Establishing Secure TCP API Connections to an IBM Connect:Direct Secure Plus-Enabled Server

IBM® Connect:Direct® servers that use IBM Connect:Direct Secure Plus allow you to enable secure TCP API connections. Secure API applications can include Control Center and Sterling Connect:Direct Browser User Interface.

The Connect:Direct CICS Option, IBM Connect:Direct for z/OS® batch interface, ISPF IUI, Console interface and Interconnect Option (ICO) do not support a secure connection. If a .CLIENT record is enabled, ensure that the SNA protocol is available and configured for these user interfaces.

Note: To run IBM Connect:Direct Secure Plus using a nonsecure API connection, set the S+.CMD.ENFORCE.SECURE.CONNECTION parameter to NO. See Global Initialization Parameters, in the IBM Connect:Direct for z/OS Administration Guide. In addition, specify OVERRIDE=YES in step 4 in the following procedure.

To enable secure TCP API connections, define a remote node record called .CLIENT and disable override. Additionally, identify the protocol to use for secure API connections. Defining a remote node called .CLIENT and disabling override prevents nonsecure connections to the IBM Connect:Direct server without disabling override settings in the local node record.

An API configuration follows the same rules as other remote node connections with the following exceptions:

  • API connections use either the SSL or the TLS security protocol.
  • The IBM Connect:Direct server supports TCP and defines a TCP API port for these connections. Refer to IBM Connect:Direct for z/OS Administration Guide for instructions on setting up TCP API support on the server.
  • Settings in the .CLIENT node definition automatically override the local node.

To configure a .CLIENT remote node record when IBM Connect:Direct Secure Plus is enabled:

  1. From the Secure+ Admin Tool Main Screen, select Edit and press Enter to display the Edit menu.
  2. On the Edit menu, type 1 to select Create/Update Record and press Enter.
  3. On the Secure+ Create/Update panel:
    1. Type .CLIENT in the Node Name field.
      Note: You must name this node .CLIENT in order for IBM Connect:Direct to read this node and allow secure TCP API connections.
    2. Type R next to the Type field.
    3. Select EA Parameters and press Enter.
  4. In the EA Parameters panel:
    1. Type N beside the Enable External Auth field to disable it. The remaining EA parameters are unavailable because they are valid only for the .EASERVER remote node record.
    2. Select SSL/TLS Parameters and press Enter.
  5. Take one of the following actions, depending on whether you want to use the IBM Connect:Direct Secure Plus parameter settings override feature:
    Note: If System SSL is in FIPS mode, TLS is the only supported protocol. See Planning for System SSL in FIPS Mode.
    1. Type N beside the Enable Client Auth field to disable it.
    2. Click Security Options.
  6. The remaining fields are not valid for the .CLIENT record.
  7. Click OK and press Enter to save and close the .CLIENT node record.
  8. Save the parameter file using the procedure in IBM Connect:Direct Secure Plus Operation Enablement and Validation.
  9. Ensure that the ISPF IUI and batch interface connections define SNA as the connection protocol.
    Note: If the .CLIENT node record disables the Override function, the ISPF IUI and batch interface must use the SNA protocol.
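As an added illustration that is not part of the IBM documentation, the following Python function audits a constructed, simplified representation of the settings above (the dictionary keys are hypothetical and do not reflect the real Secure Plus parameter-file format) and reports where a .CLIENT configuration would still allow nonsecure API connections:

```python
# Added example: audit a constructed, simplified model of the Secure Plus
# settings discussed on this page. Dict keys are hypothetical names, not the
# real parameter-file syntax.
from dataclasses import dataclass
from typing import Dict, List, Optional

SECURE_PROTOCOLS = {"SSL", "TLS"}


@dataclass
class SecurePlusConfig:
    enforce_secure_connection: str = "YES"   # S+.CMD.ENFORCE.SECURE.CONNECTION initparm
    fips_mode: bool = False                  # System SSL running in FIPS mode
    client_record: Optional[Dict[str, str]] = None  # the .CLIENT remote node record


def audit_client_record(cfg: SecurePlusConfig) -> List[str]:
    """Return findings; an empty list means the .CLIENT record enforces
    secure TCP API connections as the procedure above intends."""
    findings: List[str] = []
    rec = cfg.client_record
    if rec is None:
        return ["no .CLIENT record: API connections are governed by the local node settings"]
    if rec.get("node_name") != ".CLIENT":
        findings.append("node name must be exactly .CLIENT or the record is not read for API connections")
    if rec.get("type") != "R":
        findings.append("record type must be R (remote node)")
    if rec.get("enable_external_auth", "Y") != "N":
        findings.append("External Auth must be N; EA parameters are valid only for .EASERVER")
    if rec.get("enable_client_auth", "Y") != "N":
        findings.append("Client Auth must be N for the .CLIENT record")
    proto = rec.get("protocol")
    if proto not in SECURE_PROTOCOLS:
        findings.append(f"protocol {proto!r} is not SSL or TLS")
    elif cfg.fips_mode and proto != "TLS":
        findings.append("System SSL is in FIPS mode, so TLS is the only supported protocol")
    if rec.get("override", "N") == "Y":
        if cfg.enforce_secure_connection == "NO":
            findings.append("OVERRIDE=YES with S+.CMD.ENFORCE.SECURE.CONNECTION=NO permits nonsecure API connections")
        else:
            findings.append("override is enabled on .CLIENT; the procedure disables it to block nonsecure API connections")
    return findings


# Constructed sample records: one hardened as the procedure describes, one permissive.
HARDENED = SecurePlusConfig(client_record={"node_name": ".CLIENT", "type": "R",
    "enable_external_auth": "N", "enable_client_auth": "N", "protocol": "TLS", "override": "N"})
PERMISSIVE = SecurePlusConfig(enforce_secure_connection="NO", fips_mode=True, client_record={
    "node_name": ".CLIENT", "type": "R", "enable_external_auth": "N",
    "enable_client_auth": "N", "protocol": "SSL", "override": "Y"})
```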