
Fetching Masking Jobs From the Virtualization Engine Via HTTPS (KBA1457)

 


Issue

As part of securing a deployment, the virtualization engine can be configured to communicate over the encrypted and secure HTTPS protocol. 

Prerequisites

You are able to reach the Masking engine UI via HTTPS.
Optional: You have installed a custom HTTPS certificate on the Masking engine.

Applicable Delphix Versions

Major Release  All Sub Releases
6.0            6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0
5.3            5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
5.2            5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1            5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0            5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4
4.3            4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0
4.2            4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0, 4.2.5.0, 4.2.5.1
4.1            4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0

How to Fetch Masking Jobs

Accepting the Signed Certificate

To fetch and accept a signed certificate, use the sysadmin CLI on the Virtualization engine.

To do this, query the Masking engine at the appropriate port, verify that the provided certificate is the one expected, and accept it.

Note: From Delphix version 6.0.4.x, the command "service certificate" changed to "service tls caCertificate".

bdonohue@Brians-MacBook-Pro[12:15P]:~[1]$ ssh sysadmin@My_VE.dc1.delphix.com
Password:
My_VE.dc1>
My_VE.dc1> service
My_VE.dc1 service> certificate
My_VE.dc1 service certificate> ls
Operations
fetch
My_VE.dc1 service certificate> fetch
My_VE.dc1 service certificate fetch *> set host=<host of masking engine>
My_VE.dc1 service certificate fetch *> set port=<port configured for HTTPS, out of the box is 443>
My_VE.dc1 service certificate fetch *> commit
    type: X509Certificate
    name: (unset)
    accepted: false
    issuedByDN: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    issuedToDN: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    md5Fingerprint: 00ee03aed27af68254c940b3b604e152
    namespace: (unset)
    reference: X509CERTIFICATE-E94A47724B67A33087E37BAFE23D2691A8C26F60
    serialNumber: 1174249145
    sha1Fingerprint: e94a47724b67a33087e37bafe23d2691a8c26f60
    validFrom: Tue Dec 06 12:10:25 PST 2016
    validTo: Fri Dec 01 12:10:25 PST 2017
My_VE.dc1 service certificate> ls
Objects
REFERENCE                                                 ACCEPTED
X509CERTIFICATE-E94A47724B67A33087E37BAFE23D2691A8C26F60  false

Operations
fetch
My_VE.dc1 service certificate> select `X509CERTIFICATE-E94A47724B67A33087E37BAFE23D2691A8C26F60
My_VE.dc1 service certificate '`X509CERTIFICATE-E94A47724B67A33087E37BAFE23D2691A8C26F60'> ls
Properties
    type: X509Certificate
    name: (unset)
    accepted: false
    issuedByDN: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    issuedToDN: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    md5Fingerprint: 00ee03aed27af68254c940b3b604e152
    reference: X509CERTIFICATE-E94A47724B67A33087E37BAFE23D2691A8C26F60
    serialNumber: 1174249145
    sha1Fingerprint: e94a47724b67a33087e37bafe23d2691a8c26f60
    validFrom: Tue Dec 06 12:10:25 PST 2016
    validTo: Fri Dec 01 12:10:25 PST 2017

Operations
delete
accept
My_VE.dc1 service certificate '`X509CERTIFICATE-E94A47724B67A33087E37BAFE23D2691A8C26F60'> accept
My_VE.dc1 service certificate '`X509CERTIFICATE-E94A47724B67A33087E37BAFE23D2691A8C26F60' accept *> commit
My_VE.dc1 service certificate '`X509CERTIFICATE-E94A47724B67A33087E37BAFE23D2691A8C26F60'> cd ..
My_VE.dc1 service certificate> ls
Objects
REFERENCE                                                 ACCEPTED
X509CERTIFICATE-E94A47724B67A33087E37BAFE23D2691A8C26F60  true

Operations
fetch
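
One way to carry out the "verify that the provided certificate is the one expected" step before running accept, added here as an example and not part of the original article or of Delphix tooling: it compares the sha1Fingerprint printed by fetch with the fingerprint of a copy of the certificate obtained out of band from the Masking engine's administrator, and checks the validity dates. The function names and the stand-in certificate bytes are assumptions; the listing values are the ones shown in the session above.

```python
import hashlib
import re
import ssl
from datetime import datetime

# Properties as printed by "fetch" in the session above (values copied from the page).
FETCHED = """
    accepted: false
    issuedToDN: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    sha1Fingerprint: e94a47724b67a33087e37bafe23d2691a8c26f60
    validFrom: Tue Dec 06 12:10:25 PST 2016
    validTo: Fri Dec 01 12:10:25 PST 2017
"""
# Constructed stand-in for the certificate obtained out of band; not a real certificate.
TRUSTED_DER = b"constructed stand-in for DER bytes"

def parse_properties(text):
    """Collect the 'key: value' lines of a CLI listing, skipping prompts and headings."""
    pairs = (re.match(r"\s*(\w+):\s*(.*\S)\s*$", line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def sha1_fingerprint(cert):
    """SHA-1 over the DER encoding, formatted like the CLI: lowercase hex, no colons."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha1(der).hexdigest()

def parse_cli_date(value):
    """Parse 'Tue Dec 06 12:10:25 PST 2016'; the zone name is dropped, so allow a day of slack."""
    parts = value.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def review_fetched_cert(cli_text, trusted_cert, now):
    """Return findings to review before running 'accept'; an empty list means nothing was flagged."""
    props = parse_properties(cli_text)
    findings = []
    if props.get("sha1Fingerprint", "").lower() != sha1_fingerprint(trusted_cert):
        findings.append("sha1Fingerprint does not match the trusted copy")
    if not parse_cli_date(props["validFrom"]) <= now <= parse_cli_date(props["validTo"]):
        findings.append("certificate is outside its validity period")
    if "CN=Unknown" in props.get("issuedToDN", ""):
        findings.append("subject DN is a placeholder; only the fingerprint identifies it")
    return findings

if __name__ == "__main__":
    for finding in review_fetched_cert(FETCHED, TRUSTED_DER, datetime.now()):
        print("review before accept:", finding)
```

Pass the PEM text or DER bytes of the certificate exported from the Masking engine as trusted_cert; a fingerprint mismatch means the engine at that host and port presented a different certificate than the one you expected.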

 

Updating the Masking Service Config

Once the certificate has been accepted, we must also update the Masking Service Config in the virtualization engine to use the new port and to communicate only over HTTPS. To do this, log in to the CLI as delphix_admin or admin and update the port and scheme of the Service Config:

bdonohue@Brians-MacBook-Pro[12:33P]:~[2]$ ssh delphix_admin@My_VE.dc1.delphix.com
Password:
My_VE.dc1> maskingjob
My_VE.dc1 maskingjob> serviceconfig
My_VE.dc1 maskingjob serviceconfig> ls
Objects
NAME                       SERVER                    PORT  USERNAME       CREDENTIALS  SCHEME
`MASKING_SERVICE_CONFIG-1  <host of masking engine>  8282  delphix_admin  { ... }      HTTP
My_VE.dc1 maskingjob serviceconfig> select `MASKING_SERVICE_CONFIG-1
My_VE.dc1 maskingjob serviceconfig '`MASKING_SERVICE_CONFIG-1'> update
My_VE.dc1 maskingjob serviceconfig '`MASKING_SERVICE_CONFIG-1' update *> set port=<port configured for HTTPS>
My_VE.dc1 maskingjob serviceconfig '`MASKING_SERVICE_CONFIG-1' update *> set scheme=HTTPS
My_VE.dc1 maskingjob serviceconfig '`MASKING_SERVICE_CONFIG-1' update *> commit
My_VE.dc1 maskingjob serviceconfig '`MASKING_SERVICE_CONFIG-1'> cd ..
My_VE.dc1 maskingjob serviceconfig> ls
Objects
NAME                       SERVER                    PORT                         USERNAME       CREDENTIALS  SCHEME
`MASKING_SERVICE_CONFIG-1  <host of masking engine>  <port configured for HTTPS>  delphix_admin  { ... }      HTTPS

If you log into the virtualization engine, the job that fetches the Masking jobs should succeed, and the Masking jobs should be available to be assigned to the dSources.

More information about this is available at this link: Provision Masked VDBs