Product: Syniti Data Replication, DBMoto
Version: Syniti Data Replication 9.6 and above, DBMoto 9 and above
ID: 3011
Summary: Setting up security in Syniti DR/DBMoto, then creating and managing certificates for secure authentication
Syniti Data Replication/DBMoto security is paramount when:
- Multiple users with different access needs are using the same Syniti DR/DBMoto installation
- Security risks are present because Syniti DR/DBMoto is being used in a client-server environment where data travels between a Syniti DR/DBMoto client, such as a remote Management Center, and the Syniti DR/DBMoto Server Agent. In this case, communications can be encrypted and accessed using certificates.
Multiple Users with Different Access Needs
Syniti DR/DBMoto offers two approaches to setting up security for individual Syniti DR/DBMoto accounts:
- Windows Authentication
Using existing Windows login IDs, an administrator can set up Syniti DR/DBMoto user profiles for each user, controlling access to various features of the product. This is the recommended approach unless your environment requires the additional step of certificate authentication that is offered by setting up Syniti DR/DBMoto Authentication. For more information on user profiles, see the Syniti DR/DBMoto Help.
- Syniti DR/DBMoto Authentication
An administrator establishes user IDs and passwords specific to Syniti DR/DBMoto. Syniti DR/DBMoto authentication also requires the installation of an X.509 security certificate for additional security. If you do not want to deal with generating and managing certificates, use Windows Authentication. See below for more detail regarding certificates.
If you decide to set up Syniti DR/DBMoto Authentication, first generate and install the certificate(s), then set up users in the Management Center.
In addition, it is possible to set up security using certificates (Certificate Authentication) without individual user accounts and permissions. See below for more information.
Protecting DBMoto Data Using Certificates
In cases where the Syniti DR/DBMoto Server Agent and the Syniti DR/DBMoto client application (either a remote Management Center or a custom application using the Syniti DR/DBMoto API) run on different servers over the internet, securing the communication between client and server is important. Communication crosses a firewall and messages may be redirected over open channels. For this type of Syniti DR/DBMoto environment, the recommended authentication modes are Syniti DR/DBMoto Authentication or Certificate Authentication, using the HTTP protocol to cross the firewall. Both of these authentication modes require the installation of an X.509 security certificate. See below for more detail regarding certificates.
If you decide to set up Certificate Authentication, first generate and install the certificate(s), then manage access in the Management Center.
Certificate Use in Syniti DR/DBMoto
When setting up authentication in your Syniti DR/DBMoto environment, two types of authentication require the installation of X.509 security certificates:
- Syniti DR/DBMoto Authentication, with user IDs and passwords specific to Syniti DR/DBMoto. Syniti DR/DBMoto authentication requires the installation of an X.509 security certificate on the system where the Server Agent is installed.
- Certificate Authentication, which requires the installation of an X.509 security certificate in both the client and server environments. This is typically used when a second Management Center client or a custom client application using the Syniti DR/DBMoto API is accessing Syniti DR/DBMoto over the internet.
NOTE: If you set up Syniti DR/DBMoto Authentication, or Certificate Authentication, you will not be able to use Syniti DR/DBMoto until the certificate is correctly installed. Generate and install the certificate before setting up authentication.
For security reasons, certificates should be obtained from a trusted external commercial certificate authority (CA). Most organizations are very specific about their security requirements and you should follow directions in your organization on obtaining and using certificates. However, Syniti DR/DBMoto allows you to use certificates:
- Signed by an external CA (highly recommended)
- Self-signed using any tool that can generate a certificate compatible with X.509 standards
Syniti DR/DBMoto Certificate Requirements
The certificate must be compatible with X.509 standards. The certificate's Common Name component (CN) in the Subject must be set as ‘DBMoto’.
Certificates should be placed in the Windows Trusted People certificate store on the system running Syniti DR/DBMoto, where Syniti DR/DBMoto can find and recognize them. See below for details.
Certificate Installation
The steps below are also in the Syniti DR/DBMoto Help topic "Installing a DBMoto Certificate" with screenshots of the Windows MMC tool.
Installing a Certificate for DBMoto Authentication
- On the system where the Syniti DR/DBMoto Server Agent is running, open a Microsoft Management Console (MMC) from the Windows Command tool by typing mmc.exe at the command line.
- In the MMC console, from the File menu, select Add/Remove Snap In.
- In the Add or Remove Snap-ins dialog, select Certificates in the left column.
- Click Add.
- In the Certificates Snap-in step, select Computer account.
- Click Next.
- In the Select Computer step, select Local Computer.
- Click Finish.
- Click OK in the Add or Remove Snap-ins dialog.
- In the MMC Console, expand the Certificates node under Console Root.
- Expand the Trusted People node.
- Select Certificates and, from the right mouse button menu, choose All Tasks then Import.
- In the Certificate Import Wizard, select the X.509 certificate file you generated for Syniti DR/DBMoto.
- Click Next.
- Enter the password for the certificate.
- Click Next.
- As needed, select the certificate store location.
- Click Finish to complete the wizard.
- To view the certificates installed, expand the Certificates node in the MMC and expand the Trusted People node.
Installing Certificates for Certificate Authentication
- On the system where the Syniti DR/DBMoto Server Agent is running, open a Microsoft Management Console (MMC) from the Windows Command tool by typing mmc.exe at the command line.
- In the MMC console, from the File menu, select Add/Remove Snap In.
- In the Add or Remove Snap-ins dialog, select Certificates in the left column.
- Click Add.
- In the Certificates Snap-in step, select Computer account.
- Click Next.
- In the Select Computer step, select Local Computer.
- Click Finish.
- Click OK to close the Add or Remove Snap-ins dialog.
- In the MMC Console, expand the Certificates node under Console Root.
- Expand the Trusted People node.
- Select Certificates and, from the right mouse button menu, choose All Tasks then Import.
- In the Certificate Import Wizard, select the X.509 certificate file you generated for Syniti DR/DBMoto.
- Click Next.
- Enter the password for the certificate.
- Click Next.
- As needed, select the certificate store location.
- Click Finish to complete the wizard.
- To view the installed certificate, expand the Certificates node in the MMC and expand the Trusted People node.
- On the system where the Syniti DR/DBMoto Client (Management Center or custom application) is running, open a Microsoft Management Console (MMC) from the Windows Command tool by typing mmc.exe at the command line.
- In the MMC console, from the File menu, select Add/Remove Snap In.
- In the Add or Remove Snap-ins dialog, select Certificates in the left column.
- Click Add.
- In the Certificates Snap-in step, select My user account.
- Click Finish.
- Click OK to close the Add or Remove Snap-ins dialog.
- In the MMC Console, expand the Certificates node under Console Root.
- Expand the Trusted People node.
- Select Certificates and, from the right mouse button menu, choose All Tasks then Import.
- In the Certificate Import Wizard, select the X.509 certificate file you generated for Syniti DR/DBMoto.
- Click Next.
- Enter the password for the certificate.
- Click Next.
- As needed, select the certificate store location.
- Click Finish to complete the wizard.
- To view the installed certificate, expand the Certificates node in the MMC and expand the Trusted People node.
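The two import procedures above ("Installing a Certificate for DBMoto Authentication" and "Installing Certificates for Certificate Authentication") can also be scripted. The following is an added example, not part of the original article or of Syniti's tooling: it checks the file against the CN requirement stated on this page before importing it into Trusted People. The function name, the PFX file format and the path `C:\certs\dbmoto.pfx` are assumptions.

```powershell
# Added example, not vendor code. Assumes the certificate is a password-protected
# PFX file; run elevated when the target is the LocalMachine store.
function Import-DbmotoCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        # LocalMachine = "Computer account" (Server Agent system)
        # CurrentUser  = "My user account"  (client system)
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string] $Location = 'LocalMachine'
    )

    # Read the file without touching any store, so a wrong certificate is
    # rejected before it is installed.
    $candidate = (Get-PfxData -FilePath $PfxPath -Password $Password).EndEntityCertificates |
        Select-Object -First 1
    if (-not $candidate) { throw "No end-entity certificate found in $PfxPath" }

    # Requirement from this page: the Subject CN must be 'DBMoto'.
    # The exact-case comparison is a conservative assumption.
    $cn = $candidate.GetNameInfo('SimpleName', $false)
    if ($cn -cne 'DBMoto') { throw "Subject CN is '$cn'; expected 'DBMoto'" }

    # Hygiene check added here (not a stated product requirement).
    $now = Get-Date
    if ($now -lt $candidate.NotBefore -or $now -gt $candidate.NotAfter) {
        throw "Certificate is outside its validity period ($($candidate.NotBefore) to $($candidate.NotAfter))"
    }

    # Import into Trusted People. Without -Exportable the private key cannot be
    # exported from the store again.
    $store = "Cert:\$Location\TrustedPeople"
    $imported = Import-PfxCertificate -FilePath $PfxPath -Password $Password -CertStoreLocation $store

    # Equivalent of the final "view the installed certificate" step.
    Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -in $imported.Thumbprint } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Constructed usage; C:\certs\dbmoto.pfx is a placeholder path.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Import-DbmotoCertificate -PfxPath 'C:\certs\dbmoto.pfx' -Password $pw -Location LocalMachine  # Server Agent
# Import-DbmotoCertificate -PfxPath 'C:\certs\dbmoto.pfx' -Password $pw -Location CurrentUser # client
```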
Setting Up Authentication in Syniti DR/DBMoto
After installing the certificate(s), you can set up your preferred authentication in Syniti DR/DBMoto.
- In the Management Center Metadata Explorer, select the server for which you want to set up authentication (local if using the default local server), and, from the right mouse button menu, choose Manage Users....
- In the User Settings dialog, select the type of security you want to use: Syniti DR/DBMoto Authentication or Certificate Authentication.
- Select the type of Binding Protocol to use. Choose TCP/IP for intranet environments or HTTP for situations where Syniti DR/DBMoto is being used across the Internet.
- Click Add.
At this point, the dialog checks if a valid certificate is installed under the default location (Trusted People). If a certificate is not found, a message is displayed asking you to install a certificate. If you have followed the steps above and installed a certificate, this means that the certificate does not match the Syniti DR/DBMoto requirements in some way. Submit a request in the Help Center describing how you generated/obtained the certificate.
- If using Syniti DR/DBMoto Authentication, in the dialog User Definition tab, check Syniti DR/DBMoto Authentication.
- Set up user roles and permissions. See the Help for more detail.
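When the dialog reports that no certificate was found, a read-only check of the certificate stores can narrow down the mismatch before you contact support. The following is an added example, not part of the original article or of the product: it compares installed certificates with the requirements stated on this page (CN of 'DBMoto', Trusted People store). The function name is hypothetical, and the validity-date check is an extra hygiene check rather than a documented product rule.

```powershell
# Added example, not vendor code. Read-only: it reports and changes nothing.
function Find-DbmotoCertificate {
    param(
        # Check both the computer store (Server Agent) and the user store (client).
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string[]] $Location = @('LocalMachine', 'CurrentUser')
    )
    $now = Get-Date
    foreach ($loc in $Location) {
        # Walk every store so a certificate imported into the wrong one shows up.
        $certs = Get-ChildItem -Path "Cert:\$loc" -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }

        foreach ($c in $certs) {
            $storeName = ($c.PSParentPath -split '\\')[-1]
            $cn = $c.GetNameInfo('SimpleName', $false)
            $inTrustedPeople = $storeName -eq 'TrustedPeople'
            # Report every Trusted People entry, plus anything named like
            # DBMoto (any letter case) that landed in another store.
            if (-not $inTrustedPeople -and $cn -ne 'DBMoto') { continue }

            $findings = @()
            if (-not $inTrustedPeople) { $findings += "in store '$storeName', not Trusted People" }
            if ($cn -cne 'DBMoto')     { $findings += "CN is '$cn', expected 'DBMoto'" }
            if ($c.NotBefore -gt $now) { $findings += "not valid until $($c.NotBefore)" }
            if ($c.NotAfter  -lt $now) { $findings += "expired $($c.NotAfter)" }
            if ($findings.Count -eq 0) { $findings += 'matches the stated requirements' }

            [pscustomobject]@{
                Location   = $loc
                Store      = $storeName
                CN         = $cn
                Thumbprint = $c.Thumbprint
                Findings   = $findings -join '; '
            }
        }
    }
}

Find-DbmotoCertificate | Format-Table -AutoSize -Wrap
```

An empty result means no certificate named DBMoto exists in any store for that account and Trusted People itself is empty, which usually points to an import run under a different account or on a different machine.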