I have been looking for ways to encrypt data sent from a publisher to a subscriber. That data is sent to unirpcd on the subscriber and I have confirmed that, at present, it is sent as plain text.
We have a lead interested in replication but want to ensure that the data transferred between the publisher and subscriber is encrypted (they're Unidata on AIX). I noted the existence of the "-s" option for unirpcd, but when I force unirpcd to start on pub and sub with this option, replication does not operate. I've been told that there is no "official" way to encrypt the replication data travelling between pub and sub(s), but that using an ssh tunnel may be an option.
I'm pretty decent at setting up tunnels - I do it all the time, but I have yet to work out how to get replication to go through a tunnel. Any suggestions? Or does anyone have any other suggestions about getting the data from the publisher to the subscriber to be encrypted (preferably without having to do file encryption for every replicated file on the system!)?
------------------------------
Martin Shields
Senior Technical Consultant
Meier Business Systems PTY LTD
Carnegie VIC AU
------------------------------
I'm not sure about the '-s' option specifically, but I have some experience with universe replication which also uses unirpcd.
From memory, the main difficulty you will have with SSH tunnels (assuming you mean SSH) will come from the fact that unirpc uses the hostname/IP to identify the replication parties. So if on the master you set up a tunnel to the guest at localhost:<someport>, that's probably going to conflict in some way.
For these reasons I would probably suggest using some virtual networking that provides each party a unique IP address. IPSec would probably be a good candidate, because an IPSec tunnel can give each host a unique IP address and also takes care of securing the channel.
Once you have the IPSec tunnel set up, set up replication with the new IP addresses as normal and IPSec takes care of the encryption.
------------------------------
Peter Curtis
Independent consultant
Australia
https://www.linkedin.com/in/peter-curtis-a629948a/
------------------------------
Hi Martin. Any reason you don't want to encrypt the data at rest (file encryption)? Doing it this way makes the pub->sub simple as long as the encryption keys are the same on both systems.
------------------------------
Chris Charles
Senior Software Engineer
Rocket Forum Shared Account
------------------------------
Thanks for the suggestions/comments. I have worked it out and will offer a brief outline of the method.
And yes, file encryption is certainly a means to achieve this, but on a 24×7 system with lots of files it means spending some time encrypting all - or at least most - of the files. If it is possible to encrypt all the traffic in one go then that would seem to be a simpler solution. I'd very much encourage Rocket to look at making this possible.
Peter, I did try the "-s" option. Unfortunately that prevents replication from working at all, so it didn't lead anywhere.
The fundamental step in getting this going is to set up a firewall rule (using iptables on Linux or ipsec on AIX) that intercepts outgoing traffic on port 31438 and redirects it to the localhost on a different port, a port where one end of the tunnel is waiting. To check it worked I added a firewall rule on the subscriber to block incoming traffic from the publisher on port 31438 and ran tcpdump to monitor the content of the traffic between the publisher and subscriber (something I did previously to prove that the content was not encrypted by default).
------------------------------
Martin Shields
Senior Technical Consultant
Meier Business Systems PTY LTD
Carnegie VIC AU
------------------------------
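The redirect-and-tunnel layout Martin outlines, written out as an added example (not code from the thread or from Rocket) for a Linux publisher and subscriber using iptables; the AIX ipsec filter equivalents are not shown. Host addresses, the tunnel port and the ssh account are constructed placeholders, and the script only prints the commands to run on each host. Because the redirect happens in the kernel's nat OUTPUT chain, unirpc still connects to the subscriber's real address on 31438, which is what sidesteps the localhost-identity problem Peter raised.

```shell
#!/bin/sh
# Added example: publisher-side redirect, ssh tunnel, subscriber-side block
# and a tcpdump check, per the method described in the thread.
PUB_IP=${PUB_IP:-192.0.2.10}        # publisher address (constructed)
SUB_IP=${SUB_IP:-192.0.2.20}        # subscriber address (constructed)
RPC_PORT=${RPC_PORT:-31438}         # unirpcd port named in the thread
TUNNEL_PORT=${TUNNEL_PORT:-32438}   # local end of the tunnel (assumed free)
SSH_USER=${SSH_USER:-repl}          # account on the subscriber (constructed)

# Publisher: locally generated TCP to $SUB_IP:31438 is rewritten to
# 127.0.0.1:$TUNNEL_PORT before it leaves the host. The application still
# believes it is talking to the subscriber's real IP.
publisher_redirect_rule() {
  printf 'iptables -t nat -A OUTPUT -p tcp -d %s --dport %s -j REDIRECT --to-ports %s\n' \
    "$1" "$2" "$3"
}

# Publisher: the tunnel. -N opens no remote shell; binding the local end to
# 127.0.0.1 keeps the plaintext side of the tunnel off the network.
publisher_tunnel_cmd() {
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' "$1" "$2" "$3" "$4"
}

# Subscriber: drop direct (plaintext) 31438 from the publisher so a missing
# redirect or a tunnel outage fails closed instead of silently falling back.
# The tunnel's sshd connects from loopback, so this rule does not affect it.
subscriber_block_rule() {
  printf 'iptables -A INPUT -p tcp -s %s --dport %s -j DROP\n' "$1" "$2"
}

# Subscriber: show payload between the two hosts on the RPC port. Before the
# change this prints replication data in the clear; after it, nothing.
verify_capture_cmd() {
  printf 'tcpdump -nn -A -i any host %s and host %s and tcp port %s\n' "$1" "$2" "$3"
}

echo "# run on the publisher ($PUB_IP):"
publisher_redirect_rule "$SUB_IP" "$RPC_PORT" "$TUNNEL_PORT"
publisher_tunnel_cmd "$TUNNEL_PORT" "$RPC_PORT" "$SSH_USER" "$SUB_IP"
echo "# run on the subscriber ($SUB_IP):"
subscriber_block_rule "$PUB_IP" "$RPC_PORT"
echo "# verification, on the subscriber:"
verify_capture_cmd "$PUB_IP" "$SUB_IP" "$RPC_PORT"
```

Run the printed lines on the host each section names; the redirect rule should sit before any other nat OUTPUT rule that matches the same traffic.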
Martin,
There already is an enhancement request in the system to do this. This is viewed by development as a large ticket item (i.e. it will take a large chunk of any development cycle for a release). When deciding on what we do for a release it is a balancing exercise to make sure we deliver the most bang for our buck. In terms of this particular request, although it is a good idea, the demand from the customer base and the time it would take have resulted in this issue not being done. Currently it is unlikely it will be done in the UniData 8.4.1 release.
We are having a round table at the upcoming symposium in Denver in June and one of the discussions that is scheduled for that meeting is to ask the customers what they view as a priority for the new release. I would strongly suggest attending the symposium to get your voice heard in such discussions.
Thanks,
------------------------------
Jonathan Smith
UniData ATS
Rocket Support
------------------------------