Bit of a hack this, but for those who are concerned about security, or who need to set up their BladeLogic environment inside their DMZ, this works fine, albeit it's probably unsupported by BMC.
By default BladeLogic 7.x and 8.0 do not provide an option to encrypt communication between the Application Servers and the database. There is no way to simply turn on encryption within the BladeLogic configuration.
It is, however, possible to use an SSH tunnel to encrypt the traffic between the database and the application server. I've tested this with Oracle 11g and BladeLogic 8.0 SP8 on CentOS 5.5.
On the AppServer, generate an ssh key pair, for example:
[cc]ssh-keygen -t dsa[/cc]
Import the AppServer public key into the authorized_keys file on the DB server. Check that you can connect via SSH from the AppServer to the DB server without being prompted for a password. You can try the command:
[cc]ssh root@dbserver date[/cc]
This should display the current date/time without prompting for a password.
To set up the tunnel, run the following on the AppServer (first the general form, then the concrete example used in the rest of this post):
[cc escaped="true"]ssh -f root@dbserver -L <localport>:<remoteserver>:<remoteport> -N[/cc]
[cc]ssh -f root@dbserver -L 9999:dbserver:1521 -N[/cc]
When configuring the BladeLogic AppServer, specify the database connection string as localhost:9999 (using the example above, where 9999 is the local listening port).
The command runs in the background, but it needs to be started before the AppServer is brought online. On Linux this can be done with an /etc/init.d script, which can be configured to start at the required runlevels using chkconfig --add <script-name>. Steal an existing init.d script and modify it to make life easier, but make sure that it starts before the AppServer does at boot, and shuts down after the AppServer on shutdown.
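As an added example of the init.d script described above (not BMC's code or from the original post), here is a minimal /etc/init.d/blade-dbtunnel that keeps a pid file, refuses to report "started" when ssh has died, and carries chkconfig priorities. The hostnames and ports are those used in the post; the chkconfig priorities (85/15) are an assumption and must be adjusted so the tunnel starts before, and stops after, the AppServer's own script.

```sh
#!/bin/sh
# /etc/init.d/blade-dbtunnel (added example, not a BMC-supplied script)
# chkconfig: 345 85 15
# description: SSH tunnel that encrypts BladeLogic AppServer to Oracle traffic.
# Assumed priorities: start 85 must sort before the AppServer's start priority and
# stop 15 after its stop priority, so the tunnel outlives the AppServer on both ends.
TUNNEL_USER=${TUNNEL_USER:-root}       # account holding the AppServer key on the DB server
DB_HOST=${DB_HOST:-dbserver}
LOCAL_PORT=${LOCAL_PORT:-9999}         # the AppServer connects to localhost:9999
REMOTE_PORT=${REMOTE_PORT:-1521}       # Oracle listener, resolved on the DB server's side
PIDFILE=${PIDFILE:-/var/run/blade-dbtunnel.pid}

# Build the ssh command. No -f: we background it ourselves so the recorded pid is ssh's
# own. BatchMode fails instead of hanging on a password prompt; ExitOnForwardFailure
# makes ssh exit if LOCAL_PORT is already taken instead of staying up with no forward.
tunnel_cmd() {
  printf 'ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s:%s:%s %s@%s' \
    "$LOCAL_PORT" "$DB_HOST" "$REMOTE_PORT" "$TUNNEL_USER" "$DB_HOST"
}

# 0 if the pid in PIDFILE is alive, 1 otherwise (a stale pid file is removed).
tunnel_running() {
  [ -f "$PIDFILE" ] || return 1
  pid=$(cat "$PIDFILE")
  if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then return 0; fi
  rm -f "$PIDFILE"; return 1
}

start() {
  if tunnel_running; then echo "tunnel already running"; return 0; fi
  $(tunnel_cmd) &
  echo $! > "$PIDFILE"
  sleep 2                            # let ssh fail fast on auth or forward errors
  tunnel_running || { echo "tunnel failed to start"; return 1; }
}

stop() {
  tunnel_running || return 0
  kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

dispatch() {
  case "$1" in
    start)  start ;;
    stop)   stop ;;
    status) if tunnel_running; then echo "running"; else echo "stopped"; return 3; fi ;;
    *)      echo "Usage: $0 {start|stop|status}"; return 2 ;;
  esac
}
# Dispatch only when given an action, so the functions can also be sourced.
if [ $# -gt 0 ]; then dispatch "$@"; exit $?; fi
```

Install it with chkconfig --add blade-dbtunnel and check with chkconfig --list that its start number sorts before the AppServer's script in the same runlevels.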