Version: 1.18.1

Configuring the Hive Migrator service

The Hive Migrator service is responsible for migrating metadata and communication between agents.

Find details here for configuring the Hive Migrator service.

Security#

Basic authentication#

important

When basic authentication is enabled on Hive Migrator, update the LiveData UI with the credentials to maintain functionality.

Edit application.yaml#

Follow these steps to enable basic authentication on the Hive Migrator REST API:

  1. Open /etc/wandisco/hivemigrator/application.yaml.

  2. In the security section, ensure enabled: is set to "true". For example:

    Ensure the enabled parameter is true
    micronaut:
      security:
        enabled: true
  3. Save and close the file.

Edit hive-migrator.yaml#

Apply these steps if basic authentication is enabled on the LiveData Migrator REST API.

  1. Open /etc/wandisco/hivemigrator/hive-migrator.yaml.

  2. In the LiveDataMigrator block, add username and password. Both credentials should match those used for LiveData Migrator core.

    Example
    integration:
      liveDataMigrator:
        port: 18080
        useSsl: false
        username: "admin"
        password: "password"
  3. Add the username and password properties to the integration section.

    Don't indent: these are top-level properties. Use your LiveData Migrator username so you only need to authenticate once when connecting with the CLI.

    The password string needs to be encrypted using a bcrypt generator that provides a "2a" prefix at the beginning of the encrypted password.

    Example
    integration:
      liveDataMigrator:
        port: 18080
        useSsl: false
        username: "admin"
        password: "password"
    storagePath: /opt/wandisco/hivemigrator/hivemigrator.db
    username: "admin"
    password: "$2a$10$3gc/9QTnGQQj51e0YRAK.OAplbj4A9S4sx7rRpMSOSpb5UrLW2p/."
  4. Restart the Hive Migrator service to enable the new configuration:

    service hivemigrator restart
    tip

    The username and password values can be changed without having to restart the Hive Migrator service. They will become active when you save the file.
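One way to check the result of step 3 before restarting the service, as an added example that is not part of the product or its documentation: the function name and verdict strings are assumptions, and the sample file is constructed from the example values shown above.

```shell
#!/bin/sh
# Added example (not vendor code): confirm that the top-level password in
# hive-migrator.yaml is a bcrypt hash carrying the "2a" prefix.

# check_hm_password FILE
# Prints a verdict; returns 0 = ok, 1 = wrong format, 2 = no top-level password.
check_hm_password() {
    # Top-level keys start in column 0, so the indented liveDataMigrator
    # password (plain text in the page's example) is not matched here.
    value=$(sed -n 's/^password:[[:space:]]*//p' "$1" | head -n 1)
    value=$(printf '%s' "$value" | tr -d "\"'[:space:]")
    if [ -z "$value" ]; then
        echo "missing: no top-level password property"; return 2
    fi
    # bcrypt layout: $2a$ + two-digit cost + $ + 53 chars (22 salt, 31 hash)
    if printf '%s\n' "$value" | grep -Eq '^\$2a\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
        echo "ok: bcrypt hash with 2a prefix"; return 0
    fi
    case $value in
        '$2'[bxy]'$'*) echo "wrong prefix: re-hash with a generator that emits 2a" ;;
        *)             echo "not bcrypt: value looks like plain text" ;;
    esac
    return 1
}

# Constructed sample file reusing the example values from the steps above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
integration:
  liveDataMigrator:
    port: 18080
    useSsl: false
    username: "admin"
    password: "password"
storagePath: /opt/wandisco/hivemigrator/hivemigrator.db
username: "admin"
password: "$2a$10$3gc/9QTnGQQj51e0YRAK.OAplbj4A9S4sx7rRpMSOSpb5UrLW2p/."
EOF
check_hm_password "$sample"
```

On a real host, pass /etc/wandisco/hivemigrator/hive-migrator.yaml as the argument.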

Connect to Hive Migrator with basic authentication#

note

Follow these steps if you used different credentials for LiveData Migrator and Hive Migrator, or if basic authentication isn't enabled on LiveData Migrator.

If you have used the same credentials for both services, this step isn't required.

When basic authentication is enabled, enter the username and password when prompted to connect to Hive Migrator with the CLI:

Example
  connect hivemigrator localhost: trying to connect...
  Username: admin
  Password: ***********
  Connected to hivemigrator v1.2.1-428 on http://localhost:6780.

The username and password will also be required when accessing the HiveMigrator REST API directly.

TLS certificates#

When deploying a remote agent (for example, Azure SQL or AWS Glue), a TLS connection is established by default between Hive Migrator and the remote agent.

Certificates (and keys) are automatically generated for this connection for both Hive Migrator and the remote agent. These are placed in the following directories:

HiveMigrator - Client and Root CA certificates
/etc/wandisco/hivemigrator/client-key.pem
/etc/wandisco/hivemigrator/client-cert.pem
/etc/wandisco/hivemigrator/ca-cert.pem
/etc/wandisco/hivemigrator/ca-key.pem
/etc/wandisco/hivemigrator/ca-cert.srl

Remote agent - Server and Root CA certificates
/etc/wandisco/hivemigrator-remote-server/server-key.pem
/etc/wandisco/hivemigrator-remote-server/server-cert.pem
/etc/wandisco/hivemigrator-remote-server/ca-cert.pem

You can generate new certificates at any time or upload your own.

Generate new certificates#

important

Generate new certificates for Hive Migrator and all remote agents that are connected.

Generating certificates for just one of these components breaks existing connections.

Generate new certificates and keys by using the following Hive Migrator REST API endpoints:

Hive Migrator
POST /config/certificates/generate
Remote agent
POST /agents/{name}/certificates/generate

The remote agent service restarts automatically when you generate new certificates this way. You don't need to restart the Hive Migrator service to use the new certificates.

SSL authentication and encryption#

We support SSL for remote agents. SSL for remote agents is enabled by default. To use SSL for authentication and encryption, complete the following steps:

  1. Enable SSL by manually setting the following parameter value: sslEnabled = true in the configuration file application.yaml for Hive Migrator and for the Hive Migrator remote agent.

    agentType: HIVE
    remoteAgentConfig:
      host: host
      port: 5052
      sslEnabled: true
  2. Generate self-signed certificates for Hive Migrator as the client and Hive Migrator remote agent as the server.
    Use the following file names:

    ca-cert.pem,client-cert.pem,client-key.pem,server-cert.pem,server-key.pem
  3. Copy the following files to the Hive Migrator directory /etc/wandisco/hivemigrator/:

    • ca-cert.pem
    • client-cert.pem
    • client-key.pem
  4. Copy the following files to the Hive Migrator remote server directory /etc/wandisco/hivemigrator-remote-server:

    • ca-cert.pem
    • server-cert.pem
    • server-key.pem
  5. Restart the service for the Hive Migrator remote server by running the command:

    service hivemigrator-remote-server restart

Configure a truststore#

View and update the truststore used by LiveData Migrator through the REST API.

View a truststore#

View the existing truststore parameters with a GET query sent to /config/ldm.

For example:

Example
curl http://localhost:6780/config/ldm/

Update a truststore#

Change the existing truststore parameters with a POST query sent to /config/ldm.

For example:

Example
curl -X POST http://localhost:6780/config/ldm -H 'Content-Type: application/json' -d '{ "port":911,"useSsl":"true","username":"name@host.domain","password":"examplepassword1532","trust-store":{"path":"/ssl/path","password":"keypassword","type":"JKS"}}'

Using default truststore/keystore with generated certificates#

To use SSL for authentication and encryption, complete the following steps:

  1. Generate self-signed certificates, assigning Hive Migrator as the client and the Hive Migrator remote agent as the server.

    Use the following file names:

    ca-cert.pem,client-cert.pem,client-key.pem,server-cert.pem,server-key.pem
  2. Copy the following files to the Hive Migrator directory /etc/wandisco/hivemigrator/:

    • ca-cert.pem
    • client-cert.pem
    • client-key.pem
  3. Copy the following files to the Hive Migrator remote server directory /etc/wandisco/hivemigrator-remote-server:

    • ca-cert.pem
    • server-cert.pem
    • server-key.pem
  4. Restart the service for the Hive Migrator remote server by running the command:

    service hivemigrator-remote-server restart
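The certificate generation step, which both this procedure and the "SSL authentication and encryption" steps leave to the reader, shown with OpenSSL as an added example that is not vendor tooling. It creates a private (self-signed) root CA that signs the client and server certificates under the file names listed above, then checks the chain and key pairing; the subject names, RSA-2048 keys, 365-day lifetime and the host name agent.example.internal are assumptions.

```shell
#!/bin/sh
# Added example, not vendor tooling. Assumptions: subject names, RSA-2048,
# the lifetime, and the agent host name placed in the server SAN.

# gen_hm_certs DIR SERVER_HOST [DAYS]: private CA plus client and server certs.
gen_hm_certs() (
    dir=$1; host=$2; days=${3:-365}
    umask 077                       # key files are created owner-only
    mkdir -p "$dir" && cd "$dir" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=example-hivemigrator-ca" \
        -keyout ca-key.pem -out ca-cert.pem 2>/dev/null || exit 1
    for role in client server; do
        printf 'basicConstraints=CA:FALSE\n' > "$role.ext"
        if [ "$role" = server ]; then
            # TLS clients compare the agent's host name with the SAN.
            printf 'subjectAltName=DNS:%s\n' "$host" >> "$role.ext"
        fi
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$role" \
            -keyout "$role-key.pem" -out "$role.csr" 2>/dev/null || exit 1
        openssl x509 -req -in "$role.csr" -CA ca-cert.pem -CAkey ca-key.pem \
            -CAcreateserial -days "$days" -extfile "$role.ext" \
            -out "$role-cert.pem" 2>/dev/null || exit 1
        rm -f "$role.csr" "$role.ext"
    done
)

# check_hm_certs DIR: returns 0 only if both leaf certificates chain to
# ca-cert.pem and each private key matches its certificate.
check_hm_certs() (
    cd "$1" || exit 1
    for role in client server; do
        openssl verify -CAfile ca-cert.pem "$role-cert.pem" >/dev/null 2>&1 || exit 1
        cert_pub=$(openssl x509 -in "$role-cert.pem" -noout -pubkey)
        key_pub=$(openssl pkey -in "$role-key.pem" -pubout 2>/dev/null)
        [ "$cert_pub" = "$key_pub" ] || exit 1
    done
)

workdir=$(mktemp -d)
gen_hm_certs "$workdir" agent.example.internal && check_hm_certs "$workdir" \
    && echo "certificates in $workdir verify against the CA"
# ca-key.pem is not in either copy list above; keep it off the agent host.
```

Running check_hm_certs against each target directory's files after copying catches a mismatched CA or key before the restart.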

Using a custom truststore (CLI)#

Use the following steps to create a custom truststore in the CLI. This will secure connections between Hive Migrator and LiveData Migrator.

  1. Create a new truststore for the CLI containing the certificates for LiveData Migrator and HiveMigrator.

  2. Create a new vars.env file for the LiveData Migrator CLI.

    vi /opt/wandisco/livedata-migrator-cli/vars.env
  3. Add the following line to the vars.env file:

    LIVEDATA_MIGRATOR_OPTS="-Djavax.net.ssl.trustStore=/path/to/trust/store -Djavax.net.ssl.trustStorePassword=password"
  4. Save the change.

  5. Open /opt/wandisco/livedata-migrator-cli/bin/livedata-migrator in a text editor.

  6. Add the line: source /opt/wandisco/livedata-migrator-cli/vars.env.

    For example:

    Example edit
    #!/usr/bin/env sh
    ##############################################################################
    ##
    ##  livedata-migrator start up script for UN*X
    ##
    ##############################################################################
    source /opt/wandisco/livedata-migrator-cli/vars.env
    # Attempt to set APP_HOME
    important

    After you upgrade LiveData Migrator, check the change is still in place and reapply it if necessary.

  7. Run the CLI.

    livedata-migrator

Using a custom truststore (UI)#

The default SSL keystore configuration for the LiveData UI is stored in /etc/wandisco/ui/application-prod.properties:

server.ssl.port=8443
server.ssl.enabled=true
server.ssl.key-store=/etc/wandisco/ui/tls/keystore.p12
server.ssl.key-store-password=password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=livedata-ui

note

If you define a custom keystore using these configuration parameters, the truststore will still default to the one in the JAVA home directory.

For more information, see Transport Layer Security (TLS).

Use the following steps to enter a custom truststore:

  1. Open /etc/wandisco/ui/vars.env in a text editor.

  2. Add the following line:

    LDUI_EXTRA_JVM_ARGS="-Djavax.net.ssl.trustStore=/etc/wandisco/ui/tls/keystore.p12 -Djavax.net.ssl.trustStorePassword=password"

    This LiveData UI extra JAVA argument adds the following:

    • -Djavax.net.ssl.trustStore - Path to the custom truststore file.
    • -Djavax.net.ssl.trustStorePassword - The custom truststore password.
  3. Save the change.

  4. Restart the Hive Migrator service using the command:

    service hivemigrator restart

Upload your own certificates#

important

Make sure the correct certificates and keys are uploaded for Hive Migrator and all remote agents that are connected.

Existing connections will break if the trust relationship isn't established between Hive Migrator and remote agents.

Upload certificates and keys by using the following Hive Migrator REST API endpoints:

Hive Migrator
POST /config/certificates/upload
Remote agent
POST /agents/{name}/certificates/upload

The remote agent service restarts automatically when new certificates are uploaded this way. The Hive Migrator service doesn't require a restart to start using new certificates.

Directory structure#

The following directories are used for Hive Migrator:

Location                          Content
/var/log/wandisco/hivemigrator    Logs
/etc/wandisco/hivemigrator        Configuration files
/opt/wandisco/hivemigrator        Java archive files
/var/run/hivemigrator             Runtime files

Remote servers#

The following directories are used for Hive Migrator remote servers (remote agents):

Location                                        Content
/var/log/wandisco/hivemigrator-remote-server    Logs
/etc/wandisco/hivemigrator-remote-server        Configuration files
/opt/wandisco/hivemigrator-remote-server        Java archive files
/var/run/hivemigrator-remote-server             Runtime files