Oracle GoldenGate Microservices Architecture: Using Self-signed Certificates

Introduction

Oracle GoldenGate Microservices Architecture (OGG-MA) provides functionality for securing Rest API calls and communications channels between the Distribution and Receiver Servers over Transport Layer Security (TLS).

To enable TLS, an SSL certificate must be obtained from a Certificate Authority (CA) and installed on the server before the OGG-MA Service Manager and Deployment are created. SSL certificates are small data files that digitally bind a cryptographic key to an organization's details, such as the domain name, server name or hostname, and the organization's identity and location.

However, test or sandbox environments typically do not receive CA-generated SSL certificates. In this article we'll create a self-signed SSL certificate and use it to build a secure OGG-MA test environment.

The concepts, scripts, and information presented in this article are for educational purposes only. They are not supported by Oracle Development or Support, and come with no guarantee or warranty of functionality in any environment other than the test system used to prepare this article. Before applying any changes presented in this article to your environment, you should thoroughly test to assess functionality and performance implications.

Main Article

For this article, the OGG-MA release code has been previously installed, the OGG_HOME environment variable set to point to that location, and the other required variables set properly (ORACLE_HOME, LD_LIBRARY_PATH, and so forth). Other environment variables I set in my environments are:

## OGG-MA install location
export OGG_HOME=/u01/oracle/app/goldengate/ogg123ma
## OGG main directory
export OGG_BASE_DIR=/u01/oracle/app/goldengate
## OGG wallet location for storing ssl certs
export OGG_WALLET=$OGG_BASE_DIR/wallet
## OGG deployment location
export OGG_DEPLOYMENT=$OGG_BASE_DIR/deployments

Create the Self-Signed Certificate

The orapki utility comes packaged in the OGG-MA release, and is located in the $OGG_HOME/bin directory. ORAPKI is a command line utility that is used to manage public key infrastructure (PKI) elements, such as wallets and certificate revocation lists. It also provides a way to create self-signed certificates for testing purposes.

To use orapki, go to the $OGG_HOME/bin directory.

[oracle@centos0ra12 ~]$ cd $OGG_HOME/bin
[oracle@centos0ra12 bin]$

At the command line, create the directory we’ll use to house the OGG Wallet:

[oracle@centos0ra12 bin]$ mkdir $OGG_WALLET

Invoke orapki to create an automatic login wallet:

[oracle@centos0ra12 bin]$ ./orapki wallet create -wallet $OGG_WALLET/Root_CA -auto_login -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

Oracle1! is a bad password and should never be used to create your auto-login wallet. Follow your company's security guidelines for passwords when defining the auto-login wallet password.

Create the root certificate

[oracle@centos0ra12 bin]$ ./orapki wallet add -wallet $OGG_WALLET/Root_CA -dn 'CN=Loren,OU=A-Team,O=Oracle America,L=Redwood Shores,ST=CA,C=US' -keysize 2048 -self_signed -validity 15000 -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

This command creates a self-signed certificate that is valid for 15,000 days and carries a Distinguished Name (DN) that uniquely identifies this test environment. It becomes the trusted root certificate used to establish the communication links between each OGG-MA environment across the enterprise. The DN consists of the following:

(a) CN is the Common Name, which identifies the enterprise associated with the certificate and is usually a fully qualified domain name. Since this server is not part of an enterprise network, I am using a dummy enterprise name ("Loren").

(b) OU is the Organization Unit within the company that is associated with this server.

(c) O is the Organization, or company that owns this server.

(d) L is the Locality, or location of the server associated with this certificate.

(e) ST is the State or Province Name of the Locality.

(f) C is the Country.

Use the orapki wallet display command to display the certificate requests, user certificates, and trusted certificates contained in the wallet:

[oracle@centos0ra12 bin]$ ./orapki wallet display -wallet $OGG_WALLET/Root_CA -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=Loren,OU=A-Team,O=Oracle America,L=Redwood Shores,ST=CA,C=US
Trusted Certificates:
Subject:        CN=Loren,OU=A-Team,O=Oracle America,L=Redwood Shores,ST=CA,C=US

Export the root certificate to a PEM file. This file will be used to sign the server and Distribution Server certificates used in our secure OGG-MA replication environment.

[oracle@centos0ra12 bin]$ ./orapki wallet export -wallet $OGG_WALLET/Root_CA -dn 'CN=Loren,OU=A-Team,O=Oracle America,L=Redwood Shores,ST=CA,C=US' -cert $OGG_WALLET/root_ca.pem -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

The wallet directory will contain the following files and subdirectories:

[oracle@centos0ra12 wallet]$ ls
Root_CA  root_ca.pem

Create Server Certificates

To create server certificates, do the following for each server that will make up the OGG-MA replication environment.

Invoke orapki to create the server wallet:

[oracle@centos0ra12 bin]$ ./orapki wallet create -wallet $OGG_WALLET/centosora12 -auto_login -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

Add a certificate request to the newly created wallet that will identify the server:

[oracle@centos0ra12 bin]$ ./orapki wallet add -wallet $OGG_WALLET/centosora12 -dn 'CN=centosora12,L=Redwood Shores,ST=CA,C=US' -keysize 2048 -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

Export the request:

[oracle@centos0ra12 bin]$ ./orapki wallet export -wallet $OGG_WALLET/centosora12 -dn 'CN=centosora12,L=Redwood Shores,ST=CA,C=US' -request $OGG_WALLET/centosora12_req.pem
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

Create a signed certificate from the request. Be sure to assign a unique serial number to each certificate signed by the root CA.

[oracle@centos0ra12 bin]$ ./orapki cert create -wallet $OGG_WALLET/Root_CA -request $OGG_WALLET/centosora12_req.pem -cert $OGG_WALLET/centosora12_cert.pem -serial_num 20 -validity 15000
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

View the certificate:

[oracle@centos0ra12 bin]$ ./orapki cert display -cert $OGG_WALLET/centosora12_cert.pem -complete
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

{ fingerprint = 36f0f0197fb0baff43559d69267f10ab, notBefore = Mon Jul 09 15:39:17 EDT 2018, notAfter = Sun Aug 03 15:39:17 EDT 2059, holder = CN=centosora12,L=Redwood Shores,ST=CA,C=US, issuer = CN=Loren,OU=A-Team,O=Oracle America,L=Redwood Shores,ST=CA,C=US, serialNo = 0, sigAlgOID = 1.2.840.113549.1.1.11, key = { modulus = 19710596730143387297792462636913044239918848840298051038571571067288717293313495126414480132001907549091456696796821819101727825163873298727482779168546634120986523301449793443734271669770658140047686414842916520385753131984565835468831087413693741950722767717594437049721747217481092630525772412990277882074345088735672290286434199051655202938392232003445005665319867040814450332942132736480675463902892222106807659238931290411027200577283192201976520406130845284496625491259122030837107023373964039564031093135768700393423700227798856646944031736928281017850410064817706504177679330878565553802804609699048056798089, exponent = 65537 } }

Add the trusted certificate to the server wallet:

[oracle@centos0ra12 bin]$ ./orapki wallet add -wallet $OGG_WALLET/centosora12 -trusted_cert -cert $OGG_WALLET/root_ca.pem -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

Add the server certificate to the wallet:

[oracle@centos0ra12 bin]$ ./orapki wallet add -wallet $OGG_WALLET/centosora12 -user_cert -cert $OGG_WALLET/centosora12_cert.pem -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

To view the user and trusted certificates in the wallet:

[oracle@centos0ra12 bin]$ ./orapki wallet display -wallet $OGG_WALLET/centosora12
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=centosora12,L=Redwood Shores,ST=CA,C=US
Trusted Certificates:
Subject:        CN=Loren,OU=A-Team,O=Oracle America,L=Redwood Shores,ST=CA,C=US

After creating wallets and certificates for each server in my trusted OGG-MA environment, the wallet directory contained the following files and directories:

[oracle@centos0ra12 wallet]$ ls
centosora12           centosora12_req.pem  ora12nomt_cert.pem  Root_CA
centosora12_cert.pem  ora12nomt            ora12nomt_req.pem   root_ca.pem

We can clean things up by removing the server certificate request and certificate files. Be sure to preserve the root certificate (root_ca.pem) and the Root_CA wallet that signs with it, so additional server certificates may be created later.

[oracle@centos0ra12 wallet]$ rm centosora12_req.pem ora12nomt_cert.pem centosora12_cert.pem ora12nomt_req.pem
[oracle@centos0ra12 wallet]$ ls
centosora12  ora12nomt  Root_CA  root_ca.pem

Copy each server wallet to the $OGG_WALLET location on their respective server.


Create the Distribution Server Certificate

The Distribution Server certificate is used to identify a trusted source OGG-MA Distribution Server to remote OGG-MA sites. The process is the same as creating a server wallet:

Create the Distribution Server wallet:

[oracle@centos0ra12 bin]$ ./orapki wallet create -wallet $OGG_WALLET/oggmadistsrvr -auto_login -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

Add a certificate request to the newly created wallet that will identify the Distribution Server:

[oracle@centos0ra12 bin]$ ./orapki wallet add -wallet $OGG_WALLET/oggmadistsrvr -dn 'CN=distclient,L=Redwood Shores,ST=CA,C=US' -keysize 2048 -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

Export the request:

[oracle@centos0ra12 bin]$ ./orapki wallet export -wallet $OGG_WALLET/oggmadistsrvr -dn 'CN=distclient,L=Redwood Shores,ST=CA,C=US' -request $OGG_WALLET/distclient_req.pem
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

Create a signed certificate from the request. Be sure to assign a unique serial number to each certificate; the command below reuses 20, the value used for the server certificate above, so pick a different serial in your own environment.

[oracle@centos0ra12 bin]$ ./orapki cert create -wallet $OGG_WALLET/Root_CA -request $OGG_WALLET/distclient_req.pem -cert $OGG_WALLET/distclient_cert.pem -serial_num 20 -validity 15000
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Add the trusted certificate to the wallet:

[oracle@centos0ra12 bin]$ ./orapki wallet add -wallet $OGG_WALLET/oggmadistsrvr -trusted_cert -cert $OGG_WALLET/root_ca.pem -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

Add the Distribution Server certificate to the wallet:

[oracle@centos0ra12 bin]$ ./orapki wallet add -wallet $OGG_WALLET/oggmadistsrvr -user_cert -cert $OGG_WALLET/distclient_cert.pem -pwd Oracle1!
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.

Copy the Distribution Server wallet to the $OGG_WALLET location on each remote server in the OGG-MA replication environment.
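The server-wallet steps and the Distribution Server steps above are the same orapki sequence, so here they are gathered into one POSIX shell function, as an added example that is not from the original article. It assumes OGG_HOME and OGG_WALLET as set earlier, that the Root_CA wallet and root_ca.pem already exist, that orapki writes the exported certificate as PEM (so openssl can check the chain), and that the wallet password is supplied in OGG_WALLET_PWD, a placeholder name; the serial counter and its starting value are constructed for the example.

```shell
# Added example, not from the article: build one OGG-MA server (or Distribution
# Server) wallet with the orapki sequence the article walks through by hand.
# Assumes Root_CA and root_ca.pem under $OGG_WALLET and PEM certificate files.
set -eu
: "${OGG_HOME:=/u01/oracle/app/goldengate/ogg123ma}"
: "${OGG_WALLET:=/u01/oracle/app/goldengate/wallet}"
: "${OGG_WALLET_PWD:=CHANGE_ME}"   # placeholder; never hard-code a real password
ORAPKI="$OGG_HOME/bin/orapki"

# Subject DN for a host or client, following the article's DN pattern.
server_dn() {
    printf 'CN=%s,L=Redwood Shores,ST=CA,C=US' "$1"
}

# Hand out certificate serial numbers from a counter file so that no two
# certificates signed by Root_CA ever share one. Starts at 20 like the article.
next_serial() {
    file="${1:-$OGG_WALLET/serial.txt}"
    [ -f "$file" ] || echo 20 > "$file"
    n=$(cat "$file")
    echo $((n + 1)) > "$file"
    echo "$n"
}

# $1 = wallet name, $2 = CN for the certificate, $3 = serial number.
make_wallet() {
    name="$1"; cn="$2"; serial="$3"
    dn="$(server_dn "$cn")"
    req="$OGG_WALLET/${name}_req.pem"
    cert="$OGG_WALLET/${name}_cert.pem"
    "$ORAPKI" wallet create -wallet "$OGG_WALLET/$name" -auto_login -pwd "$OGG_WALLET_PWD"
    "$ORAPKI" wallet add -wallet "$OGG_WALLET/$name" -dn "$dn" -keysize 2048 -pwd "$OGG_WALLET_PWD"
    "$ORAPKI" wallet export -wallet "$OGG_WALLET/$name" -dn "$dn" -request "$req"
    "$ORAPKI" cert create -wallet "$OGG_WALLET/Root_CA" -request "$req" -cert "$cert" \
        -serial_num "$serial" -validity 15000
    # Independent chain check: the new cert must verify against root_ca.pem
    # before it is loaded into the wallet (set -e aborts the run if it does not).
    openssl verify -CAfile "$OGG_WALLET/root_ca.pem" "$cert"
    "$ORAPKI" wallet add -wallet "$OGG_WALLET/$name" -trusted_cert -cert "$OGG_WALLET/root_ca.pem" -pwd "$OGG_WALLET_PWD"
    "$ORAPKI" wallet add -wallet "$OGG_WALLET/$name" -user_cert -cert "$cert" -pwd "$OGG_WALLET_PWD"
    rm -f "$req" "$cert"   # cleanup as in the article; Root_CA and root_ca.pem stay
}

# Usage for the article's two servers and the Distribution Server wallet;
# guarded so the functions can be sourced without running orapki.
if [ "${RUN_OGG_WALLETS:-0}" = 1 ]; then
    make_wallet centosora12   centosora12 "$(next_serial)"
    make_wallet ora12nomt     ora12nomt   "$(next_serial)"
    make_wallet oggmadistsrvr distclient  "$(next_serial)"
fi
```

Run it with RUN_OGG_WALLETS=1 on the machine that holds the Root_CA wallet, then copy each resulting wallet directory to $OGG_WALLET on its own server as described above.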


Create the OGG-MA Deployment

Create the deployment by running the script oggca.sh in the $OGG_HOME/bin directory.

The Configuration Wizard will start. The first screen is where we define and create the OGG-MA Service Manager.

[Screenshot: oggma_deploy1]

As shown above, I am creating a new Service Manager, with a listener port of 17100 on the test server centosora12, registering the Service Manager process as a system daemon, and lastly storing all files associated with it in the disk location $OGG_DEPLOYMENT/ServiceManager.

Step 7 of the Configuration Wizard is where we set up TLS security for the deployment.

In the Server section, select Use Existing Wallet and browse to the $OGG_WALLET location and select the server wallet for this machine.

In the Client section, select Use Existing Wallet and browse to the $OGG_WALLET location and select the Distribution Server wallet.

Complete the deployment configuration.

Test TLS Connectivity

Using the Firefox web browser, connect to the OGG-MA Service Manager over HTTPS. Firefox will display a screen saying the security certificate is invalid. Technically this is correct: the certificate was not issued by a Certificate Authority the browser trusts, so it fails the browser's validation.

[Screenshot: oggma_deploy_test]

Add an exception and continue.

[Screenshot: oggma_deploy_test1]

The Service Manager login screen will display.

[Screenshot: oggma_deploy_test2]

Log in to the Service Manager.

[Screenshot: oggma_deploy_test3]

Create the Distribution Path

I previously created an Integrated Extract to capture data from my source database; now I want to create a secure path to distribute this data to remote OGG-MA deployments for replication into target databases. Using the Firefox web browser, connect to the OGG-MA Distribution Server over HTTPS.

Select the add path button ("+"). Enter a unique name for this distribution path and select the source Extract and Extract Trail for distribution.


Select wss as the path communication protocol (this is the default). WSS stands for WebSocket Secure, which provides efficient, bidirectional, message-oriented streaming of data between server and client over TLS. Enter the target endpoint information: (1) the node name or IP address of the remote server, (2) the OGG-MA Receiver Server listener port for the remote deployment, (3) the OGG Trail name to be created on the remote deployment, and (4) the desired OGG Trail size.

Select the Create Path button to complete the process.

Start the distribution path.

Verify the path by accessing the OGG-MA Receiver Server on the remote machine.

Select Details from the drop-down box to verify data is being received and view information about the data and path.


Summary

In this article we demonstrated how to create a self-signed SSL/TLS certificate for use with secure Oracle GoldenGate Microservices Architecture deployments and secure distribution paths.

For more information on what other articles are available for Oracle GoldenGate please view our index page.
