StarQuest Technical Documents

Preparing IBM i for use with SQDR Cloud Services

Last Update: 13 December 2016
Product: SQDR Plus
Version: 4.50 and later
Article ID: SQV00PL026

Abstract

This technical document describes preparing an in-house IBM i (iSeries) server for incremental replication using StarQuest Data Replicator (SQDR) running on a virtual machine running on a cloud service as Microsoft Azure or Amazon Web Services (AWS).

After completion of these tasks, refer to the technical document Configuring SQDR Cloud Services for information on configuring SQDR Plus and SQDR to connect to the IBM i server.

Solution

Enable SSL for host servers used by iAccess

To configure a System i host system to use the Secure Sockets Layer (SSL) protocol you must have the following components:

  • Digital Certificate Manager - option 34 of 5722-SS1 (v5r4), 5761-SS1 (6.1), or 5770-SS1(7.x)
  • TCP/IP Connectivity Utilities - 5722-TC1(v5r4), 5761-TC1 (6.1), or 5770-SS1 (7.x)
  • IBM HTTP Server - 5722-DG1 (v5r4), 5761-DG1 (6.1) or 5770-DG1 (7.x)

Following are general procedures for configuring SSL on the IBM i host. Refer to your IBM documentation for details, especially the IBM i product documentation and the IBM Redbook IBM iSeries Wired Network Security OS/400 V5R1 DCM and Cryptography Enhancements (GSG24-6168).

  1. Start the Admin HTTP instance. To verify that it is running, enter WRKACTJOB JOB(ADMIN). If it is not running, start it with STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN).
  2. Use a browser and the URL https://myas400:2001 to connect to the Digital Certificate Manager. On i 6.1 and later, this URL will redirect you to IBM Navigator for i, running on port 2005; from there, select IBM i Tasks Page to see the previous version of the 2001 port tasks, which includes the Digital Certificate Manager.
  3. Create a local Certificate Authority or obtain a certificate from a public Internet Certificate Authority.
  4. Create a *SYSTEM certificate store.
  5. Use Manage Applications to assign a server certificate to the iAccess/Java Toolbox host servers (Central Server, Database Server, Data Queue Server, Remote Command Server, Signon Server, Host Servers, File Server).

Export the Certificate Authority certificate for use by SQDR and SQDR Plus

  1. If you are using a local Certificate Authority, select Install Local CA Certificate on Your PC from the left column of tasks.  You may need to return to the main IBM Navigator for i page and re-enter DCM before the  Install Local CA Certificate to your PC option is visible.
  2. Select Copy and paste certificate; this will display the CA certificate in Base64-encoded ASCII data format.  Select the contents of the certificate (all of the text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----) and save it in a text file, to be used when configuring SQDR Plus and iAccess on the SQDR cloud service VM.

Create a router/firewall exception (port forwarding)

In a typical scenario, the IBM i server is located on an internal network protected by a router that acts as a firewall. Configure the router/firewall to allow incoming traffic from the SQDR cloud service VM (a single static IP address) that is then fowarded to the IBM i server for the TCP/IP ports used by iAccess and Java Toolbox SSL traffic:

  • 449 as-svrmap
  • 9470 as-central
  • 9471 as-database
  • 9473 as-file
  • 9475 as-rmtcmd
  • 9476 as-signon

Configure TCP/IP KeepAlive setting

To prevent connections between the IBM i Server and the SQDR cloud service VM from timing out, you may need to adjust the TCP/IP KeepAlive setting on the IBM i server. When SQDR is running on an Azure VM, we recommend setting KeepAlive to four minutes:

CHGTCPA TCPKEEPALV(4)

 

 

 


DISCLAIMER

The information in technical documents comes without any warranty or applicability for a specific purpose. The author(s) or distributor(s) will not accept responsibility for any damage incurred directly or indirectly through use of the information contained in these documents. The instructions may need to be modified to be appropriate for the hardware and software that has been installed and configured within a particular organization.  The information in technical documents should be considered only as an example and may include information from various sources, including IBM, Microsoft, and other organizations.