Configuring the Sterling Connect:Direct Server for a Secure Connection

You can configure a secure connection between a managed Sterling Connect:Direct® server and the IBM® Sterling Control Center Monitor engine.

Before you begin

  • Configure the managed Sterling Connect:Direct server to support secure client connections. Use the Sterling Connect:Direct Secure Plus Administration tool, SPAdmin, to configure each managed server.
  • To configure IBM Sterling Connect:Direct Secure Plus objects on a Sterling Connect:Direct server, you must have a secure connection between the server and the IBM Sterling Control Center Monitor engine. Otherwise, the server must allow Sterling Connect:Direct Secure Plus configuration over a non-secure connection in its initialization parameters.
  • Obtain the certificate authority (CA) or public self-signed certificate for the Sterling Connect:Direct server.
  • Import the certificate authority (CA) or public self-signed certificate of the Sterling Connect:Direct server into the truststore on the IBM Sterling Control Center Monitor engine.
  • If client authentication is required by the monitored server, the following steps are required:
    1. Obtain the keystore in JKS format for the engine.
    2. Export the certificate.
    3. Put the certificate in the trusted certificates files on the monitored server.
  • Create and configure the keystore and truststore files in IBM Sterling Control Center Monitor.

In a high availability environment, every event processor's keystore certificate must be trusted by the other event processors in the cluster, so you must include that certificate in every event processor's truststore. You can use the same keystore and truststore files for every event processor in your high availability environment. You might receive a browser security warning when you access the web console on an event processor where the common name does not match the host name that you are connecting to.

About this task

To configure the Sterling Connect:Direct server for a secure connection with the IBM Sterling Control Center Monitor engine, set the following parameters for the Sterling Connect:Direct server:

Procedure

  • The name of the configuration record used for client connections is .Client.
  • The Sterling Connect:Direct server merges the contents of the .Client. record, if it exists, with the contents of the .Local record to create a merged .Client. record, similar to the way records representing remote nodes are merged with the .Local record.
  • If the value for Node or Copy Statement Override for the merged .Client. record is Disable Override, then client connections must abide by the value specified for Sterling Connect:Direct Secure Plus Protocol in the merged .Client. record.
  • If the value for Sterling Connect:Direct Secure Plus Protocol for the merged .Client. record is:
    1. Disable Sterling Connect:Direct Secure Plus - only non-secure client connections are permitted.
    2. Enable TLS Protocol - only TLS client connections are permitted.
    3. Enable SSL Protocol - only SSL client connections are permitted.
    4. Enable STS Protocol - no client connections are permitted (as no clients support the STS protocol).
    5. Enable Override - client connections can be secure, TLS/SSL, or non-secure.

What to do next

When you add the Sterling Connect:Direct server in IBM Sterling Control Center Monitor, set the Connection to the protocol, SSL or TLS, that is defined in Sterling Connect:Direct Secure Plus.
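
The rules in the procedure and the Connection setting above can be checked before a server is added. The following is an added example, not IBM code: it evaluates the merged .Client record and flags servers that accept non-secure clients or would refuse the engine's chosen protocol. The dictionary keys, the sample servers and the merge rule (a value set in .Client wins, an unset value inherits from .Local) are assumptions.

```python
from typing import Optional

# Values quoted from the list above; the dict keys "override"/"protocol" are assumed names.
PERMITS = {
    "Disable Sterling Connect:Direct Secure Plus": {"non-secure"},
    "Enable TLS Protocol": {"TLS"},
    "Enable SSL Protocol": {"SSL"},
    "Enable STS Protocol": set(),  # no clients support STS
}
ANY = {"TLS", "SSL", "non-secure"}

def merge_client_record(local: dict, client: Optional[dict]) -> dict:
    """Assumption: a value set in .Client wins; a missing or None value inherits from .Local."""
    merged = dict(local)
    merged.update({k: v for k, v in (client or {}).items() if v is not None})
    return merged

def permitted_client_connections(local: dict, client: Optional[dict] = None) -> set:
    merged = merge_client_record(local, client)
    if merged["override"] == "Enable Override":
        return set(ANY)
    return set(PERMITS[merged["protocol"]])

def audit(nodes: dict, wanted: dict) -> list:
    """Flag servers that accept non-secure clients or would refuse the engine's protocol."""
    findings = []
    for name in sorted(nodes):
        allowed = permitted_client_connections(*nodes[name])
        if "non-secure" in allowed:
            findings.append((name, "non-secure client connections permitted"))
        if wanted[name] not in allowed:
            findings.append((name, f"engine connection {wanted[name]} not permitted"))
    return findings

# Constructed sample records: (.Local, .Client or None) per server, plus the
# Connection value chosen for each server in Control Center.
TLS_LOCKED = {"override": "Disable Override", "protocol": "Enable TLS Protocol"}
NODES = {
    "cd-a": (TLS_LOCKED, None),
    "cd-b": ({**TLS_LOCKED, "override": "Enable Override"}, None),
    "cd-c": (TLS_LOCKED, {"protocol": "Enable SSL Protocol", "override": None}),
    "cd-d": (TLS_LOCKED, {"protocol": "Enable STS Protocol"}),
}
WANTED = {"cd-a": "TLS", "cd-b": "TLS", "cd-c": "TLS", "cd-d": "TLS"}

if __name__ == "__main__":
    for finding in audit(NODES, WANTED):
        print(*finding, sep=": ")
```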