Setting up IBM AD ZooKeeper to run in Mixed Mode
Before you begin, make sure to complete the instructions on the following pages:
- Requests that come on non-authenticated channel.
- Requests that come on encrypted channel.
The TLS protocol is a client or server cryptographic protocol. It is based on the earlier Secure Sockets Layer (SSL) specifications that are developed by Netscape Corporation for securing communications that use Transmission Control Protocol/Internet Protocol (TCP/IP) sockets. The TLS and SSL protocols are designed to run at the application level. Therefore, an application must be designed and coded to use TLS/SSL protection.
For more information, see the Communication using the Netty framework section of ZooKeeper Administrator's Guide.
- 2181 - unencrypted mode.
- 2281 - encrypted mode (TLS enabled).
By default, the IBM AD ZooKeeper server is installed by IBM Application Discovery application and runs in unencrypted mode. To configure IBM AD ZooKeeper as a server with TLS support, you need to perform the steps described in the following section: Activate the IBM AD ZooKeeper Server to use certificates.
Activate the IBM AD ZooKeeper Server to use certificates
- Access IBM® Application Discovery Configuration Service from , go to the Dashboard tab, click the menu button of Configuration Server, and select Stop Service.
- Go to the <IBM ADDI Installation Folder>\IBM Application Discovery
Configuration Service\conf folder, open the zoo.cfg file by using a
text editor, uncomment and enter the desired values for the following parameters.
secureClientPort=2281 serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory ssl.keyStore.location=<IBM ADDI Installation Folder>\\security\\<environment-id>\\server_keystore.p12 ssl.keyStore.password=password ssl.trustStore.location=<IBM ADDI Installation Folder>\\security\\<environment-id>\\server_keystore.p12 ssl.trustStore.password=passwordNote: You can enter an encrypted Keystore Password. For more information, see Obtaining an encrypted keystore password.Where:
secureClientPort- expects the port on which the secure channel communicates.
serverCnxnFactory- for a successful authentication with TLS do not modify the value of this parameter.
ssl.keyStore.location- expects the location on disk where the keystore was stored.
ssl.keyStore.password- expects the keystore's password.
ssl.trustStore.location- expects the location on disk where the keystore was stored.
ssl.trustStore.password- expects the keystore's password.
- Go to the <IBM ADDI Installation Folder>\IBM Application Discovery Configuration Service\conf folder, open the server.properties file with a text editor, uncomment and fill in server.host with the common name specified in the key certificate.
- Once IBM AD Configuration Server is configured to run in mixed mode, make sure to block the 2181 port on the Firewall for the incoming traffic. For more information, see Block the incoming traffic for the non-authenticated port of IBM AD Zookeeper.