Shared files and the key location for standalone deployment
Hybrid Data Pipeline requires the specification of a key location during installation. For a standalone deployment, if you use the default key location, the installation program writes the shared files used in the operation of the data access service to the local keystore directory (<install_dir>/ddcloud/keystore). If you specify a different location as the key location, the installation program writes the shared files to two separate locations. The files necessary for connecting to the system database are stored in the specified location, while files tied to the Hybrid Data Pipeline server are stored in the local keystore directory (<install_dir>/ddcloud/keystore).
In a production environment, the files used to connect to the system database should be secured on a machine separate from the machines hosting the Hybrid Data Pipeline service and the system database. Therefore, a separate location should be specified for the key location.
Whether located in a single directory or two separate directories, all shared files should be backed up as a matter of best practices. In the case of system failure, these backups can be used to restore the service.
Note: During installation of the Hybrid Data Pipeline server, four configuration and certificate files are generated. These files are used in the installation of components, including the ODBC driver, the JDBC driver, and the On-Premises Connector. In a standalone node installation, the location of these files is independent of the shared location. These files are written to the <install_dir>/redist directory.
Shared files
The following files are used to connect to the system database. When the default location is used for the key location, these files are stored in the local keystore directory (<install_dir>/ddcloud/keystore). When a non-default location is used, these files are stored in the location specified during installation.
.backup: A backup copy of the contents of the install directory from the previous install. This is used to restore the contents of the directory if there is an error during an upgrade.
key: Reference to the file containing the encryption key for the Hybrid Data Pipeline database.
key00: Encryption key for the system database. This key is used to encrypt sensitive information such as data source user IDs and passwords, security tokens, access tokens, and other user or data source identifying information. If this file is not present, or was overwritten during the installation, you will not be able to decrypt any of the encrypted information in the system database.
key-cred: Encryption key for credentials contained in Hybrid Data Pipeline configuration files. Examples of credentials in the config files include the user ID and password information for the system database.
db/*: Encrypted information about the system database. The contents of these files are encrypted using the key-cred key. Used by the installer when performing an upgrade or installing on an additional node. If these are not present, or do not have valid encoding, the installation or upgrade will fail.
dddrivers/*: A directory of internally supported drivers that have been updated after a product upgrade.
drivers/*: The directory used for integrating third party drivers with Hybrid Data Pipeline.
plugins/*: JAR files for external authentication plugins.
The following files are tied to the Hybrid Data Pipeline server. They are stored in the local keystore directory (<install_dir>/ddcloud/keystore) whether or not the default key location is specified during installation.
authKey: Authentication key for the On-Premises Connector. This key is used to encrypt the user ID and password information in the On-Premises Connector configuration file. The key in this file is encrypted using a key built into the On-Premises Connector. This encrypted key is included in the OnPremise.properties configuration file distributed with the On-Premises Connector. If this is overwritten or incorrect, the On-Premises Connector will not be able to authenticate with Hybrid Data Pipeline.
ddcloud.jks: Sun SSL keystore. This keystore contains the Hybrid Data Pipeline server SSL certificate if the SSL termination is done at the Hybrid Data Pipeline server.
ddcloud.bks: Bouncy Castle SSL keystore. This keystore contains the same SSL certificate as the ddcloud.jks keystore. This keystore is in the Bouncy Castle keystore format and is used when the server is configured to run in FIPS compliant mode. Should only be present with FIPS enabled.
ddcloudTrustStore.jks: Sun SSL truststore. This truststore contains the root CA certificate needed to validate the server SSL certificate. This truststore is distributed with the On-Premises Connector and with the ODBC and JDBC drivers, allowing these components to validate the Hybrid Data Pipeline server certificate.
ddcloudTrustStore.bks: Bouncy Castle SSL truststore. Should only be present with FIPS enabled. This truststore contains the root CA certificate needed to validate the server SSL certificate in the Bouncy Castle keystore format. The Bouncy Castle SSL library does not use the default Java cacerts file, so this truststore is populated with the contents of the default cacerts file and the root certificate needed to validate the Hybrid Data Pipeline server certificate.
key-opc: Contains the unencrypted encryption key. The authKey above contains the encrypted version of this key. This key is not shipped with the On-Premises Connector.
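As an added example, not part of Hybrid Data Pipeline or its documentation, the following POSIX shell check walks the two locations described above and reports any shared file that is missing, and any Bouncy Castle keystore that is present without FIPS mode. The install directory, key location and FIPS flag are arguments; the function name and the treatment of an empty db/ directory as a problem are assumptions.

```shell
#!/bin/sh
# Added example, not part of Hybrid Data Pipeline or its documentation: checks
# that the shared files described above are present in the two locations and
# that Bouncy Castle (.bks) keystores appear only when FIPS mode is enabled.
# Usage: hdp_check_shared_files <install_dir> <key_location> <fips yes|no>
# Prints one line per problem; the return value is the number of problems.
hdp_check_shared_files() {
    install_dir=$1; key_location=$2; fips=$3
    keystore_dir="$install_dir/ddcloud/keystore"   # layout from the text
    problems=0
    # System database key material lives in the key location (which is the
    # local keystore directory when the default key location is used).
    for f in key key00 key-cred; do
        if [ ! -f "$key_location/$f" ]; then
            echo "MISSING: $key_location/$f (system database key material)"
            problems=$((problems + 1))
        fi
    done
    # db/* holds encrypted system database details that upgrades and
    # additional-node installs need; treat an absent or empty dir as missing.
    if [ ! -d "$key_location/db" ] || [ -z "$(ls -A "$key_location/db" 2>/dev/null)" ]; then
        echo "MISSING: $key_location/db/* (encrypted system database information)"
        problems=$((problems + 1))
    fi
    # Files tied to the server always live in the local keystore directory.
    for f in authKey key-opc ddcloud.jks ddcloudTrustStore.jks; do
        if [ ! -f "$keystore_dir/$f" ]; then
            echo "MISSING: $keystore_dir/$f (server key or SSL keystore)"
            problems=$((problems + 1))
        fi
    done
    # .bks keystores are required with FIPS enabled and unexpected without it.
    for f in ddcloud.bks ddcloudTrustStore.bks; do
        if [ "$fips" = yes ] && [ ! -f "$keystore_dir/$f" ]; then
            echo "MISSING: $keystore_dir/$f (required in FIPS mode)"
            problems=$((problems + 1))
        elif [ "$fips" != yes ] && [ -f "$keystore_dir/$f" ]; then
            echo "UNEXPECTED: $keystore_dir/$f (FIPS keystore with FIPS disabled)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
# When run as a script with arguments, check the given deployment.
if [ "$#" -ge 2 ]; then
    hdp_check_shared_files "$1" "$2" "${3:-no}"
fi
```

Running it against both directories before taking the backups recommended above confirms that the backup will actually contain every file needed to restore the service.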