Connecting to TLS-enabled IBM Spectrum Symphony and TLS-disabled IBM Spectrum Symphony clusters
A workload placement enabled client configured for the IBM® Spectrum Symphony multicluster feature can connect to secure (TLS-enabled) or not secure (TLS-disabled) IBM Spectrum Symphony multicluster clusters, or both, simultaneously.
Example scenarios
To establish connections to TLS-enabled or TLS-disabled IBM Spectrum Symphony clusters, you set up multicluster connections, which can be inbound or outbound connections on the applicable cluster (primary, member, or client cluster). Depending on the business scenario, you configure any or all of these clusters: edit the smcp.xml file on the multicluster member clusters, or edit the ego.conf file on the IBM Spectrum Symphony client. You do not need to edit configuration on the multicluster primary cluster.
The configuration steps needed to set up your connections also depend on your business scenario. Multicluster connections are described from the point of view of the multicluster member cluster: an inbound connection is one that the member cluster initiates to the multicluster primary cluster, and an outbound connection is one that the member cluster waits for the primary cluster to initiate. The following two scenarios show common configurations of a multicluster primary cluster with connections to two multicluster member clusters (member cluster 1 and member cluster 2), and the configuration steps required for each scenario.
Scenario 1
- TLS communication is enabled between VEMKD and the VEMKD client for member cluster 1.
- TLS communication is disabled for the multicluster primary cluster and for member cluster 2.
- You want member cluster 1 to use outbound connections, from the multicluster primary cluster to the multicluster member cluster.
- You want member cluster 2 to use inbound connections, from the member cluster to the primary cluster. Because inbound multicluster connections are the default, no configuration steps are needed to set inbound connections for member cluster 2.
- Enable multicluster outbound connections for member cluster 1:
  - On member cluster 1, edit the smcp.xml file and set the SMC_PROXY_INBOUND_CONNECTION environment variable to Y:
    <ego:EnvironmentVariable name="SMC_PROXY_INBOUND_CONNECTION">Y</ego:EnvironmentVariable>
  - On the multicluster primary cluster, run the smcadmin cluster add command to add member cluster 1's VEMKD information (the VEMKD daemon runs on that cluster's primary host):
    smcadmin cluster add -c member_cluster_cluster_name -m member_cluster_primary_list -p member_cluster_VEMKD_TS_port -s security_parameters
    For example:
    smcadmin cluster add -c membercluster1 -m primary.example.com -p 42345 -s "SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/path/to/cacert.pem,CAFILE_WIN=C:\path\to\cacert.pem]"
  - Restart member cluster 1.
- Enable connections on the multicluster enabled workload client:
  - For the client to connect to the TLS-enabled member cluster 1, add the EGO_TRANSPORT_SECURITY, EGO_KD_TS_PORT, and EGO_CLIENT_TS_PARAMS environment variables to the client's ego.conf file:
    - Windows client: %SOAM_HOME%\conf\ego.conf
    - Linux® client: $SOAM_HOME/conf/ego.conf
    For the client to connect to the TLS-disabled member cluster 2, you do not need to add these environment variables to the file.
  - Optionally, set the SMC_MASTER_CLUSTER_URL environment variable in the multicluster enabled workload client to point to the multicluster primary cluster. If used, this value must be set in the client environment before running the client, or set from the client API. Set the environment variable as follows:
    - Windows:
      set SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[security_parameters]||master_list://primary_host:primary_KD_TS_port"
      For example:
      set SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[CIPHER=AES256-GCM-SHA384,CAFILE_WIN=C:\path\to\cacert.pem]||master_list://primary.example.com:42345"
    - Linux:
      export SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[security_parameters]||master_list://primary_host:primary_KD_TS_port"
      For example:
      export SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/path/to/cacert.pem]||master_list://primary.example.com:42345"
Scenario 2
- TLS communication is enabled between VEMKD and the VEMKD client for member cluster 1.
- TLS communication between VEMKD and the VEMKD client is enabled for the multicluster primary. Remember: With TLS between VEMKD and the VEMKD client enabled on the primary cluster, synchronizing multicluster service packages will not work.
- TLS communication is disabled for member cluster 2.
- You want member cluster 1 to use outbound connections, from the multicluster primary cluster to the multicluster member cluster.
- You want member cluster 2 to use inbound connections, from the member cluster to the primary cluster. Because inbound multicluster connections are the default, no configuration steps are needed to set inbound connections for member cluster 2.
- Enable multicluster outbound connections for member cluster 1:
  - On member cluster 1, edit the smcp.xml file and set the SMC_PROXY_INBOUND_CONNECTION environment variable to Y:
    <ego:EnvironmentVariable name="SMC_PROXY_INBOUND_CONNECTION">Y</ego:EnvironmentVariable>
  - On the multicluster primary cluster, run the smcadmin cluster add command to add member cluster 1's VEMKD information (the VEMKD daemon runs on that cluster's primary host):
    smcadmin cluster add -c member_cluster_cluster_name -m member_cluster_primary_list -p member_cluster_VEMKD_TS_port -s security_parameters
    For example:
    smcadmin cluster add -c membercluster1 -m primary.example.com -p 42345 -s "SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/path/to/cacert.pem,CAFILE_WIN=C:\path\to\cacert.pem]"
  - Restart member cluster 1.
- Enable multicluster inbound connections for member cluster 2:
  - On member cluster 2, edit the smcp.xml file and set the SMC_KD_SSL_PARAMS environment variable with the TLS configuration. For example:
    <ego:EnvironmentVariable name="SMC_KD_SSL_PARAMS">SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/path/to/cacert.pem,CAFILE_WIN=C:\path\to\cacert.pem]</ego:EnvironmentVariable>
  - Restart member cluster 2.
- Enable connections on the multicluster enabled workload client:
  - For the client to connect to the TLS-enabled member cluster 1, add the EGO_TRANSPORT_SECURITY, EGO_KD_TS_PORT, and EGO_CLIENT_TS_PARAMS environment variables to the client's ego.conf file:
    - Windows client: %SOAM_HOME%\conf\ego.conf
    - Linux client: $SOAM_HOME/conf/ego.conf
    For the client to connect to the TLS-disabled member cluster 2, you do not need to add these environment variables to the file.
  - Optionally, set the SMC_MASTER_CLUSTER_URL environment variable in the multicluster enabled workload client to point to the multicluster primary cluster. If used, this value must be set in the client environment before running the client, or set from the client API. Set the environment variable as follows:
    - Windows:
      set SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[security_parameters]||master_list://primary_host:primary_KD_TS_port"
      For example:
      set SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[CIPHER=AES256-GCM-SHA384,CAFILE_WIN=C:\path\to\cacert.pem]||master_list://primary.example.com:42345"
    - Linux:
      export SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[security_parameters]||master_list://primary_host:primary_KD_TS_port"
      For example:
      export SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/path/to/cacert.pem]||master_list://primary.example.com:42345"
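The SMC_MASTER_CLUSTER_URL value and the SSL[...] security parameter string used in both scenarios are easy to get subtly wrong (an SSL[ without its closing bracket, or no CA file at all), and a bad value only shows up when the client fails to reach the primary. The validator below is an added example, not code from IBM or from the Symphony product; it assumes only the value shapes shown on this page, and it treats CAFILE/CAFILE_WIN as the CA certificate the client uses to verify the primary's certificate, which is an assumption about the product.

```python
import re

# Shape of SMC_MASTER_CLUSTER_URL as given on the page:
#   platcomm:TCPIPv4SSL+SSL[KEY=VALUE,...]||master_list://primary_host:primary_KD_TS_port
_URL_RE = re.compile(
    r"^platcomm:(?P<transport>[A-Za-z0-9]+)\+SSL\[(?P<params>[^\]]*)\]"
    r"\|\|master_list://(?P<host>[^:/\s]+):(?P<port>\d+)$"
)


def parse_ssl_params(spec):
    """Parse an 'SSL[CIPHER=...,CAFILE=...]' string (the form passed to
    'smcadmin cluster add -s' and set in SMC_KD_SSL_PARAMS) into a dict."""
    m = re.fullmatch(r"SSL\[(.*)\]", spec)
    if not m:
        raise ValueError("expected SSL[...] with a closing bracket: %r" % spec)
    params = {}
    for item in filter(None, m.group(1).split(",")):
        key, sep, value = item.partition("=")
        if not sep or not key.strip():
            raise ValueError("expected KEY=VALUE inside SSL[...], got %r" % item)
        params[key.strip()] = value.strip()  # Windows paths keep their backslashes
    return params


def check_master_cluster_url(url):
    """Validate an SMC_MASTER_CLUSTER_URL value before exporting it.
    Returns (ok, findings, parsed); parsed is None when the shape is wrong."""
    findings = []
    m = _URL_RE.match(url)
    if not m:
        # The most common slip: 'SSL[...' with no ']' before '||master_list'
        if "SSL[" in url and "]||" not in url:
            findings.append("SSL[...] is missing its closing ']' before '||master_list'")
        else:
            findings.append("not of the form platcomm:<transport>+SSL[...]||master_list://host:port")
        return False, findings, None
    ssl = parse_ssl_params("SSL[%s]" % m.group("params"))
    # Every example on the page supplies a CA file; assumed here to be what the
    # client verifies the primary's certificate against, so its absence is flagged.
    if "CAFILE" not in ssl and "CAFILE_WIN" not in ssl:
        findings.append("no CAFILE or CAFILE_WIN given for certificate verification")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        findings.append("port %d is out of range" % port)
    parsed = {"transport": m.group("transport"), "ssl": ssl,
              "host": m.group("host"), "port": port}
    return not findings, findings, parsed
```

Run check_master_cluster_url on the exact string you intend to set; on Windows pass it as a raw string so the backslashes in CAFILE_WIN survive.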