Vitor |
Posted: Thu Oct 20, 2016 12:03 pm Post subject: Encrypting ODBC traffic in IIB |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
IIB 9.0.0.5
RHEL 6
Oracle 12
This is a PMR if ever I heard one, but I'm wondering if anyone has any experiences they'd like to share.
We have a business requirement to connect to an Oracle database with ODBC and encrypt the traffic between IIB and the database. What we're doing is controlled by the Feds so getting the requirement changed or asking for justification is a waste of breath; there may be no good reason but hey - we're still going to need to do it.
Looking through the odbc.ini, people who know more than I do say the parameter they'd expect to see that switches this on is missing from the sample file and the Knowledge Center.
- Can you encrypt this kind of ODBC connection? If so, is there a link we've missed?
- Can we do this with a JDBC connection? Are there any gotchas we should be aware of?
Like I said, a PMR is in progress but any contributions are welcomed.
(I did ask about network level encryption. I was told that we could have a wire encrypted link that didn't leave our data center and we'd still be required to encrypt the connection.....) _________________ Honesty is the best policy.
Insanity is the best defence. |
|
mqjeff |
Posted: Thu Oct 20, 2016 12:52 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
There is a way to switch IIB to use the Oracle client config behind the scenes of the DataDirect driver.
This *should* allow you to use encryption.
Install the full Oracle Client, create the oracle config, and remove the hostname/port from the broker odbc config.
If I remember right, that should then cause the config lookup to be taken from the oracle client, and used - including encryption...
But  _________________ chmod -R ugo-wx / |
|
smdavies99 |
Posted: Thu Oct 20, 2016 11:05 pm Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
I think that this not so little feature will become increasingly important as time goes by.
To me this is a clear RFE topic so that not only Oracle but DB2, SQLServer etc are all supported by the product.
I have seen requests for this sort of thing before but have managed to deflect them away. It would be nice to have a positive answer for the future.
Some of those requests to encrypt were for data that did not hold any personal or financial information. This leads me to think that just about everything will all be encrypted in the not too distant future.
I shudder to think of the issues that will get raised by all those Keys expiring at the same time. There has to be a better way of managing and deploying them than what we have at present.
followed by  _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
mqjeff |
Posted: Fri Oct 21, 2016 4:20 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
I don't think you can get away with using DB2 ODBC without installing (and using) the full DB2 client. This would be responsible for knowing if the connection should be encrypted or not, and handling that part of the communication.
With Oracle, as I mumbled about, I believe one can still do the same thing. Install the Oracle client, make sure that the ORACLE_HOME variable (or whatever it's called) is set in the Broker runtime environment, and remove the hostname/port from the ODBC config. That should cause the DataDirect driver to use the Oracle client config instead.
Likewise, I suspect you can do similar things with the other DataDirect drivers.
They are actually documented by DataDirect... _________________ chmod -R ugo-wx / |
|
mgk |
Posted: Sun Oct 23, 2016 2:14 am Post subject: |
|
|
 Padawan
Joined: 31 Jul 2003 Posts: 1642
|
I know that the DataDirect driver itself can make SSL/TLS encrypted connections all by itself without needing other parts to be installed. Hopefully the PMR should be able to give you the instructions on how to make it work... _________________ MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions. |
|
smdavies99 |
Posted: Sun Oct 23, 2016 3:20 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
mgk wrote: |
I know that the DataDirect driver itself can make SSL/TLS encrypted connections all by itself without needing other parts to be installed. Hopefully the PMR should be able to give you the instructions on how to make it work... |
It would be nice if those instructions were to find their way into the documentation for the benefit of others. _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
mqjeff |
Posted: Mon Oct 24, 2016 3:47 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
smdavies99 wrote: |
mgk wrote: |
I know that the DataDirect driver itself can make SSL/TLS encrypted connections all by itself without needing other parts to be installed. Hopefully the PMR should be able to give you the instructions on how to make it work... |
It would be nice if those instructions were to find their way into the documentation for the benefit of others. |
While I entirely agree...
The DataDirect documentation has the options to add to your ODBC configuration...
http://media.datadirect.com/download/docs/openaccess/alloa/help.htm#page/adminguide%2Fusing-the-openaccess-sdk-manager.html%23
Look for
Quote: |
OpenAccess SDK Service Attributes->Defining Service Attributes |
_________________ chmod -R ugo-wx / |
|
smdavies99 |
Posted: Mon Oct 24, 2016 4:46 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
I was thinking more of the IIB Documentation or at least a link to the relevant bits of the DataDirect docs in the IIB Docs.
Why?
Well how many IIB admins would think to look in the DataDirect docs?
If it isn't in the IIB then they'd usually give up and tell you that it is not possible. _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
mqjeff |
Posted: Mon Oct 24, 2016 4:57 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
smdavies99 wrote: |
I was thinking more of the IIB Documentation or at least a link to the relevant bits of the DataDirect docs in the IIB Docs.
Why?
Well how many IIB admins would think to look in the DataDirect docs?
If it isn't in the IIB then they'd usually give up and tell you that it is not possible. |
I really do.
But until that time, Vitor can at least solve his problem by using the SSL config parameters of the DataDirect drivers put into the ODBC config.
Or the SSL config of the Oracle client, which can be referred to by the parameters of the DataDirect driver. _________________ chmod -R ugo-wx / |
|
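Added example, not from the thread or from IBM or DataDirect: a Python audit of an odbc.ini that reports, per DSN, whether the driver-level SSL options mentioned in the post above are set, and flags stanzas with no host entry (the Oracle-client approach described earlier in the thread) for review elsewhere. It assumes the DataDirect Connect for ODBC option names `EncryptionMethod` (default 0, no encryption) and `ValidateServerCertificate` (default 1); confirm them against the driver version shipped with your broker. All DSN names, hosts and paths are constructed placeholders.

```python
import configparser

# Constructed sample odbc.ini: DSN names, hosts and driver path are placeholders.
SAMPLE_ODBC_INI = """
[ODBC Data Sources]
ORA_PLAIN=Oracle Wire Protocol
ORA_TLS=Oracle Wire Protocol
ORA_NOVERIFY=Oracle Wire Protocol
ORA_CLIENT=Oracle Wire Protocol

[ORA_PLAIN]
Driver=/path/to/oracle-driver.so
HostName=db1.example.internal
PortNumber=1521

[ORA_TLS]
Driver=/path/to/oracle-driver.so
HostName=db2.example.internal
PortNumber=2484
EncryptionMethod=1
ValidateServerCertificate=1
TrustStore=/path/to/truststore.pem

[ORA_NOVERIFY]
Driver=/path/to/oracle-driver.so
HostName=db3.example.internal
PortNumber=2484
EncryptionMethod=1
ValidateServerCertificate=0

[ORA_CLIENT]
Driver=/path/to/oracle-driver.so
"""

def audit_odbc_ini(text):
    """Return {dsn: finding} for every stanza that names a Driver."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # option names are lower-cased by configparser
    findings = {}
    for dsn in cp.sections():
        s = cp[dsn]
        if "driver" not in s:
            continue  # [ODBC Data Sources], [ODBC] and similar
        if not s.get("hostname", "").strip():
            findings[dsn] = "no host in odbc.ini: review the database client config"
        elif s.get("encryptionmethod", "0").strip() == "0":
            findings[dsn] = "unencrypted"
        elif s.get("validateservercertificate", "1").strip() == "0":
            findings[dsn] = "encrypted, server certificate not validated"
        else:
            findings[dsn] = "encrypted"
    return findings
```

Calling `audit_odbc_ini(open(path).read())` on the broker's real odbc.ini gives the same per-DSN report; a stanza reported as "no host" says nothing about encryption by itself and has to be checked in the client configuration it delegates to.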
IIB_Intel |
Posted: Thu Oct 26, 2017 6:45 am Post subject: |
|
|
Acolyte
Joined: 07 May 2015 Posts: 64
|
I know this is a little older thread but seems like I have a similar requirement but for sql server.
Has anything been added to IIB version 10 to make secured connections using odbc to sql server? |
|
balajip |
Posted: Wed Oct 18, 2023 9:40 pm Post subject: |
|
|
Newbie
Joined: 15 Sep 2014 Posts: 1
|
We got a similar requirement between Oracle 12 and IIB 10. Please assist if there are steps to be performed to implement data encryption between Oracle DB and IIB? |
|
mgk |
Posted: Thu Oct 19, 2023 4:48 am Post subject: |
|
|
 Padawan
Joined: 31 Jul 2003 Posts: 1642
|
|