Enabling encryption channel between IBM AD Analyze Client and IBM AD ZooKeeper

Before you begin:

  • Make sure that a Java™ Runtime Environment is installed on your machine and that the JAVA_HOME variable is defined in the Environment variables. For more information, see the Java Runtime Environment section.
  • Make sure that you obtain a signed certificate from a certificate authority (CA) and that you have its root certificate.
    Note: If you don't want to use a CA-signed certificate, you can use a self-signed certificate instead. For more information, see (Optional) Generate a self-signed key certificate.

TLS is a client/server cryptographic protocol. It is based on the earlier Secure Sockets Layer (SSL) specifications that were developed by Netscape Corporation for securing communications that use Transmission Control Protocol/Internet Protocol (TCP/IP) sockets. The TLS and SSL protocols are designed to run at the application level, so an application typically must be designed and coded to use TLS/SSL protection.

By default, the IBM AD Analyze Client runs in unencrypted mode. To configure IBM AD Analyze Client with TLS support, you need to perform the following steps:
  1. Make sure that HTTPS is configured on the Security Page.
  2. Edit the eclipse.ini configuration file and add the following lines, in the -vmargs section. Avoid blank lines in the -vmargs section. Example:
    -Dzookeeper.client.secure=true
    -Dzookeeper.ssl.keyStore.location=<IBM ADDI Installation Folder>\security\<environment-id>\server_keystore.p12
    -Dzookeeper.ssl.keyStore.password=password
    -Dzookeeper.ssl.trustStore.location=<IBM ADDI Installation Folder>\security\<environment-id>\server_keystore.p12
    -Dzookeeper.ssl.trustStore.password=password
    
    Important:
    • Make sure that the server_keystore.p12 file is physically present on the machine where IBM® AD Analyze Client is installed and configured. You can use the same server_keystore.p12 file that was generated for IBM AD ZooKeeper if both IBM AD Analyze Client and IBM AD ZooKeeper are installed on the same machine. For more information, see Prepare a keystore for IBM AD Zookeeper.

    • You can enter an encrypted Keystore Password. For more information, see Obtaining an encrypted keystore password.
    Where:
    • -Dzookeeper.client.secure - set to true to enable the TLS connection.
    • -Dzookeeper.ssl.keyStore.location - expects the location on disk where the keystore is stored.
    • -Dzookeeper.ssl.keyStore.password - expects the keystore's password.
    • -Dzookeeper.ssl.trustStore.location - expects the location on disk of the file that is used as the truststore. In the example above, this is the same server_keystore.p12 file as the keystore.
    • -Dzookeeper.ssl.trustStore.password - expects the password of the file that is used as the truststore. In the example above, this is the keystore's password.
  3. Start IBM AD Analyze Client.
  4. Go to IBM AD Analyze Client and select Window > Preferences > Application Discovery > Environment settings and enter the following information:
    • Host - type the hostname or the IP address of the machine where IBM AD ZooKeeper is installed. This value needs to match the common name specified in the certificate.
    • Port - type 2281, the port number that IBM AD ZooKeeper uses to communicate over TLS.
    • Unique id - type the unique id assigned by IBM AD Configuration Server to the current environment.
    • Name - type the name of current environment, as defined in IBM AD Configuration Server.
  5. Click Apply and Close and restart IBM AD Analyze Client.
  6. When IBM AD Analyze Client starts, the list of the mainframe projects is empty. To have the list of mainframe projects available, it is necessary to use the Get project list contextual-menu option by right-clicking in the Explore projects view.
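
A quick way to check the eclipse.ini edits from step 2 before starting the client. This is an added example, not IBM code: it verifies that the five properties are present after -vmargs, that the section contains no blank lines, and that the placeholder value "password" was replaced. The function name, the sample paths and the sample password values are assumptions constructed for illustration.

```python
import os

REQUIRED = ("zookeeper.client.secure",
            "zookeeper.ssl.keyStore.location", "zookeeper.ssl.keyStore.password",
            "zookeeper.ssl.trustStore.location", "zookeeper.ssl.trustStore.password")

def check_eclipse_ini(text, check_files=False):
    """Return a list of problems found in the -vmargs section of eclipse.ini."""
    lines = [line.strip() for line in text.splitlines()]
    if "-vmargs" not in lines:
        return ["no -vmargs section found"]
    vmargs = lines[lines.index("-vmargs") + 1:]
    problems = []
    if "" in vmargs:
        problems.append("blank line inside the -vmargs section")
    props = {}
    for line in vmargs:
        if line.startswith("-D") and "=" in line:
            key, value = line[2:].split("=", 1)
            props[key] = value
    for key in REQUIRED:
        value = props.get(key, "")
        if not value:
            problems.append("missing or empty -D" + key)
        elif key.endswith(".secure") and value.lower() != "true":
            problems.append("-D" + key + " is not set to true")
        elif key.endswith(".password") and value == "password":
            problems.append("-D" + key + " still holds the example value")
        elif key.endswith(".location") and check_files and not os.path.isfile(value):
            problems.append("-D" + key + " points to a file that does not exist")
    return problems

# Constructed sample input: paths and password values are made up.
STORE = r"C:\IBM ADDI\security\env1\server_keystore.p12"
GOOD_INI = "\n".join([
    "-startup", "plugins/launcher.jar", "-vmargs", "-Xmx1024m",
    "-Dzookeeper.client.secure=true",
    "-Dzookeeper.ssl.keyStore.location=" + STORE,
    "-Dzookeeper.ssl.keyStore.password=constructed-secret",
    "-Dzookeeper.ssl.trustStore.location=" + STORE,
    "-Dzookeeper.ssl.trustStore.password=constructed-secret"])
BAD_INI = "\n".join([
    "-vmargs", "-Dzookeeper.client.secure=true", "",
    "-Dzookeeper.ssl.keyStore.location=" + STORE,
    "-Dzookeeper.ssl.keyStore.password=password",
    "-Dzookeeper.ssl.trustStore.location=" + STORE])

if __name__ == "__main__":
    print(check_eclipse_ini(GOOD_INI))
    for problem in check_eclipse_ini(BAD_INI):
        print(problem)
```

Pass check_files=True when running it on the machine where IBM AD Analyze Client is installed, so that a keystore file that is not physically present is also reported.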