Managing SSL/TLS over JDBC for containerized masking
On the VM instance, the Virtualization Engine's Setup App manages the certificates and trust stores needed for SSL/TLS. Since the Containerized Masking Engine runs on its own, we need another way of creating the truststore and storing the SSL certificate. There are multiple options for establishing a truststore on a Linux container. Below is an example of using Kubernetes for this purpose:
uploading the saved certificate to a ConfigMap
mounting that ConfigMap as a volume
creating a truststore and loading the configured certificates into it
Prerequisites
The database is configured with an SSL listener. To establish the SSL/TLS connection over JDBC we need to know:
database host name (the HOST in the JDBC URL),
SID,
SSL listener port,
SERVICE_NAME (the database service on which the SSL listener is enabled),
SSL_SERVER_CERT_DN (the distinguished name of the SSL server certificate). It can be read from the certificate, for example with the openssl utility (look for the Subject: line):
openssl x509 -in ssl_cert.crt -noout -text
or, to print only the DN in the comma-separated form used in the JDBC URL:
openssl x509 -in ssl_cert.crt -noout -subject -nameopt RFC2253
Here ssl_cert.crt is the file containing the desired certificate (the one that was copied from the database). The DN configured in the connector must match the certificate subject exactly.
Create configmap entry based on database provided SSL/TLS certificate
Save the SSL/TLS certificate as a .crt file (PEM format, see the troubleshooting section for what it should look like).
Use kubectl to create a ConfigMap from that file, for example:
kubectl create configmap ora-18 --from-file=ssl_cert.crt
Here ora-18 is the name of the created ConfigMap and ssl_cert.crt is the file containing the SSL/TLS certificate. The ConfigMap must be created in the same namespace as the masking pod. To verify that it exists, run:
kubectl get configmap
Mount the configured configmap as volume
Add the ConfigMap as a volume to the pod in its config .yaml file. If you already have other volumes defined, the new entry goes under the existing volumes: section. If not, create a volumes: section as shown below:
volumes:
  - name: ora-ssl-cert-volume
    configMap:
      name: ora-18
Here ora-ssl-cert-volume is the name of the new volume and ora-18 is the name of the previously created ConfigMap.
Now we are ready to mount that volume into the app container. Under the containers: section of the pod's config .yaml file, find the app container and add another entry to its volumeMounts: as shown below:
  - name: ora-ssl-cert-volume
    mountPath: /var/delphix/ssl/ssl_cert.crt
    subPath: ssl_cert.crt
Here ora-ssl-cert-volume is the pod-level volume defined above and ssl_cert.crt is the name of the certificate file (the key of the ConfigMap).
If using multiple SSL/TLS certificates, repeat the above steps for each certificate. Each certificate needs its own volume name and a distinct file name, because all of them are mounted into the same /var/delphix/ssl/ directory and the file name is used as the truststore alias.
Attention!
The mountPath /var/delphix/ssl/ is a preconfigured location on the app container where certificates must be stored. That is where the truststore build step looks for customer-provided certificates.
Create trust store and upload all mounted SSL/TLS certificates
We suggest using the Kubernetes lifecycle postStart hook to create the truststore and load the certificates.
In the pod's config .yaml file, in the containers: section, find the app container and add a lifecycle section containing a postStart: hook as shown below:
name: app
lifecycle:
  postStart:
    exec:
      command: ["/bin/bash", "-c", "for filename in /var/delphix/ssl/*.crt; do [ -f \"$filename\" ] || continue; keytool -import -trustcacerts -keystore /var/delphix/ssl/.masking_certs -storepass changeit -noprompt -alias $(basename \"$filename\" .crt) -file \"$filename\"; done"]
Here the keytool utility creates the truststore /var/delphix/ssl/.masking_certs (on the first import) and loads every certificate found in the /var/delphix/ssl/ directory, using the file name without the .crt suffix as the alias. The [ -f ... ] || continue guard makes the loop a no-op when no .crt file is mounted; without it bash passes the literal pattern to keytool. Keep in mind that Kubernetes kills the container when a postStart hook exits with an error, so a mounted file that is not a valid certificate, or two files that map to the same alias, will prevent the app container from starting. The truststore lives in the container filesystem and is rebuilt on every start; changeit is the keytool default store password.
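As an added example (not Delphix's own script and not part of the original page), the following POSIX shell script is a drop-in replacement for the one-line postStart command above. It keeps the page's certificate directory, truststore path, alias rule and default store password, but skips files that do not contain a PEM certificate, skips aliases that are already present, and tolerates an empty certificate directory, so a bad or missing file no longer fails the hook and kills the container. The helper names, the environment variables and the "build" argument are our own; the openssl-based cert_dn helper is included to print the subject in the form needed for SSL_SERVER_CERT_DN.

```shell
#!/bin/sh
# Builds the masking truststore from every *.crt mounted under the certificate
# directory. Added example: paths, alias rule and default password follow the
# page; helper names and environment variables are assumptions.

SSL_DIR="${SSL_DIR:-/var/delphix/ssl}"
TRUSTSTORE="${TRUSTSTORE:-$SSL_DIR/.masking_certs}"
STOREPASS="${STOREPASS:-changeit}"

# Truststore alias for a certificate file: the file name without its .crt suffix.
cert_alias() {
    basename "$1" .crt
}

# True only if the file is non-empty and carries a PEM certificate block. A
# ConfigMap created from an empty or truncated file fails this check instead of
# making keytool exit non-zero inside the postStart hook.
is_pem_cert() {
    [ -s "$1" ] \
        && grep -q '^-----BEGIN CERTIFICATE-----' "$1" \
        && grep -q '^-----END CERTIFICATE-----' "$1"
}

# Subject DN in RFC 2253 (comma-separated) form, as expected by SSL_SERVER_CERT_DN.
# Requires the openssl binary in the container.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Import one certificate. keytool refuses to import into an existing alias, so
# an already-present alias is reported and skipped rather than failing the hook.
import_cert() {
    entry_alias="$(cert_alias "$1")"
    if keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
            -alias "$entry_alias" >/dev/null 2>&1; then
        echo "skip: alias '$entry_alias' already present in $TRUSTSTORE"
        return 0
    fi
    keytool -import -trustcacerts -noprompt \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        -alias "$entry_alias" -file "$1"
}

# Import every valid certificate in SSL_DIR and report how many entries the store holds.
build_truststore() {
    imported=0
    for f in "$SSL_DIR"/*.crt; do
        # Without nullglob an empty directory leaves the literal pattern in $f.
        [ -f "$f" ] || continue
        if ! is_pem_cert "$f"; then
            echo "warn: $f is not a PEM certificate, skipping" >&2
            continue
        fi
        import_cert "$f" && imported=$((imported + 1))
    done
    echo "imported $imported certificate(s) into $TRUSTSTORE"
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        | grep -c trustedCertEntry || true
}

# Only run the import when invoked as "build", so the helpers can be sourced or tested alone.
if [ "${1:-}" = "build" ]; then
    build_truststore
fi
```

To use it from the hook, ship the script in a ConfigMap of its own, mount it outside /var/delphix/ssl/ so the *.crt glob does not pick it up, and point the postStart command at it, for example ["/bin/sh", "/opt/delphix-tools/build-truststore.sh", "build"] (the path is an assumption). Running cert_dn against a mounted certificate gives the value to paste into the connector URL.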
Configure SSL/TLS over JDBC connector
Now all required SSL/TLS certificates are loaded into the truststore on the Containerized Masking Engine and can be used to establish the JDBC connection. In the connector settings for the advanced Oracle database connector, configure the URL as follows:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<your oracle DB host>)(PORT=<port where SSL listener is configured>))(CONNECT_DATA=(SERVICE_NAME=<service name>))(SECURITY=(SSL_SERVER_CERT_DN="<distinguished name of the SSL certificate>")))
Note the PROTOCOL=tcps and the SSL listener port; the DN must match the certificate subject exactly, as read with openssl in the prerequisites.
SSL/TLS over JDBC troubleshooting
Verify that the file contains the exact SSL/TLS certificate copied from the database. It should look like:
-----BEGIN CERTIFICATE-----
MIIBkDCB+gIBADANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZiYmRoY3AwHhcNMjIwOTAxMDA0
...
uVWk84o=
-----END CERTIFICATE-----
Verify that the certificate is mounted under the correct /var/delphix/ssl/ directory.
Verify that the certificate was loaded into the truststore by opening a bash shell on the app container and checking that the truststore exists and how many certificates it contains:
keytool -list -keystore /var/delphix/ssl/.masking_certs -v
If the app container did not start, most probably the mount was not configured correctly or the postStart hook failed (for example because a mounted file is not a valid certificate). Check the pod description for errors:
kubectl describe pod delphix-masking-0
In particular, check for indentation issues in the YAML entries, because Kubernetes is very sensitive to indentation.