Encrypting data traffic between HDR database servers

Before you begin

To support encrypted HDR connections in conjunction with Communication Support Module (CSM) client/server encryption, two network ports must be configured:
  • One network port must be configured for HDR.
  • The other network port must be configured for CSM client/server connections.

About this task

You can use HCL OneDB™ server encryption options to encrypt the data traffic between the database servers of an HDR pair. Do this when you want to ensure secure transmission of data.

After you enable encryption, the first database server in an HDR pair encrypts the data before sending it to the other server in the pair. The receiving server decrypts the data as soon as it arrives.

For updatable secondary servers in a high-availability cluster environment, encryption from the updatable secondary server to primary server requires SMX encryption. To encrypt data sent from an updatable secondary server to the primary server, set the ENCRYPT_SMX configuration parameter on the secondary server. See ENCRYPT_SMX configuration parameter for more information.
Restriction: You cannot start HDR on a network connection that is configured to use CSM encryption for client/server connections.

Additional buffers or larger buffers might be necessary to accommodate the size of encrypted data.

To encrypt data traffic between two HDR database servers:

Procedure

  1. Set the following configuration parameters on the first server in the HDR pair.
    • ENCRYPT_HDR, which enables or disables HDR encryption
    • ENCRYPT_CIPHERS, which specifies the ciphers and modes to use for encryption
    • ENCRYPT_MAC, which controls the level of message authentication code (MAC) generation
    • ENCRYPT_MACFILE, which specifies a list of the full path names of MAC key files
    • ENCRYPT_SWITCH, which specifies the number of minutes between automatic renegotiations of ciphers and keys

    To change these parameters, follow the instructions in Changing the configuration parameters for an HDR replication pair.

  2. Set the encryption configuration parameters on the secondary server.
    The ENCRYPT_HDR, ENCRYPT_CIPHERS, ENCRYPT_MAC, and the ENCRYPT_SWITCH configuration parameters must have the same values as the corresponding configuration parameters on the primary server. The ENCRYPT_MACFILE configuration parameter can have a different value on each server, but the files must contain the same MAC keys.

Example

For example, specify the following information about the primary and secondary servers in an HDR pair:
Configuration parameter   Sample setting on primary server      Sample setting on secondary server
ENCRYPT_HDR               1                                     1
ENCRYPT_CIPHERS           all                                   all
ENCRYPT_MAC               medium                                medium
ENCRYPT_MACFILE           /vobs/tristan/sqldist/etc/mac1.dat    /vobs/tristan/sqldist/etc/mac2.dat
ENCRYPT_SWITCH            60,60                                 60,60

In this example, the file name in the ENCRYPT_MACFILE path for the primary server is mac1.dat and the file name in the ENCRYPT_MACFILE path for the secondary server is mac2.dat. Otherwise, all settings are the same on both servers.
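The two rules above (the four shared parameters must match, ENCRYPT_MACFILE may differ but the key files must hold the same keys) are easy to get wrong when two onconfig files are edited by hand. The following POSIX shell script is an added example, not part of the HCL OneDB documentation or product: it reads the ENCRYPT_* values out of two onconfig files, flags any mismatch, and compares the checksums of the MAC key files instead of their paths. The onconfig fragments, directory layout, and key-file contents it creates are constructed sample data; the check function names are hypothetical.

```shell
#!/bin/sh
# Consistency check for HDR encryption parameters on an HDR pair (added example).

onconfig_value() {
    # Print the value of parameter $2 from onconfig file $1 (first match; '#' lines are skipped by awk since $1 never equals the parameter name).
    awk -v p="$2" '$1 == p { print $2; exit }' "$1"
}

macfile_digest() {
    # Checksum every file in a comma-separated ENCRYPT_MACFILE list, in order, so
    # the key material can be compared without comparing (or copying) paths.
    # The keyword "builtin" (not described on this page) names the server's
    # built-in key and has no file, so it is passed through verbatim.
    digest=""
    old_ifs=$IFS
    IFS=','
    for f in $1; do
        if [ "$f" = "builtin" ]; then
            sum=builtin
        elif [ -r "$f" ]; then
            sum=$(cksum < "$f" | cut -d' ' -f1)
        else
            sum="MISSING:$f"
        fi
        digest="$digest$sum;"
    done
    IFS=$old_ifs
    printf '%s\n' "$digest"
}

check_hdr_encrypt() {
    # Return 0 when the primary ($1) and secondary ($2) onconfig files agree
    # on HDR encryption, 1 otherwise. Every problem found is printed.
    primary=$1
    secondary=$2
    rc=0
    for p in ENCRYPT_HDR ENCRYPT_CIPHERS ENCRYPT_MAC ENCRYPT_SWITCH; do
        a=$(onconfig_value "$primary" "$p")
        b=$(onconfig_value "$secondary" "$p")
        if [ "$a" != "$b" ]; then
            echo "MISMATCH $p: primary='$a' secondary='$b'"
            rc=1
        fi
    done
    if [ "$(onconfig_value "$primary" ENCRYPT_HDR)" != "1" ]; then
        echo "ENCRYPT_HDR is not 1 on the primary: HDR traffic is not encrypted"
        rc=1
    fi
    da=$(macfile_digest "$(onconfig_value "$primary" ENCRYPT_MACFILE)")
    db=$(macfile_digest "$(onconfig_value "$secondary" ENCRYPT_MACFILE)")
    case "$da$db" in
        *MISSING:*) echo "ENCRYPT_MACFILE names an unreadable file: $da $db"; rc=1 ;;
    esac
    if [ "$da" != "$db" ]; then
        echo "MISMATCH ENCRYPT_MACFILE: key files differ ($da vs $db)"
        rc=1
    fi
    return $rc
}

# --- constructed sample data (hypothetical paths under a temp dir) ---
WORK=$(mktemp -d)
mkdir -p "$WORK/etc"
printf 'constructed-shared-mac-key-material\n' > "$WORK/etc/mac1.dat"
cp "$WORK/etc/mac1.dat" "$WORK/etc/mac2.dat"          # same keys, different file name
printf 'constructed-DIFFERENT-key-material\n' > "$WORK/etc/mac3.dat"

PRIMARY_CFG=$WORK/primary.onconfig
SECONDARY_CFG=$WORK/secondary.onconfig
BAD_CFG=$WORK/bad_secondary.onconfig

cat > "$PRIMARY_CFG" <<EOF
# constructed sample onconfig fragment (primary)
ENCRYPT_HDR 1
ENCRYPT_CIPHERS all
ENCRYPT_MAC medium
ENCRYPT_MACFILE $WORK/etc/mac1.dat
ENCRYPT_SWITCH 60,60
EOF

cat > "$SECONDARY_CFG" <<EOF
# constructed sample onconfig fragment (secondary): only the MACFILE name differs
ENCRYPT_HDR 1
ENCRYPT_CIPHERS all
ENCRYPT_MAC medium
ENCRYPT_MACFILE $WORK/etc/mac2.dat
ENCRYPT_SWITCH 60,60
EOF

cat > "$BAD_CFG" <<EOF
# constructed misconfigured secondary: MAC level and key material both differ
ENCRYPT_HDR 1
ENCRYPT_CIPHERS all
ENCRYPT_MAC high
ENCRYPT_MACFILE $WORK/etc/mac3.dat
ENCRYPT_SWITCH 60,60
EOF

echo "== good pair =="; check_hdr_encrypt "$PRIMARY_CFG" "$SECONDARY_CFG" && echo OK
echo "== bad pair ==";  if check_hdr_encrypt "$PRIMARY_CFG" "$BAD_CFG"; then echo OK; fi
```

In a real deployment the two onconfig files and the MAC key files live on different hosts, so run `onconfig_value` and `macfile_digest` on each server and compare the printed values rather than copying key files between machines; the checksum comparison is what catches a secondary whose mac2.dat was regenerated instead of copied from the primary.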

Only use these configuration parameters to specify encryption information for HDR. You cannot specify HDR encryption information by using the CSM option in the sqlhosts file.

HDR encryption works in conjunction with Enterprise Replication encryption and operates whether or not Enterprise Replication encryption is enabled. When both are in use, HDR and Enterprise Replication share the same ENCRYPT_CIPHERS, ENCRYPT_MAC, ENCRYPT_MACFILE, and ENCRYPT_SWITCH configuration parameters.

For more information about these configuration parameters, see the HCL OneDB Administrator's Reference.