While testing the DBMS_CLOUD functionality against OCI object storage on ZFS, I wanted to debug by looking at the packets sent to the web listener on my ZFS.
Unfortunately for debugging, DBMS_CLOUD requires all calls to object storage to be HTTPS, so the traffic is encrypted.
In this blog post, I will walk through the architecture I used: a Load Balancer in OCI listens on port 443 (HTTPS traffic) and forwards the requests to my ZFS on port 80 (HTTP traffic).
By doing this I was able to see all the packets going to ZFS.
You can use this same process to debug network traffic, while leaving the application interface encrypted.
Below are the steps in the OCI console, but I am not going to include the policies that need to be configured.
1) Create a vault
You can find "Create Vault" under "Identity & Security" --> "Key Management & Secret Management".
Click on "Create Vault" and all you need to do is to give the vault a name, and choose the compartment to store the vault.
Once you fill them in click on "Create Vault" to have the vault created.
2) Create a Master Encryption Key
Once the Vault is created, click on the vault name, and this will bring up the window where you can enter a Master Encryption Key to be created within the vault.
Click on "Create Key" and enter the information to create a new Key in this vault. Note that
- The key MUST be an HSM key, you cannot use a software key
- The key must be asymmetric. The default is symmetric and must be changed.
3) Create a Certificate Authority
Under "Identity & Security" --> "Certificates" you will see "Certificate Authorities". We need to create a new one.
Click on "Create Certificate Authority", and in this case we are creating a Root Certificate Authority. You need to give it a "Name" and "Description" and click on the "Next" button in the lower left corner.
Then on the next window give it a "Common Name" and click on Next.
On the next window, you must choose a "not valid before". In my case, I chose today.
Then you must enter the Vault and the Encryption key that you had created previously.
Then click on "Next".
Then set the expiry rule and click on "next". I left the defaults.
On the next window I changed "Revocation Configuration" to "skip" and I clicked on "Next".
Then on the "Summary" window I clicked on "Create Certificate Authority" to create the Certificate Authority.
4) Create a Load Balancer
This can be found under "Networking" --> "Load balancers". Click on Load Balancer.
Once here, click on the "Create Load balancer" button.
Give the load balancer a name (if you want) to make it easier to find.
You then need to scroll down to the bottom of the screen to choose your network and subnet for the Load balancer.
Once you fill these in Click on "NEXT".
After clicking on Next, I left everything defaulted. This will do a health check on the ZFS using port 80. Then I clicked on "Next" again.
In this window, I changed from HTTPS to HTTP. This allows me to create the Load Balancer without having a Certificate yet.
I left the logging off, and clicked on "Submit" to create the Load Balancer.
5) Determine the Public IP for the Load Balancer
Once the load balancer is created, I go to the list of load balancers under Networking --> Load balancers --> Load Balancer and it shows me the public IP for the Load Balancer that was created. The overall Health is showing "incomplete" since I haven't added any backend hosts yet.
6) Create the certificate
Now that I know the Public IP address (129.146.220.252) I can create a certificate for it in my Certificate Authority.
I go back to "Identity & Security" --> Certificates and click on "certificates"
I click on "Create Certificate" and I enter the name and description and Click on "next"
I give the "Common Name" my IP address so that the Certificate Name matches the URL I am going to use to connect. Then I click on "Next".
In the next window I fill in the "not valid before" and click on "next".
I leave the rules default for the certificate and click on "next"
Then when I get to the "Summary" window I click on "Create Certificate".
7) Create a Backend set for the load balancer
I now go back to Networking --> Load Balancers --> Load Balancer and choose the Load Balancer I had previously created.
On the left hand side of the window I click on "Backend Sets" to list the existing Backend sets. By default a backend set was created for me, but it has no members.
I click on the default Backend set to bring up the window to add members.
This will bring up a window showing that the backend set is "incomplete"
From here I click on "Backends(0)" on left hand side of the window.
This brings up a window with an "Add backends" button. Click on this button to bring up the window to enter backends.
In this window I entered the IP address of the ZFS HTTP interface I am using, leaving the port as 80 so that the traffic to the ZFS will be unencrypted, and clicked on "ADD" to add it to the backend list.
8) Change the Health Check to TCP
On the Backends window I used "Update Health Check" to change the health check protocol from HTTP to TCP and clicked on "Save Changes".
9) Change the Load Balancer to HTTPS
I now go back to Networking --> Load Balancers --> Load Balancer and choose the Load Balancer I had previously created.
From the left-hand side, I click on "Listeners" and then I click on "Create Listener".
In the window that comes up, I want to make this an HTTPS listener, so I change the protocol to HTTPS and choose the certificate I created in the previous step. This allows the load balancer to receive encrypted traffic with a registered certificate.
In this step, I also need to ensure it is using the Backend set I just updated. Once complete choose "Create Listener".
That's all there is to it.
Now I can access the object storage on ZFS through the load balancer's "Public IP" using DBMS_CLOUD (which is encrypted), and the load balancer passes it on to the ZFS as HTTP traffic.
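As a final check of the certificate created in step 6, here is an added example (not part of the original post) that rebuilds the same private-CA-plus-leaf chain locally with the openssl command line, which it assumes is installed, and validates the leaf for the load balancer's IP the way a TLS client would. It also shows a caveat worth knowing before pointing DBMS_CLOUD at the public IP: OpenSSL-based clients match an IP address only against the certificate's Subject Alternative Name, not the Common Name, so the certificate should carry the IP as a SAN entry.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the post's certificate
# setup locally with the openssl CLI (assumed installed) and check whether
# the leaf is valid for the load balancer IP. LB_IP is the IP from the post;
# WORK, make_chain and verify_for_ip are names chosen for this demo.
set -e
LB_IP="129.146.220.252"
WORK="${WORK:-$(mktemp -d)}"

# Private root CA (the post's step 3) signing a leaf whose CN is the IP
# (step 6). $1 decides whether the IP is also written into the SAN.
make_chain() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/ca.cnf"
  openssl x509 -req -days 30 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.cnf" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$LB_IP" \
    -keyout "$WORK/lb.key" -out "$WORK/lb.csr" 2>/dev/null
  if [ "$1" = "san" ]; then
    printf 'subjectAltName=IP:%s\n' "$LB_IP" > "$WORK/lb.cnf"
  else
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/lb.cnf"
  fi
  openssl x509 -req -days 30 -in "$WORK/lb.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/lb.cnf" \
    -out "$WORK/lb.pem" 2>/dev/null
}

# Validate the leaf the way a TLS client does: chain it to the private CA and
# match the IP the client connected to. Prints and returns ok (0) or fail (1).
verify_for_ip() {
  make_chain "$1"
  if openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$LB_IP" \
       "$WORK/lb.pem" >/dev/null 2>&1; then
    echo ok
    return 0
  fi
  echo fail
  return 1
}

verify_for_ip san            # ok: trusted chain and the IP is in the SAN
verify_for_ip nosan || true  # fail: an IP in the CN alone is not matched
```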