Certificate-based Authentication

Certificate-Based Authentication is an authentication method that IBM® Sterling Control Center Director can use to authenticate itself to a Connect:Direct® server. Certificate-Based Authentication eliminates the need for IBM Sterling Control Center Director to store passwords for authentication to Connect:Direct.

When Certificate-Based Authentication is enabled, IBM Sterling Control Center Director presents a TLS certificate to the Connect:Direct server over a secure connection to authenticate itself, and the Connect:Direct server authenticates itself to Control Center Director in the same way. To configure IBM Sterling Control Center Director to monitor a Connect:Direct server with Certificate-Based Authentication, see Servers view in Web Console.
Note: To generate a KeyStore or certificates, see Setting up KeyStores.

Setting up Connect:Direct for Certificate-based Authentication

  • For a new certificate, import the certificate into Connect:Direct KeyStore:
    • Open the spadmin window, go to Keystore Configuration > Personal Certificates, and import the PEM file.
    • Go to Signer Certificates and import the CA certificate (ca.crt).
  • The certificate presented by the IBM Sterling Control Center Director must be trusted by the Connect:Direct server and the one presented by Connect:Direct must be trusted by Control Center Director.
  • Connect:Direct User Authorities must include a user whose username is the Common Name of IBM Sterling Control Center Director's end-entity certificate. The user must be assigned the permissions required to monitor Connect:Direct. Set client.cert_auth to Y in the Functional Authority Entry for that user.
    Note: The Connect:Direct User Authority controls user access to the Connect:Direct server and determines which Connect:Direct commands and statements users can execute.
  • Enable Client Authentication in the Secure+ Client record.

    For more information, see:
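
Added example, not part of the IBM documentation: a pre-import check that the certificate Control Center Director will present chains to the CA imported under Signer Certificates and that its Common Name equals the Connect:Direct user name. It assumes the `openssl` command-line tool is available and that the name comparison is exact and case-sensitive; the file names and the user name `ccd-monitor` are placeholders.

```shell
#!/bin/sh
# Added example (not IBM code): pre-import checks for the certificate that
# Control Center Director presents. File names and the user name are placeholders.

# Print the CN from an RFC 2253 subject such as "CN=ccd-monitor,OU=Ops,O=Example".
# Limitation: a CN that itself contains an escaped comma is not handled.
cn_from_subject() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# Print the subject CN of a PEM certificate file.
cert_cn() {
  cc_subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
  cn_from_subject "${cc_subj#subject=}"
}

# check_ccd_cert CERT_PEM CA_PEM CD_USER
# Returns 0 if OK, 2 unreadable cert, 3 CN/user mismatch, 4 chain or validity failure.
check_ccd_cert() {
  ck_cn=$(cert_cn "$1") || { echo "cannot read certificate $1" >&2; return 2; }
  # Assumption: the comparison is exact and case-sensitive.
  if [ "$ck_cn" != "$3" ]; then
    echo "CN '$ck_cn' does not match Connect:Direct user '$3'" >&2
    return 3
  fi
  # Chain and validity-period check against the CA imported under Signer Certificates.
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "$1 does not verify against $2 (untrusted issuer or expired)" >&2
    return 4
  fi
  echo "ok: CN=$ck_cn chains to $2"
}

# Usage (placeholder names): check_ccd_cert ccd-client.pem ca.crt ccd-monitor
```

A return code of 3 means the Functional Authority entry with client.cert_auth set to Y would not match the certificate, so either the user name or the certificate subject needs to change before the server is added.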