Enabling encryption channel between IBM AD Build Client and IBM AD ZooKeeper

Before you begin:

  • Make sure that a Java™ Runtime Environment is installed on your machine and that the JAVA_HOME variable is defined in the Environment variables. For more information, see the Java Runtime Environment section.
  • You can use the keytool utility that is provided with the JDK on both Linux™ and Windows™ to generate self-signed certificates. In this scenario, the OpenSSL tool from Cygwin is used to generate a self-signed key certificate for IBM AD Build Client.
    Note: If you do not want to use a self-signed certificate, make sure that a certificate authority (CA) issues a signed certificate.

For earlier versions, the communication between IBM AD Build Client and IBM AD ZooKeeper is an unencrypted socket session. Beginning with IBM AD V6.0.0 interim fix 1, you can configure IBM AD Build Client to use a Transport Layer Security (TLS) connection.

The TLS protocol is a client/server cryptographic protocol. It is based on the earlier Secure Sockets Layer (SSL) specifications developed by Netscape Corporation for securing communications over Transmission Control Protocol/Internet Protocol (TCP/IP) sockets. The TLS and SSL protocols run at the application level; therefore, an application must typically be designed and coded to use TLS/SSL protection.

By default, the IBM AD Build Client runs in non-authenticated mode. To configure IBM AD Build Client with TLS support, you need to perform the following two major steps:
  1. Generate a self-signed key certificate for IBM AD Build Client.
  2. Activate IBM AD Build Client to use the generated certificates.

Generate a self-signed key certificate for IBM AD Build Client

Important: Each server must have a keystore containing a key certificate (private key + public certificate). As mentioned before, the key certificate can be self-signed or signed by a certificate authority (CA).
  1. Use the OpenSSL tool from Cygwin to generate the certificates in a dedicated location. For example, C:\certificates.
  2. To generate the key.pem and cliCert.pem, run the following command.
    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cliCert.pem
    Note: A password is requested when you run this command; it is used to encrypt the client's private key. The same password is required later, when you edit the zoo.ini configuration file.
  3. To import the certificate, run the following command.
    keytool -importcert -alias zoo_c_client -file cliCert.pem -keystore truststore.jks -storepass password -deststoretype jks
  4. Check the folder where the certificates were created. Both the key.pem and cliCert.pem files should be there.

Activate IBM AD Build Client to use the generated certificates

  1. Make sure that IBM AD ZooKeeper is configured as a server with TLS support. For more information, see the Securing Apache ZooKeeper SSL connections section.
  2. On the machine where IBM AD Build Client is installed, go to <IBM ADDI Installation Folder>/IBM Application Discovery Build Client/Bin/Release and make sure that zoo.ini is present. If the zoo.ini file is not present in the /Release folder, go to <IBM ADDI Installation Folder>/IBM Application Discovery Build Client/Bin/Release/Samples and copy the zoo.ini file to the /Release folder. Open the zoo.ini file in a text editor and enter the desired values for the parameters that are detailed below. Example:
    [SSL/TLS]
    ;SSL/TLS initialization parameters for Zookeeper
    ;Allowed values to enable secure communication: y or Y (case insensitive). Anything else means disable secure communication.
    zoo_enable_secure_communication=y
    zoo_secure_port=2281

    ;Settings for IBM Build Client & Configuration:
    ;Fully qualified file name for the 'zookeeper' server certificate, E.g.: 'C:\Securitycerts\certZoo\9.20.128.30\zoo.cer'
    zoo_server_certificate=C:\Certificates\certZoo\zoo.cer
    ;Fully qualified file name for the 'zookeeper' client certificate, in .pem format, E.g.: 'C:\Securitycerts\tmp\cliCert.pem'
    zoo_client_certificate=C:\Certificates\clientCertZoo\cliCert.pem
    ;Fully qualified file name for the 'zookeeper' client private key, in .pem format, E.g.: 'C:\Securitycerts\tmp\key.pem'
    zoo_client_privateKey=C:\Certificates\clientCertZoo\key.pem
    ;Pass phrase asked when generating the private key:
    zoo_client_privateKeyPwd=password

    ;Settings for java compilers:
    zoo_java_client_keystore=C:\Certificates\certZoo\keystore.jks
    zoo_java_client_keystorePwd=password
    zoo_java_client_truststore=C:\Certificates\certZoo\truststore.jks
    zoo_java_client_truststorePwd=password

    ;end of [SSL/TLS] section
    Detailed information about IBM Build Client & Configuration settings
    • zoo_enable_secure_communication - set to Y to enable TLS connection.
    • zoo_secure_port - expects the port number that matches the one assigned to IBM AD ZooKeeper. Example: 2281.
    • zoo_server_certificate - expects the fully qualified file name of the server certificate.
      Important: Make sure that the certificate configured in IBM AD Build Client matches the one that was generated for IBM AD ZooKeeper.
    • zoo_client_certificate - expects the fully qualified file name of cliCert.pem.
    • zoo_client_privateKey - expects the fully qualified file name of key.pem.
    • zoo_client_privateKeyPwd - expects the password that was selected when the certificate was generated.
    Detailed information about Java compiler settings
    Important: Make sure that the keystore.jks and truststore.jks files are physically present on the machine where IBM® AD Build Client is installed and configured. You can use the keystore.jks and truststore.jks files that were generated for IBM AD ZooKeeper if both IBM AD Build Client and IBM AD ZooKeeper are installed on the same machine. For more information, see Generate a self-signed key certificate for IBM AD ZooKeeper.

    • zoo_java_client_keystore - expects the fully qualified file name of the keystore.
    • zoo_java_client_keystorePwd - expects the keystore's password.
    • zoo_java_client_truststore - expects the fully qualified file name of the truststore.
    • zoo_java_client_truststorePwd - expects the truststore's password.
  3. Start IBM AD Build Client.
    Note: If you select the Open Project option, the list of projects from the server machine should be available.
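Before starting IBM AD Build Client, it is worth checking that the [SSL/TLS] section of zoo.ini is consistent with the certificate-generation step above: that secure communication is really enabled (only y or Y count, as the sample comments state), that every referenced file is present on the Build Client machine, and that key.pem is the passphrase-protected key the openssl req step produced, with zoo_client_privateKeyPwd set. The following Python script is an added example, not IBM's code; it assumes the PEM headers that OpenSSL writes for a passphrase-protected key (PKCS#8 "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" line), and the zoo.ini and PEM files it writes are constructed placeholders, not real keys or certificates.

```python
"""Pre-flight check of the [SSL/TLS] section of zoo.ini (added example, not IBM's code)."""
import configparser
import os
import tempfile

# PEM headers OpenSSL writes for a passphrase-protected private key (PKCS#8 and legacy form).
ENCRYPTED_KEY_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")

# Keys whose values must point at files present on the Build Client machine.
FILE_KEYS = (
    "zoo_server_certificate",
    "zoo_client_certificate",
    "zoo_client_privateKey",
    "zoo_java_client_keystore",
    "zoo_java_client_truststore",
)


def secure_enabled(value):
    """Documented rule: only 'y' or 'Y' enables TLS; anything else disables it."""
    return value.strip().lower() == "y"


def load_ssl_section(ini_path):
    """Return the [SSL/TLS] keys as a dict, or None if the section is absent."""
    parser = configparser.ConfigParser(comment_prefixes=(";", "#"), interpolation=None)
    parser.optionxform = str  # keep mixed-case names such as zoo_client_privateKey
    with open(ini_path, encoding="utf-8") as fh:
        parser.read_file(fh)
    if not parser.has_section("SSL/TLS"):
        return None
    return dict(parser.items("SSL/TLS"))


def check_zoo_ini(ini_path):
    """Return a list of findings; an empty list means the section looks consistent."""
    findings = []
    section = load_ssl_section(ini_path)
    if section is None:
        return ["[SSL/TLS] section is missing"]

    if not secure_enabled(section.get("zoo_enable_secure_communication", "")):
        findings.append("zoo_enable_secure_communication is not y/Y: the session stays unencrypted")

    port = section.get("zoo_secure_port", "").strip()
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"zoo_secure_port {port!r} is not a valid TCP port")

    for key in FILE_KEYS:
        path = section.get(key, "").strip()
        if not os.path.isfile(path):
            findings.append(f"{key}: file not found: {path!r}")

    cert_path = section.get("zoo_client_certificate", "").strip()
    if os.path.isfile(cert_path):
        with open(cert_path, encoding="utf-8") as fh:
            if "-----BEGIN CERTIFICATE-----" not in fh.read():
                findings.append("zoo_client_certificate is not a PEM certificate")

    key_path = section.get("zoo_client_privateKey", "").strip()
    if os.path.isfile(key_path):
        with open(key_path, encoding="utf-8") as fh:
            key_text = fh.read()
        encrypted = any(marker in key_text for marker in ENCRYPTED_KEY_MARKERS)
        password = section.get("zoo_client_privateKeyPwd", "")
        if encrypted and not password:
            findings.append("zoo_client_privateKey is passphrase-protected but zoo_client_privateKeyPwd is empty")
        if not encrypted:
            findings.append("zoo_client_privateKey is not passphrase-protected; regenerate it with openssl req and set a passphrase")
    return findings


def build_sample(root, encrypt_key=True, enable="y"):
    """Write a constructed zoo.ini plus placeholder files; the PEM bodies are NOT real keys or certificates."""
    paths = {name: os.path.join(root, name)
             for name in ("zoo.cer", "cliCert.pem", "key.pem", "keystore.jks", "truststore.jks")}
    with open(paths["cliCert.pem"], "w", encoding="utf-8") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    key_header = "ENCRYPTED PRIVATE KEY" if encrypt_key else "PRIVATE KEY"
    with open(paths["key.pem"], "w", encoding="utf-8") as fh:
        fh.write(f"-----BEGIN {key_header}-----\nPLACEHOLDER\n-----END {key_header}-----\n")
    for name in ("zoo.cer", "keystore.jks", "truststore.jks"):
        open(paths[name], "wb").close()  # empty placeholder files, existence is all we check
    ini_path = os.path.join(root, "zoo.ini")
    with open(ini_path, "w", encoding="utf-8") as fh:
        fh.write(
            "[SSL/TLS]\n"
            ";SSL/TLS initialization parameters for Zookeeper\n"
            f"zoo_enable_secure_communication={enable}\n"
            "zoo_secure_port=2281\n"
            f"zoo_server_certificate={paths['zoo.cer']}\n"
            f"zoo_client_certificate={paths['cliCert.pem']}\n"
            f"zoo_client_privateKey={paths['key.pem']}\n"
            "zoo_client_privateKeyPwd=password\n"
            f"zoo_java_client_keystore={paths['keystore.jks']}\n"
            "zoo_java_client_keystorePwd=password\n"
            f"zoo_java_client_truststore={paths['truststore.jks']}\n"
            "zoo_java_client_truststorePwd=password\n"
        )
    return ini_path


def run_demo():
    """Run the check over three constructed configurations and return the findings per case."""
    results = {}
    for label, kwargs in (("ok", {}), ("unencrypted_key", {"encrypt_key": False}), ("disabled", {"enable": "yes"})):
        with tempfile.TemporaryDirectory() as root:
            results[label] = check_zoo_ini(build_sample(root, **kwargs))
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings or "no findings")
```

To check a real installation, call check_zoo_ini with the path of the zoo.ini in the /Release folder; the "disabled" case shows that a value such as "yes" silently leaves the session unencrypted, which is the failure mode the comment in the sample zoo.ini warns about.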