Implement model authentication and encryption - Connect CDC

AWS Mainframe Modernization - Data Replication for IBM i

Product type: Software
Portfolio: Integrate
Product family: Connect
Product: AWS Mainframe Modernization > AWS Mainframe Modernization Service
Version: Latest
Language: English
Product name: AWS Mainframe Modernization
Title: AWS Mainframe Modernization - Data Replication for IBM i
Copyright: 2024
First publish date: 2003
Last updated: 2024-02-01
Published on: 2024-02-01T23:02:31.099696

Connect CDC uses Secure Sockets Layer (SSL) Java classes for encrypted communications between the Listener and the other Connect CDC components (i.e., MonCon, Director, and Console). The protocols used are compliant with Transport Layer Security (TLS) 1.2, and mutual TLS (mTLS) is used for mutual authentication. Each customer can generate their own public/private key pair along with a self-signed certificate. The steps to generate a self-signed certificate and enable TLS are described below.

Generate a self-signed certificate

A utility file named configuretls.cmd is provided in the kernel folder of the Connect CDC installation to facilitate the creation of the self-signed certificate and to configure Connect CDC to run in secured mode. An example of running this utility and its output is shown below.
C:\PreciselyConnect\ConnectCDCV58>kernel\configuretls.cmd
Creating certificate file C:\Users\Administrator\.cdc\certs\connect-cdc-keystore.p12...
Exporting certificate C:\Users\Administrator\.cdc\certs\connect-cdc.crt from Keystore file: C:\Users\Administrator\.cdc\certs\connect-cdc-keystore.p12
Importing certificate C:\Users\Administrator\.cdc\certs\connect-cdc.crt into Trustore file: C:\Users\Administrator\.cdc\certs\connect-cdc-trustore.p12 with alias connect-cdc
Certificate generation complete.
Enabling TLS configuration...
Updating file: C:\PreciselyConnect\ConnectCDCV58\kernel/wrapper.conf
Updating file: C:\PreciselyConnect\ConnectCDCV58\director/omnient.ini
Updating file: C:\PreciselyConnect\ConnectCDCV58\kernel/startmoncon.cmd
Updating file: C:\PreciselyConnect\ConnectCDCV58\kernel/startconsole.cmd
Updating file: C:\PreciselyConnect\ConnectCDCV58\kernel/startlistener.cmd

By default, this utility creates a keystore and a truststore PKCS12 file in the $HOME/.cdc/certs folder, along with a .crt file that stores the certificate. A certs.json file that contains the keystore and truststore passwords is also created. Following the certificate creation, the configuration files listed in the example output are updated to configure Connect CDC to run in secured mode.

Configure TLS manually

To manually configure TLS for Connect CDC:
  1. Use keytool to generate a self-signed certificate. For example,
    keytool -genkeypair -alias connect-cdc -keyalg RSA -keysize ${KEY_SIZE} -storetype ${STORE_TYPE} -keystore ${KEYSTORE_FILE} -validity <num_days> -storepass "${KEYSTORE_PASSWORD}" ${KEYPWD_OPTION} -dname "CN=CommonName, OU=OrganizationalUnit, O=Organization, L=Locality, ST=StateOrProvinceName, C=CountryName"
  2. Export the certificate. For example,
    keytool -export -alias connect-cdc -file connect-cdc.crt -keystore ${KEYSTORE_FILE} -storepass "${KEYSTORE_PASSWORD}" -storetype ${STORE_TYPE}
  3. Import the certificate into a truststore so that it is trusted. For example,
    keytool -import -alias connect-cdc-trust -file connect-cdc.crt -keystore ${TRUSTSTORE_FILE} -storepass "${TRUSTSTORE_PASSWORD}" ${KEYPWD_OPTION} -storetype ${STORE_TYPE} -noprompt
    Note: The keystore and truststore can be the same file or different files.
  4. Configure the kernel/wrapper.conf file and add these properties:
    wrapper.java.additional.4=-Dwrapper-debug=false
    wrapper.java.additional.5=-Dconfiguration.file=../conf/cdc_connect.properties
  5. Adjust director/omnient.ini and add this property:
    SelfSignedCertificate=C:\Users\Administrator\.cdc\certs\certs.json
  6. Adjust the following files:
    kernel/startmoncon.cmd
    kernel/startconsole.cmd
    kernel/startlistener.cmd
    Add these properties to each of them:
    -Dconnect.cdc.tls.config_file="C:\Users\Administrator\.cdc\certs\certs.json" -Dssle
  7. Create the certs.json file with the following content:
    {
      "connectTLS": {
        "certificateInfo": {
          "keyStoreType": "PKCS12",
          "keyStorePassword": "g/+sbUmgwitP7EOa",
          "keyCertificateAlias": "connect-cdc",
          "keyStoreFile": "C:/Users/gfostine/.cdc/certs/connect-cdc-keystore.p12",
          "trustStoreType": "PKCS12",
          "trustStorePassword": "858jnCbq5b1v8BPE",
          "trustStoreFile": "C:/Users/gfostine/.cdc/certs/connect-cdc-trustore.p12"
        }
      }
    }
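As an added example (not part of the Connect CDC product or this documentation), the following Python check validates a certs.json against the keys listed in step 7 and confirms that omnient.ini and the start scripts all name the same TLS JSON file. The sample inputs are constructed with placeholder passwords; the cert.json/certs.json mismatch it flags is the kind of inconsistency that leaves one component without the TLS settings the others use.

```python
import json
import re

# Constructed sample certs.json in the shape documented above (placeholder passwords, not real values).
SAMPLE_CERTS_JSON = """{
  "connectTLS": {
    "certificateInfo": {
      "keyStoreType": "PKCS12",
      "keyStorePassword": "placeholder-keystore-password",
      "keyCertificateAlias": "connect-cdc",
      "keyStoreFile": "C:/Users/Administrator/.cdc/certs/connect-cdc-keystore.p12",
      "trustStoreType": "PKCS12",
      "trustStorePassword": "placeholder-truststore-password",
      "trustStoreFile": "C:/Users/Administrator/.cdc/certs/connect-cdc-trustore.p12"
    }
  }
}"""

# Constructed excerpts of the config files that must all point at the same TLS JSON file.
SAMPLE_CONFIGS = {
    "director/omnient.ini": r"SelfSignedCertificate=C:\Users\Administrator\.cdc\certs\cert.json",
    "kernel/startlistener.cmd": r'-Dconnect.cdc.tls.config_file="C:\Users\Administrator\.cdc\certs\certs.json"',
}

REQUIRED_KEYS = ("keyStoreType", "keyStorePassword", "keyCertificateAlias", "keyStoreFile",
                 "trustStoreType", "trustStorePassword", "trustStoreFile")
CONFIG_REF = re.compile(r'(?:SelfSignedCertificate=|tls\.config_file=)"?([^"\s]+\.json)')


def check_tls_config(certs_json: str, configs: dict) -> list:
    """Return findings about an inconsistent Connect CDC TLS setup; an empty list means consistent."""
    findings = []
    info = json.loads(certs_json).get("connectTLS", {}).get("certificateInfo", {})
    for key in REQUIRED_KEYS:
        if not info.get(key):
            findings.append(f"certs.json: missing or empty '{key}'")
    for store in ("keyStore", "trustStore"):
        if info.get(f"{store}Type") and info[f"{store}Type"] != "PKCS12":
            findings.append(f"certs.json: {store}Type is {info[store + 'Type']}, expected PKCS12")
    # Each component reads the file its own config names; a cert.json/certs.json mismatch means
    # one component starts without the TLS settings the others use.
    referenced = set()
    for name, text in configs.items():
        match = CONFIG_REF.search(text)
        if not match:
            findings.append(f"{name}: no TLS config file reference found")
            continue
        referenced.add(match.group(1).replace("\\", "/").rsplit("/", 1)[-1])
    if len(referenced) > 1:
        findings.append(f"config files disagree on the TLS JSON file name: {sorted(referenced)}")
    return findings
```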

To set the security and encryption option for the model in Connect CDC Director, from the context menu of the model, go to Model Properties and click the XML/Encryption tab.

Similarly, to set options for a host that differ from the model defaults, go to the Host Properties tab from the context menu of the host. The tab provides the same options, with the addition of a "model default" option.

The Host Properties must specify encryption if encryption was used to start the Connect CDC Listener during installation. If the settings do not match, connections are refused: encrypted model connections to a non-encrypted Listener fail, and vice versa.

Note: Encryption automatically includes authentication.

The monitoring and control tools use whatever the model properties option is for security. For example, if the model has authentication and not encryption specified, then Connect CDC MonCon has the same security options enabled.

Encryption for the Connect CDC Listener is set up during installation. To change the Listener's security options after installation is complete, re-install.

If problems occur with SSL, check the following:

  • Installation should have placed the certificate file omnicert in both the /kernel and /director directories. The file must reside in both locations for authentication to succeed.

  • The classpath set in omnient.ini must point to the correct location of these files: omni.jar, jsse.jar, jnet.jar, and jcert.jar.