TLS Support on Linux
Linux clients connecting to z/OS Daemons that run under IBM's Application Transparent TLS (AT-TLS) and service z/OS Change Data Capture now support the TLS handshake. TLS connections to Change Data Capture components running on AIX and Linux are not supported at this time.
The only external prerequisite for enabling TLS on Linux is the GnuTLS secure communications library, which implements the TLS, DTLS and SSL protocols and provides the C language API used by Connect CDC SQData on Linux. On RPM-based Linux distributions, YUM (Yellowdog Updater Modified) can be used to install GnuTLS. For more information regarding YUM or other package managers, see your Linux Systems Administrator.
Linux clients making TLS connections to z/OS will by default perform the "typical TLS handshake", in which the client uses the server's certificate to authenticate the server and then proceeds with the rest of the handshake. The specific changes to connection parameters are described below.
The following steps are all that are required on the client side to implement TLS on Linux for the "typical" client-side handshake performed by an Engine:
1. Request the new port number that was assigned to the z/OS Daemon.
2. Stop all running Connect CDC SQData Linux Engines; the local Daemon need not be stopped.
3. Update the Engine source DATASTORE URL to use the "cdcs://" URL syntax type, which specifies that a secure TLS connection is requested (changed from "cdc://" to "cdcs://").
4. Update the Engine source DATASTORE URL to use the TLS z/OS Daemon port. Note that the port number is typically supplied through a Parser parameter, so script changes may not be required.
5. Parse the Apply Jobs to create a new <engine>.prc file in the applicable directory.
6. Start the Connect CDC SQData Linux clients.
Notes:
1. If the SQDMON utility is used to connect to a remote z/OS Daemon running under IBM's AT-TLS, for example to request an "inventory" or to "display" the status of a publisher, the new --tls parameter must be specified:
Syntax:
sqdmon inventory //<host_name> [-s port_num | --service=port_num] [--identity=<path_to_nacl_id/nacl_id>] [--tls]
2. If SQDUTIL is used to connect to a remote Publisher running under IBM's AT-TLS, for example to copy or move CDC records to a file, the "cdcs://" URL syntax type must be specified:
Syntax:
sqdutil copy | move cdcs://<host_name>:<port_num>/<agent_name> <target_url> | DD:<dd_name>
3. If the GnuTLS library is not installed in a standard location on the default library path, the library will not be found. In that case, set the following environment variable to the full path and file name of libgnutls.so:
SQDATA_GNUTLS_LIBRARY=<path to>/libgnutls.so
4. Although uncommon, if yours is a mutual authentication (mutual auth) implementation, in which the server also authenticates the client, two additional environment variables must be used to identify the client certificate and key. The server will then use the client-side certificate to authenticate the client before proceeding with the rest of the handshake.
SQDATA_TLS_CERT=</directory/file_name>
SQDATA_TLS_KEY=</directory/file_name>
The Linux client will by default use the system-installed Certificate Authority (CA) store. If a local CA file is used instead, it must be specified using a third environment variable:
SQDATA_TLS_CA=</directory/file_name>
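The following shell script is an added example and is not part of the Connect CDC SQData product or its documentation. It ties together the procedure above (rewriting a source DATASTORE URL from "cdc://" to "cdcs://" with the TLS Daemon port) and the Notes (checking the SQDATA_GNUTLS_LIBRARY, SQDATA_TLS_CERT, SQDATA_TLS_KEY and SQDATA_TLS_CA variables before the Engines are restarted); the function names, the sample host "zoshost" and the port numbers are the example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the Connect CDC SQData documentation.
# to_tls_url rewrites an Engine source DATASTORE URL from cdc:// to cdcs://
# with the TLS Daemon port (steps 3 and 4); check_tls_env validates the
# SQDATA_* variables from the Notes before the Engines are restarted.

# to_tls_url <cdc_url> <tls_port>: cdc://host:port/agent -> cdcs://host:<tls_port>/agent
to_tls_url() {
    url=$1; tls_port=$2
    case "$url" in
        cdcs://*) printf '%s\n' "$url"; return 0 ;;            # already secure
        cdc://*)  ;;
        *) echo "to_tls_url: not a cdc:// URL: $url" >&2; return 1 ;;
    esac
    rest=${url#cdc://}            # host:port/agent
    hostport=${rest%%/*}          # host:port
    path=${rest#"$hostport"}      # /agent (empty if no agent given)
    printf 'cdcs://%s:%s%s\n' "${hostport%%:*}" "$tls_port" "$path"
}

# check_tls_env: returns 0 when the optional TLS variables are consistent,
# 1 otherwise, reporting each problem on stderr.
check_tls_env() {
    rc=0
    # Note 3: an explicit library path must point at an existing libgnutls.so
    if [ -n "${SQDATA_GNUTLS_LIBRARY:-}" ] && [ ! -f "$SQDATA_GNUTLS_LIBRARY" ]; then
        echo "SQDATA_GNUTLS_LIBRARY not found: $SQDATA_GNUTLS_LIBRARY" >&2; rc=1
    fi
    # Note 4: mutual authentication needs both the certificate and the key,
    # and the private key should not be readable by other users
    if [ -n "${SQDATA_TLS_CERT:-}" ] || [ -n "${SQDATA_TLS_KEY:-}" ]; then
        for v in SQDATA_TLS_CERT SQDATA_TLS_KEY; do
            eval "f=\${$v:-}"
            if [ -z "$f" ]; then
                echo "$v must be set together with its pair" >&2; rc=1
            elif [ ! -r "$f" ]; then
                echo "$v is not readable: $f" >&2; rc=1
            elif [ "$v" = SQDATA_TLS_KEY ] && [ -n "$(find "$f" -perm -004)" ]; then
                echo "SQDATA_TLS_KEY is world-readable: $f" >&2; rc=1
            fi
        done
    fi
    # Note 4: a local CA bundle, if given, must be readable
    if [ -n "${SQDATA_TLS_CA:-}" ] && [ ! -r "$SQDATA_TLS_CA" ]; then
        echo "SQDATA_TLS_CA is not readable: $SQDATA_TLS_CA" >&2; rc=1
    fi
    return "$rc"
}
```

Run check_tls_env from the same environment the Engines will start in, since the variables are read from the process environment; a non-zero return means the TLS setup would fail or expose the client key.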