Sunday 27 May 2012

Configure SSL in FMW DataSource

A few days back I was looking into how to enable SSL in the datasource and the database. I didn't find any good document with step-by-step instructions; however, at last I was able to configure it successfully after reading a whitepaper at http://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf.

NOTE: SSL cannot be configured in the XE database. In this blog I mention the paths as per my system; you need to configure yours accordingly.

Enabling SSL in DB:

First create a directory under C:\shrik\Oracle\Database\product\11.2.0\dbhome_1\BIN\owm\wallets\test where I'll place ewallet.p12.

orapki wallet create -wallet C:\shrik\Oracle\Database\product\11.2.0\dbhome_1\BIN\owm\wallets\Shreekanta -auto_login

[screenshot]

That will create ewallet.p12. Open Oracle Wallet Manager (OWM) and open the wallet,

[screenshot]

Here we just need to add a certificate request,

[screenshots]

Now basically you need to export the CSR and submit it to a CA.

[screenshot]

For my case I've used a free CA available on the net at http://www.getacert.com/signacert.html. Upon submitting the CSR it gives back the CA cert and a test cert, so here is my directory structure [refer http://shrikworld.blogspot.in/2011/07/securing-soa-11g-environment.html],

[screenshot]

Now we need to import the CA cert into the trust store of the wallet and the test cert into the certificate branch, like below,

[screenshots]

After that the wallet should show the cert as Ready; save and exit.

[screenshot]

Now we need to modify the following files accordingly (the SSL-specific lines are the TCPS address, WALLET_LOCATION and SSL_CLIENT_AUTHENTICATION):

listener.ora

# listener.ora Network Configuration File: C:\shrik\Oracle\Database\product\11.2.0\dbhome_1\network\admin\listener.ora
# Generated by Oracle configuration tools.

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = C:\shrik\Oracle\Database\product\11.2.0\dbhome_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:C:\shrik\Oracle\Database\product\11.2.0\dbhome_1\bin\oraclr11.dll")
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
      # Added for SSL: the TCPS endpoint the datasource will connect to
      (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2490))
    )
  )

ADR_BASE_LISTENER = C:\shrik\Oracle\Database

# Added for SSL: the wallet created above; the listener presents the certificate stored in it
WALLET_LOCATION = (SOURCE = (METHOD=file) (METHOD_DATA=(DIRECTORY=C:\shrik\Oracle\Database\product\11.2.0\dbhome_1\BIN\owm\wallets\Shreekanta)))
SSL_CLIENT_AUTHENTICATION=FALSE

tnsnames.ora

# tnsnames.ora Network Configuration File: C:\shrik\Oracle\Database\product\11.2.0\dbhome_1\network\admin\tnsnames.ora
# Generated by Oracle configuration tools.

LISTENER_ORCL =
  (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))

ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (CONNECT_DATA =
      (SID = CLRExtProc)
      (PRESENTATION = RO)
    )
  )

ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )

# Added for SSL: an alias that uses TCPS and checks the server certificate's DN
SSL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2490))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = orcl)
    )
    (SECURITY=(SSL_SERVER_CERT_DN="CN=test,C=IN"))
  )

sqlnet.ora

# sqlnet.ora Network Configuration File: C:\shrik\Oracle\Database\product\11.2.0\dbhome_1\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS,NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

# Added for SSL: same wallet as in listener.ora
WALLET_LOCATION = (SOURCE = (METHOD=file) (METHOD_DATA=(DIRECTORY=C:\shrik\Oracle\Database\product\11.2.0\dbhome_1\BIN\owm\wallets\Shreekanta)))
SSL_CLIENT_AUTHENTICATION=FALSE

Then restart the DB and the listener; your database is now SSL enabled over TCPS.

Configuring SSL in DataSource of FMW:

Add the certs that you generated in the above steps to the WebLogic trust store [please refer http://shrikworld.blogspot.in/2011/07/securing-soa-11g-environment.html].

Restart the WebLogic server. Go to the datasource, click on Connection Pool, and set the URL as below,

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost)(PORT=2490)))(CONNECT_DATA=(SERVICE_NAME=orcl))(SECURITY=(SSL_SERVER_CERT_DN="CN=test,C=IN")))

In the Properties section add the properties below (with the values for your environment) and test,

javax.net.ssl.trustStorePassword=Password
user=DEV_MDS
javax.net.ssl.trustStore=C:\shrik\Oracle\fmw11.1.1.5\wlserver_10.3\server\lib\shrikTrust.jks
javax.net.ssl.trustStoreType=JKS

Test the same.

Now the datasource is SSL enabled.
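As an added example (not code from the original post or from Oracle), here is a stand-alone JDBC thin client that reproduces the datasource settings above outside WebLogic, so the trust store, the TCPS listener and the DN check can be verified one at a time. It uses the URL, trust-store path, trust-store password and user from the post as placeholders for your own values; the class name and the three check functions are mine. It also sets oracle.net.ssl_server_dn_match, a documented thin-driver connection property that is not in the post: without it the SSL_SERVER_CERT_DN in the URL is not enforced, and since the free CA used above will sign a certificate for anyone who asks, matching the DN is what ties the connection to your database server rather than to any holder of a certificate from that CA.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Collections;
import java.util.Properties;

/*
 * Added example, not from the original post: a stand-alone JDBC thin client that
 * reaches the TCPS endpoint configured above with the same trust-store settings
 * the WebLogic datasource uses. Paths, DN, user and trust-store password are the
 * values from the post; replace them with your own.
 */
public class TcpsConnectionCheck {

    // Identical to the datasource URL in the post.
    static final String URL =
          "jdbc:oracle:thin:@(DESCRIPTION="
        + "(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost)(PORT=2490)))"
        + "(CONNECT_DATA=(SERVICE_NAME=orcl))"
        + "(SECURITY=(SSL_SERVER_CERT_DN=\"CN=test,C=IN\")))";

    static final String TRUST_STORE =
        "C:\\shrik\\Oracle\\fmw11.1.1.5\\wlserver_10.3\\server\\lib\\shrikTrust.jks";
    static final String TRUST_STORE_PASSWORD = "Password";   // value from the post, not a recommendation

    /*
     * Check 1: the JKS must actually hold the CA certificate that signed the server
     * certificate. Prints every trusted-certificate entry and returns how many there
     * are, so a "PKIX path building failed" on connect can be told apart from a wrong
     * path or password in the datasource properties.
     */
    static int listTrustedCertificates() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_STORE)) {
            ks.load(in, TRUST_STORE_PASSWORD.toCharArray());
        }
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println("trusted entry '" + alias + "': " + cert.getSubjectX500Principal()
                    + " (issuer " + cert.getIssuerX500Principal() + ")");
            count++;
        }
        return count;
    }

    /* Check 2: the same connection properties as the datasource, plus DN matching. */
    static Properties connectionProperties(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        p.setProperty("javax.net.ssl.trustStoreType", "JKS");
        p.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);
        // Documented thin-driver property: unless it is "true", the SSL_SERVER_CERT_DN
        // in the URL is not enforced. The handshake still requires the server certificate
        // to chain to a CA in the trust store, but any certificate from that CA would
        // then be accepted, not only the one issued to our database server.
        p.setProperty("oracle.net.ssl_server_dn_match", "true");
        return p;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TcpsConnectionCheck <DEV_MDS password>");
            System.exit(2);
        }
        if (listTrustedCertificates() == 0) {
            System.err.println("trust store has no certificate entries: import the CA cert first");
            System.exit(1);
        }
        // Check 3: ask the database which protocol the session really arrived on;
        // USERENV's NETWORK_PROTOCOL reports "tcps" only when the session is over SSL.
        try (Connection conn = DriverManager.getConnection(URL, connectionProperties("DEV_MDS", args[0]));
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM dual")) {
            rs.next();
            System.out.println("session network protocol: " + rs.getString(1));
        }
    }
}
```

Compile and run it with the ojdbc6.jar from the WebLogic installation on the classpath (the JDBC 4 driver registers itself, so no Class.forName is needed). If check 1 shows no entries, the datasource would fail with a certificate-path error regardless of the URL; if check 3 prints tcp instead of tcps, the connection went to the plain listener port and the URL is wrong. The DN in SSL_SERVER_CERT_DN must match the subject of the certificate you imported into the wallet exactly, including the attribute order.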