Configuring the Local Node Record for the SSL or TLS Protocol
About this task
All Connect:Direct® Secure Plus protocols are disabled when you import the network map. This procedure updates the local node record for the SSL (or TLS) protocol and enables the Override parameter. Remember that all options set for the local node are inherited by all remote node records.
To update the local node record for the SSL (or TLS) protocol:
Procedure
- From the IBM Connect:Direct Secure Plus Admin Main screen, type U next to the local node record and press Enter to display the Secure+ Create/Update Panel and the current values for the selected node.
Note: When you import the network map, the system enables Override in the local node record automatically, as shown in the following illustration.
File  Edit  Help
_____________________________________________________________________________
CD.ZOS.NODE                Secure+ Admin Tool: Main Screen          Row 1 of 7
Option ===> __________________________________________________    Scroll CSR
Table Line Commands are:
U Update node   H View History   D Delete node   I Insert node   V View node
Node Filter : *_______________
                                    Secure+                    External Client
LC Node Name        Type Protocol  Override Encryption Auth     Auth
-- ---------------- ---- --------  -------- ---------- -------- --------
__ .CLIENT          R    *         N        *          *        *
__ .EASERVER        R    TLSV10    N        *          N        *
__ .PASSWORD        R    Disabled  *        *          *        *
__ CD.UNIX.NODE     R    TLSV10    *        *          *        *
__ CD.UNIX.NODE2    R    TLSV12    *        *          *        *
__ CD.ZOS.NODE      L    Disabled  Y        N          N        N
__ CD.ZOS.NODE2     R    *         *        *          *        *
********************************* BOTTOM OF DATA ****************************
- Select SSL/TLS Parameters in the panel selection line and press Enter to display the SSL/TLS Parameters panel.
- To select the protocols you want to enable, type Y beside each Secure+ protocol you want to enable, or N beside each protocol you want to disable.
Note: If System SSL is in FIPS mode, TLS is the only supported protocol. See Planning for System SSL in FIPS Mode.
Note: You can enable support for multiple protocols; the highest protocol supported by both ends of the session is used.
- Type Y in the Enable Override field.
- On the EA Parameters screen, type N next to the Enable External Auth field.
- On the Security Options screen, do one of the following, depending on the Encrypt option you want to implement. (The Encrypt.Data field has been deprecated, but it remains editable and is still valid for earlier releases.)
- To encrypt both the control block information and the files being transferred, type Y beside the Encrypt field.
- To encrypt only the control block information used to establish the session, type N beside the Encrypt field.
- To default to the local node record, type D beside the Encrypt field (this option is meaningful only in a remote node record).
- To choose the Manual or Extended panel for cipher selection, type Manual or Extended in the Cipher Selection Method field.
- The Manual panel lets you select up to ten ciphers from the available list.
- The Extended panel lets you select more than 10 and up to 99 ciphers from the available cipher list.
-
If necessary, update the certificate label:
- Select the Certificate Label field and press Enter.
Note: If System SSL is in FIPS Mode, the Certificate Label has FIPS requirements. See Planning for System SSL in FIPS Mode.
Note: To use the default certificate defined in the key store, leave the Certificate Label field blank.
- Press F8 to move to the editable portion of the panel containing the label field.
- This field is case sensitive; type the certificate label exactly as you defined it when you generated the certificate, and press Enter.
-
If necessary, update the location where the certificate information is stored:
- Select the Certificate Pathname field and press Enter to display the Certificate Pathname panel.
Note: If System SSL is in FIPS Mode, the Certificate Pathname has FIPS requirements. See Planning for System SSL in FIPS Mode.
- Press F8 to scroll to the Certificate Path Name field.
- Type the UNIX path name of the key database (.kdb) or the security system key ring name that contains all the certificates referred to in the parameter file.
Note: This value is case sensitive. Ensure that you type it exactly as it appears in the certificate file. Refer to the information you recorded in the Local Node Security Feature Definition Worksheet.
-
If you are using a key database:
- Press F8 to scroll to the password field.
- Type the password used when the key database was created and press Enter.
Note: This value is case sensitive. Refer to the information you recorded in the Local Node Security Feature Definition Worksheet.
Note: If you are using a key ring, leave the password field blank.
- Select Cipher Suites by placing the cursor on the text and pressing Enter. The Extended or Manual cipher suite selection panel opens, according to the value of the Cipher Selection Method field.
-
Manual Panel:
- To select ciphers, number the entries in the All Available Cipher-Suites list 1 through n (maximum of 10); the number sets the order of preference.
- As ciphers are selected they move to the Enabled Cipher-Suites list on the right side. This list is the default cipher list.
This is a scrollable panel, so use the F8 key to move forward and F7 to move back.
Option --->                 Cipher Filtering:Protocol   Cipher Sorting:Strongest
Update the order field below to enable and order Cipher Suites
O  All Available Cipher Suites          Enabled Cipher Suites
== ====================================  ====================================
                                                                    More: +
1  TLS_AES_256_GCM_SHA384                TLS_AES_256_GCM_SHA384
2  TLS_AES_128_GCM_SHA256                TLS_AES_128_GCM_SHA256
3  TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384  TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384
4  TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384  TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384
   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
   TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256
   TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256
   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
   TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
   TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
   TLS_ECDHE_ECDSA_WITH_NULL_SHA
   TLS_ECDHE_RSA_WIT_AES_256_GCM_SHA384
   TLS_ECDHE_RSA_WIT_AES_256_CBC_SHA384
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
   TLS_ECDHE_RSA_WIT_AES_128_GCM_SHA256
   TLS_ECDHE_RSA_WIT_AES_128_CBC_SHA256
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
   TLS_ECDHE_RSA_WITH_RC4_128_SHA
-
Extended panel:
- Node Name:
- Displays the node name being updated.
- (L/R):
- Indicates whether the node is Local (L) or Remote (R).
- Panel Name:
- "Secure + Extended Cipher Suite" is the name for panel DGA@P141.
- Selection and Filtration Display:
- Displays the number of selected ciphers, the number passing filtration, and the total number available.
- Selection:
- These options are used to select the ciphers by protocol. A selected cipher is pink and has a number in the 'O' column. There are 3 fields available, and for each field the valid values are 1-99 and ALL:
- ANY:
- Allows the selection of cipher suites for any protocol, either a maximum number, or all that are available.
- TLS12:
- Allows the selection of cipher suites that are supported by TLS12, either a maximum number, or all that are available. This field will be enabled if either the Cipher Filtering field is set to None (N) or if the TLS12 protocol is enabled on panel DMADP126 (Secure+ Create/Update Panel). Otherwise it will be disabled.
- TLS13:
- Allows the selection of cipher suites that are supported by TLS13, either a maximum number, or all that are available. This field will be enabled if either the Cipher Filtering field is set to None (N) or if the TLS13 protocol is enabled on panel DMADP126 (Secure+ Create/Update Panel). Otherwise it will be disabled.
Note: If all of the above Selection fields are blank, then the cipher suites are selected manually by numbering them 1-n (maximum of 99).
Note: If any of the above Selection fields are not blank, then all the cipher suites for that field are automatically selected and numbered from 1 to n according to the settings in the Cipher Filtering and Sorting fields, as described below.
- Cipher Filtering and Sorting:
- These options provide the ability to sort and filter the cipher suite list.
- Cipher Filtering:
- Allows filtering the cipher list by the protocols selected in panel DMADP126 (Secure+ Create/Update Panel). Valid values are P and N. When P is specified then only cipher suites supported by the protocols selected in DMADP126 will be listed. When N is specified, DMADP126 does not influence the cipher suite selection list.
- Cipher Sorting:
- Allows the user to sort the available ciphers. If all Selection fields are blank, only unselected cipher suites are sorted. If any Selection field is non-blank, then all cipher suites are sorted. The following options are available:
- SA:
- Strength Ascending (see Understanding Cipher Suite Strength for how strength is ranked)
- SD:
- Strength Descending (see Understanding Cipher Suite Strength for how strength is ranked)
- #A:
- Numeric (4-digit hexadecimal cipher suite number) Ascending.
- #D:
- Numeric (4-digit hexadecimal cipher suite number) Descending.
- NA:
- Alphabetic cipher name Ascending
- ND:
- Alphabetic cipher name Descending
- RSA:
- Y forces display of all RSA algorithm supported cipher suites, regardless of any other setting.
- ECDSA:
- Y forces display of all ECDSA algorithm supported cipher suites, regardless of any other setting.
This is a scrollable panel. Use the F8 key to move forward and F7 to move back.
CD.ZOS.USER1 (R)       Secure+ Extended Cipher Suite    0 Select  35 Filter  35 Total
Option ===>
Selection:                   Sorting & Filtering
  Any    (nn ALL)            Cipher Filtering  N    (Protocol or None)
  TLS12  (nn ALL)            Cipher Sorting    SD   (#A #D NA ND SA SD)
  TLS13  (nn ALL)            RSA               N    (Y or N)
                             ECDSA             N    (Y or N)

                                                          TLS TLS       Key
O  #    Cipher Suite Name                                 13  12  FIPS  Size
== ==== ================================================= ==  ==  ====  ====
1  1302 TLS_AES_256_GCM_SHA384                            X       X     256
2  1301 TLS_AES_128_GCM_SHA256                            X       X     128
   C02C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384               X   X     256
   C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384               X   X     256
   C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA                  X   X     256
   C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256               X   X     128
   C023 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256               X   X     128
   C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA                  X   X     128
   C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA                      X         128
   C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA                 X   X     168
   C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA                         X
   C030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384                 X   X     256
   C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384                 X   X     256
   C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                    X   X     256
   C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256                 X   X     128
   C027 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256                 X   X     128
   C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                    X   X     128
   C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA                        X         128
   C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA                   X   X     168
   C010 TLS_ECDHE_RSA_WITH_NULL_SHA                           X
   009D TLS_RSA_WITH_AES_256_GCM_SHA384                       X   X     256
   003D TLS_RSA_WITH_AES_256_CBC_SHA256                       X   X     256
   0035 TLS_RSA_WITH_AES_256_CBC_SHA                          X   X     256
   009C TLS_RSA_WITH_AES_128_GCM_SHA256                       X   X     128
   003C TLS_RSA_WITH_AES_128_CBC_SHA256                       X   X     128
   002F TLS_RSA_WITH_AES_128_CBC_SHA                          X   X     128
   000A TLS_RSA_WITH_3DES_EDE_CBC_SHA                         X   X     168
   0009 TLS_RSA_WITH_DES_CBC_SHA                                         56
   003B TLS_RSA_WITH_NULL_SHA256                              X
   0006 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 *DEPRECATED*                  40
   0005 TLS_RSA_WITH_RC4_128_SHA *DEPRECATED*                 X         128
   0004 TLS_RSA_WITH_RC4_128_MD5 *DEPRECATED*                           128
   0003 TLS_RSA_EXPORT_WITH_RC4_40_MD5 *DEPRECATED*                      40
   0002 TLS_RSA_WITH_NULL_SHA *DEPRECATED*                    X
   0001 TLS_RSA_WITH_NULL_MD5 *DEPRECATED*
Note: DEFAULT_TO_LOCAL_NODE does not apply to the Local node record.
Note: Select ciphers carefully, since deprecated ciphers may not be available on all systems, and NULL, EXPORT, RC4, DES and MD5-based suites provide no or weak protection even where they are available. Check with your Security Administrator before selecting these ciphers.
Note: The Extended Cipher Suite list shows additional information such as which ciphers support which protocols, which are FIPS approved, and the key sizes of the ciphers. For more information, see Cipher Selection Rules.
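The Selection, Cipher Filtering and Cipher Sorting rules above are easier to reason about when applied to the listing. The following Python model is an added example and not part of Connect:Direct or the Secure+ Admin Tool: it reproduces the panel's filtering by enabled protocol, the six sort modes, and the automatic 1..n numbering driven by the ANY/TLS12/TLS13 fields over a constructed subset of the rows shown in the panel, then screens the resulting enabled list for suites a security reviewer would reject (NULL, RC4, DES/3DES, EXPORT, MD5, non-FIPS, and static RSA key exchange). The strength score used for SA/SD is an assumption made here; the product's own ranking is defined in Understanding Cipher Suite Strength.

```python
"""Added example: model of the Secure+ Extended Cipher Suite panel rules.
Not the product's code; row data below is transcribed from the panel listing
and the strength() ordering is an assumption of this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    hex_id: str    # 4-digit hexadecimal cipher suite number (the '#' column)
    name: str      # cipher suite name
    tls13: bool    # 'TLS 13' column
    tls12: bool    # 'TLS 12' column
    fips: bool     # 'FIPS' column
    key_bits: int  # 'Key Size' column (0 where the panel shows a blank)


# Constructed subset of the panel rows (hex id, name, TLS13, TLS12, FIPS, key bits).
PANEL = [
    Suite("1302", "TLS_AES_256_GCM_SHA384", True, False, True, 256),
    Suite("1301", "TLS_AES_128_GCM_SHA256", True, False, True, 128),
    Suite("C02C", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", False, True, True, 256),
    Suite("C00A", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", False, True, True, 256),
    Suite("C007", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", False, True, False, 128),
    Suite("C006", "TLS_ECDHE_ECDSA_WITH_NULL_SHA", False, True, False, 0),
    Suite("C030", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", False, True, True, 256),
    Suite("C013", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", False, True, True, 128),
    Suite("009D", "TLS_RSA_WITH_AES_256_GCM_SHA384", False, True, True, 256),
    Suite("000A", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", False, True, True, 168),
    Suite("0009", "TLS_RSA_WITH_DES_CBC_SHA", False, False, False, 56),
    Suite("0003", "TLS_RSA_EXPORT_WITH_RC4_40_MD5", False, False, False, 40),
]

# Algorithms that should never appear in an enabled list.
WEAK = re.compile(r"NULL|RC4|_DES_|3DES|EXPORT|MD5|RC2")


def strength(s: Suite) -> int:
    """Assumed strength score: weak algorithms rank lowest, AEAD (GCM) and
    ephemeral key exchange (TLS 1.3 or ECDHE) rank above raw key length."""
    if WEAK.search(s.name):
        return 0
    score = s.key_bits
    if "GCM" in s.name:
        score += 1000
    if s.tls13 or "ECDHE" in s.name:
        score += 500
    return score


def filter_suites(suites, enabled, filtering="P", rsa=False, ecdsa=False):
    """Cipher Filtering 'P' lists only suites usable by a protocol enabled on the
    Create/Update panel; 'N' lists every suite. RSA=Y / ECDSA=Y force that family in."""
    out = []
    for s in suites:
        forced = (rsa and "_RSA_" in s.name) or (ecdsa and "ECDSA" in s.name)
        usable = (filtering == "N"
                  or (s.tls13 and "TLS13" in enabled)
                  or (s.tls12 and "TLS12" in enabled))
        if forced or usable:
            out.append(s)
    return out


def sort_suites(suites, mode="SD"):
    """Cipher Sorting: SA/SD by strength, #A/#D by hex number, NA/ND by name."""
    key, reverse = {
        "SA": (strength, False), "SD": (strength, True),
        "#A": (lambda s: int(s.hex_id, 16), False), "#D": (lambda s: int(s.hex_id, 16), True),
        "NA": (lambda s: s.name, False), "ND": (lambda s: s.name, True),
    }[mode]
    return sorted(suites, key=key, reverse=reverse)  # stable, so ties keep panel order


def auto_select(suites, enabled, any_n=None, tls12=None, tls13=None, filtering="P", sorting="SD"):
    """Selection fields ANY/TLS12/TLS13 take a count (1-99) or 'ALL'. Any non-blank
    field auto-numbers the matching suites 1..n after filtering and sorting."""
    ordered = sort_suites(filter_suites(suites, enabled, filtering), sorting)
    chosen = []
    for field, pred in ((any_n, lambda s: True), (tls13, lambda s: s.tls13), (tls12, lambda s: s.tls12)):
        if field is None:
            continue
        limit = 99 if field == "ALL" else min(int(field), 99)
        chosen += [s for s in ordered if pred(s) and s not in chosen][:limit]
    return chosen[:99]


def review(selected):
    """Return (name, reason) for each enabled suite a reviewer should question."""
    findings = []
    for s in selected:
        if WEAK.search(s.name):
            findings.append((s.name, "weak or deprecated algorithm"))
        elif not s.fips:
            findings.append((s.name, "not FIPS approved"))
        if s.name.startswith("TLS_RSA_") and not WEAK.search(s.name):
            findings.append((s.name, "static RSA key exchange, no forward secrecy"))
    return findings


if __name__ == "__main__":
    picked = auto_select(PANEL, {"TLS12", "TLS13"}, any_n="ALL")  # Any=ALL, Filtering=P, Sorting=SD
    for i, s in enumerate(picked, 1):
        print(f"{i:2d} {s.hex_id} {s.name}")
    for name, why in review(picked):
        print("WARN", name, why)
```

With both protocols enabled and Any=ALL the model numbers all ten usable suites, strongest first, which is exactly what the panel would do; the review then flags the RC4, NULL and 3DES suites and the static-RSA suite that ALL silently swept in. Restricting the selection (for example TLS13=ALL, or TLS12 with a small count) is the safer way to use the automatic fields.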
- Select EA Parameters and press Enter.
- Verify that External Authentication (Enable External Auth) is disabled (N). The remaining external authentication fields are unavailable because they are valid only for the .EASERVER remote node record.
- Read all warning and error messages. You can continue configuring the environment without resolving warning messages, but you may be unable to perform secure communications. You must resolve all errors before you can save the parameter file.
- After you configure the local node record, you can save and submit the parameter file using the procedures in IBM Connect:Direct Secure Plus Operation Enablement and Validation, but if you have not added a remote node record, connections are not secure.