Adding a Remote Node Record for the External Authentication Server

To verify certificates using External Authentication Server, create a remote node record for the External Authentication (EA) Server in the Connect:Direct® Secure Plus parameter file. Before you begin, complete the .EASERVER Node Security Feature Definition Worksheet.

To add a remote node record for the External Authentication Server:

  1. Select Edit from the Secure+ Admin Tool Main Screen and press Enter
  2. On the Edit menu, type 1 to select Create/Update Record and press Enter.
  3. On the Secure Plus: Create/Update Panel:
    1. Type .EASERVER in the Node Name field.
    2. Type R beside the Type field.
    3. Select EA Parameters and press Enter.
    4. Type * beside the Override field because it is not relevant to External Authentication.
    5. Type N beside the External Auth field.
  4. On the EA Parameters screen:
    1. Type information from the worksheet for the .EASERVER record in the following fields:
      Field Description
      External Auth Server Def Name of the certificate validation definition configured on the External Authentication Server that defines how to validate certificates. This field is case sensitive.
      External Auth Server Address IP address of server for External Authentication Server
      External Auth Server Port Port number to connect to the External Authentication Server.
      Note: After you create the .EASERVER remote node record, the External Auth Server Def, External Auth Server Address, and External Auth Server Port fields are populated in the EA Parameters panel of all IBM Connect:Direct Secure Plus parameter file records, but the only field that can be modified from a record other than the .EASERVER record is the Enable External Auth field.
    2. Select SSL/TLS Parameters in the panel selection bar and press Enter.
  5. To enable client authentication, Type Y beside the Enable Client Auth field.
  6. To specify the certificate label:
    1. Select the Certificate Label field and press Enter.
      Note: Leave this field blank to use the default certificate defined in the keystore.
    2. Press F8 to move to the editable portion of the label field.
    3. This field is case-sensitive, therefore, type the label of the certificate exactly as you defined it when you generated it using one of the security applications described in Configuration Worksheets, or type an asterisk (*) to specify the same label as the local node, and press Enter. Leave this field blank to use the default certificate defined in the key store.
    Note: The Certificate Pathname field is automatically set to '*' (Default to Local) in the Remote Node record. You are not allowed to update this field for a remote node.
  7. To enable ciphers:
    Note: If System SSL is in FIPS mode, only certain ciphers are valid. See the IBM Connect:Direct for z/OS Release Notes for a list of valid FIPS-mode ciphers.
    1. Select Security Options and press Enter.
    2. Type Y by the cipher you want to enable.
    3. Continue typing Y or N next to the ciphers you want to enable or disable.
    4. Press OK when you have enabled all necessary ciphers.
  8. Select OK and press Enter to save and close this remote node record.
  9. Read all warning and error messages. You can configure the environment without resolving warning messages, but you must resolve errors before you save the parameter file.
  10. Press Cancel to display current settings for the EA node.
  11. Save the parameter file using the procedure in IBM Connect:Direct Secure Plus Operation Enablement and Validation.