Watsonx – FAQs
May 30, 2023
No Comments
IBM Partner Engagement manager standard | FAQs – Optimize partner onboarding processes
Online Certificate Status Protocol (OCSP) Support in Sterling B2B Integrator
The Online Certificate Status Protocol (OCSP) is a set of ASN.1 defined data structures for requesting and receiving information about certificate revocation status. These data structures can be sent and received by many transport protocols in principle. In practice, HTTP is used.
An OCSP client sends questions and processes responses. An OCSP responder answers questions and generates responses.
An OCSP client implementation consists of the following:
- Data structures for managing information about OCSP responders
- Functionality for generating OCSP requests
- Functionality for processing OCSP responses
- Functionality for transmitting OCSP requests and receiving OCSP responses
An OCSP check for a certificate in Sterling B2B Integrator is determined when the OCSP check within Sterling B2B Integrator is implemented as a part of internal system APIs used by services for getting certificates and keys from the database. OCSP checks are performed by Sterling B2B Integrator when methods are called to get certificates and keys from the objects that encapsulate them in the database.
The following steps describe how the OCSP check is implemented in Sterling B2B Integrator:
Two new database tables have been added to manage OCSP-related information:
- CERT_AUTHORITY
- OCSP_RESPONDER
CERT_AUTHORITY
The CERT_AUTHORITY table maintains information about certificate authorities.
| Column | Type | Description |
| OBJECT_ID | VARCHAR (255) | This is a GUID that constitutes a unique ID for a record. This is the primary key. Cannot be null. |
| NAME | VARCHAR (255) | A name for a record. Null allowed. |
| CREATE_DATE | DATETIME | A create date for a record. |
| MODIFIED_DATE | DATETIME | The date a record was last modified. |
| MODIFIED_BY | VARCHAR(255) | Information about who modified a record. |
| ISSUER_NAME | BLOB | The RDN of the authority is taken from its certificate. |
| HASH_ALG | VARCHAR(128) | The hash algorithm is used to compute name and key hashes. Only SHA1 is supported. |
| RDN_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authorityās certificate. This column is indexed. |
| KEY_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the encoded public key in the issuerās certificate |
| CERT_OID | VARCHAR(255) | The OBJECT_ID of the authorityās certificate is in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls are not allowed. |
| OCSP_POLICY | VARCHAR(128) | The OCSP policy for the authority. This consists of two comma-separated values. The values describe when to use OCSP and what to check. Possible values are: OCSP_When
OCSP_What
|
| CRL_POLICY | VARCHAR(128) | Currently not used. |
| LOCK_ID | INTEGER | Used by the system to lock rows in the table. |
| CREATES | TIMESTAMP | The timestamp of record creation for a row in the table. |
| MODIFY | TIMESTAMP | The last modification time for a row in the table. |
| CREATEUSERID | VARCHAR(40) | The user ID that created a row in the table. |
| MODIFYUSERID | VARCHAR(40) | The user ID that modified a row in the table. |
| CREATEPROGID | VARCHAR(40) | The name of a program or object that created a row in the table. |
| MODIFYPROGID | VARCHAR(40) | The name of a program or object that modified a record in the table. |
OCSP_RESPONDER
The OCSP_RESPONDER table maintains information about OCSP responders.
| Column | Type | Description |
| OBJECT_ID | VARCHAR (255) | This is a GUID that constitutes a unique ID for a record. This is the primary key. Cannot be null. |
| NAME | VARCHAR (255) | A name for a record. Null allowed. |
| CREATE_DATE | DATETIME | A create date for a record. |
| MODIFIED_DATE | DATETIME | The date a record was last modified. |
| MODIFIED_BY | VARCHAR(255) | Information about who modified a record. |
| ISSUER_NAME | BLOB | The RDN of the authority is taken from its certificate. |
| HASH_ALG | VARCHAR(128) | The hash algorithm is used to compute name and key hashes. Only SHA1 is supported. |
| RDN_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authorityās certificate. This column is indexed. |
| KEY_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the encoded public key in the issuerās certificate |
| CERT_OID | VARCHAR(255) | The OBJECT_ID of the authorityās certificate is in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls are not allowed. |
| CACHE_TTL | VARCHAR(64) | The time in seconds to allow OCSP responses to life in the internal response cache If the column is NULL, OCSP responses will only be cached for 1 second, which in practice means not at all. |
| TRANS_PROF_OID | VARCHAR(255) | OBJECT_ID of a profile in the GIS database. You have to create a profile for the OCSP responder that includes the correct URL for the responder. |
| COMM_BP | VARCHAR(255) | Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The process HTTPClientSend that comes with the system can be used and is recommended |
| COMM_WAIT | VARCHAR(24) | The number of seconds to wait for communication with the OCSP responder to take place before inferring that something is wrong. |
| LOCK_ID | INTEGER | Used by the system to lock rows in the table. |
| CREATES | TIMESTAMP | The timestamp of record creation for a row in the table. |
| MODIFY | TIMESTAMP | The last modification time for a row in the table. |
| CREATEUSERID | VARCHAR(40) | The user ID that created a row in the table. |
| MODIFYUSERID | VARCHAR(40) | The user ID that modified a row in the table. |
| CREATEPROGID | VARCHAR(40) | The name of a program or object that created a row in the table. |
| MODIFYPROGID | VARCHAR(40) | The name of a program or object that modified a record in the table. |
| SEND_NONCE | VARCHAR(8) | Indicates whether to send a nonce with OCSP requests. Valid values:
|
| REQ_NONCE | VARCHAR(8) | Indicates whether to require a nonce in OCSP responses. The system only recognizes the requirement for nonces on responses if it is required to send them in requests (SEND_NONCE=true). Valid values:
|
| RESP_CERT_IN_CA_STORE | VARCHAR(8) | Indicates whether the certificate used to verify signatures on OCSP responses is in the CA store. Valid values:
|
| RESP_CERT_OID | VARCHAR(255) | The object ID of the certificate is used to verify signatures on OCSP responses. This is the object ID of a record in the CA_CERT_INFO or TRUSTED_CERT_INFO table. |
When configuring the system, you can create as many authorities and responders as you like.
To configure the system to use OCSP:
- Check the certificate for the certificate authority who issues the certificates you want to check in with OCSP into Sterling Integrator to verify it is a CA certificate.
- List the CA certificates in the system and get the object ID for the certificate you just installed.
- If the authorityās OCSP response signing certificate is different than the authorityās certificate issuing certificate, check the authorityās OCSP response signing certificate into Sterling Integrator as a Trusted certificate.
- If you checked in an additional OCSP signing certificate, list the Trusted certificates in the system and get the object ID for the certificate you just installed.
- Go to the bin directory of the Sterling Integrator installation.
- Start the database if necessary.
- Start the bash or sh shell.
- Source the file tmp.sh
- Create an authority using the utility in the class com.sterlingcommerce.security.ocsp.SCICertAuthority.
- Create an OCSP responder using the utility in the class com.sterlingcommerce.security.ocsp.SCIOCSPResponder
- Update the certificates for the authority or individual certificates to enable OCSP. The utility com.sterlingcommerce.security.ocsp.SetAuthorityCertificatesOCSPInfo will configure all trusted and system certificates for an authority. The utility com.sterlingcommerce.security.ocsp.SetSystemCertificateOCSPInfo will configure one system certificate. The utility com.sterlingcommerce.security.ocsp.SetTrustedCertificateOCSPInfo will configure one trusted certificate.
The following scripts run the OCSP configuration utilities. There is a Unix/Linux and Windows version of each script. The scripts take the same command-line arguments as the utility programs they invoke. The scripts are located in the bin directory of the product install. The information about the command-line arguments is repeated in this section describing the scripts.
ManageCertAuthority.sh and ManageCertAuthority.cmd
| Argument | Description |
| -a, -l, -d, -u2 | Operation to perform:
The āl option takes no additional arguments. The ād option takes a single argument: the object ID of the record to delete |
| Name | Name of the authority. Required with -a. |
| Modified_by | User who modified or created the identity. Required with āa. |
| Hash_alg | Hash algorithm for the authority. Only the value āSHA1ā is supported. Required with āa. |
| Certificate_id | Object ID of the CA certificate associated with the authority. Required with āa. |
| OCSP_policy | The OCSP policy string for the authority. This is a comma-delimited string as described in the section on the CERT_AUTHORITY table. Required with āa. For the first element of the string, the following are permitted:
For the second element of the string, the following are permitted: OCSP What
Examples:
|
Crl_policy | CRL policy string for the authority. Required with āa. A value is required for this argument, but it is not currently used. āNoneā is acceptable. |
| Object_ID | An object ID to use when creating this record. Optional with -a. Required with -u2. |
ManageOCSPResponder.sh and ManageOCSPResponder.cmd
| Argument | Description |
| -l | Gets a list of the currently configured OCSP Responders. This option takes no additional arguments. |
| -d | Deletes the configured OCSP Responder with the provided object ID for responders configuration data. This option takes object_id as an additional argument. |
| -u2 | Updates existing records in the database with the correct information about the public key of the authority certificate and the subject DN of the authority certificate. This needs to be run against all existing records for both Cert Authority and OCSP Responders, or you need to delete and recreate the records to get the proper information into the database. This option takes object_id as an additional argument. |
| -a | Adds configuration data for a new OCSP Responder to be used for checking the status of certificates issued by the provided authority. Additional arguments are name, modified_by, hash_alg, authority_cert_oid, response_signing_cert_oid, resp_signing_cert_in_ca_store, cache_ttl, trans_prof_oid, comm_bp, comm_wait, send_nonce, require_nonce, and object_id. |
| name | (Required with -a) Name of the authority. |
| modified_by | (Required with -a) User who modified or created the identity. |
| hash_alg | (Required with -a) Hash algorithm for the authority. Only the value āSHA1ā is supported. |
| authority_cert_oid | (Required with -a) Object ID of the CA certificate associated with the authority. |
| response_signing_cert_oid | (Required with -a) Object ID of the certificate that the provider of the OCSP services used to sign the response providing the status for the certificates. This certificate must be added to the CA Digital Certificate store or the Trusted Digital Certificate store. This is the System Certificate ID for the certificate as it appears in the store. |
| resp_signing_cert_in_ca_store | (Required with -a) Flag indicating if the previous value for the response_signing_cert_oid argument is found in the CA Digital Certificate Store in Sterling B2B Integrator. |
| cache_ttl | (Required with -a) The time-to-live in seconds for OCSP responses in the internal cache. |
| trans_prof_oid | (Required with -a) The object ID of a transport configured for communicating with the OCSP responder. |
| comm_bp | (Required with -a) Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The process HTTPClientSend that comes with the system can be used and is recommended. |
| comm_wait | (Required with -a) The number of seconds to wait for communication with the responder until inferring that an error has occurred. |
| send_nonce | (Required with -a) Indicates if a NONCE value will be sent to the OCSP service. The NONCE value is used to prevent replay attacks by some OCSP providers. |
| require_nonce | (Required with -a) Indicates if the server should require that the OCSP service provide a NONCE value in the response. |
| object_id | (Optional with -a) An object ID to use when creating this record. |
SetSystemCertOCSPInfo.sh SetSystemCerOCSPInfo.cmd
This utility will set the OCSP information in the database for a single system certificate
| Argument | Description |
| -o, -n | How to interpret the second argument: -o object_ID -n name |
| Object_ID/Name | Object ID or name of the authority as determined by argument 1. |
SetSystemCertOCSPInfo.sh and SetTrustedCertOCSPInfo.cmd
This utility will set the OCSP information in the database for a single trusted certificate
| Argument | Description |
| -o, -n | How to interpret the second argument: -o object_ID -n name |
| Object_ID/Name | Object ID or name of the authority as determined by argument 1. |
Use the following example to learn how to run the OCSP configuration scripts. These scripts assume that you have already checked in the CA certificates for the authority, started the database, are in the bin directory of your Sterling B2B Integrator installation and have sourced the file tmp.sh in the bin directory.
After getting the object ID of the CA certificate from the authority, in Sterling B2B Integrator from the Administration menu, selectĀ Trading Partners > Digital Certificates-CA. Select a certificate. The Certificate Summary dialog box appears with the certificate information, including its object ID.
Complete the following steps to run an OCSP Script:
The following steps describe the logic of OCSP checking in Sterling B2B Integrator:
If the certificate status is ok, the OCSP check succeeds. Otherwise, it fails.
- If an existing response whose time-to-live has not expired is found, than that response is used as the OCSP response.
- If no existing response is found in the cache or the time-to-live has expired for a response in the cache, an OCSP request is created.
- If the system creates an OCSP request, it launches the business process configured for the OCSP responder to send the request and get the response. Requests will include a nonce value if the responder was configured to have one sent.
- If the business process completes successfully, the system attempts to parse its primary document as an OCSP response. The business process used to send OCSP requests and receive OCSP responses strips the HTTP headers from the response.
- If the primary document can be parsed as an OCSP response, the system checks the status of the response.
- If the response status indicates that the request generated a valid response, the system attempts to verify the signature on the OCSP response using the certificate configured for the OCSP responder.
- If the signature is verified and the responder was configured to require nonce, the system attempts to get and check the nonce from the response.
- If all other verifications passed, then the system looks for certificate status information for the certificate for which the request was constructed and sent.
- If the status information is found, then the system updates the internal cache for an existing OCSP response for the certificate.
Browse Categories
Share Blog Post
Pragma Edge (4.5/5)
4.5/5
Source: IBM
- Published on September 15, 2022
Pragma Edge Webhooks – FAQ
February 8, 2023
No Comments
IBM Partner Engagement manager standard | FAQs – Optimize partner onboarding processes
Pragma Edge Webhooks – Infographic
February 7, 2023
No Comments
FILE GPS – End To End File Monitoring provides insights for the business to bring situational awareness to the file activities, impacting customer business processes
IBMĀ® Sterling B2B Integrator supports only IBM MQ (formerly IBM Websphere MQ) as a messaging queue.
A messaging queue is required for Sterling B2B Integrator if you are using adapter containers.
IBM MQ version 9.0.0.4 or higher is supported.
Upgrading from previous versions
- From v6.0 onwards, ActiveMQ is no longer bundled and installed with Sterling B2B Integrator. You must install and use IBM MQ as the messaging queue.
- If your current setup has adapter containers, you must install IBM MQ and set the required properties for IBM MQ before you upgrade.
- If you are using the bundled ActiveMQ for any messaging purpose, you must migrate to IBM MQ or configure external ActiveMQ.
- External ActiveMQ is still supported for JMS adapter. If you are already using External ActiveMQ for JMS adapter, you can continue to use it.
- For more information, see Considerations for upgrading from version 5.2.6.x.
For all databases that are supported byĀ Sterling B2B Integrator, use the JDBC driver recommended by the database vendor for your database version.
For Oracle
- (Version 12c) Oracle 12.1.0.2.0 JDBC 4.1 or higher within 12.x.x.x.x. SeeĀ http://www.oracle.com/technetwork/database/features/jdbc/index-091264.htmlĀ for information.
- (Version 11g) SeeĀ http://www.oracle.com/technetwork/database/features/jdbc/index-091264.htmlĀ for information.
- Sterling B2B IntegratorĀ supports JDBC Type-4 drivers on a single node of a database except with Oracle Real Application Clusters (RAC). You can use the JDBC Type-4 drivers to connect with multiple nodes of an Oracle RAC.
For Microsoft SQL Server
- Microsoft SQL Server 2019 - Use SQL Server JDBC Driver 8.4.1.jre8
- Microsoft SQL Server 2016 - Use SQL Server JDBC Driver 6.4.0.jre8
- Microsoft SQL Server 2014 - Use SQL Server JDBC Driver 6.4.0.jre8
- Microsoft SQL Server 2012 - Use SQL Server JDBC Driver 6.4.0.jre8
- Regardless of the Microsoft SQL Server version, if you are using the Lightweight JDBC Adapter, use SQL Server JDBC Driver 6.4.0.jre8.
To obtain the driver, go to the Microsoft Download Center atĀ http://www.microsoft.com/en-us/download/default.aspxĀ and search for the required SQL Server JDBC driver version.
For DB2
For DB2, seeĀ http://www.ibm.com/support/docview.wss?uid=swg21363866Ā for information.
During installation or an upgrade, you must specify the initial port number forĀ Sterling B2B Integrator.
To specify an initial port number, follow these guidelines:
- Sterling B2B IntegratorĀ requires a range of 200 consecutive open ports between 1025 and 65535.ĀNote:Ā Because of RMI, on occasion, a port number outside the range may be assigned.Ā
- The initial port number represents the beginning port number in the range.
- Make sure that port numbers in the port range are not used by any other applications on your system.
For example, if you specify 10100 as the initial port number, then you need to make sure that 10100 through 10199 are not used by any other applications on your system.
During the upgrade, about 50 default ports are pre-assigned for different services. For example, if you do not want xxx32 (10132) to be a default port, you could assign another number within the port range.
After your installation or upgrade, refer to the following file for all of the port assignments.
- For Windows:Ā \<install_dir>\properties\sandbox.cfg
- For Unix/Linux:Ā /<install_dir>/properties/sandbox.cfg
An increased market demand for the enhanced Internet Protocol (IP) has lowered the worldwide supply of Internet Protocol version 4 (IPv4) addresses. The Internet Protocol version 6 (IPv6) expands the IP address space from 32 bits to 128 bits, providing an increased supply of IP addresses.
Sterling B2B IntegratorĀ is enabled for IPv6 support, providing a dual IPv4 and IPv6 stack, tunneling, proxying, and translation between the two IP address versions.
Sterling B2B IntegratorĀ interoperates with various related products, many of which do not yet support IPv6 addresses. Therefore, inĀ Sterling B2B Integrator, a limited set of configurations use IPv6 addresses. The dual stack approach permits interoperability betweenĀ Sterling B2B IntegratorĀ and a mixed set of IPv4 and IPv6 enabled services and adapters wherever feasible.
However, if you choose to implement an IPv6 installation, limitations exist in theĀ Sterling B2B IntegratorĀ system requirements and the selected services and adapters. Consider the limitations before you attempt to installĀ Sterling B2B IntegratorĀ with IPv6 addresses.
Important:Ā You must install with a host name and not an IPv6 address. Otherwise the Lightweight JDBC adapter and Graphical Process Modeler (GPM) do not work.
Ā
IPv6 supported combinations
The following table lists the IPv6 configuration combinations supported byĀ Sterling B2B Integrator
Database | AIXĀ® | Windows | LinuxĀ® (see note) |
|---|---|---|---|
| DB2Ā® | Yes | No | Yes |
| MSSQL | No | No | Yes |
| Oracle | No | No | Yes |
| MySQL | No | No | Yes |
Important:Ā Red Hat Enterprise Linux for IBMĀ® System zĀ® only supports DB2.
Note:Ā IBM Consulting Services can help you implementĀ Sterling B2B IntegratorĀ in an IPv6-compliant environment by using transition technologies. Check the IPv6 compliance of any third-party tools (such as web servers, FTP clients, and MQ servers) that you use withĀ Sterling B2B Integrator.
Ā
IPv6 supported combinations with limitations
The followingĀ Sterling B2B IntegratorĀ components provide IPv6 compliance with some limitations.
Attention:Ā The status of each component will be updated as more of IBM's technology partners offer IPv6 compliance.
Component | IPv6 compliance | Limitations |
|---|---|---|
| HTTP Client/Server adapter | Full | - |
| HTTP GET/POST service | Full | - |
| HTTP Begin/End Session adapter | Full | - |
| FTP Client/Server adapter | Full | - |
| PGP Package/Unpackage service | Full | - |
| Command Line Adapter 2 | Full | - |
| WebSphere MQ Suite | Full | - |
| JMS adapter | Partial | The URI does not accept IPv6 addresses as characters ā[ ]' are not allowed. However, it works with a host name. |
| SFTP Client/Server adapter | Full | - |
| SMTP/POP3/MIME | Full | - |
| FSA | Full | - |
| Lightweight JDBC adapter | Partial | Supports an IPv6 remote host only with a DB2 and AIX combination. However, if yourĀ Sterling B2B IntegratorĀ installation is under an IPv6 address, the Lightweight JDBC adapter can still be used with any other database currently supported by the adapter by using an IPv4 remote host. |
| Web services | Full | - |
| BEA Tuxedo adapter | Full | - |
| Zengin adapter | Full | - |
| ConnectDirect | Full | Supports IPv6 on C:D UNIX 4.0 and C:D Windows 4.4.00 |
| E5 | Full | - |
| TIBCO adapter | Full | - |
| SNMP | Full | - |
| Transora adapter | Full | - |
| OFTP | Full | - |
| SAP Suite adapter | Unsupported | - |
| JGroups | Partial | Do not use IPV6 with JGroups on AIX |
The use of IPv6 addresses in an installation ofĀ Sterling B2B IntegratorĀ requires certain guidelines.
Important:Ā Sterling B2B IntegratorĀ does not support IPv6 installation on Windows.
Consider the following IPv6 address information when you plan the installation:
- If you use an IPv6 address, use a fully qualified address that includes square brackets around the address, and a zero (
0) between colons where there are no other numbers. For example, useĀ[fe80:0:0:0:213:72ff:fe3c:21bf]Ā instead ofĀfe80::213:72ff:fe3c:21bf. - If you are installing with an IPv6 address, comment out the host name mapping to the IPv4 address and retain the mapping to the IPv6 address in the host file in theĀ /etc/sysconfig/networking/profiles/default/hostsĀ directory.
- You must install with a host name, not an IPv6 address, otherwise the Lightweight JDBC adapter and Graphical Process Modeler (GPM) do not work.
- If you are using an Oracle database, do not use an IPv6 address for the host name.
- If you are using an IPv6 address and are going to configureĀ Sterling B2B IntegratorĀ as a dual stack host, after you complete the installation, you need to add the IPv6 address (as theĀ admin_host.3Ā property) to theĀ noapp.properties_platform_ifcresources_ext .inĀ file.
Ā
You can install and run perimeter servers in a UNIX, Linux or Windows Server environment.
Perimeter servers can be co-resident withĀ Sterling B2B IntegratorĀ installations or can be installed on remote servers. To take full advantage of the security features of a perimeter server, it should be installed on a different computer than whereĀ Sterling B2B IntegratorĀ is installed.
Perimeter servers are supported on the same operating system and JDK combinations asĀ Sterling B2B Integrator. The operating system and JDK version that the perimeter server uses do not need to match the operating system and JDK version ofĀ Sterling B2B Integrator.
Refer to the JDK instructions for the operating system on which you are installing the perimeter server.
In addition, each perimeter server requires the following minimum space and memory requirements:
- 100 MB disk space
- 1 GB memory
For more information about perimeter servers, seeĀ Installing and configuring perimeter servers.
The SWIFTNet7 adapter communicates to the SWIFTNet Network through the SWIFTNet MEFG Servers for SWIFTNet version 7. It responds to and accepts InterAct and FileAct messages that are sent by remote SWIFTNet correspondents.
IBM AIX
If you are using the SWIFTNet7 Adapter on the IBM AIX platform, you must patch your IBM XL C/C++ runtime library to July 2009 Runtime for IBM XL C++ for AIX. Additionally, you must upgrade your AIX operating system to Version 6.1 (or higher).
If you are using SSL, you must upgrade to the latest security fix of the OpenSSL library that corresponds to the MEFG Installation version, for example OpenSSL 1.0.1p or OpenSSL 1.0.2d. It is recommended that you continue to monitor and apply the latest security fixes to the OpenSSL library to apply fixes to the OpenSSL security defects.
For OpenSSL, the download is available from OpenSSL (http://www.openssl.org).
For IBM AIX, the download is available from IBM (https://www.ibm.com/support/home/).
Windows
If you are using the SWIFTNet7 Adapter on the Windows platform, you must upgrade your Windows operating system to at least Windows Server 2008 R2 (with all security patches).
If you are using SSL, you must upgrade to the latest security fix of the OpenSSL library that corresponds to the MEFG Installation version, for example OpenSSL 1.0.1p or OpenSSL 1.0.2d. It is recommended that you continue to monitor and apply the latest security fixes to the OpenSSL library to apply fixes to the OpenSSL security defects.
For OpenSSL, the download is available from OpenSSL (http://www.openssl.org).
For Windows, the download is available from MicrosoftĀ® (Windows Server 2008 R2 and Windows Server 2008).
Red Hat Enterprise Linux
To use the SWIFTNet7 Adapter on the Red Hat Enterprise Linux platform, you must be using Red Hat Enterprise Linux Server Release 6.1 or higher x64, 64-bit Kernel, including any patches within 6.x. Supported kernel version: 2.6.18-164.2.1.el5 or higher within version 2.x.
Install the SWIFT Remote API for Linux before installing MEFG. The SWIFT Remote API download is available from SWIFT (http://www.swift.com), and shcould be a version compatable with MEFG and SWIFTNet Link.
If you are using SSL, you must also upgrade to the latest security fix of the OpenSSL library that corresponds to the MEFG Installation version. For example OpenSSL 1.0.1p or OpenSSL 1.0.2d. We recommend that you continue to monitor and continue to apply the latest security fixes to the OpenSSL library to apply fixes to OpenSSL security defects.
For Red Hat Enterprise Linux, any necessary downloads are available from RedHat (http://www.redhat.com/products/enterprise-linux/).
For OpenSSL, the download is available from RedHat (http://www.redhat.com).
Integration with WebSphere Transformation Extender (WTX) on Red Hat Enterprise Linux for IBM System z requires WebSphere Transformation Extender version 8.4.0.3.14.
Ā
You can choose between different security certificates before you installĀ Sterling B2B Integrator.
Before you begin the installation, you must decide which of the following security certificates to use:
- The default self-signed SSL (Secure Sockets Layer) certificate that is automatically generated by the installation.
- A Certificate Authority-related certificate that you generate before you install the software.
If you install with the default SSL certificate, but you later want to switch to a CA-related certificate, you can change the certificate with theĀ sslCertĀ property in theĀ noapp.properties_platform_ifcresources_ext.inĀ file.
