When you deploy the OGG Hub, you can secure the Hub Web UI by configuring SSL/TLS on both the client and the server side. Enabling the SSL/TLS option alone is not sufficient: before the deployment we have to create the keys for the client and the server, and this blog post walks through those steps.
Export the environment variables. We use the orapki utility to create the keys; the binary from either ORACLE_HOME or OGG_HOME can be used.
[oracle@gghub bin]$ export ORACLE_HOME=/u01/app/oracle/product/db
[oracle@gghub bin]$ export PATH=$ORACLE_HOME/bin:$PATH
[oracle@gghub bin]$ cd /u01/app/oracle/product/db/bin
Create the directories for the wallets
[oracle@gghub bin]$ mkdir -p /u01/ggma21/wallets
[oracle@gghub bin]$
Create the Server Wallet
[oracle@gghub bin]$ ./orapki wallet create -wallet /u01/ggma21/wallets/sm_wallet -auto_login -pwd Welcome#123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@gghub bin]$
Add a self-signed certificate to the server wallet
[oracle@gghub bin]$ ./orapki wallet add -wallet /u01/ggma21/wallets/sm_wallet -dn "CN=gghub, O=Neoleap, C=SA" -keysize 2048 -self_signed -validity 3650 -pwd Welcome#123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@gghub bin]$
Create the Client Wallet
[oracle@gghub bin]$ ./orapki wallet create -wallet /u01/ggma21/wallets/client_wallet -auto_login -pwd Welcome#123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@gghub bin]$
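Add the server certificate to the client wallet as a trusted certificate. At this point the command fails, because the certificate has not yet been exported from the server wallet to cert.pem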
[oracle@gghub bin]$ ./orapki wallet add -wallet /u01/ggma21/wallets/client_wallet -trusted_cert -cert /u01/ggma21/wallets/sm_wallet/cert.pem -pwd Welcome#123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Unable to read certificate at /u01/ggma21/wallets/sm_wallet/cert.pem
[oracle@gghub bin]$
Let’s list the wallet files we created with the above steps
[oracle@gghub bin]$ cd /u01/ggma21/wallets
[oracle@gghub wallets]$ ls -l
total 0
drwx------. 2 oracle oinstall 90 Nov 12 20:56 client_wallet
drwx------. 2 oracle oinstall 90 Nov 12 20:54 sm_wallet
[oracle@gghub wallets]$
[oracle@gghub wallets]$ cd sm_wallet
[oracle@gghub sm_wallet]$
[oracle@gghub sm_wallet]$
[oracle@gghub sm_wallet]$ ls -l
total 12
-rw-------. 1 oracle oinstall 4123 Nov 12 20:54 cwallet.sso
-rw-------. 1 oracle oinstall 0 Nov 12 20:54 cwallet.sso.lck
-rw-------. 1 oracle oinstall 4078 Nov 12 20:54 ewallet.p12
-rw-------. 1 oracle oinstall 0 Nov 12 20:54 ewallet.p12.lck
[oracle@gghub sm_wallet]$ cd ../client_wallet/
[oracle@gghub client_wallet]$ ls -l
total 8
-rw-------. 1 oracle oinstall 270 Nov 12 20:56 cwallet.sso
-rw-------. 1 oracle oinstall 0 Nov 12 20:56 cwallet.sso.lck
-rw-------. 1 oracle oinstall 225 Nov 12 20:56 ewallet.p12
-rw-------. 1 oracle oinstall 0 Nov 12 20:56 ewallet.p12.lck
[oracle@gghub client_wallet]$
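The listing above shows the wallets as mode 700 directories holding mode 600 files; because cwallet.sso (created by -auto_login) opens without a password, those permissions are what protects the private key. The following check is an added example, not part of the original post: audit_wallet is a hypothetical helper name, and it assumes GNU or BusyBox find (for -perm /077).

```shell
#!/bin/sh
# Added example (not from the original post): audit an Oracle wallet directory.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if missing.
audit_wallet() {
    aw_dir=$1
    aw_rc=0
    if [ ! -d "$aw_dir" ]; then
        echo "MISSING $aw_dir"
        return 2
    fi
    # Any group/other permission bit on the directory or its files exposes
    # the PKCS#12 store or the password-less auto-login copy.
    aw_loose=$(find "$aw_dir" ! -type l -perm /077)
    if [ -n "$aw_loose" ]; then
        echo "$aw_loose" | sed 's/^/LOOSE_PERMS /'
        aw_rc=1
    fi
    # Files owned by another account can be swapped behind the service's back.
    aw_foreign=$(find "$aw_dir" ! -user "$(id -u)")
    if [ -n "$aw_foreign" ]; then
        echo "$aw_foreign" | sed 's/^/FOREIGN_OWNER /'
        aw_rc=1
    fi
    # A directory without ewallet.p12 is not a wallet that orapki created.
    if [ ! -f "$aw_dir/ewallet.p12" ]; then
        echo "NO_WALLET $aw_dir/ewallet.p12"
        aw_rc=1
    fi
    # Informational only: cwallet.sso means the wallet opens without -pwd.
    if [ -f "$aw_dir/cwallet.sso" ]; then
        echo "AUTO_LOGIN $aw_dir/cwallet.sso"
    fi
    return $aw_rc
}

# Usage, run as the wallet owner, with the paths used in this post:
#   audit_wallet /u01/ggma21/wallets/sm_wallet
#   audit_wallet /u01/ggma21/wallets/client_wallet
```

Run it before pointing the deployment at the wallets and again after any copy or restore, since those are the moments permissions tend to loosen.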
We can also view the created wallets using orapki
[oracle@gghub bin]$ orapki wallet display -wallet /u01/ggma21/wallets/sm_wallet
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=gghub,O=localhost,C=SA
Trusted Certificates:
Subject: CN=gghub,O=localhost,C=SA
[oracle@gghub bin]$
Let’s also export the server certificate from the wallet
[oracle@gghub bin]$ ./orapki wallet export -wallet /u01/ggma21/wallets/sm_wallet \
> -dn "CN=gghub,O=localhost,C=SA" \
> -cert /u01/ggma21/wallets/sm_wallet/cert.pem \
> -pwd Welcome#123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@gghub bin]$
[oracle@gghub bin]$
[oracle@gghub bin]$ ls -l /u01/ggma21/wallets/sm_wallet/cert.pem
-rw-------. 1 oracle oinstall 1110 Nov 12 21:03 /u01/ggma21/wallets/sm_wallet/cert.pem
[oracle@gghub bin]$
Let’s add the exported certificate to the client wallet
[oracle@gghub bin]$ ./orapki wallet add -wallet /u01/ggma21/wallets/client_wallet \
> -trusted_cert -cert /u01/ggma21/wallets/sm_wallet/cert.pem \
> -pwd Welcome#123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[oracle@gghub bin]$
With the server certificate trusted by the client wallet, the handshake between the client and server wallets can be established.
After all the above steps, we can proceed with the deployment. In the Web UI, after checking SSL/TLS, we need to provide the server and client wallet locations so that OGG can link with them.
After the deployment, the OracleGoldenGate.Service will be created with a symbolic link. After that, we should be able to see all the services running, as below.
[oracle@gghub bin]$ netstat -tulnp | egrep '9000|9001|9002|9003|9004|9005'
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN 4628/ServiceManager
tcp 0 0 0.0.0.0:9001 0.0.0.0:* LISTEN 3650/adminsrvr
tcp 0 0 0.0.0.0:9002 0.0.0.0:* LISTEN 3653/distsrvr
tcp 0 0 0.0.0.0:9003 0.0.0.0:* LISTEN 3658/recvsrvr
tcp 0 0 0.0.0.0:9004 0.0.0.0:* LISTEN 3663/pmsrvr
tcp6 0 0 :::9000 :::* LISTEN 4628/ServiceManager
tcp6 0 0 :::9001 :::* LISTEN 3650/adminsrvr
tcp6 0 0 :::9002 :::* LISTEN 3653/distsrvr
tcp6 0 0 :::9003 :::* LISTEN 3658/recvsrvr
tcp6 0 0 :::9004 :::* LISTEN 3663/pmsrvr
udp 0 0 0.0.0.0:9003 0.0.0.0:* 3658/recvsrvr
[oracle@gghub bin]$