Configuring secure ports for connections between replication servers

If database servers in your Enterprise Replication environment are on a network that is not trusted, you can configure secure ports and an encrypted password file to enable secure connections.

About this task

The secure ports that are listed in the sqlhosts files can be used only for communication between database servers. You must configure a separate port for local client/server communications.

Procedure

To configure a secure port for replication:
  1. In the sqlhosts file on each server, create a group entry with two connections for the local server:
    1. Create one connection entry without the s=6 option to configure local communication with utilities, such as the cdr utility and Connection Managers.
    2. Create one connection entry with the s=6 option to configure communication between servers.
    In the following example, the value of the DBSERVERNAME configuration parameter is serv1:
    #dbservername    nettype        hostname      servicename    options
    serv1            ontlitcp       ny.usa.com    ertest1    
    g_serv1          group          -             -              i=143
    serv1_s6         ontlitcp       ny.usa.com    ertest10       g=g_serv1,s=6
    Note: Do not use the cdr autoconfig serv command if you configure secure ports. sqlhosts file entries must be manually added if any entries include the s=6 option.
  2. In the sqlhosts file on each server's host, add entries for each of the other servers in the domain. Use the server names that are associated with the s=6 options.
  3. Create a trusted-host file that includes the host names of the other replication servers in the domain, each on a separate line.
    You can manually create the trusted-host file in $ONEDB_HOME/etc, and then set the REMOTE_SERVER_CFG configuration parameter to the name of the trusted-host file. Alternatively, you can run the admin() or task() function with the cdr add trustedhost argument to set a replication server's REMOTE_SERVER_CFG configuration parameter and add entries to the server's trusted-host file. If the replication server is part of a high-availability cluster, running the admin() or task() function with the cdr add trustedhost argument also propagates the trusted-host entries to the other database servers in that cluster.
    Note: You cannot use the hosts.equiv trusted-host file when you configure secure ports.
    The following example trusted-host file has entries for three hosts, and specifies both host names and domain names:
    #hostname
    tokyo.japan.com
    tokyo
    
    rome.italy.com
    rome
    
    perth.australia.com
    perth
    A database server on a listed host connects to the local database server instance through the sqlhosts file entry with the s=6 option.
  4. Set the S6_USE_REMOTE_SERVER_CFG configuration parameter to 1 in the onconfig file.
  5. Using a text editor, create and save a password file. The password file includes the host name, alternative server name, user ID, and password for each server and the server group.
    For example, if the user ID for server serv1 is informix, the alias for the database server that uses a secure port is serv1_s6, and the password is informix_pw, use the following password file entries:
    serv1_s6  serv1  informix  informix_pw
    g_serv1  serv1  informix  informix_pw
  6. Encrypt the password file by running the onpassword utility.
    For example, if you named the text file in step 5 $ONEDB_HOME/etc/server_passwords, and you wanted the file encrypted with a key called access_key, use the following command:
    onpassword -k access_key -e $ONEDB_HOME/etc/server_passwords

    The encrypted file is saved as $ONEDB_HOME/etc/passwd_file.

    Important: To prevent unauthorized access to the server passwords, remove the unencrypted password file, $ONEDB_HOME/etc/server_passwords, after you create the encrypted file.
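The sqlhosts and trusted-host layout that steps 1 through 4 describe is easy to get subtly wrong (an s=6 entry outside its group, a secure port that collides with the local client port, or a remote host left out of the trusted-host file). The following added checker, which is not part of the product or this documentation, lints constructed sqlhosts and trusted-host files for exactly those conditions; the host names, service names and the local-host argument are assumptions made for the example.

```python
# Constructed sqlhosts for three replication servers; the local server is serv1.
SQLHOSTS = """\
#dbservername  nettype   hostname         servicename  options
serv1          ontlitcp  ny.usa.com       ertest1
g_serv1        group     -                -            i=143
serv1_s6       ontlitcp  ny.usa.com       ertest10     g=g_serv1,s=6
serv2          ontlitcp  tokyo.japan.com  ertest2
g_serv2        group     -                -            i=144
serv2_s6       ontlitcp  tokyo.japan.com  ertest20     g=g_serv2,s=6
serv3          ontlitcp  rome.italy.com   ertest3
g_serv3        group     -                -            i=145
serv3_s6       ontlitcp  rome.italy.com   ertest30     g=g_serv3,s=6
"""
# Constructed trusted-host file on serv1's host; rome is deliberately missing.
TRUSTED_HOSTS = "#hostname\ntokyo.japan.com\ntokyo\n"

def parse_sqlhosts(text):
    """Return one dict per non-comment sqlhosts line; options become a key->value map."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        opts = dict(kv.partition("=")[::2] for kv in fields[4].split(",")) if len(fields) > 4 else {}
        entries.append({"name": fields[0], "nettype": fields[1], "host": fields[2],
                        "service": fields[3], "opts": opts})
    return entries

def check_secure_ports(entries, trusted_text, local_host):
    """Return a list of problems; an empty list means the layout matches the procedure."""
    trusted = {l.strip() for l in trusted_text.splitlines() if l.strip() and not l.startswith("#")}
    groups = {e["name"] for e in entries if e["nettype"] == "group"}
    problems = []
    for e in entries:
        if e["opts"].get("s") != "6":
            continue
        if e["opts"].get("g") not in groups:
            problems.append(f"{e['name']}: s=6 entry is not a member (g=) of a defined group")
        # Each s=6 entry needs a sibling entry on the same host without s=6 and on a
        # different port, for local utilities such as cdr and Connection Managers.
        plain = [p for p in entries if p["host"] == e["host"] and p["opts"].get("s") != "6"]
        if not plain:
            problems.append(f"{e['name']}: no non-s=6 entry on {e['host']} for local clients")
        elif any(p["service"] == e["service"] for p in plain):
            problems.append(f"{e['name']}: secure port {e['service']} is shared with a client port")
        if e["host"] != local_host and e["host"] not in trusted:
            problems.append(f"{e['name']}: host {e['host']} is not in the trusted-host file")
    return problems
```

Calling check_secure_ports(parse_sqlhosts(SQLHOSTS), TRUSTED_HOSTS, "ny.usa.com") returns a single finding for serv3_s6, because rome.italy.com is absent from the trusted-host file; adding that host to TRUSTED_HOSTS makes the check return an empty list.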

What to do next

If you do not configure a password file, you must run the cdr utility on the local computer, for example:
cdr list server --connect=serv1

Because secure ports can be used only for replication communication, you cannot test the connections until you start replication.