Encrypting data traffic between HDR database servers

To support encrypted HDR connections in conjunction with Communication Support Module (CSM) client/server encryption, two network ports must be configured:
  • One network port must be configured for HDR.
  • The other network port must be configured for CSM client/server connections.
Note: Support for the Communication Support Module (CSM) is removed starting with Informix Server 14.10.xC9. Use Transport Layer Security (TLS)/Secure Sockets Layer (SSL) instead.

You can use Informix® server encryption options to encrypt the data traffic between the database servers of an HDR pair. Do this when you want to ensure secure transmission of data.

After you enable encryption, the primary database server in the HDR pair encrypts the data before sending it to the secondary server, and the secondary server decrypts the data as soon as it receives it.

For updatable secondary servers in a high-availability cluster environment, encrypting the traffic from the updatable secondary server back to the primary server requires SMX encryption. To encrypt data sent from an updatable secondary server to the primary server, set the ENCRYPT_SMX configuration parameter on the secondary server. See ENCRYPT_SMX configuration parameter for more information.
Restriction: You cannot start HDR on a network connection that is configured to use CSM encryption for client/server connections.

Additional buffers or larger buffers might be necessary to accommodate the size of encrypted data.

To encrypt data traffic between two HDR database servers:

  1. Set the following configuration parameters on the primary server in the HDR pair.
    • ENCRYPT_HDR, which enables or disables HDR encryption
    • ENCRYPT_CIPHERS, which specifies the ciphers and modes to use for encryption
    • ENCRYPT_MAC, which controls the level of message authentication code (MAC) generation
    • ENCRYPT_MACFILE, which specifies a list of the full path names of MAC key files
    • ENCRYPT_SWITCH, which specifies the number of minutes between automatic renegotiations of ciphers and keys

    To change these parameters, follow the instructions in Changing the configuration parameters for an HDR replication pair.

  2. Set the encryption configuration parameters on the secondary server.
    The ENCRYPT_HDR, ENCRYPT_CIPHERS, ENCRYPT_MAC, and ENCRYPT_SWITCH configuration parameters must have the same values as the corresponding configuration parameters on the primary server. The ENCRYPT_MACFILE configuration parameter can list different file paths on each server, but the files must contain the same MAC keys.
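Because a mismatch in any of the four shared parameters, or a MAC key file that differs between the servers, prevents the encrypted HDR connection from working, it is worth checking both onconfig files before starting HDR. The following shell script is an added example, not part of this documentation or of the Informix product: it reads the primary and secondary onconfig files and enforces the rule from step 2. It assumes the onconfig `NAME VALUE` line format, that ENCRYPT_MACFILE is a comma-separated list of full path names in which the keyword builtin may appear, and that the directory layout, file names and parameter values in the demo are constructed placeholders.

```shell
#!/bin/sh
# hdr_encrypt_check.sh -- added example, not IBM's code.
# Checks the HDR encryption consistency rule for an HDR pair:
#   ENCRYPT_HDR, ENCRYPT_CIPHERS, ENCRYPT_MAC, ENCRYPT_SWITCH must be equal;
#   ENCRYPT_MACFILE may list different paths, but the files must hold the same keys.
# Assumption: onconfig lines are "NAME VALUE" with '#' comments.

# Print the value of parameter $2 from onconfig file $1 (empty if unset).
get_param() {
    awk -v p="$2" '$1 == p { print $2; exit }' "$1"
}

# Parameters that must be identical on both servers. Returns 0 if all match.
check_pair() {   # $1 = primary onconfig, $2 = secondary onconfig
    rc=0
    for p in ENCRYPT_HDR ENCRYPT_CIPHERS ENCRYPT_MAC ENCRYPT_SWITCH; do
        a=$(get_param "$1" "$p"); b=$(get_param "$2" "$p")
        if [ "$a" != "$b" ]; then
            echo "mismatch $p: primary='$a' secondary='$b'" >&2; rc=1
        fi
    done
    return $rc
}

# MAC key files: compare the i-th entry of each list. Paths may differ, but the
# file contents must be identical; the keyword builtin must appear on both sides.
check_macfiles() {   # $1 = primary onconfig, $2 = secondary onconfig
    pri=$(get_param "$1" ENCRYPT_MACFILE); sec=$(get_param "$2" ENCRYPT_MACFILE)
    n=$(printf '%s' "$pri" | awk -F, '{ print NF }')
    m=$(printf '%s' "$sec" | awk -F, '{ print NF }')
    if [ -z "$pri" ] || [ -z "$sec" ] || [ "$n" -ne "$m" ]; then
        echo "ENCRYPT_MACFILE lists differ in length ('$pri' vs '$sec')" >&2; return 1
    fi
    rc=0; i=1
    while [ "$i" -le "$n" ]; do
        fp=$(printf '%s' "$pri" | cut -d, -f"$i")
        fs=$(printf '%s' "$sec" | cut -d, -f"$i")
        if [ "$fp" = builtin ] || [ "$fs" = builtin ]; then
            [ "$fp" = "$fs" ] || { echo "entry $i: builtin on one side only" >&2; rc=1; }
        elif ! cmp -s "$fp" "$fs"; then
            echo "MAC key file $i differs: $fp vs $fs" >&2; rc=1
        fi
        i=$((i + 1))
    done
    return $rc
}

# Constructed demo pair in a temp dir: same key material under different paths.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/pri" "$d/sec"
    printf 'placeholder MAC key material (constructed)\n' > "$d/pri/mac1.key"
    cp "$d/pri/mac1.key" "$d/sec/mac1.key"      # different path, same key
    cat > "$d/onconfig.pri" <<EOF
# primary onconfig fragment (constructed, values illustrative)
ENCRYPT_HDR      1
ENCRYPT_CIPHERS  allbut:<ecb>
ENCRYPT_MAC      medium
ENCRYPT_MACFILE  $d/pri/mac1.key,builtin
ENCRYPT_SWITCH   60,60
EOF
    sed "s#$d/pri/#$d/sec/#" "$d/onconfig.pri" > "$d/onconfig.sec"
    echo "$d"
}

# A secondary whose ENCRYPT_MAC level drifted from the primary's.
make_drifted_secondary() {   # $1 = demo dir; prints the path of the bad onconfig
    sed 's/^ENCRYPT_MAC[[:space:]].*/ENCRYPT_MAC      high/' "$1/onconfig.sec" > "$1/onconfig.bad"
    echo "$1/onconfig.bad"
}

DEMO=$(make_demo)
if check_pair "$DEMO/onconfig.pri" "$DEMO/onconfig.sec" \
   && check_macfiles "$DEMO/onconfig.pri" "$DEMO/onconfig.sec"; then
    echo "pair is consistent: HDR encryption can be started"
fi
BAD=$(make_drifted_secondary "$DEMO")
check_pair "$DEMO/onconfig.pri" "$BAD" || echo "drift detected: fix ENCRYPT_MAC before starting HDR"
```

Run it on the real files by calling `check_pair` and `check_macfiles` with the two onconfig paths; the MAC key comparison needs both files readable from the host running the script (copy the secondary's key files over a secure channel first, or compare checksums taken on each host).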