Adding the Local Node Record to the Parameter File Manually for the SSL or TLS Protocol

When you perform this procedure, refer to the Local Node Security Feature Definition Worksheet that you completed for the local node.

To add the local node record manually:

  1. Select Edit from the Secure+ Admin Tool Main Screen and press Enter.
  2. On the Edit menu, select 1 for Create/Update Record and press Enter to display the Secure+ Create/Update panel:
                              Secure+ Create/Update Panel
      Option ===>                                                                     
                                                                                      
      Node Name:   MY.LOCAL             Type:  L       (Local or Remote)              
      --------------------------------------------------------------------------      
     | Security Options     |  EA Parameters        |  SSL/TLS Parameters       |    
     | ---                     --                      ---                      |     
      --------------------------------------------------------------------------      
      Secure+ Protocol:                Security Mode  (Yes , No , Default to Local)   
       Enable SSL           N           Enable FIPS                     N            
       Enable TLS 1.0       N           Enable SP800-131a Transition    N             
       Enable TLS 1.1       N           Enable SP800-131a Strict        N            
       Enable TLS 1.2       N           Enable NSA Suite B 128 bit      N             
       Enable TLS 1.3       N           Enable NSA Suite B 192 bit      N             
                                                                                      
       Auth Timeout:         120        Enable Override                  N             
                                                                                      
       Alias  Names:                    TCP Information:                               
                                        IPaddr:                                       
                                        Port:                                        
                                                                                      
                                                                                      
                                                           OK        Cancel                                 
  3. On the Secure+ Create/Update panel:
    1. In the Node Name field, type the name for the local node.
    2. Type L in the Type (Local or Remote) field.
  4. To implement SSL, do one of the following, depending on whether you want to use SSL for all data transfers or on a Process-by-Process basis:
    • Type Y beside the Enable SSL field to enable the SSL protocol for this local node.
    • Type N beside the Enable SSL field to disable the SSL protocol.
      Note: Support for SSL will be removed in a future release.
  5. To implement TLS, do one of the following, depending on whether you want to use TLS for all data transfers or on a Process-by-Process basis:
    • Type Y beside the Enable TLS 1.0 field to enable the TLS protocol for this local node. Repeat for TLS 1.1, TLS 1.2, and TLS 1.3.
    • Type N beside the Enable TLS field to disable the TLS protocol.
    Note:
    • If System SSL is in FIPS mode, TLS is the only supported protocol. See Planning for System SSL in FIPS Mode.
    • Set the protocols in the Local record as your defaults, and allow Remote records that require different protocols to enable those protocols and override the Local record.
  6. In the Security Mode field, type Y, N, or D to enable or disable multiple protocols, such as FIPS, SP800-131a, and NSA Suite B.
  7. The Alias Names field does not apply to the local node; leave it blank.
  8. The TCP Information fields (IPaddr and Port) do not apply to the local node; leave them blank.
  9. Take one of the following actions, depending on whether you want to use the Connect:Direct Secure Plus parameter settings override feature. For Local nodes, the override feature allows a remote parameter record to override any setting defined in the Local node record:
    • To enable the Connect:Direct® Secure Plus parameter settings override feature, type Y beside the Override field.
    • To disable the Connect:Direct Secure Plus parameter settings override feature, type N beside the Override field.
  10. Select the SSL/TLS Parameters panel by typing SSL and pressing Enter to display the Secure+ Create/Update panel:
                           Secure+ Create/Update Panel            
    Option ===> 
    
    Node Name:   CD.ZOS.NODE        Type:  L       (Local or Remote) 
    --------------------------------------------------------------------------
     Security Options     |  EA Parameters        |  SSL/TLS Parameters       |
     ---                     --                      ---                      |
    --------------------------------------------------------------------------
    
    Enable Client Auth            N                 (Yes   No   Default to Local)
    Enable Data Encrypt           N                 (Ignored  Forced to Y)
    
                                   ------------------------------------------- 
       Certificate Label          | CD_CERT                                   | 
           Cipher Suites          | 13021301009D003D0035009C003C002F000A003B  | 
    Certificate Pathname          | /u/USER11/CDDEMO1.kdb                     | 
    Certificate Common Name       |                                           | 
                                   ------------------------------------------- 
    
    
    
    
                                                         OK        Cancel    
                                                         --        ---
    
  11. To implement Client Authentication, type Y to enable or N to disable beside the Enable Client Auth field. Because the Data Encryption field (Enable Data Encrypt) has been deprecated since release 6.2, it has no effect on a Process even though a user can still change it in the Secure+ parameter file; data encryption always behaves as enabled.
  12. Select the Certificate Label field by placing the cursor on the text and pressing Enter. On the entry panel, specify the Certificate Label as defined in the certificate, or leave it blank to use the default certificate defined in the key database or key ring. Leaving the certificate label blank generates a warning message upon saving the parameter file; this warns you that the key store must define a default certificate.
    Note: *(default to Local) does not apply to the Local node record.
  13. Select the Certificate Pathname field by placing the cursor on the text and pressing Enter.
    1. Enter the complete path of the key database or the key ring name.
    2. This is a scrollable panel; use the F8 key to scroll forward. For a key database, enter the case-sensitive password.
      Note: A key ring does not have a password; leave the password field blank.
      Note: If the SECURE.SSL.PATH.PREFIX initialization parameter specifies a prefix, the complete path name is not required; the name of the key database is sufficient.
      Note: The certificate pathname is required for the Local record and cannot be specified on a Remote record.
  14. Select Cipher Suites by placing the cursor on the text and press Enter.
    1. To select ciphers, order the list in All Available Cipher-Suites by placing them 1 through n (maximum of 10).
    2. As ciphers are selected they move to the Enabled Cipher-Suites on the right side. This list is the default cipher list.
      This is a scrollable panel, so use the F8 key to move forward and F7 to move back.
      Option --->
      
            Cipher Filtering:Protocol         Cipher Sorting:Strongest
      
            Update the order field below to enable and order Cipher Suites
      
        O   All Available Cipher Suites          Enabled Cipher Suites
       ==   ==================================== ====================================
                                                                          More:     +
       1   TLS_AES_256_GCM_SHA384                TLS_AES_256_GCM_SHA384
       2   TLS_AES_128_GCM_SHA256                TLS_AES_128_GCM_SHA256
       3   TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384  TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384
       4   TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384  TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384
           TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
           TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256
           TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256
           TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
           TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
           TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
           TLS_ECDHE_ECDSA_WITH_NULL_SHA
           TLS_ECDHE_RSA_WIT_AES_256_GCM_SHA384
           TLS_ECDHE_RSA_WIT_AES_256_CBC_SHA384
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
           TLS_ECDHE_RSA_WIT_AES_128_GCM_SHA256
           TLS_ECDHE_RSA_WIT_AES_128_CBC_SHA256
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
           TLS_ECDHE_RSA_WITH_RC4_128_SHA
      Note: DEFAULT_TO_LOCAL_NODE does not apply to the Local node record.
      Note: Select Ciphers carefully since deprecated ciphers may not be available on all systems. Check with your Security Administrator before selecting these ciphers.
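      To check what the Cipher Suites field shown on the SSL/TLS Parameters panel in step 10 actually enables, here is an added example (not from the IBM documentation or the Secure+ Admin Tool) that decodes the field value into IANA cipher suite names and flags the ones a Security Administrator would want to review. It assumes the field is the enabled list as a concatenation of four-hex-digit IANA cipher suite identifiers in selected order, which is consistent with the panel value above (40 hex digits, ten suites, the panel maximum).

```python
# Added example (not part of the Connect:Direct Secure Plus documentation):
# decode the Cipher Suites field value from the SSL/TLS Parameters panel.
# Assumption: the field is the enabled cipher list written as a concatenation
# of four-hex-digit IANA TLS cipher suite identifiers, in the order selected.
from typing import Dict, List, Tuple

# IANA TLS cipher suite registry values (subset that covers the panel example).
IANA_SUITES: Dict[str, str] = {
    "1302": "TLS_AES_256_GCM_SHA384",
    "1301": "TLS_AES_128_GCM_SHA256",
    "009D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "003D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "009C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "003C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "003B": "TLS_RSA_WITH_NULL_SHA256",
    "C02B": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "C02C": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

MAX_SUITES = 10  # the panel lets you order positions 1 through 10

def decode_cipher_field(value: str) -> List[Tuple[str, str]]:
    """Split the field into 4-hex-digit IDs and map each to its IANA name."""
    value = value.strip().upper()
    if len(value) % 4 != 0 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError("cipher field must be a whole number of 4-hex-digit IDs")
    ids = [value[i:i + 4] for i in range(0, len(value), 4)]
    if len(ids) > MAX_SUITES:
        raise ValueError(f"more than {MAX_SUITES} cipher suites enabled")
    return [(cid, IANA_SUITES.get(cid, "UNKNOWN")) for cid in ids]

def weak_suites(value: str) -> List[str]:
    """Enabled suites to review: NULL (no encryption), 3DES and RC4
    (deprecated), and any ID not present in the local table."""
    flagged = []
    for cid, name in decode_cipher_field(value):
        if name == "UNKNOWN" or any(t in name for t in ("_NULL_", "3DES", "RC4")):
            flagged.append(f"{cid}:{name}")
    return flagged

PANEL_VALUE = "13021301009D003D0035009C003C002F000A003B"  # value from the panel above

if __name__ == "__main__":
    for cid, name in decode_cipher_field(PANEL_VALUE):
        print(cid, name)
    print("review:", weak_suites(PANEL_VALUE))
```

Run against the panel value, the decoder shows that the default list as displayed still ends with a 3DES suite and a NULL-encryption suite, which is exactly the kind of entry the note above asks you to review before saving.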
  15. Select the EA parameters option from the panel selection bar and press Enter to display the EA parameters panel.
         Secure+ Create/Update Panel                           <Change Pending>
     Option ===>

     Node Name:   MY.LOCAL             Type:  L       (Local or Remote)
      --------------------------------------------------------------------------
     | Security Options     |  EA Parameters        |  SSL/TLS Parameters       |
     | ---                     --                      ---                      |
      --------------------------------------------------------------------------

      Enable External Auth          N               (Yes , No , Default to Local)

      External Auth Server Def
      External Auth Server Address
      External Auth Server Port

                                                                OK        Cancel
                                                                  --        ---
  16. To implement the External Authentication Server application:
    1. Type N in the External Auth field to disable the External Authentication Server application.
    2. Type Y in the External Auth field to enable the External Authentication Server application.
    3. External Auth Server Def, External Auth Server Address, and External Auth Server Port are unavailable because they are valid only for the .EASERVER remote node record.
  17. Select OK and press Enter to display the values for the local node record.
  18. Using the Save As or Save Active option displays error and warning messages. Read all warning and error messages. You can continue configuring the environment without resolving warning messages, but you must resolve errors before you save the parameter file.
  19. After you configure the local node record, you can save and submit the parameter file using the procedures in Connect:Direct Secure Plus Operation Enablement and Validation, but if you have not added a remote node record, connections are not secure.