Configuring API certificate authentication

Client authentication must be enabled on the Connect:Direct Secure Plus .Client record; it is not enabled by default in Connect:Direct Secure Plus. During an API connection, a peer certificate is required from Control Center or the AIJ client. The common name field of that SSL/TLS certificate must match a Connect:Direct local user record in the Connect:Direct node, and the certificate must be imported into the Secure Plus key database. You must also use a blank password so that Connect:Direct triggers the API certificate authentication process.

A new user authorization parameter, CERTUSERAUTH, is added to the authorization file. It specifies whether a specific user can log in as a client through API certificate authentication, and it must be set to Yes when you configure API certificate authentication.

If you want to allow only specific API connections to use certificate authentication, you must list those API connections (address and port) in the ALT.COMM (alternate communication) parameter of the PNODE=SNODE Local Node Netmap entry.

For example, if only API connections from 10.120.10.130:4399 and 10.120.10.131:4399 are allowed to use certificate authentication, update the PNODE=SNODE Local Node Netmap entry as shown below:
$$UPDATE
   ADJACENT.NODE=(( CDZ.LOCAL M1DEVMW1) -
     LDNS=ZOSIRV -
     ENVIRONMENT=ZOS -
     TCPAPI=(4198,) -
     PARSESS=(4 2) -
     APPLIDS=(M1DEVMW2 M1DEVMW3 M1DEVMW4) -
     ALT.COMM=(ALT.DIR=TOP, -
       (ALT.ADDR=10.120.10.130 -
          ALT.PORT=4399,ALT.TYPE=TCP) -
       (ALT.ADDR=10.120.10.131 -
          ALT.PORT=4399,ALT.TYPE=TCP) -
     ))
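To review such an entry before it is deployed, the following added Python example (not IBM's code) joins the `-` continuation lines of the netmap statement, extracts the ALT.COMM address/port pairs, and models the decision described above. The `users` mapping standing in for the authorization file's CERTUSERAUTH values, matching on the connecting client's address and port, and treating an absent ALT.COMM list as unrestricted are assumptions made for the example.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample: the PNODE=SNODE local-node netmap entry shown above.
NETMAP_ENTRY = """$$UPDATE
   ADJACENT.NODE=(( CDZ.LOCAL M1DEVMW1) -
     LDNS=ZOSIRV -
     ENVIRONMENT=ZOS -
     TCPAPI=(4198,) -
     PARSESS=(4 2) -
     APPLIDS=(M1DEVMW2 M1DEVMW3 M1DEVMW4) -
     ALT.COMM=(ALT.DIR=TOP, -
       (ALT.ADDR=10.120.10.130 -
          ALT.PORT=4399,ALT.TYPE=TCP) -
       (ALT.ADDR=10.120.10.131 -
          ALT.PORT=4399,ALT.TYPE=TCP) -
     ))
"""

_ALT_ENTRY = re.compile(r"ALT\.ADDR=([\w.]+)\s+ALT\.PORT=(\d+)\s*,\s*ALT\.TYPE=(\w+)")


def allowed_api_endpoints(netmap_text: str) -> Set[Tuple[str, int]]:
    """Join the '-' continuation lines into one statement and collect the
    (address, port) pairs listed under ALT.COMM with ALT.TYPE=TCP."""
    joined = " ".join(ln.strip().rstrip("-").strip() for ln in netmap_text.splitlines())
    return {(addr, int(port)) for addr, port, typ in _ALT_ENTRY.findall(joined)
            if typ.upper() == "TCP"}


def cert_auth_decision(peer_addr: str, peer_port: int, cert_cn: str, password: str,
                       users: Dict[str, str], endpoints: Set[Tuple[str, int]]) -> Tuple[bool, str]:
    """Model the checks the text describes. `users` maps local user IDs to their
    CERTUSERAUTH value (assumption: a stand-in for the authorization file). TLS trust
    (the certificate being in the Secure Plus key database) is assumed already verified."""
    if password != "":
        # A non-blank password means a normal user ID/password logon; cert auth is not triggered.
        return False, "certificate authentication not triggered: password supplied"
    # Assumption: an empty ALT.COMM list means API connections are not restricted by address.
    if endpoints and (peer_addr, peer_port) not in endpoints:
        return False, "rejected: API connection not listed in ALT.COMM"
    if cert_cn not in users:
        return False, "rejected: certificate CN matches no local user record"
    if users[cert_cn].strip().upper() not in ("Y", "YES"):
        return False, "rejected: CERTUSERAUTH is not Yes for this user"
    return True, "accepted"
```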