This is an optional configuration
To enable TLS 1.2 encryption in DSA data path for DM DSA jobs using DM self signed certificate, run the dsa_tlscert.py script available in packages directory under the dmdsa_TLSconfig directory.
- Both the source and the target systems must support TLSv1.2 encryption. To verify, run following command on the system: "openssl ciphers -v | grep TLS"
- Script needs to connect from the DM/DSC Daemon server to port 22 on source/target systems to copy files and run commands. Make sure ports are enabled.
- If port 22 does not open due to security reasons, please reach out to customer support for assistance with the manual configuration of DSA TLS 1.2 encryption enablement.
HELP: dsa_tlscert.py --source <source_TDPID> --source_username <source_system_username> --source_password <source_system_password>[/ --source_identity_file <identity_file>] --target <target_TDPID> --target_username <target_system_username> --target_password <target_system_password>[/ --target_identity_file <identity_file>] ] ] --help | --help Displays Help --source | --TDPIP/name of source system Source system name --source_username | --source sytem user that has sudo permission Ex: root, ec-user, azureuser, gcpuser --source_password | --Source sudo user password or --source_identity_file | --identity file that includes the private key ** --target | --TDPIP/name of Target system Target system name --target_usrname | --Target sytem user that has sudo permission Ex: root, ec-user, azureuser, gcpuser --target_password | --Target sudo user password or --target_identity_file | --identity file that includes the private key **
Example command: python3 dsa_tlscert.py --source sdt35178 --source_username root --source_password datamover --target sdt35179 --target_username root --target_password datamover
This script enables TLS 1.2 Encryption between source sss and target ttt using self-signed certificates for DM DSA jobs.
This script does not support an existing BAR DSA TLS 1.2 certificate on a shared clienthandler.
- Generate a new pair of self-signed certificates for source sss and target ttt.
- This generates the TLS 1.2 certificates for DSMAIN and clienthandler
- Copies clienthandler.properties to clienthandler.properties.dm_dsaTLS, with added TLS properties
- Runs enableTLS_dsc.sh script, which copies dsc.properties to dsc.properties.tls, with added TLS properties
This option overwrites the certificates on sss and ttt if it already exist.If one system has already been TLS 1.2 encrypted with another third system, choose option 2 or 3.
- Generate a new self-signed certificate for source sss and use existing DM generated self-signed certificate from target ttt.
- Use existing DM generated self-signed certificate from source sss and generate a new self-signed certificate for target ttt.
To finish TLS 1.2 encryption, perform the following manual steps when DSMAIN and clienthandler can be restarted:
- For the newly encrypted DSA system with clienthandler installed, copy clienthandler.properties.dm_dsaTLS to clienthandler.properties and restart clienthandler on all nodes
- If DSC is not previously TLS enabled, copy dsc.properties.tls to dsc.properties and restart DSC
- Reconfigure the newly encrypted DSA system using dsa_configsys or dsc commandline
To disable TLS 1.2 encryption:
- Edit dsc.properties to set tls.datapath.enabled=false
- Restart DSC
- Re-configure source system and restart dsmain, using dsa_configsys or dsc commandline
- Re-configure target system and restart dsmain, using dsa_configsys or dsc commandline.