Certificate Validity Check Used by Connect:Direct Secure Plus

To check the validity of certificates using Connect:Direct® Secure Plus, define the following initialization parameters:

  • SECURE.DSN - the name of the Connect:Direct Secure Plus parameter file
  • CHECK.CERT.EXPIRE - whether to perform a certificate validation check
  • CHECK.CERT.EXPIRE.TIME - when the certificate validation checks are performed
  • CHECK.CERT.EXPIRE.WARNING.DAYS - how many days before certificate expiration to issue a warning message

After the certificate validation check is enabled, IBM® Connect:Direct automatically monitors the status of the certificates at the times specified by these parameters and whenever IBM Connect:Direct and Connect:Direct Secure Plus are initialized.

When the certificate validation checks are performed, IBM Connect:Direct verifies the label name and node name of all certificates in the Connect:Direct Secure Plus parameter file. After verifying all trusted certificates in the key store, IBM Connect:Direct reads and validates each individual certificate label. When a certificate expires, IBM Connect:Direct displays a CSPA601E error message indicating which certificate expired so that you can take appropriate action to generate or obtain a new certificate. When a certificate is soon to expire, IBM Connect:Direct displays a CSPA600W warning message indicating the specific certificate and the date it will expire.

In addition to issuing messages, IBM Connect:Direct generates statistics records that document the status of each certificate and the node name for which the certificate is defined. You can use IBM® Control Center or the SELECT STATS command to audit the certificates and nodes that need attention. On the SELECT STATISTICS panel, type Y in the CHANGE EXTENDED OPTS field, and then specify CX as a RECORD TYPE on the SELECT STATISTICS EXTENDED OPTIONS panel.

Note: If IBM Connect:Direct cannot validate the contents of the Connect:Direct Secure Plus parameter file, it displays a CSPA607W message indicating that it could not retrieve the necessary information for a particular certificate. Make sure that the certificate exists in the key store under the correct label name; the label is case-sensitive and must match exactly.

Note that expiration dates in certificates include both a date and time. IBM Connect:Direct uses both date and time to validate the exact expiration period when checking a certificate's validity. For example, if the certificate is set to expire on 12/31/2010 at 10:00:00 and the validation check is performed on 12/01/2010 at 09:00:00 with CHECK.CERT.EXPIRE.WARN.DAYS=30, this certificate will not be flagged with a warning message until a check is performed after 10:00:00 on 12/01/2010.
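The following is an added illustration of the check described above, not IBM's code: it applies the date-and-time comparison from the example to a constructed key store and parameter file, using the page's message IDs (CSPA601E, CSPA600W, CSPA607W) only as status labels. The key-store labels, node names and the strict "less than N days" boundary are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample key store (not from the page): certificate label -> NotAfter.
# Labels are matched case-sensitively, as the text describes.
KEY_STORE = {
    "CDNODE1CERT": "2010-12-31 10:00:00",
    "CDNODE2CERT": "2010-12-20 00:00:00",
    "CDNODE4CERT": "2010-11-15 00:00:00",
}
# Constructed Secure Plus parameter-file entries: (node name, certificate label).
PARAM_FILE = [
    ("NODE1", "CDNODE1CERT"),
    ("NODE2", "CDNODE2CERT"),
    ("NODE3", "cdnode1cert"),  # wrong case: must not match CDNODE1CERT
    ("NODE4", "CDNODE4CERT"),
]

def check_certificate(not_after, now, warn_days):
    """Classify one certificate using full date+time, as the page describes.
    Timestamps are 'YYYY-MM-DD HH:MM:SS' strings. Assumption: the warning
    window is strict, so a certificate exactly warn_days away is not flagged
    (matches the page's "after 10:00:00" wording)."""
    expires = datetime.fromisoformat(not_after)
    at = datetime.fromisoformat(now)
    if at >= expires:
        return "CSPA601E"  # already expired
    if expires - at < timedelta(days=warn_days):
        return "CSPA600W"  # expires within the warning window
    return "OK"

def audit(param_file, key_store, now, warn_days):
    """Return one status record per parameter-file entry: node -> (status, label, NotAfter)."""
    records = {}
    for node, label in param_file:
        if label not in key_store:  # exact, case-sensitive label lookup
            records[node] = ("CSPA607W", label, None)
            continue
        status = check_certificate(key_store[label], now, warn_days)
        records[node] = (status, label, key_store[label])
    return records

if __name__ == "__main__":
    for node, (status, label, exp) in audit(PARAM_FILE, KEY_STORE, "2010-12-01 09:00:00", 30).items():
        print(f"{node:6} {label:12} {status:9} expires={exp}")
```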