8.2 Configuring Two-Way SSL for the NSK C-Agent on the Veridata Server

Prerequisites for Veridata Server

  1. Ensure that the PATH environment variable contains the path to the JDK 17 bin directory, where keytool is located.
  2. The keystore is also known as the Identity Store in older releases.

SSL Configuration on Veridata Server

Generate Server Keystore and Certificate

If the Oracle GoldenGate Veridata server keystore has not been created, then use the keytool command as follows to generate the server keystore.

  1. Go to <Server_installation_location>/config directory.
  2. Build Server Keystore with the following command:
    keytool -genkeypair -keyalg RSA -keystore vdtServerKeystore.p12 -storepass <unlock-password>
  3. Export the server certificate from the server keystore with the following command:
    keytool -exportcert -keystore vdtServerKeystore.p12 -storepass <unlock-password> -file vdtServer.crt
  4. Convert the certificate from CRT format to PEM format with the following command:
    openssl x509 -in vdtServer.crt -outform PEM -out vdtServer.pem -inform DER

Import NSK C-Agent Certificate to Server Truststore

  1. Go to <Server_installation_location>/config directory, and copy the NSK C-agent certificate to this directory.
  2. Run the following command to create a server truststore and import the NSK C-agent certificate into this truststore:
    keytool -importcert -file <nsk-agent-certificate-file> -alias vdtAgent.crt.<unique-id> -keystore vdtServerTruststore.p12 -storepass <unlock-password>

    Note:

    When importing multiple NSK C-agent certificates into a server truststore, assign a unique -alias value to each NSK C-agent certificate.
  3. Delete the NSK C-agent certificate from the <Server_installation_location>/config directory.

Save Server Keystore/Truststore Passwords to Server Wallet

Run the configure_server_ssl.sh script from the <Server_installation_location>/config directory.

    ./configure_server_ssl.sh
    OGGV-80056: Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
    OGGV-80057: Veridata Server SSL Configuration Utility
    OGGV-80058: Notes:
    OGGV-80059: This utility allows Veridata to access keystore and truststore. When entering the passwords below, unlock password should match the one used in keytool -storepass option.
    [OGGV-80060: Enter Server Keystore unlock password:]
    OGGV-80062: Enter Server Truststore unlock password:]

SSL Configuration on NSK C-agent

The SSLCA file is the Certificate Authority file distributed with the NSK C-agent. The SSLCERT file is the default certificate for the NSK C-agent.

For a successful two-way SSL configuration, the NSK C-agent’s certificate (for example, SSLCERT) must be:
  • Imported into the Veridata Server’s truststore.
  • Appended into the SSLCA file of NSK C-agent.

Update SSLCA file with Veridata Server Certificate

  1. Open the SSLCA file using the vi editor in OSS (POSIX environment).
  2. Append the contents of the Veridata Server certificate PEM file (for example, vdtServer.pem) to the end of the SSLCA file. For the steps to generate a new Veridata Server certificate, see Generate Server Keystore and Certificate.
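
A scripted alternative to the manual append above, shown as an added example that is not part of the Oracle documentation. The function names are hypothetical, and the script assumes a POSIX shell with awk, grep, tail and cp available. It skips a certificate that is already in the bundle, keeps a backup, and guards against a bundle with no trailing newline, which would otherwise fuse the END and BEGIN marker lines.

```shell
#!/bin/sh
# Added example, not Oracle tooling; function names are hypothetical.

# Print one line per certificate in FILE: its base64 body, line breaks removed.
cert_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /^-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { body = body $0 }
    ' "$1"
}

# Succeed only if FILE has at least one certificate and every BEGIN line is
# closed by an END line before the next BEGIN (this catches fused markers).
pem_ok() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { if (inside) bad = 1; inside = 1; n++; next }
        /^-----END CERTIFICATE-----/   { if (!inside) bad = 1; inside = 0 }
        END { exit (bad || inside || n == 0) }
    ' "$1"
}

# append_cert BUNDLE PEM
# Returns 0 if appended or already present, 2 for an unusable PEM file,
# 3 for a missing bundle, 4 if the result was malformed (bundle restored).
append_cert() {
    bundle=$1; pem=$2
    [ -f "$bundle" ] || return 3
    pem_ok "$pem" || return 2
    [ "$(cert_bodies "$pem" | awk 'END { print NR }')" -eq 1 ] || return 2
    new=$(cert_bodies "$pem")
    [ -n "$new" ] || return 2
    # Textual comparison of the base64 body; no certificate parsing is done.
    if cert_bodies "$bundle" | grep -qxF -e "$new"; then
        return 0                       # already in the bundle
    fi
    cp -p "$bundle" "$bundle.bak"      # keep the previous version
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        echo >> "$bundle"              # last line had no newline
    fi
    cat "$pem" >> "$bundle"
    if ! pem_ok "$bundle"; then
        cp -p "$bundle.bak" "$bundle"
        return 4
    fi
}
```

Call it as append_cert SSLCA vdtServer.pem from the directory that holds both files; the previous bundle is kept as SSLCA.bak.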

Create an Agent Connection in the UI

  1. Log in to the Veridata website, navigate to the Connections page from the left side panel, and click Create on the right side of the page.
  2. Enter the required connection name and agent host machine address/port. Select the Use SSL for communication checkbox to enable SSL for the connection, and click Verify to verify the connection.
  3. The Username, Password, Repair User and Repair Password fields are optional for an NSK C-agent connection. The Test Connection buttons are disabled for now.
  4. Click the Submit button to save the connection.