ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Encrypting ODBC traffic in IIB

Post new topic  Reply to topic
 Encrypting ODBC traffic in IIB « View previous topic :: View next topic » 
Author Message
Vitor
PostPosted: Thu Oct 20, 2016 12:03 pm    Post subject: Encrypting ODBC traffic in IIB Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

IIB 9.0.0.5
RHEL 6
Oracle 12

This is a PMR if ever I heard one, but I'm wondering if anyone has any experiences they'd like to share.

We have a business requirement to connect to an Oracle database with ODBC and encrypt the traffic between IIB and the database. What we're doing is controlled by the Feds so getting the requirement changed or asking for justification is a waste of breath; there may be no good reason but hey - we're still going to need to do it.

Looking through the odbc.ini, people who know more than I do say the parameter they'd expect to see that switches this on is missing from the sample file and the Knowledge Center.

- Can you encrypt this kind of ODBC connection? If so, is there a link we've missed?
- Can we do this with a JDBC connection? Are there any gotchas we should be aware of?

Like I said, a PMR is in progress but any contributions are welcomed.

(I did ask about network level encryption. I was told that we could have a wire encrypted link that didn't leave our data center and we'd still be required to encrypt the connection.....)
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Thu Oct 20, 2016 12:52 pm    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

There is a way to switch IIB to use the Oracle client config behind the scenes of the DataDirect driver.

This *should* allow you to use encryption.

Install the full Oracle Client, create the oracle config, and remove the hostname/port from the broker odbc config.

If I remember right. that should then cause the config lookup to be taken from the oracle client, and used - including encryption...

But
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
smdavies99
PostPosted: Thu Oct 20, 2016 11:05 pm    Post subject: Reply with quote

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

I think that this not so little feature will become increasingly important as time goes by.
To me this is a clear RFE topic so that not only Oracle but DB2, SQLServer etc are all supported by the product.

I have seen requests for this sort of thing before but have managed to deflect them away. It would be nice to have a positive answer for the future.
Some of those requests to encrypt were for data that did not hold any personal or financial information. This leads me to think that just about everything will all be encrypted in the not too distant future.
I shudder to think of the issues that will get raised by all those Keys expiring at thesame time. There has to be a better way of managing and deploying them that what we have at present.

followed by
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Fri Oct 21, 2016 4:20 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

I don't think you can get away with using DB2 ODBC without installing (and using) the full DB2 client. This would be responsible for knowing if the connection should be encrypted or not, and handling that part of the communication.

With Oracle, as I mumbled about, I believe one can still do the same thing. Install the Oracle client, make sure that the ORACLE_HOME variable (or whatever it's called) is set in the Broker runtime environment, and remove the hostname/port from the ODBC config. That should cause the DataDirect driver to use the Oracle client config instead.

Likewise, I suspect you can do similar things with the other DataDirect drivers.

They are actually documented by DataDirect...
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
mgk
PostPosted: Sun Oct 23, 2016 2:14 am    Post subject: Reply with quote

Padawan

Joined: 31 Jul 2003
Posts: 1638

I know that the DataDirect driver itself can make SSL/TLS encrypted connections all by itself without needing other parts to be installed. Hopefully the PMR should be able to give you the instructions on how to make it work...
_________________
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
Back to top
View user's profile Send private message
smdavies99
PostPosted: Sun Oct 23, 2016 3:20 am    Post subject: Reply with quote

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

mgk wrote:
I know that the DataDirect driver itself can make SSL/TLS encrypted connections all by itself without needing other parts to be installed. Hopefully the PMR should be able to give you the instructions on how to make it work...


It would be nice if those instructions were to find their way into the documentation for the benefit of others.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Mon Oct 24, 2016 3:47 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

smdavies99 wrote:
mgk wrote:
I know that the DataDirect driver itself can make SSL/TLS encrypted connections all by itself without needing other parts to be installed. Hopefully the PMR should be able to give you the instructions on how to make it work...


It would be nice if those instructions were to find their way into the documentation for the benefit of others.


While I entirely agree...

The DataDirect documentation has the options to add to your ODBC configuration...

http://media.datadirect.com/download/docs/openaccess/alloa/help.htm#page/adminguide%2Fusing-the-openaccess-sdk-manager.html%23
Look for
Quote:
OpenAccess SDK Service Attributes->Defining Service Attributes

_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
smdavies99
PostPosted: Mon Oct 24, 2016 4:46 am    Post subject: Reply with quote

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

I was thinking more of the IIB Documentation or at least a link to the relevant bits of the Datadirect docs in the IIB Docs.
Why?
Well how many IIB admins would think to look in the DataDirect docs?
If it isn't in the IIB then they'd usually give up and tell you that it is not possible.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Mon Oct 24, 2016 4:57 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

smdavies99 wrote:
I was thinking more of the IIB Documentation or at least a link to the relevant bits of the Datadirect docs in the IIB Docs.
Why?
Well how many IIB admins would think to look in the DataDirect docs?
If it isn't in the IIB then they'd usually give up and tell you that it is not possible.


I really do.

But until that time, Vitor can at least solve his problem by using the SSL config parameters of the DataDirect drivers put into the ODBC config.

Or the SSL config of the Oracle client, which can be referred to by the parameters of the DataDirect driver.
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
IIB_Intel
PostPosted: Thu Oct 26, 2017 6:45 am    Post subject: Reply with quote

Acolyte

Joined: 07 May 2015
Posts: 64

I know this is a little older thread but seems like I have a similar requirement but for sql server.

Has anything being added to IIB version 10 to make secured connections using odbc to sql server?
Back to top
View user's profile Send private message
balajip
PostPosted: Wed Oct 18, 2023 9:40 pm    Post subject: Reply with quote

Newbie

Joined: 15 Sep 2014
Posts: 1

We got the similar requirement between Oracle 12 and IIB 10. Please assist if there are steps to be performed to implement data encryption between Oracle DB and IIB?
Back to top
View user's profile Send private message
mgk
PostPosted: Thu Oct 19, 2023 4:48 am    Post subject: Reply with quote

Padawan

Joined: 31 Jul 2003
Posts: 1638

Hi

This page from the docs explains how to use SSL to connect to Oracle for IIB v10:

https://www.ibm.com/docs/en/integration-bus/10.0?topic=eocd-connecting-database-from-linux-unix-systems-by-using-integration-odbc-database-extender

However, you really should upgrade to v12 and the docs for doing SSL with Oracle in v12 are here:

https://www.ibm.com/docs/en/app-connect/12.0?topic=databases-enabling-odbc-connections

There is also a blog that covers setting up ODBC in containers that might be helpful:

https://community.ibm.com/community/user/integration/blogs/amar-shah1/2022/01/23/connecting-to-databases-from-app-connect-enterpris

Hope this helps.
_________________
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Encrypting ODBC traffic in IIB
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.