Claudemir Braghirolli – Technical Support Engineer

25 November 2014

Demonstrating the Secure+ differences between Connect:Direct Windows 4.7.0 and
Connect:Direct Windows 4.6.0

This session will be recorded and a replay will be available on IBM.COM sites and possibly social media sites such as YouTube. When
speaking, do not state any confidential information, your name, company name or any information that you do not want shared publicly
in the replay. By speaking during this presentation, you assume liability for your comments.
© 2009, 2014 IBM Corporation

Agenda

■ Objective

■ What's new in Secure+ in Connect:Direct Windows 4.7.0
– Repository for certificates and private keys
– Protocols
– Security Modes

■ Demonstration: Certificate Repository Management - IBM Key Manager (IKEYMAN)
– How to add trusted certificates from a CA
– How to generate a CSR and a private key
– How to receive a certificate signed by a CA

■ Demonstration: Secure+ configuration
– Secure+ configuration between Connect:Direct Windows 4.7.0 nodes
– Secure+ configuration between Connect:Direct for Windows 4.7.0 and
Connect:Direct for Windows 4.6.0 nodes



Objective

■ The objective of this session is to demonstrate the differences in Secure+ configuration
between Connect:Direct for Windows 4.7.0 and Connect:Direct for Windows 4.6.0.
In this demonstration, another IBM Sterling Connect:Direct v4.7.0 and an
IBM Sterling Connect:Direct v4.6.0 will be used as remote nodes.



What's new in Secure+ in Connect:Direct Windows 4.7.0

■ Repository for certificates and private keys
– During the installation of IBM Sterling Connect:Direct v4.7.0, a repository will be created.
The directory and name of the kdb may have been specified as in the screen below:
– Default directory and file name:
• C:\Program Files (x86)\Sterling Commerce\Connect Direct v4.7.0\Server\Secure+\Certificates\cdkeystore.kdb



What's new in Secure+ in Connect:Direct Windows 4.7.0

■ Protocols
– Protocols added:
• TLS v1.1
• TLS v1.2
– Protocols removed:
• STS
• Explanation: https://www-01.ibm.com/support/knowledgecenter/SSFGBN_5.2.0/com.ibm.help.cdzos.releasenotes.doc/zOS_Whats_New.html?lang=en



What's new in Secure+ in Connect:Direct Windows 4.7.0

■ Security modes
– Security mode retained:
• FIPS 140-2
– Security modes added:
• SP800-131A Transition
• SP800-131A
• Suite B 128 bit
• Suite B 192 bit

■ Additional information about the Security Modes:
– http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
– http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml



Certificate Repository Management - IBM Key Manager (IKEYMAN)

■ Determine the repository (.kdb) in use by Secure+
– Open the CD Secure+ Admin Tool interface
– Go to the menu Key Management -> Configure Key Store...



Certificate Repository Management - IBM Key Manager (IKEYMAN)

■ Open the IBM Key Manager (IKEYMAN)
– All Programs -> IBM Sterling Connect:Direct V4.7.0 -> IBM Key Manager



Certificate Repository Management - IBM Key Manager (IKEYMAN)

■ Open the repository used by Secure+ in the IBM Key Manager
– "Key database type" must be CMS
– "File Name" and "Location" as determined previously



Certificate Repository Management - IBM Key Manager (IKEYMAN)

■ How to import a Trusted certificate from a CA
– Normally, it is received from the administrator of the remote node
– All CA certificate chains that signed the certificates used by the remote nodes
must be imported.
• Select "Signer Certificates" in the Key database content field
• Click the "Add..." button
• Select the certificate, which must be in Base64 format
• Assign a label



Certificate Repository Management - IBM Key Manager (IKEYMAN)

■ How to generate a CSR (Certificate Signing Request) and private key
– The CSR must be sent to a CA (Certificate Authority)
• Select "Personal Certificate Requests" in the Key database content field
• Click the "New..." button
• Fill in the information for generating the CSR and private key, then click OK.



Certificate Repository Management - IBM Key Manager (IKEYMAN)

■ How to store a certificate signed by a CA
– The certificate will be sent by a CA (Certificate Authority) to your company.
• Select "Personal Certificates" in the Key database content field
• Click the "Receive..." button
• Select the certificate, which must be in Base64 format
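
The "Add..." and "Receive..." steps above both expect a Base64 (PEM) file. The following Python sketch is an added example, not part of the original presentation or of IBM tooling: it checks a certificate file received from a CA or a remote node administrator and returns each certificate as its own Base64 block, converting binary DER where needed. The function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample: a DER-shaped blob (SEQUENCE tag + 2-byte length + 256
# zero bytes). It is NOT a real certificate; it only exercises the checks.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def check_der(der: bytes) -> None:
    """Sanity-check the outer ASN.1 SEQUENCE: tag 0x30 and exact length."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (wrong file type?)")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form: next n bytes hold length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length mismatch (truncated or trailing data)")


def to_base64_certs(raw: bytes) -> list:
    """Return every certificate found in `raw` as its own Base64 (PEM) text."""
    text = raw.decode("ascii", errors="ignore")
    bodies = PEM_BLOCK.findall(text)
    if not bodies:                         # no PEM armor: treat as binary DER
        check_der(raw)
        return [ssl.DER_cert_to_PEM_cert(raw)]
    certs = []
    for body in bodies:                    # a bundle may hold a whole CA chain
        der = base64.b64decode("".join(body.split()), validate=True)
        check_der(der)
        certs.append(ssl.DER_cert_to_PEM_cert(der))
    return certs


if __name__ == "__main__":
    pem = to_base64_certs(SAMPLE_DER)[0]
    print(pem.splitlines()[0])
    print(len(to_base64_certs((pem + pem).encode())), "certificates in bundle")
```

The structural check only confirms that the file is one well-formed DER object of the stated length; it does not validate the certificate's contents or signature.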



Secure+ Configuration - Protocol Selection

■ Note: The SSL protocol is currently considered obsolete. See the link below:
– http://www-01.ibm.com/support/docview.wss?uid=swg21689867



Secure+ Configuration - Security Mode Selection



Secure+ Configuration - Certificate Selection v4.7.0

Key: IBMJCE RSA Public Key (RSA in the Filter By Certificate field)



Secure+ Configuration - Certificate Selection v4.7.0

Key: algorithm = EC (ECDSA in the Filter By Certificate field)


Secure+ Configuration - Cipher Selection - v4.7.0



Demonstration: Secure+ configuration between two
Connect:Direct v4.7.0 nodes



Demonstration: Secure+ configuration between a
Connect:Direct v4.7.0 node and a Connect:Direct v4.6.0 node



Contacts

■ Claudemir Braghirolli – claubrag@br.ibm.com


■ Roberto Feres Ribeiro – rribei@br.ibm.com



Related links
■ Sterling Connect:Direct for Windows documentation
http://www-01.ibm.com/support/docview.wss?uid=swg27023708

■ Technotes
http://www-01.ibm.com/support/docview.wss?uid=swg21685229
http://www-01.ibm.com/support/docview.wss?uid=swg21686953
http://www-01.ibm.com/support/docview.wss?uid=swg21689867



Additional Resources
■ Learn about upcoming Support Technical Exchange webcasts, and access previously
recorded presentations at:
https://www-304.ibm.com/connections/communities/service/html/communityview?communityUuid=d58614c7-a87a-4bea-a0d3-572710d530db

■ IBM Electronic Support Introduction


http://www.ibm.com/support/electronicsupport/about.html

■ Sign up to receive weekly technical My Notifications emails:


http://www.ibm.com/software/support/einfo.html

■ developerWorks Forums, Communities and Technical Topics


http://www.ibm.com/developerworks/

■ Quick Reference Guide for Using Service Request Tool


http://www.ibm.com/support/docview.wss?uid=swg21207945

■ IBM Support Assistant


http://www.ibm.com/software/support/isa/

■ Access product show-me demos and tutorials by visiting IBM Education Assistant:
http://www.ibm.com/software/info/education/assistant

Questions and Answers




THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR
INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE
COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS
PRESENTATION, IT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S
CURRENT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM
WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING
OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY
OTHER DOCUMENTATION, NOTHING CONTAINED IN THIS PRESENTATION IS
INTENDED TO NOR SHALL HAVE THE EFFECT OF CREATING ANY WARRANTIES OR
REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING
THE TERMS AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE
USE OF IBM PRODUCT OR SOFTWARE.

Copyright and Trademark Information


IBM, The IBM Logo and IBM.COM are trademarks of International Business Machines Corp.,
registered in many jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks and others are
available on the web under “Copyright and Trademark Information” located at
www.ibm.com/legal/copytrade.shtml.
