How To
Summary
This document covers the steps required to enable encrypted communications on connections to Oracle XMETA, DSODB, QSSRDDB and IADB databases used by Information Server. It does not cover the database connections that are defined when using products like DataStage, IMAM, etc. The encryption referred to in this document is Oracle's Native Network Encryption.
Steps
- Introduction and Conventions
The procedure documented here supports using Oracle 12c/18c with Native Network Encryption enabled as the Repository Tier for Information Server 11.7.1. This includes the changes that need to be made in Information Server to support encrypted connections to the XMETA, DSODB, QSSRDDB and IADB databases hosted on Oracle.
In this document,
- IS install path refers to the location where IBM Information Server is installed on your machine. By default, /opt/IBM/InformationServer on UNIX or C:\IBM\InformationServer on Windows
- WAS install path refers to the location where IBM WebSphere Application Server is installed on your machine. By default, /opt/IBM/WebSphere on UNIX or C:\IBM\WebSphere on Windows
- Services tier refers to the machine where the IBM Information Server services tier is installed
- Engine tier refers to the machine(s) where the IBM Information Server engine tier is installed
The command examples in this document are for Unix environments and must be adjusted appropriately to run in a Windows environment.
- Supported Platforms
For details on supported operating systems and database servers, see the link below.
InfoSphere Information Server V11.7.1 detailed system requirements
- Before You Begin
Before you begin this process, you should back up your complete Information Server installation. Instructions for backup and restore can be found at
Backing up and restoring IBM InfoSphere Information Server
- Configure WebSphere JDBC Data Sources
Configure the WebSphere JDBC data sources to connect to the encryption-enabled Oracle instance as follows.
- Open the WebSphere Application Server administrative console
- Go to Resources > JDBC > Data sources
- Select ASB JDBC DataSource in the data source list
- In the Additional Properties section, select Custom properties
- Click New
- Enter encryptionLevel in the Name field and enter required in the Value field
- Click OK and then Save to save the configurations
- Click New again
- Enter dataIntegrityLevel in the Name field and enter required in the Value field
- Click OK and then Save to save the configurations
Perform the same configuration for ASB JDBC Staging XA DataSource, ASB JDBC XA DataSource, IADB DataSource and any other data source that connects to the Oracle instance.
- Configure Native Network Encryption in Oracle
Enable Native Network Encryption in Oracle by adding the following two parameters to the sqlnet.ora file.
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.ENCRYPTION_SERVER = required
- Configure the Information Server Services Tier
- Update the database.properties files
- Append ;encryptionLevel=required;dataIntegrityLevel=required to the URL in the following files:
{IS install path}/ASBServer/conf/database.properties
{IS install path}/ASBServer/apps/lib/iis/classes/database.properties
{IS install path}/ASBServer/conf/imam_staging_repository.properties
- Run the following command to propagate the changes to WebSphere Application Server:
{IS install path}/ASBServer/bin/AppServerAdmin.sh -db -user {xmeta user Id} -password {xmeta user password}
- Update com.ibm.iis.xmeta.repo.conn.POJO_STAGING property
Run the following command on the services tier to update the com.ibm.iis.xmeta.repo.conn.POJO_STAGING property:
{IS install path}/ASBServer/bin/xmetaAdmin.sh setProperty -file {IS install path}/ASBServer/conf/imam_staging_repository.properties -dbfile {IS install path}/ASBServer/conf/database.properties com.ibm.iis.xmeta.repo.conn.POJO_STAGING
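A check for the Oracle and services-tier steps above, as an added example that is not part of the IBM document or IBM's tooling: it verifies that sqlnet.ora sets both parameters to required and that every JDBC URL line in a properties file carries both appended options. The function names, the sample host, SID and url key, and the rule that a URL is any non-comment line containing "jdbc" are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's tooling): audit the settings this procedure applies.
# Assumption: a JDBC URL is any non-comment line that contains "jdbc".

# Return 0 only if sqlnet.ora file $1 sets parameter $2 (a regex) to "required".
sqlnet_param_required() {
    grep -v '^[[:space:]]*#' "$1" | tr -d ' \t' | grep -i -q "^$2=required\$"
}

# Return 0 only if both server-side parameters named on the page are required.
check_sqlnet() {
    sqlnet_param_required "$1" 'SQLNET\.ENCRYPTION_SERVER' &&
        sqlnet_param_required "$1" 'SQLNET\.CRYPTO_CHECKSUM_SERVER'
}

# Return 0 only if file $1 has at least one JDBC URL line and every such line
# carries both options; lines that miss an option are printed.
check_jdbc_urls() {
    awk -v enc='encryptionLevel=required' -v dil='dataIntegrityLevel=required' '
        /^[ \t]*#/ { next }
        /jdbc/ {
            urls++
            if (index($0, enc) == 0 || index($0, dil) == 0) {
                bad++
                print FILENAME ": " $0
            }
        }
        END { if (urls == 0 || bad > 0) exit 1 }
    ' "$1"
}

# Constructed sample files (host, SID and key name are made up for the demo).
demo=$(mktemp -d)
printf '%s\n' 'SQLNET.CRYPTO_CHECKSUM_SERVER = required' \
    'SQLNET.ENCRYPTION_SERVER = required' > "$demo/sqlnet.ora"
base='url=jdbc:ibm:oracle://dbhost.example:1521;SID=xmeta'
printf '%s\n' "$base;encryptionLevel=required;dataIntegrityLevel=required" \
    > "$demo/updated.properties"
printf '%s\n' "$base;encryptionLevel=required" > "$demo/partial.properties"

check_sqlnet "$demo/sqlnet.ora" && echo "OK   sqlnet.ora"
for f in "$demo/updated.properties" "$demo/partial.properties"; do
    if check_jdbc_urls "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
rm -rf "$demo"
```

Point the two check functions at the real sqlnet.ora and at the three properties files listed above to confirm that no file was missed before restarting services.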
- Configure DSODB
These steps are for configuring Native Network Encryption support for the DSODB Oracle database connections.
- Enable Native Network Encryption on Oracle to Support Encrypted Connections
If the DSODB database is co-located with the repository database, then the Oracle instance was already configured to support Native Network Encryption connections in the previous steps.
If the DSODB data is not co-located with the repository database, then perform the same steps on the DSODB database instance that were performed on the XMETA repository database instance.
- Configure the Information Server Engine Tier
- Update the Registered Database Server
Run the following command on the services tier to list the registered databases:
{IS install path}/ASBServer/bin/RepositoryAdmin.sh -listDatabases
For each database in the list that has been configured to use Encrypted connections, do the following steps.
Run the following command to display the registered database properties, where {database name} is the name of the database that was returned from the -listDatabases command:
{IS install path}/ASBServer/bin/RepositoryAdmin.sh -displayDatabase -dbName {database name}
Make sure that the database details are correct. If they need to be updated, follow the step below.
If the database server port needs to be updated to the security port, then run the following command to update the port, where {database version} and {database server host} are found in the output of the -displayDatabase command and {database server security port} is the security port that was configured previously:
{IS install path}/ASBServer/bin/RepositoryAdmin.sh -updateDatabaseServer -databaseType SQLSERVER -databaseVersion {database version} -serverHost {database server host} -serverPort {database server security port}
- Update the Registered DSODB Repository
Run the following command on the services tier to list the registered repositories:
{IS install path}/ASBServer/bin/RepositoryAdmin.sh -listRepositories
Locate the repository name of the registered DSODB repository (e.g. dsodb) in the command output.
Run the following command to display the registered DSODB repository properties, where {repository name} is the name of the registered DSODB repository that was returned from the -listRepositories command:
{IS install path}/ASBServer/bin/RepositoryAdmin.sh -displayRepository -reposName {repository name}
Update the connectionURL by appending ;encryptionLevel=required;dataIntegrityLevel=required to the existing connectionURL. Run the following command to update the connectionURL:
{IS install path}/ASBServer/bin/RepositoryAdmin.sh -updateRepositoryConnection -reposName {repository name} -connectionURL "{url}"
- Update the DSODBConnect.cfg File
Generate a new connection file by running the following command:
{IS install path}/ASBNode/bin/RegistrationCommand.sh -user {admin user} -password {password} -gcf -repository {dsodb repository name} -cf {IS install path}/Server/DSODB/DSODBConnect.tmpl -results {IS install path}/Server/DSODB/DSODBConnect.cfg
- Configure QSSRDDB
These steps are for configuring Native Network Encryption support for the QSSRDDB Oracle database connections.
- Update the Registered QSSRDDB Repository
Run the following command on the services tier to list the registered repositories:
{IS install path}/ASBServer/bin/RepositoryAdmin.sh -listRepositories
If the output lists a QSSRDDB repository, then continue with the next steps.
Run the following command to display the registered QSSRDDB repository properties:
{IS install path}/ASBServer/bin/RepositoryAdmin.sh -displayRepository -reposName QSSRDDB
Update the connectionURL by appending ;encryptionLevel=required;dataIntegrityLevel=required to the existing connectionURL. Run the following command to update the connectionURL:
{IS install path}/ASBServer/bin/RepositoryAdmin.sh -updateRepositoryConnection -reposName QSSRDDB -connectionURL "{url}"
- Stop Services
Stop all the Information Server services on each Engine and Services Tier. Follow the steps found at:
- Linux/Unix
Shutting down services (Linux, UNIX)
- Windows
Shutting down services (Windows)
- Start Services
Start all the Information Server services on each Engine and Services Tier. Follow the steps found at:
- Linux/Unix
Starting services (Linux, UNIX)
- Windows
Starting services (Windows)
Document Location
Worldwide
Document Information
Modified date:
26 April 2023
UID
ibm16208600