Setting up IBM AD ZooKeeper to run in Mixed Mode
Before you begin:
- Make sure that a Java™ Runtime Environment is installed on your machine and that the JAVA_HOME variable is defined in the Environment variables. For more information, see the Java Runtime Environment section.
- You can use any keytool utility that is provided with the JDK on both Linux™ and Windows™ to generate self-signed certificates. In this scenario, the OpenSSL tool from Cygwin is used to generate a self-signed key certificate for IBM AD Build Client.
Note: In case you don't want to use a self-signed certificate, make sure that a certificate authority (CA) issues a signed certificate.
By manually enabling the IBM AD ZooKeeper instance to run in mixed mode, the server responds to both types of requests:
- Requests that arrive on a non-authenticated channel.
- Requests that arrive on an encrypted (TLS) channel.
The TLS protocol is a client/server cryptographic protocol. It is based on the earlier Secure Sockets Layer (SSL) specifications developed by Netscape Corporation for securing communications that use Transmission Control Protocol/Internet Protocol (TCP/IP) sockets. The TLS and SSL protocols are designed to run at the application level. Therefore, an application must be designed and coded to use TLS/SSL protection.
For more information, see the Communication using the Netty framework section of ZooKeeper Administrator's Guide.
The IBM AD ZooKeeper server must be configured to listen on two separate ports. The default ports are:
- 2181 - non-authenticated mode.
- 2281 - authenticated mode (TLS enabled).
By default, the IBM AD ZooKeeper server is installed by the IBM Application Discovery application and runs in non-authenticated mode. To configure IBM AD ZooKeeper as a server with TLS support, you need to perform the following two major steps:
Generate a self-signed key certificate for IBM AD ZooKeeper
Important: Each server must have a keystore containing a key certificate (private key + public certificate). As mentioned before, the key certificate can be self-signed or signed by a certificate authority (CA).
- At your convenience, use any tool to generate the certificates in a dedicated location. For example, C:\certificates.
- Use the Java™ keytool utility with the following input to generate a private and public key pair:
keytool -genkeypair -alias "<machine name/IP>" -keyalg RSA -keysize 2048 -dname "cn=<machine name/IP>" -keypass password -keystore keystore.jks -storepass password
Note: The alias (-alias) and the distinguished name (-dname) must match the hostname of the machine that they are associated with, or hostname verification fails. The generated key is in the specified keystore.
- Export the certificate.
keytool -exportcert -alias "<machine name/IP>" -keystore "keystore.jks" -file "adzk.cer" -storepass "password"
- Create the SSL truststore JKS containing the certificates of all ZooKeeper instances.
keytool -importcert -alias "<machine name/IP>" -file adzk.cer -keystore truststore.jks -storepass password
Note: Choose Yes when you are asked about trusting this certificate.
- Check the folder where the certificates were created. Both the keystore and the truststore files should be there.
Activate the IBM AD ZooKeeper Server to use the generated certificates
- Access IBM® Application Discovery Configuration Service from , go to the Dashboard tab, click the menu button of Configuration Server, and select Stop Service.
- Go to the <IBM ADDI Installation Folder>\IBM Application Discovery Configuration Service\conf folder, open the zoo.cfg file by using a text editor, then uncomment and enter the desired values for the following parameters.
Example:
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=c:\\certificates\\keystore.jks
ssl.keyStore.password=password
ssl.trustStore.location=c:\\certificates\\truststore.jks
ssl.trustStore.password=password
Where:
- secureClientPort - expects the port on which the secure channel communicates.
- serverCnxnFactory - for a successful authentication with TLS, do not modify the value of this parameter.
- ssl.keyStore.location - expects the location on disk where the keystore was stored.
- ssl.keyStore.password - expects the keystore's password.
- ssl.trustStore.location - expects the location on disk where the truststore was stored.
- ssl.trustStore.password - expects the truststore's password.
- Once the IBM AD Configuration Server is configured to run in mixed mode, make sure to block incoming traffic to port 2181 on the firewall. For more information, see Block the incoming traffic for the non-authenticated port of IBM AD Zookeeper.
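To check the edited zoo.cfg against the settings listed above before starting the service again, here is an added Python example (not part of the IBM product or its documentation). It assumes zoo.cfg is read as a Java properties file, so a doubled backslash in the file stands for one backslash in the path, and it reports the non-authenticated port that is still open in mixed mode so the firewall step is not forgotten.

```python
import os
from typing import Callable, Dict, List

NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
REQUIRED = ("secureClientPort", "serverCnxnFactory", "ssl.keyStore.location",
            "ssl.keyStore.password", "ssl.trustStore.location", "ssl.trustStore.password")

# Constructed sample mirroring the zoo.cfg example above (not a real deployment).
SAMPLE_CFG = r"""
clientPort=2181
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=c:\\certificates\\keystore.jks
ssl.keyStore.password=password
ssl.trustStore.location=c:\\certificates\\truststore.jks
ssl.trustStore.password=password
"""

def parse_zoo_cfg(text: str) -> Dict[str, str]:
    # zoo.cfg is loaded as a Java properties file (assumption stated in the lead-in),
    # so a doubled backslash in the file is one literal backslash in the value.
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank or comment; a commented-out parameter stays unset
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props

def check_mixed_mode(props: Dict[str, str],
                     file_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return findings; an empty list means TLS only, one 'mixed mode' note means both ports."""
    findings = [f"missing or still commented out: {k}" for k in REQUIRED if k not in props]
    if findings:
        return findings
    if not props["secureClientPort"].isdigit():
        findings.append("secureClientPort is not a port number")
    elif props["secureClientPort"] == props.get("clientPort"):
        findings.append("secureClientPort must differ from the non-authenticated clientPort")
    if props["serverCnxnFactory"] != NETTY_FACTORY:
        findings.append("serverCnxnFactory must remain " + NETTY_FACTORY)
    for key in ("ssl.keyStore.location", "ssl.trustStore.location"):
        if not file_exists(props[key]):
            findings.append(f"{key} not found on disk: {props[key]}")
    if "clientPort" in props:  # both ports are served: this is the mixed mode described above
        findings.append(f"mixed mode: block incoming traffic to port {props['clientPort']} at the firewall")
    return findings

if __name__ == "__main__":
    for finding in check_mixed_mode(parse_zoo_cfg(SAMPLE_CFG), file_exists=lambda p: True):
        print(finding)
```

Run it against the real file with `check_mixed_mode(parse_zoo_cfg(open(path).read()))` so the keystore and truststore paths are checked on disk.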