Connecting Two Deployments Using External RootCA Certificate

There are multiple approaches to applying certificates when working across different source and target deployments.

This quickstart demonstrates how to set up and apply certificates when using an external RootCA certificate.

Environment

Each deployment uses its own set of Root, Server, and Client certificates generated for that system. These server and client certificates are imported when the deployment is configured with the OGGCA utility. Because this quickstart assumes a secure deployment, the server certificates and the corresponding root certificates are already installed at the time of deployment. In this quickstart, you will learn how an independent (external) Client Certificate is added to the source deployment for authenticating the Distribution Path (using the wss protocol) on the target deployment.

  • Source: west.oracle.com

  • Target: east.oracle.com

The target server presents a Server Certificate to the source deployment. The pre-installed CA Certificate at the source verifies the identity of the target Server Certificate. Similarly, the source distribution client presents a Client Certificate to the target deployment and the pre-installed CA Certificate on the target site verifies the identity of the distribution client.

Diagram: the source and target deployments across the network, using CA certificates for verifying and authorizing communication through the DISTPATH client and target server.

The process includes the following steps:
  1. Create an additional external distribution path client (dist_client) certificate signed by an external Certificate Authority (rootCA_extern) for the Distribution Path using the secure Web-Socket protocol (wss).

  2. On the source deployment, apply the target server certificate (created for the initial deployment) as a root CA certificate. This allows the source deployment to validate the authenticity of the target system.

  3. Integrate the external dist_client into the system:
    1. In the source deployment, apply the external dist_client certificate.

    2. In the target deployment, apply the external root CA certificate (rootCA_extern) from the external dist_client certificate.

    Now, the target deployment can validate the authenticity of the external dist_client certificate.

  4. In the target deployment, create an Oracle GoldenGate user certified by the dist_client certificate with the Operator role. This user automatically gets the name in the form of a Common Name (CN).

  5. In the source deployment, create the distribution path using the wss protocol with the Certificate target authentication method. This certificate matches the Oracle GoldenGate CN user at the target deployment.
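
The certificate side of steps 1, 3 and 4 can be rehearsed outside GoldenGate before anything is imported. The following is an added example, not Oracle's procedure or tooling: it assumes the `openssl` command line is available, and the key size, validity period and file layout are lab assumptions. It creates rootCA_extern, issues dist_client with client-authentication usage, checks that the certificate validates only against the root the target will trust, and reads back the CN that the target-side user must match.

```shell
#!/bin/sh
# Added example. rootCA_extern and dist_client are the names used on the page;
# key size, validity and file layout are assumptions for a lab run.

write_cfg() {   # $1 = work dir; minimal config, independent of the system openssl.cnf
cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

make_extern_ca() {   # $1 = work dir; self-signed external root (step 1)
    write_cfg "$1" &&
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=rootCA_extern" -keyout "$1/rootCA_extern.key" \
        -out "$1/rootCA_extern.pem" 2>/dev/null
}

make_dist_client() {   # $1 = work dir, $2 = CN; client cert signed by the external root
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/dist_client.key" -out "$1/dist_client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/dist_client.csr" -sha256 -days 30 \
        -CA "$1/rootCA_extern.pem" -CAkey "$1/rootCA_extern.key" -CAcreateserial \
        -extfile "$1/ca.cnf" -extensions client -out "$1/dist_client.pem" 2>/dev/null
}

verify_client() {   # $1 = client cert, $2 = root the target trusts (step 3.2)
    openssl verify -purpose sslclient -CAfile "$2" "$1" >/dev/null 2>&1
}

client_cn() {   # $1 = client cert; the CN becomes the target-side user name (step 4)
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Demo run in a scratch directory
work=$(mktemp -d) && make_extern_ca "$work" && make_dist_client "$work" dist_client &&
    verify_client "$work/dist_client.pem" "$work/rootCA_extern.pem" &&
    echo "target-side user name (CN): $(client_cn "$work/dist_client.pem")"
```

If `verify_client` fails against the root you plan to import on the target, the wss connection will be rejected there for the same reason, so run this check before applying the certificates in either deployment.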