Replacing self-signed certificates on the Delphix connector
The Delphix Connector relies on a Java Keystore containing a self-signed X.509 certificate to establish SSL connections. If this certificate does not conform to the customer's business standards, the customer can run a PowerShell script (ReplaceConnectorKeystore.ps1) to replace the self-signed certificate with one signed by a Certificate Authority of their choice (e.g. Verisign).
This script should only be used to replace the self-signed certificate in the Delphix Connector's Java Keystore with a signed certificate. Upon execution, the script will do the following:
Validate that a PrivateKeyEntry exists within the input keystore
Stop the DelphixConnector service
Rename the existing DelphixConnector keystore
Import the new keystore
Start the DelphixConnector service
Prerequisites:
The Delphix Connector is installed
The DelphixConnector.jks file exists at <Drive>:\<path to DelphixConnector>\connector\DelphixConnector.jks
The DelphixConnector.properties file exists at <Drive>:\<path to DelphixConnector>\connector\DelphixConnector.properties and has not been tampered with (STOREPASS, KEYPASS, UUID are present)
The Java Keytool utility exists at <Drive>:\<path to DelphixConnector>\jre\bin\keytool.exe
The script, ReplaceConnectorKeystore.ps1, exists at <Drive>:\<path to DelphixConnector>\connector\ReplaceConnectorKeystore.ps1
User inputs:
A JKS/PKCS#12 formatted keystore containing a PrivateKeyEntry with a signed certificate
The alias of the PrivateKeyEntry in the new keystore
The password for the new JKS/PKCS#12 keystore
The password for the private key in the new JKS/PKCS#12 keystore
Running the script:
Open up a PowerShell console, and do the following:
Navigate to where ReplaceConnectorKeystore.ps1 lives
Run .\ReplaceConnectorKeystore.ps1
Enter the full path to the new JKS/PKCS#12 keystore
Enter the alias of the PrivateKeyEntry in the input keystore
Enter the password for the input keystore
Enter the password for the private key in the input keystore
How to check if your Java keystore contains a PrivateKeyEntry:
PS C:\Program Files\Delphix\DelphixConnector\jre\bin> .\keytool.exe -list -keystore ..\..\connector\DelphixConnector.jks -storepass <STOREPASS from DelphixConnector.properties file>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
delphixconnector-4ef488a8-85df-4418-b56d-1e61b25c0aa2, Jul 28, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 67:79:DA:E2:64:7A:74:42:62:CA:13:66:29:16:81:0A:B9:7E:4A:60
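The same check can be scripted against the keystore you intend to import, so that a wrong alias or a certificate-only entry is caught before the service is stopped. The PowerShell below is an added example, not part of ReplaceConnectorKeystore.ps1; the function names and the sample output (including the rootca entry) are constructed for illustration, and it assumes the keytool -list output format shown above.

```powershell
# Added example; not part of ReplaceConnectorKeystore.ps1.
# Parses `keytool -list` output, one line per entry: "<alias>, <date>, <entry type>,"
function Get-KeystoreEntry {
    param([string[]]$KeytoolOutput)
    # The date itself contains a comma, so anchor on the alias and the entry type.
    $pattern = '^(?<alias>[^,]+), .+, (?<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$'
    foreach ($line in $KeytoolOutput) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Alias = $Matches['alias']; Type = $Matches['type'] }
        }
    }
}

# Returns $true only if the alias exists and is a PrivateKeyEntry.
function Test-PrivateKeyEntry {
    param([string[]]$KeytoolOutput, [string]$Alias)
    $entry = Get-KeystoreEntry -KeytoolOutput $KeytoolOutput |
        Where-Object { $_.Alias -eq $Alias }   # -eq compares case-insensitively
    if (-not $entry) {
        Write-Warning "Alias '$Alias' was not found in the keystore."
        return $false
    }
    if ($entry.Type -ne 'PrivateKeyEntry') {
        Write-Warning "Alias '$Alias' is a $($entry.Type); it carries no private key."
        return $false
    }
    return $true
}

# Constructed sample output (aliases and fingerprints are placeholders).
$sample = @(
    'Keystore type: JKS'
    'Keystore provider: SUN'
    ''
    'Your keystore contains 2 entries'
    ''
    'leaf, Jul 28, 2017, PrivateKeyEntry,'
    'Certificate fingerprint (SHA1): <constructed placeholder>'
    'rootca, Jul 28, 2017, trustedCertEntry,'
    'Certificate fingerprint (SHA1): <constructed placeholder>'
)
Test-PrivateKeyEntry -KeytoolOutput $sample -Alias 'leaf'     # key pair present
Test-PrivateKeyEntry -KeytoolOutput $sample -Alias 'rootca'   # certificate only
Test-PrivateKeyEntry -KeytoolOutput $sample -Alias 'missing'  # no such alias

# Against a real keystore (path and password are placeholders):
# $out = & .\keytool.exe -list -keystore '<path to new keystore>' -storepass '<password>'
# Test-PrivateKeyEntry -KeytoolOutput $out -Alias 'leaf'
```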
Example of a successful keystore replacement:
PS C:\Users\dtully\Documents> .\ReplaceConnectorKeyStore.ps1
Enter the full path to a JKS/PKCS#12 keystore: C:\Program Files\Delphix\DelphixConnector\jre\bin\test.jks
Enter alias: leaf
Enter keystore password: ********
Enter private key password: ********
Verifying that a PrivateKeyEntry exists in C:\Program Files\Delphix\DelphixConnector\jre\bin\test.jks
Stopping the Delphix Connector service
Renaming C:\Program Files\Delphix\DelphixConnector\connector\DelphixConnector.jks to C:\Program Files\Delphix\DelphixConnector\connector\DelphixConnector.jks.old
Importing the keystore into DelphixConnector.jks
[Storing C:\Program Files\Delphix\DelphixConnector\connector\DelphixConnector.jks]
Starting the Delphix Connector service