNA protocol is available and configured for these User Interfaces.
To enable secure TCP API connections, define a remote node record called .CLIENT and disable override. Additionally, identify the protocol to use for secure API connections.
Defining a remote node called .CLIENT and disabling override prevents nonsecure connections to the IBM Connect:Direct server without disabling override settings in the local node record.
An API configuration follows the same rules as other remote node connections with the following exceptions:
- API connections use either the SSL or the TLS security protocol.
- The IBM Connect:Direct server supports TCP and defines a TCP API port for these connections. Refer to IBM Connect:Direct for z/OS Administration Guide for instructions on setting up TCP API support on the server.
- Settings in the .CLIENT node definition automatically override the local node.
To configure a .CLIENT remote node record when Connect:Direct Secure Plus is enabled:
- From the Secure+ Admin Tool Main Screen, select Edit and press Enter to display the Edit menu.
- On the Edit menu, type 1 to select Create/Update Record and press Enter.
- On the Secure+ Create/Update panel:
- Type .CLIENT in the Node Name field. Note: You must name this node .CLIENT in order for IBM Connect:Direct to read this node and allow secure TCP API connections.
- Type R next to the Type field.
- Select EA Parameters and press Enter.
- Type .CLIENT in the Node Name field.
- In the EA Parameters panel:
- Type N beside the Enable External Auth field to disable it. The remaining EA parameters are unavailable because they are valid only for the .EASERVER remote node record.
- Select SSL/TLS Parameters and press Enter.
- Take one of the following actions, depending on whether you want to use the Connect:Direct Secure Plus parameter settings override feature: Note: If System SSL is in FIPS mode, TLS is the only supported protocol. See Planning for System SSL in FIPS Mode.
- Type N beside the Enable Client Auth field to disable it.
- Click Security Options.
- The remaining fields are not valid for the .CLIENT record.
- Click OK and press Enter to save and close the .CLIENT node record.
- Save the parameter file using the procedure in Connect:Direct Secure Plus Operation Enablement and Validation.
- Ensure that the ISPF IUI and batch interface connections define SNA as the connection protocol. Note: If the .CLIENT node record disables the Override function, ISPF IUI and must use the SNA protocol.