Add a DMZ node

Use the procedures in this topic to:

  1. Generate Secure Relay certificates
  2. Generate a DMZ node package
  3. Export and install the node package to a computer in the DMZ

Before adding the first or subsequent DMZ nodes, determine whether you want nodes to be organized in zones. Zones are a way to have messages sent to partners via specific DMZ nodes. Review Add DMZ zones and then return to this procedure.

In addition to adding a no

License support

Your Interchange license must enable DMZ node configuration.

AIX installation restriction

When the Secure Relay master agent (embedded in the Interchange system) is installed on AIX, the router agent must also be installed on AIX.

JRE version

The Secure Relay router node requires JRE 8 (or later) on the machine where the node is installed.

AIX Java version limitation:

For AIX platforms, to enable the use of GCM ciphers for transfers, you must use a version of Java 1.8 newer than 8 SR1 8.0.1.0 (Build level "20150302"). With older versions, transfers fail with an "engineUpdate not supported for AES/GCM" error message.

JCE policy file requirement

Ensure that the latest unlimited strength JCE policy files are installed in the lib/security directory of the JVM on your DMZ machine.

B2Bi supports the following JVM implementations for DMZ nodes:

  • Windows/Solaris/Linux – Sun
  • AIX – IBM
  • HP-UX – HP

You can obtain unlimited strength JCE policy files from the following web sites:

Remove previously installed nodes

If you have already installed DMZ nodes and want to replace them or to use new certificates that you generate for them, you must delete the existing nodes, add new nodes, and re-export the new DMZ nodes to all DMZ machines.

Step 1: Generate the certificates

Before you create a node, you must generate the set of keys, certificates and internal password used for mutual authentication between the master agent and the router agents. To do this:

  1. Go to the System management page.
  2. Select the DMZ nodes tab.
  3. Click Generate DMZ certificates to open the Generate DMZ certificates page.
  4. Enter a Certificates password. This password protects the p12 files that contain the private keys used by DMZ node components for mutual authentication.
  5. Enter an Encryption password. This password is used to generate an encryption key that protects the Certificates password.
  6. The Encryption password must:
      • Be at least eight characters long
      • Contain upper and lower case characters
      • Contain at least one numeric character
      • Contain at least one of the special characters: @ # $ %
  7. Click Generate.

The generated certificate and password files are stored in <B2Bi_shared_directory>\common\conf\certs. These files are used by Interchange to create the DMZ node export archives in the next procedure.

Step 2: Add a node

  1. On the DMZ nodes tab, click Add a node to open the Configure Secure Relay router page.
  2. Complete the fields on the Configure Secure Relay router page:
    • Host – Enter the IP address or fully-qualified domain name of the computer in the DMZ where the node is to be deployed.
      DMZ computers often have two network interfaces with separate IP addresses, one for internal connections and one for external connections. Since this value is used by Interchange in the protected network to connect to the DMZ node, you must specify the internal host interface. You cannot use 0.0.0.0. For external connections, see the "External host interface" field below.
    • Port – Enter the port number on the internal host interface where the DMZ node listens for administrative connections from Interchange. The firewall must not allow external connections to this port.
    • External host interface – For proxied outbound active FTP, enter the external IP address to be returned by the client in response to server requests for active data connections.
    • Control port – Enter the port number used by scripts in the Secure Relay xsr/bin directory on the DMZ computer, to query or stop the router. (Listens only on localhost in the DMZ.)
    • Zone – If you intend to associate the node with a DMZ zone, select the zone. If the zone you want does not display, cancel adding the node and add the zone on the DMZ zones tab. This field displays only if one or more zones have been added on the DMZ zones tab. Selecting a zone is optional. For information about zones see Add DMZ zones.
    • Data port (min) / Data port (max) – Enter the port range for data connections in the respective minimum and maximum fields. Only as many ports as there are Interchange nodes are actually used. A range of at least 9 is suggested. The range of ports must be reserved for use by the Secure Relay router agent. The firewall must not allow external connections to these ports. For these fields, count the control node as well as all processing nodes.
      You can specify a port range smaller than 9, but the larger range may avoid future issues. For example, if a user runs two processing nodes and later decides to add two more, Secure Relay can handle the increase automatically. However, if a narrower range had been specified, adding more nodes may require redeploying DMZ nodes to account for the ports used by the added processing nodes, because the deployed DMZ nodes would not support the additional ports.
    • Number of data connections – Specify the number of connections each Interchange node is to make to its assigned data port on the DMZ node. Normally, this should be 1 since information from multiple conversations is multiplexed over a single connection. In some cases performance may improve if you increase this to match the number of CPUs in the DMZ computer.
  3. Click Add.
  4. B2Bi generates the node archive package.
  5. The DMZ nodes tab on the System management page lists the node you just added. The node has a status of Connecting. There are several tasks yet to perform to get the node running. To view more about the new node, click the host name to open a details page.
  Figure: Example of the DMZ nodes tab on the System management page.
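As an added example (not code from Axway B2Bi, Interchange or Secure Relay), the following Python check applies the rules stated in Step 1 and Step 2 before a node is added: the Encryption password policy, the internal host interface (never 0.0.0.0), and a data port range sized for the control node plus all processing nodes with no collision with the administrative or control port. The host, port numbers and node counts used in it are constructed sample values, not values from the page.

```python
# Added example: pre-deployment sanity checks for the DMZ node values
# entered in "Generate the certificates" (Step 1) and "Add a node" (Step 2).
import ipaddress
import re

SPECIALS = "@#$%"  # the special characters the Encryption password may use


def check_encryption_password(pw: str) -> list:
    """Return the Step 1 rules that the Encryption password violates."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        problems.append("needs both upper and lower case characters")
    if not re.search(r"[0-9]", pw):
        problems.append("needs at least one numeric character")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs one of the special characters @ # $ %")
    return problems


def check_node(host, port, control_port, data_min, data_max, processing_nodes) -> list:
    """Return problems with the Step 2 fields.

    processing_nodes is the number of Interchange processing nodes; the
    control node is added to it, as the Data port fields instruct.
    """
    problems = []
    try:  # the internal host interface must be a real address, not the wildcard
        if ipaddress.ip_address(host).is_unspecified:
            problems.append("host must not be 0.0.0.0")
    except ValueError:
        pass  # a fully-qualified domain name is acceptable
    interchange_nodes = processing_nodes + 1  # control node + processing nodes
    range_size = data_max - data_min + 1
    if data_max < data_min:
        problems.append("data port max is below data port min")
    elif range_size < interchange_nodes:
        problems.append(f"data port range ({range_size}) is smaller than the "
                        f"{interchange_nodes} Interchange nodes that need a port")
    elif range_size < 9:
        problems.append("data port range is below the suggested minimum of 9")
    for name, p in (("port", port), ("control port", control_port)):
        if data_min <= p <= data_max:  # admin/control ports must not reuse data ports
            problems.append(f"{name} {p} lies inside the data port range")
    if port == control_port:
        problems.append("port and control port are the same")
    return problems


def export_archive_name(host, port) -> str:
    """Name of the archive written by Export... on the DMZ nodes tab (Step 3)."""
    return f"dmzNode.xsr.{host}_{port}.zip"
```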

Step 3: Export the node

After adding a node, export the node file to a directory.

  1. On the DMZ nodes tab, click Export... to save the node archive to a directory. The file is named dmzNode.xsr.<internal host interface>_<internal port>.zip.
  2. Give the file to your DMZ or network administrator. In most cases, only the administrator is authorized to work with computers in the DMZ.
  3. The DMZ node certificate archive is included in the exported zip file, along with instructions for your administrator. On Windows, the DMZ node can be run as a service. See Run node as Windows service.
  4. Once the administrator has completed the configuration and started the node, go back to the System management page. If the node is working, the node’s status should have changed to Running.
  5. Later, if the Secure Relay node in the DMZ is stopped, the DMZ nodes tab on the System management page displays a status of Connecting -- Start DMZ node. You need to restart the node to return it to a status of Running.
