Loading into a remote CMOD server with SSL enabled
Background
In most CMOD deployments, files are delivered to the CMOD server itself and loaded with the arsload utility, so the data is ingested locally. This design is reasonably secure: if the files arrive over an encrypted channel (such as SFTP), no unencrypted report data crosses the network as part of the load process. In some situations, however, it makes more sense to offload the 'heavy lifting' of the load process to a dedicated load server that runs arsload against the CMOD server over the network. Without TLS/SSL enabled, the report data then traverses the network in a compressed but unencrypted form, where it can be read by any adversary with access to the network path between the two hosts.
To improve security of your Content Manager OnDemand system, you should absolutely be using TLS/SSL when loading to Content Manager OnDemand remotely.
Configuring ars.ini
On your CMOD server, you can follow the directions for enabling TLS/SSL. On the remote load server, you need a few things:
- A working installation of the CMOD software including GSKit (but excluding DB2 and TSM)
- A key database (keystore) containing your organization's certificate chain (the root and any intermediate CA certificates that issued the CMOD server's certificate)
- A CMOD Stash File containing the User ID and Password for the load account on the OnDemand server
- A properly configured ars.ini file with the details for your server
Sample
[@SRV@_PROD]
HOST=production.CMOD.example.com
PROTOCOL=2
PORT=-1
SSL_PORT=1446
SSL_KEYRING_FILE=/home/arsload/CMODPROD.kdb
SSL_KEYRING_STASH=/home/arsload/CMODPROD.sth
SSL_CLNT_USE_SSL=1
SRVR_OD_STASH=/home/arsload/CMODPROD.stash
In this sample, there are a few things to know:
- [@SRV@_PROD] specifies the server name used with the -h option, as in arsload -h PROD.
- PROTOCOL should always be set to 2.
- If you want to prevent connections without encryption, set PORT to -1. That is an invalid port, so any attempt to connect without TLS/SSL fails with an error instead of silently falling back to cleartext.
- SSL_PORT is the TCP/IP port on which CMOD listens for TLS/SSL connections. There is no defined standard port, but most Content Manager OnDemand servers use the next port up from the default non-SSL port of 1445, i.e. 1446 as shown here.
- The SSL_KEYRING_FILE and SSL_KEYRING_STASH parameters point to the key database and its stash file. The key database on the load server should NOT contain the CMOD server's own certificate, just the root and any intermediate CA certificates needed to validate it.
- SSL_CLNT_USE_SSL determines whether the client programs (arsload, arsdoc, etc.) use SSL. In this example it is switched on by default.
- SRVR_OD_STASH sets the default location of the stash file holding the load account's User ID and password, so that you do not need to specify the -p parameter on the command line.
Using arsload
Once your ars.ini file is configured correctly, the encryption of the connection to the CMOD server is transparent to arsload, and loads work exactly as they did before, for example:
arsload -h PROD -u Remote_Load_User01 -g AppGroupName -a ApplicationName -nfv NameOfFileToLoadIntoCMOD
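Because PORT=-1 and SSL_CLNT_USE_SSL=1 are the two settings that actually stop a cleartext load, it is worth checking them mechanically before every remote load rather than trusting that nobody has edited ars.ini. The script below is an added example, not part of IBM's CMOD tooling or of the original post: it parses a stanza from an ars.ini written in the [@SRV@_NAME] / KEY=VALUE layout shown above, refuses to proceed unless TLS is enforced and the key database, stash and CMOD stash files are readable, and only then builds the arsload command line. The sample ars.ini it writes to a temporary directory (with empty placeholder .kdb/.sth/.stash files and a deliberately weak LEGACY stanza) is constructed for the demonstration; the stanza and key names match the page, but the check_ars_ini and arsload_cmd helper names are this example's own.

```shell
#!/bin/sh
# Added example (not IBM CMOD code): pre-flight check of an ars.ini stanza
# before running arsload against a remote CMOD server.
# Assumes the ars.ini layout from this page: a [@SRV@_NAME] stanza followed
# by KEY=VALUE lines, one per line.

# Print the value of KEY from stanza [@SRV@_SERVER] in FILE (empty if absent).
ars_ini_get() {
  file=$1; server=$2; key=$3
  awk -v stanza="[@SRV@_${server}]" -v key="$key" '
    /^\[/ { in_stanza = ($0 == stanza); next }           # stanza header
    in_stanza && index($0, key "=") == 1 {               # exact KEY= at line start
      sub(/^[^=]*=/, ""); print; exit
    }
  ' "$file"
}

# Return 0 only if the stanza enforces TLS and all referenced files are readable.
check_ars_ini() {
  file=$1; server=$2; rc=0
  [ "$(ars_ini_get "$file" "$server" SSL_CLNT_USE_SSL)" = "1" ] \
    || { echo "$server: SSL_CLNT_USE_SSL is not 1, clients would not use TLS" >&2; rc=1; }
  [ "$(ars_ini_get "$file" "$server" PORT)" = "-1" ] \
    || { echo "$server: PORT is not -1, cleartext fallback is possible" >&2; rc=1; }
  case $(ars_ini_get "$file" "$server" SSL_PORT) in
    ''|*[!0-9]*) echo "$server: SSL_PORT missing or not numeric" >&2; rc=1 ;;
  esac
  for k in SSL_KEYRING_FILE SSL_KEYRING_STASH SRVR_OD_STASH; do
    p=$(ars_ini_get "$file" "$server" "$k")
    [ -n "$p" ] && [ -r "$p" ] || { echo "$server: $k ($p) is not readable" >&2; rc=1; }
  done
  return $rc
}

# Print the arsload command line for SERVER, or fail if the stanza is unsafe.
arsload_cmd() {
  file=$1; server=$2; user=$3; group=$4; app=$5; input=$6
  check_ars_ini "$file" "$server" || return 1
  printf 'arsload -h %s -u %s -g %s -a %s -nfv %s\n' "$server" "$user" "$group" "$app" "$input"
}

# --- constructed sample input, not a real deployment ---
DEMO=$(mktemp -d)
SAMPLE_INI="$DEMO/ars.ini"
touch "$DEMO/CMODPROD.kdb" "$DEMO/CMODPROD.sth" "$DEMO/CMODPROD.stash"
cat > "$SAMPLE_INI" <<EOF
[@SRV@_PROD]
HOST=production.CMOD.example.com
PROTOCOL=2
PORT=-1
SSL_PORT=1446
SSL_KEYRING_FILE=$DEMO/CMODPROD.kdb
SSL_KEYRING_STASH=$DEMO/CMODPROD.sth
SSL_CLNT_USE_SSL=1
SRVR_OD_STASH=$DEMO/CMODPROD.stash
[@SRV@_LEGACY]
HOST=legacy.CMOD.example.com
PROTOCOL=2
PORT=1445
SSL_PORT=1446
SSL_KEYRING_FILE=$DEMO/CMODPROD.kdb
SSL_KEYRING_STASH=$DEMO/CMODPROD.sth
SSL_CLNT_USE_SSL=0
SRVR_OD_STASH=$DEMO/CMODPROD.stash
EOF

# PROD passes and yields a command; LEGACY is refused with the reasons on stderr.
arsload_cmd "$SAMPLE_INI" PROD Remote_Load_User01 AppGroupName ApplicationName report.out
if arsload_cmd "$SAMPLE_INI" LEGACY Remote_Load_User01 AppGroupName ApplicationName report.out; then
  echo "LEGACY unexpectedly passed"
else
  echo "LEGACY refused: fix ars.ini before loading"
fi
```

Run it on the load server with the real ars.ini path and stanza name in place of the temporary sample; a non-zero exit from check_ars_ini is the signal to stop and fix the configuration rather than let arsload decide on its own.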