Node Configuration Overview

Before you begin using Connect:Direct® Secure Plus, you must configure nodes for secure operations.

When you import the network map records into the Connect:Direct Secure Plus parameters file, Connect:Direct Secure Plus parameters are disabled and you will need to configure the .Local node record.

To configure the nodes for Connect:Direct Secure Plus, complete the following procedures:
  • Configure or create a new PKCS12 Key Store through the Key Management menu on the Secure+ Admin Tool.
  • Import existing Certificates.
  • Configure the Connect:Direct Secure Plus .Local node record.
    • Define the security options for the local node. Because TLS provides strong authentication with easy-to-maintain keys, configure the local node for TLS 1.2 or TLS 1.3. Determine which protocol version is used by most trading partners and configure the local node with that version.
    • Enable Override to allow customized remote node settings or Copy Statement settings.
  • Customize a remote node for the following configurations:
    • To disable the protocol for remote nodes that do not use Connect:Direct Secure Plus
    • To configure remote nodes that use a protocol that is not defined in the local node
      • When you configure the local node, all remote nodes are automatically configured to the protocol defined in the local node. If a trading partner uses a different protocol version, you must turn on that version in the remote node record. For example, if you activate only TLS 1.3 in the .Local node record and a trading partner supports only TLS 1.2, enable TLS 1.2 in the remote node record for that trading partner.
    • To use a unique certificate file to authenticate a trading partner
    • To use a different self-signed or CA-signed certificate for client or server authentication
    • To identify a unique cipher suite used by a trading partner
    • To activate common name validation
    • To activate client authentication
    • To enable a Security Mode such as FIPS 140-2.
    • To activate external authentication
  • If you want to use External Authentication Server to validate certificates:
    • Update the .SEAServer record with the External Authentication Server host name and port
    • Enable TLS
    • Enable external authentication
    • Specify the certificate validation definition to use
  • If you want to prevent non-secure API connections from communicating with a Connect:Direct Secure Plus enabled server:
    • The .Client record is created by default when Secure+ is installed.
    • Enable TLS
    • Disable override

Certificates and keys protection in the PKCS12 Keystore

PKCS12 encryption details, as reported by openssl pkcs12 -info, are as follows:

MAC: sha256, Iteration 10000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256

That is, the private key is wrapped with PBES2 (PBKDF2 with HMAC-SHA256, 10000 iterations) and AES-256-CBC, and the file integrity MAC is HMAC-SHA256 with the same iteration count.
Attention: PKCS12 uses lowercase label names.

Import Existing Certificates

About this task

Before performing your .Local node configuration, you need to import existing certificates.

To import existing certificates:

Procedure

  1. Import existing certificates, either key certificates or trusted root files from trading partners, into the Key Store. On the Secure+ Admin Tool main window, from the Key Management menu, select Configure Key Store. The Key Store Manager window appears.
  2. Verify the PKCS12 Key Store path. If it is incorrect, click Browse to locate the Key Store path. The Browse PKCS12 KeyStore File window appears.
  3. The default Key Store name is cdkeystore.p12. To locate the default Key Store path, navigate to the Key Store file:
    Windows path: <cdinstalldir>\Server\Secure+\Certificates\cdkeystore.p12
    Unix path: <cdinstalldir>/ndm/secure+/certificates/cdkeystore.p12
  4. Click Import. On the Import PEM KeyStore File window, navigate to and select the certificate file you want to use and click OK.
  5. If a key certificate file is being imported, its password must be entered. The KeyStore Password window appears. Type the password and click OK.
  6. The PEM Certificate Viewer displays the certificate file for review. Verify that the certificate is valid (expected subject and issuer, current validity period) and click Import. The Import Results window displays the status of the imported certificate. Click Close.
  7. The certificate is imported and given a Label based on the certificate Common Name (CN=). Note the serial number so that you can identify the correct certificate after import.
    Note: Because the Label is derived from the Common Name, two certificates with the same Common Name receive the same Label and one can overwrite the other, depending on the Default Mode setting. The Default Mode for Import is Add or Replace Certificates, so importing a certificate whose Label already exists replaces the existing entry.
  8. Click OK. Key Store Manager displays the contents of the updated keystore.

Create PKCS12 Key Store

About this task

Before performing your .Local node configuration, you may need to create a new PKCS12 Key Store file.

To create a new PKCS12 Key Store file:

Procedure

  1. On the Key Store Manager window, click New. The Create new PKCS12 KeyStore File dialog box appears.
  2. Enter the Directory location (you can also Browse to the location desired), the KeyStore file name, and the password for the new KeyStore file. You can also choose to Populate with standard certificate authorities. This will import all standard public CA Root certificates into the new KeyStore file.
  3. Click OK to create the new PKCS12 KeyStore file. Key Store Manager will display contents of the new keystore.
  4. Click Import. On the Import PEM KeyStore File window, navigate to and select the certificate file you want to use and click OK.
  5. If a key certificate file is being imported, its password must be entered. The KeyStore Password window appears. Type the password and click OK.
  6. The PEM Certificate Viewer displays the certificate file for review. Verify that the certificate is valid (expected subject and issuer, current validity period) and click Import. The Import Results window displays the status of the imported certificate. Click Close.
  7. The certificate is imported and given a Label based on the certificate Common Name (CN=). Note the serial number so that you can identify the correct certificate after import.
    Note: Because the Label is derived from the Common Name, two certificates with the same Common Name receive the same Label and one can overwrite the other, depending on the Default Mode setting. The Default Mode for Import is Add or Replace Certificates, so importing a certificate whose Label already exists replaces the existing entry.
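The keystore parameters listed under "Certificates and keys protection in the PKCS12 Keystore" and the label-collision note in the two procedures above can both be checked from the command line before you import anything. The following script is an added example, not IBM tooling: it shells out to the openssl command line (assumed to be on PATH) to read the Common Name and serial of each PEM certificate, predicts the lowercase label Secure+ derives from the CN, reports certificates whose labels would collide, exports a PKCS12 file with exactly the parameters the page lists (PBES2/PBKDF2, AES-256-CBC, 10000 iterations, HMAC-SHA256 MAC), and parses the openssl pkcs12 -info summary to confirm them. The file names, the demo password, the two throwaway self-signed certificates it generates and the OpenSSL 3 wording of the "MAC:" line are assumptions of this example.

```python
#!/usr/bin/env python3
"""Pre-import checks for a Secure+ PKCS12 keystore (added example, not IBM tooling).

Uses the openssl CLI (assumed on PATH). Paths, the demo password and the label
scheme are assumptions; the wanted parameters are the ones the page lists.
"""
import re
import subprocess
import sys
import tempfile
from collections import defaultdict
from pathlib import Path

# Keystore parameters the page states.
WANTED = {"mac": "sha256", "keybag_cipher": "AES-256-CBC",
          "iterations": 10000, "prf": "hmacWithSHA256"}


def label_for_cn(cn):
    """Secure+ labels an imported certificate by its CN; PKCS12 labels are lowercase."""
    return cn.strip().lower()


def cert_identity(pem_path):
    """Return (CN, serial) of a PEM certificate via `openssl x509`."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-serial", "-subject", "-nameopt", "RFC2253",
         "-in", str(pem_path)], check=True, capture_output=True, text=True).stdout
    serial = re.search(r"^serial=([0-9A-Fa-f]+)", out, re.M).group(1)
    cn = re.search(r"CN=([^,\n]+)", out).group(1)
    return cn, serial


def find_label_collisions(identities):
    """identities: iterable of (CN, serial). Return {label: [serials]} for labels used more than once."""
    by_label = defaultdict(list)
    for cn, serial in identities:
        by_label[label_for_cn(cn)].append(serial)
    return {label: serials for label, serials in by_label.items() if len(serials) > 1}


def pkcs12_export_args(key, cert, label, out_file, password):
    """openssl arguments producing PBES2/PBKDF2 AES-256-CBC, 10000 iterations, HMAC-SHA256 MAC."""
    return ["openssl", "pkcs12", "-export", "-inkey", str(key), "-in", str(cert),
            "-name", label, "-keypbe", "AES-256-CBC", "-certpbe", "AES-256-CBC",
            "-macalg", "sha256", "-iter", "10000",
            "-passout", "pass:" + password, "-out", str(out_file)]


def parse_pkcs12_info(info_text):
    """Parse the MAC and Shrouded Keybag lines printed by `openssl pkcs12 -info` (OpenSSL 3 format)."""
    found = {}
    m = re.search(r"MAC:\s*(\w+),\s*Iteration\s+(\d+)", info_text)
    if m:
        found["mac"], found["mac_iterations"] = m.group(1), int(m.group(2))
    m = re.search(r"Shrouded Keybag:\s*PBES2,\s*PBKDF2,\s*([\w-]+),\s*Iteration\s+(\d+),\s*PRF\s+(\w+)",
                  info_text)
    if m:
        found["keybag_cipher"], found["iterations"], found["prf"] = m.group(1), int(m.group(2)), m.group(3)
    return found


def keystore_matches(info_text):
    """True when every parameter in WANTED is reported for the keystore."""
    found = parse_pkcs12_info(info_text)
    return all(found.get(k) == v for k, v in WANTED.items())


def main(workdir, password="changeit"):
    workdir.mkdir(parents=True, exist_ok=True)
    certs = []
    for i in (1, 2):   # constructed input: two throwaway self-signed certs sharing one CN
        key, cert = workdir / f"key{i}.pem", workdir / f"cert{i}.pem"
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
                        "-days", "1", "-subj", "/CN=CD.Partner.Example",
                        "-keyout", str(key), "-out", str(cert)], check=True, capture_output=True)
        certs.append((key, cert))
    identities = [cert_identity(cert) for _, cert in certs]
    for label, serials in find_label_collisions(identities).items():
        print(f"label {label!r} shared by serials {serials}: the later import replaces the earlier one")
    key, cert = certs[0]
    keystore = workdir / "cdkeystore.p12"
    subprocess.run(pkcs12_export_args(key, cert, label_for_cn(identities[0][0]), keystore, password),
                   check=True, capture_output=True)
    info = subprocess.run(["openssl", "pkcs12", "-info", "-noout", "-in", str(keystore),
                           "-passin", "pass:" + password], capture_output=True, text=True)
    report = info.stderr + info.stdout   # -info writes its algorithm summary to stderr
    print(report.strip())
    print("matches page parameters:", keystore_matches(report))
    return 0 if keystore_matches(report) else 1


if __name__ == "__main__":
    sys.exit(main(Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tempfile.mkdtemp())))
```

Run it with a scratch directory as the only argument; with no argument it uses a temporary directory. Point cert_identity and find_label_collisions at your real PEM files to see which trading-partner certificates would land on the same label, and feed the output of openssl pkcs12 -info for an existing cdkeystore.p12 to keystore_matches to confirm it uses the listed parameters rather than the older PBE-SHA1/3DES defaults.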

Configuring the Connect:Direct Secure Plus .Local Node Record

About this task

Before you can configure the .Local node record, you must either import your existing certificates or create and configure a PKCS12 Key Store. For additional information, see Import Existing Certificates or Create PKCS12 Key Store in the documentation library.

It is recommended that you configure the .Local node record with the protocol used by most of your trading partners. Because remote node records can use the attributes defined in the .Local node record, defining the .Local node record with the most commonly used protocol saves time. After you define the protocol in the .Local node record, all remote nodes default to that protocol. Also, identify the trusted root file to be used to authenticate trading partners.

To configure the local node, refer to the Local Node Security Feature Definition Worksheet that you completed for the .Local node record security settings and complete the following procedure:
Note: In Connect:Direct for UNIX 6.3, when Integrated File Agent is installed, if Secure+ .Local record has not already been assigned a key certificate, an automatically generated self-signed certificate is assigned to Secure+'s .Local record.

Procedure

  1. From the Secure+ Admin Tool Main Window, double-click the .Local record. The Edit Record dialog box displays the Security Options tab, the node name, and the type of node.
  2. Set the Security Options for the local or remote node entry you are configuring and if necessary, modify the time-out value in Authentication Timeout.
    Refer to the following table for an explanation of the Security Options boxes:
    Note: Support for the deprecated protocols TLS 1.0, TLS 1.1, and SSL 3.0 has been removed and they can no longer be configured. If TLS 1.0 or TLS 1.1 was configured before an upgrade to IBM Sterling Connect:Direct for UNIX 6.3, that setting is still honored and preserved until you remove it explicitly; once removed, it cannot be reconfigured.

    SSL 3.0 support has been removed completely. Even if SSL 3.0 was configured before the upgrade to Connect:Direct for UNIX 6.3, it is not used after the upgrade: if any other supported protocol is configured, that protocol is used instead; otherwise TLS 1.2 is used in the background.

    Field Name: Field Definition. Valid Values.

    Node Name: Specifies the node record name. Value: .Local. This is not an editable field.
    Base Record: Specifies the name of the base record. If an alias record is selected, the base record name is displayed in this box. Value: name of the local Connect:Direct node.
    Type: Specifies the current record type. Value: Local for a local record, Remote for a remote record. This is not an editable field.
    Disable Secure+: Disables Connect:Direct Secure Plus. Default: Disable Secure+.
    Note: If this option is selected, override is enabled, and no remote node definition exists for the remote node in the Connect:Direct Secure Plus parameters file, Connect:Direct Secure Plus is bypassed for sessions with that node.
    Enable TLS 1.0 Protocol: Enables the TLS 1.0 protocol. TLS 1.0 support has been removed and the security protocol can no longer be set to TLS 1.0; a TLS 1.0 setting that was in use before the upgrade to 6.3 is still honoured after the upgrade. Default: Disable Secure+.
    Enable TLS 1.1 Protocol: Enables the TLS 1.1 protocol. TLS 1.1 support has been removed and the security protocol can no longer be set to TLS 1.1; a TLS 1.1 setting that was in use before the upgrade to 6.3 is still honoured after the upgrade. Default: Disable Secure+.
    Enable TLS 1.2 Protocol: Enables TLS 1.2 so that data is transmitted securely. Default: Disable Secure+.
    Enable TLS 1.3 Protocol: Enables TLS 1.3 so that data is transmitted securely. Default: Disable Secure+.
    Override: Disable prevents values in a remote node record from overriding the values in the .Local node record. Default: Disable.
    FIPS 140-2: Enables FIPS 140-2 security. Default: Disable.
    SP800-131A Transition: Enables NIST SP800-131A security in transition mode. Default: Disable.
    SP800-131A: Enables NIST SP800-131A security mode. Default: Disable.
    Suite B 128 bit: Enables Suite B 128-bit security. Default: Disable.
    Suite B 192 bit: Enables Suite B 192-bit security. Default: Disable.
    Node or Copy Statement Override: There are several types of override. For both PNODE and SNODE, this parameter indicates whether remote node record parameters override the .Local node record parameters. When no remote node record applies to a session, that is, when this parameter is set to No, or it is set to Yes but no correlating remote node record exists for the session, the parameter also indicates:
      • For PNODE, whether process overrides, which may optionally be specified in Process, Submit, and Copy statements, are allowed.
      • For SNODE, whether the Secure+ protocol specified by the PNODE may override the protocol specified by the SNODE, and whether unsecured incoming sessions may proceed.
    Default: No.
    Authentication Timeout: Specifies the maximum time, in seconds, that the system waits to receive the Connect:Direct Secure Plus blocks exchanged during the Connect:Direct Secure Plus authentication process. A value of 0 makes Connect:Direct wait indefinitely for the next message; specify a finite value so that a malicious peer cannot hold the authentication exchange open for as long as it likes while attacking it. Valid values: 0 to 3600. Default: 120 seconds.

  3. Click the TLS Options tab. The TLS Options dialog box is displayed.
  4. Select an existing Key Certificate from the key store. To select a Key Certificate from the keystore, click Browse next to Key Certificate Label. The PKCS12 KeyStore Certificate Viewer appears.
    Note: You must add or import the key certificate into your key store prior to configuring your node. For additional information, see Import Existing Certificates or Create PKCS12 Key Store in the documentation library.
  5. In the Key Certificates area, select the key certificate you want to use and click OK.
  6. Select cipher suites from the following list. The first four entries are TLS 1.3 cipher suites and are used only when TLS 1.3 is negotiated; the remaining entries apply to TLS 1.2.

    TLS_AES_256_GCM_SHA384
    TLS_AES_128_GCM_SHA256
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_CCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_NULL_SHA
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_RSA_WITH_NULL_SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_RSA_WITH_NULL_SHA256
    TLS_RSA_WITH_NULL_SHA
    TLS_RSA_WITH_NULL_MD5

    The following suites are marked as deprecated, and a security warning is issued when one of them is enabled. The NULL suites authenticate the peer and integrity-protect the session but do not encrypt the transferred data; the RC4, DES, 3DES and MD5-based suites rely on algorithms with known practical weaknesses. Enable one of these only for a trading partner that cannot negotiate anything else, and then only in that partner's remote node record rather than in the .Local node record.

    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_ECDSA_WITH_NULL_SHA
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_NULL_MD5
    TLS_ECDHE_RSA_WITH_NULL_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_RSA_WITH_NULL_SHA256
    TLS_RSA_WITH_NULL_SHA

  7. Click the External Authentication tab. The External Authentication dialog box is displayed.
  8. Choose one of the following options:
    • To enable external authentication for this node record, click Yes in the Enable External Authentication box.
    • To disable external authentication for this node record, click No.
  9. Type the Certificate Validation Definition character string defined in External Authentication Server.
  10. Click OK to close the Edit Record dialog box and update the parameters file.
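The Disable Secure+ note, the Override field and the Node or Copy Statement Override description in the Security Options table above interact in ways that are easy to misread, and the same interaction is what makes "Enable TLS, disable override" on the .Client record block non-secure API connections. The following is an added example, not Connect:Direct code: a small model that applies the rules exactly as the table states them to one session, so you can see what a given combination of .Local record, remote node record and role actually permits. The NodeRecord and Effective classes, the protocol names and the treatment of Disable Secure+ as an empty protocol set are this example's own assumptions.

```python
"""Session policy model for the Security Options table (added example, not Connect:Direct code).

Rules encoded: remote record values override .Local only when .Local's override
is enabled; Disable Secure+ plus override plus no remote record bypasses Secure+;
when .Local governs, its override flag decides process overrides (PNODE) and
PNODE-protocol override / unsecured incoming sessions (SNODE); a remote record's
own override flag decides the PNODE/SNODE effects listed for remote records.
"""
from dataclasses import dataclass


@dataclass
class NodeRecord:
    protocols: frozenset            # enabled versions, e.g. {"TLS1.2", "TLS1.3"} (assumed names)
    disable_secure_plus: bool = False
    override: bool = False          # Node or Copy Statement Override = Yes


@dataclass
class Effective:
    bypassed: bool = False                       # Secure+ skipped entirely (Disable Secure+ note)
    protocols: frozenset = frozenset()
    source: str = ".Local"                       # which record supplied the protocol set
    allow_process_override: bool = False         # PNODE: Process/Submit/Copy statements may override
    allow_pnode_protocol_override: bool = False  # SNODE: the PNODE's protocol may win
    allow_unsecured_incoming: bool = False       # SNODE: a non-Secure+ session may proceed


def resolve(local, remote, role):
    """Combine the .Local record and the matching remote record (None if absent) for one session."""
    if role not in ("PNODE", "SNODE"):
        raise ValueError("role must be PNODE or SNODE")
    # Disable Secure+ selected, override enabled and no remote record: Secure+ is bypassed.
    if local.disable_secure_plus and local.override and remote is None:
        return Effective(bypassed=True, source=".Local (bypass)")
    eff = Effective(protocols=frozenset() if local.disable_secure_plus else local.protocols)
    if remote is not None and local.override:
        # Remote record values override .Local only when .Local allows overrides.
        eff.protocols, eff.source = remote.protocols, "remote record"
        governing = remote.override        # the remote record's own override flag applies
    else:
        governing = local.override         # no applicable remote record: .Local governs
    if role == "PNODE":
        eff.allow_process_override = governing
    else:
        eff.allow_pnode_protocol_override = governing
        # Only the .Local table lists unsecured incoming sessions as an override effect.
        eff.allow_unsecured_incoming = governing and eff.source == ".Local"
    return eff


if __name__ == "__main__":
    tls = frozenset({"TLS1.2", "TLS1.3"})
    # .Client-style record: TLS on, override off, so API clients cannot connect unsecured.
    print(resolve(NodeRecord(tls, override=False), None, "SNODE"))
    # Same record with override on: unsecured incoming sessions would be allowed.
    print(resolve(NodeRecord(tls, override=True), None, "SNODE"))
    # Partner that only speaks TLS 1.2, configured in its remote record.
    print(resolve(NodeRecord(tls, override=True), NodeRecord(frozenset({"TLS1.2"})), "PNODE"))
```

The second scenario is the one to watch: a .Local or .Client record with TLS enabled but Override set to Yes still lets an unsecured incoming session through whenever no remote record matches the caller, which is why the page pairs Enable TLS with Disable override for the .Client record.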

Customize Remote Node Records

After you configure the .Local node record, Connect:Direct Secure Plus enables the protocol and parameters that you configured for the local node for all remote node records. If all trading partners use the protocol and configuration defined in the .Local node record, you are now ready to begin using Connect:Direct Secure Plus.

However, even when a trading partner uses the same protocol as the one defined in the .Local node record, you may need to customize remote node records for the following configurations:

  • Using a unique certificate file to authenticate a trading partner: During a TLS session, a certificate enables the PNODE to authenticate the SNODE. You identified a certificate in the .Local node record. If you want to use a different certificate to authenticate a particular trading partner, identify it in that trading partner's remote node record.
  • Using a self-signed certificate file to authenticate a trading partner: During a TLS session, a certificate enables the PNODE to authenticate the SNODE. If you want to use a self-signed certificate to authenticate a trading partner, identify it in the remote node record.
  • Activating client authentication: Client authentication requires the SNODE to validate the PNODE's certificate as well. If you want to enable client authentication, activate this feature in the remote node record.
  • Activating common name validation: For another layer of security, you can validate the certificate common name by specifying the common name expected in the identity certificate received, either by the PNODE from the SNODE or, when client authentication is enabled, by the SNODE from the PNODE. Without it, any certificate issued by a trusted root is accepted, whichever party it was issued to.
  • Identifying the cipher suite used by a trading partner: When configuring the TLS protocol, you enable the cipher suites that may be used to encrypt the transmitted data. A session with a trading partner uses a cipher suite that both sides have enabled; if the two configurations have no cipher suite in common, the session fails. If necessary, enable an additional cipher suite in the remote node record.
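Two passages above, the cipher suite list in step 6 of the .Local node procedure and the bullet on matching a trading partner's cipher suite, are easiest to act on with a script. The following is an added example, not Connect:Direct code: it classifies the listed suites by weakness (which reproduces the page's deprecated set), strips weak suites from a preference list, and checks whether a local and a remote configuration can negotiate at all, taking into account that TLS 1.3 suites and TLS 1.2 suites are not interchangeable. The suite names and the deprecated set are copied from the page; the weakness rules, the TLS 1.3 detection, the protocol version labels and the function names are this example's own.

```python
"""Cipher suite checks for the Secure+ suite list (added example, not Connect:Direct code)."""

# All suites offered on the page, in the page's order.
PAGE_SUITES = """
TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_NULL_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_NULL_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA TLS_RSA_WITH_NULL_MD5
""".split()

# Suites the page marks deprecated.
DEPRECATED = set("""
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_ECDSA_WITH_NULL_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_NULL_MD5
TLS_ECDHE_RSA_WITH_NULL_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA
""".split())

# TLS 1.3 suites name only the AEAD and hash; they are never used by TLS 1.2 and vice versa.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256"}


def weakness(suite):
    """Return why a suite is unsafe, or None. Checked most severe first."""
    if "_NULL_" in suite:
        return "no encryption (NULL cipher)"
    if "_RC4_" in suite:
        return "RC4 (prohibited for TLS by RFC 7465)"
    if "_3DES_" in suite:
        return "3DES (64-bit block, Sweet32)"
    if "_DES_CBC_" in suite:
        return "single DES (56-bit key)"
    if suite.endswith("_MD5"):
        return "MD5 MAC"
    return None


def harden(suites):
    """Drop every suite with a known weakness, keeping the caller's preference order."""
    return [s for s in suites if weakness(s) is None]


def suite_version(suite):
    return "TLS1.3" if suite in TLS13_SUITES else "TLS1.2"


def negotiable(local_suites, local_protocols, remote_suites, remote_protocols):
    """Suites both records enable that fit a protocol version both enable, in local preference order."""
    versions = set(local_protocols) & set(remote_protocols)
    remote = set(remote_suites)
    return [s for s in local_suites if s in remote and suite_version(s) in versions]


def partner_report(local_suites, local_protocols, remote_suites, remote_protocols):
    """Summarise what a session with this partner can negotiate and what should be fixed."""
    usable = negotiable(local_suites, local_protocols, remote_suites, remote_protocols)
    return {
        "negotiable": usable,
        "session_fails": not usable,                       # no common suite: the page says the session fails
        "weak_in_common": [s for s in usable if weakness(s)],
        "weak_enabled_locally": {s: weakness(s) for s in local_suites if weakness(s)},
    }


if __name__ == "__main__":
    # Constructed configurations: a hardened local list against a partner stuck on TLS 1.2 with 3DES.
    local = harden(PAGE_SUITES) + ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    partner = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    for key, value in partner_report(local, {"TLS1.2", "TLS1.3"}, partner, {"TLS1.2"}).items():
        print(f"{key}: {value}")
```

Feed partner_report the suite lists and protocol versions from your own .Local (or remote node) record and from the partner's stated configuration; an empty "negotiable" list means the session will fail before any data moves, and a non-empty "weak_in_common" list means the only thing keeping the session on a strong suite is preference order, not policy.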

Configuring a Remote Node Record

About this task

Before you can configure a remote node record, you must either import your existing certificates or create and configure a PKCS12 Key Store. For additional information, see Import Existing Certificates or Create PKCS12 Key Store in the documentation library.

Configure each remote node record with the protocol that the trading partner uses. Remote node records inherit the attributes defined in the .Local node record, so you only need to set the values that differ for this trading partner, such as a different protocol version, certificate, or cipher suite list. Also identify the trusted root file to be used to authenticate the trading partner.

To configure the remote node, refer to the security feature definition worksheet that you completed for the remote node record security settings and complete the following procedure:

Procedure

  1. From the Secure+ Admin Tool Main Window, double-click the remote node record you want to configure. The Edit Record dialog box displays the Security Options tab, the node name, and the type of node.
  2. Set the Security Options for the local or remote node entry you are configuring and if necessary, modify the time-out value in Authentication Timeout.
    Refer to the following table for an explanation of the Security Options boxes:
    Note: Support for the deprecated protocols TLS 1.0, TLS 1.1, and SSL 3.0 has been removed and they can no longer be configured. If TLS 1.0 or TLS 1.1 was configured before an upgrade to IBM Sterling Connect:Direct for UNIX 6.3, that setting is still honored and preserved until you remove it explicitly; once removed, it cannot be reconfigured.

    SSL 3.0 support has been removed completely. Even if SSL 3.0 was configured before the upgrade to Connect:Direct for UNIX 6.3, it is not used after the upgrade: if any other supported protocol is configured, that protocol is used instead; otherwise TLS 1.2 is used in the background.

    Field Name: Field Definition. Valid Values.

    Node Name: Specifies the node record name. Value: the remote node name. This is not an editable field.
    Base Record: Specifies the name of the base record. If an alias record is selected, the base record name is displayed in this box. Value: name of the base node record.
    Type: Specifies the current record type. Value: Local for a local record, Remote for a remote record. This is not an editable field.
    Disable Secure+: Disables Connect:Direct Secure Plus. Default: Disable Secure+.
    Note: If this option is selected, override is enabled, and no remote node definition exists for the remote node in the Connect:Direct Secure Plus parameters file, Connect:Direct Secure Plus is bypassed for sessions with that node.
    Enable TLS 1.0 Protocol: Enables the TLS 1.0 protocol. TLS 1.0 support has been removed and the security protocol can no longer be set to TLS 1.0; a TLS 1.0 setting that was in use before the upgrade to 6.3 is still honoured after the upgrade. Default: Disable Secure+.
    Enable TLS 1.1 Protocol: Enables the TLS 1.1 protocol. TLS 1.1 support has been removed and the security protocol can no longer be set to TLS 1.1; a TLS 1.1 setting that was in use before the upgrade to 6.3 is still honoured after the upgrade. Default: Disable Secure+.
    Enable TLS 1.2 Protocol: Enables TLS 1.2 so that data is transmitted securely. Default: Disable Secure+.
    Enable TLS 1.3 Protocol: Enables TLS 1.3 so that data is transmitted securely. Default: Disable Secure+.
    Override: Disable prevents the values in this remote node record from being overridden (see Node or Copy Statement Override below). Default: Disable.
    FIPS 140-2: Enables FIPS 140-2 security. Default: Disable.
    SP800-131A Transition: Enables NIST SP800-131A security in transition mode. Default: Disable.
    SP800-131A: Enables NIST SP800-131A security mode. Default: Disable.
    Suite B 128 bit: Enables Suite B 128-bit security. Default: Disable.
    Suite B 192 bit: Enables Suite B 192-bit security. Default: Disable.
    Node or Copy Statement Override: For PNODE, this parameter indicates whether process overrides, which may optionally be specified in Process, Submit, and Copy statements, are allowed. For SNODE, this parameter indicates whether the Secure+ protocol specified by the PNODE may override the protocol specified by the SNODE. Default: No.
    Authentication Timeout: Specifies the maximum time, in seconds, that the system waits to receive the Connect:Direct Secure Plus blocks exchanged during the Connect:Direct Secure Plus authentication process. A value of 0 makes Connect:Direct wait indefinitely for the next message; specify a finite value so that a malicious peer cannot hold the authentication exchange open for as long as it likes while attacking it. Valid values: 0 to 3600. Default: 120 seconds.

  3. Click the TLS Options tab. The TLS Options dialog box is displayed.
  4. Select an existing Key Certificate from the key store. To select a Key Certificate from the keystore, click Browse next to Key Certificate Label. The PKCS12 KeyStore Certificate Viewer appears.
    Note: You must add or import the key certificate into your key store prior to configuring your node. For additional information, see Import Existing Certificates or Create PKCS12 Key Store in the documentation library.
  5. In the Key Certificates area, select the key certificate you want to use and click OK.
  6. Click the External Authentication tab. The External Authentication dialog box is displayed.
  7. Choose one of the following options:
    • To enable external authentication on the remote node, click Yes in the Enable External Authentication box.
    • To disable external authentication on the remote node, click No.
  8. Type the Certificate Validation Definition character string defined in External Authentication Server.
  9. Click OK to close the Edit Record dialog box and update the parameters file.

Validating the Configuration

Perform this procedure to ensure that the nodes have been properly configured. The validation process checks each node to ensure that all necessary options have been defined and keys have been exchanged. Perform the following steps to validate the Secure+ parameters file:

Procedure

  1. From the Secure+ Admin Tool Main Menu, click Validate Secure+ from the File menu. The Secure+ Admin Tool - Validation Results window is displayed.
  2. If the Secure+ parameters file is not correctly configured, warning and error messages are displayed.
  3. Go back to the Secure+ parameters file and make changes to correct each error reported.
  4. Read each warning message. If necessary, change the Secure+ parameters file to correct each warning.

    Warning messages do not always mean that the Secure+ parameters file is configured incorrectly. Some warning messages are informational only.

  5. Click Close to close the Validation Results window.

Configure External Authentication in the .SEAServer Record

About this task

At installation, a record named .SEAServer is created in the parameters file, which enables Connect:Direct Secure Plus to interface with External Authentication Server during TLS sessions to validate certificates. External Authentication Server properties are configured in this record and enabled/disabled in the local and remote node records.

Complete the following procedure to configure the server properties that will allow Connect:Direct for UNIX to interface with External Authentication Server:
Note: The values specified for this procedure must match the values specified in External Authentication Server.

Procedure

  1. Double-click the record called .SEAServer.
  2. Type the Host Name for External Authentication Server.
  3. Type the Port Number where External Authentication Server is listening. The default is 61366.
  4. To enable caching SEAS certificate validation response, select Enable Caching.
    When enabled, Connect:Direct Secure Plus can reuse certificate validity responses previously fetched from External Authentication Server; that is, it caches the responses so that certificate validation does not require a new request to External Authentication Server for every TLS session.
  5. Type the Cache Validity per certificate in hours. Default is 24 hours. Range: 1-720 hours.
  6. Type the Cache grace validity time per certificate when SEAS is unavailable, in hours. This is the number of hours during which Connect:Direct Secure Plus can still accept a certificate from its cache when the cache entry has expired and External Authentication Server is unavailable. Default is 0 hours, which means that no grace period applies. Range: 0-720 hours.
    Note: Cache grace validity time per certificate when SEAS is unavailable in hours should always be greater than or equal to Cache Validity per certificate in hours.
  7. Click OK to update the record.
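The three cache settings above (Enable Caching, Cache Validity, and the grace time used when SEAS is unavailable) decide whether a session proceeds on a cached answer, asks External Authentication Server, or fails. The following is an added example, not Connect:Direct code: a model of that decision, including the range checks and the rule that a non-zero grace time must be at least the cache validity. It assumes the grace window is measured from the time the validation response was fetched, which is the reading under which that rule makes sense; the outcome names and function names are this example's own.

```python
"""Cache decision model for the .SEAServer settings (added example, not Connect:Direct code)."""
VALIDITY_RANGE = (1, 720)   # Cache Validity per certificate, hours
GRACE_RANGE = (0, 720)      # Cache grace validity time when SEAS is unavailable, hours


def settings_problems(validity_hours, grace_hours):
    """Return the list of rule violations for the two settings (empty when they are acceptable)."""
    problems = []
    if not VALIDITY_RANGE[0] <= validity_hours <= VALIDITY_RANGE[1]:
        problems.append(f"cache validity {validity_hours}h outside {VALIDITY_RANGE}")
    if not GRACE_RANGE[0] <= grace_hours <= GRACE_RANGE[1]:
        problems.append(f"grace validity {grace_hours}h outside {GRACE_RANGE}")
    if grace_hours and grace_hours < validity_hours:
        problems.append("grace validity must be 0 or at least the cache validity")
    return problems


def decide(age_hours, validity_hours, grace_hours, seas_reachable, caching_enabled=True):
    """What Secure+ can do for one certificate check.

    age_hours: hours since the cached SEAS response was fetched (None when nothing is cached).
    Returns 'cache' (fresh entry used), 'query' (SEAS is asked), 'cache-grace' (expired
    entry accepted because SEAS is down and the grace window is still open) or 'fail'.
    """
    problems = settings_problems(validity_hours, grace_hours)
    if problems:
        raise ValueError("; ".join(problems))
    if not caching_enabled or age_hours is None:
        return "query" if seas_reachable else "fail"   # nothing usable locally
    if age_hours <= validity_hours:
        return "cache"                                  # fresh entry: no round trip needed
    if seas_reachable:
        return "query"                                  # expired entry: refresh from SEAS
    if grace_hours and age_hours <= grace_hours:
        return "cache-grace"                            # degraded mode: stale but within grace
    return "fail"                                       # no answer available: validation cannot complete


if __name__ == "__main__":
    # Constructed scenarios: validity 24h, grace 48h, entries of various ages, SEAS up or down.
    for age, up in ((1, True), (30, True), (30, False), (50, False), (None, False)):
        print(f"age={age!s:>4}h seas_up={up!s:<5} -> {decide(age, 24, 48, up)}")
```

The "fail" outcomes are the ones to plan for: with the default grace of 0, any cache entry older than the validity period is useless the moment SEAS is unreachable, so an SEAS outage longer than the validity period stops every Secure+ session that relies on external validation.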

Configure Strong Password Encryption

This feature uses strong encryption to encrypt all Connect:Direct Process data stored on disk in the Connect:Direct work area while a Process is on the TCQ. This feature is enabled by default.

Disabling Strong Password Encryption

Complete the procedure below to disable Strong Password Encryption:

Procedure

  1. From the Secure+ Admin Tool Main Menu screen, select Password Encryption from the Edit menu. The Secure+ Admin Tool - Password Encryption window is displayed.
  2. Click the No option for Enable Strong Password Encryption.
  3. Click OK to disable Strong Password Encryption. The following message is displayed:
    The IBM Connect:Direct Server must be restarted for the changes to Strong Password Encryption to become effective.
  4. Restart the IBM Connect:Direct Server.

Enabling Strong Password Encryption

Complete the procedure below to enable Strong Password Encryption:

Procedure

  1. From the Secure+ Admin Tool Main Menu screen, select Password Encryption from the Edit menu. The Secure+ Admin Tool - Password Encryption window is displayed.
  2. Click the Yes option for Enable Strong Password Encryption.
  3. Click OK to enable Strong Password Encryption. The following message is displayed:
    The IBM Connect:Direct Server must be restarted for the changes to Strong Password Encryption to become effective.
  4. Restart the IBM Connect:Direct Server.

Resetting Passwords

If the Strong Password Encryption key stored in the .Password file is out of sync with the Strong Password Encryption key used to encrypt the passwords, you must reset all Strong Password Encryption passwords.

About this task

The .Password file can get out of sync if one of the following occurs:

  • You restore the .Password file from a backup—The .Password file is updated each time the IBM Connect:Direct server is started, so the backup will probably not contain the current parameters.
  • The .Password file is deleted—The .Password file is recreated as needed, so the Strong Password Encryption key used to encrypt the passwords no longer exists.
  • The .Password file is corrupt—The Strong Password Encryption key used to encrypt the passwords is not accessible.

Complete the procedure below to reset the passwords:

Procedure

  1. Stop the IBM Connect:Direct server.
  2. Delete the <cdinstall>/ndm/secure+/nodes/.Password file.
  3. Start the IBM Connect:Direct server.
  4. Manually delete all Processes in the TCQ. Refer to the IBM Connect:Direct for UNIX User Guide for command syntax and parameter descriptions for the delete Process and flush Process commands.

Decryption Failure

If the process KQV file fails decryption at startup or during runtime, the server places the Process in the HOLD/Error queue to raise the visibility of the error.