Secured path over reverse proxy with GoldenGate MA

From: Rich J <rich242j_at_gmail.com>
Date: Thu, 30 Mar 2023 08:50:09 -0500
Message-ID: <CAANsBX2RR0Zce_ML-MCCqip-104S5ZnpbRW1UW-oYst8XfBt0A_at_mail.gmail.com>



Hey all,

I'm doing a PoC of GoldenGate MA 21.3 with two installations. Despite the confusing/incorrect documentation at https://docs.oracle.com/en/middleware/goldengate/core/21.3/ggmas/configure-deployment.html (partially corrected in MOS 2789070.1), I have a secured test setup done, with a secured path between the "local" distribution service and the "remote" receiver service using a certificate over wss. I also have an nginx reverse proxy for the GG services.

But now I'm trying to use nginx between the source distribution and the target receiver as well, to get all traffic over port 443. Instead of using a self-signed cert for nginx, which doesn't contain the proper host name, I created a cert on the target server and signed it with a local CA I created. Similar to the steps outlined at https://docs.oracle.com/en/middleware/goldengate/core/21.3/ggmas/configure-deployment.html#GUID-F2702C52-E284-4487-BCB8-4A168E2A1F6A, I've added the cert to the client on the source along with the root cert in the CA area, attempting both what is listed in the docs as well as the MOS article above. My floundering attempts produce an OGG-08515/OGG-10390 when starting the path over the reverse proxy.

The doc also mentions that the correct wallet to add the certs to for the distribution service is listed in the deploymentConfiguration.dat file under etc/conf in the deployment home, but my file does not list that, even with a working (secured?) path that does not use the reverse proxy.

I'm obviously doing something wrong. But even the docs don't know where to go, as there are several "unresolvable-reference.html" links in the doc ("#unique" in the PDF), which is super helpful.

Thoughts?

Thanks,
Rich

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Mar 30 2023 - 15:50:09 CEST
