SSH Tunnelling with InfoSphere CDC

Elmer Cecilio
[email protected]

Revision 0.1
 SSH Tunnelling with InfoSphere CDC

Background

Due to increasing customer requirements for security and governance; InfoSphere CDC
(ISCDC) is being asked by our customers to support encryption when ISCDC
communicates between source and target systems. Since ISCDC does not have built-
in encryption tools, we normally asks the customer to either use VPN (their own network
people will setup) or 3rd party hardware encryption/compression solutions. However
another option available is the use of SSH’s tunnelling or port forwarding feature.

This document will not go through the details of SSH, other features and setup. You can
use Google for that. In this example, SSH is enabled on my target Linux server. SSH is
normally included within the default install of Linux/Unix.

Here is a wiki explanation of SSH Tunnel.

SSH tunneling

An SSH tunnel is an encrypted tunnel created through an SSH protocol connection. SSH
tunnels may be used to tunnel unencrypted traffic over a network through an encrypted
channel. For example, Windows machines can share files using the SMB protocol, which
is not encrypted. If you were to mount a Windows filesystem remotely through the
Internet, someone snooping on the connection could see your files. To mount the
Windows filesystem securely, you can establish an SSH tunnel that routes all SMB traffic
to the remote fileserver through an encrypted channel. Even though the SMB protocol
itself is unencrypted it is secure because it travels through the encrypted SSH channel.

To create an SSH tunnel, an SSH client is configured to forward a specified local port to
a port on the remote machine. Once the SSH tunnel has been established, the user can
connect to the specified local port to access the network service. The local port need not
be the same as the remote port.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services
provided that outgoing connections are allowed. For example, an organization may
prohibit a user from accessing Internet web pages (port 80) directly without passing
through the organization's proxy filter which provides the organization a means of
monitoring and controlling what the user sees through the web. The user may not wish
to have their web traffic monitored or blocked by the organization's proxy filter. If a user
is able to connect to an external SSH server, it is possible for them to create an SSH
tunnel to forward a given port on their local machine to port 80 on a remote web server.
To access the remote web server the user would point their browser to http://localhost/.

Elmer Cecilio 19/02/2009 2 of 17

 SSH Tunnelling with InfoSphere CDC

Setup Diagram

d
te
yp
cr
en
H
SS
On the left would be the regular CDC setup. Right would be how it will work with SSH
Tunneling enabled.

Elmer Cecilio 19/02/2009 3 of 17

 SSH Tunnelling with InfoSphere CDC

The CDC Setup

For my setup I have ISCDC for DB2 running on my laptop and using that as a source.
For my target, I use ISCDC for Oracle running as a VM. I am using the Host-Only
network option within VMware.

Source:
IP address: 192.168.28.1 or localhost
IS CDC DB2 port: 10901
OS: Windows XP
Database: DB2 V9.1.3

Elmer Cecilio 19/02/2009 4 of 17

 SSH Tunnelling with InfoSphere CDC

Access Manager Settings (Source)

Target:

IP address: 192.168.28.129
IS CDC port: 11001
OS: Suse Linux Enterprise 10
Database: Oracle 10gr2

Elmer Cecilio 19/02/2009 5 of 17

 SSH Tunnelling with InfoSphere CDC

Access Manager Settings (Target)

Tools I used for SSH:

There are 2 tools that I tried that can establish an SSH connection from my Windows XP
into Unix/Linux. There are definitely other tools out there that can do SSH tunnel, its up
to you what you want to use. First one is Putty, Putty has tools to do Telnet, Secure
FTP and such. Next is Cygwin, Cygwin provides you with a Linux like environment for
Windows. Both tools are either freeware or opensource. I installed all the features
within Cygwin for this test. You definitely will not need all features, but for my test I
wasn’t sure what I needed so might as well install all of it.

For MF customers, they need to download free IBM ported tools for z/OS to provide ssh
functionality.

IBM Ported tools for z/OS from:

http://www-03.ibm.com/servers/eserver/zseries/zos/unix/port_tools.html

Putty can be downloaded from: http://www.putty.org/

Cygwin can be downloaded from: http://www.cygwin.com/

Elmer Cecilio 19/02/2009 6 of 17

 SSH Tunnelling with InfoSphere CDC

Setup SSH (Putty):

Open up Putty.exe. First thing you’ll see is the configuration window.

Click on + beside Connection/SSH. Then choose Tunnel.

Elmer Cecilio 19/02/2009 7 of 17

 SSH Tunnelling with InfoSphere CDC

Destination is shown as the target hostname/ip:port. So I put in the IP address of my

target machine and the CDC listening port.

Source port would be the local listening port. This local port has to be the same port as
remote port. If different, ISCDC will not work with a failed to login message.

Once done click on Add.

Elmer Cecilio 19/02/2009 8 of 17

 SSH Tunnelling with InfoSphere CDC

Then scroll up back to the Session screen and enter the Hostname/IP of the target
server then click on Open.

Elmer Cecilio 19/02/2009 9 of 17

 SSH Tunnelling with InfoSphere CDC

This will establish a connection, authenticate your login id to that target box, as well as
enable the listening port you defined on SSH Tunnel.

So you should see this login screen. Enter your credentials.

Elmer Cecilio 19/02/2009 10 of 17

 SSH Tunnelling with InfoSphere CDC

Once that is done, open say a DOS prompt and run “netstat –an” without quotes.

You will then see that you have a listener entry for localhost/127.0.01 and port 11001.
So any process that will connect to localhost:11001 will be forwarded automatically into
192.168.28.129:11001.

Setup SSH (Cygwin):

Open up Cygwin.

If using Cygwin for the first time. I suggest creating a home directory first. So run:

$ mkdir /home/yourusername

Elmer Cecilio 19/02/2009 11 of 17

 SSH Tunnelling with InfoSphere CDC

You needed the home folder so that ssh has a place to put hostname and key
authentication information.

Then run

ssh –L 11001:localhost:11001 [email protected]

where

11001 = the listener port on your local machine

localhost = the local machine (you can also use ‘*’ to represent all IP addresses)
11001 = remote listening port for ISCDC

[email protected] = login id@remote server

Again you need to use the same port. Local port has to be the same as the CDC
listening port.

If running ssh for the first time you may see something similar to below.

Basically its just asking if you want to continue with the connection.

If you’ve login to that server before, the screen will just ask you for a password to login.

Elmer Cecilio 19/02/2009 12 of 17

 SSH Tunnelling with InfoSphere CDC

Now you can open up your MS-DOS prompt again, you should see a process listening
on 11001 for localhost.

IMPORTANT NOTE: The local listening port goes away once the ssh connection
is disconnected.

Elmer Cecilio 19/02/2009 13 of 17

 SSH Tunnelling with InfoSphere CDC

z/OS setup:

Once the customer downloads and install the IBM Ported tools for z/OS. They will now
have an sshd (secure shell daemon) running. This will allow tools like Putty to connect
through ssh to the MF.

What we really need to do on this MF is to run the same ssh command, with the
parameters of

ssh -L port:host:hostport user@]hostname

But in order to run this we first need to ssh to mainframe. So using

my Putty on desktop.

No SSH Tunnel required.

Like any Unix machine you will see a login screen.

Elmer Cecilio 19/02/2009 14 of 17

 SSH Tunnelling with InfoSphere CDC

You may also want to make sure you can ping localhost and the target server. If it works
then issue the ssh command. After logging in to the server, you may want to open up
another session to verify the listening status. In case you were wondering why it
10401, its for a different CDC target but this was also created by ssh.

Elmer Cecilio 19/02/2009 15 of 17

 SSH Tunnelling with InfoSphere CDC

Access Manager Setup.

Important Note: In case the Access Manager is on a different server from the
source and target box. We also need to create an SSH tunnel from Access
Manager server into the target box. So do the same steps you did from source
server on configuring SSH local connection.

This particular SSH connection on Access Manager is only required when using
the GUI. Replication still uses the SSH connection defined on the source server.

Now we need to setup a DataStore within Access Manager using localhost and the local
port.

Make sure you can ping the agent. Associate this agent to a user. Then setup a
subscription using this new agent and that’s it.

Elmer Cecilio 19/02/2009 16 of 17

 SSH Tunnelling with InfoSphere CDC

Performance:

In case you were wondering how the performance was with/without encryption. Small
test of 500,000 rows using a table with around 850 bytes record length. Refresh only.

With Encryption: 30 seconds

Without Encryption: 23 seconds

Elmer Cecilio 19/02/2009 17 of 17