IBM® InfoSphere® Information Server supports Secure Sockets Layer (SSL) communication between the application server and client components. If your environment requires confidentiality at the EJB or HTTP level, you can enable SSL.

SSL provides two benefits:
- Encryption: Data sent over an SSL connection is encrypted.
- Identification: Communication is allowed only if the server is positively verified. Before communications begin, the server sends the client a certificate. The signature in the certificate is decrypted by the client to verify the authenticity of the sender.

SSL is not enabled by default within InfoSphere Information Server. SSL adds greater security to your system, but also requires more administrative work and can be error-prone. There is also a performance impact. Therefore, carefully consider the benefits and drawbacks before enabling SSL. You might not need SSL if you have a strong firewall in place.

You can enable SSL for the following types of client-server communication:
- Inbound secure HTTP (HTTPS).
- Inbound RMI/IIOP (EJB communication).

SSL configuration is optional. If you do not configure HTTPS, HTTP is used instead.

To enable SSL, do the following tasks:
- Configure the application server to communicate by using SSL.
- Configure InfoSphere Information Server components to use SSL. These components include:
  - Agents on the engine tier computers
  - Command-line tools on the engine tier computers, client tier computers, and services tier computer
  - Rich client programs on the client tier computers. These programs include the InfoSphere Information Server console, the IBM InfoSphere DataStage® and QualityStage® Director, Designer, and Administrator clients, and the IBM InfoSphere FastTrack client.

Application server HTTPS and SSL for inbound RMI/IIOP configuration

Application server HTTPS configuration differs depending upon how the application server is installed:
- If you install IBM WebSphere® Application Server by using the InfoSphere Information Server installation program, both the HTTP and HTTPS protocols are enabled in WebSphere Application Server.
- If you preinstall WebSphere Application Server before running the InfoSphere Information Server installation program:
  - If you use the built-in WebSphere Application Server HTTP server, both the HTTP and HTTPS protocols are enabled in WebSphere Application Server.
  - If you set up a separate front-end HTTP server, manually configure HTTPS. Do this task before InfoSphere Information Server is installed. See Configuring the front-end HTTP server for HTTPS.

Application server SSL for RMI/IIOP is disabled by the InfoSphere Information Server installation program. Use the WebSphere Application Server administrative console to reenable this communication protocol in the application server. Do this task after InfoSphere Information Server is installed. See Enabling SSL for inbound RMI/IIOP transport (stand-alone installation).

InfoSphere Information Server component HTTPS configuration

To configure InfoSphere Information Server components to communicate with the application server by using HTTPS, use one of the following methods:
- Manually edit configuration files on each computer that contains the components, and install the HTTPS certificate on the computer.
- Automatically configure the components from within the installation program during installation. This method is available for most installation scenarios. However, you must use the completely manual method in the following scenarios:
  - You install WebSphere Application Server by using the InfoSphere Information Server installation program. In this case, you must use the manual method after installation to configure the services tier for HTTPS. If you install the client tier or the engine tier in the same installation pass, you must also manually configure the tiers that you install in the pass for HTTPS.
  - You install the client tier only in an installation pass, either on a computer that has no other tiers installed, or on a computer that has other tiers installed. In this case, you must use the manual method after installation to configure the client tier for HTTPS.

See Manually configuring InfoSphere Information Server components to use HTTPS.

For certain product modules, other steps are required:

Connection to the SSL-enabled server

After SSL is enabled:
- To access Web-based InfoSphere Information Server client tools such as the InfoSphere Information Server Web console, IBM InfoSphere Business Glossary, or IBM InfoSphere Metadata Workbench, the user must specify an HTTPS URL and port in the browser.
- For rich client tools, the user must specify the HTTPS-enabled port when logging in.

When the server certificate changes (for example, a certificate expires or a new managed node is added to a WebSphere Application Server cluster), InfoSphere Information Server clients do not dynamically retrieve the new server certificates. The InfoSphere Information Server UpdateSignerCerts tool retrieves server signer certificates. You must run the UpdateSignerCerts tool manually on all computers that host components that communicate with WebSphere Application Server by using SSL. See Running UpdateSignerCerts after enabling SSL or changing SSL at the cell level.
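
Because clients do not pick up a changed server certificate on their own, it helps to detect the change before users hit handshake failures. The following check is an added example, not IBM code and not part of InfoSphere Information Server: it performs a TLS handshake that trusts only a given set of signer certificates, then compares the presented certificate with a recorded baseline fingerprint and its expiry date. The host, port, `signers.pem` file (assumed to be a PEM export of the signers the client trusts) and baseline value are hypothetical inputs.

```python
import hashlib
import socket
import ssl
import sys
import time


def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def assess(der, not_after, baseline_fp, now, warn_days=30):
    """Compare the presented certificate with the recorded baseline.

    not_after uses the text format returned by ssl.SSLSocket.getpeercert().
    """
    findings = []
    if fingerprint(der) != baseline_fp:
        findings.append("CHANGED")
    days_left = (ssl.cert_time_to_seconds(not_after) - now) // 86400
    if days_left < 0:
        findings.append("EXPIRED")
    elif days_left <= warn_days:
        findings.append("EXPIRING")
    return findings


def probe(host, port, ca_file, timeout=5.0):
    """Handshake trusting only ca_file; raises SSLCertVerificationError
    when that signer set no longer validates the server."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Hypothetical invocation: check.py <host> <https-port> <signers.pem> <baseline-fp>
    host, port, ca_file, baseline = sys.argv[1:5]
    try:
        der, not_after = probe(host, int(port), ca_file)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}:{port} no longer validates against {ca_file}: {exc.verify_message}")
        sys.exit(2)
    findings = assess(der, not_after, baseline, time.time())
    print(f"{host}:{port} {fingerprint(der)} {findings or 'OK'}")
    sys.exit(1 if findings else 0)
```

A nonzero exit status indicates that the signer certificates on client computers need to be refreshed with the UpdateSignerCerts tool, as described above.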