NaCL payload encryption - connect_cdc_sqdata - 4.1

Connect CDC (SQData) Secure communications components

If Connect CDC SQData has been tasked with encrypting the CDC payload, a second list, the Authorized Engine Key List, is required. Although similar in purpose and function to the Authorized Key List used by the Controller Daemon, it should not be the same physical file: a given SQDaemon may service connections to multiple Publishers and also accept "inventory" and "display" requests from non-Engine users, all of whose public keys belong in the Daemon's list. The Engine Key List must contain only the public keys of the Engine Agents that subscribe to a specific Publisher; the Publisher uses each such Engine's public key to encrypt the CDC payload before it is published.

Sample Authorized Engine Key List - NACL.AUTH.ENGINE.KEYS
YO1rxrBqeaROEaNj176165MGoB4MgxGXN0m8BvpDCBs= sqduser@hostname

Captures and Publishers are typically started under the same USER_ID as the Capture Controller Daemon, but those processes explicitly identify their public / private key pair files, either in z/OS JCL DD statements or in configuration file references. When performing NaCL Payload Encryption, the Publisher dynamically generates a random key pair for a second handshake with the subscribing Engine. The Capture / Publisher also requires a second Authorized Key List containing the public keys of only those Engines that subscribe to that Capture / Publisher and whose payload is to be encrypted. Once the Controller Daemon passes the connection request to the Capture / Publisher, the second handshake is performed with the Engine, and the CDC payload is encrypted before being published and is decrypted by the receiving Engine.
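Before enabling payload encryption it is worth confirming that the Authorized Engine Key List is well formed and is a proper subset of the Controller Daemon's Authorized Key List rather than a copy of it. The following check is an added example written for this page, not Connect CDC SQData code. It assumes the one-entry-per-line format shown above (a base64-encoded 32-byte public key, whitespace, then a comment such as sqduser@hostname), that blank lines and lines starting with '#' may be skipped, and it uses the page's sample key plus a constructed placeholder key for a non-Engine user.

```python
"""Sanity-check an Authorized Engine Key List before enabling --encryption.

Added example, not Connect CDC SQData code. It assumes the one-entry-per-line
format shown on this page: a base64-encoded 32-byte Curve25519 public key,
whitespace, then a free-text comment (sqduser@hostname). Blank lines and
lines starting with '#' are treated as comments; that is an assumption, not
documented behaviour.
"""
import base64
import binascii

KEY_BYTES = 32  # a NaCl crypto_box (Curve25519) public key is 32 bytes


def parse_key_list(text):
    """Return {public_key_bytes: comment} for every entry in a key-list file.

    Raises ValueError naming the line on bad base64, wrong key length or a
    key listed twice, so a typo is caught here rather than as a failed
    handshake at run time.
    """
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        b64 = fields[0]
        comment = fields[1].strip() if len(fields) > 1 else ""
        try:
            key = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"line {lineno}: key is not valid base64 ({exc})") from None
        if len(key) != KEY_BYTES:
            raise ValueError(f"line {lineno}: key decodes to {len(key)} bytes, expected {KEY_BYTES}")
        if key in keys:
            raise ValueError(f"line {lineno}: duplicate key, already listed for {keys[key]!r}")
        keys[key] = comment
    return keys


def check_engine_list(engine_text, daemon_text):
    """Compare the Engine Key List with the Controller Daemon's Authorized Key List.

    Returns a list of findings; an empty list means the engine list is a
    non-empty strict subset of the daemon list, which is what the page asks for.
    """
    engine = parse_key_list(engine_text)
    daemon = parse_key_list(daemon_text)
    findings = []
    if not engine:
        findings.append("engine list is empty: no subscribing Engine could decrypt the payload")
    elif set(engine) == set(daemon):
        findings.append("engine list is identical to the daemon list: it must hold only "
                        "the subscribing Engines, not inventory/display users")
    for key, comment in engine.items():
        if key not in daemon:
            # Assumption: the Daemon hands a connection to the Publisher only after
            # its own handshake succeeds, so an Engine missing from the Daemon's
            # list never reaches the second (payload-encryption) handshake.
            findings.append(f"{comment or base64.b64encode(key).decode()}: in engine list "
                            "but not authorized by the Controller Daemon")
    return findings


# Constructed sample lists. The first entry is the page's sample key; the
# second is a placeholder 32-byte value, not a real user key.
ENGINE_KEY = "YO1rxrBqeaROEaNj176165MGoB4MgxGXN0m8BvpDCBs= sqduser@hostname"
OTHER_KEY = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8= inventory@hostname"

DAEMON_KEYS = ENGINE_KEY + "\n" + OTHER_KEY + "\n"   # Controller Daemon list (Engines and other users)
ENGINE_KEYS = ENGINE_KEY + "\n"                        # NACL.AUTH.ENGINE.KEYS (Engines only)

if __name__ == "__main__":
    for finding in check_engine_list(ENGINE_KEYS, DAEMON_KEYS) or ["engine key list OK"]:
        print(finding)
    # A copy of the daemon list used as the engine list is flagged:
    for finding in check_engine_list(DAEMON_KEYS, DAEMON_KEYS):
        print(finding)
```

Run it against the two real files by reading their contents into engine_text and daemon_text; the length and duplicate checks apply equally to the Daemon's own list.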

NaCL Payload Encryption is enabled in the Capture / Publisher configuration file.

sqdconf create <cab_file_name>
[--encryption | --no-encryption]
[--auth-keys-list="<name>"]

Keyword and Parameter Descriptions

<cab_file_name>
The Capture Agent configuration file (CAB file), including its path, is first created here. There is only one CAB file per Capture Agent. In our example /home/sqdata/db2cdc/

[--encryption | --no-encryption]
Enables or disables NaCL encryption of the published CDC record payload. On z/OS, Precisely recommends that zIIP processors be used to improve CPU cycle efficiency and reduce the CPU cost of NaCL software encryption and LogStream I/O.

[--auth-keys-list="<name>"]
Required when the CDC record payload is encrypted. The file name must be enclosed in quotes, and the file must contain the public keys of only the subscribing Engines that require encryption of the CDC record payload. See the --encryption option.