The security configuration for the Data Gate synchronization function fails
An error message indicates the failure of the security configuration for the synchronization function.
Symptoms
An error message similar to the following is displayed on the Cloud Pak for Data web interface:Unable to configure security for synchronization. Unable to test connection. Check your network connection, validate PKCS12 certificate.
Causes
During the configuration of a data source, Data Gate tests the connection to Db2 for z/OS, to the web user interface service, and to the Data Gate server service on Cloud Pak for Data. The connection test can be broken up into the following steps:
- The web user interface service on Cloud Pak for Data connects to Db2 for z/OS by a Java Database Connectivity (JDBC) SSL connection and calls a stored procedure.
-
The Db2 for z/OS stored procedure connects to the Data Gate server service on Cloud Pak for Data through an encrypted connection. This is a two-step process:
- The stored procedure sends a request to the Stunnel service on Cloud Pak for Data.
- The Stunnel service routes the request to the Data Gate server service on Cloud Pak for Data.
- The Data Gate server service sends a response to the stored procedure.
- The stored procedure passes the response to the web user interface service on Cloud Pak for Data.
A failure in any of these steps leads to the failure of the entire connection test. There might be various reasons for this.
Diagnosing the problem
The most likely reasons are listed here. Check each one of them to see if it applies:
- The inbound network connection to z/OS
is not configured correctly. For example, the host name, the port, or the IP address of the Data Gate instance might be wrong. For more
information about the configuration of inbound network connections, see Configuring inbound access to Db2 for z/OS for Data Gate.
Also make sure that you run the command F PAGENT,REFRESH to let changes to the configuration of the policy agent take effect.
- The outbound network connection from z/OS is not configured correctly. The PKCS12 certificate might be invalid, or the user might have
insufficient privileges. For more information about the configuration of outbound network
connections, see Encrypting outbound network traffic from Db2 for z/OS to Data Gate
The PKCS12 certificate is used by the Stunnel service on Cloud Pak for Data. Verify that the Stunnel service is working by running following command on the machine where Cloud Pak for Data is installed:
whereopenssl s_client -connect <hostname>:<port> -msg- <hostname>
- Is the host name you specified during the creation (provisioning) of the Data Gate instance.
- <port>
- Is the port number you specified during the creation (provisioning) of the Data Gate instance.
The expected output of this command is:
TLS 1.2 Handshake [length 00c3], ClientHello ... ... <<< TLS 1.2 Handshake [length 003d], ServerHello ... ... <<< TLS 1.2 Handshake [length 0631], Certificate ... ... <<< TLS 1.2 Handshake [length 014d], ServerKeyExchange ... ... <<< TLS 1.2 Handshake [length 0004], ServerHelloDone ... ... TLS 1.2 Handshake [length 0046], ClientKeyExchange ... ... TLS 1.2 ChangeCipherSpec [length 0001] 01 TLS 1.2 Handshake [length 0010], Finished ... ...
- The route is not configured correctly. To check this:
- Log in to the infrastructure node of Cloud Pak for Data.
- List the existing routes by running the following
command:
oc get route -n $PROJECT_CPD_INST_OPERANDS - Make sure there is only one record for a particular Data Gate instance. For example:
NAME HOST/PORT PATH SERVICES PORT TERMINATION dg1591202855434 dg.demo.os.ibm.com dg-1591202855434-data-gate-server-svc 11400 passthrough
The NAME contains the ID (that is, 1591202855434 in the above example) of the Data Gate instance. This ID is also shown in the URL on the web user interface when you open the Data Gate instance, for example:https://xxxxx/data-gate/#/details/dg-1591202855434 - Forwarding rule of load balancer is not configured correctly. You need to configure port
forwarding rules to redirect access from the specified port Data Gate instance specified to the
OpenShift route port(443). If you are using HAProxy, log in to the load balancer node and check the
HAProxy configure file
/etc/haproxy/haproxy.cfg. If you are using a load balancer other than HAProxy, see the documentation for your load balancer for information about how to configure it. - The setting for IP forwarding is incorrect. If the port of the Data Gate instance is 443 (the default value), you
need not configure IP forwarding (
net.ipv4.ip_forward)However, if the port of the Data Gate instance is not 443 (for example, the port might be 44443), check ifnet.ipv4.ip_forwardis set to1in the /etc/sysctl.conf file. To this end, display thenet.ipv4.ip_forwardsetting in sysctl.conf by running the following command:cat /etc/sysctl.conf | grep net.ipv4.ip_forwardA value of
1means that IP forwarding is enabled. A value of0means IP forwarding is disabled.Make sure that
net.ipv4.ip_forward = 1is set.
Resolving the problem
- If the inbound network connection to z/OS is not configured correctly, correct the configuration by following the steps in Configuring inbound access to Db2 for z/OS for Data Gate.
- If the outbound network connection from z/OS is not configured correctly, correct the configuration by following the steps in Encrypting outbound network traffic from Db2 for z/OS to Data Gate.
- If the route is not configured correctly, change the route setting for the Data Gate instance. The route is set during the creation of the instance (provisioning). So you need to delete the instance and provision a new one.
- If forwarding rule of the load balancer is not configured correctly, update your configuration using the step ("In the Port field, specify the network port that is used by the route.") in Creating a service instance for Data Gate from the web client.
- If port forwarding is disabled, run the following command to fix
this:
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf sysctl -p