Configure SSL or TLS between the Connect:Direct bridge agent and the Connect:Direct node
Configure the Connect:Direct® bridge agent and the Connect:Direct node to connect to each other through the SSL protocol by creating a keystore and a truststore, and by setting properties in the Connect:Direct bridge agent properties file.
These steps include instructions for getting your keys signed by a certificate authority. If we do not use a certificate authority, we can generate a self-signed certificate. For more information about generating a self-signed certificate, see Working with SSL or TLS on UNIX and Windows systems.
These steps include instructions for creating a new keystore and truststore for the Connect:Direct bridge agent. If the Connect:Direct bridge agent already has a keystore and truststore that it uses to connect securely to IBM MQ queue managers, we can use the existing keystore and truststore when connecting securely to the Connect:Direct node. For more information, see Configure SSL or TLS encryption for MFT.
Procedure
For the Connect:Direct node, complete the following steps:
- Generate a key and signed certificate for the Connect:Direct node. We can do this by using the IBM Key Management tool that is provided with IBM MQ. For more information, see Working with SSL or TLS.
- Send a request to a certificate authority to have the key signed. You receive a certificate in return.
- Create a text file; for example, /test/ssl/certs/CAcert, that contains the public key of your certification authority.
- Install the Secure+ Option on the Connect:Direct node. If the node already exists, we can install the Secure+ Option by running the installer again, specifying the location of the existing installation, and choosing to install only the Secure+ Option.
- Create a new text file; for example, /test/ssl/cd/keyCertFile/node_name.txt.
- Copy the certificate that you received from your certification authority and the private key, located in /test/ssl/cd/privateKeys/node_name.key, into the text file. The contents of /test/ssl/cd/keyCertFile/node_name.txt must be in the following format:
-----BEGIN CERTIFICATE-----
(base64-encoded certificate)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,(initialization vector)
(base64-encoded encrypted private key)
-----END RSA PRIVATE KEY-----
- Start the Secure+ Admin Tool.
  - On Linux or UNIX systems, run the command spadmin.sh.
  - On Windows systems, click Start > Programs > Sterling Commerce Connect:Direct > CD Secure+ Admin Tool.
- In the CD Secure+ Admin Tool, double-click the .Local line to edit the main SSL or TLS settings.
- Select Enable SSL Protocol or Enable TLS Protocol, depending on which protocol you are using.
- Select Disable Override.
- Select at least one Cipher Suite.
- If you want two-way authentication, change the value of Enable Client Authentication to Yes.
- In the Trusted Root Certificate field, enter the path to the public certificate file of your certification authority, /test/ssl/certs/CAcert.
- In the Key Certificate File field, enter the path to the file that you created, /test/ssl/cd/keyCertFile/node_name.txt.
- Double-click the .Client line to edit the main SSL or TLS settings.
- Select Enable SSL Protocol or Enable TLS Protocol, depending on which protocol you are using.
- Select Disable Override.
For the Connect:Direct bridge agent, perform the following steps:
- Create a truststore. We can do this by creating a dummy key and then deleting the dummy key. We can use the following commands:
keytool -genkey -alias dummy -keystore /test/ssl/fte/stores/truststore.jks
keytool -delete -alias dummy -keystore /test/ssl/fte/stores/truststore.jks
- Import the public certificate of the certification authority into the truststore. We can use the following command:
keytool -import -trustcacerts -alias myCA -file /test/ssl/certs/CAcert -keystore /test/ssl/fte/stores/truststore.jks
- Edit the Connect:Direct bridge agent properties file. Include the following lines anywhere in the file:
cdNodeProtocol=protocol
cdNodeTruststore=/test/ssl/fte/stores/truststore.jks
cdNodeTruststorePassword=password
In the example in this step, protocol is the protocol you are using, either SSL or TLS, and password is the password that you specified when you created the truststore.
- If you want two-way authentication, create a key and certificate for the Connect:Direct bridge agent.
- Create a keystore and key. We can use the following command:
keytool -genkey -keyalg RSA -alias agent_name -keystore /test/ssl/fte/stores/keystore.jks -storepass password -validity 365
- Generate a signing request. We can use the following command:
keytool -certreq -v -alias agent_name -keystore /test/ssl/fte/stores/keystore.jks -storepass password -file /test/ssl/fte/requests/agent_name.request
- Import the certificate you receive from the preceding step into the keystore. The certificate must be in X.509 format. Import it under the same alias as the key it was issued for (keytool otherwise defaults to the alias mykey and stores the certificate as a separate trusted entry). We can use the following command:
keytool -import -alias agent_name -keystore /test/ssl/fte/stores/keystore.jks -storepass password -file certificate_file_path
- Edit the Connect:Direct bridge agent properties file. Include the following lines anywhere in the file:
cdNodeKeystore=/test/ssl/fte/stores/keystore.jks
cdNodeKeystorePassword=password
In the example in this step, password is the password that you specified when you created the keystore.
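To check that the combined certificate and key file (node_name.txt) and the cdNode* settings in the bridge agent properties file follow the layout this page describes, here is an added Python example; it is not IBM's code, the sample file contents are constructed placeholders, and the property names are the ones given on this page.

```python
import re

# Constructed sample in the layout the page describes for node_name.txt: the
# CA-signed certificate first, then the encrypted RSA private key. Bodies are
# placeholders, not real key material.
SAMPLE_KEYCERT = """-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END RSA PRIVATE KEY-----
"""

# Constructed two-way-authentication settings in the page's properties format.
SAMPLE_PROPS = """cdNodeProtocol=TLS
cdNodeTruststore=/test/ssl/fte/stores/truststore.jks
cdNodeTruststorePassword=trustpw
cdNodeKeystore=/test/ssl/fte/stores/keystore.jks
cdNodeKeystorePassword=keypw
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def check_keycert_file(text):
    """Return a list of findings for a combined certificate + key file; [] means OK."""
    findings = []
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if labels != ["CERTIFICATE", "RSA PRIVATE KEY"]:
        findings.append(f"expected CERTIFICATE then RSA PRIVATE KEY, found {labels}")
    for label, body in blocks:
        # The page's example carries an encrypted key; flag a plaintext one.
        if "PRIVATE KEY" in label and "Proc-Type: 4,ENCRYPTED" not in body:
            findings.append("private key is stored unencrypted")
    return findings


def check_agent_properties(text, two_way):
    """Return findings for the cdNode* settings in the bridge agent properties file."""
    props = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    required = ["cdNodeProtocol", "cdNodeTruststore", "cdNodeTruststorePassword"]
    if two_way:  # client authentication needs the agent's own keystore as well
        required += ["cdNodeKeystore", "cdNodeKeystorePassword"]
    findings = [f"missing {k}" for k in required if not props.get(k)]
    proto = props.get("cdNodeProtocol")
    if proto not in (None, "SSL", "TLS"):
        findings.append(f"cdNodeProtocol must be SSL or TLS, not {proto!r}")
    elif proto == "SSL":
        findings.append("cdNodeProtocol=SSL selects an obsolete protocol; prefer TLS")
    return findings
```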