Replacing self-signed certificates on the Delphix connector
The Delphix Connector relies on a Java Keystore with a self-signed X.509 certificate in order to instantiate SSL. If this certificate does not conform to the customer's business standards, it is possible to run a PowerShell script (ReplaceConnectorKeystore.ps1) to replace the self-signed certificate with a certificate that is signed by a Certificate Authority of their choice (for example, Verisign).
This script should only be used to replace the self-signed certificate in the Delphix Connector's Java Keystore with a signed certificate. Upon execution, the script will do the following:
- Validate that a PrivateKeyEntry exists within the input keystore
- Stop the DelphixConnector service
- Rename the existing DelphixConnector keystore
- Import the new keystore
- Start the DelphixConnector service
Prerequisites:
- The Delphix Connector is installed
- The DelphixConnector.jks file exists at <Drive>:\<path to DelphixConnector>\connector\DelphixConnector.jks
- The DelphixConnector.properties file exists at <Drive>:\<path to DelphixConnector>\connector\DelphixConnector.properties and has not been tampered with (STOREPASS, KEYPASS, UUID are present)
- The Java Keytool utility exists at <Drive>:\<path to DelphixConnector>\jre\bin\keytool.exe
- The script, ReplaceConnectorKeystore.ps1, exists at <Drive>:\<path to DelphixConnector>\connector\ReplaceConnectorKeystore.ps1
User inputs:
- A JKS/PKCS#12 formatted keystore containing a PrivateKeyEntry with a signed certificate
- The alias of the PrivateKeyEntry in the new keystore
- The password for the new JKS/PKCS#12 keystore
- The password for the private key in the new JKS/PKCS#12 keystore
Running the script:
Open a PowerShell console and do the following:
- Navigate to where ReplaceConnectorKeystore.ps1 lives
- Run .\ReplaceConnectorKeystore.ps1
- Enter the full path to the new JKS/PKCS#12 keystore
- Enter the alias of the PrivateKeyEntry in the input keystore
- Enter the password for the input keystore
- Enter the password for the private key in the input keystore
How to check if your Java keystore contains a PrivateKeyEntry:
PS C:\Program Files\Delphix\DelphixConnector\jre\bin> .\keytool.exe -list -keystore ..\..\connector\DelphixConnector.jks -storepass <STOREPASS from DelphixConnector.properties file>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
delphixconnector-4ef488a8-85df-4418-b56d-1e61b25c0aa2, Jul 28, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 67:79:DA:E2:64:7A:74:42:62:CA:13:66:29:16:81:0A:B9:7E:4A:60
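A pre-flight check on the new keystore before it is given to ReplaceConnectorKeystore.ps1, as an added example that is not part of the Delphix script: it parses keytool -list -v output for one alias and reports whether the entry is a PrivateKeyEntry whose leaf certificate is not self-signed. The function names, the sample output and the KS_PASS environment variable are assumptions made for this example.

```powershell
# Added example, not Delphix code: parse `keytool -list -v -alias <alias>` output
# and report whether the entry is a CA-signed PrivateKeyEntry.
function Get-Field([string[]]$Lines, [string]$Name) {
    # Return the first "<Name>: value" field; the first Owner/Issuer pair
    # belongs to Certificate[1], the leaf certificate.
    foreach ($line in $Lines) {
        if ($line -match "^${Name}:\s*(.+)$") { return $Matches[1].Trim() }
    }
}

function Test-KeystoreEntry([string[]]$KeytoolOutput) {
    $type    = Get-Field $KeytoolOutput 'Entry type'
    $subject = Get-Field $KeytoolOutput 'Owner'
    $issuer  = Get-Field $KeytoolOutput 'Issuer'
    $selfSigned = [bool]$subject -and ($subject -eq $issuer)
    [pscustomobject]@{
        EntryType   = $type
        ChainLength = [int](Get-Field $KeytoolOutput 'Certificate chain length')
        LeafOwner   = $subject
        LeafIssuer  = $issuer
        SelfSigned  = $selfSigned
        # Usable only if a private key is present and the leaf was issued by another CA.
        Usable      = ($type -eq 'PrivateKeyEntry') -and [bool]$subject -and -not $selfSigned
    }
}

# Constructed sample output (names are made up, not taken from a real keystore).
$sample = @'
Alias name: leaf
Creation date: Jul 28, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=connector.example.com, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
'@ -split "`r?`n"

Test-KeystoreEntry $sample

# Against a real keystore, with the password read from an environment variable
# so that it does not appear on the command line:
#   $env:KS_PASS = '<keystore password>'
#   $out = & .\keytool.exe -list -v -keystore <new keystore> -alias <alias> '-storepass:env' KS_PASS
#   Test-KeystoreEntry $out
```

Running the same check against the connector's original self-signed entry reports SelfSigned as True, because the leaf certificate's Owner and Issuer are identical.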
Example of a successful keystore replacement:
PS C:\Users\dtully\Documents> .\ReplaceConnectorKeyStore.ps1
Enter the full path to a JKS/PKCS#12 keystore: C:\Program Files\Delphix\DelphixConnector\jre\bin\test.jks
Enter alias: leaf
Enter keystore password: ********
Enter private key password: ********
Verifying that a PrivateKeyEntry exists in C:\Program Files\Delphix\DelphixConnector\jre\bin\test.jks
Stopping the Delphix Connector service
Renaming C:\Program Files\Delphix\DelphixConnector\connector\DelphixConnector.jks to C:\Program Files\Delphix\DelphixConnector\connector\DelphixConnector.jks.old
Importing the keystore into DelphixConnector.jks
[Storing C:\Program Files\Delphix\DelphixConnector\connector\DelphixConnector.jks]
Starting the Delphix Connector service