Create Different Types of Certificates for a Secure Deployment

Create a Self-Signed Trusted (Root) Certificate

You may apply your existing trusted certificate or use the orapki in the OGG_HOME/bin directory.

Note:

Adding a non-CA self-signed certificate as a trusted certificate using Certificate Management page's CA Cert section is not supported and will result in an error.

Here's an example of how you can create a root certificate using orapki:

Create a directory to store your wallets and certificates. For example, ~/wallet_directory.

Create an automatic login wallet. This example uses root_ca for the wallet name.

orapki wallet create -wallet ~/wallet_directory/root_ca -auto_login -pwd welcome123

In the orapki command to create self-signed (root user) certificate, specify the-sign_alg sha256 option.

In orapki wallet:

orapki wallet add -wallet ~/wallet_directory/root_ca -dn "CN=RootCA" -addext_basic_cons -pathlen 10 -keysize 2048 -self_signed -validity 7300 -pwd welcome123 -sign_alg sha256

Export the certificate to a .pem file.

orapki wallet export -wallet ~/wallet_directory/root_ca -dn "CN=RootCA" -cert ~/wallet_directory/rootCA_Cert.pem -pwd welcome123

The certificate creation is complete.

The following code snippet illustrates how to set up orapki generated wallets:

# 1. (Self-Signing) Root Certificate
orapki wallet create -wallet ${WORKDIR}/wallet_SRC/rootCA_SRC -auto_login -pwd welcome123 -nologo                                                
orapki wallet add    -wallet ${WORKDIR}/wallet_SRC/rootCA_SRC -dn "CN=RootCA_SRC" -addext_basic_cons -pathlen 10 -keysize 2048 \
                                                                          -self_signed -validity 1825 \
                                                                          -pwd welcome123 -nologo 
orapki wallet export -wallet ${WORKDIR}/wallet_SRC/rootCA_SRC -dn "CN=RootCA_SRC" -cert ${WORKDIR}"/wallet_SRC/rootCA_SRC_CERT.pem" -pwd welcome123 -nologo  

# 2. Server Certificate
orapki wallet create -wallet ${WORKDIR}"/wallet_SRC/server_"${v_hostname} -auto_login -pwd welcome123 -nologo                              
orapki wallet add    -wallet ${WORKDIR}"/wallet_SRC/server_"${v_hostname} -dn "CN=${v_hostname}" \
                                                                        -addext_basic_cons -pathlen 10 -keysize 2048 \
                                                                        -pwd welcome123 -nologo       
orapki wallet export -wallet ${WORKDIR}"/wallet_SRC/server_"${v_hostname} -dn "CN=${v_hostname}" \
                     -request ${WORKDIR}"/wallet_SRC/server_"${v_hostname}"_req.pem" -pwd welcome123 -nologo                               
orapki cert create   -wallet ${WORKDIR}/wallet_SRC/rootCA_SRC \
                     -request ${WORKDIR}"/wallet_SRC/server_"${v_hostname}"_req.pem" \
                     -cert ${WORKDIR}"/wallet_SRC/server_"${v_hostname}"_Cert.pem" \
                     -serial_num 25 -validity 365 -pwd welcome123 -nologo                                                     

orapki wallet add    -wallet ${WORKDIR}"/wallet_SRC/server_"${v_hostname} \
                     -trusted_cert -cert ${WORKDIR}"/wallet_SRC/rootCA_SRC_CERT.pem" -pwd welcome123 -nologo                   

orapki wallet add    -wallet ${WORKDIR}"/wallet_SRC/server_"${v_hostname} \
                      -user_cert -cert ${WORKDIR}"/wallet_SRC/server_"${v_hostname}"_Cert.pem" -pwd welcome123 -nologo     

# 3. Distribution Server Certificate
orapki wallet create -wallet ${WORKDIR}/wallet_SRC/client_SRC -auto_login -pwd welcome123 -nologo     
orapki wallet add    -wallet ${WORKDIR}/wallet_SRC/client_SRC -dn "CN=client_SRC" -keysize 2048 -pwd welcome123 -nologo                
orapki wallet export -wallet ${WORKDIR}/wallet_SRC/client_SRC -dn "CN=client_SRC" \
                     -request ${WORKDIR}/wallet_SRC/client_SRC_req.pem   -pwd welcome123 -nologo                                    
orapki cert create   -wallet ${WORKDIR}/wallet_SRC/rootCA_SRC \
                     -request ${WORKDIR}/wallet_SRC/client_SRC_req.pem \
                     -cert ${WORKDIR}/wallet_SRC/client_SRC_Cert.pem \
                     -serial_num 26 -validity 365 -pwd welcome123 -nologo

Create Server Certificates

The following steps are an example of how you can create a sever certificate using a root certificate named root_ca.

Create a directory to store your wallets and certificates. For example, ~/wallet_directory.

Create an automatic login server wallet.

orapki wallet create -wallet ~/wallet_directory/$(hostname) -auto_login -pwd welcome123

Enter the password for the server when prompted.

Add a Certificate Signing Request (CSR) to the server’s wallet.
```
orapki wallet add -wallet ~/wallet_directory/$(hostname) -dn "CN=$(hostname)" -keysize 2048 -pwd welcome123
```
Note:
The addext_basic_cons -pathlen 10 option is important as it is used to apply the later certificate into another secure store, when setting certificates for two different deployments. See unresolvable-reference.html#GUID-00744E00-2C19-4232-BC59-3C49E82A7A9A.

Export the CSR to a .pem file.

orapki wallet export -wallet ~/wallet_directory/$(hostname) -dn "CN=$(hostname)" -request ~/wallet_directory/servername_req.pem -pwd welcome123

Using the CSR, create a signed server certificate and sign it using the root certificate. Assign a unique serial number to each certificate.

orapki cert create -wallet ~/wallet_directory/root_ca -request ~/wallet_directory/servername_req.pem -cert ~/wallet_directory/servername_Cert.pem -serial_num 20 -validity 375  -sign_alg sha256

Add the root certificate into the server’s wallet as a trusted certificate.

orapki wallet add -wallet ~/wallet_directory/$(hostname) -trusted_cert -cert ~/wallet_directory/rootCA_Cert.pem -pwd welcome123

Add the server certificate as a user certificate into the server’s wallet.

orapki wallet add -wallet ~/wallet_directory/$(hostname) -user_cert -cert ~/wallet_directory/servername_Cert.pem  -pwd welcome123

The wallet creation is complete.

Create a Client Certificate

The following steps are an example of how you can create a Distribution Service user certificate:

Create a directory to store your wallets and certificates. For example, ~/wallet_directory.

Create an automatic login client wallet. This example uses dist_client for the wallet name.

orapki wallet create -wallet ~/wallet_directory/dist_client -auto_login -pwd welcome123

Add a CSR to the wallet.

orapki wallet add -wallet ~/wallet_directory/dist_client -dn "CN=dist_client" -keysize 2048 -pwd welcome123

Export the CSR to a .pem file.

orapki wallet export -wallet ~/wallet_directory/dist_client -dn "CN=dist_client" -request ~/wallet_directory/dist_client_req.pem -pwd welcome123

Using CSR, create a signed client certificate and sign it using the root certificate. Assign a unique serial number to each certificate.

orapki cert create -wallet ~/wallet_directory/root_ca -request ~/wallet_directory/dist_client_req.pem -cert ~/wallet_directory/dist_client_Cert.pem -serial_num 30 -validity 375 -pwd welcome123

Add the root certificate as a trusted certificate into the client’s wallet.

orapki wallet add -wallet ~/wallet_directory/dist_client -trusted_cert -cert ~/wallet_directory/rootCA_Cert.pem -pwd welcome123

Add the client certificate as a user certificate into the client’s wallet.

orapki wallet add -wallet ~/wallet_directory/dist_client -user_cert -cert ~/wallet_directory/dist_client_Cert.pem -pwd welcome123

The wallet creation is complete.

Set Up Trusted Certificates

There are two types of TLS connections. To use TLS, there are certain requirements for the certificate trust chain.

The wss communication protocol is used in the Distribution Service for the Distribution Path to meet the needs of secure communication using TLS in Oracle GoldenGate Microservices Architecture.

Note:

Adding a non-CA self-signed certificate as a trusted certificate using Service Manager's Certificate Management web interface's CA Cert section is not supported and will result in an error.

Setting up the server's CA certificate as a Trusted Certificate for External Identity Provider

To work with an external Identity Provider (IDP) such as IDCS, you need to upload the IDP server's (IDCS) CA certificate as a trusted certificate.

See Manage Certificates for Deployments.

Distribution Service and Receiver Service

Both the Distribution Service and Receiver Service need certificates. The Distribution Service uses the certificate in the client wallet location under outbound section. The location of that wallet can be found in the deploymentConfiguration.dat file under deployment_home/etc/conf.

The certificates in both wallets need to be trusted by each other, so either both need to have commercial certificates issued by Oracle GoldenGate Microservices Architecture, or they have to trust each other using self-signed certificates.

For self-signed certificates, you can choose from one of the following:

Have both certificates signed by the same root certificate. (rootCA)
The other side’s certificate is added to the local wallet as a trusted certificate

For the Receiver Service, the certificate is in the wallet for the local wallet location, which is also in the deploymentConfiguration.dat file.

On the Distribution Service, if the hostname used in the Receiver Service’s certificate can’t be routed correctly, /etc/hosts file should be updated with the correct IP address for that host. The Distribution Service will use this IP address to communicate with the Receiver Service once it accepts the certificate from the Receiver Service.

Using the Reverse Proxy (NGINX) with the Distribution Service and Receiver Service

You only need to add the Nginx certificate to the Distribution Service’s client wallet as a trusted certificate. Usually the certificate used by NGINX is self-signed.

The host name in the Nginx certificate should also be routable. If not, on the Distribution Service, /etc/hosts file needs to be updated to reflect the correct IP address for that host name.The Distribution Service will use the host name in the certificate to communicate to the target. If the NGINX certificate doesn’t have a valid host name in it, but has a Subject Alternative Name record, then the host name is the DNS name there.

See Configure Reverse Proxy with NGINX to Access Oracle GoldenGate Microservices

Create a RootCA External Certificate in the Target Deployment

Use the following steps to create and manage the root CA external certificate and the distribution client certificate for a target deployment that is different from the source deployment.

Here's a sample of the client certificate configuration (client_src_to_trg.cfg) file:

[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = "client_src_to_trg"
[ my_extensions ]

The command to generate a client certificate is similar to the following:


# client certificate
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -config client.cfg
openssl x509 -req -days 73000 -in client.csr -CA rootCA_extern.cert -CAkey rootCA_extern.key -CAcreateserial -out client.cert

Here is a sample rootCA_extern.cfg configuration file:

[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
x509_extensions = usr_cert
[ req_distinguished_name ]
#countryName = "US"
#stateOrProvinceName = "CA"
#localityName = "Redwood City"
#streetAddress = "400 Oracle Pkwy"
#organizationName = "Oracle USA Inc"
#organizationalUnitName = "Security"
commonName = "rootCA_extern"
#emailAddress = "rootsecurity@oracle.com"
[ v3_req ]
basicConstraints=CA:TRUE
[ v3_ca ]
basicConstraints=CA:TRUE
[ usr_cert ]
basicConstraints=CA:TRUE
[ my_extensions ]

The command to generate the rootCA external certificate is:

# rootCA certificate
openssl req -x509 -newkey rsa:4096 -keyout rootCA_extern.key -out rootCA_extern.cert -days 73000 -nodes -config rootCA_extern.cfg