Configuring OFSAA and various Web Application Servers with Oracle Wallet

The following are the details to configure OFSAA and various Web Application Servers with Oracle Wallet:
  1. Import all the Wallet Certificates from the Oracle Database and Oracle Database Client into the JDK cacert store:
    1. Log in as a UNIX user with the permissions required to modify the Java cacerts file.
    2. Execute the following command to add the Wallet Certificates to the JDK store of the JRE used in the OFSAA Processing Server:

      /usr/java/jdk1.8.0_161/bin/keytool -importcert -trustcacerts -alias sslorclserver \
        -file <locationofservercerts>/server_certs/dbsrvhostname-certificate.crt \
        -keystore /usr/java/jdk1.8.0_161/jre/lib/security/cacerts -storepass changeit

      /usr/java/jdk1.8.0_161/bin/keytool -importcert -trustcacerts -alias ssloraclclient \
        -file <locationofclientcerts>/client_certs/dbclthostname-certificate.crt \
        -keystore /usr/java/jdk1.8.0_161/jre/lib/security/cacerts -storepass changeit

      /usr/java/jdk1.8.0_161/bin/keytool -importcert -trustcacerts -alias sslorclcdb \
        -file <locationofservercerts>/server_certs/dbsrvhostname-certificate_xdb.crt \
        -keystore /usr/java/jdk1.8.0_161/jre/lib/security/cacerts -storepass changeit

    Note:

    For information on creating the certificates, contact your Database Administrator (DBA).

    The alias names – sslorclcdb, ssloraclclient, and sslorclserver – are reference names only; you can choose any other names.

  2. Login to the OFSAA Processing Tier with the same user credentials with which the OFSAA processes run.
  3. Verify the location of the wallet in the sqlnet.ora file, found in $TNS_ADMIN (usually ORACLE_HOME/network/admin). This file might have entries in the following format:

    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /scratch/ssldbtest/clientwallet)
        )
      )

    SQLNET.WALLET_OVERRIDE = TRUE
    SSL_CLIENT_AUTHENTICATION = FALSE
    SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

  4. Modify the TNS entries in the tnsnames.ora file so that the database is reached over the secured protocol (TCPS), for example:

    DBAAIB =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = dbsrvhostname.in.oracle.com)(PORT = 2484))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = DBAAIB)
        )
        (security = (ssl_server_cert_dn = "CN=dbsrvhostname"))
      )

    dbtyofsaaatm =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = dbsrvhostname.in.oracle.com)(PORT = 2484))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = DBAAIB)
        )
        (security = (ssl_server_cert_dn = "CN=dbsrvhostname"))
      )

    CONFIG =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = dbsrvhostname.in.oracle.com)(PORT = 2484))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = DBAAIB)
        )
        (security = (ssl_server_cert_dn = "CN=dbsrvhostname"))
      )

    SYS =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = dbsrvhostname.in.oracle.com)(PORT = 2484))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = DBAAIB)
        )
        (security = (ssl_server_cert_dn = "CN=dbsrvhostname"))
      )

  5. Enable Java Security Provider as Oracle PKI Provider statically on machines hosting OFSAA and the Web Application Servers, by performing the following step:
  6. Connect to the OFSAA database and modify the existing JDBC connect string value in the following columns:
    • Update the JDBC_CONN_STR values in the AAI_DB_PROPERTY and DB_MASTER tables from the Configuration Schema as shown in the following example:

      Syntax: jdbc:oracle:thin:@<tns entry DBserver points to tcps>

      Example: jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = dbsrvhostname.in.oracle.com)(PORT = 2484)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME=DBAAIB)) (security=(ssl_server_cert_dn=CN=dbsrvhostname)))

    • Update V_PRMVALUE for the parameter V_PRMVKEY=DEFAULT_CONNECTION_URL in the table AAI_DYN_SVCS_PARAMS.
  7. Modify DEFAULT_CONNECTION_URL in the $FIC_HOME/conf/DynamicServices.xml file from the Configuration Schema as follows:
    Syntax: jdbc:oracle:thin:@<tns entry DBServer points to tcps>
    Example: jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = dbsrvhostname.in.oracle.com)(PORT = 2484)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = DBAAIB)) (security=(ssl_server_cert_dn=CN=dbsrvhostname)))
  8. Add or modify the environment variables wallet_loc and X_ARGS_GEN in the .profile of the OFSAA user and the web server user. Add the -Doracle.net.tns_admin, -Doracle.net.ssl_server_dn_match, -Djavax.net.ssl.trustStoreType, -Djavax.net.ssl.trustStore, -Doracle.net.ssl_version and -Doracle.net.wallet_location options as given below (each export on its own line, so the assignment is made in the current shell before it is exported):
    wallet_loc="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/scratch/ssldbtest/clientwallet)))"
    export wallet_loc
    X_ARGS_GEN="-Doracle.net.tns_admin=$TNS_ADMIN -Doracle.net.wallet_location=$wallet_loc -Doracle.net.ssl_server_dn_match=true -Djavax.net.ssl.trustStoreType=SSO -Djavax.net.ssl.trustStore=cwallet.sso -Doracle.net.ssl_version=1.2"
    export X_ARGS_GEN
  9. Update the variables so that the X_ARGS_GEN value is appended to X_ARGS_APP and the other X_ARGS properties in the .profile of the OFSAA user, as shown below:
    X_ARGS_APP="-Xms200m -Xmx8g -XX:+UseAdaptiveSizePolicy -XX:MaxPermSize=1024M -XX:+UseParallelOldGC -XX:+DisableExplicitGC $X_ARGS_GEN"
    export X_ARGS_APP
    X_ARGS_OBJMIG="-Xms256m -Xmx512m -XX:+UseAdaptiveSizePolicy -XX:MaxPermSize=1024M -XX:+UseParallelOldGC -XX:+DisableExplicitGC $X_ARGS_GEN"
    export X_ARGS_OBJMIG
    X_ARGS_RLEXE="-Xms512m -Xmx1024m -XX:+UseAdaptiveSizePolicy -XX:MaxPermSize=1024M -XX:+UseParallelOldGC -XX:+DisableExplicitGC $X_ARGS_GEN"
    export X_ARGS_RLEXE
    X_ARGS_RNEXE="-Xms256m -Xmx512m -XX:+UseAdaptiveSizePolicy -XX:MaxPermSize=1024M -XX:+UseParallelOldGC -XX:+DisableExplicitGC $X_ARGS_GEN"
    export X_ARGS_RNEXE
    X_ARGS_WSEXE="-Xms256m -Xmx512m -XX:+UseAdaptiveSizePolicy -XX:MaxPermSize=1024M -XX:+UseParallelOldGC -XX:+DisableExplicitGC $X_ARGS_GEN"
    export X_ARGS_WSEXE
  10. Execute the .profile and restart OFSAA Services.
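As an added post-configuration check (example code, not part of the OFSAA documentation or its tooling), the following POSIX shell functions verify that the X_ARGS_GEN value from step 8 and the JDBC connect strings from steps 6 and 7 actually enforce TCPS with server DN matching, catching the common downgrade mistakes (plain TCP, ssl_server_dn_match=false, a missing ssl_server_cert_dn). The function names and the sample values in the comments are constructed for this example.

```shell
#!/bin/sh
# Post-configuration sanity check (added example, not OFSAA's own tooling).
# check_x_args_gen: verify that the JVM options placed in X_ARGS_GEN carry
# every TLS-related property from step 8 with the hardened values (DN matching
# on, TLS 1.2, SSO wallet as trust store). Prints each missing or weakened
# item and returns 1 if any check fails.
check_x_args_gen() {
  _args="$1"
  _rc=0
  for _req in \
      '-Doracle.net.tns_admin=' \
      '-Doracle.net.wallet_location=' \
      '-Doracle.net.ssl_server_dn_match=true' \
      '-Djavax.net.ssl.trustStoreType=SSO' \
      '-Djavax.net.ssl.trustStore=' \
      '-Doracle.net.ssl_version=1.2'; do
    case "$_args" in
      *"$_req"*) ;;
      *) echo "MISSING or weak: $_req"; _rc=1 ;;
    esac
  done
  return $_rc
}

# check_jdbc_url: verify that a JDBC thin connect string (the JDBC_CONN_STR or
# DEFAULT_CONNECTION_URL value) uses TCPS and pins the server certificate DN.
# Whitespace is stripped first so "(PROTOCOL = TCPS)" and "(PROTOCOL=TCPS)"
# are treated alike. Returns 1 if either requirement is missing.
check_jdbc_url() {
  _url=$(printf '%s' "$1" | tr -d ' ')
  _rc=0
  case "$_url" in
    *"(PROTOCOL=TCPS)"*) ;;
    *) echo "FAIL: connect string does not use PROTOCOL=TCPS"; _rc=1 ;;
  esac
  case "$_url" in
    *"(security=(ssl_server_cert_dn="*) ;;
    *) echo "FAIL: no ssl_server_cert_dn in the security clause"; _rc=1 ;;
  esac
  return $_rc
}

# Typical use on the OFSAA processing tier after sourcing the updated .profile
# (constructed usage; substitute the connect string copied from DB_MASTER):
#   . ~/.profile && check_x_args_gen "$X_ARGS_GEN"
#   check_jdbc_url 'jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)...'
```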