The local and remote ETL Engine Servers of TrueSight Capacity Optimization can communicate with the following external databases:

  • Oracle
  • PostgreSQL
  • SQL Server

Info

The connection between Perl and SQL Server database does not support TLS 1.2. Hence, communication from the following Perl-based ETLs to SQL Server is not TLS 1.2 compliant:

  • Generic - Database Extractor
  • Generic - Columnar database Extractor
  • Generic – Events SQL extractor
  • Generic – Object Relationship SQL extractor

You can use Transport Layer Security (TLS) 1.2 with server certificate validation to secure communication between these components. For details, see the following sections:

Before you begin

Ensure that you use the database versions that support TLS 1.2. For more information, see Software requirements.

For external Oracle database

Before you begin

  • Ensure that the Oracle database is configured in TLS 1.2 mode.
  • Ensure that a TLS-compatible ojdbc7.jar file exists in the <Oracle client home>/jdbc/lib directory. If not, you can copy the file from the Oracle website.

Enable TLS 1.2 with server certificate validation

  1. Procure the Certificate Authority (CA) signed certificate from the system administrator of your organization. Ensure that the certificate is in x509 format. For example, extdatabase.crt.
  2. Save the procured certificate file in the following locations:

    Component                   Location
    Local ETL Engine Server     <Local ETL Engine Server Installation Directory>/secure
    Remote ETL Engine Server    <Remote ETL Engine Server Installation Directory>/secure
 

3. Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory. Add this directory path to the PATH environment variable by running the following command:

export PATH="<Server Installation Directory>/jre/bin:$PATH"

 

4. Navigate to the <Server Installation Directory>/secure directory and import the CA-trusted certificates that are allowed by JRE by running the following command:

keytool -importkeystore -srckeystore <Server Installation Directory>/jre/lib/security/cacerts -destkeystore cotruststore.ts -srcstorepass changeit -deststorepass <cotruststorepassword>

Note

Importing the CA-trusted certificates that are allowed by JRE must be done at least once before you import other certificates.

The <cotruststorepassword> is the password for cotruststore.ts truststore.

5. Go to <Server Installation Directory>/secure directory and import the procured certificates by running the following command:

keytool -importcert -trustcacerts -file <path>/oracle.crt -keystore cotruststore.ts -alias <CertificateName>

Parameter reference

  • oracle.crt is the name of the procured Oracle certificate. If the name of this certificate is different, use the relevant file name in the keytool command.
  • Replace all instances of <CertificateName> by the appropriate certificate name.

 

6. After the message Enter keystore password, enter a password for the truststore.

7. After the message Trust this certificate [no], enter Yes.


The communication between the external Oracle database and the ETL Engine Servers is now TLS 1.2 enabled with server certificate validation.

For external PostgreSQL database

  1. Procure the Certificate Authority (CA) signed certificate from the system administrator of your organization. Ensure that the certificate is in x509 format. For example, extdatabase.crt.
  2. Save the procured certificate file in the following locations:

    Component                   Location
    Local ETL Engine Server     <Local ETL Engine Server Installation Directory>/secure
    Remote ETL Engine Server    <Remote ETL Engine Server Installation Directory>/secure

For external SQL Server database

Important: You can configure only Java-based database extractors to be TLS compliant.

  1. Procure the Certificate Authority (CA) signed certificate from the system administrator of your organization. Ensure that the certificate is in x509 format. For example, extdatabase.crt.
  2. Save the procured certificate file in the following locations:

    Component                   Location
    Local ETL Engine Server     <Local ETL Engine Server Installation Directory>/secure
    Remote ETL Engine Server    <Remote ETL Engine Server Installation Directory>/secure
  3. Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory. Add this directory path to the PATH environment variable by running the following command:

    export PATH="<Server Installation Directory>/jre/bin:$PATH"
  4. Navigate to the <Server Installation Directory>/secure directory and import the CA-trusted certificates that are allowed by JRE by running the following command:

    keytool -importkeystore -srckeystore <Server Installation Directory>/jre/lib/security/cacerts -destkeystore cotruststore.ts -srcstorepass changeit -deststorepass <cotruststorepassword>

    Note

    Importing the CA-trusted certificates that are allowed by JRE must be done at least once before you import other certificates.

    The <cotruststorepassword> is the password for cotruststore.ts truststore.

  5. Go to <Server Installation Directory>/secure directory and import the procured certificates by running the following command:

    keytool -importcert -trustcacerts -file <path>/extdb.crt -keystore cotruststore.ts -alias <CertificateName>

    Parameter reference

    • extdb.crt is the name of the procured SQL Server database certificate. If the name of this certificate is different, use the relevant file name in the keytool command.
    • Replace all instances of <CertificateName> by the appropriate certificate name.
  6. After the message Enter keystore password, enter a password for the truststore.
  7. After the message Trust this certificate [no], enter Yes.

The communication between the external SQL Server database and the ETL Engine Servers is now TLS 1.2 enabled with server certificate validation.
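
A post-import check for the Oracle and SQL Server procedures above, as an added example that is not part of the original documentation or the product: it reads `keytool -list` output and confirms that the alias exists, is a trustedCertEntry, and carries the same SHA-256 fingerprint as the procured certificate file. The helper name `check_truststore_entry`, the aliases `extdb` and `appkey`, and the sample listing and fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): verify an imported certificate in cotruststore.ts.
# Real input would come from:
#   keytool -list -keystore cotruststore.ts -alias <CertificateName>
#   openssl x509 -in <path>/extdb.crt -noout -fingerprint -sha256

# check_truststore_entry ALIAS EXPECTED_FP   (hypothetical helper name)
# Reads `keytool -list` output on stdin. Returns 0 = trusted entry with matching
# fingerprint, 1 = alias missing, 2 = not a trustedCertEntry, 3 = fingerprint differs.
check_truststore_entry() {
    alias_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # compare aliases case-insensitively
    # Accept a bare fingerprint or the "... Fingerprint=AA:BB" form printed by openssl.
    want_fp=$(printf '%s' "$2" | sed 's/^.*=//' | tr -d ': ' | tr 'a-f' 'A-F')
    awk -v a="$alias_lc" -v fp="$want_fp" '
        BEGIN { rc = 1 }
        # Entry line looks like: "<alias>, <date>, <entry type>,"
        index(tolower($0), a ", ") == 1 {
            found = 1
            rc = ($0 ~ /trustedCertEntry/) ? 3 : 2
            next
        }
        # The fingerprint line directly follows its entry line.
        found && /^Certificate fingerprint/ {
            got = $0
            sub(/^[^:]*: */, "", got)   # drop the "Certificate fingerprint (...):" label
            gsub(/[: ]/, "", got)
            if (rc == 3 && toupper(got) == fp) rc = 0
            found = 0
        }
        END { exit rc }
    '
}

# Constructed sample values, not taken from a real truststore.
SAMPLE_FP='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
SAMPLE_LISTING="Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

extdb, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): $SAMPLE_FP
appkey, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00"

printf '%s\n' "$SAMPLE_LISTING" | check_truststore_entry extdb "$SAMPLE_FP" \
    && echo "extdb: trusted entry, fingerprint matches the procured certificate"
```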

Where to go from here

Adding external database connections