Regenerating self-signed end-entity and CA certificates
In many environments, replacing the HTTPS and/or DSP certificates is unnecessary.
The DSP certificate is only used if one or more of the Custom Authorizations checkboxes have been enabled in the Network Security settings, as discussed in the Configuring Network Security Settings page. If none of these checkboxes is applied, the DSP certificate is not in use.
HTTPS certificate replacement is only necessary if web browser access to the engine uses HTTPS.
The following process uses the Java keytool utility. It is available in most Java JDK installations, including those installed with the Delphix Toolkit for Unix, Linux and Windows environments under <toolkit directory>/*host/java/jdk/bin/. In the following example, /work is the toolkit directory. The subdirectory naming conventions from 5.3.x and 6.0.x are illustrated by:
$ find /work -name keytool
/work/Delphix_COMMON_f126df603015_33e2f61712c3_2_host/java/jdk/jre/bin/keytool
/work/Delphix_COMMON_f126df603015_33e2f61712c3_2_host/java/jdk/bin/keytool
/work/Delphix_COMMON_564d56b0_26ad_e6ac_f782_d15213207664_oracle_host/java/jdk/bin/keytool
/work/Delphix_COMMON_564d56b0_26ad_e6ac_f782_d15213207664_oracle_host/java/jdk/jre/bin/keytool
By the end of this process, a PKCS#12 KeyStore file has been generated containing the CA certificate and the DSP, stunnel-server and HTTPS certificates. This one file is uploaded twice in the System Setup interface.
Other notes:
The recommended KeyStore password, changeit, is used. The KeyStore holds the private keys of the CA and of every end-entity certificate, so restrict its file permissions and delete the .csr and .p12 working files once the upload has succeeded.
For <domain>, replace this string with the Engine FQDN in every command. It is used as the CN (Common Name) and as the DNS Subject Alternative Name. For instance, -dname 'CN=Engine <domain> CA, C=US' would be replaced with -dname 'CN=Engine example.delphix.com CA, C=US'.
-startdate -10080M backdates a certificate by 10080 minutes (7 days) so that it validates even on clients whose clocks are behind the engine's; -validity 397 is counted from that start date, so the certificates expire roughly 390 days after generation and must be regenerated before then.
The -ext 1.3.6.1.5.5.7.3.1 argument passes the serverAuth purpose OID as a bare extension name. keytool treats an unrecognised name as an extension OID and, with no value given, writes an empty extension of that OID rather than an Extended Key Usage extension. The commands are reproduced as documented; keytool's named form for a real serverAuth EKU is -ext eku=serverAuth.
The certificate aliases to be used are tomcat for HTTPS and dsp for DSP.
The existing Delphix CA certificate in the truststore cannot be removed. Faults related to this certificate should be ignored.
Linux Version
Generate a new Delphix CA Certificate.
export PASSWORD_ENV='changeit'
keytool -genkeypair -noprompt -alias delphixca -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext bc=ca:true -ext ku=kCS,cRLS -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -startdate -10000M -dname 'CN=Engine <domain> CA, C=US' -keypass:env PASSWORD_ENV -keystore keystore
Generate the HTTPS/TLS certificate
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keypass:env PASSWORD_ENV -keystore keystore
Generate the DSP certificate
keytool -genkeypair -alias dsp -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keypass:env PASSWORD_ENV -keystore keystore
Generate the STUNNEL-SERVER certificate
keytool -genkeypair -alias stunnel-server -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keypass:env PASSWORD_ENV -keystore keystore
Sign the HTTPS/TLS certificate
keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -storetype pkcs12 -keypass:env PASSWORD_ENV -storepass:env PASSWORD_ENV -keystore keystore -file tomcat.csr
keytool -gencert -alias delphixca -ext 'san=dns:<domain>' -validity 397 -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -startdate -10080M -infile tomcat.csr -outfile tomcat.p12
keytool -importcert -alias tomcat -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -file tomcat.p12
Sign the DSP Certificate
keytool -certreq -alias dsp -keyalg RSA -sigalg SHA256withRSA -storetype pkcs12 -keypass:env PASSWORD_ENV -storepass:env PASSWORD_ENV -keystore keystore -file dsp.csr
keytool -gencert -alias delphixca -ext 'san=dns:<domain>' -validity 397 -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -startdate -10080M -infile dsp.csr -outfile dsp.p12
keytool -importcert -alias dsp -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -file dsp.p12
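Before uploading the KeyStore, confirm that the signing steps actually replaced the self-signed tomcat and dsp certificates: an alias whose -gencert/-importcert steps were skipped still holds its original self-signed certificate (chain length 1), and the engine would then present a certificate that does not chain to the new CA. The POSIX shell script below is an added example and not part of the Delphix procedure. It parses the output of keytool -list -v for the keystore built above and checks that delphixca is a CA, that tomcat and dsp each have a two-certificate chain issued by "CN=Engine <FQDN> CA, C=US", and that both carry the FQDN as a DNS Subject Alternative Name. The embedded listing is a constructed, abridged sample for example.delphix.com (dates, serials and fingerprints omitted); the keytool output format it parses is the one printed by -list -v.

```shell
#!/bin/sh
# check_keystore_listing.sh (added example): validate a `keytool -list -v`
# listing of the keystore built by the procedure above.
# Real use:
#   keytool -list -v -storetype pkcs12 -storepass changeit -keystore keystore \
#     | sh check_keystore_listing.sh example.delphix.com
# Exit status 0 means every check passed.

# alias_block LISTING ALIAS: print the lines belonging to ALIAS, from its
# "Alias name:" line up to (not including) the next alias.
alias_block() {
    printf '%s\n' "$1" | awk -v a="$2" '
        BEGIN { t = "Alias name: " a }
        /^Alias name: / { inblk = ($0 == t) }
        inblk { print }'
}

# check_leaf LISTING ALIAS FQDN: ALIAS must be chained to the CA and carry
# the FQDN as a DNS SAN. Returns 0 on success.
check_leaf() {
    blk=$(alias_block "$1" "$2")
    [ -n "$blk" ] || { echo "FAIL: alias $2 not found"; return 1; }
    # Certificate[1] is the leaf; drop Certificate[2] (the CA) and anything after it.
    leaf=$(printf '%s\n' "$blk" | sed '/^Certificate\[2\]:/,$d')
    printf '%s\n' "$blk" | grep -Fxq 'Certificate chain length: 2' \
        || { echo "FAIL: $2 is not chained to the CA (still self-signed)"; return 1; }
    printf '%s\n' "$leaf" | grep -Fxq "Issuer: CN=Engine $3 CA, C=US" \
        || { echo "FAIL: $2 issuer is not the Delphix CA subject"; return 1; }
    printf '%s\n' "$leaf" | grep -Fq "DNSName: $3" \
        || { echo "FAIL: $2 has no DNS SAN for $3"; return 1; }
    return 0
}

# check_ca LISTING FQDN: delphixca must exist, match the FQDN and be CA:true.
check_ca() {
    blk=$(alias_block "$1" delphixca)
    [ -n "$blk" ] || { echo "FAIL: alias delphixca not found"; return 1; }
    printf '%s\n' "$blk" | grep -Fxq "Owner: CN=Engine $2 CA, C=US" \
        || { echo "FAIL: delphixca subject does not match $2"; return 1; }
    printf '%s\n' "$blk" | grep -Fq 'CA:true' \
        || { echo "FAIL: delphixca is not a CA certificate"; return 1; }
    return 0
}

# check_listing LISTING FQDN: run every check; 0 only if all pass.
check_listing() {
    rc=0
    check_ca "$1" "$2" || rc=1
    check_leaf "$1" tomcat "$2" || rc=1
    check_leaf "$1" dsp "$2" || rc=1
    if [ "$rc" -eq 0 ]; then echo "OK: tomcat and dsp are signed by the Delphix CA for $2"; fi
    return "$rc"
}

# Constructed, abridged sample listing for a keystore built for example.delphix.com.
SAMPLE_LISTING=$(cat <<'EOF'
Keystore type: PKCS12

Alias name: delphixca
Certificate chain length: 1
Certificate[1]:
Owner: CN=Engine example.delphix.com CA, C=US
Issuer: CN=Engine example.delphix.com CA, C=US
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
]

Alias name: tomcat
Certificate chain length: 2
Certificate[1]:
Owner: CN=example.delphix.com, C=US
Issuer: CN=Engine example.delphix.com CA, C=US
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: example.delphix.com
]
Certificate[2]:
Owner: CN=Engine example.delphix.com CA, C=US
Issuer: CN=Engine example.delphix.com CA, C=US

Alias name: dsp
Certificate chain length: 2
Certificate[1]:
Owner: CN=example.delphix.com, C=US
Issuer: CN=Engine example.delphix.com CA, C=US
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: example.delphix.com
]
Certificate[2]:
Owner: CN=Engine example.delphix.com CA, C=US
Issuer: CN=Engine example.delphix.com CA, C=US
EOF
)

# With an FQDN argument, check the listing piped on stdin; otherwise check the sample.
if [ -n "${1:-}" ]; then
    check_listing "$(cat)" "$1"
else
    check_listing "$SAMPLE_LISTING" example.delphix.com
fi
```

The stunnel-server alias is deliberately not checked: the procedure above generates it but does not sign it, and it is not one of the two aliases selected at upload time.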
Windows version
Generate a new Delphix CA Certificate.
$ENV:PASSWORD_ENV='changeit'
.\keytool -genkeypair -noprompt -alias delphixca -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext bc=ca:true -ext ku=kCS,cRLS -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -startdate -10000M -dname 'CN=Engine <domain> CA, C=US' -keypass:env PASSWORD_ENV -keystore keystore
Generate the HTTPS/TLS certificate
.\keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keypass:env PASSWORD_ENV -keystore keystore
Generate the DSP certificate
.\keytool -genkeypair -alias dsp -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keypass:env PASSWORD_ENV -keystore keystore
Sign the HTTPS/TLS certificate
.\keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -storetype pkcs12 -keypass:env PASSWORD_ENV -storepass:env PASSWORD_ENV -keystore keystore -file tomcat.csr
.\keytool -gencert -alias delphixca -ext 'san=dns:<domain>' -validity 397 -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -startdate -10080M -infile tomcat.csr -outfile tomcat.p12
.\keytool -importcert -alias tomcat -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -file tomcat.p12
Sign the DSP Certificate
.\keytool -certreq -alias dsp -keyalg RSA -sigalg SHA256withRSA -storetype pkcs12 -keypass:env PASSWORD_ENV -storepass:env PASSWORD_ENV -keystore keystore -file dsp.csr
.\keytool -gencert -alias delphixca -ext 'san=dns:<domain>' -validity 397 -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -startdate -10080M -infile dsp.csr -outfile dsp.p12
.\keytool -importcert -alias dsp -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -file dsp.p12
At this point, the certificates can be installed by following the Customer Provided Key Pair method described in the User provided key pair configuration page.
The same KeyStore generated will be uploaded twice, once using alias 'dsp' and once using alias 'tomcat', to replace DSP and HTTPS certificates, respectively.
If the upload fails with Failed to read file with error "Invalid KeyStore format", ensure the Upload certificate from a PKCS#12 KeyStore radio button is selected.
Windows keytool distinctions
Given the Delphix Connector installation directory C:\Program Files\Delphix\DelphixConnector, the keytool.exe executable can be found at C:\Program Files\Delphix\DelphixConnector\jre\bin\keytool.exe.
PowerShell set environment variable with:
$ENV:PASSWORD_ENV='changeit'
The Linux commands above assume keytool is on the PATH or in the current directory. On Windows, run .\keytool.exe from the jre\bin directory named above, or give its full path.