Setting up IBM AD ZooKeeper to run in Mixed Mode
Before you begin, make sure to complete the instructions on the following pages:
- Requests that come over the non-authenticated channel.
- Requests that come over the encrypted channel.
The TLS protocol is a client/server cryptographic protocol. It is based on the earlier Secure Sockets Layer (SSL) specifications that were developed by Netscape Corporation for securing communications over Transmission Control Protocol/Internet Protocol (TCP/IP) sockets. The TLS and SSL protocols are designed to run at the application level; therefore, an application must be designed and coded to use TLS/SSL protection.
For more information, see the Communication using the Netty framework section of ZooKeeper Administrator's Guide.
In mixed mode, IBM AD ZooKeeper listens on two ports:
- 2181 - unencrypted mode.
- 2281 - encrypted mode (TLS enabled).
By default, the IBM AD ZooKeeper server is installed by the IBM Application Discovery application and runs in unencrypted mode. To configure IBM AD ZooKeeper as a server with TLS support, perform the steps described in the following section: Activate the IBM AD ZooKeeper Server to use certificates.
Activate the IBM AD ZooKeeper Server to use certificates
- Access IBM® Application Discovery Configuration Service from , go to the Dashboard tab, click the menu button of Configuration Server, and select Stop Service.
- Go to the <IBM ADDI Installation Folder>\IBM Application Discovery Configuration Service\conf folder, open the zoo.cfg file by using a text editor, then uncomment and enter the desired values for the following parameters.
Example:
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=<IBM ADDI Installation Folder>\\security\\<environment-id>\\server_keystore.p12
ssl.keyStore.password=password
ssl.trustStore.location=<IBM ADDI Installation Folder>\\security\\<environment-id>\\server_keystore.p12
ssl.trustStore.password=password
Note: You can enter an encrypted keystore password. For more information, see Obtaining an encrypted keystore password.
Where:
- secureClientPort - expects the port on which the secure channel communicates.
- serverCnxnFactory - for a successful authentication with TLS, do not modify the value of this parameter.
- ssl.keyStore.location - expects the location on disk where the keystore is stored.
- ssl.keyStore.password - expects the keystore's password.
- ssl.trustStore.location - expects the location on disk where the truststore is stored (in the example above, the same keystore file is used).
- ssl.trustStore.password - expects the truststore's password (in the example above, the keystore's password).
- Go to the <IBM ADDI Installation Folder>\IBM Application Discovery Configuration Service\conf folder, open the server.properties file with a text editor, then uncomment and fill in server.host with the common name specified in the server certificate.
- Once IBM AD Configuration Server is configured to run in mixed mode, make sure to block incoming traffic to port 2181 on the firewall, because the unencrypted channel stays open in mixed mode. For more information, see Block the incoming traffic for the non-authenticated port of IBM AD Zookeeper.
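The procedure above edits zoo.cfg by hand and then relies on a firewall rule to close the unencrypted port. The following script is an added example, not part of the IBM documentation or the IBM AD product: it parses a zoo.cfg in the Java properties format that ZooKeeper uses (key=value lines, # comments, backslash-escaped Windows paths) and reports whether the six TLS parameters from the example are present, whether serverCnxnFactory still points at the Netty factory, whether the keystore password is still the literal placeholder shown in the example, and whether clientPort (the unencrypted 2181 listener) is still configured, which is exactly the mixed-mode condition that the firewall step has to cover. The sample configuration embedded in the script is constructed for illustration; the path C:\ADDI and environment id env1 are assumptions.

```python
"""Audit a ZooKeeper zoo.cfg for the mixed-mode TLS settings (added example)."""
import sys
from pathlib import Path

# Constructed sample in the shape of the documentation's zoo.cfg example.
# Raw string: "\\" in the file is the Java-properties escape for one backslash.
SAMPLE_ZOO_CFG = r"""
# constructed sample zoo.cfg (paths and environment id are assumptions)
tickTime=2000
dataDir=C:\\zk\\data
clientPort=2181
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=C:\\ADDI\\security\\env1\\server_keystore.p12
ssl.keyStore.password=password
ssl.trustStore.location=C:\\ADDI\\security\\env1\\server_keystore.p12
ssl.trustStore.password=password
"""

REQUIRED_TLS_KEYS = (
    "secureClientPort",
    "serverCnxnFactory",
    "ssl.keyStore.location",
    "ssl.keyStore.password",
    "ssl.trustStore.location",
    "ssl.trustStore.password",
)
NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
PASSWORD_KEYS = ("ssl.keyStore.password", "ssl.trustStore.password")


def parse_properties(text: str) -> dict:
    """Minimal Java-properties parser: '#'/'!' comments, key=value, '\\\\' -> '\\'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # zoo.cfg only uses '='; other separators are ignored here
        # A doubled backslash in the file denotes a single literal backslash.
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def audit_zoo_cfg(props: dict, check_files: bool = False) -> list:
    """Return a list of findings; an empty list means the TLS-only shape is complete."""
    findings = []
    missing = [k for k in REQUIRED_TLS_KEYS if not props.get(k)]
    if missing:
        findings.append("missing TLS settings: " + ", ".join(missing))
    factory = props.get("serverCnxnFactory")
    if factory and factory != NETTY_FACTORY:
        findings.append(f"serverCnxnFactory must be {NETTY_FACTORY}, found {factory}")
    if props.get("secureClientPort") and props.get("secureClientPort") == props.get("clientPort"):
        findings.append("secureClientPort and clientPort are the same port")
    if props.get("clientPort"):
        # Mixed mode: the unencrypted listener is still configured, so the
        # firewall rule blocking inbound traffic to it is mandatory.
        findings.append(
            f"mixed mode: unencrypted clientPort {props['clientPort']} is still configured; "
            "block inbound traffic to it on the firewall"
        )
    if any(props.get(k) == "password" for k in PASSWORD_KEYS):
        findings.append("keystore/truststore password is still the documentation placeholder")
    if check_files:  # optional: confirm the keystore paths actually resolve on this host
        for k in ("ssl.keyStore.location", "ssl.trustStore.location"):
            loc = props.get(k)
            if loc and not Path(loc).is_file():
                findings.append(f"{k} does not point to an existing file: {loc}")
    return findings


def audit_file(path: str) -> list:
    """Audit a zoo.cfg on disk, verifying that the keystore files exist."""
    return audit_zoo_cfg(parse_properties(Path(path).read_text(encoding="utf-8")), check_files=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = audit_zoo_cfg(parse_properties(SAMPLE_ZOO_CFG))
    for finding in results or ["no findings"]:
        print(f"- {finding}")
```

Run it with the path to the real zoo.cfg (python audit_zoo_cfg.py "<IBM ADDI Installation Folder>\IBM Application Discovery Configuration Service\conf\zoo.cfg") after step 2; with no argument it audits the embedded sample, which reports the mixed-mode clientPort and the placeholder password. The file-existence check is only enabled for on-disk audits, because the constructed sample paths do not exist.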