Abstract
Encrypted HDR connections keep your data secure.
Technologies such as storage encryption and SSL client/server encryption are helping to make our data safer and are becoming standard security requirements; however, encryption between database servers and over replication routes often falls through the cracks.
You have enabled Encryption At Rest and encrypted your backups and client connections, so you know your data is safe on disk and between the database and client applications; but data is still being transferred between your primary and secondary unencrypted. Thankfully, since version 11.10, Informix Dynamic Server (IDS) has been able to encrypt traffic over HDR and SMX communication channels.
In this article, we will demonstrate how to set up a secure, encrypted HDR connection.
Content
On a busy HDR pair, we would recommend running HDR traffic over a dedicated trusted connection of its own in your sqlhosts file. This would look something like the following:
ol_informix1410_pri_shm onipcshm * ol_informix1410_pri_shm
ol_informix1410_pri onsoctcp *ids_pri ol_informix1410
ol_informix1410_pri_ha onsoctcp ids_pri_ha ol_informix1410_ha s=6
ol_informix1410_sec_ha onsoctcp ids_sec_ha ol_informix1410_ha s=6
Where:
- ol_informix1410_pri_ha is a DBSERVERALIAS and HA_ALIAS in the onconfig of the primary, and ol_informix1410_sec_ha is a DBSERVERALIAS and HA_ALIAS in the onconfig of the secondary.
- ids_pri_ha/ids_sec_ha are the hostnames of the primary and secondary servers for HA traffic.
- ol_informix1410_ha is the port for HA traffic in /etc/services on both servers.
- s=6 denotes a secure trusted cluster connection. This connection can only be used for cluster communication (i.e. not client traffic).
Create the file $INFORMIXDIR/etc/trusted-hosts (you may want to copy this from hosts.equiv or hosts.allow if you were using these previously, but it must include the hostname used for HA in the sqlhosts file above). The file must be owned by informix:informix with permissions 640. The file name is then set in the onconfig parameter REMOTE_SERVER_CFG:
REMOTE_SERVER_CFG trusted-hosts
S6_USE_REMOTE_SERVER_CFG 1
S6_USE_REMOTE_SERVER_CFG 1 ensures the REMOTE_SERVER_CFG file is the one consulted for secure (s=6) cluster connections. You will need to do the above on both the primary and secondary servers (each one obviously listing the opposite server as a trusted host).
The above locks things down at the connection level. To encrypt HDR traffic, the following onconfig parameters will need to be set:
ENCRYPT_HDR 1
ENCRYPT_CIPHERS all
ENCRYPT_MAC medium
ENCRYPT_MACFILE <path to mac.dat file>
ENCRYPT_SWITCH 30,30
Where:
- ENCRYPT_HDR enables (1) or disables (0) HDR encryption
- ENCRYPT_CIPHERS specifies the ciphers and modes to use for encryption
- ENCRYPT_MAC controls the level of message authentication code (MAC) generation
- ENCRYPT_MACFILE specifies a list of the full path names of MAC key files
- ENCRYPT_SWITCH specifies the number of minutes between automatic re-negotiations of ciphers (first parameter) and keys (second parameter)
IDS ships with a MAC key generator that can be used to create the MAC file:
GenMacKey -o $INFORMIXDIR/etc/mac.dat
Again, these changes must be completed on both the primary and secondary server. All parameters must match on both servers, although the MAC file can be in a different location (but the contents must be the same).
Restarting the database server pair should show the following messages in the online log:
06:20:07 DR: ENCRYPT_HDR is 1 (HDR encryption Enabled)
06:20:07 Trusted host cache successfully built:/opt/IBM/IDS_1410_FC3DE/etc/trusted-hosts.
onstat -g dri should also show ENCRYPT_HDR 1, and onstat -g glo should report a running crypto VP:
Individual virtual processors:
 vp    pid     class    usercpu   syscpu   total   Thread   Eff
 1     1622    cpu      6.60      8.68     15.28   26.48    57%
 2     1623    adm      0.00      0.66     0.66    0.00     0%
 3     1624    lio      0.00      0.11     0.11    0.11     100%
 4     1625    pio      0.00      0.10     0.10    0.10     100%
 5     1626    aio      0.00      0.25     0.25    2.96     8%
 6     1627    msc      0.02      0.06     0.08    0.21     38%
 7     1628    fifo     0.04      0.06     0.10    0.10     100%
 8     1629    crypto   0.05      0.12     0.17    0.17     100%
 9     1630    soc      0.27      0.68     0.95    NA       NA
 10    1631    soc      0.16      0.79     0.95    NA       NA
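As an added example (not code from the article or from IBM), the following Python script audits the settings walked through above: it parses the onconfig of both servers, the sqlhosts file and the trusted-hosts file, and reports any drift that would leave the HA connection untrusted or unencrypted. The sample file contents, hostnames and aliases are constructed for the demonstration; the ENCRYPT_MACFILE path is deliberately not compared, since the article notes it may differ between servers.

```python
def parse_onconfig(text):
    """onconfig: one 'PARAM value' per line; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg

def parse_sqlhosts(text):
    """sqlhosts: dbservername nettype hostname servicename [options]; a leading '*' on the host means all interfaces."""
    entries = {}
    for fields in (l.split() for l in text.splitlines()):
        if len(fields) >= 4 and not fields[0].startswith("#"):
            entries[fields[0]] = {"host": fields[2].lstrip("*"), "options": fields[4:]}
    return entries

def audit_pair(pri_onconfig, sec_onconfig, sqlhosts, trusted_hosts):
    """Return findings; an empty list means the pair is consistently configured."""
    findings = []
    pri, sec = parse_onconfig(pri_onconfig), parse_onconfig(sec_onconfig)
    hosts = parse_sqlhosts(sqlhosts)
    trusted = {l.split()[0] for l in trusted_hosts.splitlines() if l.split()}
    for name, cfg in (("primary", pri), ("secondary", sec)):
        if cfg.get("ENCRYPT_HDR") != "1":
            findings.append(f"{name}: ENCRYPT_HDR is not 1, HDR traffic would be unencrypted")
        if cfg.get("S6_USE_REMOTE_SERVER_CFG") != "1" or not cfg.get("REMOTE_SERVER_CFG"):
            findings.append(f"{name}: s=6 connections are not bound to REMOTE_SERVER_CFG")
        ha = hosts.get(cfg.get("HA_ALIAS", ""))
        if ha is None:
            findings.append(f"{name}: HA_ALIAS has no sqlhosts entry")
        else:
            if "s=6" not in ha["options"]:
                findings.append(f"{name}: HA alias lacks the s=6 option")
            if ha["host"] not in trusted:
                findings.append(f"{name}: HA host {ha['host']} is missing from trusted-hosts")
    # These must match on both servers; ENCRYPT_MACFILE is excluded because its path may differ.
    for p in ("ENCRYPT_HDR", "ENCRYPT_CIPHERS", "ENCRYPT_MAC", "ENCRYPT_SWITCH"):
        if pri.get(p) != sec.get(p):
            findings.append(f"{p} differs: primary={pri.get(p)} secondary={sec.get(p)}")
    return findings

# Constructed sample files (not from real servers): the secondary has drifted to ENCRYPT_MAC off.
SQLHOSTS = ("ol_informix1410_pri_ha onsoctcp ids_pri_ha ol_informix1410_ha s=6\n"
            "ol_informix1410_sec_ha onsoctcp ids_sec_ha ol_informix1410_ha s=6\n")
TRUSTED = "ids_pri_ha\nids_sec_ha\n"
COMMON = ("REMOTE_SERVER_CFG trusted-hosts\nS6_USE_REMOTE_SERVER_CFG 1\n"
          "ENCRYPT_HDR 1\nENCRYPT_CIPHERS all\nENCRYPT_SWITCH 30,30\n")
PRI = COMMON + "HA_ALIAS ol_informix1410_pri_ha\nENCRYPT_MAC medium\n"
SEC = COMMON + "HA_ALIAS ol_informix1410_sec_ha\nENCRYPT_MAC off\n"
```

Running audit_pair(PRI, SEC, SQLHOSTS, TRUSTED) on the sample data reports only the ENCRYPT_MAC mismatch; point it at the real files on both servers to catch the same drift before a restart.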
Caveats
You will need to have the IBM Global Security Kit (gskit) installed; version 8.0.55.9 was released with IDS 14.10.XC3. Encryption will have some minor CPU overhead, which can be tuned with ENCRYPT_MAC. The above example only secures an HDR pair; other methods of replication can be encrypted with the ENCRYPT_SMX and ENCRYPT_CDR onconfig parameters. While we have used the identifiers _pri and _sec in the host and Informix server names above to aid clarity, in a real-world scenario this may not be good practice should the server roles be swapped or otherwise changed.
Conclusion
Encrypting cluster communications enhances security at the often overlooked inter-database communication level. When combined with EAR, encrypted backups and suitable client/server encryption, this can help secure your data from unwanted prying.
Disclaimer
Suggestions above are provided “as is” without warranty of any kind, either express or implied, including without limitation any implied warranties of condition, uninterrupted use, merchantability, fitness for a particular purpose, or non-infringement.