Technical Blog Post
Migrating STS nodes to SSL/TLS in C:D for z/OS
Beginning with IBM Sterling Connect:Direct for z/OS V5.2, the Station-to-Station (STS) encryption protocol has been removed. In fact, this is true for all of the latest releases of the Connect:Direct family regardless of platform. If you are migrating to V5.2 you will need to migrate any remote node trading partners, regardless of what release level they are at.
The procedure to migrate your STS trading partner to SSL/TLS in C:D for z/OS is:
The first step of migrating from STS to SSL or TLS is to provide your trading partner with your signed site certificate. This is the certificate that is located in the keyring or GSKKYMAN key database and referenced by the label that is in the Secure+ PARMFILE local node Certificate Label Name. You will also need to get your trading partner’s signed certificate to put into your keyring or GSKKYMAN key database.
When you and your trading partner are ready to test:
1. Log onto your Connect:Direct IUI.
2. From the Primary Menu select ADMIN.
3. From the Administrative Options Menu enter SA on the command line.
4. You are now at the Secure+ Admin Tool: Main Screen.
5. Enter FO (File Open) on the command line to open your Secure+ PARMFILE.
6. From the Main Screen, select one of your remote nodes that is defined for STS.
7. If you are not already at the STS Parameters panel, navigate to it by placing the cursor on STS Parameters and pressing enter.
8. Disable the STS protocol by placing a 2 in the Enable STS field.
9. Navigate to the SSL/TLS Parameters by placing the cursor on the SSL/TLS Parameters and pressing enter.
10. Enable SSL or TLS by entering a 1 in the corresponding field. It is recommended that you enable the TLS protocol if you are concerned about the POODLE vulnerability to which your non-mainframe trading partners might be exposed.
11. Place the cursor on Certificate Label, press enter, then press PF8. Enter an asterisk (*), press enter, then press PF3.
12. Place the cursor on Cipher Suites and press enter. Either sequence the cipher suites as you wish, or place a 1 next to DEFAULT_TO_LOCAL_NODE, and press PF3. When you select DEFAULT_TO_LOCAL_NODE, the Cipher Suites entry on the SSL/TLS Parameters panel will show FF.
13. You cannot update the Certificate Pathname from this panel. It will be an asterisk (*), meaning that it defaults to the local node value.
14. Place the cursor on OK and press enter.
15. If you have additional remote nodes to change at this time, repeat the above steps until you have updated the desired number.
16. If you update multiple nodes you will have to perform a SAVE AS. Place the cursor on File and press enter to get the drop-down menu. Select option 7, press enter and follow the screens. This will build JCL that rebuilds your PARMFILE and ACCESS files, which requires you to bring down your C:D started task, run the job created by the SAVE AS option, and then bring it back up.
If you are doing one node at a time, you can instead perform Option 6 SAVE ACTIVE. This will create JCL that executes a DMBATCH job that updates the PARMFILE, but you can only do one or two nodes at a time. If you decide to use SAVE ACTIVE instead of SAVE AS to avoid bouncing your started task, you must close and reopen the PARMFILE between each update by entering FC (File Close) on the command line and then FO (File Open).
This procedure is for migrating from STS to SSL/TLS in IBM Sterling Connect:Direct for z/OS.
More than likely you will not be able to migrate all of your remote trading partners at the same time. Some of them may not yet have a signed certificate, and you will have to wait for them to get one.
Additionally, you will need to check your processes to ensure that you do not have SECURE=(ENC=Y,SIG=Y) coded. With the removal of the Station-to-Station (STS) encryption protocol, when this parameter is coded in your process you will get CSPA024E - STS parameters used for SSL/TLS connection. You should still be able to code SECURE=(ENC=Y) or SECURE=(ENCRYPT.DATA=Y) in your processes if you want to control encryption on a process-by-process basis.
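As an added aid for the process-library check described above (example code written for this post, not IBM's code or a Connect:Direct utility): a small Python scanner over exported process text that flags any SECURE=(...) group containing SIG=Y, including when the keyword order differs or the parameter is split across `-` continuation lines. The process text below is constructed for the example; the node names and data set names are placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample of exported Connect:Direct process text (placeholder names).
# Lines 1, 6 and 7 carry the STS-style SIG=Y that triggers CSPA024E after migration.
SAMPLE_PROCESS = """\
COPYSEC  PROCESS SNODE=PARTNER1 SECURE=(ENC=Y,SIG=Y)
STEP1    COPY FROM (DSN='MY.DATA' DISP=SHR) -
            TO (DSN='THEIR.DATA' DISP=RPL)
COPYOK   PROCESS SNODE=PARTNER2 SECURE=(ENC=Y)
COPYOK2  PROCESS SNODE=PARTNER3 secure=(ENCRYPT.DATA=Y)
COPYSEC2 PROCESS SNODE=PARTNER4 SECURE=( SIG=Y , ENC=Y )
COPYSEC3 PROCESS SNODE=PARTNER5 -
         SECURE=(ENC=Y, -
         SIG=Y)
"""

# Matches the parenthesised SECURE=(...) group, case-insensitively.
SECURE_RE = re.compile(r"SECURE\s*=\s*\(([^)]*)\)", re.IGNORECASE)


def join_continuations(lines: List[str]) -> List[Tuple[int, str]]:
    """Join lines ending in '-' into one logical statement, keeping the first line number."""
    statements: List[Tuple[int, str]] = []
    buf, start = "", None
    for num, raw in enumerate(lines, 1):
        line = raw.rstrip()
        if start is None:
            start = num
        if line.endswith("-"):
            buf += line[:-1] + " "   # drop the continuation marker, keep a separator
            continue
        statements.append((start, buf + line))
        buf, start = "", None
    if buf:                          # dangling continuation at end of member
        statements.append((start, buf))
    return statements


def uses_sts_signature(statement: str) -> bool:
    """True if any SECURE=(...) group on the statement sets SIG=Y (STS signature)."""
    for match in SECURE_RE.finditer(statement):
        # Normalise each KEY=VALUE pair: strip whitespace, upper-case.
        pairs = {re.sub(r"\s+", "", kv).upper() for kv in match.group(1).split(",")}
        if "SIG=Y" in pairs:
            return True
    return False


def find_sts_signature_params(text: str) -> List[Tuple[int, str]]:
    """Return (line number, statement) for every statement still coding SIG=Y."""
    return [(n, s) for n, s in join_continuations(text.splitlines()) if uses_sts_signature(s)]


if __name__ == "__main__":
    for num, stmt in find_sts_signature_params(SAMPLE_PROCESS):
        print(f"line {num}: {stmt.strip()}")
```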
UID
ibm11123923