8.3 Configuring Workflow for Two-Way SSL in Oracle GoldenGate Veridata 23c using Custom Certificates

Prerequisites

To configure two-way SSL using custom certificates, complete the steps in the following sections in order:

8.3.1 Copying Custom Certificates

Custom certificates usually consist of three files, each in .pem format:
  • Private Key
  • Server Certificate
  • CA Certificate
  1. Copy all 3 server custom certificates to <Server_installation_location>/config directory
  2. Rename CA certificate to ca_server.pem
  3. Copy all 3 agent custom certificates to <AGENT_DEPLOY_LOCATION>/config/certs directory
  4. Rename CA certificate to ca_agent.pem

8.3.2 Enabling SSL in the Agent Properties File

To enable SSL in the Agent properties file:
  1. Open the <AGENT_DEPLOY_LOCATION>/<AGENT PROPERTIES> file. The default <AGENT PROPERTIES> would be agent.properties.
  2. Find the entry server.useSsl, set it to true and save the changes.

8.3.3 Generating Agent Keystore and Truststore

To generate the Agent Keystore

  1. Go to <AGENT_DEPLOY_LOCATION>/config/certs directory. It will contain 3 .pem files.
  2. Run the below command:
    openssl pkcs12 -export \
    -in agent-cert.pem \
    -inkey agent-key.pem \
    -certfile ca_agent.pem \
    -out vdtAgentKeystore.p12 \
    -name <alias> \
    -passout pass:<password>

Note:

When importing multiple agent certificates into a server truststore, assign a unique -alias value to each agent certificate.

This command generates vdtAgentKeystore.p12 in <AGENT_DEPLOY_LOCATION>/config/certs directory.

To generate Agent Truststore

  1. Copy ca_server.pem from the Server node (<Server_installation_location>/config) to the <AGENT_DEPLOY_LOCATION>/config/certs directory.
  2. Rename ca_server.pem to ca_server.crt.
  3. Run the below command:
    keytool -importcert -file ca_server.crt -alias <alias> \
      -keystore vdtAgentTruststore.p12 -storepass <password>

8.3.4 Saving Agent Keystore/ Truststore Passwords to Agent Wallet

  1. Run the script configure_agent_ssl.sh under <AGENT_DEPLOY_LOCATION> directory. The parameter AgentID is the name of the agent properties file, without the .properties extension:
    ./configure_agent_ssl.sh AgentID
    2024-08-30 11:21:25.782 TRACE OGGV-80018 Wallet messages are installed correctly.
    OGGV-80028: Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
    OGGV-80029: Veridata Agent SSL Configuration Utility
    OGGV-80030: Notes:
    OGGV-80031: OGGV-80031: This utility allows Veridata to access keystore and truststore. When entering the passwords  below, unlock password should match the one used in keytool -storepass  option.
    [OGGV-80022: Enter Agent Keystore Store unlock password:]
    [OGGV-80024: Enter Agent Trust Store unlock password:]
    OGGV-80037: SSL Configuration of Veridata Agent is successful.
    
  2. Delete ca_server.crt from <AGENT_DEPLOY_LOCATION>/config/certs.

8.3.5 Generating Server Keystore and Truststore

To generate Server Keystore

  1. Go to the <Server_installation_location>/config directory. It contains the 3 .pem files copied in Copying Custom Certificates.
  2. Run the below command:
    openssl pkcs12 -export \
      -in vdtServer.pem \
      -inkey server-key.pem \
      -certfile ca_server.pem \
      -out vdtServerKeystore.p12 \
      -name <alias> \
      -passout pass:<password>
    
    This command generates vdtServerKeystore.p12 in <Server_installation_location>/config.

Note:

When importing multiple Server certificates into an agent truststore, assign a unique -alias value to each Server certificate. This is less common, because there is typically only one Oracle GoldenGate Veridata server.
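The keystore export in this section and in Generating Agent Keystore and Truststore is the same openssl command with different file names. The script below is an added example, not an Oracle script: it wraps that command in a function and adds the checks an operator wants around it, namely that the private key actually belongs to the certificate, that the certificate chains to the CA being bundled, and that the resulting .p12 carries the expected alias and both certificates. All key material is constructed, throw-away test material generated inline as a stand-in for the custom certificates; the file names follow the server example (server-key.pem, vdtServer.pem, ca_server.pem, vdtServerKeystore.p12) and the alias and password are placeholders.

```shell
#!/bin/sh
# Added example (not Oracle's own code): keystore export with pre- and post-checks.
# Everything under make_test_material is constructed test material standing in
# for the custom certificates; in a real deployment those files already exist.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"
ALIAS="vdtserver"         # placeholder alias; must be unique per certificate
STOREPASS="changeit-demo" # placeholder; the real password goes to the wallet later

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF

# Constructed CA and a server certificate signed by it (stand-in for the
# three custom .pem files that 8.3.1 copies into <Server_installation_location>/config).
make_test_material() {
    openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Veridata CA" -extensions ca_ext \
        -keyout ca-key.pem -out ca_server.pem 2>/dev/null
    openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo-veridata-server" -keyout server-key.pem -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA ca_server.pem -CAkey ca-key.pem \
        -CAcreateserial -days 1 -extfile openssl.cnf -extensions leaf_ext \
        -out vdtServer.pem 2>/dev/null
}

# Check 1: the private key must belong to the certificate (compare public keys).
key_matches_cert() { # $1=key.pem $2=cert.pem
    k="$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)"
    c="$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
    [ "$k" = "$c" ]
}

# Check 2: the certificate must chain to the CA that is about to be bundled.
cert_chains_to_ca() { # $1=cert.pem $2=ca.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The export command from the page, parameterised.
build_keystore() { # $1=key $2=cert $3=ca $4=out.p12 $5=alias $6=password
    openssl pkcs12 -export -in "$2" -inkey "$1" -certfile "$3" \
        -out "$4" -name "$5" -passout "pass:$6"
}

# Check 3a: the alias (friendlyName) stored in the keystore.
keystore_alias() { # $1=keystore.p12 $2=password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Check 3b: number of certificates in the keystore; leaf plus CA should give 2.
keystore_cert_count() { # $1=keystore.p12 $2=password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_test_material
key_matches_cert server-key.pem vdtServer.pem     # aborts (set -e) on a wrong key
cert_chains_to_ca vdtServer.pem ca_server.pem      # aborts on the wrong CA file
build_keystore server-key.pem vdtServer.pem ca_server.pem vdtServerKeystore.p12 "$ALIAS" "$STOREPASS"
echo "alias in keystore:        $(keystore_alias vdtServerKeystore.p12 "$STOREPASS")"
echo "certificates in keystore: $(keystore_cert_count vdtServerKeystore.p12 "$STOREPASS")"
```

Because the script runs under set -e, a key that does not match the certificate or a certificate that does not verify against the CA stops it before anything is exported, which is the failure you otherwise only discover when the agent connection fails the SSL handshake. For the agent keystore, substitute agent-key.pem, agent-cert.pem, ca_agent.pem and vdtAgentKeystore.p12.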

To generate Server Truststore

  1. Copy ca_agent.pem from Agent node (<AGENT_DEPLOY_LOCATION>/config/certs) to <Server_installation_location>/config directory.
  2. Rename ca_agent.pem to ca_agent.crt.
  3. Run the below command:
    keytool -importcert -file ca_agent.crt -alias <alias> \
      -keystore vdtServerTruststore.p12 -storepass <password>
    This command generates vdtServerTruststore.p12 in <Server_installation_location>/config directory.

8.3.6 Saving Server Keystore/ Truststore Passwords to Server Wallet

  1. Run the following script configure_server_ssl.sh under <Server_installation_location>/config directory:
    ./configure_server_ssl.sh
    OGGV-80056: Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
    OGGV-80057: Veridata Server SSL Configuration Utility
    OGGV-80058: Notes:
    OGGV-80059: OGGV-80059: This utility allows Veridata to access keystore and truststore. When entering the passwords below, unlock password should match the one used in keytool -storepass option
    [OGGV-80060: Enter Server Keystore unlock password:]
    [OGGV-80062: Enter Server Truststore unlock password:]
    
  2. Delete ca_agent.crt from <Server_installation_location>/config directory.

8.3.7 Creating an Agent Connection in UI

  1. Log in to the Veridata UI, navigate to the Connections page, and click Create. Enter the required connection name and the agent host machine address/port. Check the Use SSL for communication checkbox to enable SSL for the connection, and click Verify to verify the connection.
  2. Enter the database username and password, then click the Test Connection to validate the credentials. If different credentials are needed for repair, uncheck the Use Data Source Connection Credential for Repair checkbox and enter the repair credentials.
  3. Click Submit to save the connection.
For more details about all the parameters, see Creating a Connection.