Node Configuration Overview

Before you begin using Connect:Direct® Secure Plus, you must configure nodes for secure operations.

When you import the network map records into the Connect:Direct Secure Plus parameters file, the imported records have Connect:Direct Secure Plus disabled; you must then configure the .Local node record to enable secure operations.

To configure the nodes for Connect:Direct Secure Plus, complete the following procedures:
  • Configure or create a new PKCS12 Key Store through the Key Management menu on the Secure+ Admin Tool.
  • Import existing Certificates.
  • Configure the Connect:Direct Secure Plus .Local node record.
    • Define the security options for the local node. Because TLS provides the strongest authentication with easy-to-maintain keys, configure the local node for TLS. Determine which protocol most of your trading partners use and configure the local node with that protocol; partners that use a different protocol are handled in their remote node records.
    • Enable Override to allow customized remote node settings or Copy Statement settings.
  • Customize a remote node for the following configurations:
    • To disable the protocol for remote nodes that do not use Connect:Direct Secure Plus
    • To configure remote nodes that use a protocol that is not defined in the local node
      • When you configure the local node, all remote nodes are automatically configured to the protocol defined in the local node. If a trading partner uses a different protocol, you must turn on that protocol in the remote node record. For example, if you activate the TLS protocol in the .Local node record and a trading partner uses the SSL protocol, configure the SSL protocol in the remote node record for that trading partner. SSL is an obsolete protocol, so enable it only for a partner that cannot be moved to TLS, and only in that partner's record, never in .Local.
    • To use a unique certificate file to authenticate a trading partner
    • To use a different self-signed or CA-signed certificate for client or server authentication
    • To identify a unique cipher suite used by a trading partner
    • To activate common name validation
    • To activate client authentication
    • To enable a Security Mode such as FIPS 140-2.
    • To activate external authentication
  • If you want to use External Authentication Server to validate certificates:
    • Update the .SEAServer record with the External Authentication Server host name and port
    • Enable TLS
    • Enable external authentication
    • Specify the certificate validation definition to use
  • If you want to prevent non-secure API connections from communicating with a Connect:Direct Secure Plus enabled server, configure the .Client record (created by default when Secure+ is installed):
    • Enable TLS
    • Disable override, so that an API client cannot replace the .Client settings with a non-secure connection

Protection of certificates and keys in the PKCS12 Keystore

The PKCS12 keystore is protected with the following parameters (as reported by a PKCS12 dump such as openssl pkcs12 -info):
  • Integrity MAC: sha256, Iteration 10000; MAC length 32 bytes, salt length 20 bytes. The whole keystore is covered by an HMAC-SHA256 keyed from the keystore password, so a wrong password or a tampered file is detected before any bag is opened.
  • Contents: PKCS7 Data
  • Private keys: Shrouded Keybag protected with PBES2 (PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256). Each private key is encrypted with AES-256-CBC under a key derived from the keystore password by PBKDF2-HMAC-SHA256 with 10000 iterations.

Attention: PKCS12 stores label (alias) names in lowercase, so refer to an alias in lowercase wherever a node record names a certificate.