How to Set Up SSH Tunneling With InfoSphere CDC

Revision 0.1

SSH Tunnelling with InfoSphere CDC

Elmer Cecilio [email protected]


Elmer Cecilio 19/02/2009 2 of 17

Background Due to increasing customer requirements for security and governance; InfoSphere CDC (ISCDC) is being asked by our customers to support encryption when ISCDC communicates between source and target systems. Since ISCDC does not have built-in encryption tools, we normally asks the customer to either use VPN (their own network people will setup) or 3rd party hardware encryption/compression solutions. However another option available is the use of SSHs tunnelling or port forwarding feature. This document will not go through the details of SSH, other features and setup. You can use Google for that. In this example, SSH is enabled on my target Linux server. SSH is normally included within the default install of Linux/Unix. Here is a wiki explanation of SSH Tunnel. SSH tunneling

An SSH tunnel is an encrypted tunnel created through an SSH protocol connection. SSH tunnels may be used to tunnel unencrypted traffic over a network through an encrypted channel. For example, Windows machines can share files using the SMB protocol, which is not encrypted. If you were to mount a Windows filesystem remotely through the Internet, someone snooping on the connection could see your files. To mount the Windows filesystem securely, you can establish an SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself is unencrypted it is secure because it travels through the encrypted SSH channel.

To create an SSH tunnel, an SSH client is configured to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not be the same as the remote port.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services provided that outgoing connections are allowed. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter which provides the organization a means of monitoring and controlling what the user sees through the web. The user may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If a user is able to connect to an external SSH server, it is possible for them to create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server. To access the remote web server the user would point their browser to http://localhost/.



Setup Diagram

SSH encrypted

On the left would be the regular CDC setup. Right would be how it will work with SSH Tunneling enabled.



The CDC Setup For my setup I have ISCDC for DB2 running on my laptop and using that as a source. For my target, I use ISCDC for Oracle running as a VM. I am using the Host-Only network option within VMware. Source: IP address: 192.168.28.1 or localhost IS CDC DB2 port: 10901 OS: Windows XP Database: DB2 V9.1.3



Access Manager Settings (Source)

Target: IP address: 192.168.28.129 IS CDC port: 11001 OS: Suse Linux Enterprise 10 Database: Oracle 10gr2



Access Manager Settings (Target)

Tools I used for SSH: There are 2 tools that I tried that can establish an SSH connection from my Windows XP into Unix/Linux. There are definitely other tools out there that can do SSH tunnel, its up to you what you want to use. First one is Putty, Putty has tools to do Telnet, Secure FTP and such. Next is Cygwin, Cygwin provides you with a Linux like environment for Windows. Both tools are either freeware or opensource. I installed all the features within Cygwin for this test. You definitely will not need all features, but for my test I wasnt sure what I needed so might as well install all of it. For MF customers, they need to download free IBM ported tools for z/OS to provide ssh functionality. IBM Ported tools for z/OS from: http://www-03.ibm.com/servers/eserver/zseries/zos/unix/port_tools.html Putty can be downloaded from: http://www.putty.org/ Cygwin can be downloaded from: http://www.cygwin.com/



Setup SSH (Putty): Open up Putty.exe. First thing youll see is the configuration window.

Click on + beside Connection/SSH. Then choose Tunnel.



Destination is shown as the target hostname/ip:port. So I put in the IP address of my target machine and the CDC listening port. Source port would be the local listening port. This local port has to be the same port as remote port. If different, ISCDC will not work with a failed to login message. Once done click on Add.



Then scroll up back to the Session screen and enter the Hostname/IP of the target server then click on Open.



This will establish a connection, authenticate your login id to that target box, as well as enable the listening port you defined on SSH Tunnel. So you should see this login screen. Enter your credentials.



Once that is done, open say a DOS prompt and run netstat an without quotes.

You will then see that you have a listener entry for localhost/127.0.01 and port 11001. So any process that will connect to localhost:11001 will be forwarded automatically into 192.168.28.129:11001. Setup SSH (Cygwin): Open up Cygwin.

If using Cygwin for the first time. I suggest creating a home directory first. So run: $ mkdir /home/yourusername



You needed the home folder so that ssh has a place to put hostname and key authentication information. Then run ssh L 11001:localhost:11001 [email protected] where 11001 = the listener port on your local machine localhost = the local machine (you can also use * to represent all IP addresses) 11001 = remote listening port for ISCDC [email protected] = login id@remote server Again you need to use the same port. Local port has to be the same as the CDC listening port. If running ssh for the first time you may see something similar to below.

Basically its just asking if you want to continue with the connection. If youve login to that server before, the screen will just ask you for a password to login.



Now you can open up your MS-DOS prompt again, you should see a process listening on 11001 for localhost.

IMPORTANT NOTE: The local listening port goes away once the ssh connection is disconnected.



z/OS setup: Once the customer downloads and install the IBM Ported tools for z/OS. They will now have an sshd (secure shell daemon) running. This will allow tools like Putty to connect through ssh to the MF. What we really need to do on this MF is to run the same ssh command, with the parameters of ssh -L port:host:hostport user@]hostname

But in order to run this we first need to ssh to mainframe. So using

my Putty on desktop.

No SSH Tunnel required.

Like any Unix machine you will see a login screen.



You may also want to make sure you can ping localhost and the target server. If it works then issue the ssh command. After logging in to the server, you may want to open up another session to verify the listening status. In case you were wondering why it 10401, its for a different CDC target but this was also created by ssh.



Access Manager Setup. Important Note: In case the Access Manager is on a different server from the source and target box. We also need to create an SSH tunnel from Access Manager server into the target box. So do the same steps you did from source server on configuring SSH local connection. This particular SSH connection on Access Manager is only required when using the GUI. Replication still uses the SSH connection defined on the source server. Now we need to setup a DataStore within Access Manager using localhost and the local port.

Make sure you can ping the agent. Associate this agent to a user. Then setup a subscription using this new agent and thats it.



Performance: In case you were wondering how the performance was with/without encryption. Small test of 500,000 rows using a table with around 850 bytes record length. Refresh only. With Encryption: 30 seconds Without Encryption: 23 seconds

Documents

How to Set Up SSH Tunneling With InfoSphere CDC