Enabling encryption channel between IBM AD Build Client and IBM AD ZooKeeper

Before you begin, make sure to complete the instructions on the following pages:

For earlier versions, the communication between IBM AD Build Client and IBM AD ZooKeeper is an unencrypted socket session. Beginning with IBM AD V6.0.0 interim fix 1, you can configure IBM AD Build Client to use a Transport Layer Security (TLS) connection.
Note: Starting from version 6.1.2, when IBM AD Build Client is installed together with other AD components, enabling security from the Dashboard automatically configures security for IBM AD Build Client as well. If IBM AD Build Client is installed on its own, configure it manually by following the instructions in this topic.

TLS is a client/server cryptographic protocol. It is based on the earlier Secure Sockets Layer (SSL) specifications developed by Netscape Corporation for securing communications over Transmission Control Protocol/Internet Protocol (TCP/IP) sockets. TLS and SSL run at the application level, so an application must typically be designed and coded to use TLS/SSL protection.

By default, the IBM AD Build Client runs in unencrypted mode. To configure IBM AD Build Client with TLS support, you need to perform the steps described in the following section: Activate the IBM AD ZooKeeper Server to use certificates.

Activate IBM AD Build Client to use certificates

  1. Make sure that IBM AD ZooKeeper is configured as a server with TLS support. For more information, see the Securing Apache ZooKeeper SSL connections section.
  2. On the machine where IBM AD Build Client is installed, go to <IBM ADDI Installation Folder>/IBM Application Discovery Build Client/Bin/Release and make sure that the zoo.ini file is present. If it is not, copy zoo.ini from /Release/Samples into the /Release folder. Open zoo.ini in a text editor and enter the values for the parameters that are detailed below. Example:
    [SSL/TLS]
    ;SSL/TLS initialization parameters for Zookeeper
    ;Allowed values to enable secure communication: y or Y (case insensitive). Anything else means disable secure communication.
    zoo_enable_secure_communication=y
    zoo_secure_port=2281

    ;Settings for IBM Build Client & Configuration:
    ;Fully qualified file name for the 'zookeeper' server certificate, E.g.: 'C:\Securitycerts\certZoo\9.20.128.30\zoo.cer'
    zoo_server_certificate=<IBM ADDI Installation Folder>\security\<environment-id>\server_certificate.crt
    ;Fully qualified file name for the 'zookeeper' client certificate, in .pem format, E.g.: 'C:\Securitycerts\tmp\cliCert.pem'
    zoo_client_certificate=<IBM ADDI Installation Folder>\security\<environment-id>\server_certificate.crt
    ;Fully qualified file name for the 'zookeeper' client private key, in .pem format, E.g.: 'C:\Securitycerts\tmp\key.pem'
    zoo_client_privateKey=<IBM ADDI Installation Folder>\security\<environment-id>\server.key
    ;Pass phrase asked when generating the private key:
    zoo_client_privateKeyPwd=password

    ;Settings for java compilers:
    zoo_java_client_keystore=<IBM ADDI Installation Folder>\\security\\<environment-id>\\server_keystore.p12
    zoo_java_client_keystorePwd=password
    zoo_java_client_truststore=<IBM ADDI Installation Folder>\\security\\<environment-id>\\server_keystore.p12
    zoo_java_client_truststorePwd=password

    ;end of [SSL/TLS] section
    Detailed information about IBM Build Client & Configuration settings
    • zoo_enable_secure_communication - set to y or Y to enable the TLS connection; any other value disables secure communication.
    • zoo_secure_port - expects the port number that was assigned to IBM AD ZooKeeper. Default: 2281.
    • zoo_server_certificate - expects the fully qualified file name of the ZooKeeper server certificate.
    • zoo_client_certificate - expects the fully qualified file name of server_certificate.crt or client_certificate.crt.
    • zoo_client_privateKey - expects the fully qualified file name of server.key or client.key.
    • zoo_client_privateKeyPwd - expects the pass phrase that was chosen when server.key was generated or exported. If the key file is not password-protected, leave the value unchanged.
    Detailed information about Java compiler settings
    Important:

    Make sure that the server_keystore.p12 file is physically present on the machine where IBM® AD Build Client is installed and configured. You can use the server_keystore.p12 file that was generated for IBM AD ZooKeeper if both IBM AD Build Client and IBM AD ZooKeeper are installed on the same machine. For more information, see Activate the IBM AD ZooKeeper Server to use certificates.

    • zoo_java_client_keystore - expects the fully qualified file name of the keystore.
    • zoo_java_client_keystorePwd - expects the keystore's password.
    • zoo_java_client_truststore - expects the fully qualified file name of the truststore.
    • zoo_java_client_truststorePwd - expects the truststore's password.
  3. Access Start Menu, type regedit, and then select Registry Editor from the results to open it.
  4. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\IBM AD\ApplicationDiscovery.
  5. Edit the value of CCS_IP so that it matches the common name (CN) specified in the certificate.
  6. Start IBM AD Build Client.
    Note: If you select the Open Project option, the list of projects from the server machine should be available.
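As an added example (not part of the IBM documentation), the following Python check parses a zoo.ini [SSL/TLS] section like the one above and reports the misconfigurations this topic warns about: a value other than y/Y silently leaving TLS disabled, an invalid secure port, placeholder paths left in place, and certificate or keystore files that are not physically present on the Build Client machine. The sample content and its paths are constructed, and file_exists is injectable so the check runs without real files.

```python
import configparser
import os

# Constructed sample modelled on the page's [SSL/TLS] section (paths are made up).
SAMPLE_ZOO_INI = """[SSL/TLS]
;SSL/TLS initialization parameters for Zookeeper
zoo_enable_secure_communication=y
zoo_secure_port=2281
zoo_server_certificate=C:\\ADDI\\security\\env1\\server_certificate.crt
zoo_client_certificate=C:\\ADDI\\security\\env1\\server_certificate.crt
zoo_client_privateKey=C:\\ADDI\\security\\env1\\server.key
zoo_client_privateKeyPwd=password
zoo_java_client_keystore=C:\\ADDI\\security\\env1\\server_keystore.p12
zoo_java_client_keystorePwd=password
zoo_java_client_truststore=C:\\ADDI\\security\\env1\\server_keystore.p12
zoo_java_client_truststorePwd=password
"""

# Every setting that must point at a file present on the Build Client machine.
FILE_KEYS = ("zoo_server_certificate", "zoo_client_certificate", "zoo_client_privateKey",
             "zoo_java_client_keystore", "zoo_java_client_truststore")


def parse_zoo_ini(text):
    """Parse zoo.ini text: ';' starts a comment, keys keep their exact case."""
    cp = configparser.ConfigParser(comment_prefixes=(";",), interpolation=None)
    cp.optionxform = str  # keep camelCase names such as zoo_client_privateKey
    cp.read_string(text)
    return cp


def check_tls_settings(text, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means the section is consistent."""
    cp = parse_zoo_ini(text)
    if not cp.has_section("SSL/TLS"):
        return ["no [SSL/TLS] section: Build Client stays in unencrypted mode"]
    sec, findings = cp["SSL/TLS"], []
    # Only y or Y enables TLS; any other value silently disables it.
    if sec.get("zoo_enable_secure_communication", "").strip().lower() != "y":
        findings.append("zoo_enable_secure_communication is not y/Y: TLS is disabled")
    port = sec.get("zoo_secure_port", "").strip()
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"zoo_secure_port {port!r} is not a valid TCP port")
    for key in FILE_KEYS:
        path = sec.get(key, "").strip()
        if not path or "<" in path:  # '<IBM ADDI Installation Folder>' left in place
            findings.append(f"{key} is empty or still holds a placeholder")
        elif not file_exists(path):
            findings.append(f"{key}: file not found: {path}")
    return findings
```

Run it against the real zoo.ini with the default file_exists to confirm every referenced certificate, key and keystore is present before starting IBM AD Build Client.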