Sample security configuration
This topic provides example configurations using typical security settings where all daemons share one certificate. With the following configurations, IBM® Spectrum Conductor uses TLSv1.2.
In the ego.conf file on the primary and management hosts
In the ego.conf file on the primary and management hosts, add the SSL security settings as follows:
EGO_TRANSPORT_SECURITY=SSL
EGO_KD_TS_PORT=32779 (define port number here)
EGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=/etc/.../newcert.pem,CIPHER=ADH-DES-CBC3-SHA,PRIVATE_KEY=/etc/.../newkey.pem]"
EGO_CLIENT_TS_PARAMS="SSL[CIPHER=ADH-DES-CBC3-SHA]"
This example uses the default cipher, ADH-DES-CBC3-SHA, which is an anonymous Diffie-Hellman suite. When the default cipher is used, the client does not ask for the peer server's certificate for authentication, so the CAFILE and SERVER_AUTH subparameters are not used and are not supported. Because neither side is authenticated, the default cipher encrypts the connection but does not prove the identity of the server the client is talking to. If you use a non-default cipher, also specify the CAFILE and SERVER_AUTH subparameters in the EGO_CLIENT_TS_PARAMS setting. For example:
EGO_CLIENT_TS_PARAMS="SSL[CIPHER=ADH-DES-CBC3-SHA,CAFILE=/home/.../cacert.pem,SERVER_AUTH={myCN}]"
In the egosc_conf.xml file on the primary and management hosts
In the egosc_conf.xml file on the primary and management hosts, add the SSL security settings as follows:
<ESC_TS_PARAM>$EGO_KD_TS_PARAMS</ESC_TS_PARAM>
In the ego.conf file on client hosts
In the ego.conf file on client hosts, add the SSL security settings as follows:
</gro_replace_placeholder_never_emitted>
EGO_TRANSPORT_SECURITY=SSL
EGO_KD_TS_PORT=32779 (user has to define port number here)
EGO_CLIENT_TS_PARAMS="SSL[CIPHER=ADH-DES-CBC3-SHA]"
This example uses the default cipher. When the default cipher is used, the client does not ask for the peer server's certificate for authentication, so the CAFILE and SERVER_AUTH subparameters are not used and are not supported. If you use a non-default cipher, also specify the CAFILE and SERVER_AUTH subparameters in the EGO_CLIENT_TS_PARAMS setting. For example:
EGO_CLIENT_TS_PARAMS="SSL[CIPHER=ADH-DES-CBC3-SHA,CAFILE=/home/.../cacert.pem,SERVER_AUTH={myCN}]"
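The rule stated for both the primary/management hosts and the client hosts above (default cipher: no CAFILE or SERVER_AUTH; any other cipher: both required) can be checked mechanically before the daemons are restarted. The following is an added example written for this page, not IBM's own tooling; the ego.conf sample it reads is constructed, and the file paths and the AES256-SHA cipher in it are placeholders.

```python
import re

# Constructed sample in the ego.conf KEY=value format shown on this page (paths are placeholders).
SAMPLE_EGO_CONF = """
EGO_TRANSPORT_SECURITY=SSL
EGO_KD_TS_PORT=32779
EGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=/etc/ego/newcert.pem,CIPHER=ADH-DES-CBC3-SHA,PRIVATE_KEY=/etc/ego/newkey.pem]"
EGO_CLIENT_TS_PARAMS="SSL[CIPHER=AES256-SHA,CAFILE=/etc/ego/cacert.pem,SERVER_AUTH={myCN}]"
"""

DEFAULT_CIPHER = "ADH-DES-CBC3-SHA"  # the default cipher used in the page's examples


def parse_ego_conf(text):
    """Return {KEY: value} for KEY=value lines, with surrounding quotes removed."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def parse_ts_params(value):
    """Split 'SSL[K=V,K=V,...]' into ('SSL', {K: V}); commas inside {...} do not split."""
    m = re.fullmatch(r"\s*(\w+)\[(.*)\]\s*", value)
    if not m:
        raise ValueError(f"not a TS_PARAMS value: {value!r}")
    transport, body = m.group(1), m.group(2)
    params, buf, depth = {}, "", 0
    for ch in body + ",":  # trailing comma flushes the last K=V pair
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            if buf.strip():
                k, _, v = buf.partition("=")
                params[k.strip()] = v.strip()
            buf = ""
        else:
            buf += ch
    return transport, params


def check_client_ts_params(value):
    """Findings for EGO_CLIENT_TS_PARAMS under the page's rule; an empty list means consistent."""
    transport, p = parse_ts_params(value)
    findings = [] if transport == "SSL" else [f"unexpected transport {transport}"]
    cipher = p.get("CIPHER")
    if cipher is None:
        findings.append("CIPHER missing")
    elif cipher == DEFAULT_CIPHER:  # anonymous suite: server certificate is never verified
        findings.append("default cipher: server certificate is not verified")
        findings += [f"{s} is not supported with the default cipher" for s in ("CAFILE", "SERVER_AUTH") if s in p]
    else:
        findings += [f"non-default cipher {cipher} requires {s}" for s in ("CAFILE", "SERVER_AUTH") if s not in p]
    return findings
```

Run `check_client_ts_params(parse_ego_conf(open("ego.conf").read())["EGO_CLIENT_TS_PARAMS"])` against a real file; the same parser also reads EGO_DEFAULT_TS_PARAMS so the CERTIFICATE and PRIVATE_KEY paths can be checked for existence.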