Instana U


Monitoring IBM i partition by using Instana with TLS connection

By Bikram Debnath posted Thu May 23, 2024 05:17 AM

  


Co-Authors: Aditya Dahiya, Steven Hansen 

  

Our daily life revolves around the internet: it gives us access to the information we need, but it also carries a great deal of sensitive data, and the cyber threats against that data keep growing. We therefore need to make sure that our data travels safely across the network. 

  

What is TLS? 

TLS stands for Transport Layer Security, a protocol that encrypts, protects the integrity of, and authenticates communications over an untrusted network such as the internet. 

The main use case for TLS is securing communications between a client and a server, but it can also secure email, VoIP, and other communications over unsecured networks. 

  

How does TLS work? 

The following are the essential principles to grasp to understand how TLS/SSL works: 

  1. Secure communication begins with a TLS handshake, in which the two parties agree on a protocol version and cipher suite, the server presents its certificate (which carries its public key), and key-exchange material is sent in both directions. 

  2. During the TLS handshake, the two parties derive session keys from that key exchange. These session keys encrypt and decrypt all communications after the handshake. 

  3. Different session keys are used to encrypt communications in each new session. 

  4. TLS ensures that the party on the server side, or the website the user is interacting with, is actually who it claims to be: the client validates the server certificate against a CA certificate that it already trusts, which is exactly what the cacerts truststore described later in this post is for. 

  5. TLS also ensures that data is not altered in transit, by including a message authentication code (MAC) or, with AEAD cipher suites, an authentication tag with each record. 

With TLS, both the HTTP data that users send to a website (by clicking, filling out forms, and so on) and the HTTP data that the website sends back are encrypted. Only a recipient that holds the session key can decrypt the data. 

  

This blog focuses on the configurations that must be done to enable TLS while trying to remotely monitor an IBM i partition. 


Using Digital certificates 

Digital certificates enable secure communications for Instana by using Transport Layer Security (TLS) between the remote host agent and the IBM i system. IBM Digital Certificate Manager for i (DCM) is used to configure and manage the digital certificates. 

Digital certificates can come from either of the following two sources:  

  • A local certificate authority (CA) on the IBM i, created by using DCM. The local CA certificate itself is self-signed, so every client, including the Instana agent, must be given a copy of it explicitly before it trusts the server certificates that the local CA signs.  

  • A public internet CA operated by a third party. The same public internet CA certificate needs to be present in the truststore on the client side.  

To use a server certificate that is signed by the local IBM i CA, the Instana agent needs a copy of the local CA certificate; for the procedure, see Obtaining a copy of the private CA certificate. 

To use a public internet CA, see Managing public Internet certificates for TLS communications sessions for how to create a certificate request, send it to the public CA, receive the signed certificate, import it, and assign it to application IDs. 

The DCM tool can be used to either download the certificate into your browser or copy the local CA certificate into a file so that other client software can access and use it. 

Prerequisites for DCM are provided in Starting-Digital-Certificate-Manager. 

DCM can be accessed through IBM Navigator for i or directly through a browser.  

To access the DCM page from a browser, use your IBM i system name or IP address in any one of the following URLs: 

  • http://<IBM i name or IP address>:2006/dcm 

  • https://<IBM i name or IP address>:2007/dcm 

Note: TLS is not enabled for DCM by default, so the port 2006 URL carries the DCM session, including the credentials you sign on with, in cleartext. Enable TLS for DCM and use the port 2007 URL before you administer certificates over a network that you do not fully trust.  

See Digital Certificate Manager for i (DCM) for instructions to enable TLS for DCM on IBM i. 

 

To set up and configure certificates, complete the following steps: 

  1. Create a certificate authority (CA) and system store.

  2. Create a self-signed local CA certificate or import a public Internet CA certificate.

  3. Create a server certificate that is signed by the CA certificate.

  4. Assign the server certificate to application definitions by using DCM. The following application definitions are used by Db2 for i and IBM Toolbox for Java; Instana uses a subset of them: 

    • QIBM_OS400_QZBS_SVR_CENTRAL
    • QIBM_OS400_QZBS_SVR_DATABASE
    • QIBM_OS400_QZBS_SVR_DTAQ (not used for Instana) 
    • QIBM_OS400_QZBS_SVR_NETPRT (not used for Instana) 
    • QIBM_OS400_QZBS_SVR_RMTCMD 
    • QIBM_OS400_QZBS_SVR_SIGNON 
    • QIBM_OS400_QZBS_SVR_FILE (not used for Instana) 
    • QIBM_OS400_QRW_SVR_DDM_DRDA 

  5. If a private local CA certificate is used, obtain a copy of the local CA certificate that signed the server certificate and import that copy into the truststore of the Instana remote host agent.

  6. If a public Internet CA certificate is used, import a copy of the public CA certificate into the truststore of the Instana remote host agent.

  7. Assign the server or client certificate to applications.

For more information, see Setting-Up-Certificates-First-Time.

To assign a certificate to application definitions, see Managing-certificate-assignment-for-an-application. 

Note: When prompted to select the certificate store, choose *SYSTEM certificate store.

If the server presents a certificate from a private local CA, you must use Digital Certificate Manager (DCM) to obtain a copy of the local CA certificate.

To obtain a copy of the private CA certificate, see Obtaining-copy-of-the-private-CA-certificate.


Steps to enable TLS (the sslEnabled property) in the agent:

Navigate to the server or machine where you installed, or are planning to install, the agent, and complete the following steps:

  1. Place the CA.crt certificate file in any folder on the server or machine where the agent runs.
    Note: CA.crt is the certificate of the CA (the local IBM i CA or the public CA) that signed the server certificate of the IBM i partition, obtained as described in the previous section. It is the CA certificate, not the server certificate, that goes into the truststore.
     
  2. For the agent to trust that certificate, it must be part of the cacerts file of the JVM that actually runs the agent, so check which Java installation the agent uses before you pick one of the sample paths below.
    To import the certificate into the
    cacerts file, run the following command from the terminal:
    keytool -importcert -trustcacerts -alias ALIAS_NAME -keystore "/path/to/jre/cacerts" -file CA.crt
    (-import is the older spelling of -importcert and still works.)

    The following parameters are used in the previous command:  

    ALIAS_NAME   Name under which the certificate is stored in the cacerts file 
    CA.crt       The certificate file that you received from your trusted source or partner 

    Sample paths to the cacerts file: 

    macOS     /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre/lib/security/cacerts 
    Windows   %JAVA_HOME%\jre\lib\security\cacerts 
    Linux     /etc/ssl/certs/java/cacerts 

    The jre/lib/security locations apply to Java 8; from Java 9 onward the file is at lib/security/cacerts under the Java home. 

    Note: The cacerts file is a truststore: it holds the CA certificates that the JVM trusts, and the agent validates the certificate chain that the IBM i partition presents against it to verify that the remote server is who it claims to be.
  3. keytool prompts for the keystore password (the default is changeit) and then asks whether to trust the certificate; answer yes. The default password is public knowledge, so it protects only the integrity of the file, not its confidentiality, which is acceptable for a truststore that holds no private keys. No terminal restart is needed; the agent reads the updated truststore when it is started in step 6.

  4. To verify that the certificate was added to the cacerts file, run the following command (the -alias option limits the output to your entry):
    keytool -list -v -keystore /path/to/keystore -alias ALIAS_NAME 

    On success, the listing shows the alias with Entry type: trustedCertEntry, followed by the certificate's Owner, Issuer, validity period, and fingerprints. Compare the SHA-256 fingerprint with that of the CA.crt file you received to make sure the right certificate was imported.

  5. In the agent configuration file (the configuration.yaml file in the etc/instana directory of the agent installation, which in this setup is /Instana/agent-installer/instana-agent/etc/instana), make sure that the sslEnabled property of the IBM i sensor configuration is set to true. If the property is absent, the default value is false, and the agent connects over the cleartext ports. 
    The following sample configuration snippet depicts the attribute in the configuration:



    Note: If you set sslEnabled to true, the CA certificate must be present in the cacerts file of the JVM that runs the agent; otherwise the TLS handshake between the agent and the IBM i partition fails (in Java, typically reported as a PKIX path building failure) and the agent cannot collect data from the partition.
    For more information, see IBM i Configuration 
     

  6. Now, start the agent. With sslEnabled set to true and the CA certificate trusted, the connection between the Instana agent and the IBM i partition is protected by TLS. 

  7. Validate that the agent connects to the TLS ports of the IBM i host servers rather than the cleartext ports. For the host servers that Toolbox for Java uses, the TLS port is the cleartext port plus 1000 (for example 9471 instead of 8471 for the database server, and 9476 instead of 8476 for sign-on), and DRDA/DDM uses port 448 instead of 446. 

    Note: For more information about what server ports are used by Toolbox for Java, visit IBM Support. 
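As an added, end-to-end example (this script is not part of the original post and is not Instana's own tooling), the following POSIX shell script carries out steps 1 to 7 above on the agent machine and, through its openssl check, also makes the certificate-validation principle from the "How does TLS work?" section concrete: it finds the cacerts file of the JVM that runs the agent, imports CA.crt as a trusted entry, confirms that the entry is a trustedCertEntry, checks that sslEnabled is true in the agent configuration, and connects to the IBM i host-server TLS ports to see whether the presented certificate chains to CA.crt. Assumptions that do not come from the page: keytool and openssl are on PATH; the JAVA_HOME of the agent's JVM, the IBM i host name and the path to CA.crt are passed as arguments; the alias name ibmi-ca is a placeholder; and in the constructed sample configuration only the sslEnabled key is taken from the post, while the surrounding keys are assumed to follow the Instana IBM i sensor documentation and must be checked against it.

```shell
#!/bin/sh
# Added example, not from the original post or from Instana: import the IBM i
# CA certificate into the truststore of the JVM that runs the Instana agent,
# check the agent configuration, and confirm that the IBM i host-server TLS
# ports present a certificate that chains to that CA.
# Assumptions (not from the page): keytool and openssl are on PATH; the alias
# "ibmi-ca" and all sample configuration keys except sslEnabled are placeholders.
set -u

# The cacerts location depends on the JVM layout: Java 8 keeps it under
# jre/lib/security, Java 9 and later under lib/security. Prints the path
# that exists; returns 1 if neither does.
cacerts_path() {   # java_home
    for _p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$_p" ]; then printf '%s\n' "$_p"; return 0; fi
    done
    return 1
}

# TLS port of an IBM i host server: cleartext port + 1000; DRDA/DDM uses 448.
tls_port_for() {   # service name
    case $1 in
        central)  echo 9470 ;;
        database) echo 9471 ;;
        dtaq)     echo 9472 ;;
        file)     echo 9473 ;;
        netprt)   echo 9474 ;;
        rmtcmd)   echo 9475 ;;
        signon)   echo 9476 ;;
        ddm|drda) echo 448 ;;
        *)        return 1 ;;
    esac
}

# Import CA.crt as a trusted entry. -noprompt answers the "Trust this
# certificate?" question; the store password defaults to changeit.
import_ca() {   # store alias crt [password]
    keytool -importcert -noprompt -trustcacerts -alias "$2" \
        -keystore "$1" -storepass "${4:-changeit}" -file "$3"
}

# Succeeds only if the alias is present and is a trustedCertEntry.
verify_alias() {   # store alias [password]
    keytool -list -keystore "$1" -storepass "${3:-changeit}" -alias "$2" 2>/dev/null |
        grep -q trustedCertEntry
}

# sslEnabled defaults to false when absent, so require an explicit "true".
config_ssl_enabled() {   # configuration.yaml
    grep -Eq '^[[:space:]]*sslEnabled:[[:space:]]*true[[:space:]]*$' "$1"
}

# openssl s_client prints "Verify return code: 0 (ok)" only when the server's
# chain validated against the -CAfile; any other code corresponds to the
# handshake failure the agent's JVM would hit with the same truststore.
handshake_ok() {   # reads s_client output on stdin
    grep -q 'Verify return code: 0 (ok)'
}

check_tls_port() {   # host service ca.crt
    _port=$(tls_port_for "$2") || { echo "unknown service: $2" >&2; return 2; }
    openssl s_client -connect "$1:$_port" -servername "$1" -CAfile "$3" \
        </dev/null 2>/dev/null | handshake_ok
}

# Constructed sample of the IBM i sensor section of etc/instana/configuration.yaml.
# Only sslEnabled is taken from the post; the other keys are assumed placeholders.
write_sample_config() {   # path
    cat >"$1" <<'EOF'
com.instana.plugin.ibmi:
  remote:
    - host: 'ibmi.example.com'
      user: 'instana'
      password: 'changeme'
      sslEnabled: true
EOF
}

# Usage: sh ibmi_tls.sh JAVA_HOME IBMI_HOST CA.crt [configuration.yaml]
if [ $# -ge 3 ]; then
    store=$(cacerts_path "$1") || { echo "no cacerts under $1" >&2; exit 1; }
    import_ca "$store" ibmi-ca "$3"
    verify_alias "$store" ibmi-ca || { echo "ibmi-ca missing from $store" >&2; exit 1; }
    [ $# -lt 4 ] || config_ssl_enabled "$4" || echo "warning: sslEnabled is not true in $4" >&2
    for svc in signon central database rmtcmd drda; do
        if check_tls_port "$2" "$svc" "$3"; then echo "$svc: TLS ok"; else echo "$svc: FAILED"; fi
    done
fi
```

Run it as sh ibmi_tls.sh /path/to/agent/jvm ibmi.example.com ./CA.crt [configuration.yaml]. Any service that prints FAILED means the chain presented on that port did not validate against CA.crt, which is the same failure the agent would hit with sslEnabled set to true, so fix the certificate assignment in DCM or the imported CA before starting the agent.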







           

     
