Create Different Types of Certificates for a Secure Deployment
Certificates are used when configuring a deployment that has a Distribution Path between the Distribution Service and the Receiver Service, either within a single (the same) deployment or in a hub deployment.
Here's how you can create client certificates, server certificates, and trusted chain certificates to set up a secure Oracle GoldenGate Microservices Architecture deployment.
Create a Self-Signed Trusted (Root) Certificate
To create a self-signed trusted (root) certificate, use the orapki utility in the OGG_HOME/bin directory.
Note:
Adding a non-CA self-signed certificate as a trusted certificate using the Certificate Management page's CA Cert section is not supported and will result in an error.
Here's an example of how you can create a root certificate using orapki. The script below creates the orapki-generated wallets:

# 1. (Self-Signing) Root Certificate
orapki wallet create -wallet ${WORKDIR}/wallet_SRC/rootCA_SRC -auto_login -pwd welcome123 -nologo
orapki wallet add -wallet ${WORKDIR}/wallet_SRC/rootCA_SRC -dn "CN=RootCA_SRC" -addext_basic_cons -pathlen 10 -keysize 2048 \
-self_signed -validity 1825 \
-pwd welcome123 -nologo
orapki wallet export -wallet ${WORKDIR}/wallet_SRC/rootCA_SRC -dn "CN=RootCA_SRC" -cert ${WORKDIR}"/wallet_SRC/rootCA_SRC_CERT.pem" -pwd welcome123 -nologo
# 2. Server Certificate
orapki wallet create -wallet ${WORKDIR}"/wallet_SRC/server_"${v_hostname} -auto_login -pwd welcome123 -nologo
orapki wallet add -wallet ${WORKDIR}"/wallet_SRC/server_"${v_hostname} -dn "CN=${v_hostname}" \
-addext_basic_cons -pathlen 10 -keysize 2048 \
-pwd welcome123 -nologo
orapki wallet export -wallet ${WORKDIR}"/wallet_SRC/server_"${v_hostname} -dn "CN=${v_hostname}" \
-request ${WORKDIR}"/wallet_SRC/server_"${v_hostname}"_req.pem" -pwd welcome123 -nologo
orapki cert create -wallet ${WORKDIR}/wallet_SRC/rootCA_SRC \
-request ${WORKDIR}"/wallet_SRC/server_"${v_hostname}"_req.pem" \
-cert ${WORKDIR}"/wallet_SRC/server_"${v_hostname}"_Cert.pem" \
-serial_num 25 -validity 365 -pwd welcome123 -nologo
orapki wallet add -wallet ${WORKDIR}"/wallet_SRC/server_"${v_hostname} \
-trusted_cert -cert ${WORKDIR}"/wallet_SRC/rootCA_SRC_CERT.pem" -pwd welcome123 -nologo
orapki wallet add -wallet ${WORKDIR}"/wallet_SRC/server_"${v_hostname} \
-user_cert -cert ${WORKDIR}"/wallet_SRC/server_"${v_hostname}"_Cert.pem" -pwd welcome123 -nologo
# 3. Distribution Service (client) Certificate
orapki wallet create -wallet ${WORKDIR}/wallet_SRC/client_SRC -auto_login -pwd welcome123 -nologo
orapki wallet add -wallet ${WORKDIR}/wallet_SRC/client_SRC -dn "CN=client_SRC" -keysize 2048 -pwd welcome123 -nologo
orapki wallet export -wallet ${WORKDIR}/wallet_SRC/client_SRC -dn "CN=client_SRC" \
-request ${WORKDIR}/wallet_SRC/client_SRC_req.pem -pwd welcome123 -nologo
orapki cert create -wallet ${WORKDIR}/wallet_SRC/rootCA_SRC \
-request ${WORKDIR}/wallet_SRC/client_SRC_req.pem \
-cert ${WORKDIR}/wallet_SRC/client_SRC_Cert.pem \
-serial_num 26 -validity 365 -pwd welcome123 -nologo
# Import the root certificate as trusted and the signed certificate as the user certificate, as in step 2
orapki wallet add -wallet ${WORKDIR}/wallet_SRC/client_SRC \
-trusted_cert -cert ${WORKDIR}/wallet_SRC/rootCA_SRC_CERT.pem -pwd welcome123 -nologo
orapki wallet add -wallet ${WORKDIR}/wallet_SRC/client_SRC \
-user_cert -cert ${WORKDIR}/wallet_SRC/client_SRC_Cert.pem -pwd welcome123 -nologo
Create Server Certificates
root_ca.
Create a Client Certificate
Set Up Trusted Certificates
There are two types of TLS connections. To use TLS, there are certain requirements for the certificate trust chain. The wss communication protocol is used in the Distribution Service for the Distribution Path to meet the needs of secure communication using TLS in Oracle GoldenGate Microservices Architecture.
Note:
Adding a non-CA self-signed certificate as a trusted certificate using the Service Manager's Certificate Management web interface's CA Cert section is not supported and will result in an error.
Setting Up the Server's CA Certificate as a Trusted Certificate for an External Identity Provider
To work with an external Identity Provider (IDP) such as IDCS, you need to upload the IDP server's (IDCS) CA certificate as a trusted certificate.
Distribution Service and Receiver Service
Both the Distribution Service and the Receiver Service need certificates. The Distribution Service uses the certificate in the client wallet location under the outbound section. The location of that wallet can be found in the deploymentConfiguration.dat file under deployment_home/etc/conf.
The certificates in both wallets need to be trusted by each other, so either both need to have commercial certificates issued by Oracle GoldenGate Microservices Architecture, or they have to trust each other using self-signed certificates, in one of two ways:
- Have both certificates signed by the same root certificate (rootCA).
- The other side's certificate is added to the local wallet as a trusted certificate.
For the Receiver Service, the certificate is in the wallet for the local wallet location, which is also in the deploymentConfiguration.dat file.
On the Distribution Service, if the hostname used in the Receiver Service's certificate can't be routed correctly, the /etc/hosts file should be updated with the correct IP address for that host. The Distribution Service will use this IP address to communicate with the Receiver Service once it accepts the certificate from the Receiver Service.
Using the Reverse Proxy (NGINX) with the Distribution Service and Receiver Service
You only need to add the NGINX certificate to the Distribution Service's client wallet as a trusted certificate. Usually the certificate used by NGINX is self-signed.
The host name in the NGINX certificate should also be routable. If not, on the Distribution Service, the /etc/hosts file needs to be updated to reflect the correct IP address for that host name. The Distribution Service will use the host name in the certificate to communicate with the target. If the NGINX certificate doesn't have a valid host name in it, but has a Subject Alternative Name record, then the host name is the DNS name there.
See Configure Reverse Proxy with NGINX to Access Oracle GoldenGate Microservices.
Create a RootCA External Certificate in the Target Deployment
Use the following steps to create and manage the root CA external certificate and the distribution client certificate for a target deployment that is different from the source deployment.
Create the client certificate configuration (client_src_to_trg.cfg) file:

[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = "client_src_to_trg"
[ my_extensions ]

The commands to generate the client certificate and have it signed by the rootCA external certificate are:
# client certificate
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -config client_src_to_trg.cfg
openssl x509 -req -days 73000 -in client.csr -CA rootCA_extern.cert -CAkey rootCA_extern.key -CAcreateserial -out client.cert
Create the rootCA_extern.cfg configuration file:

[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
x509_extensions = usr_cert
[ req_distinguished_name ]
#countryName = "US"
#stateOrProvinceName = "CA"
#localityName = "Redwood City"
#streetAddress = "400 Oracle Pkwy"
#organizationName = "Oracle USA Inc"
#organizationalUnitName = "Security"
commonName = "rootCA_extern"
#emailAddress = "rootsecurity@oracle.com"
[ v3_req ]
basicConstraints=CA:TRUE
[ v3_ca ]
basicConstraints=CA:TRUE
[ usr_cert ]
basicConstraints=CA:TRUE
[ my_extensions ]
The command to generate the rootCA external certificate is:
# rootCA certificate
openssl req -x509 -newkey rsa:4096 -keyout rootCA_extern.key -out rootCA_extern.cert -days 73000 -nodes -config rootCA_extern.cfg
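As an added example (not from the Oracle GoldenGate documentation or its scripts), the following shell script reproduces with OpenSSL the trust rules described on this page: it builds a root CA and a client certificate from configuration files shaped like rootCA_extern.cfg and client_src_to_trg.cfg, then checks that the client certificate chains to the root that signed it (the "both signed by the same root certificate" rule), that an unrelated root rejects it, that only the root carries the CA flag, and that the host name is matched against the Subject Alternative Name as the NGINX section describes. Unlike the page's client configuration, the client certificate here is issued with basicConstraints CA:FALSE, a clientAuth extended key usage and a DNS SAN, which is what an end-entity certificate should carry. The names rootCA_SRC, rootCA_OTHER and dist.example.test and the temporary work directory are constructed for the example; the script assumes the openssl command (1.1.0 or later, for -verify_hostname) is on PATH.

```shell
#!/bin/sh
# Added example, not from the Oracle GoldenGate documentation.
# Builds a root CA plus a client certificate with OpenSSL and then checks
# the chain, an untrusted root, the CA flags, and the SAN host name.
# All names and the work directory are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root CA config: basicConstraints CA:TRUE belongs only on the root.
write_ca_cfg() {
  cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = "rootCA_example"
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Client (end-entity) config: CA:FALSE, client authentication, and a DNS
# SAN naming the host the Distribution Service will connect to.
write_client_cfg() {
  cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
[ dn ]
commonName = "client_example"
[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:dist.example.test
EOF
}

# make_root NAME: self-signed root certificate, as the page's rootCA command does.
make_root() {
  write_ca_cfg "$WORK/$1.cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.cert" \
    -config "$WORK/$1.cfg" >/dev/null 2>&1
}

# make_client ROOT: CSR, then signing by ROOT with the client_ext extensions
# applied at signing time (the CSR alone carries no extensions).
make_client() {
  write_client_cfg "$WORK/client.cfg"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
    -out "$WORK/client.csr" -config "$WORK/client.cfg" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/$1.cert" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/client.cfg" -extensions client_ext \
    -out "$WORK/client.cert" >/dev/null 2>&1
}

# verify_chain ROOT [HOST]: returns 0 only if client.cert chains to ROOT
# (and, when HOST is given, if HOST matches the certificate's SAN/CN).
verify_chain() {
  if [ $# -gt 1 ]; then
    openssl verify -CAfile "$WORK/$1.cert" -verify_hostname "$2" \
      "$WORK/client.cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1.cert" "$WORK/client.cert" >/dev/null 2>&1
  fi
}

# is_ca NAME: returns 0 if NAME.cert asserts basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$WORK/$1.cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Stand-alone run: exercise every rule and report the outcome.
run_demo() {
  make_root rootCA_SRC
  make_root rootCA_OTHER
  make_client rootCA_SRC
  verify_chain rootCA_SRC                    && echo "same root: trusted"
  verify_chain rootCA_OTHER                  || echo "other root: rejected"
  verify_chain rootCA_SRC dist.example.test  && echo "SAN host name: match"
  verify_chain rootCA_SRC wrong.example.test || echo "wrong host name: rejected"
  is_ca rootCA_SRC && ! is_ca client         && echo "CA flag only on the root"
}

# Run the demo when openssl is available.
if command -v openssl >/dev/null 2>&1; then
  run_demo
fi
```

Each check function exits 0 on success and non-zero otherwise, so the same functions can serve as a pre-flight check before a certificate is imported into a wallet as a trusted or user certificate. The -verify_hostname check applies the SAN-first, CN-fallback matching a TLS client performs, which is why a certificate whose CN is not a routable host name still works when its SAN carries the right DNS name.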