Securing MDM Publisher connections to Master Data Connect

If you intend to use IBM® MDM Publisher with IBM Master Data Connect, you must share your MDM Publisher instance's public key with each instance of Master Data Connect that you need to publish to.

About this task

Transferring data through IBM MDM Publisher to an IBM Master Data Connect instance uses public key authentication between an IBM Aspera® client and server.

When the init_publisher.sh script is run during the installation of MDM Publisher, a file called id_rsa.pub is generated to contain the public key for this MDM Publisher instance.

The public key stored in id_rsa.pub must be shared with each instance of Master Data Connect that you will be publishing to. Depending on the platform that you are publishing to, you can either:
  • Securely copy the whole file from the MDM Publisher installation directory host to the Master Data Connect installation directory host.
  • Copy the contents of the file.

Securing MDM Publisher with the Master Data Connect service on IBM Cloud Pak for Data

A user who has administrator rights to the Master Data Connect namespace must complete these steps on a machine that has oc command line interface access to the Cloud Pak for Data OpenShift® cluster.

  1. Ensure that your OpenShift context is set to the Master Data Connect namespace by running the following command:
    oc config set-context --current --namespace=mdc-namespace
  2. Create the following bash script:
    #!/bin/bash
    
    # ALIAS: the name of this MDM Publisher installation.
    # CERTIFICATE: the contents of the id_rsa.pub public key file.
    _ALIAS="ALIAS"
    _CERTIFICATE="CERTIFICATE"
    
    # build the JSON merge patch that adds (or replaces) the key under ALIAS
    read -r -d '' _DATA_PATCH << EOF
    {"data":{"${_ALIAS}":"${_CERTIFICATE}"}}
    EOF
    
    # add the key to the ConfigMap that the Aspera HSTS server reads client keys from
    oc patch cm/mdc-aspera-server-client-keys \
      --type merge \
      -p "$_DATA_PATCH"
    
    # restart the Aspera pod so that it picks up the new key; the StatefulSet recreates it
    oc delete pod mdc-aspera-server-0

    Replace ALIAS with the name of your MDM Publisher installation and CERTIFICATE with the contents of the id_rsa.pub public key file.

    Note: If you use an ALIAS value that has been used before, the certificate provided in this script will overwrite the previous certificate.
  3. Make the script executable by running chmod +x on the file.
  4. Run the script to apply the MDM Publisher certificate to the Master Data Connect service installation.
  5. Wait for the Aspera HSTS server pod to become available. Monitor its status by running the following command:
    oc rollout status statefulset/mdc-aspera-server -n mdc-namespace --timeout 2m
    

You are now ready to run MDM Publisher bulk jobs.

Securing MDM Publisher with Master Data Connect on Kubernetes or Minikube

  1. On your MDM Publisher instance, run the following command to open the publisher-aspera-id-rsa-pub configuration map.
    kubectl -n mdm-publisher get configmap publisher-aspera-id-rsa-pub -o yaml
  2. Copy the content of id_rsa.pub. For example:
    ssh-rsa <SSH_KEY>= Aspera Client Key <MDC_NAME>
  3. On your Master Data Connect instance, go to <MDC_INSTALL_HOME>/config/aspera/authorized-client-keys/ and create a new file named <PUBLISHER_NAME>_id_rsa.pub. Paste the copied content from the previous step into this new file.
  4. Run the following command to clean up the existing Aspera configuration:
    clean.sh -s aspera
  5. Run the following command to apply the new configuration:
    deploy.sh -s aspera
  6. Wait for the Aspera HSTS server pod to become available. Monitor its status by running the following command:
    kubectl rollout status statefulset/mdc-aspera-server -n mdc-namespace --timeout 2m
    

You are now ready to run MDM Publisher bulk jobs.
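The script in step 2 of the Cloud Pak for Data procedure splices ALIAS and the key text straight into a JSON patch, and the Kubernetes procedure copies the key into a file by hand; neither checks that the key is a well-formed single-line ssh-rsa public key, and both silently overwrite an existing entry for a reused ALIAS, as the notes warn. The following is an added example, not part of the IBM documentation, that validates id_rsa.pub and the alias before either registration path and checks the existing ConfigMap for a reused alias. The ConfigMap name mdc-aspera-server-client-keys, the pod name, and the <PUBLISHER_NAME>_id_rsa.pub file naming come from the steps above; the function names and the APPLY variable are this example's own conventions.

```shell
#!/bin/sh
# Added example (not part of the IBM documentation): validate an MDM Publisher
# id_rsa.pub before registering it with Master Data Connect, either as a
# ConfigMap entry (Cloud Pak for Data) or as a file under
# config/aspera/authorized-client-keys/ (Kubernetes or Minikube).
# Function names and the APPLY variable are this example's own assumptions.

# validate_pubkey FILE
# Succeeds only if FILE holds exactly one OpenSSH RSA public key line:
# "ssh-rsa", a base64 blob, and an optional comment. Quotes and backslashes
# are rejected because the key is spliced verbatim into a JSON string.
validate_pubkey() {
  file="$1"
  [ -f "$file" ] || return 1
  [ "$(grep -c . "$file")" -eq 1 ] || return 1
  grep -Eq '^ssh-rsa [A-Za-z0-9+/]+={0,2}( [^"\\]*)?$' "$file"
}

# validate_alias NAME
# ConfigMap data keys (and the file-name prefix) must be [-._a-zA-Z0-9]+.
validate_alias() {
  printf '%s' "$1" | grep -Eq '^[-._a-zA-Z0-9]+$'
}

# build_patch ALIAS FILE
# Prints the JSON merge patch used by the step 2 script of the Cloud Pak for
# Data procedure, or fails with a message on stderr.
build_patch() {
  name="$1"; file="$2"
  validate_alias "$name" || { echo "invalid alias: $name" >&2; return 1; }
  validate_pubkey "$file" || { echo "not a single ssh-rsa public key: $file" >&2; return 1; }
  key=$(head -n 1 "$file")
  printf '{"data":{"%s":"%s"}}\n' "$name" "$key"
}

# key_already_registered ALIAS CONFIGMAP_JSON
# The procedure warns that a reused ALIAS silently overwrites the old key.
# Feed this the output of: oc get cm/mdc-aspera-server-client-keys -o json
key_already_registered() {
  pat=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '%s' "$2" | grep -Eq "\"$pat\"[[:space:]]*:"
}

# register_key ALIAS FILE
# Cloud Pak for Data path. Without APPLY=1 it only prints the oc command so
# the patch can be reviewed before it is applied.
register_key() {
  patch=$(build_patch "$1" "$2") || return 1
  if [ "${APPLY:-0}" = "1" ]; then
    oc patch cm/mdc-aspera-server-client-keys --type merge -p "$patch"
  else
    echo "oc patch cm/mdc-aspera-server-client-keys --type merge -p '$patch'"
  fi
}

# install_key_file ALIAS FILE AUTHORIZED_DIR
# Kubernetes/Minikube path: writes the validated key to
# AUTHORIZED_DIR/<ALIAS>_id_rsa.pub and refuses to clobber an existing file.
install_key_file() {
  name="$1"; file="$2"; dir="$3"
  validate_alias "$name" || return 1
  validate_pubkey "$file" || return 1
  [ -d "$dir" ] || return 1
  dest="$dir/${name}_id_rsa.pub"
  [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }
  head -n 1 "$file" > "$dest"
  chmod 0644 "$dest"
}

# Usage: ./register_publisher_key.sh my-publisher /path/to/id_rsa.pub
if [ $# -eq 2 ]; then
  register_key "$1" "$2"
fi
```

Run key_already_registered against the current ConfigMap before register_key, and only set APPLY=1 once the printed patch looks right; after either path, the pod restart and rollout check from the procedure still apply.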

Securing MDM Publisher with Master Data Connect on Red Hat OpenShift

Complete these steps on the host that was used to perform the original Master Data Connect installation.

  1. Ensure that your Red Hat® OpenShift context is set to the Master Data Connect namespace by running the following command:
    oc config set-context --current --namespace=mdc-namespace
  2. Run the openshift/bin/add_publisher_cert.sh script. Provide an ALIAS value that is the name of your MDM Publisher installation and a CERTIFICATE value with the contents of the public key file.
    Note: If you use an ALIAS value that has been used before, the certificate provided in this script will overwrite the previous certificate.
  3. Wait for the Aspera HSTS server pod to become available. Monitor its status by running the following command:
    oc rollout status statefulset/mdc-aspera-server -n mdc-namespace --timeout 2m
    

You are now ready to run MDM Publisher bulk jobs.