Configuring secure ports for connections between replication servers
If database servers in your Enterprise Replication environment are on a network that is not trusted, you can configure secure ports and an encrypted password file to enable secure connections.
Procedure
To configure a secure port for replication:
1. In the sqlhosts file on each server, create a group entry with two connections for the local server:
   - Create one connection entry without the s=6 option to configure local communication with utilities, such as the cdr utility and Connection Managers.
   - Create one connection entry with the s=6 option to configure communication between servers.
   In the following example, the value of the DBSERVERNAME configuration parameter is serv1:
       #dbservername  nettype   hostname    servicename  options
       serv1          ontlitcp  ny.usa.com  ertest1      g=g_serv1
       g_serv1        group     -           -            i=143
       serv1_s6       ontlitcp  ny.usa.com  ertest10     g=g_serv1,s=6
   Note: Do not use the cdr autoconfig serv command if you configure secure ports. sqlhosts file entries must be added manually if any entries include the s=6 option.
2. In the sqlhosts file on each server's host, add entries for each of the other servers in the domain. Use the server names that are associated with the s=6 options.
3. Create a trusted-host file that includes the host names of the other replication servers in the domain, each on a separate line. You can manually create the trusted-host file in $INFORMIXDIR/etc, and then set the REMOTE_SERVER_CFG configuration parameter to the name of the trusted-host file. Alternatively, you can run the admin() or task() function with the cdr add trustedhost argument to set a replication server's REMOTE_SERVER_CFG configuration parameter and add entries to the server's trusted-host file. If the replication server is part of a high-availability cluster, running the admin() or task() function with the cdr add trustedhost argument propagates trusted-host entries to the other database servers in the cluster.
   Note: You cannot use the hosts.equiv trusted-host file when you configure secure ports.
   The following example trusted-host file has entries for three hosts, and specifies both host names and domain names:
       #hostname
       tokyo.japan.com
       tokyo
       rome.italy.com
       rome
       perth.australia.com
       perth
   A database server on a listed host connects to the local database server instance through the sqlhosts file entry with the s=6 option.
4. Set the S6_USE_REMOTE_SERVER_CFG configuration parameter to 1 in the onconfig file.
5. Using a text editor, create and save a password file. The password file includes the host name, alternative server name, user ID, and password for each server and the server group.
   For example, if the user ID for server serv1 is informix, the alias for the database server that uses a secure port is serv1_s6, and the password is informix_pw, use the following password file entries:
       serv1_s6  serv1  informix  informix_pw
       g_serv1   serv1  informix  informix_pw
6. Encrypt the password file by running the onpassword utility.
   For example, if you named the text file in step 5 $INFORMIXDIR/etc/server_passwords, and you wanted the file encrypted with a key called access_key, use the following command:
       onpassword -k access_key -e $INFORMIXDIR/etc/server_passwords
   The encrypted file is saved as $INFORMIXDIR/etc/passwd_file.
   Important: To prevent unauthorized access to the server passwords, remove the unencrypted password file, $INFORMIXDIR/etc/server_passwords, after you create the encrypted file.
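As an added example that is not part of the IBM documentation, the following POSIX shell script checks a finished configuration against the steps above: every s=6 sqlhosts entry belongs to a defined group, every remote secure host is listed in the trusted-host file, S6_USE_REMOTE_SERVER_CFG is 1, and the unencrypted password file is gone. The file contents, host names and paths are constructed samples; the group and trusted-host checks generalize to any number of servers.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): checks a finished secure-port
# setup against the steps above. Sample files are constructed in a temp dir;
# point the four variables at $INFORMIXDIR/etc to check a real installation.
WORK=$(mktemp -d)
SQLHOSTS="$WORK/sqlhosts"; TRUSTED="$WORK/trusted_hosts"
ONCONFIG="$WORK/onconfig"; PLAIN="$WORK/server_passwords"
cat > "$SQLHOSTS" <<'EOF'
#dbservername  nettype   hostname          servicename  options
serv1          ontlitcp  ny.usa.com        ertest1      g=g_serv1
g_serv1        group     -                 -            i=143
serv1_s6       ontlitcp  ny.usa.com        ertest10     g=g_serv1,s=6
serv2_s6       ontlitcp  tokyo.japan.com   ertest20     g=g_serv2,s=6
serv3_s6       ontlitcp  rome.italy.com    ertest30     s=6
EOF
printf '#hostname\ntokyo.japan.com\ntokyo\n' > "$TRUSTED"
printf 'S6_USE_REMOTE_SERVER_CFG 1\nREMOTE_SERVER_CFG trusted_hosts\n' > "$ONCONFIG"

# Print each s=6 server whose g= option names no "group" entry (step 1 requires
# every secure entry to belong to a group). Empty output means all are grouped.
unmatched_s6_groups() {
    awk '!/^#/ && NF >= 5 {
        if ($2 == "group") groups[$1] = 1
        if ($5 ~ /(^|,)s=6(,|$)/) {
            g = ""
            if (match($5, /(^|,)g=[^,]+/)) { g = substr($5, RSTART, RLENGTH); sub(/^,?g=/, "", g) }
            secure[$1] = g
        }
    } END { for (s in secure) if (!(secure[s] in groups)) print s }' "$1" | sort
}

# Print each remote s=6 host that the trusted-host file (step 3) does not list;
# such a server cannot connect once replication starts. $3 is the local host name.
untrusted_s6_hosts() {
    awk 'FNR == NR { if (!/^#/ && NF) trusted[$1] = 1; next }
         !/^#/ && NF >= 5 && $5 ~ /(^|,)s=6(,|$)/ && $3 != self && !($3 in trusted) { print $3 }' \
        "$2" self="$3" "$1" | sort -u
}

# Return 0 when S6_USE_REMOTE_SERVER_CFG is 1 in the onconfig file (step 4).
s6_remote_cfg_enabled() {
    awk '$1 == "S6_USE_REMOTE_SERVER_CFG" { on = ($2 == 1) } END { exit (on ? 0 : 1) }' "$1"
}

# Return 0 when the unencrypted password file from step 5 has been removed (step 6).
plaintext_passwords_removed() { [ ! -e "$1" ]; }

unmatched_s6_groups "$SQLHOSTS"                        # prints serv2_s6 and serv3_s6
untrusted_s6_hosts "$SQLHOSTS" "$TRUSTED" ny.usa.com   # prints rome.italy.com
```

Run it on the real files before starting replication, since the s=6 connections themselves cannot be tested until replication is running.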
What to do next
If you do not configure a password file, you must run the cdr utility on the local computer, for example:
    cdr list server --connect=serv1
Because secure ports can be used only for replication communication, you cannot test the connections until you start replication.