Encrypting data traffic between HDR database servers
- One network port must be configured for HDR.
- The other network port must be configured for CSM client/server connections.
You can use Informix® server encryption options to encrypt the data traffic between the database servers of an HDR pair. Do this when you want to ensure secure transmission of data.
After you enable encryption, the first database server in an HDR pair encrypts the data before sending the data to the other server in the pair. The server that receives the data, decrypts the data as soon as it receives the data.
Additional buffers or larger buffers might be necessary to accommodate the size of encrypted data.
To encrypt data traffic between two HDR database servers:
Configuration parameter | Sample setting on primary server | Sample setting on secondary server |
---|---|---|
ENCRYPT_HDR | 1 |
1 |
ENCRYPT_CIPHERS | all |
all |
ENCRYPT_MAC | medium |
medium |
ENCRYPT_MACFILE | /vobs/tristan/sqldist/etc/mac1.dat |
vobs/tristan/sqldist/etc/mac2.dat |
ENCRYPT_SWITCH | 60,60 |
60,60 |
In this example, the file name in the ENCRYPT_MACFILE path for the primary server is mac1.dat and the file name in the ENCRYPT_MACFILE path for the secondary server is mac2.dat. Otherwise, all settings are the same on both servers.
Only use these configuration parameters to specify encryption information for HDR. You cannot specify HDR encryption information by using the CSM option in the sqlhosts file.
HDR encryption works in conjunction with Enterprise Replication encryption and operates whether Enterprise Replication encryption is enabled or not. When working in conjunction with each other, HDR and Enterprise Replication share the same ENCRYPT_CIPHER, ENCRYPT_MAC, ENCRYPT_MACFILE and ENCRYPT_SWITCH configuration parameters.
For more information about these configuration parameters, see the IBM® Informix Administrator's Reference.