Online Certificate Status Protocol (OCSP) Support in Sterling B2B Integrator

The Online Certificate Status Protocol (OCSP) is a set of ASN.1 defined data structures for requesting and receiving information about certificate revocation status. These data structures can be sent and received by many transport protocols in principle. In practice, HTTP is used.

An OCSP client sends questions and processes responses. An OCSP responder answers questions and generates responses.

An OCSP client implementation consists of the following:

  • Data structures for managing information about OCSP responders
  • Functionality for generating OCSP requests
  • Functionality for processing OCSP responses
  • Functionality for transmitting OCSP requests and receiving OCSP responses

An OCSP check for a certificate in Sterling B2B Integrator is determined when the OCSP check within Sterling B2B Integrator is implemented as a part of internal system APIs used by services for getting certificates and keys from the database. OCSP checks are performed by Sterling B2B Integrator when methods are called to get certificates and keys from the objects that encapsulate them in the database.

The following steps describe how the OCSP check is implemented in Sterling B2B Integrator:

  1. The system checks the object that encapsulates the certificate to determine if OCSP checking is enabled. This allows the system to determine with no additional database calls whether to attempt an OCSP check.
  2. If OCSP checking is enabled, the system retrieves the encoded issuer name from a certificate.
  3. The system hashes the encoded issuer name with SHA1.
  4. The system attempts to find an authority configured in the system that has a name whose hash matches that of the certificate. If no authority is found, no check is performed.
  5. If an authority is found, the system checks the OCSP policy for the authority. If the policy permits or requires OCSP checks, see the CERT_AUTHORITY table for more information. The system attempts to find an OCSP responder for the authority.
  6. If an OCSP responder is found for the authority, an OCSP check is attempted. If no OCSP responder is found for the authority, one of the following happens:
    • If the authorization policy is set to always check, an exception is thrown and the check fails.
    • If the authorization policy is to only check when a responder is configured, no check is performed.
Two new database tables have been added to manage OCSP-related information:
  • CERT_AUTHORITY
  • OCSP_RESPONDER
CERT_AUTHORITY

The CERT_AUTHORITY table maintains information about certificate authorities.

ColumnTypeDescription
OBJECT_IDVARCHAR (255)This is a GUID that constitutes a unique ID for a record. This is the primary key. Cannot be null.
NAMEVARCHAR (255)A name for a record. Null allowed.
CREATE_DATEDATETIMEA create date for a record.
MODIFIED_DATEDATETIMEThe date a record was last modified.
MODIFIED_BYVARCHAR(255)Information about who modified a record.
ISSUER_NAMEBLOBThe RDN of the authority is taken from its certificate.
HASH_ALGVARCHAR(128)The hash algorithm is used to compute name and key hashes. Only SHA1 is supported.
RDN_HASHVARCHAR(255)BASE64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authority’s certificate. This column is indexed.
KEY_HASHVARCHAR(255)BASE64 encoded SHA1 hash of the encoded public key in the issuer’s certificate
CERT_OIDVARCHAR(255)The OBJECT_ID of the authority’s certificate is in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls are not allowed.
OCSP_POLICYVARCHAR(128)

The OCSP policy for the authority. This consists of two comma-separated values. The values describe when to use OCSP and what to check.

Possible values are:

OCSP_When

  • never-never use OCSP
  • resp – use OCSP only if a responder is configured when a request is made
  • always – always use OCSP when a request is made. This requires a responder to be configured and will cause certificate checking to fail if no responder is configured

OCSP_What

  • none – never check any certificates
  • end-user- Check only end-user certificates
  • both – check both end-user and intermediate certificates. Currently not supported
  • Null is not allowed in this column
CRL_POLICYVARCHAR(128)Currently not used.
LOCK_IDINTEGERUsed by the system to lock rows in the table.
CREATESTIMESTAMPThe timestamp of record creation for a row in the table.
MODIFYTIMESTAMPThe last modification time for a row in the table.
CREATEUSERIDVARCHAR(40)The user ID that created a row in the table.
MODIFYUSERIDVARCHAR(40)The user ID that modified a row in the table.
CREATEPROGIDVARCHAR(40)The name of a program or object that created a row in the table.
MODIFYPROGIDVARCHAR(40)The name of a program or object that modified a record in the table.
OCSP_RESPONDER

The OCSP_RESPONDER table maintains information about OCSP responders.

ColumnTypeDescription
OBJECT_IDVARCHAR (255)This is a GUID that constitutes a unique ID for a record. This is the primary key. Cannot be null.
NAMEVARCHAR (255)A name for a record. Null allowed.
CREATE_DATEDATETIMEA create date for a record.
MODIFIED_DATEDATETIMEThe date a record was last modified.
MODIFIED_BYVARCHAR(255)Information about who modified a record.
ISSUER_NAMEBLOBThe RDN of the authority is taken from its certificate.
HASH_ALGVARCHAR(128)The hash algorithm is used to compute name and key hashes. Only SHA1 is supported.
RDN_HASHVARCHAR(255)BASE64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authority’s certificate. This column is indexed.
KEY_HASHVARCHAR(255)BASE64 encoded SHA1 hash of the encoded public key in the issuer’s certificate
CERT_OIDVARCHAR(255)The OBJECT_ID of the authority’s certificate is in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls are not allowed.
CACHE_TTLVARCHAR(64)

The time in seconds to allow OCSP responses to life in the internal response cache

If the column is NULL, OCSP responses will only be cached for 1 second, which in practice means not at all.

TRANS_PROF_OIDVARCHAR(255)OBJECT_ID of a profile in the GIS database. You have to create a profile for the OCSP responder that includes the correct URL for the responder.
COMM_BPVARCHAR(255)Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The process HTTPClientSend that comes with the system can be used and is recommended
COMM_WAITVARCHAR(24)The number of seconds to wait for communication with the OCSP responder to take place before inferring that something is wrong.
LOCK_IDINTEGERUsed by the system to lock rows in the table.
CREATESTIMESTAMPThe timestamp of record creation for a row in the table.
MODIFYTIMESTAMPThe last modification time for a row in the table.
CREATEUSERIDVARCHAR(40)The user ID that created a row in the table.
MODIFYUSERIDVARCHAR(40)The user ID that modified a row in the table.
CREATEPROGIDVARCHAR(40)The name of a program or object that created a row in the table.
MODIFYPROGIDVARCHAR(40)

The name of a program or object that modified a record in the table.

SEND_NONCEVARCHAR(8)

Indicates whether to send a nonce with OCSP requests.

Valid values:

  • true
  • false
REQ_NONCEVARCHAR(8)

Indicates whether to require a nonce in OCSP responses. The system only recognizes the requirement for nonces on responses if it is required to send them in requests (SEND_NONCE=true).

Valid values:

  • true
  • false
RESP_CERT_IN_CA_STOREVARCHAR(8)

Indicates whether the certificate used to verify signatures on OCSP responses is in the CA store.

Valid values:

  • true
  • false - The trusted store is checked.
RESP_CERT_OIDVARCHAR(255)

The object ID of the certificate is used to verify signatures on OCSP responses. This is the object ID of a record in the CA_CERT_INFO or TRUSTED_CERT_INFO table.

When configuring the system, you can create as many authorities and responders as you like.

To configure the system to use OCSP:

  1. Check the certificate for the certificate authority who issues the certificates you want to check in with OCSP into Sterling Integrator to verify it is a CA certificate.
  2. List the CA certificates in the system and get the object ID for the certificate you just installed.
  3. If the authority’s OCSP response signing certificate is different than the authority’s certificate issuing certificate, check the authority’s OCSP response signing certificate into Sterling Integrator as a Trusted certificate.
  4. If you checked in an additional OCSP signing certificate, list the Trusted certificates in the system and get the object ID for the certificate you just installed.
  5. Go to the bin directory of the Sterling Integrator installation.
  6. Start the database if necessary.
  7. Start the bash or sh shell.
  8. Source the file tmp.sh
  9. Create an authority using the utility in the class com.sterlingcommerce.security.ocsp.SCICertAuthority.
  10. Create an OCSP responder using the utility in the class com.sterlingcommerce.security.ocsp.SCIOCSPResponder
  11. Update the certificates for the authority or individual certificates to enable OCSP. The utility com.sterlingcommerce.security.ocsp.SetAuthorityCertificatesOCSPInfo will configure all trusted and system certificates for an authority. The utility com.sterlingcommerce.security.ocsp.SetSystemCertificateOCSPInfo will configure one system certificate. The utility com.sterlingcommerce.security.ocsp.SetTrustedCertificateOCSPInfo will configure one trusted certificate.

The following scripts run the OCSP configuration utilities. There is a Unix/Linux and Windows version of each script. The scripts take the same command-line arguments as the utility programs they invoke. The scripts are located in the bin directory of the product install. The information about the command-line arguments is repeated in this section describing the scripts.

ManageCertAuthority.sh and ManageCertAuthority.cmd
ArgumentDescription
-a, -l, -d, -u2

Operation to perform:

  • -a - add
  • -l - list
  • -d - delete
  • -u2 - update existing database record with newly computed key and RDN hashes

The –l option takes no additional arguments. The –d option takes a single argument: the object ID of the record to delete

NameName of the authority. Required with -a.
Modified_by

User who modified or created the identity. Required with –a.

Hash_algHash algorithm for the authority. Only the value “SHA1” is supported. Required with –a.
Certificate_idObject ID of the CA certificate associated with the authority. Required with –a.
OCSP_policy

The OCSP policy string for the authority. This is a comma-delimited string as described in the section on the CERT_AUTHORITY table. Required with –a.

For the first element of the string, the following are permitted:

  • never – never use OCSP
  • resp – use OCSP only if a responder is configured when a request is made
  • always – always use OCSP when a request is made. This requires a responder to be configured and will cause certificate checking to fail if no responder is configured

For the second element of the string, the following are permitted:

OCSP What
  • none – never check any certificates
  • end-user- Check only end user certificates
  • both – check both end-user and intermediate certificates. Currently not supported.
Examples:
  • never,none
  • always,end-user

Crl_policy

CRL policy string for the authority. Required with –a. A value is required for this argument, but it is not currently used. “None” is acceptable.
Object_ID

An object ID to use when creating this record. Optional with -a. Required with -u2.

ManageOCSPResponder.sh and ManageOCSPResponder.cmd
ArgumentDescription
-lGets a list of the currently configured OCSP Responders.

This option takes no additional arguments.

-dDeletes the configured OCSP Responder with the provided object ID for responders configuration data.

This option takes object_id as an additional argument.

-u2

Updates existing records in the database with the correct information about the public key of the authority certificate and the subject DN of the authority certificate.

This needs to be run against all existing records for both Cert Authority and OCSP Responders, or you need to delete and recreate the records to get the proper information into the database.

This option takes object_id as an additional argument.

-aAdds configuration data for a new OCSP Responder to be used for checking the status of certificates issued by the provided authority.

Additional arguments are name, modified_by, hash_alg, authority_cert_oid, response_signing_cert_oid, resp_signing_cert_in_ca_store, cache_ttl, trans_prof_oid, comm_bp, comm_wait, send_nonce, require_nonce, and object_id.

name(Required with -a) Name of the authority.
modified_by

(Required with -a) User who modified or created the identity.

hash_alg(Required with -a) Hash algorithm for the authority. Only the value “SHA1” is supported.
authority_cert_oid(Required with -a) Object ID of the CA certificate associated with the authority.
response_signing_cert_oid(Required with -a) Object ID of the certificate that the provider of the OCSP services used to sign the response providing the status for the certificates. This certificate must be added to the CA Digital Certificate store or the Trusted Digital Certificate store. This is the System Certificate ID for the certificate as it appears in the store.
resp_signing_cert_in_ca_store(Required with -a) Flag indicating if the previous value for the response_signing_cert_oid argument is found in the CA Digital Certificate Store in Sterling B2B Integrator.
cache_ttl(Required with -a) The time-to-live in seconds for OCSP responses in the internal cache.
trans_prof_oid(Required with -a) The object ID of a transport configured for communicating with the OCSP responder.
comm_bp(Required with -a) Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The process HTTPClientSend that comes with the system can be used and is recommended.
comm_wait(Required with -a) The number of seconds to wait for communication with the responder until inferring that an error has occurred.
send_nonce(Required with -a) Indicates if a NONCE value will be sent to the OCSP service. The NONCE value is used to prevent replay attacks by some OCSP providers.
require_nonce(Required with -a) Indicates if the server should require that the OCSP service provide a NONCE value in the response.
object_id

(Optional with -a) An object ID to use when creating this record.

SetSystemCertOCSPInfo.sh SetSystemCerOCSPInfo.cmd
This utility will set the OCSP information in the database for a single system certificate
ArgumentDescription
-o, -n

How to interpret the second argument:

-o object_ID

-n name

Object_ID/Name

Object ID or name of the authority as determined by argument 1.

SetSystemCertOCSPInfo.sh and SetTrustedCertOCSPInfo.cmd
This utility will set the OCSP information in the database for a single trusted certificate
ArgumentDescription
-o, -n

How to interpret the second argument:

-o object_ID

-n name

Object_ID/Name

Object ID or name of the authority as determined by argument 1.

Use the following example to learn how to run the OCSP configuration scripts. These scripts assume that you have already checked in the CA certificates for the authority, started the database, are in the bin directory of your Sterling B2B Integrator installation and have sourced the file tmp.sh in the bin directory.

After getting the object ID of the CA certificate from the authority, in Sterling B2B Integrator from the Administration menu, select Trading Partners > Digital Certificates-CA. Select a certificate. The Certificate Summary dialog box appears with the certificate information, including its object ID.

Complete the following steps to run an OCSP Script:

  1. Run a command similar to the following to create an authority in the system:
    ./ManageCertAuthority.sh -a VPCA admin SHA1 
"sedna:a1807c:11dc6d53ba4:-7b4b" "always,end-user" "none"
  2. After creating an authority, and creating a profile for communicating with an OCSP responder, run a command similar to the following to create an OCSP responder in the system:
    ./ManageOCSPResponder.sh -a VPCA admin SHA1 
"sedna:a1807c:11dc6d53ba4:-7b4b" "2400" "a1807c:11dc79aacbd:-7570"
 HTTPClientSend 3600
  3. Run a command similar to the following to list all of the authorities in the system:
    ./ManageCertAuthority.sh -l

    Return output for each authority displays:

    CERT_AUTHORITY: 
OBJECT_ID: sedna:1ded0fd:11dc9d22929:-7fbd
NAME: VPCA
CREATE_DATE: 2008-11-23
MODIFIED_DATE: 2008-11-23
MODIFIED_BY: null
ISSUER_NAME: Country=US, StateOrProvince=Dublin, 
OrganizationUnit=GIS Development,
Organization=Sterling, 
CommonName=Test CA
HASH_ALG: SHA1
RDN_HASH: 24E63F8AE9F51497529EA0CC34467A4680737A9F
ENCODED_RDN_HASH: JOY/iun1FJdSnqDMNEZ6RoBzep8=
KEY_HASH: C96F2FF442EBFA07672DCEC49B729D4D24898313
ENCODED_KEY_HASH: yW8v9ELr+gdnLc7Em3KdTSSJgxM=
CERT_OID: sedna:a1807c:11dc6d53ba4:-7b4b
OCSP_WHEN_POLICY: always
OCSP_WHAT_POLICY: end-user
CRL_POLICY: null
  4. Use a command similar to the following to enable OCSP for all trusted and system certificates issued by the authority:
    ./SetAuthorityCertsOCSPInfo.sh -o 
"sedna:1ded0fd:11dc9d22929:-7fbd" yes

The following steps describe the logic of OCSP checking in Sterling B2B Integrator:

If the certificate status is ok, the OCSP check succeeds. Otherwise, it fails.

  1. If an existing response whose time-to-live has not expired is found, than that response is used as the OCSP response.
  2. If no existing response is found in the cache or the time-to-live has expired for a response in the cache, an OCSP request is created.
  3. If the system creates an OCSP request, it launches the business process configured for the OCSP responder to send the request and get the response. Requests will include a nonce value if the responder was configured to have one sent.
  4. If the business process completes successfully, the system attempts to parse its primary document as an OCSP response. The business process used to send OCSP requests and receive OCSP responses strips the HTTP headers from the response.
  5. If the primary document can be parsed as an OCSP response, the system checks the status of the response.
  6. If the response status indicates that the request generated a valid response, the system attempts to verify the signature on the OCSP response using the certificate configured for the OCSP responder.
  7. If the signature is verified and the responder was configured to require nonce, the system attempts to get and check the nonce from the response.
  8. If all other verifications passed, then the system looks for certificate status information for the certificate for which the request was constructed and sent.
  9. If the status information is found, then the system updates the internal cache for an existing OCSP response for the certificate.

Browse Categories

Share Blog Post

Pragma Edge (4.5/5)
4.5/5
Source: IBM

Recent Blog Posts - Read More

IBM® Sterling B2B Integrator supports only IBM MQ (formerly IBM Websphere MQ) as a messaging queue.

A messaging queue is required for Sterling B2B Integrator if you are using adapter containers.

IBM MQ version 9.0.0.4 or higher is supported.

Upgrading from previous versions
  • From v6.0 onwards, ActiveMQ is no longer bundled and installed with Sterling B2B Integrator. You must install and use IBM MQ as the messaging queue.
  • If your current setup has adapter containers, you must install IBM MQ and set the required properties for IBM MQ before you upgrade.
  • If you are using the bundled ActiveMQ for any messaging purpose, you must migrate to IBM MQ or configure external ActiveMQ.
  • External ActiveMQ is still supported for JMS adapter. If you are already using External ActiveMQ for JMS adapter, you can continue to use it.
  • For more information, see Considerations for upgrading from version 5.2.6.x.

For all databases that are supported by Sterling B2B Integrator, use the JDBC driver recommended by the database vendor for your database version.

For Oracle
For Microsoft SQL Server
  • Microsoft SQL Server 2019 - Use SQL Server JDBC Driver 8.4.1.jre8
  • Microsoft SQL Server 2016 - Use SQL Server JDBC Driver 6.4.0.jre8
  • Microsoft SQL Server 2014 - Use SQL Server JDBC Driver 6.4.0.jre8
  • Microsoft SQL Server 2012 - Use SQL Server JDBC Driver 6.4.0.jre8
  • Regardless of the Microsoft SQL Server version, if you are using the Lightweight JDBC Adapter, use SQL Server JDBC Driver 6.4.0.jre8.

To obtain the driver, go to the Microsoft Download Center at http://www.microsoft.com/en-us/download/default.aspx and search for the required SQL Server JDBC driver version.

For DB2

For DB2, see http://www.ibm.com/support/docview.wss?uid=swg21363866 for information.

During installation or an upgrade, you must specify the initial port number for Sterling B2B Integrator.

To specify an initial port number, follow these guidelines:

  • Sterling B2B Integrator requires a range of 200 consecutive open ports between 1025 and 65535.
     
    Note: Because of RMI, on occasion, a port number outside the range may be assigned.
     
  • The initial port number represents the beginning port number in the range.
  • Make sure that port numbers in the port range are not used by any other applications on your system.

For example, if you specify 10100 as the initial port number, then you need to make sure that 10100 through 10199 are not used by any other applications on your system.

During the upgrade, about 50 default ports are pre-assigned for different services. For example, if you do not want xxx32 (10132) to be a default port, you could assign another number within the port range.

After your installation or upgrade, refer to the following file for all of the port assignments.

  • For Windows: \<install_dir>\properties\sandbox.cfg
  • For Unix/Linux: /<install_dir>/properties/sandbox.cfg

An increased market demand for the enhanced Internet Protocol (IP) has lowered the worldwide supply of Internet Protocol version 4 (IPv4) addresses. The Internet Protocol version 6 (IPv6) expands the IP address space from 32 bits to 128 bits, providing an increased supply of IP addresses.

Sterling B2B Integrator is enabled for IPv6 support, providing a dual IPv4 and IPv6 stack, tunneling, proxying, and translation between the two IP address versions.

Sterling B2B Integrator interoperates with various related products, many of which do not yet support IPv6 addresses. Therefore, in Sterling B2B Integrator, a limited set of configurations use IPv6 addresses. The dual stack approach permits interoperability between Sterling B2B Integrator and a mixed set of IPv4 and IPv6 enabled services and adapters wherever feasible.

However, if you choose to implement an IPv6 installation, limitations exist in the Sterling B2B Integrator system requirements and the selected services and adapters. Consider the limitations before you attempt to install Sterling B2B Integrator with IPv6 addresses.

Important: You must install with a host name and not an IPv6 address. Otherwise the Lightweight JDBC adapter and Graphical Process Modeler (GPM) do not work.
 

IPv6 supported combinations

The following table lists the IPv6 configuration combinations supported by Sterling B2B Integrator

Table 1. IPv6 supported combinations
Database
AIX®
Windows
Linux® (see note)
DB2®YesNoYes
MSSQLNoNoYes
OracleNoNoYes
MySQLNoNoYes
Important: Red Hat Enterprise Linux for IBM® System z® only supports DB2.
Note: IBM Consulting Services can help you implement Sterling B2B Integrator in an IPv6-compliant environment by using transition technologies. Check the IPv6 compliance of any third-party tools (such as web servers, FTP clients, and MQ servers) that you use with Sterling B2B Integrator.
 
IPv6 supported combinations with limitations

The following Sterling B2B Integrator components provide IPv6 compliance with some limitations.

Attention: The status of each component will be updated as more of IBM's technology partners offer IPv6 compliance.
Table 2. IPv6 supported combinations with limitations
Component
IPv6 compliance
Limitations
HTTP Client/Server adapterFull-
HTTP GET/POST serviceFull-
HTTP Begin/End Session adapterFull-
FTP Client/Server adapterFull-
PGP Package/Unpackage serviceFull-
Command Line Adapter 2Full-
WebSphere MQ SuiteFull-
JMS adapterPartialThe URI does not accept IPv6 addresses as characters ‘[ ]' are not allowed. However, it works with a host name.
SFTP Client/Server adapterFull-
SMTP/POP3/MIMEFull-
FSAFull-
Lightweight JDBC adapterPartialSupports an IPv6 remote host only with a DB2 and AIX combination. However, if your Sterling B2B Integrator installation is under an IPv6 address, the Lightweight JDBC adapter can still be used with any other database currently supported by the adapter by using an IPv4 remote host.
Web servicesFull-
BEA Tuxedo adapterFull-
Zengin adapterFull-
ConnectDirectFullSupports IPv6 on C:D UNIX 4.0 and C:D Windows 4.4.00
E5Full-
TIBCO adapterFull-
SNMPFull-
Transora adapterFull-
OFTPFull-
SAP Suite adapterUnsupported-
JGroupsPartialDo not use IPV6 with JGroups on AIX

The use of IPv6 addresses in an installation of Sterling B2B Integrator requires certain guidelines.

Important: Sterling B2B Integrator does not support IPv6 installation on Windows.

Consider the following IPv6 address information when you plan the installation:

  • If you use an IPv6 address, use a fully qualified address that includes square brackets around the address, and a zero (0) between colons where there are no other numbers. For example, use [fe80:0:0:0:213:72ff:fe3c:21bf] instead of fe80::213:72ff:fe3c:21bf.
  • If you are installing with an IPv6 address, comment out the host name mapping to the IPv4 address and retain the mapping to the IPv6 address in the host file in the /etc/sysconfig/networking/profiles/default/hosts directory.
  • You must install with a host name, not an IPv6 address, otherwise the Lightweight JDBC adapter and Graphical Process Modeler (GPM) do not work.
  • If you are using an Oracle database, do not use an IPv6 address for the host name.
  • If you are using an IPv6 address and are going to configure Sterling B2B Integrator as a dual stack host, after you complete the installation, you need to add the IPv6 address (as the admin_host.3 property) to the noapp.properties_platform_ifcresources_ext .in file.
 

You can install and run perimeter servers in a UNIX, Linux or Windows Server environment.

Perimeter servers can be co-resident with Sterling B2B Integrator installations or can be installed on remote servers. To take full advantage of the security features of a perimeter server, it should be installed on a different computer than where Sterling B2B Integrator is installed.

Perimeter servers are supported on the same operating system and JDK combinations as Sterling B2B Integrator. The operating system and JDK version that the perimeter server uses do not need to match the operating system and JDK version of Sterling B2B Integrator.

Refer to the JDK instructions for the operating system on which you are installing the perimeter server.

In addition, each perimeter server requires the following minimum space and memory requirements:
  • 100 MB disk space
  • 1 GB memory

For more information about perimeter servers, see Installing and configuring perimeter servers.

The SWIFTNet7 adapter communicates to the SWIFTNet Network through the SWIFTNet MEFG Servers for SWIFTNet version 7. It responds to and accepts InterAct and FileAct messages that are sent by remote SWIFTNet correspondents.

IBM AIX

If you are using the SWIFTNet7 Adapter on the IBM AIX platform, you must patch your IBM XL C/C++ runtime library to July 2009 Runtime for IBM XL C++ for AIX. Additionally, you must upgrade your AIX operating system to Version 6.1 (or higher).

If you are using SSL, you must upgrade to the latest security fix of the OpenSSL library that corresponds to the MEFG Installation version, for example OpenSSL 1.0.1p or OpenSSL 1.0.2d. It is recommended that you continue to monitor and apply the latest security fixes to the OpenSSL library to apply fixes to the OpenSSL security defects.

Windows

If you are using the SWIFTNet7 Adapter on the Windows platform, you must upgrade your Windows operating system to at least Windows Server 2008 R2 (with all security patches).

If you are using SSL, you must upgrade to the latest security fix of the OpenSSL library that corresponds to the MEFG Installation version, for example OpenSSL 1.0.1p or OpenSSL 1.0.2d. It is recommended that you continue to monitor and apply the latest security fixes to the OpenSSL library to apply fixes to the OpenSSL security defects.

Red Hat Enterprise Linux

To use the SWIFTNet7 Adapter on the Red Hat Enterprise Linux platform, you must be using Red Hat Enterprise Linux Server Release 6.1 or higher x64, 64-bit Kernel, including any patches within 6.x. Supported kernel version: 2.6.18-164.2.1.el5 or higher within version 2.x.

Install the SWIFT Remote API for Linux before installing MEFG. The SWIFT Remote API download is available from SWIFT (http://www.swift.com), and shcould be a version compatable with MEFG and SWIFTNet Link.

If you are using SSL, you must also upgrade to the latest security fix of the OpenSSL library that corresponds to the MEFG Installation version. For example OpenSSL 1.0.1p or OpenSSL 1.0.2d. We recommend that you continue to monitor and continue to apply the latest security fixes to the OpenSSL library to apply fixes to OpenSSL security defects.

Integration with WebSphere Transformation Extender (WTX) on Red Hat Enterprise Linux for IBM System z requires WebSphere Transformation Extender version 8.4.0.3.14.

 

You can choose between different security certificates before you install Sterling B2B Integrator.

Before you begin the installation, you must decide which of the following security certificates to use:
  • The default self-signed SSL (Secure Sockets Layer) certificate that is automatically generated by the installation.
  • A Certificate Authority-related certificate that you generate before you install the software.

If you install with the default SSL certificate, but you later want to switch to a CA-related certificate, you can change the certificate with the sslCert property in the noapp.properties_platform_ifcresources_ext.in file.

We are a forward-thinking technology services provider dedicated to driving innovation and transformation across industries.

  • 12926 Gran Bay Pkwy W., Suite 220,
    Jacksonville, FL 32258
  • info@pragmaedge.com
  • +1 904-999-1008
SOC 2
Nasscom
Linkedin Facebook-f X-twitter Youtube Instagram

What We Do

Industries

Products

Who We Are

Sterling Data Exchange

Thank you for submitting your details.

For more information, Download the PDF.

Get Solution Brief

Pragma Edge Universe | 2025

Thank you for registering for the conference ! Our team will confirm your registration shortly.

Invite and share the event with your colleagues 

Return to home page

IBM Partner Engagement Manager Standard

IBM Partner Engagement Manager Standard is the right solution
addressing the following business challenges

IBM Partner Engagement Manager Standard

IBM Partner Engagement Manager Standard is the right solution
addressing the following business challenges

IBM Partner Engagement Manager Standard

IBM Partner Engagement Manager Standard is the right solution
addressing the following business challenges

Pragma Edge - API Connect