Using Custom Certificates

Dbvisit Standby Multiplatform (v11) uses two types of certificates to secure communication:

  1. Controlcenter Webserver Certificate (the certificate presented to your browser whenever you log in and work with controlcenter)

  2. Dbvagentmanager and Controlcenter communication Certificates (internal certificates used for Dbvisit-to-Dbvisit communication)

Out of the box there is no need for you to modify the certificates in any way, but you can replace both certificates with your own custom certificates if you wish to do so.


To replace any existing Dbvisit certificate with your own, you have to perform these high-level steps:

a. Have an existing Certification Authority (CA) for signing certificates. This can be your existing company CA or any publicly trusted CA. You can even create your own CA.

b. Generate a private key for your server

c. Generate a certificate signing request

d. Have the certificate signing request signed by the available CA

e. Replace the existing Dbvisit certificate files with your own custom ones

In the examples below we will guide you through the steps on a Linux system. The steps below are only a generic example; the parameters used for certificate generation (key length, validity, and so on) may differ in your environment. If you are not sure about the required certificate strength, consult your security team.

Creating your own CA

For signing any certificate you will need a CA. In this example we will be using our own generated CA, which is very straightforward to create. You only need a Linux system with the “openssl” binary installed. To create your own CA, you first need to generate a private key:

$ openssl genrsa -out ca_priv.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................................................+++++
...................................................+++++
e is 65537 (0x010001)
$ ls -l ca_priv.key
-rw-------. 1 oracle oinstall 1675 Jan 19 13:24 ca_priv.key

This private key (ca_priv.key) is needed for signing any certificate signing request with your CA. It must never be shared with anybody nor copied to other servers.

Then you will need to create the root CA certificate using this private key:

$ openssl req -x509 -new -nodes -key ca_priv.key -days 3650 -out ca_root.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cz
State or Province Name (full name) []:cz
Locality Name (eg, city) [Default City]:Prague
Organization Name (eg, company) [Default Company Ltd]:Dbvisit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
$ ls -l ca_root.crt
-rw-r--r--. 1 oracle oinstall 1224 Jan 19 13:28 ca_root.crt

The CA root certificate (ca_root.crt) needs to be present on every server / machine that uses certificates signed by this CA, so that those machines trust the custom generated and signed certificates.

Feel free to fill in or omit the individual properties as you like.

If you intend to use another existing CA (whether your official company CA or a publicly trusted CA), skip this whole step.

Replacing Controlcenter Webserver Certificate

To replace your Dbvisit Controlcenter webserver certificate you need to perform the high-level steps outlined at the beginning of this page.

a. Generate a private key for your server

On the dbvcontrol server run (replace string czlin0212 with your server hostname):

$ mkdir ~/cert
$ cd ~/cert
$ openssl genrsa -out czlin0212_priv.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................+++++
..................+++++
e is 65537 (0x010001)
$ ls -l czlin0212_priv.key
-rw-------. 1 oracle oinstall 1675 Jan 19 14:22 czlin0212_priv.key

b. On the dbvcontrol server, generate a certificate signing request

Feel free to fill in or omit the individual properties as you like. The resulting file czlin0212_request.csr then needs to be signed by the CA.

d. Have the certificate signing request signed by the available CA

In this example we will use our own custom CA to sign the request. In other cases you would ask your company CA owner to sign this certificate request, or you would send the request to a publicly trusted CA.

You will need both the CA root certificate and the CA private key to sign the request. If you created the CA on a different server, you need to sign your request (czlin0212_request.csr) on that server: copy czlin0212_request.csr to the CA server and, after signing, copy the resulting czlin0212_cert.crt back to the dbvcontrol host.

Copying the CA root certificate together with the CA private key to the dbvcontrol host is of course possible, but it is incorrect from a security point of view, because the CA private key should never leave the CA server.

e. Replace the existing Dbvisit certificate files with your own custom ones

The last step is to replace the existing dbvcontrol certificates with the signed certificate. You will need to copy your CA root certificate ca_root.crt to the dbvcontrol host (not the CA private key!).

Consider backing up the directory /usr/dbvisit/standbymp/certificates before making any changes.

First of all, stop dbvcontrol. Then overwrite the existing files (all our custom certificates are in ~/cert):

Now start dbvcontrol and verify in browser the new certificate is correctly used:


Replacing Dbvagentmanager Certificates

Replacing dbvagentmanager certificates is completely independent of the webserver certificate. You need to replace the certificates on each dbvagentmanager host as well as on the dbvcontrol host; otherwise your dbvagentmanagers would not be able to connect to dbvcontrol correctly. In this example, we have the following structure:

  • server czlin0211, our primary server, with dbvagentmanager installed

  • server czlin0212 as our standby server

  • server czlin0192, where we installed dbvcontrol

There are three types of certificates to replace:

  • primary dbvagentmanager client & server certificate

  • standby dbvagentmanager client & server certificate

  • dbvcontrol client & server certificate (these are different from the webserver certificate)

All of these certificates must be signed by the same certificate authority (CA)!

a. Generate a private key for your primary dbvagentmanager server

On the dbvagentmanager primary server run (replace string czlin0211 with your server hostname):

b. On the dbvagentmanager primary server, generate a certificate signing request

Feel free to fill in or omit the individual properties as you like. The resulting file czlin0211_request.csr then needs to be signed by the CA.

c. Have the certificate signing request signed by the available CA

We will use our own custom CA to sign the request (see the example at the top of the page for how to create your own CA). Alternatively you would ask your company CA owner to sign this certificate request, or you would send the request to a publicly trusted CA.

You will need both the CA root certificate and the CA private key to sign the request. If you created the CA on a different server, you need to sign your request (czlin0211_dbva_request.csr) on that server: copy the file czlin0211_dbva_request.csr there and, after signing, copy czlin0211_dbva_cert.crt back to your primary server. Copying the CA root certificate together with the CA private key to the dbvcontrol host is of course possible, but it is incorrect from a security point of view.

d. Perform the steps a,b,c on your standby dbvagentmanager server

Do exactly the same steps on the other server; in our case the other server was czlin0212. The commands used were:

Use the same CA to sign czlin0212_dbva_request.csr as you used for signing czlin0211_dbva_request.csr.

e. Perform the steps a,b,c on your dbvcontrol server

Run exactly the same commands as in the previous step:

Again, use the same CA to sign czlin0192_dbva_request.csr as you used for signing czlin0211_dbva_request.csr and czlin0212_dbva_request.csr.
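The CA creation at the top of the page and steps a to c of both the webserver and the dbvagentmanager sections, worked through end to end as an added example (this is not Dbvisit's own tooling; only the hostnames come from the page). The work directory, subject fields, validity periods, the minimal openssl config and the subjectAltName are assumptions of this example; the final check confirms that every issued certificate chains to the one ca_root.crt, which is what the same-CA requirement above demands.

```shell
#!/bin/sh
# Added example, not Dbvisit's own code: create a throwaway CA, issue one
# certificate per host and verify that all of them chain to the same CA.
# Hostnames are from the page; everything else here is an assumption.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"; cd "$WORKDIR"

# "Creating your own CA": ca_priv.key stays on the CA host, only ca_root.crt
# is distributed. A minimal config makes the CA extension explicit.
make_ca() {
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = CZ
O = Dbvisit
CN = Example internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl genrsa -out ca_priv.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key ca_priv.key -days 3650 \
        -config ca.cnf -out ca_root.crt
}

# Steps a, b, c for one host: private key, CSR, then sign the CSR with the CA.
# ca.cnf is reused only so the CSR does not depend on the system openssl.cnf;
# -subj overrides the [dn] section. The SAN is needed by current browsers.
issue_host_cert() {
    host="$1"
    openssl genrsa -out "${host}_priv.key" 2048 2>/dev/null
    openssl req -new -key "${host}_priv.key" -config ca.cnf \
        -subj "/C=CZ/O=Dbvisit/CN=${host}" -out "${host}_request.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "${host}_ext.cnf"
    openssl x509 -req -in "${host}_request.csr" -CA ca_root.crt -CAkey ca_priv.key \
        -CAcreateserial -days 825 -extfile "${host}_ext.cnf" -out "${host}_cert.crt" 2>/dev/null
}

# Returns 0 only if the host certificate chains to ca_root.crt.
verify_host_cert() {
    openssl verify -CAfile ca_root.crt "${1}_cert.crt" >/dev/null 2>&1
}

make_ca
for h in czlin0211 czlin0212 czlin0192; do
    issue_host_cert "$h"
    verify_host_cert "$h"   # set -e aborts here if a cert is not from this CA
    echo "$h: certificate chains to ca_root.crt"
done
```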

f. Replace all certificates on primary, standby and dbvcontrol servers

You need to first stop all dbvagentmanagers and also dbvcontrol. No Dbvisit process should remain running.

Copy the certificates to the correct location on the primary:

Copy the certificates to the correct location on the standby:

Copy the certificates to the correct location on the dbvcontrol host:

All is done; the last step is to start up all Dbvisit processes (dbvagentmanagers and dbvcontrol) on the primary and standby servers.

Verify that in controlcenter both dbvagentmanagers are reachable: