Adding an encryption profile with the graphical user interface

You must create an encryption profile before or during the creation of an instance of the CDC Replication engine.

Procedure

  1. At the command prompt, start the configuration tool by issuing the command for your operating system:
    Windows
     \CDC_Replication_installation_directory\bin\dmconfigurets.exe
    Linux, UNIX
     /CDC_Replication_installation_directory/bin/dmconfigurets
  2. In the Encryption Profiles area, click Manage and then click Add.
  3. On the Encryption Profile window, specify a unique profile name.
    Note: If you name the profile 'Default', then exporting and importing the replication configuration automatically re-creates an encryption profile with default settings (no encryption). In this case, you must use the default keystores and truststores without encryption.
  4. Configure these options in the Engine-to-Engine Communication area:
    Encryption
    Select one of these options:
    • Enabled: Encryption is enabled for the instance. TLS is used when Enabled or Required is specified on the other instance.
    • Disabled: Encryption is disabled for the instance. TLS is not supported. Unencrypted communication is supported when Enabled or Disabled is specified for the other instance.
    • Required: Encryption is required to communicate with this instance. The other side must not specify Disabled or the connection fails.
    • Always: TLS is always used without negotiation. The other side must also specify Always.

    Specify Enabled or Required on both the source and target instances to use TLS encryption.

    To enable encryption, you must complete the Private keystore area.

    Authentication
    Select one of these options:
    • Mutual: Clients authenticate this server's certificate and this server authenticates the client's certificate.
    • Server: Clients authenticate this server's certificate.
    Note: The authentication option is not applicable when Encryption is Disabled.
  5. Configure the following options in the Private keystore area:
    Path
    Enter the location of a private keystore file or click Browse to select a file.
    Password
    Enter the password for the private keystore file and the private keys that it contains.
    Type
    Select the keystore type of the private keystore file.

    A private keystore is required only when engine-to-engine encryption is enabled. If encryption is disabled, you can leave the path and password fields blank.

  6. In the truststore area, configure these options:
    Path
    Enter the location of a truststore file or click Browse to select a file.
    Password
    Enter the password for the truststore file.
    Type
    Select the keystore type of the truststore file.
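
The Encryption options in step 4 combine pairwise, and an Enabled instance paired with a Disabled one communicates unencrypted without an error. The following is an added example, not IBM code or part of the original procedure: it audits a planned set of profiles and source-to-target links for pairs that will not use TLS. The Profile record, the instance names and the paths are hypothetical, and treating an Always/non-Always pairing as a failed connection is an assumption drawn from "The other side must also specify Always."

```python
from dataclasses import dataclass

TLS, PLAINTEXT, FAIL = "tls", "plaintext", "fail"

@dataclass
class Profile:  # hypothetical record, not a CDC Replication file format
    name: str
    encryption: str  # Enabled | Disabled | Required | Always
    keystore_path: str = ""

def negotiate(a, b):
    """Outcome for two engines' Encryption settings, per the option descriptions."""
    if "Always" in (a, b):
        # Always skips negotiation, so the peer must also be Always.
        # A mismatch is treated here as a failed connection (assumption).
        return TLS if a == b else FAIL
    if "Disabled" in (a, b):
        # Required refuses a Disabled peer; Enabled or Disabled accepts it unencrypted.
        return FAIL if "Required" in (a, b) else PLAINTEXT
    return TLS  # every remaining pairing of Enabled and Required

def profile_issues(p):
    """Problems with a single profile, based on the step 3 note and step 5."""
    issues = []
    if p.encryption != "Disabled" and not p.keystore_path:
        issues.append(f"{p.name}: Encryption is {p.encryption} but no private keystore path")
    if p.name == "Default" and p.encryption != "Disabled":
        issues.append("Default: export/import re-creates this profile with no encryption")
    return issues

def audit(profiles, links):
    """Return (source, target, outcome) for every link that will not use TLS."""
    mode = {p.name: p.encryption for p in profiles}
    results = [(s, t, negotiate(mode[s], mode[t])) for s, t in links]
    return [r for r in results if r[2] != TLS]

# Constructed sample inventory: one source engine and three targets.
PROFILES = [
    Profile("src-prod", "Enabled", "/opt/keys/src.p12"),
    Profile("tgt-dw", "Required", "/opt/keys/tgt.p12"),
    Profile("tgt-legacy", "Disabled"),
    Profile("tgt-edge", "Always"),
]
LINKS = [("src-prod", "tgt-dw"), ("src-prod", "tgt-legacy"), ("src-prod", "tgt-edge")]

if __name__ == "__main__":
    for profile in PROFILES:
        print(*profile_issues(profile), sep="\n", end="")
    for src, dst, outcome in audit(PROFILES, LINKS):
        print(f"\n{src} -> {dst}: {outcome}", end="")
```

A "plaintext" finding is the one to look for first, because that link connects normally and gives no error to indicate that traffic is unencrypted.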