This appendix has information on setting up and communicating with a secured Oracle 12c R1 database server based on the following assumptions:
Client authentication is not needed.
The Oracle wallet is used as a trust store on the database server.
SSL encryption for Oracle JDBC has been supported in the JDBC-OCI driver since Oracle JDBC 9.2.x, and is supported in the THIN driver starting in 10.2. SSL authentication has been supported in the JDBC-OCI driver since Oracle JDBC 9.2.x. The THIN driver supports Oracle Advanced Security SSL implementation in Oracle Database 12c Release 1 (12.1).
For more information, see the following web sites:
Note the following information:
If you want to have a user interface, run the server administration console.
The wallet you create must support Auto Login; enable Auto Login on the new wallet.
The following are the wallet directory defaults:
For UNIX—/etc/ORACLE/WALLETS/<username>
For Windows—%USERPROFILE%\ORACLE\WALLETS
Test server wallet information:
Wallet password: <user-supplied password>
Wallet directory: /u00/example/test
When generating a self-signed certificate, note the following:
Do not use keytool to create a certificate for using Oracle wallets. They are incompatible.
Two wallets are needed to generate a self-signed certificate. One wallet is needed to sign the certificate and another wallet is needed to use the certificate.
For command line wallet access, use orapki.
For instructions on generating a self-signed certificate, see the following document:
The following are examples of orapki commands:
To create the wallet:
orapki wallet create -wallet <wallet directory>
To add the self-signed certificate:
orapki wallet add -wallet <wallet directory> -dn "CN=<certificate name>,C=US" -keysize 2048 -self_signed -validity 3650
To view the wallet:
orapki wallet display -wallet <wallet directory>
Before running the application installer, the root certificate must be imported into the Key Store. For more information, see Appendix E.
The Wallet Manager UI can also be used to import certificates.
The listener.ora, tnsnames.ora, and sqlnet.ora files are found in the <ORACLE_HOME>/network/admin directory. If the sqlnet.ora file does not exist, you need to create it.
To secure the listener on the server:
Add TCPS protocol to the listener.ora file.
Add TCPS protocol to the tnsnames.ora file.
Add the Oracle Wallet location to the sqlnet.ora and listener.ora files.
Disable client authentication in the sqlnet.ora and listener.ora files.
Add encryption-only cipher suites to the sqlnet.ora file.
Bounce the listener once the file is updated.
Examples of the following network configuration files are shown in this section:
listener.ora:

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = dvols48)
      (ORACLE_HOME = /u00/example/product/12.1.0.1)
      (SID_NAME = dvols48)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = dvols36)
      (ORACLE_HOME = /u00/example/product/12.1.0.1)
      (SID_NAME = dvols36)
    )
    (SID_DESC =
      (PROGRAM = extproc)
      (SID_NAME = extproc)
      (ORACLE_HOME = /u00/example/product/12.1.0.1)
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u00/example/test)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = hostname.us.oracle.com)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = hostname.us.oracle.com)(PORT = 2484))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = extproc_key_1521))
    )
  )

ADR_BASE_LISTENER = /u00/example
SUBSCRIBE_FOR_NODE_DOWN_EVENT_LISTENER = OFF
INBOUND_CONNECT_TIMEOUT_SECURE_LISTENER = 300
CONNECT_TIMEOUT_SECURE_LISTENER = 60
Caution: To generate a trace log, add the following entries to the listener.ora file:
TRACE_LEVEL_LISTENER = ADMIN
TRACE_DIRECTORY_LISTENER = /u01/example/12c/network/trace
TRACE_FILE_LISTENER = listener.trc
sqlnet.ora:

SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u00/example/test)
    )
  )
DIAG_ADR_ENABLED = OFF
tnsnames.ora:

dvols48 =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = tcp)(host = hostname.us.example.com)(Port = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = dvols48)
    )
  )

dvols48_secure =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(host = hostname.us.example.com)(Port = 2484))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = dvols48)
    )
    (SECURITY =
      (MY_WALLET_DIRECTORY = /u00/example/test)
    )
  )
Caution: Ensure you are using ojdbc.jar version 10.2.x or later. Version 10.1.x or earlier will not connect over TCPS.
To secure client access:
Export the self-signed certificate from the server Oracle Wallet and import it into a local trust store.
Use the following URL format for the JDBC connection:
jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS= (PROTOCOL=tcps) (HOST=10.0.0.0) (PORT=2484) ) (CONNECT_DATA= (SERVICE_NAME=SECURDB12C)))
The database connection call requires the following properties to be set, either as system properties or JDBC connection properties:
Property | Value
---|---
oracle.net.ssl_cipher_suites | (TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5)
javax.net.ssl.trustStore | Path and file name of the trust store, for example /DevTools/Testing/Secure12c/truststore/truststore
javax.net.ssl.trustStoreType | JKS
javax.net.ssl.trustStorePassword | Password for the trust store
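The server steps above (TCPS endpoint, wallet location, client authentication off, cipher suites in sqlnet.ora) and the client-side URL and property table can be checked mechanically. The following Python script is an added example for this appendix, not part of the Oracle documentation or of the Oracle Retail applications: it parses the parenthesised Oracle Net syntax shared by listener.ora, sqlnet.ora, tnsnames.ora and the thin JDBC URL, then reports which of the settings described above are missing. The file contents, URL and property values are constructed inline from the appendix's own examples (the trust store password is left out on purpose so the audit has something to report); parse_ora, audit_server and audit_client are names chosen for this example.

```python
# Added example, not Oracle's code: parse the parenthesised Oracle Net syntax and
# report which TCPS settings from this appendix are missing. The sample data below
# is constructed from the appendix's own listener.ora, sqlnet.ora and JDBC examples.
import re

_TOKEN = re.compile(r"[()=]|[^()=\s]+")


def parse_ora(text):
    """'KEY = (A = 1)(B = (C = 2))' -> nested dicts, keys upper-cased. A repeated key
    collects a list; a group without '=' such as (BEQ, TCPS) becomes a list of strings;
    a bare top-level group (as in a thin JDBC URL) is merged into the root."""
    toks, pos = _TOKEN.findall(re.sub(r"#.*", "", text)), 0   # strip .ora comments

    def put(node, key, val):                  # repeated key -> list of values
        old = node.get(key)
        node[key] = val if old is None else (old if isinstance(old, list) else [old]) + [val]

    def pair():                               # KEY = value
        nonlocal pos
        if toks[pos + 1:pos + 2] != ["="]:
            raise ValueError(f"expected '=' after {toks[pos]!r}")
        key, pos = toks[pos].upper(), pos + 2
        return key, value()

    def value():
        nonlocal pos
        if toks[pos] != "(":                  # scalar: FALSE, 2484, /u00/example/test
            pos += 1
            return toks[pos - 1]
        if toks[pos + 2:pos + 3] != ["="]:    # list literal: (BEQ, TCPS)
            end = toks.index(")", pos)
            items = [t.rstrip(",").upper() for t in toks[pos + 1:end]]
            pos = end + 1
            return items
        node = {}
        while pos < len(toks) and toks[pos] == "(":   # run of sibling (K = V) groups
            pos += 1
            k, v = pair()
            pos += 1                          # the group's closing ')'
            put(node, k, v)
        return node

    root = {}
    while pos < len(toks):
        for k, v in ([pair()] if toks[pos] != "(" else value().items()):
            put(root, k, v)
    return root


def _protocols(node):
    """Upper-cased PROTOCOL of every ADDRESS group anywhere below node."""
    found = set()
    if isinstance(node, dict):
        for key, val in node.items():
            for item in (val if isinstance(val, list) else [val]):
                if key == "ADDRESS" and isinstance(item, dict):
                    found.add(str(item.get("PROTOCOL", "")).upper())
                else:
                    found |= _protocols(item)
    return found


def audit_server(listener_text, sqlnet_text):
    """Server steps: TCPS endpoint, wallet location, client authentication off, cipher suites."""
    lsnr, sqlnet, findings = parse_ora(listener_text), parse_ora(sqlnet_text), []
    if "TCPS" not in _protocols(lsnr.get("LISTENER", {})):
        findings.append("listener.ora: LISTENER has no TCPS address")
    for name, cfg in (("listener.ora", lsnr), ("sqlnet.ora", sqlnet)):
        wallet = cfg.get("WALLET_LOCATION", {}).get("SOURCE", {}).get("METHOD_DATA", {})
        if not isinstance(wallet, dict) or "DIRECTORY" not in wallet:
            findings.append(f"{name}: WALLET_LOCATION directory not set")
        if str(cfg.get("SSL_CLIENT_AUTHENTICATION", "")).upper() != "FALSE":
            findings.append(f"{name}: SSL_CLIENT_AUTHENTICATION is not FALSE")
    if "SSL_CIPHER_SUITES" not in sqlnet:
        findings.append("sqlnet.ora: SSL_CIPHER_SUITES not set (encryption-only suites expected)")
    return findings


def audit_client(url, props):
    """Client side: TCPS-only JDBC URL plus the four connection properties listed above."""
    findings = []
    desc = parse_ora(url.split("@", 1)[1]) if url.startswith("jdbc:oracle:thin:@(") else {}
    protos = _protocols(desc)
    if protos != {"TCPS"}:
        findings.append(f"JDBC URL: expected only TCPS addresses, found {sorted(protos)}")
    for key in ("oracle.net.ssl_cipher_suites", "javax.net.ssl.trustStore",
                "javax.net.ssl.trustStoreType", "javax.net.ssl.trustStorePassword"):
        if key not in props:
            findings.append(f"JDBC properties: {key} not set")
    return findings


LISTENER_ORA = """SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u00/example/test)))
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = hostname.us.oracle.com)(PORT = 1521)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = hostname.us.oracle.com)(PORT = 2484)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = extproc_key_1521))))"""
SQLNET_ORA = """SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u00/example/test)))"""
JDBC_URL = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.0)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SECURDB12C)))"
JDBC_PROPS = {"oracle.net.ssl_cipher_suites": "(TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5)",
              "javax.net.ssl.trustStore": "/DevTools/Testing/Secure12c/truststore/truststore",
              "javax.net.ssl.trustStoreType": "JKS"}   # trustStorePassword left out on purpose
```

Import the module and call audit_server and audit_client with the text of the real files and the properties the application will pass; each returns a list of findings, empty when the configuration matches the steps above, so the check can run as part of a deployment script. On the appendix's own examples it reports that the sqlnet.ora sample carries no SSL_CIPHER_SUITES entry although step 5 asks for one, and that the trust store password property was not supplied.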
This section has specific configuration information for each application.
To configure Oracle Retail Point-of-Service:
Configure the database server by following the steps in the preceding sections.
Copy the ojdbc6.jar file from the database server and replace it in the pos library.
Note: The ojdbc6.jar file that comes with the 12.1.0.1 version of the database supports the TCPS protocol.
Update the connection pool that is defined in the following files:
server/pos/config/DefaultDataTechnician.xml
server/pos/config/EnterpriseDataTechnician.xml
Complete the following steps for either application.
As a client, the application server machine needs to have the trusted certificate added to a local trust store. Follow the previous instructions for exporting the known certificate and importing it to a local trust store.
This is not required as the Release 14.1 Oracle Retail Stores applications use Diffie-Hellman anonymous authentication. With Diffie-Hellman anonymous authentication, neither the server nor the client will be authenticated.
To edit the data source definition in data-sources.xml:
Navigate to domain, services, jdbc, datasources, configuration, and then connection pool.
Update the URL to use the expanded Oracle format, for example:
jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS= (PROTOCOL=tcps) (HOST=10.0.0.0) (PORT=2484) ) (CONNECT_DATA= (SERVICE_NAME=SECURDB12C)))
Add the SSL JDBC properties. The following example shows part of the data-sources.xml file.
Update the properties:
User=MyUserName
DatabaseName=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.0)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SECURDB12C)))
oracle.net.ssl_cipher_suites=(TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5)