Create External Trusted RootCA and Distribution Client Certificates

For certain scenarios where two deployments need to connect the distribution and receiver paths for trail data transfer, you may decide to use an external RootCA certificate to validate a distribution client user by means of a distribution client (distclient) certificate. The distribution client certificate is stored on the target deployment, and a distribution client user (operator role) is created on the source deployment with its validation type set to Certificate.

In such cases, you need to create an external rootCA certificate and a distribution client certificate. This section describes the OpenSSL commands used to generate these certificates.

Create a RootCA External Certificate in the Target Deployment

Use the following steps to create and manage the root CA external certificate (rootCA_ext) for a target deployment that is different from the source deployment.

Here is a sample rootCA_ext.cfg configuration file:
[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
# Note: when a key is repeated within one section, OpenSSL keeps the later
# value, so usr_cert is the section applied to the self-signed certificate.
# Both sections carry the same CA:TRUE constraint, so the result is unchanged.
x509_extensions = v3_ca
x509_extensions = usr_cert
[ req_distinguished_name ]
#countryName = "US"
#stateOrProvinceName = "CA"
#localityName = "Redwood City"
#streetAddress = "400 Oracle Pkwy"
#organizationName = "Oracle USA Inc"
#organizationalUnitName = "Security"
commonName = "rootCA_ext"
#emailAddress = "rootsecurity@oracle.com"
[ v3_req ]
basicConstraints=CA:TRUE
[ v3_ca ]
basicConstraints=CA:TRUE
[ usr_cert ]
basicConstraints=CA:TRUE
# Unused section; it may be removed.
[ my_extensions ]

The command to generate the rootCA external certificate from rootCA_ext.cfg is:

# -config loads the sample rootCA_ext.cfg shown above; without it, OpenSSL
# falls back to the system default openssl.cnf and its extension sections.
openssl req -config rootCA_ext.cfg     \
            -subj "/CN=RootCA_ext"      \
            -newkey rsa:2048 -nodes     \
            -keyout rootCA_ext_key.pem  \
            -new -x509                  \
            -days 365                   \
            -out rootCA_ext_cert.pem

Create a Distribution Client Certificate

The client certificate needs a small extension file, distclient_cert.cnf, that restricts the certificate to client authentication:

extendedKeyUsage = clientAuth

The command to generate the client private key and certificate signing request (CSR) is similar to the following:

openssl req -subj "/CN=distclient"    \
        -newkey rsa:2048 -nodes       \
        -keyout distclient_key.pem    \
        -new                          \
        -out distclient.csr

The distclient CSR is then signed with the rootCA_ext certificate and key, so that the resulting distclient certificate can be verified against rootCA_ext:

openssl x509 -CAcreateserial          \
        -CA    rootCA_ext_cert.pem    \
        -CAkey rootCA_ext_key.pem     \
        -req                          \
        -in distclient.csr            \
        -extfile distclient_cert.cnf  \
        -days 365                     \
        -out distclient_cert.pem

The distclient certificate and its private key are now generated. Both files are stored in Privacy Enhanced Mail (PEM) format, and the private key is written in Public-Key Cryptography Standards (PKCS) #8 format.
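The following script is an added example, not part of the original page or of the product's own tooling. It carries the procedure above through end to end in a scratch directory (building rootCA_ext, the distclient CSR, and the signed distclient certificate) and then checks the result the way the target deployment's TLS stack will: the client certificate must chain to rootCA_ext with the sslclient purpose, carry the clientAuth extended key usage, not itself be a CA, and its key must be in PKCS #8 form. A second, unrelated CA (otherCA, a constructed name) is generated to confirm that the client certificate is rejected by anything other than rootCA_ext. The function names, the minimal configuration files written by the script, and the added CA:FALSE / keyUsage lines are this example's own assumptions; the file names follow the page. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: build and check the rootCA_ext / distclient pair.
set -eu

# Generate rootCA_ext (self-signed CA) and a distclient certificate signed by it.
# $1 = working directory (created if missing).
make_distclient_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal CA config (constructed for this example): a single x509_extensions
    # line so the section that supplies CA:TRUE is unambiguous.
    cat > "$dir/rootCA_ext.cfg" <<'EOF'
[ req ]
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = "rootCA_ext"
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed root: -x509 makes req emit a certificate instead of a CSR.
    openssl req -config "$dir/rootCA_ext.cfg" -subj "/CN=rootCA_ext" \
        -newkey rsa:2048 -nodes -keyout "$dir/rootCA_ext_key.pem" \
        -new -x509 -days 365 -out "$dir/rootCA_ext_cert.pem" 2>/dev/null

    # Request-only config for the client CSR (constructed), so the script does
    # not depend on a system openssl.cnf being present.
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\ncommonName = distclient\n' \
        > "$dir/distclient_req.cfg"
    openssl req -config "$dir/distclient_req.cfg" -subj "/CN=distclient" \
        -newkey rsa:2048 -nodes -keyout "$dir/distclient_key.pem" \
        -new -out "$dir/distclient.csr" 2>/dev/null

    # Extension file for the leaf: clientAuth only, and explicitly not a CA.
    printf 'extendedKeyUsage = clientAuth\nbasicConstraints = CA:FALSE\n' \
        > "$dir/distclient_cert.cnf"
    # Sign the CSR with rootCA_ext; -CAcreateserial writes the .srl file on first use.
    openssl x509 -req -CAcreateserial -CA "$dir/rootCA_ext_cert.pem" \
        -CAkey "$dir/rootCA_ext_key.pem" -in "$dir/distclient.csr" \
        -extfile "$dir/distclient_cert.cnf" -days 365 \
        -out "$dir/distclient_cert.pem" 2>/dev/null
}

# Check the pair the way the receiving side does. Returns 0 only if every check passes.
verify_distclient() {
    dir="$1"
    # Chain to rootCA_ext must validate for the TLS client purpose.
    openssl verify -purpose sslclient -CAfile "$dir/rootCA_ext_cert.pem" \
        "$dir/distclient_cert.pem" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/distclient_cert.pem" -noout -text)
    # clientAuth EKU present, and the leaf must not be usable as a CA.
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    # -nodes with a modern OpenSSL writes the key as PKCS#8 ("BEGIN PRIVATE KEY").
    grep -q 'BEGIN PRIVATE KEY' "$dir/distclient_key.pem" || return 1
    return 0
}

# Negative check: an unrelated CA (otherCA, constructed) must NOT validate distclient.
# Returns 0 when the foreign CA is correctly rejected.
rejects_foreign_ca() {
    dir="$1"
    openssl req -config "$dir/rootCA_ext.cfg" -subj "/CN=otherCA" \
        -newkey rsa:2048 -nodes -keyout "$dir/otherCA_key.pem" \
        -new -x509 -days 365 -out "$dir/otherCA_cert.pem" 2>/dev/null
    if openssl verify -CAfile "$dir/otherCA_cert.pem" \
        "$dir/distclient_cert.pem" >/dev/null 2>&1; then
        return 1   # accepted by a CA that never signed it: trust is misconfigured
    fi
    return 0
}

# Stand-alone use: DISTCLIENT_DEMO_DIR=./pki sh this_script.sh
if [ -n "${DISTCLIENT_DEMO_DIR:-}" ]; then
    make_distclient_pki "$DISTCLIENT_DEMO_DIR"
    verify_distclient "$DISTCLIENT_DEMO_DIR" && rejects_foreign_ca "$DISTCLIENT_DEMO_DIR" \
        && echo "distclient validates against rootCA_ext only"
fi
```

The basicConstraints = CA:FALSE line in the extension file is an addition over the page's one-line distclient_cert.cnf; it costs nothing and makes the intent of the leaf certificate explicit to any verifier that inspects it. The sslclient purpose on openssl verify mirrors what a TLS server does when it receives the certificate during client authentication.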