How to Disable HTTP Traffic for the Delphix Engine and Masking Engine (KBA1317)

Applicable Delphix Versions

  • 5.1
  • 5.0

Issue

This article describes how HTTP traffic can be disabled for the Delphix Engine (above release 4.0) and Masking Engine (above release 5.0). 

WARNING: HTTP must not be disabled when using Mission Control. 

Procedure

WARNING: This procedure must be reapplied after an upgrade.

  1. Install the current version of certificate_manager.sh to the Delphix Engine.
  2. Run certificate_manager.sh and select option [S] to toggle HTTP off for both the Delphix Engine and Masking Engine together. Both the Management stack and Masking stack processes will be restarted automatically.
What do you want to do?
  (updates affect BOTH the Delphix Engine and Masking Engine)
  
        [0] Just add an existing Java keystore/truststore file to the repository.
        [1] Create a new keystore/truststore with a self-signed certificate.
        [2] Create a new keystore/truststore with a Certificate Signing Request
            file (CSR).
        [3] Import a signed certificate and CA certificate (and intermediate
            certificates if any) to an existing keystore/trsuststore as PEM or DER.
        [4] Create a new keystore/truststore from customer supplied set of CA
            certificate, CA signed certificate, private key (and intermediate
            certificates if any) as PEM or DER.
        [5] Import a PKCS#12 keystore/trustore.
        [6] Switch active keystore or truststore.
        [7] View certificate validity periods and domains.
        [8] Delete a keystore/trustore.
        [9] Restore keystore/trustore config to factory default.
        [10] Generate a bulk PEM/DER certificate file report. Iterates through
            all files in a directory and analysises them for x509 readibility
            and outputs a list of all in chain order (if it can build one).
            Optionally, PKCS#7, PKCS#12, and compound PEM/DER files are usable.
        [11] Remove public certificates from a truststore

        [J] Enable JDBC over TLS.
        [V] Turn on verbose output
        [S] Disable plain HTTP.
        [X] EXIT

Option: s

Be WARNED that HTTP should not be disabled if either of the following is true:
        * Delphix Engine is used together with a separate Masking Engine host
          unless the Masking API port is reassigned in the CLI away from port 80.
        * Delphix Engine is used with Mission Control.
Both the Maksing Engine and Mission Control communicate with the Delphix Engine over regular HTTP protocol.
Disable HTTP and restart the Delphix Management stack? [Y/N]: y

Shutting down Delphix Management stack................................complete
Waiting for Management stack to enter disabled state..................complete
Shutting down Delphix Masking stack...................................complete
Waiting for Masking stack to enter disabled state.....................complete
Starting Delphix Management stack.....................................complete
Waiting for Management stack to enter enabled state...................complete
Starting Delphix Masking stack........................................complete
Waiting for Masking stack to enter enabled state......................complete
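
Because the procedure has to be reapplied after every upgrade, it is worth confirming afterwards that port 80 really stopped answering plain HTTP. The following check is an added example, not part of certificate_manager.sh or any Delphix tooling; the engine hostname is passed as an argument, and the script assumes only that the web UI port is 80, as stated in this article. A redirect to HTTPS is still reported as plain HTTP, since the listener is answering unencrypted requests.

```python
import socket
import sys


def probe_plain_http(host, port=80, timeout=3.0):
    """Classify a TCP port as 'closed', 'plain-http' or 'open-not-http'.

    Returns (state, status_code); status_code is set only for 'plain-http'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, filtered, unreachable or unresolvable: no listener for us.
        return "closed", None
    with sock:
        try:
            request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n"
            sock.sendall(request.encode("ascii"))
            banner = sock.recv(64)
        except OSError:
            # Connected, but the peer reset or stayed silent (e.g. a TLS port).
            banner = b""
    if banner.startswith(b"HTTP/"):
        parts = banner.split(None, 2)
        status = parts[1].decode("ascii", "replace") if len(parts) > 1 else None
        return "plain-http", status
    return "open-not-http", None


def http_still_enabled(host, port=80, timeout=3.0):
    """True if the port answers unencrypted HTTP, including 3xx redirects."""
    state, _ = probe_plain_http(host, port, timeout)
    return state == "plain-http"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_http_disabled.py <engine-hostname>")
    state, status = probe_plain_http(sys.argv[1])
    print(f"{sys.argv[1]}:80 -> {state}" + (f" (HTTP {status})" if status else ""))
    # Non-zero exit lets a post-upgrade job flag that the procedure was lost.
    sys.exit(1 if state == "plain-http" else 0)
```

The check deliberately covers only the web UI port; the Masking API ports that the tool leaves on regular HTTP are expected to stay open.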

Additional Information

There are other ways to disable HTTP for the Delphix Engine using just a couple of shell commands, and there are also ways to make persistent, upgrade-safe changes to the Masking Engine HTTP configuration via its properties file. These should be avoided. The method applied by the certificate_manager.sh tool provides the following benefits:

  • Each change to the HTTP configuration is added to /etc/hotfix as a reminder of changes.
  • The keystore used by the Delphix Engine is applied to the Masking Engine. They should use the same keystore and certificates.
  • Only the web UI HTTP port 80 is deactivated for the Masking Engine. API ports which must run on regular HTTP are left open. If these are closed, clustered masking could break. To meet customer security requirements, it is important that web access to HTTP be blocked without breaking functionality.
  • Not allowing the user of the tool to set their own ports is intentional. We do not allow this for the Delphix Engine. The tool enforces this for the Masking Engine as a matter of policy.
  • There is a detailed audit trail in the certicates.log
