End-to-End SSL Configuration between Oracle GoldenGate Veridata Server and Client

January 7, 2026

In real production environments, when using the Web UI, it is highly recommended to configure SSL between server and client. We have installed the GoldenGate Veridata server and an agent, and in this blog we will go through how to enable end-to-end SSL configuration.

The prerequisite is that the JDK version on both client and server is 17. When starting the agent using agent properties with the SSL-enabled parameter, you will face the error below.

[oracle@ggate2 deployment]$ ./agent.sh start agent.properties
[oracle@ggate2 deployment]$

[2026-01-07T11:06:49.757+03:00] [veridata] [NOTIFICATION] [OGGV-60150] [oracle.veridata.agent] [tid: 1] [ecid: 0000PiNVcIxAHR^pxSg8yW1dNXGP000001,0] Configuring logging.
[2026-01-07T11:06:49.799+03:00] [veridata] [NOTIFICATION] [OGGV-60151] [oracle.veridata.agent] [tid: 1] [ecid: 0000PiNVcIxAHR^pxSg8yW1dNXGP000001,0] Config file for logger is /u01/ggma23/deployment/config/odl.xml
[2026-01-07T11:06:50.474+03:00] [veridata] [INCIDENT_ERROR] [] [oracle.veridata.agent] [tid: 1] [ecid: 0000PiNVcIxAHR^pxSg8yW1dNXGP000001,0] Exception stack trace[[
java.io.FileNotFoundException: ./config/certs/vdtAgentKeystore.p12 (No such file or directory)
        at java.base/java.io.FileInputStream.open0(Native Method)
        at java.base/java.io.FileInputStream.open(FileInputStream.java:216)
        at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
        at java.base/java.io.FileInputStream.<init>(FileInputStream.java:111)
        at com.goldengate.veridata.ipc.IPCSocketBuilderNextGen.buildSSLContext(IPCSocketBuilderNextGen.java:125)
        at com.goldengate.veridata.ipc.IPCSocketBuilderNextGen.buildIPCSocketNextGen(IPCSocketBuilderNextGen.java:63)
        at com.goldengate.veridata.ipc.IPCSocketBuilderNextGen.<init>(IPCSocketBuilderNextGen.java:53)
        at com.goldengate.veridata.agent.VeridataAgentNextGen.main(VeridataAgentNextGen.java:510)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at com.goldengate.veridata.agent.BootstrapNextGen.boot(BootstrapNextGen.java:215)
        at com.goldengate.veridata.agent.BootstrapNextGen.main(BootstrapNextGen.java:88)
 
]]

When starting, the agent expects the keystore to be available, but it does not exist and is not configured yet. Now we will configure end-to-end SSL between server and client.

Generating Agent Keystore and Certificate

[oracle@ggate2 certs]$ /u01/ggma23/veridata_agent/jdk/bin/keytool -genkeypair -keyalg RSA -keystore vdtAgentKeystore.p12 -storepass oggadmin123
What is your first and last name?
  [Unknown]:  CKPT
What is the name of your organizational unit?
  [Unknown]:  oracle-ckpt.com
What is the name of your organization?
  [Unknown]:  oracle-ckpt
What is the name of your City or Locality?
  [Unknown]:  Riyadh
What is the name of your State or Province?
  [Unknown]:  Riyadh
What is the two-letter country code for this unit?
  [Unknown]:  SA
Is CN=CKPT, OU=oracle-ckpt.com, O=oracle-ckpt, L=Riyadh, ST=Riyadh, C=SA correct?
  [no]:  yes
[oracle@ggate2 certs]$ ls -ltr
total 12
-rw-r-----. 1 oracle oinstall 890 Jan  6 18:01 serverTrust.jks
-rw-r-----. 1 oracle oinstall 2177 Jan  6 18:01 serverIdentity.jks
-rw-r--r--. 1 oracle oinstall 2742 Jan  7 11:13 vdtAgentKeystore.p12
[oracle@ggate2 certs]$

Now that the agent keystore has been generated, we will export its certificate using the command below.

[oracle@ggate2 certs]$ /u01/ggma23/veridata_agent/jdk/bin/keytool -exportcert -keystore vdtAgentKeystore.p12 -storepass oggadmin123 -file vdtagent.crt
Certificate stored in file <vdtagent.crt>
[oracle@ggate2 certs]$

Generating Server keystore and certificate

[oracle@ggate2 config]$ /u01/ggma23/veridata/jdk/bin/keytool -genkeypair -keyalg RSA -keystore vdtServerKeystore.p12 -storepass oggadmin123
What is your first and last name?
  [Unknown]:  CKPT
What is the name of your organizational unit?
  [Unknown]:  oracle-ckpt.com
What is the name of your organization?
  [Unknown]:  oracle-ckpt
What is the name of your City or Locality?
  [Unknown]:  Riyadh
What is the name of your State or Province?
  [Unknown]:  Riyadh
What is the two-letter country code for this unit?
  [Unknown]:  SA
Is CN=CKPT, OU=oracle-ckpt.com, O=oracle-ckpt, L=Riyadh, ST=Riyadh, C=SA correct?
  [no]:  yes
[oracle@ggate2 config]$ ls
application.yaml         cwallet.sso      jps-config-jse.xml  logging-schema-migration.xml  oggvdt_cainput.properties  self_signed_ssl_config.properties  vdtServerKeystore.p12  veridata
configure_server_ssl.sh  cwallet.sso.lck  logging.properties  MsgBundle.properties          repo_schema_sql            sign-jwk.json                      vdtWebKeystore.p12     verify-jwk.json
[oracle@ggate2 config]$ ls -ltr vdtServerKeystore.p12
-rw-r--r--. 1 oracle oinstall 2742 Jan  7 11:19 vdtServerKeystore.p12
[oracle@ggate2 config]$

Now the server keystore is ready, and its certificate can be exported.

[oracle@ggate2 config]$ /u01/ggma23/veridata/jdk/bin/keytool -exportcert -keystore vdtServerKeystore.p12 -storepass oggadmin123 -file vdtServer.crt
Certificate stored in file <vdtServer.crt>
[oracle@ggate2 config]$ ls -ltr vdtServer.crt
-rw-r--r--. 1 oracle oinstall 897 Jan  7 11:21 vdtServer.crt
[oracle@ggate2 config]$

Importing Agent certificate to Server Truststore

[oracle@ggate2 certs]$ scp vdtagent.crt ggate2.oracle-ckpt.com:/u01/ggma23/veridata/config/
Unauthorized use of this system is prohibited
Password:
vdtagent.crt 100% 897 1.0MB/s 00:00
[oracle@ggate2 certs]$
[oracle@ggate2 config]$ /u01/ggma23/veridata/jdk/bin/keytool -importcert -file vdtagent.crt -alias vdtagent.crt.target -keystore vdtServerTruststore.p12 -storepass oggadmin123
Owner: CN=CKPT, OU=oracle-ckpt.com, O=oracle-ckpt, L=Riyadh, ST=Riyadh, C=SA
Issuer: CN=CKPT, OU=oracle-ckpt.com, O=oracle-ckpt, L=Riyadh, ST=Riyadh, C=SA
Serial number: 19d3af98
Valid from: Wed Jan 07 11:13:45 AST 2026 until: Tue Apr 07 11:13:45 AST 2026
Certificate fingerprints:
         SHA1: F1:63:58:71:87:43:CC:ED:E3:34:99:C2:AB:22:09:33:ED:EC:D6:DE
         SHA256: 2F:24:B3:59:C1:F3:42:E4:80:61:54:D1:F2:D1:B3:D9:3A:3E:11:03:95:DC:6B:0C:70:2A:73:BF:04:69:29:F1
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4B 0E 5E FE 4A 0F 71 6A CD F5 A1 57 23 EA F0 BF
0010: D5 F1 1F E3
]
]
Trust this certificate? [no]:  yes
Certificate was added to keystore
[oracle@ggate2 config]$

Saving Server keystore/truststore into Server wallet

[oracle@ggate2 config]$ export JAVA_HOME=/usr
[oracle@ggate2 config]$ export PATH=$JAVA_HOME/bin:$PATH
[oracle@ggate2 config]$ which java
/usr/bin/java
[oracle@ggate2 config]$ ./configure_server_ssl.sh
Jan 07, 2026 11:29:58 AM oracle.security.jps.internal.config.xml.XmlConfigurationFactory validateFileLocation
INFO: JPS Config: /u01/ggma23/veridata/config/jps-config-jse.xml
Jan 07, 2026 11:29:59 AM oracle.security.jps.JpsStartup startWithRetry
INFO: Jps initializing.
Jan 07, 2026 11:29:59 AM oracle.security.jps.JpsStartup startWithRetry
INFO: Jps started.
OGGV-80056: Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
OGGV-80057: Veridata Server SSL Configuration Utility
OGGV-80058: Notes:
OGGV-80059: This utility allows Veridata to access keystore and truststore. When entering the passwords below, unlock password should match the one used in keytool -storepass option.
[OGGV-80060: Enter Server Keystore unlock password:]
[OGGV-80062: Enter Server Truststore unlock password:]
OGGV-80063: SSL Configuration of Veridata Server is successful.
[oracle@ggate2 config]$

Importing server certificate to Agent Truststore

[oracle@ggate2 config]$ ls -ltr vdtServer*
-rw-r--r--. 1 oracle oinstall 2742 Jan  7 11:19 vdtServerKeystore.p12
-rw-r--r--. 1 oracle oinstall  897 Jan  7 11:21 vdtServer.crt
-rw-r--r--. 1 oracle oinstall 1302 Jan  7 11:27 vdtServerTruststore.p12
[oracle@ggate2 config]$ scp vdtServer.crt ggate2:/u01/ggma23/deployment/config/certs/
Unauthorized use of this system is prohibited
Password:
vdtServer.crt 100% 897 575.3KB/s 00:00
[oracle@ggate2 config]$
Importing the server certificate into the agent truststore:
[oracle@ggate2 certs]$ pwd
/u01/ggma23/deployment/config/certs
[oracle@ggate2 certs]$ ls -ltr
total 20
-rw-r-----. 1 oracle oinstall  890 Jan  6 18:01 serverTrust.jks
-rw-r-----. 1 oracle oinstall 2177 Jan  6 18:01 serverIdentity.jks
-rw-r--r--. 1 oracle oinstall 2742 Jan  7 11:13 vdtAgentKeystore.p12
-rw-r--r--. 1 oracle oinstall  897 Jan  7 11:15 vdtagent.crt
-rw-r-----. 1 oracle oinstall  897 Jan  7 11:32 vdtServer.crt
[oracle@ggate2 certs]$ /u01/ggma23/veridata_agent/jdk/bin/keytool -importcert -file vdtServer.crt -alias vdtServer.crt.hub -keystore vdtAgentTruststore.p12 -storepass oggadmin123
Owner: CN=CKPT, OU=oracle-ckpt.com, O=oracle-ckpt, L=Riyadh, ST=Riyadh, C=SA
Issuer: CN=CKPT, OU=oracle-ckpt.com, O=oracle-ckpt, L=Riyadh, ST=Riyadh, C=SA
Serial number: 1f858bc4
Valid from: Wed Jan 07 11:19:32 AST 2026 until: Tue Apr 07 11:19:32 AST 2026
Certificate fingerprints:
         SHA1: 61:AC:9F:43:34:5D:7F:33:07:45:3D:9D:82:7A:72:A8:5C:12:45:54
         SHA256: 25:8A:A2:49:75:BA:D4:C5:DC:89:9A:55:86:7C:67:6C:00:78:3D:58:2C:28:2A:3C:E9:44:18:3C:EE:20:37:47
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 67 DD 5B 2F 1B F4 0D C7 0B 30 1C 2E 6A EB 58 B4
0010: E4 AA D3 76
]
]
Trust this certificate? [no]:  yes
Certificate was added to keystore
[oracle@ggate2 certs]$

Saving agent keystore/truststore password to agent wallet

[oracle@ggate2 deployment]$ ls -ltr
total 32
-rw-r-----. 1 oracle oinstall   76 Jan  6 18:01 VAOH.sh
-rw-r-----. 1 oracle oinstall  172 Jan  6 18:01 ReadMe.txt
-rwxr-----. 1 oracle oinstall  304 Jan  6 18:01 agent.sh
-rwxr-----. 1 oracle oinstall  261 Jan  6 18:01 configure_agent_ssl.sh
-rw-r-----. 1 oracle oinstall 4794 Jan  6 18:01 agent.properties.sample
-rw-r-----. 1 oracle oinstall 4853 Jan  7 11:01 agent.properties
drwxr-x---. 3 oracle oinstall  104 Jan  7 11:02 config
drwxr-----. 2 oracle oinstall   57 Jan  7 11:07 logs
[oracle@ggate2 deployment]$ ./configure_agent_ssl.sh agent.properties
OGGV-80028: Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
OGGV-80029: Veridata Agent SSL Configuration Utility
OGGV-80030: Notes:
OGGV-80032: This utility allows Veridata to access keystore and truststore. When entering the passwords below, unlock password should match the one used in keytool -storepass option.
[OGGV-80022: Enter Agent Keystore unlock password:]
[OGGV-80024: Enter Agent Truststore unlock password:]
OGGV-80037: SSL Configuration of Veridata Agent is successful.
[oracle@ggate2 deployment]$

Start the agent with properties file

[oracle@ggate2 deployment]$ ./agent.sh start agent.properties
[oracle@ggate2 deployment]$
[oracle@ggate2 deployment]$ ps -ef | grep agent | grep veridata
oracle   2722241       1  6 11:39 pts/2    00:00:04 /usr/bin/java -Djava.util.logging.config.class=oracle.core.ojdl.logging.LoggingConfiguration -Doracle.core.ojdl.logging.config.file=/u01/ggma23/deployment/config/odl.xml -Dhome=/u01/ggma23/veridata_agent/agent -DagentHome=/u01/ggma23/deployment -XX:+UseParallelGC -Xmx1024M -Xms1024M -Dagent-manifest.jar=/u01/ggma23/veridata_agent/agent/agent-manifest.jar -jar /u01/ggma23/veridata_agent/agent/JavaAgent.jar agent.properties
[oracle@ggate2 deployment]$

With this, we have generated a key pair on the server and on the client, exported each side's certificate, and then enabled trust between server and client by importing each certificate into the other side's truststore.

Now access the Veridata server Web UI and configure the connection with the preferred SSL settings. The test was successful: the server was able to complete the handshake and reach the client.
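
Checks worth running on the output of the steps above, as an added example that is not part of the original post: compare the SHA256 fingerprint shown at the "Trust this certificate?" prompt with the one printed from the source keystore, read the expiry date, and flag keystore files that other local users can read. The function names are hypothetical, and the SOURCE_OUT and OTHER_OUT samples are constructed; the other sample lines are copied from the transcripts above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.

# SHA256 fingerprint from `keytool -printcert` / `keytool -list -v` output on stdin.
sha256_fp() { awk '$1 == "SHA256:" { print toupper($2); exit }'; }

# True only if both keytool outputs carry the same, non-empty SHA256 fingerprint.
same_cert() {
  a=$(printf '%s\n' "$1" | sha256_fp)
  b=$(printf '%s\n' "$2" | sha256_fp)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Expiry date from keytool's "Valid from: ... until: ..." line on stdin.
valid_until() { sed -n 's/^Valid from: .* until: //p' | head -n 1; }

# From `ls -l` output on stdin, list keystore files that "others" can access.
loose_keystores() {
  awk '$NF ~ /\.(p12|jks)$/ && substr($1, 8, 3) != "---" { print $NF }'
}

# Shown at import time on the server (lines copied from the transcript above).
IMPORT_OUT='Valid from: Wed Jan 07 11:13:45 AST 2026 until: Tue Apr 07 11:13:45 AST 2026
Certificate fingerprints:
         SHA256: 2F:24:B3:59:C1:F3:42:E4:80:61:54:D1:F2:D1:B3:D9:3A:3E:11:03:95:DC:6B:0C:70:2A:73:BF:04:69:29:F1'

# Constructed: what `keytool -list -v -keystore vdtAgentKeystore.p12` on the
# agent host would print for the same key pair.
SOURCE_OUT='Certificate fingerprints:
         SHA256: 2F:24:B3:59:C1:F3:42:E4:80:61:54:D1:F2:D1:B3:D9:3A:3E:11:03:95:DC:6B:0C:70:2A:73:BF:04:69:29:F1'

# Constructed: a different certificate substituted for the real one in transit.
OTHER_OUT='Certificate fingerprints:
         SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# certs/ listing copied from the transcript above.
LS_OUT='-rw-r-----. 1 oracle oinstall  890 Jan  6 18:01 serverTrust.jks
-rw-r-----. 1 oracle oinstall 2177 Jan  6 18:01 serverIdentity.jks
-rw-r--r--. 1 oracle oinstall 2742 Jan  7 11:13 vdtAgentKeystore.p12
-rw-r--r--. 1 oracle oinstall  897 Jan  7 11:15 vdtagent.crt'

if same_cert "$IMPORT_OUT" "$SOURCE_OUT"; then echo "fingerprint matches: answer yes"; fi
if ! same_cert "$IMPORT_OUT" "$OTHER_OUT"; then echo "fingerprint differs: do not trust"; fi
echo "expires: $(printf '%s\n' "$IMPORT_OUT" | valid_until)"
echo "world-readable keystores: $(printf '%s\n' "$LS_OUT" | loose_keystores)"
```

The expiry is 90 days after generation because -genkeypair was run without -validity, so both certificates need renewing and re-importing before that date. The listing also shows vdtAgentKeystore.p12, which holds the agent's private key, readable by all local users, unlike the rw-r----- files beside it.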
