Enabling encryption channel between IBM AD Analyze Client and IBM AD ZooKeeper

Before you begin:

  • Make sure that a Java™ Runtime Environment is installed on your machine and that the JAVA_HOME variable is defined in the Environment variables. For more information, see the Java Runtime Environment section.
  • You can use any keytool utility that is provided with the JDK on both Linux™ and Windows™ to generate self-signed certificates. In this scenario, the OpenSSL tool from Cygwin is used to generate a self-signed key certificate for IBM AD Analyze Client.
    Note: If you don't want to use a self-signed certificate, make sure that a certificate authority (CA) issues a signed certificate.

In earlier versions, the communication between IBM AD Analyze Client and IBM AD ZooKeeper is an unencrypted socket session. Beginning with version IBM AD V6.0.0 interim fix 1, you can configure IBM AD Analyze Client to enable a Transport Layer Security (TLS) connection.

The TLS protocol is a client/server cryptographic protocol. It is based on the earlier Secure Sockets Layer (SSL) specifications that were developed by Netscape Corporation for securing communications that use Transmission Control Protocol/Internet Protocol (TCP/IP) sockets. The TLS and SSL protocols are designed to run at the application level. Therefore, typically, an application must be designed and coded to use TLS/SSL protection.

By default, the IBM AD Analyze Client runs in non-authenticated mode. To configure IBM AD Analyze Client with TLS support, you need to perform the following steps:
  1. Make sure that IBM AD ZooKeeper is set up in mixed mode. For more information, see the Securing Apache ZooKeeper SSL connections section.
  2. Edit the eclipse.ini configuration file and add the following lines, in the -vmargs section. Avoid blank lines in the -vmargs section. Example:
    -Dzookeeper.client.secure=true
    -Dzookeeper.ssl.keyStore.location=C:\Certificates\keystore.jks
    -Dzookeeper.ssl.keyStore.password=password
    -Dzookeeper.ssl.trustStore.location=C:\Certificates\trustore.jks
    -Dzookeeper.ssl.trustStore.password=password
    
    Important:

    Make sure that the keystore.jks and trustore.jks files are physically present on the machine where IBM® AD Analyze Client is installed and configured. You may use the keystore.jks and trustore.jks files that were generated for IBM AD ZooKeeper if both IBM AD Analyze Client and IBM AD ZooKeeper are installed on the same machine. For more information, see Generate a self-signed key certificate for IBM AD ZooKeeper.

    Where:
    • -Dzookeeper.client.secure - set to true to enable TLS connection.
    • -Dzookeeper.ssl.keyStore.location - expects the location on disk where the keystore was stored.
    • -Dzookeeper.ssl.keyStore.password - expects the keystore's password.
    • -Dzookeeper.ssl.trustStore.location - expects the location on disk where the truststore was stored.
    • -Dzookeeper.ssl.trustStore.password - expects the truststore's password.
  3. Start IBM AD Analyze Client.
  4. Go to IBM AD Analyze Client and select Window > Preferences > Application Discovery > Environment settings and enter the following information:
    • Host - type the hostname or the IP address of the machine where IBM AD ZooKeeper is installed.
    • Port - type 2281, the port number that IBM AD ZooKeeper uses to communicate over TLS.
    • Unique id - type the unique id assigned by IBM AD Configuration Server to the current environment.
    • Name - type the name of current environment, as defined in IBM AD Configuration Server.
  5. Click Apply and Close and restart IBM AD Analyze Client.
  6. When IBM AD Analyze Client starts, the list of the mainframe projects is empty. To have the list of mainframe projects available, it is necessary to use the Get project list contextual-menu option by right-clicking in the Explore projects view.
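
A pre-start check for the step 2 settings, added here as an example (it is not IBM code): it parses the text of eclipse.ini and reports missing options, blank lines after -vmargs, invisible characters pasted along with an option, and keystore or truststore paths that do not exist. The function name `check_eclipse_ini` and the sample file content are assumptions made for the illustration.

```python
import os

# The five options the page adds to the -vmargs section of eclipse.ini.
REQUIRED = (
    "zookeeper.client.secure",
    "zookeeper.ssl.keyStore.location",
    "zookeeper.ssl.keyStore.password",
    "zookeeper.ssl.trustStore.location",
    "zookeeper.ssl.trustStore.password",
)
ZERO_WIDTH = "\u200b\u200c\u200d\ufeff"  # invisible characters that can ride along on copy/paste


def check_eclipse_ini(text, file_exists=os.path.isfile):
    """Return a list of problems in the -vmargs section of an eclipse.ini text."""
    lines = [line.strip() for line in text.splitlines()]
    if "-vmargs" not in lines:
        return ["no -vmargs section"]
    start = lines.index("-vmargs") + 1
    problems, props = [], {}
    for num, line in enumerate(lines[start:], start + 1):  # num = 1-based file line
        if not line:
            problems.append(f"line {num}: blank line after -vmargs")
            continue
        if any(ch in ZERO_WIDTH for ch in line):
            problems.append(f"line {num}: invisible character in option")
            line = "".join(ch for ch in line if ch not in ZERO_WIDTH)
        if line.startswith("-D") and "=" in line:
            key, value = line[2:].split("=", 1)
            props[key] = value
    problems += [f"missing -D{key}" for key in REQUIRED if key not in props]
    if props.get(REQUIRED[0], "true") != "true":
        problems.append("zookeeper.client.secure is not set to true")
    for key in (REQUIRED[1], REQUIRED[3]):  # the two store locations
        if key in props and not file_exists(props[key]):
            problems.append(f"{key}: file not found: {props[key]}")
    return problems

# Constructed sample: zero-width space on line 3, blank line 5, no trustStore password.
SAMPLE = (
    "-startup\n-vmargs\n"
    "\u200b-Dzookeeper.client.secure=true\n"
    "-Dzookeeper.ssl.keyStore.location=C:\\Certificates\\keystore.jks\n"
    "\n"
    "-Dzookeeper.ssl.keyStore.password=example-only\n"
    "-Dzookeeper.ssl.trustStore.location=C:\\Certificates\\trustore.jks\n"
)

if __name__ == "__main__":
    print("\n".join(check_eclipse_ini(SAMPLE)))
```

Both password options are stored in eclipse.ini as plain text, so keep read access to that file limited to the account that runs IBM AD Analyze Client.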