Configuring secure ports for connections between replication servers

If database servers in your Enterprise Replication environment are on a network that is not trusted, you can configure secure ports and an encrypted password file to enable secure connections.

About this task

The secure ports that are listed in the sqlhosts files can be used only for communication between database servers. You must configure a separate port for local client/server communications.

Procedure

To configure a secure port for replication:
  1. In the sqlhosts file on each server, create a group entry with two connections for the local server:
    1. Create one connection entry without the s=6 option to configure local communication with utilities, such as the cdr utility and Connection Managers.
    2. Create one connection entry with the s=6 option to configure communication between servers.
    In the following example, the value of the DBSERVERNAME configuration parameter is serv1:
    #dbservername    nettype        hostname      servicename    options
    serv1            ontlitcp       ny.usa.com    ertest1    
    g_serv1          group          -             -              i=143
    serv1_s6         ontlitcp       ny.usa.com    ertest10       g=g_serv1,s=6
    Note: Do not use the cdr autoconfig serv command if you configure secure ports. sqlhosts file entries must be manually added if any entries include the s=6 option.
  2. In the sqlhosts file on each server's host, add entries for each of the other servers in the domain. Use the server names that are associated with the s=6 options.
  3. Create a trusted-host file that includes the host names of the other replication servers in the domain, each on a separate line.
    You can manually create the trusted-host file in $INFORMIXDIR/etc, and then set the REMOTE_SERVER_CFG configuration parameter to the name of the trusted-host file. Alternatively, you can run the admin() or task() function with the cdr add trustedhost argument to set a replication server's REMOTE_SERVER_CFG configuration parameter and add entries to the server's trusted-host file. If the replication server is part of a high-availability cluster, running the admin() or task() function with the cdr add trustedhost argument propagates trusted-host entries to other database servers in a high-availability cluster.
    Note: You cannot use the hosts.equiv trusted-host file when you configure secure ports.
    The following example trusted-host file has entries for three hosts, and specifies both host names and domain names:
    #hostname
    tokyo.japan.com
    tokyo
    
    rome.italy.com
    rome
    
    perth.australia.com
    perth
    A database server on a listed host connects to the local database server instance through the sqlhosts file entry with the s=6 option.
  4. Set the S6_USE_REMOTE_SERVER_CFG configuration parameter to 1 in the onconfig file.
  5. Using a text editor, create and save a password file. The password file includes the host name, alternative server name, user ID, and password for each server and the server group.
    For example, if the user ID for server serv1 is informix, the alias for the database server that uses a secure port is serv1_s6, and the password was informix_pw, use the following password file entries:
    serv1_s6  serv1  informix  informix_pw
    g_serv1  serv1  informix  informix_pw
    
  6. Encrypt the password file by running the onpassword utility.
    For example, if you named the text file in step 5 $INFORMIXDIR/etc/server_passwords, and you wanted the file encrypted with a key called access_key, use the following command:
    onpassword -k access_key -e $INFORMIXDIR/etc/server_passwords 
    

    The encrypted file is saved as: $INFORMIXDIR/etc/passwd_file.

    Important: To prevent unauthorized access to the server passwords, remove the unencrypted password file, $INFORMIXDIR/etc/server_passwords after you create the encrypted file.

What to do next

If you do not configure a password file, you must run the cdr utility on the local computer, for example:
cdr list server --connect=serv1 

Because secure ports can be used only for replication communication, you cannot test the connections until you start replication.