Secure Plus Tools
Secure Plus consists of five components:
- Connect:Direct® Secure Plus Administration Tool (Secure+ Admin Tool)
- Parameters file (Secure+ parameters file)
- Access file (Secure+ access file)
- Strong Password Encryption Parameters file
- Connect:Direct Secure Plus Command Line Interface (Secure+ CLI).
The following sections describe these components and their function within Connect:Direct Secure Plus.
Secure+ Admin Tool
The Secure+ Admin Tool is a graphical user interface (GUI) that enables you to configure and maintain the Sterling Connect:Direct Secure Plus environment. The Secure+ Admin Tool is the interface for creating and maintaining the Secure+ parameters file; operating system utilities and editing tools cannot be used to create or update this file.
Secure+ Parameters File
The Connect:Direct Secure Plus parameters file (Secure+ parameters file) contains information that determines the protocol and encryption method used during encryption-enabled Connect:Direct Secure Plus operations. To configure Connect:Direct Secure Plus, each site must have a Secure+ parameters file that contains one local node record and at least one remote node record for each trading partner who uses Connect:Direct Secure Plus to perform a secure connection. The local node record defines the most commonly used security and protocol settings for the node at the site. The local node record can also be used as a default for one or more remote node records. Each remote node record defines the specific security and protocol settings used by a trading partner. You should create a remote node record in the Secure+ parameters file for each Connect:Direct node that you communicate with even if the remote node does not use Connect:Direct Secure Plus.
When you create the Secure+ parameters file, a record named .SEAServer is automatically added to the file, which enables Connect:Direct to interface with Sterling External Authentication Server during a TLS session. External authentication is configured in this record and enabled or disabled in the local and remote node records.
With v6.1, Connect:Direct Secure Plus can cache certificate validation responses from External Authentication Server when it interfaces with External Authentication Server during a TLS session. This minimizes the overhead of requesting certificate validation from External Authentication Server by eliminating the need for Connect:Direct Secure Plus to query External Authentication Server on every session. Because a cached response is reused until it expires, a certificate that is revoked after a successful validation continues to be accepted until its cached entry ages out, so choose the cache lifetime with that window in mind. External Authentication Server response caching is disabled by default. To enable it, see Update the Sterling External Authentication Server Record and Configure External Authentication in the .SEAServer Record.
For additional security, the Secure+ parameters file is stored in an encrypted format. The information used for encrypting and decrypting the Secure+ parameters file (and private keys) is stored in the Secure+ access file.
Secure+ Access File
The Connect:Direct Secure Plus access file (Secure+ access file) is generated automatically when you create the Secure+ parameters file for the first time. You type a passphrase when you first initialize Connect:Direct Secure Plus. This passphrase is used to generate the keys necessary to encrypt and decrypt the entries in the Secure+ parameters file. The passphrase itself is not retained.
Your Connect:Direct Secure Plus administrator must secure the Secure+ access file (<cdinstall>/ndm/secure+/nodes/.cdspacf). The administrator must have full create and update permissions on this file. The Connect:Direct server must have read authority. To keep the Secure+ access file secure, the general user community must have no access permission to it. The file can be secured with any available file access restriction tool. Because the access file holds the material used to decrypt the Secure+ parameters file and the private keys it contains, exposure of the Secure+ access file to unauthorized personnel can compromise the security of every data exchange that depends on them.
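The permission rule above (administrator owns and writes, server reads, nobody else has any access) is easy to get wrong after an upgrade or restore. The following POSIX shell script is an added example, not part of the Connect:Direct documentation or product: it audits the mode bits on the Secure+ access file and, by assumption, applies the same rule to the Strong Password Encryption parameters file. It assumes CDINSTALL points at the installation root and that the Connect:Direct server reads the files through a group named by CD_SERVER_GROUP (default "cdserver"); both names are illustrative.

```shell
#!/bin/sh
# Added example (not from the Connect:Direct documentation): audit and tighten
# the permission bits on the Secure+ access file and the Strong Password
# Encryption parameters file.
# Assumptions: CDINSTALL is the install root; the administrator owns the files;
# the Connect:Direct server reads them via the group in CD_SERVER_GROUP.

# Print the octal permission bits of a file (GNU stat and BSD stat differ).
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Return 0 when the file grants nothing to "other" and at most read to group
# (owner bits are not restricted: the administrator needs read and write).
secure_mode_ok() {
    mode=$(file_mode "$1") || return 1
    mode=$(printf '%s' "$mode" | tail -c 3)   # drop setuid/setgid/sticky digit
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    [ "$other" = "0" ] || return 1
    case "$group" in
        0|4) return 0 ;;
        *)   return 1 ;;
    esac
}

# Owner read/write, group read for the server, nothing for other.
harden_file() {
    chgrp "${CD_SERVER_GROUP:-cdserver}" "$1" 2>/dev/null || true  # group is an assumption
    chmod 640 "$1"
}

# Check the files named in this section; return 1 if any fails the rule.
audit() {
    rc=0
    for f in "$CDINSTALL/ndm/secure+/nodes/.cdspacf" \
             "$CDINSTALL/ndm/secure+/nodes/.Password"; do
        if secure_mode_ok "$f"; then
            echo "OK   $f ($(file_mode "$f"))"
        else
            echo "FAIL $f ($(file_mode "$f" 2>/dev/null || echo missing))"
            rc=1
        fi
    done
    return $rc
}

if [ -n "${CDINSTALL:-}" ]; then
    audit || echo "one or more files fail the rule; run harden_file on each"
fi
```

Run it as the administrator with CDINSTALL set; a FAIL line means the file is world-accessible or group-writable and should be passed to harden_file (or fixed with whatever access-control tool the site standardizes on). The check deliberately accepts both 600 and 640, since a site may let the server run as the owning user instead of a separate group.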
Strong Password Encryption Parameters File
Strong Password Encryption protects Connect:Direct passwords that may be specified in a Connect:Direct Process by encrypting the Process when it is submitted and stored in the Connect:Direct work area. Strong Password Encryption uses the AES-256 encryption algorithm. Strong Password Encryption parameters are stored in the parameters file (<cdinstall>/ndm/secure+/nodes/.Password). This feature is enabled by default. For more information on using this feature, refer to Configure Strong Password Encryption.
Connect:Direct Secure Plus Command Line Interface
The Java-based Connect:Direct Secure Plus Command Line Interface (Secure+ CLI) is provided so that you can write customized scripts that automate the implementation of Connect:Direct Secure Plus. Sample UNIX scripts are provided as models for your customized scripts. You can save these scripts under another name, modify them to reflect your environment, and distribute them throughout your enterprise. For more information about using the Secure+ CLI, its commands and parameter descriptions, and the sample scripts, see Automate Setup with the Secure+ CLI.