Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Dbvisit Standby Multiplatform (v11) uses two types of certificates which ensure that communication is secured:

  1. Controlcenter Webserver Certificate (this is a certificate which is provided to your browser whenever you login and work with controlcenter)

  2. Dbvagentmanager Certificates (these are internal certificates used for internal Dbvisit communication)

Out of the box there’s no need for you modify the certificates in any way, but you can replace both certificates with your own custom certificate if you wish to do so.

To replace any Dbvisit existing certificate with our own, you have to perform these high level steps:

a. Have an existing Certification Authority (CA) for signing certificates. This can be your existing company CA, or any publicly trusted CA. You can even create your own CA.

b. Generate private key for your server

c. Generate certificate sign request

d. Sign the certificate sign request by available CA

e. Replace the existing Dbvisit certificate files with your own custom ones

In the examples below we will guide you through the steps on a Linux system. The steps below are just a generic example. There can be different parameters for certificate generation complexity. If not sure about certificate strength, cosult with your security team.

Creating your own CA

For signing any certificate you will need some CA. In this example we will be using our own generated CA which is very straightforward. You only need a Linux system with “openssl” binary installed. To create your own CA, you first need to generate private key:

$ openssl genrsa -out ca_priv.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................................................+++++
...................................................+++++
e is 65537 (0x010001)

$ ls -l ca_priv.key
-rw-------. 1 oracle oinstall 1675 Jan 19 13:24 ca_priv.key

This Private key (ca_priv.key) is needed for signing any certificate sign request with your CA and should never be shared with anybody nor copied to different servers.

Then you will need to create root CA certificate using this private key:

$ openssl req -x509 -new -nodes -key ca_priv.key -days 3650 -out ca_root.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cz
State or Province Name (full name) []:cz
Locality Name (eg, city) [Default City]:Prague
Organization Name (eg, company) [Default Company Ltd]:Dbvisit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

$ ls -l ca_root.crt
-rw-r--r--. 1 oracle oinstall 1224 Jan 19 13:28 ca_root.crt

The CA root certificate (ca_root.crt) needs to be located on every server / machine which use certificates signed by this CA in order to trust custom generated and signed certificates.

Fell free to fill in / omit the inidividual properties as you like.

In case you intend to use any other existing CA (whether your official company CA or publicly trusted CA) of course skip this whole step

Replacing Controlcenter Webserver Certificate

To replace your Dbvisit Controlcenter webserver certificate you need to perform the high level steps outlined in the beggining of this page.

a. Generate private key for your server

On the dbvcontrol server run (replace string czlin0212 with your server hostname):

mkdir ~/cert
cd ~/cert

$ openssl genrsa -out czlin0212_priv.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................+++++
..................+++++
e is 65537 (0x010001)

$ ls -l czlin0212_priv.key
-rw-------. 1 oracle oinstall 1675 Jan 19 14:22 czlin0212_priv.key

b. On the dbvcontrol server Generate certificate sign request

$ openssl req -new -key czlin0212_priv.key -out czlin0212_request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cz
State or Province Name (full name) []:cz
Locality Name (eg, city) [Default City]:Prague
Organization Name (eg, company) [Default Company Ltd]:Dbvisit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:czlin0212
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ ls -l czlin0212_request.csr
-rw-r--r--. 1 oracle oinstall 972 Jan 19 14:25 czlin0212_request.csr

Fell free to fill in / omit the inidividual properties as you like. File czlin0212_request.csr will be then needed to be signed by the CA

d. Sign the certificate sign request by available CA

In this example we will use our own custom CA to sign the request. In other cases you would request your company CA owner to sign this certificate request, or you would send this request to publicly trusted CA.

$ openssl x509 -req -in czlin0212_request.csr -CA ca_root.crt -CAkey ca_priv.key -CAcreateserial -out czlin0212_cert.crt -days 3650
Signature ok
subject=C = cz, ST = cz, L = Prague, O = Dbvisit, CN = czlin0212
Getting CA Private Key

$ ls -l czlin0212_cert.crt
-rw-r--r--. 1 oracle oinstall 1180 Jan 19 14:29 czlin0212_cert.crt

You will need the CA root certificate as well as the CA private key to sign the request. If you created the CA on different server, you need to sign your request (czlin0212_request.csr) on that server. So you will need to copy czlin0212_request.csr to the CA server and after signing copy resulting czlin0212_cert.crt back to dbvcontrol host.

Copying CA root certificate together with the CA private key to dbvcontrol host is of course possible, but conceptually incorrect from security point of view.

e. Replace the existing Dbvisit certificate files with your own custom ones

The last step is to replace existing dbvcontrol certificates with the signed certificate. You will need to copy your CA root certificate ca_root.crt to the dbvcontrol host (not the CA private key!)

First of all, stop dbvcontrol. Then proceed with Overwrite the existing files (all our custom certificates are in ~/cert):

$ cd /usr/dbvisit/standbymp/certificates
$ cp ~/cert/ca_root.crt www_ca.pem
$ cp ~/cert/czlin0212_cert.crt www_cert.pem
$ cp ~/cert/czlin0212_priv.key www_prikey.pem

Consider backing up directory /usr/dbvisit/standbymp/certificates before any changes

Now start dbvcontrol and verify in browser the new certificate is correctly used:

Replacing Dbvagentmanager Certificates

Replacing dbvagentmanager certificates is completely independent on webserver certificate. You need to replace certificates on the specific dbvagentmanager host as well as on dbvcontol host - otherwise your dbvagentmanagers wouldn’t be able to connect to dbvcontrol correctly. In this example, we have following structure:

  • server czlin0211 with installed dbvagentmanager as primary server

  • server czlin0212 as our standby server

  • server czlin0192 where we installed dbvcontrol.

There are three types of certificates to replace:

  • primary dbvagentmanager client & server certificate

  • standby dbvagentmanager client & server certificate

  • dbvcontrol client & server certificate (these are different from webserver certificate)

All of these certificates must be signed by the same certificate authority (CA) !!!

a. Generate private key for your primary dbvagentmanager server

On the dbvagentmanager primary server run (replace string czlin0211 with your server hostname):

$ mkdir ~/cert
$ cd ~/cert

$ openssl genrsa -out czlin0211_dbva_priv.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................++
..................+++++
e is 65537 (0x010001)

b. On the dbvagentmanager primary server Generate certificate sign request

$ openssl req -new -key czlin0211_dbva_priv.key -out czlin0211_dbva_request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cz
State or Province Name (full name) []:cz
Locality Name (eg, city) [Default City]:Prague
Organization Name (eg, company) [Default Company Ltd]:Dbvisit
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:czlin0211
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ ls -l czlin0211_dbva_request.csr
-rw-r--r--. 1 oracle oinstall 972 Jan 19 14:55 czlin0211_dbva_request.csr

Fell free to fill in / omit the inidividual properties as you like. File czlin0211_request.csr will be then needed to be signed by the CA

c. Sign the certificate sign request by available CA

We will use our own custom CA to sign the request (see top of the page examle example how to create own CA). Alternatively you would request your company CA owner to sign this certificate request, or you would send this request to publicly trusted CA.

$ openssl x509 -req -in czlin0211_dbva_request.csr -CA ca_root.crt -CAkey ca_priv.key -CAcreateserial -out czlin0211_dbva_cert.crt -days 3650
Signature ok
subject=C = cz, ST = cz, L = Prague, O = Dbvisit, CN = czlin0211
Getting CA Private Key

You will need the CA root certificate as well as the CA private key to sign the request. If you created the CA on different server, you need to sign your request (czlin0211_dbva_request.csr) on that server - so you will need to copy file czlin0211_dbva_request.csr there and after signing copy czlin0211_dbva_cert.crt to your primary server. Copying CA root certificate together with the CA private key to dbvcontrol host is of course possible, but conceptually incorrect from security point of view.

d. Perform the steps a,b,c on your standby dbvagentmanager server

Do exactly the same steps on the other server, in our case the other server was czlin0212. The commands used were:

$ mkdir ~/cert
$ cd ~/cert
$ openssl genrsa -out czlin0212_dbva_priv.key 2048
$ openssl req -new -key czlin0212_dbva_priv.key -out czlin0212_dbva_request.csr
$ openssl x509 -req -in czlin0212_dbva_request.csr -CA ca_root.crt -CAkey ca_priv.key -CAcreateserial -out czlin0212_dbva_cert.crt -days 3650 #this command should be run on server where you setup your own CA

Use the same CA to sign czlin0212_dbva_request.csr as you used for signing czlin0211_dbva_request.csr

e. Perform the steps a,b,c on your dbvcontrol server

Run exactly same commands as in previous step:

$ mkdir ~/cert
$ cd ~/cert
$ openssl genrsa -out czlin0192_cc_priv.key 2048
$ openssl req -new -key czlin0192_cc_priv.key -out czlin0192_cc_request.csr
$ openssl x509 -req -in czlin0192_cc_request.csr -CA ca_root.crt -CAkey ca_priv.key -CAcreateserial -out czlin0192_cc_cert.crt -days 3650 #this command should be run on server where you setup your own CA

Again, use the same CA to sign czlin0192_dbva_request.csr as you used for signing czlin0211_dbva_request.csr and czlin0212_dbva_request.csr

f. Replace all certificates on primary, standby and dbvcontrol servers

You need to first stop all dbvagentmanagers and also dbvcontrol. No dbvisit process should remain running.

Consider backing up directory /usr/dbvisit/standbymp/certificates before any changes on all servers

file ~/cert/ca_root.crt should be copied from your CA server and needs to be identical on all servers

Copy the certificate in correct place on primary:

$ cd /usr/dbvisit/standbymp/certificates
$ cp ~/cert/ca_root.crt client_ca.pem
$ cp ~/cert/czlin0211_dbva_cert.crt client_cert.pem
$ cp ~/cert/czlin0211_dbva_priv.key client_prikey.pem
$ cp ~/cert/ca_root.crt server_ca.pem
$ cp ~/cert/czlin0211_dbva_cert.crt server_cert.pem
$ cp ~/cert/czlin0211_dbva_priv.key server_prikey.pem

Copy the certificate in correct place on standby:

$ cd /usr/dbvisit/standbymp/certificates
$ cp ~/cert/ca_root.crt client_ca.pem
$ cp ~/cert/czlin0212_dbva_cert.crt client_cert.pem
$ cp ~/cert/czlin0212_dbva_priv.key client_prikey.pem
$ cp ~/cert/ca_root.crt server_ca.pem
$ cp ~/cert/czlin0212_dbva_cert.crt server_cert.pem
$ cp ~/cert/czlin0212_dbva_priv.key server_prikey.pem

Copy the certificate in correct place on dbvcontrol host:

$ cd /usr/dbvisit/standbymp/certificates
$ cp ~/cert/ca_root.crt client_ca.pem
$ cp ~/cert/czlin0192_cc_cert.crt clien_cert.pem
$ cp ~/cert/czlin0192_cc_priv.key client_prikey.pem
$ cp ~/cert/ca_root.crt server_ca.pem
$ cp ~/cert/czlin0192_cc_cert.crt server_cert.pem
$ cp ~/cert/czlin0192_cc_priv.key server_prikey.pem

All is done - last step is to startup all dbvisit processes (dbvagentmanagers and dbvcontrol) on primary and standby server.

Verify that in controlcenter both dbvagentmanagers are reachable:

  • No labels