Configuring a Remote Node Record for the SSL or TLS Protocol

About this task

After you configure the local node, you can configure remote node records. When you import the network map file, a remote node record is created in the parameter file for each remote node in the network map. Depending on how you configured the local node record, you may or may not need to update the remote node records.

  • If you disabled the Connect:Direct® Secure Plus protocols in the local node record, IBM Connect:Direct Secure Plus is disabled for all remote node records. You must update all remote node records that use IBM Connect:Direct Secure Plus to identify which protocol is used by the trading partner.
  • If you enabled a protocol in the local node record, that protocol is enabled in all remote node records. You must disable the IBM Connect:Direct Secure Plus protocols in the records for all remote nodes that do not use IBM Connect:Direct Secure Plus, and update all remote node records that use a protocol that is different from the protocol defined in the local node record.
Note: To override security functions for a particular session, you can use the SECURE parameter in the PROCESS statement. For more information, see Override Settings in IBM Connect:Direct Processes. Note that the more flexible you make the environment by allowing override, the less secure that environment becomes.

The following procedure assumes that you enabled the SSL (or TLS) protocol in the local node record, this remote node uses the SSL (or TLS) protocol, and that you need to modify some SSL (or TLS) parameters for this remote node record.

To update a remote node record for the SSL (or TLS) protocol:

Procedure

  1. Type U next to the remote node record to update and press Enter to display the current values for the selected node in the Secure+ Create/Update Panel - SSL/TLS Parameters panel.
    Note: An asterisk in a field on the Secure+ Admin Main Screen indicates the value Default to Local Node. If the TLS protocol is enabled in the Local Node record, Y appears in the third position instead of the second position in the Secure 123C column below.
     File  Edit  Help                                                            
    _____________________________________________________________________________
     CD.ZOS.NODE         Secure+ Admin Tool: Main Screen              Row 1 of 7
     Option ===> __________________________________________________  Scroll CSR 
                            
                              Table Line Commands are:                             
                                                                                   
      U Update node           H View History          D Delete node                
      I Insert node           V View node                                          
                                                                                   
      Node Filter : *_______________                                                              
                                                                                   
                               Secure+                      External Client        
     LC Node Name         Type Protocol Override Encryption   Auth    Auth         
     -- ----------------  ---- -------- -------- ---------- -------- --------      
     __ .CLIENT            R   *            N         *         *       *          
     __ .EASERVER          R   TLSV10       N         *         N       *          
     __ .PASSWORD          R   Disabled     *         *         *       *          
     __ CD.UNIX.NODE       R   TLSV10       *         *         *       *          
     __ CD.UNIX.NODE2      R   TLSV12       *         *         *       *          
     __ CD.ZOS.NODE        L   Disabled     Y         N         N       N          
     __ CD.ZOS.NODE2       R   *            *         *         *       *          
    ********************************* BOTTOM OF DATA ****************************
  2. Select EA Parameters and press Enter.
  3. In the EA Parameters panel:
    1. Specify a value for the External Authentication parameter, if required, using the following table as a guide:

       Field           Description                                             Valid Values
       -------------   -----------------------------------------------------   --------------------------------
       External Auth   Validates certificates for secure sessions by using     Y  enable
                       an External Authentication Server.                      N  disable
                                                                               D  default to the local node setting

    2. Select SSL/TLS Parameters in the panel selection line and press Enter.
  4. Take one of the following actions depending on the protocol you are implementing:
    • If you defined default SSL settings in the local node record that this remote node record uses, verify that the Enable TLS field is disabled (set to N) or set to Default to Local Node (D). If you do not need to change any other settings, continue with step 10.
    • If you defined default TLS settings in the local node record that this remote node record uses, verify that the Enable SSL field is disabled (set to N) or set to Default to Local Node (D). If you do not need to change any other settings, continue with step 10.
    • To modify SSL (or TLS) protocol settings in this remote node record, continue with step 5.
    Note: If System SSL is in FIPS mode, TLS is the only supported protocol. See Planning for System SSL in FIPS Mode. SSL 3.0 is obsolete; enable it only for a trading partner that cannot negotiate TLS.
  5. Take one of the following actions, depending on what information you want to encrypt. (From release 6.2, data is always encrypted; that is, the session behaves as if Encrypt.Data = Y. The Encrypt.Data field is deprecated, but you can still edit it, and it remains valid for earlier releases.)
    • Type Y beside the Encrypt field to encrypt all information sent during the handshake that sets up the communication session, and also the files being transferred.
    • Type N beside the Encrypt field to encrypt only the control block information sent during the handshake, and not the files being transferred.
  6. Take one of the following actions, depending on whether you want to use the IBM Connect:Direct Secure Plus parameter settings override feature.
    • To enable the IBM Connect:Direct Secure Plus parameter settings override feature in the PROCESS or COPY statement, type Y beside the Override field. For more information, see Override Settings in IBM Connect:Direct Processes.
      Note: Allowing override in the remote record not only allows the Process to override the security settings but also allows the SNODE to override them. Use caution with this option: the more override you allow, the less secure the environment becomes.
    • To disable the IBM Connect:Direct Secure Plus parameter settings override feature, type N beside the Override field.
  7. Select Cipher Suites by placing the cursor on the text and pressing Enter:
    1. To select ciphers, type an order number from 1 through n (maximum of 10) in the O column beside each cipher suite in the All Available Cipher Suites list.
    2. As ciphers are selected they move to the Enabled Cipher Suites list on the right side, in the order you assigned. This list is the default cipher list.

      This is a scrollable panel; use the F8 key to move forward and F7 to move back.

      Option --->
      
            Cipher Filtering:Protocol         Cipher Sorting:Strongest
      
            Update the order field below to enable and order Cipher Suites
      
        O   All Available Cipher Suites          Enabled Cipher Suites
       ==   ==================================== ====================================
                                                                          More:     +
       1   TLS_AES_256_GCM_SHA384                TLS_AES_256_GCM_SHA384
       2   TLS_AES_128_GCM_SHA256                TLS_AES_128_GCM_SHA256
       3   TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384  TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384
       4   TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384  TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384
           TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
           TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256
           TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256
           TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
           TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
           TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
           TLS_ECDHE_ECDSA_WITH_NULL_SHA
           TLS_ECDHE_RSA_WIT_AES_256_GCM_SHA384
           TLS_ECDHE_RSA_WIT_AES_256_CBC_SHA384
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
           TLS_ECDHE_RSA_WIT_AES_128_GCM_SHA256
           TLS_ECDHE_RSA_WIT_AES_128_CBC_SHA256
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
           TLS_ECDHE_RSA_WITH_RC4_128_SHA
      Note: DEFAULT_TO_LOCAL_NODE does not apply to the Local node record.
      Note: Select ciphers carefully, since deprecated ciphers may not be available on all systems. The available list includes suites that use RC4, 3DES and the NULL cipher: RC4 and 3DES are broken or deprecated, and a NULL-cipher suite provides integrity but no confidentiality, so do not enable them. Check with your Security Administrator before selecting ciphers.
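      As an added example (not IBM code and not part of this page), the following script turns the All Available Cipher Suites column shown above into the list of order numbers to type in the O column. It assumes two things that are observations rather than documented behaviour: the panel squeezes WITH to W or WIT so that every name fits in 36 columns (compare TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384 with TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA in the list), and the order of the Enabled Cipher Suites list is the preference order the node offers. The scoring weights are this example's own choice; the suite list is copied from the panel.

```python
"""Rank the cipher suites from the Secure+ Cipher Suites panel.

Added example; this is not IBM code and not part of the Connect:Direct
product. It takes the "All Available Cipher Suites" column as the panel
displays it, expands the abbreviated names (assumption: the panel squeezes
WITH to W or WIT so that every name fits in 36 columns), drops suites built
on RC4, 3DES or a NULL cipher, and ranks the rest strongest first, so the
result is the list of order numbers (1 through 10) to type in the O column.
The scoring weights are this example's own choice.
"""
import re

# Constructed from the panel shown above, copied exactly as displayed.
PANEL_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    "TLS_ECDHE_RSA_WIT_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WIT_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WIT_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WIT_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
]

# Substrings that disqualify a suite regardless of anything else.
WEAK_MARKERS = ("_NULL_", "_RC4_", "_3DES_", "_DES_", "_EXPORT", "_MD5", "_anon_")


def expand_name(shown):
    """Undo the panel's abbreviation: '_W_' or '_WIT_' stands for '_WITH_' (assumption)."""
    return re.sub(r"_W(?:IT)?_", "_WITH_", shown, count=1)


def is_weak(name):
    """True for suites with no confidentiality (NULL) or broken/deprecated ciphers (RC4, 3DES, ...)."""
    return any(marker in name for marker in WEAK_MARKERS)


def score(name):
    """Higher is stronger: TLS 1.3 > ECDHE > DHE > static RSA; AEAD > CBC; 256 > 128; SHA-1 MAC penalised."""
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):   # TLS 1.3 suites: always (EC)DHE + AEAD
        s = 400
    elif "_ECDHE_" in name:                                # forward secrecy
        s = 300
    elif "_DHE_" in name:
        s = 200
    else:                                                  # static RSA key exchange, no forward secrecy
        s = 100
    if "_GCM_" in name or "CHACHA20_POLY1305" in name:     # AEAD: no CBC padding-oracle class of bugs
        s += 50
    if "_256_" in name:                                    # 256-bit key
        s += 10
    if name.endswith("_SHA"):                              # HMAC-SHA-1 record MAC
        s -= 5
    return s


def enabled_order(panel_suites=PANEL_SUITES, max_enabled=10, aead_only=False):
    """Return [(order_number, name_as_displayed, canonical_name)] for the suites to enable.

    The panel accepts at most 10 order numbers; the order returned here is the
    preference order the node will offer, strongest first (assumption).
    """
    candidates = []
    for shown in panel_suites:
        full = expand_name(shown)
        if is_weak(full):
            continue
        if aead_only and "_CBC_" in full:
            continue
        candidates.append((score(full), shown, full))
    # Strongest first; ties broken by canonical name so the output is stable.
    candidates.sort(key=lambda c: (-c[0], c[2]))
    return [(i + 1, shown, full) for i, (_, shown, full) in enumerate(candidates[:max_enabled])]


if __name__ == "__main__":
    for order, shown, full in enabled_order():
        print(f"{order:2d}  {shown:36}  {full}")
```

      Run without arguments it prints the ten order numbers for the list above; with aead_only=True it keeps only the six GCM suites, which is the stricter choice when every trading partner supports TLS 1.2 or later.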
  8. To enable client authentication:
    1. Type Y beside the Client Auth field.
    2. To have the certificate common name verified during authentication, select Client Auth. Compare and, when the next panel displays, type the common name of the certificate that this remote node presents and press Enter. To skip the name check, leave the field blank by not selecting Client Auth. Compare. If no common name is entered, client authentication (validation of the certificate itself) is still performed, but the common name is not compared.
      Note: This value is case-sensitive. Type it exactly as it appears in the certificate.
  9. To specify the certificate label:
    1. Select the Certificate Label field and press Enter.
    2. Press F8 to move to the editable portion of the panel containing the label field.
    3. Type the label of the certificate exactly as you defined it when you generated it using one of the security applications described in Configuration Worksheets (the field is case-sensitive), or type an asterisk (*) to use the same label as the local node record, and press Enter. To use the default certificate of the key store, leave the Certificate Label field blank.
    Note: The Certificate Pathname field is automatically set to '*' (Default to Local) in the Remote Node record. You cannot update this field for a remote node.
  10. Select OK and press Enter to display the updated values.
  11. Read all warning and error messages. You can continue configuring the environment without resolving warning messages, but you must resolve all errors that occur before you can save the parameter file.
  12. Save the parameter file using the instructions in IBM Connect:Direct Secure Plus Operation Enablement and Validation.