Enabling TLS encryption for communication between source and target

You can configure CDC Replication either to negotiate encryption through STARTTLS or to always encrypt communication with TLS. CDC Replication can only communicate with other sources and targets that are configured the same way.

CDC Replication uses TLS encryption between the source and target systems when both systems have an appropriate private key store and both systems have the same type of encryption enabled.

CDC Replication uses mutual authentication between the source and target systems, so both systems must have a private key and a public certificate that is signed by a trusted certificate authority (CA). If both source and target have TLS encryption enabled, each side must trust the certificate of the other side. When either side cannot validate the certificate of the other side, the connection fails. To avoid downtime, plan to replace certificates before they expire.
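The two conditions above (each side validates the other's certificate, and no certificate is close to expiry) can be checked before enabling TLS. The following is an added example, not part of the CDC Replication product or its documentation; it assumes the openssl command-line tool and PEM-encoded material, and builds a constructed throwaway PKI so the check runs offline.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes the openssl CLI and PEM files; the
# constructed PKI below stands in for the real source and target key stores.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI: one CA signs both the source and the target certificate;
# a second, unrelated CA represents a trust store that does not know the peer.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Replication Test CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Unrelated CA" -keyout other.key -out other-ca.pem >/dev/null 2>&1
for side in source target; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cdc-$side.example" \
        -keyout "$side.key" -out "$side.csr" >/dev/null 2>&1
    openssl x509 -req -in "$side.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -out "$side.pem" >/dev/null 2>&1
done

# check_peer TRUST_STORE PEER_CERT MIN_SECONDS
# Returns 0 when the trust store validates the peer's certificate chain and the
# certificate stays valid for at least MIN_SECONDS; 1 when the chain does not
# validate (the mutual TLS handshake would fail); 2 when it expires too soon.
check_peer() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -checkend "$3" >/dev/null 2>&1 || return 2
    return 0
}

# The target's trust store must validate the source certificate, and vice versa;
# here both sides trust ca.pem and each certificate must outlive the next day.
check_peer ca.pem source.pem 86400 && echo "target trusts source: OK"
check_peer ca.pem target.pem 86400 && echo "source trusts target: OK"
```

Run the same two checks against the real trust store and peer certificate of each side; a return of 1 on either side means the connection will fail, and a return of 2 means a certificate rotation is due.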

STARTTLS
You can configure CDC Replication to use the same port for both encrypted and unencrypted communication. To start using TLS encryption, CDC Replication uses STARTTLS over an unencrypted connection. The first few bytes that are sent in each direction are not encrypted. Those first few bytes do not include any customer data.

If only the source or only the target has TLS encryption enabled, CDC Replication does not encrypt the communication between them.

TLS
You can configure CDC Replication to always use TLS encryption without negotiation.