Authentication process - connect_cdc_sqdata - 4.1

Connect CDC (SQData) Secure communications components

Product type
Product family
Connect > Connect CDC (SQData)
Product name
Connect CDC (SQData)
Connect CDC (SQData) Secure communications components
Topic type
How Do I
First publish date

When Connect CDC SQData components, such as an Engine needs to connect to a remote Capture, it must first connect to the Capture Controller Daemon running on the remote machine and servicing the Capture. While the authentication process is the same regardless of the type of Agent, the most common example involves an Engine client that is started and is ready to begin receiving CDC records from a Capture / Publisher Agent.

Once an Engine has been started, it initiates a connection to the remote Controller Daemon using a URL specified explicitly for the Engine. The initial connection request automatically includes the Engine's public key which is normally shared by the Engine's own local Engine Controller Daemon . This initiates a series of back and forth communications between the Daemon and the Engine to authenticate the Engine. After authenticating the Engine, the Capture Controller Daemon then looks for the Engine's public key in it’s Authorized Key List. Assuming that the Engines public key is found, it then looks for the Engine's user_id in the Access Control List to confirm that the Engine) has access rights compatible with the request to connect to a Capture Agent (in this case "Read").

Again, assuming that the Engine had sufficient rights, the Capture Control Daemon next looks for the requested Capture/Publisher Agent in the Daemon's Agent Configurations file. Finding the Capture/Publisher Agent, the socket established with the Engine is transferred to the Capture/Publisher completing the connection request. The Engine then continues communication directly with the Capture/Publisher, requesting CDC records which are passed via TCP/IP from the Capture/Publisher to the remote Engine.

The following example illustrates this process using a DB2 capture agent running on z/OS system and a Engine running on a Linux server and writing to Kafka. A minimum of two Public / Private Key pairs are required, one for the Capture Controller Daemon running on z/OS and one for the Engine running on Linux. The example includes the prerequisite key generation steps but does not include every detail of the installation and configuration of either the Capture or the Engine agents, focusing instead on those activities related to the initial connection and the subsequent initiation of CDC record processing by the Engine.


  1. Installation specific variations on this process will be found in the source specific Capture Reference manuals.
  2. The procedures for starting both the DB2 Capture and the Engine are not included in this example. Both are subject to the security protocols unique to their respective platforms. In the case of the Apply Engine, an identical authentication process involving the public / private key pair of the initiating user and the Engine Controller Daemon will take place, sometimes requiring an additional key pair for the user.