Sub-parameters for the ego.conf file

You can configure ego.conf file sub-parameters for the EGO_DEFAULT_TS_PARAMS, EGO_KD_TS_PARAMS, EGO_CLIENT_TS_PARAMS, EGO_KD_PEM_TS_PARAMS and EGO_PEM_TS_PARAMS parameters.

CERTIFICATE
(Daemon only) The location of the certificate file. Certificate files with the PEM file format are supported. For information about generating certificates using OpenSSL, refer to https://www.openssl.org/docs/. For testing on Linux® hosts, IBM® Spectrum Symphony provides a self-signed server certificate (user.pem), which is at /opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security/.
CIPHER
(Daemon and client) A list of ciphers used by EGO TLS. The client and server will negotiate the cipher list and select the first shared one. The default cipher is AES256-GCM-SHA384.

When the default cipher is used, the client does not ask for the peer server's certificate for authentication, and therefore, the CAFILE and SERVER_AUTH subparameters are not used and are not supported. Do not define these subparameters.

The following example shows the CIPHER subparameter, using the default cipher:
EGO_CLIENT_TS_PARAMS="SSL[CIPHER=AES256-GCM-SHA384]"
The following example shows the CIPHER subparameter, using a non-default cipher, and also the CAFILE, and SERVER_AUTH subparameters:
EGO_CLIENT_TS_PARAMS="SSL[CIPHER=AES128-SHA,CAFILE=/home/.../cacert.pem,SERVER_AUTH={myCN}]"
CAFILE
(Client only) The location of the Certification Authority (CA) certificate. The client reads this file and trusts the CA within the file. This parameter is used in cases where there is only one certificate file. For testing on Linux hosts, IBM Spectrum Symphony provides a self-signed CA certificate (cacert.pem), which is at /opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security/.
Note: The built-in certificate is installed with IBM Spectrum Symphony only on management hosts. If you enable security for system daemons and want to run a client on compute hosts or a client outside the cluster, you must copy the cacert.pem certificate to your client host and configure the ego.conf file on the local host.
PRIVATE_KEY
(Daemon only) The location of the private key file. The private key of the default self-signed certificate is user.key.
SERVER_AUTH
(Client only) Defines whether the client authenticates the server and how it does so.
Note: If the SERVER_AUTH subparameter is not set, or if the value is set to NONE, the client will not verify the server's certificate. To ensure that the client verifies the server's certificate, set the SERVER_AUTH subparameter to a value other than NONE.
Syntax:
  • SERVER_AUTH=NONE|HOST|{string}name{string}…
  • [7.3.2 Fix]SERVER_AUTH=NONE|HOST|{string}name{string}…|HOST_CN_DNS
where:
  • NONE: No server authentication is required. This is the default value.
  • HOST: Per-host certificates. The client checks the name of the connected host against the subject CN (common name) in the certificate.
  • {string}name{string}…: This format enables certificate verification on a per cluster, daemon, or application basis. The name can be either a name of a daemon (such as VEMKD) or an application (such as SOATesting). The string is the subject CN in the certificate. The first {string} is the default value for daemons or applications whose names are not defined here.
  • [7.3.2 Fix]HOST_CN_DNS: The client verifies the server certificate by checking the server’s hostname against the server certificate’s DNS (which is defined in the subject alternative name) or against its CN. Hostname checking succeeds if the DNS name defined in certificate’s subject alternative name or in the CN matches the server’s hostname.

    The certificate’s DNS name defined in subject alternative name can be one or multiple DNS names.

    The hostname checking is done using the OpenSSL API X509_check_host during certificate verification, and the hostname checking behavior follows the API description. The hostname checking disables wildcard expansions using the X509_CHECK_FLAG_NO_WILDCARDS flag.

Note: All IBM Spectrum Symphony daemons have reserved names. An application cannot have the same name as an IBM Spectrum Symphony daemon. For example, you cannot define an IBM Spectrum Symphony application with the name vemkd.
Here are some examples:
  1. SERVER_AUTH={EGO}: Only the default is provided. All daemons share the same certificate as EGO.
  2. SERVER_AUTH=vemkd{vemkd}egosc{ServiceController}: A value is provided for each daemon. The client checks the VEMKD certificate against vemkd and the EGOSC certificate against ServiceController.
  3. SERVER_AUTH={EGO}SOATesting{SOA Testing}: Both the default and a name-value pair are provided. An IBM Spectrum Symphony client of the SOATesting application checks the SSM certificate against SOA Testing. All other clients check the daemon certificate against EGO.
  4. [7.3.2 Fix]SERVER_AUTH=HOST_CN_DNS: Specifying HOST_CN_DNS for the SERVER_AUTH value allows the client to check the connected server hostname against the server certificate's DNS (which is defined in the subject alternative name) or against its CN.
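As an added example (not IBM Spectrum Symphony code), the following Python parses the SSL[...] value format and the SERVER_AUTH syntax described above, resolves which subject CN a client must expect for a given daemon or application name, and flags the cases this page calls out where server verification is not in effect (the default cipher, or SERVER_AUTH unset or NONE). The function names, the dict layout, the comma-free subparameter values and the exact-case match of daemon and application names are assumptions.

```python
import re

# Hypothetical helper (not IBM Spectrum Symphony code): parses the SSL[...] value
# of an EGO_*_TS_PARAMS line and resolves SERVER_AUTH as this page describes.
DEFAULT_CIPHER = "AES256-GCM-SHA384"   # page default; values assumed comma-free

def parse_ts_params(line):
    """'EGO_CLIENT_TS_PARAMS="SSL[CIPHER=...,CAFILE=...]"' -> {'CIPHER': ..., ...}"""
    m = re.fullmatch(r'(?:EGO_\w+=)?"?SSL\[(.*)\]"?', line.strip())
    if not m:
        raise ValueError("expected SSL[...]: %r" % line)
    params = {}
    for item in filter(None, m.group(1).split(",")):
        key, _, val = item.partition("=")
        params[key.strip().upper()] = val.strip()
    return params

def parse_server_auth(spec):
    """NONE | HOST | HOST_CN_DNS | {string}name{string}... -> mode/default_cn/per_name."""
    if not spec or spec.upper() == "NONE":
        return {"mode": "NONE", "default_cn": None, "per_name": {}}  # not verified
    if spec.upper() in ("HOST", "HOST_CN_DNS"):
        return {"mode": spec.upper(), "default_cn": None, "per_name": {}}
    pairs = re.findall(r"([^{}]*)\{([^{}]*)\}", spec)
    if not pairs or "".join(f"{n}{{{c}}}" for n, c in pairs) != spec:
        raise ValueError("malformed SERVER_AUTH: %r" % spec)
    auth = {"mode": "CN", "default_cn": None, "per_name": {}}
    for name, cn in pairs:
        if name:                              # daemon- or application-specific CN
            auth["per_name"][name] = cn
        elif auth["default_cn"] is None:      # first bare {string} is the default
            auth["default_cn"] = cn
        else:
            raise ValueError("more than one default in %r" % spec)
    return auth

def required_cn(auth, peer_name):
    """Subject CN the client must see for peer_name; None when no CN check applies."""
    return auth["per_name"].get(peer_name, auth["default_cn"]) if auth["mode"] == "CN" else None

def audit_client_params(line):
    """Findings that explain why server-certificate verification would not occur."""
    params, findings = parse_ts_params(line), []
    if params.get("CIPHER", DEFAULT_CIPHER) == DEFAULT_CIPHER:
        return ["default cipher: certificate not requested; CAFILE/SERVER_AUTH unsupported"]
    if parse_server_auth(params.get("SERVER_AUTH"))["mode"] == "NONE":
        findings.append("SERVER_AUTH unset or NONE: server certificate not verified")
    if "CAFILE" not in params:
        findings.append("CAFILE missing: client has no CA certificate to trust")
    return findings
```

Running audit_client_params over each EGO_CLIENT_TS_PARAMS line in a client's ego.conf gives an empty list only when a non-default cipher, a CAFILE and a non-NONE SERVER_AUTH are all present.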