Configuring Oracle GoldenGate Monitor for HTTPS

There is no shortage of information regarding how to install Oracle GoldenGate Monitor both in the Administrator’s Guide and on various websites. If you want to see screenshots of the GUI installation then Michael Verzijl has a step-by-step on his blog. However, when I came to perform my first installation I didn’t find complete instructions on how to set up HTTPS. If you’re a Java person then I imagine that the information provided in the instructions is sufficient, but if you’re not and have found yourself responsible for setting up Oracle GoldenGate Monitor because: 1) It’s called “Oracle…” and you know Oracle; and 2) Other people aren’t interested in doing it, then I hope you’ll find the information below useful.

You are going to need to use keytool. The steps below cover creating a “self-signed” certificate because in my case I simply want SSL/HTTPS rather than any guarantee that the site is what it claims to be.

Creating a Self-Signed Certificate

The suggested command is:

$ keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass <password> -keysize 2048

Sample output:

$ keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass easy_password -keysize 2048
What is your first and last name?
  [Unknown]:  GoldenGate Monitor
What is the name of your organizational unit?
  [Unknown]:  GoldenGate Support
What is the name of your organization?
  [Unknown]:  ORAsavon Limited
What is the name of your City or Locality?
  [Unknown]:  Leeds
What is the name of your State or Province?
  [Unknown]:  West Yorkshire
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=GoldenGate Monitor, OU=GoldenGate Support, O=ORAsavon Limited, L=Leeds, ST=West Yorkshire, C=GB correct?
  [no]:  yes

Enter key password for <selfsigned>
        (RETURN if same as keystore password):
$

At this point you will have a file named keystore.jks in your current directory and you are ready to install Oracle GoldenGate Monitor and configure it to only use SSL/HTTPS.

HTTPS Option During Installation

During the GUI installation you will get to a screen where you can select HTTP and/or HTTPS as well as the corresponding port number (see this image from Michael Verzijl’s step-by-step).

If you’re using the command line install (via -c option) then you’ll see the output below:

Enter ports for use by Oracle GoldenGate Monitor

      Select HTTP or HTTPS or both, and enter the ports that Oracle GoldenGate
      Monitor will listen on

Configure Monitor HTTP server?
Yes [y, Enter], No [n]
n
Configure Monitor HTTPS(secured) server?
Yes [y], No [n, Enter]
y
HTTPS port:
[5505]

Shutdown port:
[5501]

Please select the valid keystore you want use for Monitor server
To enable SSL, please use the java keystore utility to create a keystore, and then import the SSL certificate to the keystore. The installer copies the keystore to the Tomcat conf directory. Tomcat uses it for SSL authentication.
Keystore file:
[/<path to where you unpacked the installer>/Oracle_GoldenGate_Monitor_solaris_sparc_11_1_1_1_0.sh.29202.dir]
/<path to where you created the keystore>/keystore.jks

After this carry on with the installation, but at the end deselect “Start Oracle GoldenGate Monitor”.

If you’re using the GUI installer then it’s on this screen at this point in Michael Verzijl’s step-by-step.

If you’re using the command line install then the output below applies:

      To start Oracle GoldenGate Monitor manually, deselect Start Oracle
      GoldenGate Monitor, or accept the default to allow automatic startup.
      (Optional)

Start Oracle GoldenGate Monitor?
Yes [y, Enter], No [n]
n
Launch Oracle GoldenGate Monitor Web?
Yes [y], No [n, Enter]
n
View Readme?
Yes [y], No [n, Enter]
n
Finishing installation...

Setting Keystore Password in Tomcat Configuration

Once the installation has completed you need to modify server.xml (/tomcat/conf/server.xml) to add “keystorePass” to the following line:

<Connector SSLEnabled="true" clientAuth="false" keystoreFile="${catalina.base}/conf/monitor.jks" maxThreads="150" port="5505" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

Becomes:

<Connector SSLEnabled="true" clientAuth="false" keystoreFile="${catalina.base}/conf/monitor.jks" keystorePass="<java keystore password>" maxThreads="150" port="5505" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

After this you will/should be able to start Oracle GoldenGate Monitor with it only listening on HTTPS using:

$ <installation directory>/bin/monitor.sh start
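
A pre-start check of the edited server.xml, as an added example that is not part of the original post or of Oracle's tooling: it flags an HTTPS connector with no keystorePass (Tomcat then falls back to its default password, "changeit", which will not open the keystore created above), any plain HTTP connector left enabled, and a server.xml that other accounts can read now that it holds the password in plaintext. The function names, the Server/Service skeleton and the sample password are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed server.xml fragments: the page's Connector line wrapped in a minimal
# Server/Service skeleton, before and after adding keystorePass.
BEFORE = """<Server><Service name="Catalina">
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="${catalina.base}/conf/monitor.jks" maxThreads="150" port="5505" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
</Service></Server>"""
AFTER = BEFORE.replace("maxThreads", 'keystorePass="example-only-password" maxThreads')


def audit_connectors(xml_text):
    """Return a list of findings for the <Connector> elements in server.xml text."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue  # AJP connectors are out of scope for this check
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"port {port}: plain HTTP connector is enabled")
            continue
        if not conn.get("keystoreFile"):
            findings.append(f"port {port}: no keystoreFile set")
        # Without keystorePass Tomcat tries its default password, "changeit".
        if conn.get("keystorePass") in (None, "", "changeit"):
            findings.append(f"port {port}: keystorePass missing or default")
    return findings


def audit_permissions(path):
    """Flag server.xml if group or others can access it (keystorePass is plaintext)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:o} lets other accounts read the keystore password"]
    return []


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_connectors(text) or "OK")
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write(AFTER)
    os.chmod(fh.name, 0o644)
    print(audit_permissions(fh.name))
    os.unlink(fh.name)
```

To check a real installation, pass the contents of its server.xml to audit_connectors() and its path to audit_permissions().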