Security Guide > Domain Security > Secure Communication Within the Domain

Secure Communication Within the Domain

You can use the Secure Communication option to secure the connection between services and between services and the service managers in the domain. Additionally, you can enable security for workflows and use secure databases for the repositories that you create in the domain.

After you secure the domain, configure the Informatica client applications to work with a secure domain.

Default Directory for Keystore and Truststore

The Informatica deployment includes default keystore and truststore files in the following default directory:

<Informatica installation directory>\services\shared\security

Informatica recommends that you use the default keystore and truststore only for setup and proof-of-concept use cases.

To secure a production environment, use the following guidelines:

•When you configure secure communication, do not modify, replace, or delete files in the default directory:

<Informatica installation directory>\services\shared\security

•You cannot use the default keystore and truststore to configure other services or clients.
•Configure a custom keystore and truststore for secure communication in a location other than the default directory.
•If you replaced the default Informatica keystore and truststore files with custom keystore and truststore files in the previous Informatica installation directory structure, you must run the infasetup UpdateGatewayNode command to update the locations of the custom keystore and truststore for the domain.

Secure Communication for Services and the Service Manager

You can configure secure communication within the domain during installation. After installation, you can configure secure communication for the domain on the Administrator tool or from the command line.

Informatica provides an SSL certificate that you can use to secure the domain. However, you should provide a custom SSL certificate for domains that require a higher level of security, such as a domain in a production environment. Specify the keystore and truststore files that contain the SSL certificates you want to use.

Note: Informatica provides SSL certificates for evaluation purposes. If you do not provide an SSL certificate, Informatica uses the same default private key for all Informatica installations. The security of your domain could be compromised. Provide an SSL certificate to ensure a high level of security for the domain. The certificate that you provide can be self-signed or from a certificate authority (CA).

When you configure secure communication for the domain, you secure the connections between the following components:

•The Service Manager and all services running in the domain
•The Data Integration Service and the Model Repository Service
•The Data Integration Service and the workflow processes
•The PowerCenter Integration Service and the PowerCenter Repository Service
•The domain services and the Informatica client tools and command line programs

Requirements for Secure Communication within the Domain

Before you enable secure communication within the domain, ensure that the following requirements are met:

You created a certificate signing request (CSR) and private key.: You can use keytool or OpenSSL to create the CSR and private key.; If you use RSA encryption, you must use more than 512 bits.

You have a signed SSL certificate.: The certificate can be self-signed or CA signed. Informatica recommends a CA signed certificate.

You imported the certificate into keystores.: You must have a keystore in PEM format named infa_keystore.pem and a keystore in JKS format named infa_keystore.jks.; The keystore files must contain the root and intermediate SSL certificates.

You imported the certificate into truststores.: You must have a truststore in PEM format named infa_truststore.pem and a truststore in JKS format named infa_truststore.jks.; The truststore files must contain the root, intermediate, and end user SSL certificates.

The keystores and truststores are in the correct directory.: If you enable secure communication during installation, the keystore and truststore must be in a directory that is accessible to the installer.; If you enable secure communication after installation, the keystore and truststore must be in a directory that is accessible to the command line programs.

You enforced the HTTP Strict Transport Security (HSTS) response header.: You can choose to enable HSTS response header in your domain to prevent man-in-the-middle (MITM) security threats. If you enable HSTS response header, you can stop HTTP redirects to HTTPS and ensure that only secured URLs (HTTPS) are accessed.; To enable this option, set the INFA_HSTS_HEADER_ENABLED environment variable to true and import the certificates from infa_truststore and Informatica Administrator keystore to your browser.

Guidelines for Using Default and Custom Truststore Files

The installer places the default infa_truststore.jks and keystore files in the <Informatica installation directory>/services/shared/security directory on each node. You can use the default truststore for setup and proof-of-concept, but the default truststore and keystore files provide limited security. For production, Informatica recommends using custom truststore and keystore files for more secure communication and SAML authentication.

Place custom truststore and keystore files in a custom directory. The truststore file name must be infa_truststore.jks.

Do not overwrite, delete or move the default truststore and keystore files. Do not place custom truststore and keystore files in the <Informatica installation directory>/services/shared/security directory

When you create an alias for new certificates and private keys, do not use the default "Informatica LLC" name, which is used by the default truststore and keystore files.

Guidelines for Creating Certificates and Custom Truststore and Keystore Files

You can use the Java keytool key and certificate management utility to create an SSL certificate or a certificate signing request (CSR) as well as keystores and truststores in JKS format.

The keytool is available in the following directory on domain nodes:

<Informatica installation directory>\java\bin

If the domain nodes run on AIX, you can use the keytool provided with the IBM JDK to create an SSL certificate or a Certificate Signing Request (CSR) as well as keystores and truststores:

1. Copy the certificate files to a local folder on a gateway node within the Informatica domain.
2. From the command line, go to the location of the keytool utility on the node.
3. Run the keytool utility to import the certificate.
4. Restart the node.

Next Steps

For more information about how to create a custom keystore and truststore and import certificates in your browser, see the Informatica How-To Library article How to Create Keystore and Truststore Files for Secure Communication in the Informatica Domain: https://docs.informatica.com/data-quality-and-governance/data-quality/h2l/0700-how-to-create-keystore-and-truststore-files-for-secure-comm/abstract.html

After you secure the domain, configure the Informatica client applications to work with a secure domain.

Enabling Secure Communication for the Domain from the Command Line

Use the infacmd and infasetup commands to enable secure communication for the domain. After you enable secure communication, you must restart the domain for the change to take effect.

To use your SSL certificate files, specify the keystore files when you run the infasetup command.

To configure secure domain communication from the command line, use the following commands:

infacmd isp UpdateDomainOptions: Use the UpdateDomainOptions command to set the secure communication mode for the domain.
infasetup UpdateGatewayNode: Use the UpdateGatewayNode command to enable secure communication for the Service Manager on a gateway node in a domain. If the domain has multiple gateway nodes, run the UpdateGatewayNode command on each gateway node.
infasetup UpdateWorkerNode: Use the UpdateWorkerNode command to enable secure communication for the Service Manager on a worker node in a domain. If the domain has multiple worker nodes, run the UpdateWorkerNode command on each worker node.

1. Verify that the domain you want to secure is running.

2. Update the domain.

Run the following command with the required options and arguments:

- Windows: infacmd isp UpdateDomainOptions
- UNIX: infacmd.sh isp UpdateDomainOptions

To configure secure communication for the domain, include the following option when you run the infacmd command:

Option	Argument	Description
-DomainOptions -do	option_name=value	Set the following option to configure secure communication for the domain: TLSMode=True

3. Shut down the domain.

The domain must be shut down before you run the infasetup commands.

4. Run infasetup with the required options and arguments.

Enter the following command:

- Windows: infasetup UpdateGatewayNode or infasetup UpdateWorkerNode
- UNIX: infasetup.sh UpdateGatewayNode or infasetup.sh UpdateWorkerNode

To configure secure communication on the nodes, run the commands with the following options:

Option	Argument	Description
-EnableTLS -tls	enable_tls	Configures secure communication for the services in the Informatica domain.
-NodeKeystore -nk	node_keystore_directory	Optional if you use the default SSL certificate from Informatica. Required if you use your SSL certificate. Directory that contains the keystore files. The Informatica domain requires the SSL certificate in PEM format and in Java Keystore (JKS) files. The directory must contain keystore files in PEM and JKS formats. The keystore files must be named infa_keystore.jks and infa_keystore.pem You can use the same keystore file for multiple nodes.
-NodeKeystorePass -nkp	node_keystore_password	Optional if you use the default SSL certificate from Informatica. Required if you use your SSL certificate. Password for the infa_keystore.jks file.
-NodeTruststore -nt	node_truststore_directory	Optional if you use the default SSL certificate from Informatica. Directory that contains the truststore files. You can use the same truststore file for multiple nodes.
-NodeTruststorePass -ntp	node_truststore_password	Optional if you use the default SSL certificate from Informatica. Password for the infa_truststore.jks file.

5. Run the infasetup command on each node in the domain.

If you have multiple gateway nodes in the domain, run infasetup UpdateGatewayNode on each gateway node. If you have multiple worker nodes, run infasetup UpdateWorkerNode on each worker node. You must use the same keystore files for all nodes in the domain.

6. Restart the domain.

Enabling Secure Communication for the Domain in the Administrator Tool

You can use the Administrator tool to enable secure communication for the domain. When you enable secure communication in the Administrator tool, you must also run infasetup commands to update the nodes.

When you enable the Secure Communication option in the Administrator tool, you also need to run the infasetup command to update Informatica configuration files on each node. To specify the SSL certificate files to use, specify the keystore files when you run the infasetup command.

To update the Informatica configuration files on each node, use the following commands:

infasetup UpdateGatewayNode: Use the UpdateGatewayNode command to enable secure communication for the Service Manager on a gateway node in a domain. If the domain has multiple gateway nodes, run the UpdateGatewayNode command on each gateway node.
infasetup UpdateWorkerNode: Use the UpdateWorkerNode command to enable secure communication for the Service Manager on a worker node in a domain. If the domain has multiple worker nodes, run the UpdateWorkerNode command on each worker node.

To enable secure domain communication from the Administrator tool, perform the following steps:

1. On the Administrator tool, select the domain.

2. In the contents panel, click the Properties view.

3. Go to the General Properties section and click Edit.

4. On the Edit General Properties window, select Enable Secure Communication.

5. Click OK

6. Shut down the domain.

The domain must be shut down before you run the infasetup commands.

7. Run infasetup with the required options and arguments.

Enter the following command:

- Windows: infasetup UpdateGatewayNode or infasetup UpdateWorkerNode
- UNIX: infasetup.sh UpdateGatewayNode or infasetup.sh UpdateWorkerNode

To configure secure communication on the nodes, run the commands with the following options:

Option	Argument	Description
-EnableTLS -tls	enable_tls	Configures secure communication for the services in the Informatica domain.
-NodeKeystore -nk	node_keystore_directory	Optional if you use the default SSL certificate from Informatica. Required if you use your SSL certificate. Directory that contains the keystore files. The Informatica domain requires the SSL certificate in PEM format and in Java Keystore (JKS) files. The directory must contain keystore files in PEM and JKS formats. The keystore files must be named infa_keystore.jks and infa_keystore.pem You can use the same keystore file for multiple nodes.
-NodeKeystorePass -nkp	node_keystore_password	Optional if you use the default SSL certificate from Informatica. Required if you use your SSL certificate. Password for the infa_keystore.jks file.
-NodeTruststore -nt	node_truststore_directory	Optional if you use the default SSL certificate from Informatica. Directory that contains the truststore files. You can use the same truststore file for multiple nodes.
-NodeTruststorePass -ntp	node_truststore_password	Optional if you use the default SSL certificate from Informatica. Password for the infa_truststore.jks file.

8. Run the infasetup command on each node in the domain.

9. Restart the domain.

Configuring the Informatica Client Applications to Work with a Secure Domain

When you enable secure communication within the domain, you also secure connections between the domain and Informatica client applications, such as the Developer tool. You might need to specify the location and password for the truststore files that you use to secure the domain in environment variables. You set the environment variables on machines hosting client applications that access services within the domain.

SSL certificates that are used to secure an Informatica domain are contained in truststore files named infa_truststore.jks and infa_truststore.pem. The truststore files must be available on each client host.

You might need to set the following environment variables on each client host:

INFA_TRUSTSTORE: Set this variable to the directory that contains the infa_truststore.jks and infa_truststore.pem truststore files.

INFA_TRUSTSTORE_PASSWORD: Set this variable to the password for the truststore. The password must be encrypted. Use the command line program pmpasswd to encrypt the password.

Informatica provides an SSL certificate in default truststore files that you can use to secure the domain. When you install the Informatica clients, the installer sets the environment variables and installs the truststore files in the following directory by default: <Informatica installation directory>\clients\shared\security

If you use the default Informatica SSL certificate, and the infa_truststore.jks and infa_truststore.pem files are in the default directory, you do not need to set the INFA_TRUSTSTORE or INFA_TRUSTSTORE_PASSWORD environment variables.

You must set the INFA_TRUSTSTORE and INFA_TRUSTSTORE_PASSWORD environment variables on each client host in the following scenarios:

You use a custom SSL certificate to secure the domain.
You replace the default Informatica truststore files with your own truststore files in the default directory.: If you replace the default the infa_truststore.jks and infa_truststore.pem truststore files with your own truststore files in the default Informatica directory, you must specify the truststore password. The truststore files must have the same filenames as the default truststore files.
You use the default Informatica SSL certificate, but the truststore files are not in the default Informatica directory.: If you use the default Informatica SSL certificate, but the default infa_truststore.jks and infa_truststore.pem truststore files are not in the default directory, you must specify the location of the files and the truststore password.

Secure Domain Configuration Repository Database

The Informatica domain configuration repository stores configuration information and user account privileges and permissions. When you create an Informatica domain, you must create a domain configuration repository.

You can create a domain configuration repository on a database that is secured with the SSL protocol. The SSL protocol uses SSL certificates stored in a truststore file. Access to the secure database access requires a truststore that contains the certificates for the database.

You can create a secure domain configuration repository database when you install the Informatica services and create a domain. For more information about configuring a secure domain configuration repository during installation, see the Informatica installation guides.

After installation, you can configure a secure domain configuration repository database from the command line.

Note: Before you configure a secure domain configuration repository database after installation, you must enable secure communication for the domain.

You can create a secure domain configuration repository on the following databases:

•Oracle
•Microsoft SQL Server
•IBM DB2

Configuring a Secure Domain Configuration Repository Database

After installation, you can change the domain configuration repository to a secure database. You can use a secure domain configuration repository database only if you enable secure communication for the domain.

You must shut down the domain before you change the domain configuration repository database. Use the infasetup command to back up the domain configuration repository database and to restore it in a secure database. When you restore the domain configuration repository in the secure database, specify the security parameters for the secure database. Then update the gateway node with the domain configuration repository information.

To back up and restore the repository database and update the gateway node, use the following commands:

infasetup BackupDomain: Use the BackupDomain option to back up data from the domain configuration repository database.
infasetup RestoreDomain: Use the RestoreDomain option to restore domain configuration repository data to a secure database.
infasetup UpdateGatewayNode: Use the UpdateGatewayNode option update the domain configuration repository settings in the gateway nodes of the domain.

To change the domain configuration repository to a secure database, complete the following steps:

1. Verify that secure communication is enabled for the domain.

The domain must be secure before you can use a secure database for the domain configuration repository.

2. Shut down the domain.

3. Run the infasetup BackupDomain command and specify the database connection information.

When you run the BackupDomain command, infasetup backs up most of the domain configuration database tables to the file name you specify.

Note: If the infasetup backup or restore command fails with a Java memory error, increase the system memory available for infasetup. To increase system memory, set the -Xmx value in the INFA_JAVA_CMD_OPTS environment variable.

4. Use the database backup utility to manually back up additional repository tables that the infasetup command does not back up.

Back up the contents of the following table:

- ISP_RUN_LOG

5. To restore the domain configuration repository in the secure database, run the infasetup RestoreDomain command and specify the database connection information.

In addition to the connection information, specify the following options required for the secure database:

Option	Argument	Description
-DatabaseTlsEnabled -dbtls	database_tls_enabled	Required. Indicates whether the database into which the domain configuration repository will be restored is a secure database. Set this option to True.
-DatabaseTruststoreLocation -dbtl	database_truststore_location	Required. Path and file name of the truststore file that contains the SSL certificate for the database.
-DatabaseTruststorePassword -dbtp	database_truststore_password	Required. Password for the database truststore file for the secure database.

In the connection string, include the following security parameters:

EncryptionMethod
ValidateServerCertificate
HostNameInCertificate
cryptoProtocolVersion

6. Use the database restore utility to restore the repository tables that you manually backed up.

Restore the following table:

- ISP_RUN_LOG

7. To update the nodes in the domain with information about the secure domain configuration repository, run the infasetup UpdateGatewayNode command and specify the secure database connection information.

In addition to the node options, specify the following options required for the secure database:

Option	Argument	Description
-DatabaseTlsEnabled -dbtls	database_tls_enabled	Required. Indicates the database used for the domain configuration repository is a secure database. Set this option to True.
-DatabaseConnectionString -cs	database_connection_string	Required. Connection string to use to connect to the secure database. The connection string must include the security parameters that you included in the connection string when you ran the infasetup RestoreDomain command in step 5
-DatabaseTruststorePassword -dbtp	database_truststore_password	Required. Password for the database truststore file for the secure database.

If you have multiple gateway nodes in the domain, run infasetup UpdateGatewayNode on each gateway node.

8. Restart the domain.

Secure PowerCenter Repository Database

When you create a PowerCenter Repository Service, you can create the associated PowerCenter repository on a database secured with the SSL protocol.

The PowerCenter Repository Service connects to the PowerCenter repository database through native connectivity.

When you create a PowerCenter repository on a secure database, verify that the database client files contain the secure connection information for the database. For example, if you create a PowerCenter repository on a secure Oracle database, configure the Oracle database tnsnames.ora and sqlnet.ora client files with the secure connection information.

Secure Model Repository Database

When you create a Model Repository Service, you can create the associated Model repository in a database secured with the SSL protocol.

The Model Repository Service connects to the Model repository database through JDBC drivers.

1. Set up a database secured with the SSL protocol.

2. In the Administrator tool, create a Model Repository Service.

3. In the New Model Repository Service dialog box, enter the general properties for the Model Repository Service and click Next.

4. Enter the database properties and the JDBC connection string for the Model Repository Service.

To connect to a secure database, enter the secure database parameters in the Secure JDBC Parameters field. Informatica treats the value of Secure JDBC Parameters field as sensitive data and stores the parameter string encrypted.

The following list describes the secure database parameters:

EncryptionMethod
ValidateServerCertificate
HostNameInCertificate
cryptoProtocolVersion
TrustStore: Required. Path and file name of the truststore file that contains the SSL certificate for the database.
TrustStorePassword: Required. Password for the truststore file for the secure database.

Note: Informatica appends the secure JDBC parameters to the JDBC connection string. If you include the secure JDBC parameters directly to the connection string, do not enter any parameter in the Secure JDBC Parameters field.

5. Test the connection to verify that the connection to the secure repository database is valid.

6. Complete the process to create a Model Repository Service.

Secure Communication for Workflows and Sessions

By default, when you enable secure communication option for the domain, Informatica secures the connection between the Data Integration Service and PowerCenter Integration Service and the DTM processes.

In addition, if you run PowerCenter sessions on a grid, you can enable an option to secure the data communication between the DTM processes.

To enable secure data communication between DTM processes in PowerCenter sessions, select the Enable Data Encryption option for the PowerCenter Integration Service.

Note: PowerCenter sessions require more CPU and memory when the DTM processes run in secure mode. Before you enable secure data communication between DTM processes for PowerCenter sessions, determine whether the domain resources are adequate for the additional load.

Enabling Secure Communication for PowerCenter DTM Processes

To secure the connection between the DTM processes in PowerCenter sessions running on a grid, configure the PowerCenter Integration Service to enable the data encryption for DTM processes.

1. In the Navigator of the Administrator tool, select the PowerCenter Integration Service.

2. In the contents panel, click the Properties view.

3. Go to the PowerCenter Integration Service Properties section and click Edit.

4. On the Edit PowerCenter Integration Service Properties window, select Enable Data Encryption.

5. Click OK.

When you run a PowerCenter session on a grid, the DTM processes send encrypted data when they communicate with other DTM processes.