Configuring SSL for Migration Toolkit connections v55
Establish secure TCPS (TLS-encrypted) connections using Migration Toolkit (MTK) to ensure your data is secure and remains private during its usage, particularly when migrating sensitive information.
Perform the following configurations after Migration Toolkit is installed, but before you invoke it for a migration. The following sections outline the required configurations for Oracle or Postgres database types, regardless of whether they are a source or target in your migration.
Prerequisites
Oracle databases:
- If you are using Oracle wallet, set up Oracle Wallet and SSL certificates to enable your database server to support SSL/TLS connections.
- If you are not using Oracle wallet, ensure the machine where MTK is installed has the keytool command-line tool.
For all databases:
- If you are using a truststore, ensure you are running on JDK 11 or later to fully support the PKCS12 store type.
Oracle database configuration as source or target
Configuring TCPS (SSL/TLS)
You must configure your Migration Toolkit installation to be able to establish a secure TCPS (SSL/TLS) connection. Import the Oracle server's certificate to the machine where Migration Toolkit is installed. Since MTK runs on Java, the environment requires configuration to trust the database server's certificate.
If you are using an Oracle wallet: no pre-configuration is required here; jump to the next section.
If you are using a truststore: import the Oracle server's certificate into a Java truststore that MTK can use.
1. Locate the Oracle server certificate. Its name should be similar to this:
    ~/<computername>-certificate.crt
2. Copy the server certificate to the machine where you have Migration Toolkit installed, to a folder that Migration Toolkit has access to.
3. Rename the file extension from .crt to .pem, so the truststore can recognize it.
4. From this folder, execute the keytool command to import the certificate into a Java truststore:
    keytool -importcert \
      -alias oracle-cert \
      -file ~/<computername>-certificate.pem \
      -keystore truststore.p12 \
      -storetype PKCS12 \
      -storepass <store_password>
   Replace <store_password> with a password you want to assign to this specific truststore file.
Configuring JVM options for SSL/TLS
To enable secure SSL/TLS communication, you must define the appropriate Java Virtual Machine (JVM) options in the Migration Toolkit script.
If you are using an Oracle wallet for your SSL certificates, set the oracle.net.wallet_location JVM option to point to your Oracle wallet. For this, modify the runMTK.sh or runMTK.bat script to contain the following information:
    runJREApplication $JAVA_HEAP_SIZE \
      -Dprop=$base/etc/toolkit.properties \
      "-Doracle.net.wallet_location=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=<PATH_TO_WALLET>)))" \
      -cp $base/bin/edb-migrationtoolkit.jar:$base/lib/* \
      com.edb.MigrationToolkit "$@"
Where <PATH_TO_WALLET> is the specific path to your wallet. In runMTK.sh, the option is quoted so that the shell passes the parentheses to the JVM unchanged.
If you are using a truststore for your SSL certificates, configure the following JVM properties in your runMTK.sh or runMTK.bat script:
    runJREApplication $JAVA_HEAP_SIZE \
      -Dprop=$base/etc/toolkit.properties \
      -Djavax.net.ssl.trustStore=<PATH_TO_TRUSTSTORE> \
      -Djavax.net.ssl.trustStorePassword=<TRUSTSTORE_PASSWORD> \
      -cp $base/bin/edb-migrationtoolkit.jar:$base/lib/* \
      com.edb.MigrationToolkit "$@"
Where <PATH_TO_TRUSTSTORE> is the path to the truststore file that contains the SSL certificate, and <TRUSTSTORE_PASSWORD> is the password you assigned to the truststore file.
JDBC URL for Oracle database
To establish a secure TCPS (TLS-encrypted) connection to your Oracle database, you must set the SRC_DB_URL or TARGET_DB_URL property in the Migration Toolkit's configuration file correctly, using the following pattern.
For source Oracle databases:
SRC_DB_URL=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=<DB_HOST>)(PORT=<DB_PORT>))(CONNECT_DATA=(SERVICE_NAME=<DB_SERVICE_NAME>)))
For target Oracle databases:
TARGET_DB_URL=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=<DB_HOST>)(PORT=<DB_PORT>))(CONNECT_DATA=(SERVICE_NAME=<DB_SERVICE_NAME>)))
Postgres database configuration as source or target
Configuring the SSL connection to the server
Before invoking MTK, ensure your PostgreSQL or EDB Postgres Advanced Server is properly set up for SSL/TLS.
JDBC URL for the Postgres server
To establish a secure TCPS (TLS-encrypted) connection to your PostgreSQL or EDB Postgres Advanced Server database, you must set the SRC_DB_URL or TARGET_DB_URL property in the Migration Toolkit's configuration file correctly, using the following pattern.
For source Postgres databases:
SRC_DB_URL=jdbc:edb://<host>:<port>/<database>?ssl=true&sslmode=require
For target Postgres databases:
TARGET_DB_URL=jdbc:edb://<host>:<port>/<database>?ssl=true&sslmode=require
Note
Optional: If you want to perform server certificate verification (for example, use sslmode=verify-ca or sslmode=verify-full), you must place the server's certificate on the machine where Migration Toolkit is installed.
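A pre-flight check for the Oracle and Postgres URL patterns above, added here as an example and not part of Migration Toolkit or its documentation: it reads SRC_DB_URL and TARGET_DB_URL lines from standard input and reports whether each follows the TCPS pattern, the sslmode=require pattern, or one of the verify modes from the Note. The verdict labels and the sample host and service names are constructed for this example.

```sh
# Added example, not MTK code. Verdict labels (tcps, require, verified,
# weak, unknown) are this script's own.

# classify_url URL -> prints one verdict for a single JDBC URL
classify_url() {
  case $1 in
    jdbc:oracle:thin:@*)
      # Normalise spacing and case, then require every ADDRESS to be TCPS
      d=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
      rest=$(printf '%s' "$d" | sed 's/(PROTOCOL=TCPS)//g')
      case $d in *"(PROTOCOL=TCPS)"*) ;; *) echo weak; return ;; esac
      case $rest in *"(PROTOCOL="*) echo weak ;; *) echo tcps ;; esac ;;
    jdbc:edb://*)
      # Postgres: take the value of the sslmode query parameter, if any
      case $1 in
        *"?sslmode="*|*"&sslmode="*) mode=${1##*sslmode=}; mode=${mode%%"&"*} ;;
        *) mode= ;;
      esac
      case $mode in
        verify-ca|verify-full) echo verified ;;
        require) echo require ;;
        *) echo weak ;;  # no sslmode, or one other than the page's
      esac ;;
    *) echo unknown ;;
  esac
}

# audit_properties -> reads a properties file on stdin, prints "KEY verdict"
# for each URL property, returns 1 if any of them is weak or unknown
audit_properties() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      SRC_DB_URL=*|TARGET_DB_URL=*)
        verdict=$(classify_url "${line#*=}")
        echo "${line%%=*} $verdict"
        case $verdict in weak|unknown) rc=1 ;; esac ;;
    esac
  done
  return $rc
}

# Constructed sample input; host and service names are made up
audit_properties <<'EOF' || echo "review the URLs marked weak or unknown"
SRC_DB_URL=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ora.example.internal)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=ORCL)))
TARGET_DB_URL=jdbc:edb://pg.example.internal:5444/edb?ssl=true&sslmode=require
EOF
```

To check a real installation, redirect the properties file that runMTK.sh passes with -Dprop into audit_properties and use its exit status to decide whether to start the migration.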