Connecting to TLS-enabled IBM Spectrum Symphony and TLS-disabled IBM Spectrum Symphony clusters

A workload placement enabled client configured for the IBM® Spectrum Symphony multicluster feature can connect to secure (TLS-enabled) or not secure (TLS-disabled) IBM Spectrum Symphony multicluster clusters, or both, simultaneously.

Note: For multicluster scenarios that use secure TLS communication between the SD (session director) SOAP server and the SD SOAP client, when you join a cluster into that multicluster environment, ensure that no secure TLS connections between the SD SOAP server and the SD SOAP client are open during the join.

Example scenarios

To establish connections to TLS-enabled or TLS-disabled IBM Spectrum Symphony clusters, you set multicluster connections, which can include inbound and outbound connections on the applicable cluster (primary, member, or client cluster). Depending on the business scenario, you configure any or all of these clusters: edit the smcp.xml file on multicluster member clusters, or edit the ego.conf file on the IBM Spectrum Symphony client. You do not need to edit configuration on the multicluster primary cluster.

The configuration steps needed to set up your connections also depend on your business scenario. Multicluster connections are described from the point of view of the multicluster member cluster in relation to the multicluster primary cluster: the member cluster either initiates connections to the primary cluster (inbound) or waits for connections coming from the primary cluster (outbound). The following scenarios are common examples of a multicluster primary cluster connected to two multicluster member clusters (member cluster 1 and member cluster 2), with the configuration steps required for each scenario.

Scenario 1
In scenario 1, the TLS and multicluster connections are as follows:
  • TLS communication is enabled between VEMKD and the VEMKD client for member cluster 1.
  • TLS communication is disabled for the multicluster primary cluster and for member cluster 2.
  • You want member cluster 1 to use outbound connections from the multicluster primary cluster to the multicluster member cluster.
  • You want member cluster 2 to use inbound connections from the member cluster to the primary cluster. Note that the default setting is inbound multicluster connections, so there are no configuration steps needed to set inbound connections for member cluster 2.
To connect TLS-enabled IBM Spectrum Symphony and TLS-disabled IBM Spectrum Symphony clusters for scenario 1:
  1. Enable multicluster outbound connections for member cluster 1:
    1. On member cluster 1, edit the smcp.xml file and set the SMC_PROXY_INBOUND_CONNECTION environment variable to Y:
      <ego:EnvironmentVariable name="SMC_PROXY_INBOUND_CONNECTION">Y</ego:EnvironmentVariable>
    2. On the multicluster primary cluster, run the smcadmin cluster add command to add cluster 1's VEMKD information (the VEMKD daemon runs on this primary host):
      smcadmin cluster add -c member_cluster_cluster_name -m member_cluster_primary_list -p member_cluster_VEMKD_TS_port -s security_parameters
      For example:
      smcadmin cluster add -c membercluster1 -m primary.example.com -p 42345 -s "SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/path/to/cacert.pem,CAFILE_WIN=C:\path\to\cacert.pem]"
    3. Restart member cluster 1.
  2. Enable connections on the multicluster enabled workload client:
    1. For the client to connect to the TLS-enabled member cluster 1, add the EGO_TRANSPORT_SECURITY, EGO_KD_TS_PORT, and EGO_CLIENT_TS_PARAMS environment variables to the client's ego.conf file:
      • Windows client: %SOAM_HOME%\conf\ego.conf
      • Linux® client: $SOAM_HOME/conf/ego.conf

      For the client to connect to the TLS-disabled member cluster 2, there is no need to add these environment variables to the file.

    2. Optionally set the SMC_MASTER_CLUSTER_URL environment variable in the multicluster enabled workload client, to point to the multicluster primary cluster. If used, this value must be set in the client environment prior to running the client or from the client API. Set the environment variable as follows:
      • Windows:
        set SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[security_parameters]||master_list://primary_host:primary_KD_TS_port"
        For example:
        set SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[CIPHER=AES256-GCM-SHA384,CAFILE_WIN=C:\path\to\cacert.pem]||master_list://primary.example.com:42345"
      • Linux:
        export SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[security_parameters]||master_list://primary_host:primary_KD_TS_port"
        For example:
        export SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/path/to/cacert.pem]||master_list://primary_host:42345"
Scenario 2
In scenario 2, the TLS and multicluster connections are as follows:
  • TLS communication is enabled between VEMKD and the VEMKD client for member cluster 1.
  • TLS communication between VEMKD and the VEMKD client is enabled for the multicluster primary.
    Remember: With TLS between VEMKD and the VEMKD client enabled on the primary cluster, synchronizing multicluster service packages does not work.
  • TLS communication is disabled for member cluster 2.
  • You want member cluster 1 to use outbound connections from the multicluster primary cluster to the multicluster member cluster.
  • You want member cluster 2 to use inbound connections from the member cluster to the primary cluster. Note that the default setting is inbound multicluster connections, so there are no configuration steps needed to set inbound connections for member cluster 2.
To connect TLS-enabled IBM Spectrum Symphony and TLS-disabled IBM Spectrum Symphony clusters for scenario 2:
  1. Enable multicluster outbound connections for member cluster 1:
    1. On member cluster 1, edit the smcp.xml file and set the SMC_PROXY_INBOUND_CONNECTION environment variable to Y:
      <ego:EnvironmentVariable name="SMC_PROXY_INBOUND_CONNECTION">Y</ego:EnvironmentVariable>
    2. On the multicluster primary cluster, run the smcadmin cluster add command to add cluster 1's VEMKD information (the VEMKD daemon runs on this primary host):
      smcadmin cluster add -c member_cluster_cluster_name -m member_cluster_primary_list -p member_cluster_VEMKD_TS_port -s security_parameters
      For example:
      smcadmin cluster add -c membercluster1 -m primary.example.com -p 42345 -s "SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/path/to/cacert.pem,CAFILE_WIN=C:\path\to\cacert.pem]"
    3. Restart member cluster 1.
  2. Enable multicluster inbound connections for member cluster 2:
    1. On member cluster 2, edit the smcp.xml file and set the SMC_KD_SSL_PARAMS environment variable to the TLS configuration. For example:
      <ego:EnvironmentVariable name="SMC_KD_SSL_PARAMS">SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/path/to/cacert.pem,CAFILE_WIN=C:\path\to\cacert.pem]</ego:EnvironmentVariable>
    2. Restart member cluster 2.
  3. Enable connections on the multicluster enabled workload client:
    1. For the client to connect to the TLS-enabled member cluster 1, add the EGO_TRANSPORT_SECURITY, EGO_KD_TS_PORT, and EGO_CLIENT_TS_PARAMS environment variables to the client's ego.conf file:
      • Windows client: %SOAM_HOME%\conf\ego.conf
      • Linux client: $SOAM_HOME/conf/ego.conf

      For the client to connect to the TLS-disabled member cluster 2, there is no need to add these environment variables to the file.

    2. Optionally set the SMC_MASTER_CLUSTER_URL environment variable in the multicluster enabled workload client, to point to the multicluster primary cluster. If used, this value must be set in the client environment prior to running the client or from the client API. Set the environment variable as follows:
      • Windows:
        set SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[security_parameters]||master_list://primary_host:primary_KD_TS_port"
        For example:
        set SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[CIPHER=AES256-GCM-SHA384,CAFILE_WIN=C:\path\to\cacert.pem]||master_list://primary.example.com:42345"
      • Linux:
        export SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[security_parameters]||master_list://primary_host:primary_KD_TS_port"
        For example:
        export SMC_MASTER_CLUSTER_URL="platcomm:TCPIPv4SSL+SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/path/to/cacert.pem]||master_list://primary_host:42345"
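The SMC_MASTER_CLUSTER_URL value (client step 2 in both scenarios) is easy to get wrong by hand, most often by leaving the SSL[...] block unclosed or by omitting the CA file, and a malformed value is only discovered when the client fails to reach the primary. The following Python linter is an added example, not part of the IBM Spectrum Symphony documentation or product; it assumes that the SSL[...] keys shown on this page (CIPHER, CAFILE, CAFILE_WIN) are the complete set and that the CA file is what the client uses to verify the primary cluster's certificate.

```python
import re

# Value shape from this page: platcomm:TCPIPv4SSL+SSL[KEY=VALUE,...]||master_list://host:port
_URL_RE = re.compile(
    r"^platcomm:TCPIPv4SSL\+SSL\[(?P<params>[^\]]*)\]"
    r"\|\|master_list://(?P<host>[^:/\s]+):(?P<port>\d{1,5})$"
)
KNOWN_KEYS = {"CIPHER", "CAFILE", "CAFILE_WIN"}  # assumption: the keys this page shows


def lint_master_cluster_url(url: str) -> list:
    """Return the problems found in url; an empty list means the value looks sound."""
    problems = []
    head = url.partition("||")[0]
    if "SSL[" in head and "]" not in head:
        # An unclosed SSL[ block swallows the ||master_list part, so nothing after it parses.
        return ["SSL[...] parameter block is not closed with ']'"]
    m = _URL_RE.match(url)
    if m is None:
        return ["value does not match platcomm:TCPIPv4SSL+SSL[...]||master_list://host:port"]
    params = {}
    for item in filter(None, m.group("params").split(",")):
        key, eq, value = item.partition("=")
        if not eq or not value:
            problems.append(f"SSL parameter {item!r} is not KEY=VALUE")
        elif key not in KNOWN_KEYS:
            problems.append(f"unexpected SSL parameter {key!r}")
        else:
            params[key] = value
    if not 1 <= int(m.group("port")) <= 65535:
        problems.append(f"port {m.group('port')} is out of range")
    if "CIPHER" not in params:
        problems.append("CIPHER is missing")
    if "CAFILE" not in params and "CAFILE_WIN" not in params:
        # Without a CA file the client has nothing to verify the primary's certificate against.
        problems.append("neither CAFILE nor CAFILE_WIN is set")
    return problems


def parse_master_cluster_url(url: str) -> dict:
    """Split a lint-clean value into host, port and SSL parameters; raise if lint finds problems."""
    problems = lint_master_cluster_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    m = _URL_RE.match(url)
    ssl = dict(item.split("=", 1) for item in m.group("params").split(","))
    return {"host": m.group("host"), "port": int(m.group("port")), "ssl": ssl}
```

Run lint_master_cluster_url on the exact string you intend to export or set; the Windows path form with backslashes is accepted as-is.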