Network Data Transmission Configurable Options
Configurable Options
The network protocol can be configured in ways that affect compression, encryption, code pages, and network delays.
The following configuration options are available on many Universal Agent components:
CODE_PAGE
The CODE_PAGE option specifies the code page translation table used to translate network data from and to the local code page for the system on which the program is executing.
A codepage table is text file that contain a two-column table. The table maps local single byte character codes to two-byte UNICODE character codes.
Code pages are located in the product National Language Support (NLS) directory or library. New code pages may be created and added to the NLS directory or library. The CODE_PAGE option value is simply the name of the code page file without any file name extension if present.
CTL_SSL_CIPHER_LIST
The CTL_SSL_CIPHER_LIST option specifies one or more SSL/TLS cipher suites that are acceptable to use for network communications on the control session, which is used for component internal communication.
The SSL/TLS protocol uses cipher suites to specify the combination of encryption and message digest algorithms used for a session. An ordered list of acceptable cipher suites can be specified in a most-to-least order of preference.
An example cipher suite list is RC4-MD5,RC4-SHA,AES128-SHA. The RC4-MD5 cipher suite is the most preferred and AES128-SHA is the least preferred.
When two Universal Agent components (Manager and a Server) first connect, they perform an SSL/TLS handshake that negotiates the cipher suite to use for the session. The Manager presents a list of cipher suites (in descending order of preference) that it would like to use. This is compared against a list of ciphers that the Server supports. The first cipher suite in common is the one used for the session.
DATA_AUTHENTICATION
The DATA_AUTHENTICATION option specifies whether or not the network data is authenticated. Data authentication verifies that the data did not change from the point it was sent to the point it was received.
Data authentication also is referred to as a data integrity in this document.
Data authentication occurs for each message sent over the network. If a message fails authentication, the network session is terminated and both programs end with an error.
The DATA_AUTHENTICATION option is applicable to the UNVv2 protocol only. SSL/TLS always performs authentication.
DATA_COMPRESSION
The DATA_COMPRESSION option specifies that network data be compressed.
Compression attempts to reduce the amount of data to a form that can be decompressed to its original form. The compression ratio is the original size divided by the compressed size. The compression ratio value will depend on the type of data. Some data compress better than others.
Two methods of compression are available:
- ZLIB method provides the highest compression ratio with the highest use of CPU
- HASP method provides the lowest compression ratio with the lowest use of CPU.
Whether or not compression is used and which compression method is used depends on several items:
- Network bandwidth. If network bandwidth is small, compression may be worth the cost in CPU.
- CPU resources. If CPU is limited, the CPU cost may not be worth the reduced bandwidth usage.
- Data compression ratio. If the data does not compress well, it is probably not worth CPU cost. If the data ratio is high, the CPU cost may be worth it.
DATA_ENCRYPTION
The DATA_ENCRYPTION option specifies whether or not network data is encrypted.
Encryption translates data into a format that prevents the original data from being determined. Decryption translates encrypted data back into its original form.
The type of encryption performed depends on the network protocol being used, SSL/TLS or UNVv2.
Data encryption does increase CPU usage. Whether or not encryption is used depends on the sensitivity of the data and the security of the two host systems and the data network between the hosts.
DATA_SSL_CIPHER_LIST
The DATA_SSL_CIPHER LIST option specifies one or more SSL/TLS cipher suites that are acceptable to use for network communications on the data session, which is used for standard I/O file transmission.
(See CTL_SSL_CIPHER_LIST.)
DEFAULT_CIPHER
The DEFAULT_CIPHER option specifies the SSL cipher suite to use (since SSL protocol requires a cipher suite) if the DATA_ENCRYPTION option is set to no. The default DEFAULT_CIPHER is NULL-MD5 (no encryption, MD5 message digest).
All SSL/TLS cipher suites have a message digest for good reasons. The message digest ensures that the data sent are the data received. Without a message digest, it is possible for bits of the data packet to get changed without being noticed.
ENCRYPT_CONTROL_SESSION
The ENCRYPT_CONTROL_SESSION option is a server-only option that enforces encryption on the control session. When the option is set to a value of no, the server will accept a control session protocol without encryption and message authentication codes (MACs). The default is yes.
Starting with Universal Agent, a manager can request that the UNVv2 protocol be used without encryption or MACs. Considering that host systems may require differing security policies, this option allows for each server to be configured appropriately based on its security policy.
KEEPALIVE_INTERVAL
The KEEPALIVE_INTERVAL option specifies how often, in seconds, a keepalive message (also commonly known as a heartbeat message) is sent between a manager and server.
A keepalive message ensures that the network and both programs are operating normally. Without a keepalive message, error conditions can arise that place one or both programs in an infinite wait.
A keepalive message is sent from the server to the manager. If the server does not receive a keepalive acknowledgement from the manager in a certain period of time (calculated as the maximum of 2 x NETWORK_DELAY or the KEEPALIVE_INTERVAL), the server considers the manager or network as unusable.
How the server processes a keepalive time-out depends on what fault tolerant features are being used. If no fault tolerant features are being used, the server ends with an error. The manager expects to receive a keepalive message in a certain period of time (calculated as the KEEPALIVE_INTERVAL + 2 x NETWORK_DELAY.
NETWORK_DELAY
The NETWORK_DELAY option provides the ability to fine tune Universal Agent network protocol. When a data packet is sent over a TCP/IP network, the time it takes to reach the other end depends on many factors, such as, network congestion, network bandwidth, and the network media type. If the packet is lost before reaching the other end, the other end may wait indefinitely for the expected data.
In order to prevent this situation, Universal Agent components time out waiting for a packet to arrive in a specified period of time. The delay option specifies this period of time.
NETWORK_DELAY specifies the maximum acceptable delay in transmitting data between two programs. Should a data transmission take longer than the specified delay, the operation ends with a time out error. Universal Agent components will consider a time out error as a network fault.
The default NETWORK_DELAY value is 120 seconds. This value is reasonable for most networks and operational characteristics. If the value is too small, false network time outs could occur. If the value is too large, programs will wait a long period of time before reporting a time out problem.
SIO_MODE
The SIO_MODE option specifies whether the data transmitted over the network is processed as text data or binary data.
Text data is translated between the remote and local code pages. Additionally, end of line representations are converted
Text translation operates in two modes: direct and UCS. The default is direct. The direct translation mode exchanges code pages between Universal Agent components to build direct translation tables. Direct translation is the fastest translation method when a significant amount (greater then 10K) of text data is transmitted. The code page exchange increases the amount of data sent over the network as part of the network connection negotiation.
UCS translation does not require the exchange of code pages. For transactions that have little text data transmission, this is the fastest.
Binary data is transmitted without any data translation.