Adding an encryption profile on the command-line (UNIX and Linux)

You must create an encryption profile before or during the creation of an instance of the CDC Replication engine.

About this task

If you are configuring the first instance of CDC Replication after installation, you can proceed to Step 3 after you reach the Encryption profile selection.

Procedure

  1. At the command prompt, start the configuration tool by issuing the following command:
     /CDC_Replication_installation_directory/bin/dmconfigurets
  2. Type the number that corresponds with the Manage encryption profiles option and press Enter.
  3. Type 1 and press Enter to add a new encryption profile.
  4. Enter a unique profile name and press Enter.
    Note: If you name the profile 'Default,' then exporting and importing the replication configuration automatically re-creates an encryption profile with default settings (no encryption). In this case, you must use the default keystores and truststores without encryption.
  5. Select the required option for Encryption:
    • Enabled: Encryption is enabled for the instance. TLS is used when Enabled or Required is specified on the other instance.
    • Disabled: Encryption is disabled for the instance. TLS is not supported. Unencrypted communication is supported when Enabled or Disabled is specified for the other instance.
    • Required: Encryption is required to communicate with this instance. The other side must not specify Disabled or the connection fails.
    • Always: TLS is always used without negotiation. The other side must also specify Always.

    Specify Enabled or Required on both the source and target instances to use TLS encryption.

    To enable encryption, a private keystore is required.

  6. Select the required option for authentication:
    • Mutual: Clients authenticate this server's certificate and this server authenticates the client's certificate.
    • Server: Clients authenticate this server's certificate.
    Note: Skip this step if Encryption is Disabled.
  7. Enter the path to the private keystore file and press Enter.
    A private keystore is required only if engine-to-engine encryption is enabled; otherwise the path can be left blank. You are not prompted for a private keystore password or a private keystore type if you leave the path blank.
  8. Enter the password of the private keystore file and the keys that are contained within it and press Enter.
  9. Select the keystore type of the private keystore file and press Enter.
  10. Enter the path to the truststore file and press Enter.
  11. Enter the password for the truststore file and press Enter.
  12. Select the keystore type of the truststore file and press Enter.
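
The Encryption options in step 5 determine what two instances end up doing when they connect. The following script is an added example, not part of the product or of this procedure: it derives the outcome for each source/target pairing from the option descriptions above and lists the pairs that would not use TLS. The instance-pair labels and the input format are constructed for illustration, and treating an Always/non-Always pairing as a failed connection is this example's reading of "The other side must also specify Always."

```shell
#!/bin/sh
# Added example (not IBM code). Outcome rules are taken only from the option
# descriptions in step 5 of this procedure.

# negotiate SIDE_A SIDE_B -> prints TLS, PLAINTEXT, FAIL or INVALID
negotiate() {
    for setting in "$1" "$2"; do
        case "$setting" in
            Enabled|Disabled|Required|Always) ;;
            *) echo INVALID; return 0 ;;
        esac
    done
    case "$1:$2" in
        Always:Always)                       echo TLS ;;       # TLS without negotiation
        Always:*|*:Always)                   echo FAIL ;;      # assumption: mismatch fails
        Required:Disabled|Disabled:Required) echo FAIL ;;      # Required rejects Disabled
        Disabled:*|*:Disabled)               echo PLAINTEXT ;; # Enabled or Disabled meets Disabled
        *)                                   echo TLS ;;       # Enabled/Required on both sides
    esac
}

# audit_pairs: read "label source_setting target_setting" lines on stdin and
# print every pair that would not end up on TLS.
audit_pairs() {
    while read -r label src tgt; do
        [ -n "$label" ] || continue
        outcome=$(negotiate "$src" "$tgt")
        [ "$outcome" = TLS ] || echo "$label $outcome"
    done
}

# Constructed inventory of source/target instance pairs (hypothetical names).
audit_pairs <<'EOF'
orders-to-dwh    Required Enabled
hr-to-reporting  Enabled  Disabled
legacy-to-lake   Always   Required
billing-to-audit Required Disabled
EOF
```

The pairing to watch for is Enabled with Disabled: the connection succeeds, but unencrypted, so Enabled alone does not guarantee TLS on a link.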