Plan the Connect:Direct Secure Plus Configuration

Before you configure the Connect:Direct® environment for secure operations, first plan how you will use Connect:Direct Secure Plus. Configure the Connect:Direct Secure Plus environment, based on company needs or preferences.

General Planning for Connect:Direct Secure Plus

Since all remote nodes are automatically enabled with the protocol defined in the local node record, determine which protocol will be used by most trading partners. Then configure the local node with this protocol. If a trading partner is not using the protocol defined in the local node record, you must configure the remote node record for that trading partner with the protocol that partner uses.

Connect:Direct Secure Plus uses two files to initiate a TLS session: a trusted root certificate file and a key certificate file.

Note: Connect:Direct Secure Plus does not support server gated crypto (SGC) certificates.
  • The trusted root certificate file verifies the identity of trusted sources who issue certificates. To use Connect:Direct Secure Plus communication with a trading partner, exchange trusted root files with the trading partner. The trading partner must identify the trusted root file used to validate trusted sources in a certificate when it configures its Connect:Direct Secure Plus parameters file.
  • A key certificate file is required at all sending locations and describes the identity of the secure node. This file includes information about the certificate being exchanged and the private key that defines the server.

    When a trading partner attempts to establish communications with a Connect:Direct node, the node sends the public key certificate to the trading partner to verify its identity. The location of the key certificate file is configured in the Connect:Direct Secure Plus parameters file. The private key in the key certificate file is never sent (disclosed) by Connect:Direct.

The following list summarizes the tasks to configure Connect:Direct Secure Plus:

  • Populate the parameters file at your site by importing the Connect:Direct network map. This task creates a local node record and remote node records.
  • Enable the TLS protocol in the local node record. Enabling the local node record configures remote nodes to default to the settings in the local node record. To enable TLS, activate the following options:
    • Identify the trusted root certificate file that authenticates the trusted authorities.
    • Identify the key certificate file.

      If you identify the trusted root file and the key certificate file to use for secure communications in the local node record, the trusted root file must define the identity of all CAs for all trading partners, and the root certificate associated with the key certificate file must include certificate and private key information for all certificates.

    • Identify a cipher suite to use to encrypt data in both the sending and receiving node. After secure communication is established, Connect:Direct Secure Plus determines what cipher has been defined at both the sending and the receiving node and uses this cipher to encrypt data before sending it. If more than one cipher is enabled, the preferences defined in the server parameters file determine the cipher suite used for the SSL protocol and the preferences defined in the client parameters file determine the cipher suite used for the TLS protocol.
  • If you want to enable a second level of security, activate client authentication.
  • If you want to enable common name checking, you must enable this feature in the remote node record.
  • For remote nodes that are using the protocol defined in the local node record, configure the remote nodes to implement any of the following additional security features:
    • Activate client authentication.
    • Configure the remote node record of each trading partner with the same cipher suites that the trading partner has enabled, because both sides must share a cipher suite for data encryption to be negotiated.
  • If a trading partner uses a protocol that is different from the protocol defined in the local node record, define the protocol in the remote node record. The remote node record must identify the same protocol as that used by the trading partner. Otherwise, the Connect:Direct Secure Plus session fails.
  • If a trading partner does not use Connect:Direct Secure Plus, disable it in that remote node record.
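The planning rules above (remote nodes inherit the local node's protocol unless overridden or disabled, the protocol must match the partner's, and the cipher suite is chosen from the suites both sides enabled, with server preference order governing SSL and client preference order governing TLS) can be modelled as a small checker. This is an added, hypothetical model written for this page, not Connect:Direct's own code; the `NodeRecord` fields, the function names and the sample cipher lists are assumptions, and it does not read a real parameters file.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class NodeRecord:
    """Hypothetical model of one node record in a Secure Plus parameters file."""
    name: str
    protocol: Optional[str] = None          # "TLS" or "SSL"; None on a remote node means "inherit local"
    secure_plus_enabled: bool = True        # False = Secure Plus disabled for this remote node
    ciphers: List[str] = field(default_factory=list)  # enabled suites, in preference order

def effective_protocol(local: NodeRecord, remote: NodeRecord) -> Optional[str]:
    """Remote nodes default to the local node's protocol unless they override it or are disabled."""
    if not remote.secure_plus_enabled:
        return None
    return remote.protocol or local.protocol

def select_cipher(protocol: str, server_prefs: List[str], client_prefs: List[str]) -> str:
    """Pick the first suite, in the governing side's order, that both sides enabled.
    Per the page: server preferences decide for SSL, client preferences decide for TLS."""
    ordered, other = (server_prefs, set(client_prefs)) if protocol == "SSL" \
        else (client_prefs, set(server_prefs))
    for suite in ordered:
        if suite in other:
            return suite
    raise ValueError(f"no cipher suite enabled on both sides for {protocol}")

def plan_session(local: NodeRecord, remote: NodeRecord, partner_protocol: str,
                 partner_ciphers: List[str], local_is_server: bool = True) -> Tuple[str, Optional[str]]:
    """Predict the outcome of a session with one trading partner under the page's rules."""
    proto = effective_protocol(local, remote)
    if proto is None:
        return ("cleartext", None)                       # Secure Plus disabled in the remote record
    if proto != partner_protocol:                        # mismatched protocol: the session fails
        raise ValueError(f"{remote.name}: configured {proto}, partner uses {partner_protocol}")
    ours = remote.ciphers or local.ciphers               # remote record overrides local suites
    server, client = (ours, partner_ciphers) if local_is_server else (partner_ciphers, ours)
    return (proto, select_cipher(proto, server, client))

if __name__ == "__main__":
    # Constructed sample: local node runs TLS; one partner inherits it, another is set to SSL.
    local = NodeRecord("LOCAL", "TLS", ciphers=["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"])
    inherits = NodeRecord("PARTNER.A")
    print(plan_session(local, inherits, "TLS", ["TLS_AES_128_GCM_SHA256"]))
```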