How To Set Up SSH Tunneling With InfoSphere CDC PDF
How To Set Up SSH Tunneling With InfoSphere CDC PDF
How To Set Up SSH Tunneling With InfoSphere CDC PDF
Elmer Cecilio
ececilio@ca.ibm.com
Revision 0.1
SSH Tunnelling with InfoSphere CDC
Background
Due to increasing customer requirements for security and governance; InfoSphere CDC
(ISCDC) is being asked by our customers to support encryption when ISCDC
communicates between source and target systems. Since ISCDC does not have built-
in encryption tools, we normally asks the customer to either use VPN (their own network
people will setup) or 3rd party hardware encryption/compression solutions. However
another option available is the use of SSH’s tunnelling or port forwarding feature.
This document will not go through the details of SSH, other features and setup. You can
use Google for that. In this example, SSH is enabled on my target Linux server. SSH is
normally included within the default install of Linux/Unix.
SSH tunneling
An SSH tunnel is an encrypted tunnel created through an SSH protocol connection. SSH
tunnels may be used to tunnel unencrypted traffic over a network through an encrypted
channel. For example, Windows machines can share files using the SMB protocol, which
is not encrypted. If you were to mount a Windows filesystem remotely through the
Internet, someone snooping on the connection could see your files. To mount the
Windows filesystem securely, you can establish an SSH tunnel that routes all SMB traffic
to the remote fileserver through an encrypted channel. Even though the SMB protocol
itself is unencrypted it is secure because it travels through the encrypted SSH channel.
To create an SSH tunnel, an SSH client is configured to forward a specified local port to
a port on the remote machine. Once the SSH tunnel has been established, the user can
connect to the specified local port to access the network service. The local port need not
be the same as the remote port.
SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services
provided that outgoing connections are allowed. For example, an organization may
prohibit a user from accessing Internet web pages (port 80) directly without passing
through the organization's proxy filter which provides the organization a means of
monitoring and controlling what the user sees through the web. The user may not wish
to have their web traffic monitored or blocked by the organization's proxy filter. If a user
is able to connect to an external SSH server, it is possible for them to create an SSH
tunnel to forward a given port on their local machine to port 80 on a remote web server.
To access the remote web server the user would point their browser to http://localhost/.
Setup Diagram
d
te
yp
cr
en
H
SS
On the left would be the regular CDC setup. Right would be how it will work with SSH
Tunneling enabled.
For my setup I have ISCDC for DB2 running on my laptop and using that as a source.
For my target, I use ISCDC for Oracle running as a VM. I am using the Host-Only
network option within VMware.
Source:
IP address: 192.168.28.1 or localhost
IS CDC DB2 port: 10901
OS: Windows XP
Database: DB2 V9.1.3
Target:
IP address: 192.168.28.129
IS CDC port: 11001
OS: Suse Linux Enterprise 10
Database: Oracle 10gr2
There are 2 tools that I tried that can establish an SSH connection from my Windows XP
into Unix/Linux. There are definitely other tools out there that can do SSH tunnel, its up
to you what you want to use. First one is Putty, Putty has tools to do Telnet, Secure
FTP and such. Next is Cygwin, Cygwin provides you with a Linux like environment for
Windows. Both tools are either freeware or opensource. I installed all the features
within Cygwin for this test. You definitely will not need all features, but for my test I
wasn’t sure what I needed so might as well install all of it.
For MF customers, they need to download free IBM ported tools for z/OS to provide ssh
functionality.
Source port would be the local listening port. This local port has to be the same port as
remote port. If different, ISCDC will not work with a failed to login message.
Then scroll up back to the Session screen and enter the Hostname/IP of the target
server then click on Open.
This will establish a connection, authenticate your login id to that target box, as well as
enable the listening port you defined on SSH Tunnel.
Once that is done, open say a DOS prompt and run “netstat –an” without quotes.
You will then see that you have a listener entry for localhost/127.0.01 and port 11001.
So any process that will connect to localhost:11001 will be forwarded automatically into
192.168.28.129:11001.
Open up Cygwin.
If using Cygwin for the first time. I suggest creating a home directory first. So run:
$ mkdir /home/yourusername
You needed the home folder so that ssh has a place to put hostname and key
authentication information.
Then run
where
Again you need to use the same port. Local port has to be the same as the CDC
listening port.
If running ssh for the first time you may see something similar to below.
Basically its just asking if you want to continue with the connection.
If you’ve login to that server before, the screen will just ask you for a password to login.
Now you can open up your MS-DOS prompt again, you should see a process listening
on 11001 for localhost.
IMPORTANT NOTE: The local listening port goes away once the ssh connection
is disconnected.
z/OS setup:
Once the customer downloads and install the IBM Ported tools for z/OS. They will now
have an sshd (secure shell daemon) running. This will allow tools like Putty to connect
through ssh to the MF.
What we really need to do on this MF is to run the same ssh command, with the
parameters of
You may also want to make sure you can ping localhost and the target server. If it works
then issue the ssh command. After logging in to the server, you may want to open up
another session to verify the listening status. In case you were wondering why it
10401, its for a different CDC target but this was also created by ssh.
Important Note: In case the Access Manager is on a different server from the
source and target box. We also need to create an SSH tunnel from Access
Manager server into the target box. So do the same steps you did from source
server on configuring SSH local connection.
This particular SSH connection on Access Manager is only required when using
the GUI. Replication still uses the SSH connection defined on the source server.
Now we need to setup a DataStore within Access Manager using localhost and the local
port.
Make sure you can ping the agent. Associate this agent to a user. Then setup a
subscription using this new agent and that’s it.
Performance:
In case you were wondering how the performance was with/without encryption. Small
test of 500,000 rows using a table with around 850 bytes record length. Refresh only.