Dbvisit Standby Multiplatform (v11) uses two types of certificates which ensure that communication is secured:
Controlcenter Webserver Certificate (this is a certificate which is provided to your browser whenever you login and work with controlcenter)
Dbvagentmanager Certificates (these are internal certificates used for internal Dbvisit communication)
Out of the box there is no need for you to modify the certificates in any way, but you can replace both certificates with your own custom certificates if you wish to do so.
To replace any existing Dbvisit certificate with your own, you have to perform these high level steps:
a. Have an existing Certification Authority (CA) for signing certificates. This can be your existing company CA, or any publicly trusted CA. You can even create your own CA.
b. Generate private key for your server
c. Generate a certificate signing request (CSR)
d. Have the certificate signing request signed by an available CA
e. Replace the existing Dbvisit certificate files with your own custom ones
The examples below walk you through the steps on a Linux system. They are a generic example only; the parameters used for certificate generation may need to differ in your environment. If you are not sure about the required certificate strength, consult your security team.
Creating your own CA
For signing any certificate you will need a CA. In this example we will be using our own generated CA, which is very straightforward. You only need a Linux system with the “openssl” binary installed. To create your own CA, you first need to generate a private key:
$ openssl genrsa -out ca_priv.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................................................+++++
...................................................+++++
e is 65537 (0x010001)
$ ls -l ca_priv.key
-rw-------. 1 oracle oinstall 1675 Jan 19 13:24 ca_priv.key
This private key (ca_priv.key) is needed to sign any certificate signing request with your CA and should never be shared with anybody nor copied to other servers.
Then you will need to create the root CA certificate using this private key:
$ openssl req -x509 -new -nodes -key ca_priv.key -days 3650 -out ca_root.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cz
State or Province Name (full name) []:cz
Locality Name (eg, city) [Default City]:Prague
Organization Name (eg, company) [Default Company Ltd]:Dbvisit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
$ ls -l ca_root.crt
-rw-r--r--. 1 oracle oinstall 1224 Jan 19 13:28 ca_root.crt
The CA root certificate (ca_root.crt) needs to be present on every server / machine which uses certificates signed by this CA, so that the custom generated and signed certificates are trusted.
Feel free to fill in or omit the individual properties as you like.
If you intend to use any other existing CA (whether your official company CA or a publicly trusted CA), skip this whole step.
Replacing Controlcenter Webserver Certificate
To replace your Dbvisit Controlcenter webserver certificate you need to perform the high level steps outlined at the beginning of this page.
a. Generate private key for your server
On the dbvcontrol server run (replace string czlin0212 with your server hostname):
$ mkdir ~/cert
$ cd ~/cert
$ openssl genrsa -out czlin0212_priv.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................+++++
..................+++++
e is 65537 (0x010001)
$ ls -l czlin0212_priv.key
-rw-------. 1 oracle oinstall 1675 Jan 19 14:22 czlin0212_priv.key
b. On the dbvcontrol server, generate a certificate signing request
$ openssl req -new -key czlin0212_priv.key -out czlin0212_request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cz
State or Province Name (full name) []:cz
Locality Name (eg, city) [Default City]:Prague
Organization Name (eg, company) [Default Company Ltd]:Dbvisit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:czlin0212
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ ls -l czlin0212_request.csr
-rw-r--r--. 1 oracle oinstall 972 Jan 19 14:25 czlin0212_request.csr
Feel free to fill in or omit the individual properties as you like. The file czlin0212_request.csr will then need to be signed by the CA.
d. Have the certificate signing request signed by an available CA
In this example we will use our own custom CA to sign the request. In other cases you would ask your company CA owner to sign this certificate request, or you would send the request to a publicly trusted CA.
$ openssl x509 -req -in czlin0212_request.csr -CA ca_root.crt -CAkey ca_priv.key -CAcreateserial -out czlin0212_cert.crt -days 3650
Signature ok
subject=C = cz, ST = cz, L = Prague, O = Dbvisit, CN = czlin0212
Getting CA Private Key
$ ls -l czlin0212_cert.crt
-rw-r--r--. 1 oracle oinstall 1180 Jan 19 14:29 czlin0212_cert.crt
You will need the CA root certificate as well as the CA private key to sign the request. If you created the CA on a different server, you need to sign your request (czlin0212_request.csr) on that server: copy czlin0212_request.csr to the CA server and, after signing, copy the resulting czlin0212_cert.crt back to the dbvcontrol host.
Copying the CA root certificate together with the CA private key to the dbvcontrol host is of course possible, but conceptually incorrect from a security point of view.
e. Replace the existing Dbvisit certificate files with your own custom ones
The last step is to replace the existing dbvcontrol certificates with the signed certificate. You will need to copy your CA root certificate ca_root.crt to the dbvcontrol host (not the CA private key!).
First of all, stop dbvcontrol. Then overwrite the existing files (all our custom certificates are in ~/cert):
$ cd /usr/dbvisit/standbymp/certificates
$ cp ~/cert/ca_root.crt www_ca.pem
$ cp ~/cert/czlin0212_cert.crt www_cert.pem
$ cp ~/cert/czlin0212_priv.key www_prikey.pem
Consider backing up the directory /usr/dbvisit/standbymp/certificates before any changes.
Now start dbvcontrol and verify in the browser that the new certificate is used:
Replacing Dbvagentmanager Certificates
Replacing dbvagentmanager certificates is completely independent of the webserver certificate. You need to replace certificates on each specific dbvagentmanager host as well as on the dbvcontrol host; otherwise your dbvagentmanagers would not be able to connect to dbvcontrol correctly. In this example we have the following structure:
server czlin0211 with dbvagentmanager installed, acting as the primary server
server czlin0212 as our standby server, where we installed dbvagentmanager as well as dbvcontrol.
There are three certificates to replace: the primary dbvagentmanager client certificate, the standby dbvagentmanager client certificate and the dbvcontrol dbvagentmanager server certificate.
All three of these certificates must be signed by the same certificate authority (CA)!!!
a. Generate private key for your primary dbvagentmanager server
On the dbvagentmanager primary server run (replace string czlin0211 with your server hostname):
$ mkdir ~/cert
$ cd ~/cert
$ openssl genrsa -out czlin0211_dbva_priv.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................++
..................+++++
e is 65537 (0x010001)
b. On the dbvagentmanager primary server, generate a certificate signing request
$ openssl req -new -key czlin0211_dbva_priv.key -out czlin0211_dbva_request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cz
State or Province Name (full name) []:cz
Locality Name (eg, city) [Default City]:Prague
Organization Name (eg, company) [Default Company Ltd]:Dbvisit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:czlin0211
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ ls -l czlin0211_dbva_request.csr
-rw-r--r--. 1 oracle oinstall 972 Jan 19 14:55 czlin0211_dbva_request.csr
Feel free to fill in or omit the individual properties as you like. The file czlin0211_dbva_request.csr will then need to be signed by the CA.
c. Have the certificate signing request signed by an available CA
We will use our own custom CA to sign the request (see the example at the top of the page on how to create your own CA). Alternatively you would ask your company CA owner to sign this certificate request, or you would send the request to a publicly trusted CA.
$ openssl x509 -req -in czlin0211_dbva_request.csr -CA ca_root.crt -CAkey ca_priv.key -CAcreateserial -out czlin0211_dbva_cert.crt -days 3650
Signature ok
subject=C = cz, ST = cz, L = Prague, O = Dbvisit, CN = czlin0211
Getting CA Private Key
You will need the CA root certificate as well as the CA private key to sign the request. If you created the CA on a different server, you need to sign your request (czlin0211_dbva_request.csr) on that server, so you will need to copy the file czlin0211_dbva_request.csr there and, after signing, copy czlin0211_dbva_cert.crt back to your primary server. Copying the CA root certificate together with the CA private key to the dbvcontrol host is of course possible, but conceptually incorrect from a security point of view.
d. Perform the steps a,b,c on your standby dbvagentmanager server
Do exactly the same steps on the other server; in our case the other server was czlin0212. The commands used were:
$ mkdir ~/cert
$ cd ~/cert
$ openssl genrsa -out czlin0212_dbva_priv.key 2048
$ openssl req -new -key czlin0212_dbva_priv.key -out czlin0212_dbva_request.csr
$ openssl x509 -req -in czlin0212_dbva_request.csr -CA ca_root.crt -CAkey ca_priv.key -CAcreateserial -out czlin0212_dbva_cert.crt -days 3650   # this command should be run on the server where you set up your own CA
Use the same CA to sign czlin0212_dbva_request.csr as you used for signing czlin0211_dbva_request.csr.
e. Generate certificate for dbvcontrol server for dbvagentmanagers
Run exactly the same commands as in the previous step:
$ mkdir ~/cert
$ cd ~/cert
$ openssl genrsa -out czlin0212_dbva_server_priv.key 2048
$ openssl req -new -key czlin0212_dbva_server_priv.key -out czlin0212_dbva_server_request.csr
$ openssl x509 -req -in czlin0212_dbva_server_request.csr -CA ca_root.crt -CAkey ca_priv.key -CAcreateserial -out czlin0212_dbva_server_cert.crt -days 3650   # this command should be run on the server where you set up your own CA
In our example dbvcontrol is on the standby server, so we run these commands on the standby server. If you have dbvcontrol on a separate server from the primary and standby, run the commands there.
f. Replace all certificates on primary and standby servers (and dbvcontrol server if separated from primary and standby)
You need to first stop all dbvagentmanagers and also dbvcontrol. No Dbvisit process should remain running.
Consider backing up the directory /usr/dbvisit/standbymp/certificates before any changes on all servers.
The file ~/cert/ca_root.crt should be copied from your CA server and needs to be identical on both servers.
Copy the certificates into the correct place on the primary:
$ cd /usr/dbvisit/standbymp/certificates
$ cp ~/cert/ca_root.crt client_ca.pem
$ cp ~/cert/czlin0211_dbva_cert.crt client_cert.pem
$ cp ~/cert/czlin0211_dbva_priv.key client_prikey.pem
Copy the certificates into the correct place on the standby:
$ cd /usr/dbvisit/standbymp/certificates
$ cp ~/cert/ca_root.crt client_ca.pem
$ cp ~/cert/czlin0212_dbva_cert.crt client_cert.pem
$ cp ~/cert/czlin0212_dbva_priv.key client_prikey.pem
Copy the dbvcontrol server certificate on the standby (or on the dedicated dbvcontrol host):
$ cd /usr/dbvisit/standbymp/certificates
$ cp ~/cert/ca_root.crt server_ca.pem
$ cp ~/cert/czlin0212_dbva_server_cert.crt server_cert.pem
$ cp ~/cert/czlin0212_dbva_server_priv.key server_prikey.pem
All is done; the last step is to start all Dbvisit processes (dbvagentmanagers and dbvcontrol) on the primary and standby servers.
Verify in controlcenter that both dbvagentmanagers are reachable:
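As an added example, not part of the Dbvisit documentation or product, the following POSIX shell check can be run on each host after the files have been copied and before the processes are started again. It verifies the conditions this page sets out for both the webserver set (www_*.pem) and the dbvagentmanager sets (client_*.pem, server_*.pem): each certificate chains to the CA file installed beside it, each private key belongs to its certificate, and the CA fingerprint is printed so it can be compared between primary, standby and dbvcontrol hosts. It assumes the file names and directory used above and that openssl is on the PATH.

```shell
#!/bin/sh
# Added verification helper; not Dbvisit's own tooling. Assumes the file names
# this page installs under /usr/dbvisit/standbymp/certificates:
# www_{ca,cert,prikey}.pem, client_{ca,cert,prikey}.pem, server_{ca,cert,prikey}.pem
set -u

# check_cert_set <ca.pem> <cert.pem> <prikey.pem>: returns 0 only if the set is consistent.
check_cert_set() {
  ca="$1"; cert="$2"; key="$3"
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "FAIL: missing or unreadable: $f"; return 1; }
  done
  # 1. The certificate must chain to the CA file installed beside it
  #    (the page requires all agentmanager/dbvcontrol certs to share one CA).
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert is not signed by $ca"; return 1; }
  # 2. The private key must belong to the certificate: compare the public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $key does not match $cert"; return 1; }
  # 3. Refuse a certificate that expires within 30 days (2592000 s).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
    || { echo "FAIL: $cert expires within 30 days"; return 1; }
  # 4. Print the CA fingerprint: ca_root.crt must be identical on every host
  #    (primary, standby, dbvcontrol), so compare this value between servers.
  fp=$(openssl x509 -in "$ca" -noout -fingerprint -sha256 2>/dev/null)
  echo "OK: $cert signed by $ca ($fp), key $key matches, valid > 30 days"
  return 0
}

# check_dbvisit_certs [dir]: checks every certificate set present on this host.
check_dbvisit_certs() {
  dir="${1:-/usr/dbvisit/standbymp/certificates}"; rc=0
  for kind in www client server; do
    [ -e "$dir/${kind}_cert.pem" ] || continue   # not every host carries every set
    check_cert_set "$dir/${kind}_ca.pem" "$dir/${kind}_cert.pem" "$dir/${kind}_prikey.pem" || rc=1
  done
  return "$rc"
}
```

Run `check_dbvisit_certs` on the primary (client set), on the standby (client, server and www sets) and on a dedicated dbvcontrol host; a non-zero exit means one of the sets should be regenerated before the Dbvisit processes are started.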