Securing MDM Publisher connections to Master Data Connect
If you intend to use IBM® MDM Publisher with IBM Master Data Connect, you must share your MDM Publisher instance's public key with each instance of Master Data Connect that you need to publish to.
About this task
Transferring data through IBM MDM Publisher to an IBM Master Data Connect instance uses a public key authentication mechanism between an IBM Aspera® client and server.
When the init_publisher.sh script is run during the installation of MDM Publisher, a file called id_rsa.pub is generated that contains the public key for this MDM Publisher instance. id_rsa.pub must be shared with each instance of Master Data Connect that you will be publishing to. Depending on the platform that you are publishing to, you can either:
- Securely copy the whole file from the MDM Publisher installation directory host to the Master Data Connect installation directory host.
- Copy the contents of the file.
Securing MDM Publisher with the Master Data Connect service on IBM Cloud Pak for Data
A user who has administrator rights to the Master Data Connect namespace must complete these steps on a machine that has oc command line interface access to the Cloud Pak for Data OpenShift® cluster.
- Ensure that your OpenShift context is set to the Master Data Connect namespace by running the following command:
oc config set-context --current --namespace=mdc-namespace
- Create the following bash script:
#!/bin/bash
_ALIAS="ALIAS"                # name of your MDM Publisher installation
_CERTIFICATE="CERTIFICATE"    # contents of the id_rsa.pub public key file
read -r -d '' _DATA_PATCH << EOF
{"data":{"${_ALIAS}":"${_CERTIFICATE}"}}
EOF
oc patch cm/mdc-aspera-server-client-keys \
  --type merge \
  -p "$_DATA_PATCH"
# restart aspera pod
oc delete pod mdc-aspera-server-0
Replace ALIAS with the name of your MDM Publisher installation and CERTIFICATE with the contents of the id_rsa.pub public key file.
Note: If you use an ALIAS value that has been used before, the certificate provided in this script will overwrite the previous certificate.
- Make the script executable by running chmod +x on the file.
- Run the script to apply the MDM Publisher certificate to the Master Data Connect service installation.
- Wait for the Aspera HSTS server pod to become available. Monitor its status by running the following command:
oc rollout status statefulset/mdc-aspera-server -n mdc-namespace --timeout 2m
You are now ready to run MDM Publisher bulk jobs.
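The following POSIX shell functions are an added example, not IBM's script and not part of this page: they wrap the Cloud Pak for Data procedure above so that the alias is checked against the ConfigMap key rules and the id_rsa.pub content is checked to be a single ssh-rsa line before either is interpolated into the merge patch, and an alias that is already registered is not overwritten unless --force is passed. The function names, the --force flag and the use of oc get cm -o json to detect an existing alias are assumptions; the ConfigMap and pod names come from the page's script.

```sh
#!/bin/sh
# Added example, not IBM's script: validates the alias and id_rsa.pub content
# before patching the mdc-aspera-server-client-keys ConfigMap, and refuses to
# overwrite an alias that is already registered unless --force is given.
# Assumes oc is logged in and the current context is the MDC namespace.

CM_NAME="mdc-aspera-server-client-keys"   # ConfigMap named on the page
ASPERA_POD="mdc-aspera-server-0"          # pod the page's script restarts

# The alias becomes a ConfigMap data key, so it must follow the key rules.
valid_alias() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Accept exactly one ssh-rsa line: base64 body plus an optional comment that
# has no quote or backslash, so the value can be embedded in JSON unescaped.
valid_pubkey() {
  nl=$(printf '\nx'); nl=${nl%x}
  case "$1" in *"$nl"*) return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^ssh-rsa [A-Za-z0-9+/]+=*( [^"\\]*)?$'
}

# Same merge patch the page's script builds.
build_patch() {
  printf '{"data":{"%s":"%s"}}' "$1" "$2"
}

# True if the ConfigMap already holds a key for this alias (assumed check).
alias_registered() {
  oc get cm "$CM_NAME" -o json 2>/dev/null | grep -q "\"$1\": "
}

# Usage: apply_key ALIAS "$(cat id_rsa.pub)" [--force]
apply_key() {
  name="$1"; key="$2"; force="${3:-}"
  valid_alias "$name" || { echo "invalid alias: $name" >&2; return 2; }
  valid_pubkey "$key" || { echo "id_rsa.pub is not a single ssh-rsa line" >&2; return 2; }
  if [ "$force" != "--force" ] && alias_registered "$name"; then
    echo "alias $name already registered; pass --force to overwrite" >&2
    return 3
  fi
  oc patch "cm/$CM_NAME" --type merge -p "$(build_patch "$name" "$key")" || return 1
  oc delete pod "$ASPERA_POD"   # restart the Aspera pod, as the page's script does
}
```

After sourcing the file, run apply_key with your alias and the contents of id_rsa.pub, then monitor the rollout as described in the next step.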
Securing MDM Publisher with Master Data Connect on Kubernetes or Minikube
- On your MDM Publisher instance, run the following command to open the publisher-aspera-id-rsa-pub configuration map:
kubectl -n mdm-publisher get configmap publisher-aspera-id-rsa-pub -o yaml
- Copy the content of id_rsa.pub. For example:
ssh-rsa <SSH_KEY>= Aspera Client Key <MDC_NAME>
- On your Master Data Connect instance, go to <MDC_INSTALL_HOME>/config/aspera/authorized-client-keys/ and create a new file named <PUBLISHER_NAME>_id_rsa.pub. Paste the copied content from the previous step into this new file.
- Run the following command to clean the existing Aspera configuration:
clean.sh -s aspera
- Run the following command to apply the new configuration:
deploy.sh -s aspera
- Wait for the Aspera HSTS server pod to become available. Monitor its status by running the following command:
kubectl rollout status statefulset/mdc-aspera-server -n mdc-namespace --timeout 2m
You are now ready to run MDM Publisher bulk jobs.
Securing MDM Publisher with Master Data Connect on Red Hat OpenShift
Complete these steps on the host that was used to perform the original Master Data Connect installation.
- Ensure that your Red Hat® OpenShift context is set to the Master Data Connect namespace by running the following command:
oc config set-context --current --namespace=mdc-namespace
- Run the openshift/bin/add_publisher_cert.sh script. Provide an ALIAS value that is the name of your MDM Publisher installation and a CERTIFICATE value with the contents of the public key file.
Note: If you use an ALIAS value that has been used before, the certificate provided in this script will overwrite the previous certificate.
- Wait for the Aspera HSTS server pod to become available. Monitor its status by running the following command:
oc rollout status statefulset/mdc-aspera-server -n mdc-namespace --timeout 2m
You are now ready to run MDM Publisher bulk jobs.