IBM Support

Instructions for Enabling Encrypted Communications to Oracle Databases in Information Server v11.7.1

How To


Summary

This document covers the steps required to enable encrypted communications on connections to the Oracle XMETA, DSODB, QSSRDDB and IADB databases used by Information Server. It does not cover the database connections that are defined when using products like DataStage, IMAM, etc. The encryption referred to in this document is Oracle's Native Network Encryption.

Steps

  1. Introduction and Conventions 
    The procedure documented here supports Oracle 12c/18c with Native Network Encryption enabled as the Repository Tier for Information Server 11.7.1. It includes the changes that need to be made in Information Server to support encrypted connections to the XMETA, DSODB, QSSRDDB and IADB databases hosted on Oracle.

    In this document,
    - IS install path refers to the location where IBM Information Server is installed on your machine. By default, /opt/IBM/InformationServer on UNIX or C:\IBM\InformationServer on Windows
    - WAS install path refers to the location where IBM WebSphere Application Server is installed on your machine. By default, /opt/IBM/WebSphere on UNIX or C:\IBM\WebSphere on Windows
    - Services tier refers to the machine where the IBM Information Server services tier is installed
    - Engine tier refers to the machine(s) where the IBM Information Server engine tier is installed

    The command examples in this document are for Unix environments and must be adjusted appropriately to run in a Windows environment.
  2. Supported Platforms
    For details on supported operating systems and database servers, see the link below.
    InfoSphere Information Server V11.7.1 detailed system requirements
  3. Before You Begin
    Before you begin this process, you should back up your complete Information Server installation. Instructions for backup and restore can be found at
    Backing up and restoring IBM InfoSphere Information Server
  4. Configure WebSphere JDBC Data Sources
    Configure the WebSphere JDBC data sources to connect to the encryption-enabled Oracle database as follows.
    - Open the WebSphere Application Server administrative console
    - Go to Resources > JDBC > Data sources
    - Select ASB JDBC DataSource in the data source list
    - In the Additional Properties section, select Custom properties
    - Click New
    - Enter encryptionLevel in the Name field and enter required in the Value field
    - Click OK and then Save to save the configurations
    - Click New again
    - Enter dataIntegrityLevel in the Name field and enter required in the Value field
    - Click OK and then Save to save the configurations
    Perform the same configuration for ASB JDBC Staging XA DataSource, ASB JDBC XA DataSource, IADB DataSource and any other data source that connects to the Oracle instance.
  5. Configure Native Network Encryption in Oracle
    Enable Native Network Encryption in Oracle by adding the following two parameters to the sqlnet.ora file.
    SQLNET.CRYPTO_CHECKSUM_SERVER = required
    SQLNET.ENCRYPTION_SERVER = required
  6. Configure the Information Server Services Tier
    1. Update the database.properties files
      - Append ;encryptionLevel=required;dataIntegrityLevel=required to the URL in the following files
        {IS install path}/ASBServer/conf/database.properties
        {IS install path}/ASBServer/apps/lib/iis/classes/database.properties
        {IS install path}/ASBServer/conf/imam_staging_repository.properties


      - Run the following command to propagate the changes to WebSphere Application Server:
        {IS install path}/ASBServer/bin/AppServerAdmin.sh -db -user {xmeta user Id} -password {xmeta user password} 
    2. Update com.ibm.iis.xmeta.repo.conn.POJO_STAGING property
      Run the following command on the services tier to update the com.ibm.iis.xmeta.repo.conn.POJO_STAGING property:

      {IS install path}/ASBServer/bin/xmetaAdmin.sh setProperty -file {IS install path}/ASBServer/conf/imam_staging_repository.properties -dbfile {IS install path}/ASBServer/conf/database.properties com.ibm.iis.xmeta.repo.conn.POJO_STAGING
  7. Configure DSODB
    These steps are for configuring Native Network Encryption support for the DSODB Oracle database connections.
    1. Enable Native Network Encryption on Oracle to Support Encrypted Connections
      If the DSODB database is co-located with the repository database, then the Oracle instance was already configured to support Native Network Encryption connections in the previous steps.
      If the DSODB data is not co-located with the repository database, then perform the same steps on the DSODB database instance that were performed on the XMETA repository database instance.
    2. Configure the Information Server Engine Tier
      1. Update the Registered Database Server
        Run the following command on the services tier to list the registered databases:

        {IS install path}/ASBServer/bin/RepositoryAdmin.sh -listDatabases

        For each database in the list that has been configured to use Encrypted connections, do the following steps.
        Run the following command to display the registered database properties, where
        {database name} is the name of the database that was returned from the -listDatabases command:

        {IS install path}/ASBServer/bin/RepositoryAdmin.sh -displayDatabase -dbName {database name}

        Make sure that the database details are correct. If any of them need to be updated, follow the steps below.
        If the database server port needs to be updated to the security port, then run the following command to update the port, where
        {database version} and {database server host} are found in the output of the -displayDatabase command and {database server security port} is the security port that was configured previously:

        {IS install path}/ASBServer/bin/RepositoryAdmin.sh -updateDatabaseServer -databaseType ORACLE -databaseVersion {database version} -serverHost {database server host} -serverPort {database server security port}
         
      2. Update the Registered DSODB Repository
        Run the following command on the services tier to list the registered repositories:

        {IS install path}/ASBServer/bin/RepositoryAdmin.sh -listRepositories

        Locate the repository name of the registered DSODB repository (e.g. dsodb) in the command output.
        Run the following command to display the registered DSODB repository properties, where {repository name} is the name of the registered DSODB repository that was returned from the -listRepositories command:

        {IS install path}/ASBServer/bin/RepositoryAdmin.sh -displayRepository -reposName {repository name}

        Update the connectionURL by appending ;encryptionLevel=required;dataIntegrityLevel=required to the existing connectionURL. Run the following command to update the connectionURL:

        {IS install path}/ASBServer/bin/RepositoryAdmin.sh -updateRepositoryConnection -reposName {repository name} -connectionURL "{url}"
         
      3. Update the DSODBConnect.cfg File
        Generate a new connection file by running the following command:

        {IS install path}/ASBNode/bin/RegistrationCommand.sh -user {admin user} -password {password} -gcf -repository {dsodb repository name} -cf {IS install path}/Server/DSODB/DSODBConnect.tmpl -results {IS install path}/Server/DSODB/DSODBConnect.cfg
  8. Configure QSSRDDB
    These steps are for configuring Native Network Encryption support for the QSSRDDB Oracle database connections.
    1. Update the Registered QSSRDDB Repository
      Run the following command on the services tier to list the registered repositories:

      {IS install path}/ASBServer/bin/RepositoryAdmin.sh -listRepositories

      If the output lists a QSSRDDB repository, then continue with the next steps.
      Run the following command to display the registered QSSRDDB repository properties:

      {IS install path}/ASBServer/bin/RepositoryAdmin.sh -displayRepository -reposName QSSRDDB

      Update the connectionURL by appending ;encryptionLevel=required;dataIntegrityLevel=required to the existing connectionURL. Run the following command to update the connectionURL:

      {IS install path}/ASBServer/bin/RepositoryAdmin.sh -updateRepositoryConnection -reposName QSSRDDB -connectionURL "{url}"
  9. Stop Services
    Stop all the Information Server services on each Engine and Services Tier. Follow the steps found at:
    - Linux/Unix
    Shutting down services (Linux, UNIX)
    - Windows
    Shutting down services (Windows)
  10. Start Services
    Start all the Information Server services on each Engine and Services Tier. Follow the steps found at:
    - Linux/Unix
    Starting services (Linux, UNIX)
    - Windows
    Starting services (Windows)
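
The following script is an added example, not part of the IBM document: it audits the two settings this procedure depends on, the sqlnet.ora parameters from step 5 and the URL options from step 6, so they can be checked before the restart in steps 9 and 10. The sample file contents (driver class, host and service names) are constructed, and the functions only read the files they are given.

```shell
#!/bin/sh
# Added example, not IBM code: audit the settings from steps 5 and 6.

# nne_url_ok FILE: succeed only if FILE holds at least one JDBC Oracle URL and
# every such URL carries both options from step 6. Java .properties files may
# escape ':' and '=' with a backslash, so backslashes are dropped before matching.
nne_url_ok() {
    awk '
        /^[ \t]*[#!]/ { next }                          # comment lines
        {
            line = $0; gsub(/\\/, "", line)
            if (line !~ /jdbc:([a-z]+:)?oracle:/) next  # not a URL line
            seen = 1
            if (line !~ /;encryptionLevel=required(;|[ \t]*$)/)    { print FILENAME ": encryptionLevel not set to required"; bad = 1 }
            if (line !~ /;dataIntegrityLevel=required(;|[ \t]*$)/) { print FILENAME ": dataIntegrityLevel not set to required"; bad = 1 }
        }
        END { exit ((bad || !seen) ? 1 : 0) }
    ' "$1"
}

# sqlnet_ok FILE: succeed only if both step 5 parameters are "required".
# Takes the last uncommented assignment of each; comparison ignores case.
sqlnet_ok() {
    for p in SQLNET.ENCRYPTION_SERVER SQLNET.CRYPTO_CHECKSUM_SERVER; do
        val=$(awk -F= -v p="$p" '
            /^[ \t]*#/ { next }
            { k = toupper($1); gsub(/[ \t]/, "", k) }
            k == p { v = tolower($2); gsub(/[ \t\r]/, "", v) }
            END { print v }' "$1")
        [ "$val" = "required" ] || { echo "$1: $p is '${val:-unset}'"; return 1; }
    done
}

# Constructed sample files (driver class, host and service names are made up).
make_samples() {
    printf '%s\n' 'driver=com.ibm.isf.jdbc.oracle.OracleDriver' \
        'url=jdbc\:ibm\:oracle\://dbhost.example\:1521;ServiceName\=xmeta;encryptionLevel=required;dataIntegrityLevel=required' > "$1/good.properties"
    printf '%s\n' '# step 6 only half applied' \
        'url=jdbc\:ibm\:oracle\://dbhost.example\:1521;ServiceName\=xmeta;encryptionLevel=required' > "$1/bad.properties"
    printf '%s\n' 'SQLNET.CRYPTO_CHECKSUM_SERVER = required' \
        'sqlnet.encryption_server = REQUIRED' > "$1/sqlnet.ora"
    printf '%s\n' 'SQLNET.CRYPTO_CHECKSUM_SERVER = required' \
        '# SQLNET.ENCRYPTION_SERVER = required' > "$1/sqlnet_bad.ora"
}

d=$(mktemp -d) && make_samples "$d"
for f in "$d"/*.properties; do nne_url_ok "$f" && echo "$f: ok" || echo "$f: FAIL"; done
for f in "$d"/*.ora; do sqlnet_ok "$f" && echo "$f: ok" || echo "$f: FAIL"; done
```

To audit a real installation, call nne_url_ok on each of the three files listed in step 6 and sqlnet_ok on the database server's sqlnet.ora.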

Document Location

Worldwide


Document Information

Modified date:
26 April 2023

UID

ibm16208600