Certificate management and remote connections
Overview
The server is the Delphix engine and the client is the remote host. This can be used for SnapSync, Oracle V2P (Virtual to Physical), and remote host connections. Once either of these options is enabled, the steps for adding the certificate must be performed for all environments in the engine.
Enabling server authentication
To enable server authentication, follow the steps below:
Replace the desired certificate for DSP (Delphix Session Protocol) in the engine KeyStore. For more details, refer to KeyStore Settings.
Create a JKS or PKCS#12 keystore on the remote host with the full CA chain of the replaced certificate. Make sure the created keystore has permissions such that it is readable by all environment users configured in Delphix, and enter the keystore details into the host’s truststore configuration on the engine. For more details, refer to Host DSP Configuration.
Select Perform server (this engine) authorization for remote connections.
Altering the authentication settings requires the DSP keystore and truststore parameters to be configured for all existing environments; otherwise, refreshing existing host environments will fail.
Enabling client authentication
1. DSP connector (for both Windows and Unix hosts)
To enable client authentication using the DSP connector, first enable server authentication (refer to the above steps), then follow the steps below:
Create a JKS or PKCS#12 keystore on the remote host with the desired key pair. Make sure the created keystore has permissions such that it is readable by all environment users configured in Delphix, then enter the keystore details into the host’s keystore configuration on the engine. For more details, refer to Host DSP Configuration.
Add the full CA chain of the remote host’s key pair to the TrustStore on the engine. For more details, refer to TrustStore Settings.
Select Perform Client (the target host) authorization for remote connections.
Once the configurations have been set as desired, you will be presented with a summary page. Clicking Submit will trigger a stack restart, which is necessary for the configuration changes to take effect. Note: all jobs will be stopped, but VDBs will continue to run.
2. Connector installer connector (specific for Windows hosts)
There are two ways to generate self-signed certificates:
a) By installing the Delphix Connector, which will by default create certificates.
b) By using Self-signed Certificates
To enable client authentication using the connector installer, you must perform the steps below for all Windows hosts that are being added to the Delphix Engine:
Execute the below command to generate the PEM file for the Delphix Connector (provided or self-signed) Java KeyStore file. Also, input the store password from DelphixConnector.properties when prompted.
    keytool -exportcert -alias DelphixConnector-{UUID_From_DelphixConnector.properties} -keystore "{Installation_Dir}\connector\DelphixConnector.jks" -rfc -file {Custom_PEM_File_Name}
Copy the PEM file’s content and paste it when adding the certificate to the Delphix Engine.
Add the certificate to Delphix engine using the sysadmin login and select Network Security.
Select Add Certificate and upload the certificate.
Once the certificate is added, enable validateWindowsConnectorCertificate from the Delphix engine CLI. This will restart the Delphix engine.
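A pre-flight check for the files the keystore, truststore and PEM export steps above produce, added here as an example (it is not Delphix code): it confirms from the file header that a keystore is JKS or PKCS#12, checks its permission bits, and decodes the PEM written by keytool -exportcert -rfc before it is pasted into the engine. All function names are hypothetical; it assumes environment users reach the keystore through the "other" permission bits, and the world-writable check is an addition not stated on the page.

```python
import base64
import os
import re
import stat

JKS_MAGIC = bytes.fromhex("feedfeed")  # header of a Java KeyStore (JKS) file
DER_SEQUENCE = 0x30                    # PKCS#12 and X.509 DER start with a SEQUENCE
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)


def keystore_type(path):
    """Return 'JKS', 'PKCS12' or None. Header check only; the store is not opened."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == JKS_MAGIC:
        return "JKS"
    if len(head) == 4 and head[0] == DER_SEQUENCE:
        return "PKCS12"
    return None


def permission_problems(path):
    """Assumption: environment users are 'other' users, not members of a shared group."""
    mode = os.stat(path).st_mode
    problems = []
    if not mode & stat.S_IROTH:
        problems.append("not readable by other users")
    if mode & stat.S_IWOTH:  # anyone able to edit a truststore can add a CA to it
        problems.append("writable by other users")
    return problems


def pem_certificates(text):
    """Decode every CERTIFICATE block in PEM text to DER bytes (ValueError if corrupt)."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != DER_SEQUENCE:
            raise ValueError("PEM block does not contain a DER certificate")
        ders.append(der)
    return ders


def check_keystore(path):
    """Findings for one keystore file; an empty list means it passed."""
    kind = [] if keystore_type(path) else ["not a JKS or PKCS#12 file"]
    return kind + permission_problems(path)
```

Run check_keystore() on the remote host against each keystore path entered in the host's DSP configuration, and expect pem_certificates() to return exactly one entry for the exported connector certificate.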