Certificates used by OUD for Replication

Hi,

I wonder what's the best way to replace the self-signed certificate OUD uses to encrypt replication data. My client feels uneasy with the fact that OUD creates its own certificates for replication, and even if we leave them as-is you'd still have an issue because you have to keep track of the expiration date. There's an article in Oracle Support that explains in detail how to force OUD to generate a new self-signed certificate (1619734.1) but I'd like to know if I can insert my own certificate.

Thanks,

Answers

  • Sylvain Duloutre-Oracle (Member, Posts: 507)
    edited Mar 9, 2015 11:06AM

    Hi,

    In R2PS2, this is quite complex to manage as key/trust stores must be modified and corresponding pieces of information stored in cn=admin data must be updated as well.

    I'm not allowed to elaborate more on that yet, but expect significant progress in Certificate management for replication in the coming OUD version (R2PS3).

    -Sylvain

    Please mark the response as helpful or correct when appropriate to make it easier for others to find it

  • 2724917 (Member, Posts: 6)
    edited May 16, 2015 2:02PM

    Sylvain,

    I just read through the release notes for OUD 11gR2PS3 but I do not see anything with regard to Certificate Management for replication. Can you elaborate on the improvements in this release, or were those improvements pushed off to a future release? I have managed to successfully replace the replication certificates but as you alluded to earlier, it is not exactly a clean process and doesn't seem supported. Our upgrade/migrations are being held up by many issues with OUD, and this is one of the big ones. Until there is a documented and supported means of changing this self-signed certificate I cannot proceed with moving to OUD.

    Edit: I read through some more of the documentation and now see the new "Replication Certificate Management" management subcommand of the dsreplication command.

    By the way, your responses here and on your blog are extremely helpful and appreciated.

  • 1034777 (Member, Posts: 8)
    edited May 28, 2015 11:59AM

    We've tested the commands in our sandbox and they look good. Looking forward to upgrading the certificates in production once we get all the instances patched to 11.1.2.3.0.

This discussion has been closed.