Encrypted HDR connections keep your data secure.
Technologies such as storage encryption and SSL client/server encryption are helping to make our data safer and are becoming standard security requirements; however, encryption between database servers and replication routes often falls between the cracks.
You’ve enabled Encryption At Rest, encrypted your backups and client connections; you know your data is safe on disk and between the database and client applications, but data is being transferred between your primary and secondary unencrypted. Thankfully, since version 11.10, Informix Dynamic Server (IDS) has had the ability to encrypt traffic over HDR and SMX communication channels.
In this article, we will demonstrate how to set up a secure, encrypted HDR connection.
On a busy HDR pair, we would recommend running HDR traffic over a dedicated trusted connection of its own in your sqlhosts file. This would look something like the following:
- ol_informix1410_pri_ha is a DBSERVERALIAS and HA_ALIAS in the onconfig of the primary, and ol_informix1410_sec_ha is a DBSERVERALIAS and HA_ALIAS in the onconfig of the secondary.
- ids_pri_ha/ids_sec_ha are the hostnames of the primary and secondary servers for HA traffic.
- ol_informix1410_ha is the port for HA traffic in /etc/services on both servers.
- s=6 denotes a secure trusted cluster connection. This connection can only be used for cluster communication (i.e. not client traffic).
Create file $INFORMIXDIR/etc/trusted-hosts (you may want to copy this from hosts.equiv or hosts.allow if using these previously, but it must include the hostname used for HA in the sqlhosts file above). The file must have informix:informix and 640 ownership and permissions. This file should be added to the onconfig parameter REMOTE_SERVER_CFG:
S6_USE_REMOTE_SERVER_CFG 1 ensures this parameter is used for secure cluster connections. You will need to do the above for both primary and secondary servers (obviously including the opposite server as a trusted connection).
The above locks things down at the connection level. To encrypt HDR traffic, the following onconfig parameters will need to be set:
- ENCRYPT_HDR enables (1) or disables (0) HDR encryption
- ENCRYPT_CIPHERS specifies the ciphers and modes to use for encryption
- ENCRYPT_MAC controls the level of message authentication code (MAC) generation
- ENCRYPT_MACFILE specifies a list of the full path names of MAC key files
- ENCRYPT_SWITCH specifies the number of minutes between automatic re-negotiations of ciphers (first parameter) and keys (second parameter)
IDS ships with a MAC key generator that can be used to create the MAC file:
Again, these changes must be completed on both the primary and secondary server. All parameters must match on both servers, although the MAC file can be in a different location (but the contents must be the same).
Restarting the database server pair should show the following messages in the online log:
onstat -g dri should also slow
ENCRYPT_HDR 1, and
onstat -g glo report a running crypto VP:
You will need to have the IBM Global Security Kit (gskit) installed; version 184.108.40.206 was released with IDS 14.10.XC3. Encryption will have some minor CPU overhead, this can be tuned with ENCRYPT_MAC. The above example only secures an HDR pair, other methods of replication can be encrypted with the ENCRYPT_SMX and ENCRYPT_CDR onconfig parameters. While we have used the identifiers _pri and _sec in the host and Informix server names above to aid clarification, in a real world scenario this may not be good practice should the server roles be swapped or otherwise changed.
Encrypting cluster communications enhances security at the often overlooked inter-database communication level. When combined with EAR, encrypted backups and suitable client/server encryption, this can help secure your data from unwanted prying.
Suggestions above are provided “as is” without warranty of any kind, either express or implied, including without limitation any implied warranties of condition, uninterrupted use, merchantability, fitness for a particular purpose, or non-infringement.
If you have any questions regarding encrypted HDR or would like to find out more, simply contact us.