Capture / Publisher Agents may not require any security related activities to be performed. In part that is because connections to the Capture / Publisher are made through the Controller Daemon which has responsibility for authentication of the process requesting the connection. For systems that are remote from each other encryption of the CDC Data may be required.
Precisely highly recommends the use of VPN or SSH Tunnel connections between such systems both to simplify their administration and because the CPU intensive encryption task can be performed by dedicated network hardware.
If as in this example the Change Data Capture components are running on zOS, Transport Layer Security (TLS) is transparently supported between zOS and Engines on Linux.
In the event that encryption is required and a VPN or SSH Tunnel and TLS cannot be used, the Publisher can be configured to perform NaCl Payload Encryption. That will require a second authorized Key List containing the public keys for only those Engines subscribing to that Capture / Publisher and whose payload will be encrypted. Once the Controller Daemon passes the connection request to the Capture / Publisher a second handshake will be performed with the Engine and the CDC payload will be encrypted before being published and decrypted by the receiving Engine.