SSL parameters

SSL parameters for IBM® Spectrum Conductor include the following EGO parameters.

To configure SSL for individual connections between the EGO client and EGO, edit the ego.conf file on the management and client hosts as well as the egosc_conf.xml file on the EGO Service Controller host.

ego.conf parameters
This section details the configurable parameters of the ego.conf file. The SSL parameters in the ego.conf file must be configured for the VEMKD daemon, the client, or both, as noted for each parameter.
  • EGO_TRANSPORT_SECURITY: (daemon and client) Enables or disables the transport security feature.
  • EGO_DEFAULT_TS_PARAMS: (daemon only) Defines SSL subparameters that apply to every daemon and container in the cluster. If no subparameters are defined, SSL uses anonymous DH as the cipher. You can then define daemon-specific parameters that override these default parameters. For a list of applicable subparameters, see Sub-parameters for the ego.conf file.
  • EGO_KD_TS_PORT: (daemon and client) Specifies the SSL port number of VEMKD.
  • EGO_KD_TS_PARAMS: (daemon only) Specifies SSL parameters specific to VEMKD. For a list of applicable subparameters, see Sub-parameters for the ego.conf file.
  • EGO_CLIENT_TS_PARAMS: (client only) Specifies SSL parameters specific to the client. For a list of applicable subparameters, see Sub-parameters for the ego.conf file.
ego.conf subparameters

EGO_DEFAULT_TS_PARAMS, EGO_KD_TS_PARAMS, and EGO_CLIENT_TS_PARAMS contain the following configurable subparameters:

  • CERTIFICATE: (daemon only) Specifies the location of the certificate file. Certificate files with the PEM file format are supported. For information about generating certificates using openssl, see http://www.openssl.org/docs/apps/openssl.html. For testing purposes, IBM Spectrum Conductor provides a self-signed server certificate user.pem, which is at /opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security/.
  • CIPHER: (daemon and client) Specifies the cipher list to use by SSL. The client and server will negotiate the cipher list and select the first shared one.

    CBC ciphers are known to be vulnerable to SSLv3 POODLE attacks. However, because IBM Spectrum Conductor uses the TLSv1.2 protocol, you can safely use CBC ciphers. The default cipher is ADH-DES-CBC3-SHA.

  • CAFILE: (client only) Specifies the location of the Certification Authority (CA) certificate. The client reads this file and trusts the CA within the file. This parameter is used in cases where there is only one certificate file. For testing purposes, IBM Spectrum Conductor provides a self-signed CA certificate cacert.pem, which is at /opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security/.
    Note: The built-in certificate is installed with IBM Spectrum Conductor only on management hosts. If you enable SSL for system daemons and want to run a client on compute hosts or a client outside the cluster, you must copy the cacert.pem certificate to your client host and configure the ego.conf file on the local host.
  • PRIVATE_KEY: (daemon only) Specifies the location of the private key file. The private key of the default self-signed certificate is user.key.

    Note that IBM Spectrum Conductor system daemons do not support encrypted private keys.

  • SERVER_AUTH: (client only) Defines whether the client must authenticate the server and how.

    Syntax: SERVER_AUTH=NONE|HOST|{string}name{string}...

    where:
    • NONE: Indicates that the client does not verify the server certificate. This is the default value. To ensure that the client verifies the server's certificate, set SERVER_AUTH to any value other than NONE.
    • HOST: Specifies a per-host certificate. The client checks the connected host name against the subject CN (common name) in the certificate.
    • {string}name{string}...: Use this format to enable certificate verification on a per cluster, daemon, or application basis.

      The name can be either a name of a daemon (such as VEMKD) or an application (such as SampleTest). The string is the subject CN in the certificate. The first {string} is the default value for daemons or applications whose names are not defined here.

    Note: All IBM Spectrum Conductor daemons have reserved names. A Spark instance group cannot have the same name as an IBM Spectrum Conductor daemon; for example, you cannot define a Spark instance group with the name vemkd.
    For example:
    • SERVER_AUTH={Platform EGO}
      Only the default is provided. All daemons share the same certificate, whose subject CN is Platform EGO.
    • SERVER_AUTH=vemkd{Platform vemkd}egosc{Platform Service Controller}
      A value is provided for each daemon. The client checks the VEMKD certificate against Platform vemkd and the EGOSC certificate against Platform Service Controller.
    • SERVER_AUTH={Platform EGO}SampleTest{Sample Test}
      Both the default and a name-value pair are provided. The client checks the SampleTest certificate against Sample Test and every other daemon certificate against the default, Platform EGO.
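To make the SERVER_AUTH resolution rules concrete, here is an added example (not IBM's code) that parses a SERVER_AUTH value using the syntax above and resolves which subject CN the client must see for a given daemon; it assumes daemon names are matched case-insensitively (the page writes both VEMKD and vemkd) and that a name with no entry and no default fails closed.

```python
import re

# Matches one "{string}" or "name{string}" unit of the SERVER_AUTH value.
_UNIT = re.compile(r"([^{}]*)\{([^{}]*)\}")


def parse_server_auth(value):
    """Parse SERVER_AUTH: NONE, HOST, or {string}name{string}...

    Returns ("NONE", None), ("HOST", None), or ("NAMES", mapping), where
    mapping[""] is the default CN (if given) and mapping[name] the CN for a
    daemon or application. Names are lower-cased (assumption: the page uses
    VEMKD and vemkd for the same daemon).
    """
    value = value.strip()
    if value in ("NONE", "HOST"):
        return (value, None)
    units = _UNIT.findall(value)
    # Every character must belong to a unit; a stray brace or a name
    # without a {string} makes the value malformed.
    if not units or "".join(f"{n}{{{cn}}}" for n, cn in units) != value:
        raise ValueError(f"malformed SERVER_AUTH value: {value!r}")
    mapping = {}
    for name, cn in units:
        key = name.strip().lower()
        if key in mapping:
            raise ValueError(f"duplicate SERVER_AUTH entry for {name!r}")
        mapping[key] = cn
    return ("NAMES", mapping)


def expected_cn(policy, daemon, connected_host):
    """Return the subject CN the client must see for `daemon`, or None when
    SERVER_AUTH=NONE (no verification) or no CN applies to that name."""
    mode, mapping = policy
    if mode == "NONE":
        return None
    if mode == "HOST":
        return connected_host          # per-host certificate: CN is the host
    return mapping.get(daemon.lower(), mapping.get(""))   # name, else default


def cn_accepted(policy, daemon, connected_host, cert_cn):
    """Decide whether the presented certificate CN satisfies the policy.
    Assumption: in NAMES mode, no applicable entry means reject."""
    if policy[0] == "NONE":
        return True                    # NONE: the client does not verify
    want = expected_cn(policy, daemon, connected_host)
    return want is not None and want == cert_cn
```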
egosc_conf.xml parameters
The egosc_conf.xml file contains one configurable SSL parameter.
  • ESC_TS_PARAMS: Specifies SSL parameters for the EGO Service Controller.

    ESC_TS_PARAMS uses the same subparameters as EGO_KD_TS_PARAMS, but they apply only to the Service Controller. For a list of applicable subparameters, see Sub-parameters for the ego.conf file.