Configure SSL or TLS between the Connect:Direct bridge agent and the Connect:Direct node

Configure the Connect:Direct® bridge agent and the Connect:Direct node to connect to each other through the SSL protocol by creating a keystore and a truststore, and by setting properties in the Connect:Direct bridge agent properties file.

These steps include instructions for getting your keys signed by a certificate authority. If we do not use a certificate authority, we can generate a self-signed certificate. For more information about generating a self-signed certificate, see Working with SSL or TLS on UNIX and Windows systems.

These steps include instructions for creating a new keystore and truststore for the Connect:Direct bridge agent. If the Connect:Direct bridge agent already has a keystore and truststore that it uses to connect securely to IBM MQ queue managers, we can use the existing keystore and truststore when connecting securely to the Connect:Direct node. For more information, see Configure SSL or TLS encryption for MFT.

Procedure

For the Connect:Direct node, complete the following steps:

1. Generate a key and signed certificate for the Connect:Direct node. We can do this by using the IBM Key Management tool that is provided with IBM MQ. For more information, see Working with SSL or TLS.
2. Send a request to a certificate authority to have the key signed. You receive a certificate in return.
3. Create a text file; for example, /test/ssl/certs/CAcert, that contains the public key of your certification authority.
4. Install the Secure+ Option on the Connect:Direct node. If the node already exists, we can install the Secure+ Option by running the installer again, specifying the location of the existing installation, and choosing to install only the Secure+ Option.
5. Create a new text file; for example, /test/ssl/cd/keyCertFile/node_name.txt.
6. Copy the certificate that you received from your certification authority and the private key, located in /test/ssl/cd/privateKeys/node_name.key, into the text file. The contents of /test/ssl/cd/keyCertFile/node_name.txt must be in the following format:

   -----BEGIN CERTIFICATE-----
   MIICnzCCAgigAwIBAgIBGjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJHQjES
   MBAGA1UECBMJSGFtcHNoaXJlMRAwDgYDVQQHEwdIdXJzbGV5MQwwCgYDVQQKEwNJ
   Qk0xDjAMBgNVBAsTBU1RSVBUMQswCQYDVQQDEwJDQTAeFw0xMTAzMDExNjIwNDZa
   Fw0yMTAyMjYxNjIwNDZaMFAxCzAJBgNVBAYTAkdCMRIwEAYDVQQIEwlIYW1wc2hp
   cmUxDDAKBgNVBAoTA0lCTTEOMAwGA1UECxMFTVFGVEUxDzANBgNVBAMTBmJpbmJh
   ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvgP1QIklU9ypSKD1XoODo1yk
   EyMFXBOUpZRrDVxjoSEC0vtWNcJ199e+Vc4UpNybDyBu+NkDlMNofX4QxeQcLAFj
   WnhakqCiQ+JIAD5AurhnrwChe0MV3kjA84GKH/rOSVqtl984mu/lDyS819XcfSSn
   cOOMsK1KbneVSCIV2XECAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
   HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNXMIpSc
   csBXUniW4A3UrZnCRsv3MB8GA1UdIwQYMBaAFDXY8rmj4lVz5+FVAoQb++cns+B4
   MA0GCSqGSIb3DQEBBQUAA4GBAFc7klXa4pGKYgwchxKpE3ZF6FNwy4vBXS216/ja
   8h/vl8+iv01OCL8t0ZOKSU95fyZLzOPKnCH7v+ItFSE3CIiEk9Dlz2U6WO9lICwn
   l7PL72TdfaL3kabwHYVf17IVcuL+VZsZ3HjLggP2qHO9ZuJPspeT9+AxFVMLiaAb
   8eHw
   -----END CERTIFICATE-----
   -----BEGIN RSA PRIVATE KEY-----
   Proc-Type: 4,ENCRYPTED
   DEK-Info: DES-EDE3-CBC,64A02DA15B6B6EF9
   
   57kqxLOJ/gRUOIQ6hVK2YN13B4E1jAi1gSme0I5ZpEIG8CHXISKB7/0cke2FTqsV
   lvI99QyCxsDWoMNt5fj51v7aPmVeS60bOm+UlGre8B/Ze18JVj2O4K2Uh72rDCXE
   5e6eFxSdUM207sQDy20euBVELJtM2kOkL1ROdoQQSlU3XQNgJw/t3ZIx5hPXWEQT
   rjRQO64BEhb+PzzxPF8uwzZ9IrUK9BJ/UUnqC6OdBR87IeA4pnJD1Jvb2ML7EN9Z
   5Y+50hTKI8OGvBvWXO4fHyvIX5aslwhBoArXIS1AtNTrptPvoaP1zyIAeZ6OCVo/
   SFo+A2UhmtEJeOJaZG2XZ3H495fAw/EHmjehzIACwukQ9nSIETgu4A1+CV64RJED
   aYBCM8UjaAkbZDH5gn7+eBov0ssXAXWDyJBVhUOjXjvAj/e1h+kcSF1hax5D//AI
   66nRMZzboSxNqkjcVd8wfDwP+bEjDzUaaarJTS7lIFeLLw7eJ8MNAkMGicDkycL0
   EPBU9X5QnHKLKOfYHN/1WgUk8qt3UytFXXfzTXGF3EbsWbBupkT5e5+lYcX8OVZ6
   sHFPNlHluCNy/riUcBy9iviVeodX8IomOchSyO5DKl8bwZNjYtUP+CtYHNFU5BaD
   I+1uUOAeJ+wjQYKT1WaeIGZ3VxuNITJul8y5qDTXXfX7vxM5OoWXa6U5+AYuGUMg
   /itPZmUmNrHjTk7ghT6i1IQOaBowXXKJBlMmq/6BQXN2IhkD9ys2qrvM1hdi5nAf
   egmdiG50loLnBRqWbfR+DykpAhK4SaDi2F52Uxovw3Lhiw8dQP7lzQ==
   -----END RSA PRIVATE KEY-----

7. Start the Secure+ Admin Tool.
   • On Linux or UNIX systems, run the command spadmin.sh.
   • On Windows systems, click Start > Programs > Sterling Commerce Connect:Direct > CD Secure+ Admin Tool
   The CD Secure+ Admin Tool starts.
8. In the CD Secure+ Admin Tool, double-click the .Local line to edit the main SSL or TLS settings.
   1. Select Enable SSL Protocol or Enable TLS Protocol, depending on which protocol you are using.
   2. Select Disable Override.
   3. Select at least one Cipher Suite.
   4. If you want two-way authentication, change the value of Enable Client Authentication to Yes.
   5. In the Trusted Root Certificate field, enter the path to the public certificate file of your certification authority, /test/ssl/certs/CAcert.
   6. In the Key Certificate File field, enter the path to the file that you created, /test/ssl/cd/keyCertFile/node_name.txt.
9. Double-click the .Client line to edit the main SSL or TLS settings.
   1. Select Enable SSL Protocol or Enable TLS Protocol, depending on which protocol you are using.
   2. Select Disable Override.

For the Connect:Direct bridge agent, perform the following steps:

10. Create a truststore. We can do this by creating a dummy key and then deleting the dummy key. We can use the following commands:

    keytool -genkey -alias dummy -keystore /test/ssl/fte/stores/truststore.jks

    keytool -delete -alias dummy -keystore /test/ssl/fte/stores/truststore.jks

11. Import the public certificate of the certification authority into the truststore. We can use the following command:

    keytool -import -trustcacerts -alias myCA 
            -file /test/ssl/certs/CAcert 
            -keystore /test/ssl/fte/stores/truststore.jks

12. Edit the Connect:Direct bridge agent properties file. Include the following lines anywhere in the file:

    cdNodeProtocol=protocol
    cdNodeTruststore=/test/ssl/fte/stores/truststore.jks
    cdNodeTruststorePassword=password

    In the example in this step, protocol is the protocol you are using, either SSL or TLS, and password is the password that you specified when you created the truststore.
13. If you want two-way authentication, create a key and certificate for the Connect:Direct bridge agent.
    1. Create a keystore and key. We can use the following command:

       keytool -genkey -keyalg RSA -alias agent_name 
               -keystore /test/ssl/fte/stores/keystore.jks 
               -storepass password -validity 365

    2. Generate a signing request. We can use the following command:

       keytool -certreq -v -alias agent_name 
               -keystore /test/ssl/fte/stores/keystore.jks -storepass password 
               -file /test/ssl/fte/requests/agent_name.request

    3. Import the certificate you receive from the preceding step into the keystore. The certificate must be in x.509 format. We can use the following command:

       keytool -import -keystore /test/ssl/fte/stores/keystore.jks 
               -storepass password -file certificate_file_path

    4. Edit the Connect:Direct bridge agent properties file. Include the following lines anywhere in the file:

       cdNodeKeystore=/test/ssl/fte/stores/keystore.jks
       cdNodeKeystorePassword=password

       In the example in this step, password is the password that you specified when you created the keystore.