Connect CDC (SQData) provides for encryption by the Publisher using the same NaCl public / private key used for authentication and authorization. While Captures and Publishers are typically initiated by the same USER_ID as the Capture Controller Daemon, those jobs explicitly identify the public / private key pair files in JCL DD statements. Precisely recommends that a second NaCl key pair be generated for the Capture / Publisher. The Capture / Publisher will also require a second authorized key list, containing the public keys of only those Engines that subscribe to that Capture / Publisher and whose payload will be encrypted. Once the Controller Daemon passes the connection request to the Capture / Publisher, a second handshake is performed with the Engine. The CDC payload is then encrypted before being published and decrypted by the receiving Engine.
sqdconf create <cab_file_name>
[--encryption | --no-encryption]
[--auth-keys-list="<name>"]
Keyword | Description |
---|---|
<cab_file_name> | The Capture Agent configuration (CAB) file, including its path, which is first created by this command. There is only one CAB file per Capture Agent. In our example, /home/sqdata/db2cdc/db2cdc.cab |
[--encryption \| --no-encryption] | Enables or disables NaCl encryption of the published CDC record payload. Precisely recommends zIIP processors be used to enhance CPU cycle efficiency and reduce CPU cost associated with NaCl software encryption. |
[--auth-keys-list="<name>"] | Required for NaCl software encrypted CDC record payload. The file name must be enclosed in quotes, and the file must contain the public key(s) of only the subscribing Engines requiring encryption of the CDC record payload. See the --encryption option. |
Example 1
Turn on encryption
//*-----------------------------------------------
//* Turn on Encryption for DB2 Capture
//*-----------------------------------------------
//MODCONF EXEC PGM=SQDCONF
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
//SQDPARMS DD *
modify /home/sqdata/db2cdc/db2cdc.cab
--encryption
--auth-keys-list="NACL.AUTH.KEYS"
//*
Turn off encryption
//*-----------------------------------------------
//* Turn off Encryption for DB2 Capture
//*-----------------------------------------------
//MODCONF EXEC PGM=SQDCONF
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
//SQDPARMS DD *
modify /home/sqdata/db2cdc/db2cdc.cab
--no-encryption
//*
Finally, stop and restart the DB2 Capture Agent.
- Stop the DB2 Capture Agent.
- Restart the agent and include the --ziip option, as follows:
  --apply --start --ziip
  /home/sqdata/db2cdc/db2cdc.cab
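
The requirement above that the Capture / Publisher key list hold the public keys of only those Engines subscribing with encryption can be checked before the modify job is run. The following Python check is an added example, not part of Connect CDC or its documentation; the one-entry-per-line `<public-key> <label>` layout, the function names and the sample keys are assumptions made for illustration.

```python
# Added example: least-privilege audit of a Capture / Publisher authorized key list.
# ASSUMPTION: one entry per line, "<public-key> <label>", '#' starts a comment.
# The real key list layout is not shown on this page; adapt parse_key_list() to it.

def parse_key_list(text):
    """Return (entries, duplicates); entries maps public key -> label."""
    entries, duplicates = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue  # blank line or comment
        key = parts[0]
        label = parts[1].strip() if len(parts) > 1 else f"line {lineno}"
        if key in entries:
            duplicates.append(label)
        else:
            entries[key] = label
    return entries, duplicates


def audit_key_list(key_list_text, encrypted_subscribers):
    """encrypted_subscribers: public key -> Engine name, the intended set."""
    entries, duplicates = parse_key_list(key_list_text)
    present, expected = set(entries), set(encrypted_subscribers)
    return {
        # Keys in the list that belong to no intended subscriber.
        "unexpected": sorted(entries[k] for k in present - expected),
        # Intended subscribers whose key is absent from the list.
        "missing": sorted(encrypted_subscribers[k] for k in expected - present),
        "duplicates": sorted(duplicates),
        "ok": present == expected and not duplicates,
    }


# Constructed sample data: placeholder strings, not real NaCl keys.
SAMPLE_KEY_LIST = """\
# Engines subscribing to the DB2 capture with encryption
PUBKEY-ENGINE-A engine_a@host1
PUBKEY-ENGINE-B engine_b@host2
PUBKEY-OLD-TEST test_engine@lab
PUBKEY-ENGINE-A engine_a_copy@host1
"""
EXPECTED = {"PUBKEY-ENGINE-A": "engine_a", "PUBKEY-ENGINE-B": "engine_b",
            "PUBKEY-ENGINE-C": "engine_c"}

if __name__ == "__main__":
    for finding, value in audit_key_list(SAMPLE_KEY_LIST, EXPECTED).items():
        print(f"{finding}: {value}")
```

Any entry reported under `unexpected` is a key that should be removed from the list before encryption is enabled.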