Technical Blog Post
Changes to Secure+ with Connect:Direct Unix 4.2
Several important changes came with Connect:Direct Unix and the Secure+ components in version 4.2.00. One of the main new concepts is that the certificates that used to be stored in the keycert.txt and trusted.txt files are now stored in a keystore file. The new procedure is therefore to create the keystore, import your keycert file (private and public key), and then import any certificates and certificate chains that will be needed for the remote trading partners.
While the spadmin tool looks much the same, the procedures are new. Certificate management is accessed under the menu item called "Key Management"; then select "Configure Keystore" (or press [CTRL] K). Select the location of the CMS KeyStore file and enter the password. You then check in your system certificate on the "Key Certificate" tab, and any and all public certificates on the "Trusted Certificates" tab.
Note: Do not check your own public certificate into the "Trusted Certificates" tab, since you already have it with the "Key Certificate".
Using spcli to configure this has changed slightly too. Some of the certificate and key information may already be present if this was an upgrade or a standard install was performed, so it is best to do a "Display All" once you have opened the parmfile to see what you already have. Here is an example of the individual steps to configure the node. The first time through, just ignore the first two errors, "SPCG031E" and "SPCG035E"; they occur only the very first time, because the files do not yet exist. I have listed all the commands to set one up from scratch, so you may not need to perform every step.
The possible values for the individual commands are documented in the Connect:Direct documentation.
[myserver /opt/cdunix.4200/ndm/bin]$ ./spcli.sh
SPCG031E rc=8 The specified Secure+ Parameters File Directory "/opt/cdunix.4200//ndm/secure+/nodes"
does not contain a Secure+ control file.
SPCG035E rc=8 Unable to open default parmfile in "/opt/cdunix.4200//ndm/secure+/nodes" directory.
**************************************************************
* Secure+ Command Line Interface *
* IBM(R) Sterling Connect:Direct(R) Secure Plus v4.2.0.1 *
*------------------------------------------------------------*
* Licensed Materials - Property of IBM *
* (C) Copyright IBM Corp. 1999, 2014 All Rights Reserved. *
* US Government Users Restricted Rights - Use, duplication *
* or disclosure restricted by GSA ADP Schedule Contract *
* with IBM Corp. *
**************************************************************
SPCLI> init parmfile
localnode=cdunix.4200
path=/opt/cdunix.4200/ndm/secure+/nodes
passphrase=1/p3yjkWWW8O6tO1g39NTUJWdrTJXwT4OPjr0l91X817/OWOgHz8UA;
SPCG000I rc=0 Parmfile initialized successfully.
SPCLI> display info;
Current File: /opt/cdunix.4200/ndm/secure+/nodes
Number of Records: 6
Number of Updates: 0
Last 3 Updates:
SPCG120I rc=0 Parmfile information displayed successfully.
SPCLI> sync netmap
path=/opt/cdunix.4200/ndm/cfg/myserver.4200/netmap.cfg
name=*;
SPCG300I rc=0 Synchronize with Netmap successful.
SPCLI> Create KeyStore
File=/opt/cdunix.4200/ndm/secure+/certificates/cdkeystore.kdb
Passphrase=password;
SPCG688I rc=0 Create CMS KeyStore command successful.
SPCLI> Import KeyCert
File=/opt/cdunix.4200/ndm/secure+/certificates/keycert.txt
Passphrase=password
Label="Primary Key Certificate"
ImportMode=Add;
SPCG772I rc=0 Import Info, label: Primary Key Certificate - Certificate imported successfully.
SPCG690I rc=0 Import KeyStore command successful: Imported(1), Errors(0), Warnings(0)
SPCLI> Import TrustedCert
File=/opt/cdunix.4200/ndm/secure+/certificates/trusted2.txt
ImportMode=Add;
SPCG772I rc=0 Import Info, label: ts02 - Certificate imported successfully.
SPCG690I rc=0 Import KeyStore command successful: Imported(1), Errors(0), Warnings(0)
SPCLI> Update LocalNode
Protocol=disable
KeyCertLabel="Primary Key Certificate" SecurityMode=Disable Override=y AuthTimeout=120 EncryptData=n ClientAuth=n SeaEnable=n SeaCertValDef=null
CipherSuites=(TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5);
SPCG360I rc=0 Update local node command successful.
SPCLI> display localnode;
Name=.Local
BaseName=cdunix.4200
Type=L
Protocol=Disable
Override=Y
SecurityMode=Disable
AuthTimeout=120
SeaEnable=N
SeaCertValDef=
KeyCertLabel=Primary Key Certificate
EncryptData=N
ClientAuth=N
CipherSuites=(TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5)
2015/05/12 13:36:19 cdadmin
SPCG400I rc=0 Display local node command successful.
SPCLI> Update RemoteNode name=myserver.4200 Protocol=TLS KeyCertLabel="Primary Key Certificate" SecurityMode=Disable clientauth=n encryptdata=y seaenable=n override=n
CipherSuites=(TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5);
SPCG470I rc=0 Update remote node "myserver.4200" command successful.
SPCLI> display all;
Name=.Local
BaseName=cdunix.4200
Type=L
Protocol=Disable
Override=Y
SecurityMode=Disable
AuthTimeout=120
SeaEnable=N
SeaCertValDef=
KeyCertLabel=Primary Key Certificate
EncryptData=N
ClientAuth=N
CipherSuites=(TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5)
2015/05/12 13:36:19 cdadmin
Name=cdunix.4200
BaseName=cdunix.4200
Type=R
Protocol=DefaultToLN
Override=DefaultToLN
SecurityMode=DefaultToLN
AuthTimeout=120
SeaEnable=DefaultToLN
SeaCertValDef=
KeyCertLabel=
EncryptData=DefaultToLN
ClientAuth=DefaultToLN
CertCommonName=
CipherSuites=()
Name=.Client
BaseName=.Client
Type=R
Protocol=DefaultToLN
Override=Y
SecurityMode=DefaultToLN
AuthTimeout=120
KeyCertLabel=
ClientAuth=N
CertCommonName=
CipherSuites=()
Name=.SEAServer
BaseName=.SEAServer
Type=R
Protocol=DefaultToLN
Override=N
SecurityMode=DefaultToLN
AuthTimeout=120
SeaHost=
SeaPort=61366
KeyCertLabel=
CertCommonName=
CipherSuites=()
Name=.Password
SpeEnable=Y
Name=.Keystore
File=/opt/cdunix.4200/ndm/secure+/certificates/cdkeystore.kdb
Name=myserver.4200
BaseName=myserver.4200
Type=R
Protocol=TLS
Override=N
SecurityMode=Disable
AuthTimeout=120
SeaEnable=N
SeaCertValDef=
KeyCertLabel=Primary Key Certificate
EncryptData=Y
ClientAuth=N
CertCommonName=
CipherSuites=(TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5)
2015/05/12 13:36:44 cdadmin
SPCG151I rc=0 Display all command successful.
SPCLI> validate parmfile;
SPCG775I rc=0 Node: myserver.4200 - info: No validation errors found.
Status: 0 Error(s), 0 Warning(s).
SPCLI> q;
[myserver /opt/cdunix.4200/ndm/bin]$
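As an added example (not IBM code and not part of the original post), here is a small Python audit of a "display all" listing in the format shown above. It groups the Key=Value lines into node records, skips the timestamp and SPCG message lines, and flags settings a reviewer would want to see before go-live: the suite list used above includes NULL, RC4, single-DES and MD5 suites, which give no or weak protection, and nodes left at Protocol=Disable. The SAMPLE node values are constructed for the example.

```python
"""Audit a Secure+ 'display all' listing (spcli output). Added example, not IBM code."""
import re

KV_RE = re.compile(r"^(\w+)=(.*)$")  # only Key=Value lines, not stamps or SPCG messages
# Suites that give no or weak protection: NULL ciphers, RC4, single DES, MD5 MACs.
WEAK_SUITE_RE = re.compile(r"_NULL_|_RC4_|_DES_CBC_|_MD5$")

# Constructed excerpt in the same format as the display all output above.
SAMPLE = """\
Name=.Local
Protocol=Disable
CipherSuites=(TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_NULL_SHA)
2015/05/12 13:36:19 cdadmin
Name=myserver.4200
Protocol=TLS
CipherSuites=(TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_NULL_MD5)
SPCG151I rc=0 Display all command successful.
"""

def parse_nodes(text):
    """Group Key=Value lines into one dict per Name= record."""
    nodes, current = [], None
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if not m:
            continue  # timestamp/user stamp or SPCGxxx status message
        key, value = m.groups()
        if key == "Name":
            current = {"Name": value}
            nodes.append(current)
        elif current is not None:
            current[key] = value
    return nodes

def cipher_list(node):
    """Turn 'CipherSuites=(A,B)' into ['A', 'B']; '()' gives []."""
    return [s for s in node.get("CipherSuites", "()").strip("()").split(",") if s]

def audit(text):
    """Return (node, issue) pairs to review before enabling Secure+ for the node."""
    findings = []
    for node in parse_nodes(text):
        name = node["Name"]
        for suite in cipher_list(node):
            if WEAK_SUITE_RE.search(suite):
                findings.append((name, f"weak cipher suite {suite}"))
        if node.get("Protocol", "").lower() == "disable":
            findings.append((name, "Secure+ protocol disabled"))
    return findings
```

Run it against a saved "display all" transcript instead of SAMPLE to review an existing parmfile; 3DES is deliberately not flagged here, so extend WEAK_SUITE_RE if your policy excludes it too.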