Security in MACH11 environment:
Encrypting server to server communication in MACH11 cluster:
MACH11 cluster uses Server Multiplexer Group (SMX) communication protocol for communication between servers in MACH11 cluster.
Encryption for SMX communication can be enabled using onconfig parameter ENCRYPT_SMX. Here are the supported values for ENCRYPT_SMX.
| 0 | Off. Do not encrypt. Default option |
| 1 | On. Encrypt where possible. Encrypt where possible. Encrypt SMX transactions when the database server being connected to also supports encryption. |
| 2 | On. Always encrypt. Only connections to encrypted database servers are allowed. |
Encrypting HDR communication:
HDR uses half duplex protocol apart from SMX protocol for communication between primary and HDR secondary server. Encryption for this half duplex communication protocol can be enabled using onconfig parameter ENCRYPT_HDR. Its supported values are 0 – disable encryption (default), 1 – Enable encryption.
Optionally you can also set the following encryption onconfig parameters to control encryption:
- ENCRYPT_CIPHERS, which specifies the ciphers and modes to use for encryption
- ENCRYPT_MAC, which controls the level of message authentication code (MAC) generation
- ENCRYPT_MACFILE, which specifies a list of the full path names of MAC key files
- ENCRYPT_SWITCH, which specifies the number of minutes between automatic renegotiations of ciphers and keys
Connection manager password file:
Connection manager can be run in a non-trusted host environment as well. For this you need to create a password file and encrypt the password file using onpassword utility. Here is how it works:
Ø Create a plain text password file in the CM host machine.
Format for plain text password file : Server_name Alternate_alais user_name password
Server_name : MACH11 server name
Alternate_alais: Server name to be used if ‘Server_name’ can’t be used for CM connection
User_name : Usually informix on UNIX, and user name that belongs to informix admin group on windows platform
Password : password for the user
Here is the plain text password file for our example:
myprim myprim_a informix pass4prim
hdr hdr_a informix pass4hdr
sds1 sds1_a informix pass4sds
rss1 rss1_a informix pass4rss
Ø Now encrypt the password file like this:
Runas informix onpassword –k 123 –e plaintext_passfile
123 is the access key to encrypt the password file
Previous command encrypts the password file and writes it to $INFORMIXDIR/etc/passwd_file
Ø That’s it! Now CM uses encrypted passwd_file to get passwords for informix user to connect to nodes in MACH11 cluster.
Ø You can decrypt the password file using this command :
Runas informix onpassword –k 123 –d /work/CM/plaintext_passfile
123 is the access key used to encrypt the password file.
Ø Note : Encrypted password file cannot be copied from one platform to another !
Password protection for adding new RSS node to MACH11 cluster:
Adding a new RSS node can be controlled with password protection. Here is how it works:
For adding new RSS node to MACH11 cluster, first you need to register the RSS node name at primary server using the onmode command ‘onmode –d add RSS ’. At this time you can optionally specify password for the new RSS server being registered.
Example : runas informix onmode –d add RSS rss1 pass4rss
Now at RSS server environment, after physical restore of the database server, while changing the server type to RSS server using the onmode command ‘onmode –d RSS ’ you must specify the password created for this node at primary server.
Example : runas informix onmode –d RSS myprim pass4rss