Loading into a remote CMOD server with SSL enabled
In most CMOD servers, files are delivered to the CMOD server directly, and loaded using the arsload utility to ingest data locally. This design is fairly secure - if files are delivered via an encrypted service (like SFTP) then unencrypted data doesn't traverse the network as part of the load process. However, in some situations, it may make more sense to offload the 'heavy lifting' of the load process to a dedicated load server. Without TLS/SSL enabled, then report data traverses the network in a compressed, but unencrypted format, which could be intercepted by an adversary with access to your network.
To improve security of your Content Manager OnDemand system, you should absolutely be using TLS/SSL when loading to Content Manager OnDemand remotely.
On your CMOD server, you can follow the directions for enabling TLS/SSL. On the remote load server, you need a few things:
- A working installation of the CMOD software including GSKit (but excluding DB2 and TSM)
- The keystore database with your organizations keychain (Root & Intermediate keys)
- A CMOD Stash File containing the User ID and Password for the load account on the OnDemand server
- A properly configured ars.ini file with the details for your server
[@SRV@_PROD] HOST=production.CMOD.example.com PROTOCOL=2 PORT=-1 SSL_PORT=1446 SSL_KEYRING_FILE=/home/arsload/CMODPROD.kdb SSL_KEYRING_STASH=/home/arsload/CMODPROD.sth SSL_CLNT_USE_SSL=1 SRVR_OD_STASH=/home/arsload/CMODPROD.stash
In this sample, there's a few things to know...
[@SRV@_PROD]specifies the server name for the
arsload -h PROD.
PROTOCOLshould always be set to 2.
- If you want to disable connecting without encryption, set the PORT parameter to -1, which is invalid and will cause an error when attempting to connect without encryption.
SSL_PORTis the TCP/IP port number that CMOD is listening to. There's no defined standard port, but most Content Manager OnDemand servers use next port up from the default of 1445.
SSL_KEYRINGparameters point to the key database and stash file that protect the TLS/SSL certificates used on the server - you should NOT include the server's certificate, just the root and any intermediate certificates.
SSL_CLNT_USE_SSLdetermines if the client program (arsload, arsdoc, etc.) use SSL - in this example, we st it on by default.
SRVR_OD_STASHsets the default location of the stash file, so that you do not need to specify the
-pparameter on the command line.
Once your ars.ini file is configured correctly, the encryption of the connection to the CMOD server is transparent, and everything should work as it has before.
arsload -h PROD -u Remote_Load_User01 -g AppGroupName -a ApplicationName -nfv NameOfFileToLoadIntoCMOD