SSL Connection Over JDBC for Oracle
Create Certificate
The steps demonstrated here are performed on Linux machine. The same steps are applicable for Windows machine.
Navigate to the home directory and create a directory. For this demonstration, we will create a directory named Wallets.
cd /home/oracle/ mkdir WalletsCreate a certificate and self-sign it.
cd Wallets/Server -------- orapki wallet create -wallet ./server_wallet -auto_login -pwd changeit orapki wallet add -wallet ./server_wallet -dn "CN=server" -keysize 1024 -self_signed -validity 365 -pwd server@123 orapki wallet display -wallet ./server_wallet orapki wallet export -wallet ./server_wallet -dn "CN=server" -cert ./server_wallet/cert.txt orapki wallet display -wallet ./server_walletConfigure the database to use TCP with the server key.
Configure the
listener.orafile.a. Launch the Net manager tool using cmd netmgr.
b. Expand Local > Listeners and click the Listener directory.
c. Click Add Address and select TCP/IP with SSL as the protocol. Enter hostname (IP address) of the machine and port (default port is 2484).
d. Click File > Save Network Configuration.
Configure the
sqlnet.orafile.a. Click Profile. From the drop-down list select Network Security.
b. Select SSL and select server from the options.
c. In the Wallet directory field, browse to the wallet path.
The Revocation Check should be set to None, required SSL version should be Any, and the Require Client Authentication check-box should not be selected.
d. Click File > Save Network Configuration.
Configure the
tnsnames.orafile.a. Click Service Naming.
b. Click on Edit and then click Create to generate a new service.
c. Specify NET Service Name as orcl/pdb1
d. Select TCP/IP with SSL as the protocol. Specify Service Name as orclssl.
e. In the hostname field, specify IP address of the machine.
f. Enter Port Number as 2484.
g. Click File > Save Network Configuration.
h. Click File > Exit.
Restart the listener.
lsnrctl stop lsnrctl startAdd certificate to the keystore.
Login to keystore as a root user. You can login through putty.
a. Press
cto enter config mode.b. Run the following command.
pdb upload ssl certificateWhen prompted, upload the cert.txt file.
Open the keystore and add connection using the following details:
a. Protocol: SSL,
b. Port: 2484
c: SID/Service Name: orcl/orsclssl
Upload Certificate
The CA certificate can be uploaded either using REST interface or the CipherTrust Manager's GUI.
CipherTrust Manager's UI
Log on to the CipherTrust Manager GUI.
Click Database Protection to open the application. The Databases screen displays the list of existing database connections, if any.
In the left pane, click Database Certificates and enter the following details.
Field Description Name Unique name for certificate. Certificate Content of the cert.txtfile in .PEM format.Click Upload.
The SSL setup is complete. You can now create database connection over SSL.
CipherTrust Manager's Rest interface
Open the CipherTrust Manager URL in a browser. The login page is displayed.
On the login page, click the API & CLI Documentation link. The API playground is displayed in the right.
Click Authenticate.
Enter username, password, domain, and click POST. The default domain is
root.In the left pane, click CDP > Database.
Click Upload - post. The Upload - post section is displayed on the right.
In the body field, paste the CA certificate in the
.pemformat as shown below.{ "name":"myCertCh", "cert":"-----BEGIN CERTIFICATE-----\nMIIBkDCB+gIBADANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZzZXJ2ZXIwHhcNMTkwNzMwMDQy\nODUyWhcNMjAwNzI5MDQyODUyWjARMQ8wDQYDVQQDEwZzZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQAD\ngY0AMIGJAoGBAMPJ9L0IanR5XxajKiLjEns2geFzYjCdOpIcqiHTH78D7N1nIm/XMWTbo7Bebi0V\nrirWM1LUakhHxUSV9L+nb1IMaAuk01/pmJaSbU8EPzcmujWoA66gKg2K0phExoT1RQ+QE+6pLBPl\nftSB8VLNiPcXx4GMQcUq9Kiw4CMmozvBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAjxmFBnkkxp1K\n2gkDsfvz5Uq7bGvXwdO8M/j5Ryz812f4pzyCXbb8p4rkf9l27WJAJ6Ero9U07K7Rd8NqBJmReobq\nDcPQnp2y4dzsPI7/oMHfk69DkGIa4PHhEYcXWz37L33CBrxnASpqM6yc/thjARt73Ejs80foBkAf\nOG6//Cs=\n-----END CERTIFICATE-----" }Click POST.
Select SSL
On the Oracle Database Configuration page, select the Protocol as SSL.
