How-To Configure and Use Oracle JDBC Driver SSL with Oracle WebLogic Server

April 2009
Pas Apicella and Frances Zhao

Introduction

Secure Sockets Layer (SSL) is an industry standard protocol for securing network connections. SSL uses RSA public key cryptography in conjunction with symmetric key cryptography to provide authentication, encryption, and data integrity.

By using Oracle Advanced Security SSL functionality to secure communications between JDBC Thin clients and servers, you can:

  • Encrypt the connection between clients and servers.
  • Authenticate the network client tier: the Database server only accepts connections from clients, such as Oracle Application Server, which have a certificate signed by a trusted authority. Any connection attempt from a client tier or an application that the Database doesn’t trust will fail.
  • Authenticate the Database tier: the JDBC Thin driver can be configured to validate the Database’s certificate. If it hasn’t been signed by a trusted authority, the connection will fail. From the application standpoint, you have proof that the Database can be trusted.
  • Use SSL as an authentication service on the server (starting in 11.1.0.6 for the JDBC Thin driver): the Database user, as opposed to the network client tier, is authenticated through SSL. In this case each Database user has their own certificate.

The following how-to is an example of a JDBC/THIN SSL setup using the 11.1.0.6 JDBC driver against an 11.1.0.6 Oracle Database Server. It creates a self-signed Oracle wallet for the server and the client and then uses the client wallet to create a data source with Oracle WebLogic 10.3. In this example we used OraclePKI to create our keys and generate certificates.

What you should know

  • You should be familiar with these products: Oracle Database JDBC Driver, Oracle WebLogic Server

How to Configure and Use Oracle JDBC Driver SSL with Oracle WebLogic Server

Create the wallets

For an example of how to create the server/client keys and certificates see the following Metalink note.

                                 
Article-ID:         Note 762286.1
                                
                                   
Title:              End To End Examples of using SSL With Oracle's JDBC THIN Driver

Setup WebLogic to use JDBC/THIN with SSL

1. First, copy over the required Oracle JAR files for SSL. Those JAR files are shown below. In this example we place them in our domain directory within a sub directory called "oraclelibs".

[oracle@papicell-au2 /u01/bea103/user_projects/domains/jdbcssl/oraclelibs]$ d
total 2868
-rw-r--r--   1 oracle oinstall  473050 Apr 27  2007 osdt_core.jar
-rw-r--r--   1 oracle oinstall  260444 Apr 27  2007 osdt_cert.jar
-rw-r--r--   1 oracle oinstall  158342 Sep 20  2007 oraclepki.jar
-rw-r--r--   1 oracle oinstall 1988051 Aug 28 18:16 ojdbc6.jar
drwxr-xr-x  11 oracle oinstall    4096 Feb 11 11:27 ../
drwxr-xr-x   2 oracle oinstall    4096 Feb 11 11:29 ./
[oracle@papicell-au2 /u01/bea103/user_projects/domains/jdbcssl/oraclelibs]

2. Add the JAR files to the domain's classpath by editing the file setDomainEnv.sh

# SET THE CLASSPATH

CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WEBLOGIC_CLASSPATH}${CLASSPATHSEP}\
${POST_CLASSPATH}${CLASSPATHSEP}${WLP_POST_CLASSPATH}\
:/u01/bea103/user_projects/domains/jdbcssl/oraclelibs/oraclepki.jar\
:/u01/bea103/user_projects/domains/jdbcssl/oraclelibs/osdt_core.jar\
:/u01/bea103/user_projects/domains/jdbcssl/oraclelibs/osdt_cert.jar"
export CLASSPATH

Note: We don't add ojdbc6.jar as it ships with Oracle WebLogic 10.3 out of the box.

3. Copy the client/server wallets over to the domain home. In this demo we only require the client wallet.

[oracle@papicell-au2 /u01/bea103/user_projects/domains/jdbcssl/wallets]$ ls -lRt
.:
total 16
drwxr-xr-x  2 oracle oinstall 4096 Jan 16 17:17 client
drwxr-xr-x  2 oracle oinstall 4096 Jan 16 16:43 server

./client:
total 40
-rw-------  1 oracle oinstall 9116 Jan 16 17:22 cwallet.sso
-rw-------  1 oracle oinstall 9088 Jan 16 17:22 ewallet.p12
-rw-------  1 oracle oinstall  414 Jan 16 17:17 client_ca.cert

./server:
total 40
-rw-------  1 oracle oinstall 9140 Jan 16 17:21 cwallet.sso
-rw-------  1 oracle oinstall 9112 Jan 16 17:21 ewallet.p12
-rw-------  1 oracle oinstall  438 Jan 16 16:43 server_ca.cert
[oracle@papicell-au2 /u01/bea103/user_projects/domains/jdbcssl/wallets]$

4. Create a WebLogic Startup class as follows

package pas.au.wls;

import weblogic.common.T3StartupDef;
import weblogic.common.T3ServicesDef;
import java.util.Hashtable;
import java.security.Security;
import oracle.security.pki.OraclePKIProvider;

public class JDBCStartupClass implements T3StartupDef
{
  // Called by WebLogic when the startup class runs (before application
  // deployments when that option is selected in the console, see step 17).
  public String startup(String name, Hashtable ht)
  {
    // instantiate OraclePKIProvider and put it into provider slot #3 so the
    // JDBC driver can read the PKCS12 wallet used as the trust store
    Security.insertProviderAt(new OraclePKIProvider(), 3);
    System.out.println("JDBCSSLSetup startup class: OraclePKIProvider has been successfully instantiated");

    return name;
  }

  // Required by T3StartupDef; nothing is needed here
  public void setServices(T3ServicesDef serv)
  {
  }
}

5. Create a JAR file containing the class above, which we will add to the classpath. You can use the ZIP file below, which contains a JAR file that can be used here; it will work on any WebLogic server that requires the use of OraclePKI.

wls103startup.zip

6. Add the JAR file extracted from the ZIP file to your domain's classpath by editing setDomainEnv.sh

# SET THE CLASSPATH

CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WEBLOGIC_CLASSPATH}${CLASSPATHSEP}\
${POST_CLASSPATH}${CLASSPATHSEP}${WLP_POST_CLASSPATH}\
:/u01/bea103/user_projects/domains/jdbcssl/oraclelibs/oraclepki.jar\
:/u01/bea103/user_projects/domains/jdbcssl/oraclelibs/osdt_core.jar\
:/u01/bea103/user_projects/domains/jdbcssl/oraclelibs/osdt_cert.jar\
:/u01/bea103/user_projects/domains/jdbcssl/wls103startup.jar"
export CLASSPATH

7. Log into console as follows

http://<server>:<port>/console

8. Navigate within the "Domain Structure" window on the left-hand side to "Environment" -> "Startup & Shutdown Classes"
9. Click the New button
10. Ensure that the radio option "Startup Class" is selected and click next
11. Specify the following Startup Class Properties

Name - Oracle JDBC Startup Class
Class Name - pas.au.wls.JDBCStartupClass

12. Click Next
13. Target this to your managed server and also to the "AdminServer". In our case our managed server is called "apple", as shown below. We target the AdminServer as well because the JDBC resources are created when WebLogic starts, which requires the Oracle PKI provider to be enabled, and the startup class does that for us.

IMG1

14. Click Next
15. Click Finish
16. Edit your new Startup class
17. Select the checkbox "Run Before Application Deployments" to ensure this startup class runs before any services are created. This ensures the connection pool can be created without a runtime error at container startup.
18. Press the "Save" button

At this point you should stop WebLogic and start it up again as shown. As you can see, our startup class runs successfully, as it will for both the AdminServer and our managed server "apple". You should see the message "JDBCSSLSetup startup class: OraclePKIProvider has been successfully instantiated" when either the AdminServer or the managed server "apple" starts up.

[oracle@papicell-au2 /u01/bea103/user_projects/domains/jdbcssl/bin]$ ./startWebLogic.sh
.
.
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=48m  -XX:MaxPermSize=128m
.
WLS Start Mode=Development
.
CLASSPATH=:/u01/bea103/patch_wlw1030/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/bea103/patch_wls1030/profiles/default/
sys_manifest_classpath/weblogic_patch.jar:/u01/bea103/patch_jdev1111/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/bea103/
patch_cie660/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/bea103/jdk160_05/lib/tools.jar:/u01/bea103/wlserver_10.3/server/lib/
weblogic_sp.jar:/u01/bea103/wlserver_10.3/server/lib/weblogic.jar:/u01/bea103/modules/features/weblogic.server.modules_10.3.0.0.jar:/u01/bea103/
wlserver_10.3/server/lib/webservices.jar:/u01/bea103/modules/org.apache.ant_1.6.5/lib/ant-all.jar:/u01/bea103/modules/net.sf.antcontrib_1.0.0.0_1-0b2/lib/
ant-contrib.jar::/u01/bea103/wlserver_10.3/common/eval/pointbase/lib/pbclient57.jar:/u01/bea103/wlserver_10.3/server/lib/xqrl.jar:/u01/bea103/user_projects/
domains/jdbcssl/oraclelibs/oraclepki.jar:/u01/bea103/user_projects/domains/jdbcssl/oraclelibs/osdt_core.jar:/u01/bea103/user_projects/domains/jdbcssl/
oraclelibs/osdt_cert.jar:/u01/bea103/user_projects/domains/jdbcssl/wls103startup.jar:
.
PATH=/u01/bea103/wlserver_10.3/server/bin:/u01/bea103/modules/org.apache.ant_1.6.5/bin:/u01/bea103/jdk160_05/jre/bin:/u01/bea103/jdk160_05/bin:/
u01/bea103/jrockit_160_05/bin:/home/oracle/bin:/home/oracle/pas/scripts:/home/oracle/bin:/bin:/OPatch:/home/oracle/pas/scripts:/usr/kerberos/bin:/usr/local/
bin:/bin:/usr/bin:/usr/X11R6/bin
.
***************************************************
*  To start WebLogic Server, use a username and   *
*  password assigned to an admin-level user.  For *
*  server administration, use the WebLogic Server *
*  console at http://hostname:port/console        *
***************************************************
starting weblogic with Java version:
java version "1.6.0_05"
Java(TM) SE Runtime Environment (build 1.6.0_05-b13)
Java HotSpot(TM) Client VM (build 10.0-b19, mixed mode)
Starting WLS with line:
/u01/bea103/jdk160_05/bin/java -client   -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=48m  -XX:MaxPermSize=128m  -Xverify:none
-da -Dplatform.home=/u01/bea103/wlserver_10.3 -Dwls.home=/u01/bea103/wlserver_10.3/server -Dweblogic.home=/u01/bea103/wlserver_10.3/server 
-Dweblogic.management.discover=true  -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/u01/bea103/
patch_wlw1030/profiles/default/sysext_manifest_classpath:/u01/bea103/patch_wls1030/profiles/default/sysext_manifest_classpath:/u01/bea103/
patch_jdev1111/profiles/default/sysext_manifest_classpath:/u01/bea103/patch_cie660/profiles/default/sysext_manifest_classpath -Dweblogic.Name=
AdminServer -Djava.security.policy=/u01/bea103/wlserver_10.3/server/lib/weblogic.policy   weblogic.Server
<Feb 11, 2009 7:45:27 PM EST> <Notice> <WebLogicServer> <BEA-000395> <Following extensions directory contents added to the end of the classpath:
/u01/bea103/patch_wls1030/profiles/default/sysext_manifest_classpath/weblogic_ext_patch.jar>
<Feb 11, 2009 7:45:27 PM EST> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version
10.0-b19 from Sun Microsystems Inc.>
<Feb 11, 2009 7:45:28 PM EST> <Info> <Management> <BEA-141107> <Version: WebLogic Server Temporary Patch for CR380042 Thu Sep 11
13:33:40 PDT 2008
WebLogic Server Temporary Patch for 7372756 Fri Sep 12 17:05:44 EDT 2008
WebLogic Server Temporary Patch for CR381265 Wed Oct 08 10:15:58 PDT 2008
WebLogic Server Temporary Patch for CR380913 Wed Oct 15 13:24:22 PDT 2008
WebLogic Server Temporary Patch for CR381739 Tue Oct 21 14:06:14 IST 2008
WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 >
<Feb 11, 2009 7:45:30 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Feb 11, 2009 7:45:30 PM EST> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Feb 11, 2009 7:45:30 PM EST> <Notice> <Log Management> <BEA-170019> <The server log file /u01/bea103/user_projects/domains/jdbcssl/servers/
AdminServer/logs/AdminServer.log is opened. All server side log events will be written to this file.>
<Feb 11, 2009 7:45:33 PM EST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
JDBCSSLSetup startup class: OraclePKIProvider has been successfully instantiated
<Feb 11, 2009 7:45:34 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Feb 11, 2009 7:45:34 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic
Service successfully.>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias
DemoIdentity from the jks keystore file /u01/bea103/wlserver_10.3/server/lib/DemoIdentity.jks.>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /u01/bea103/wlserver_10.3/
server/lib/DemoTrust.jks.>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /u01/bea103/jdk160_05/
jre/lib/security/cacerts.>
<Feb 11, 2009 7:45:35 PM EST> <Warning> <Server> <BEA-002611> <Hostname "localhost.localdomain", maps to multiple IP addresses: 10.187.80.136,
127.0.0.1>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.187.80.136:7002 for protocols iiops,
t3s, ldaps, https.>
<Feb 11, 2009 7:45:35 PM EST> <Warning> <Server> <BEA-002611> <Hostname "papicell-au2.au.oracle.com", maps to multiple IP addresses:
10.187.80.136, 127.0.0.1>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.187.80.136:7001 for protocols iiop, t3,
ldap, snmp, http.>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on 127.0.0.1:7002 for protocols iiops,
t3s, ldaps, https.>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap,
snmp, http.>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "AdminServer" for domain "jdbcssl"
running in Development Mode>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Feb 11, 2009 7:45:35 PM EST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>

Create the data source

1. Log into console as follows

http://<server>:<port>/console

2. Navigate to "Services" -> "JDBC" -> "Data Sources"
3. Click new
4. Enter in details as shown below.

IMG2

5. Click next
6. Click next
7. Enter in database connection details, and click next
8. At this point we want to make sure we connect using TCPS, which we do by altering the URL as shown below.

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=beast.au.oracle.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=linux11g)))

9. Enter the following JDBC driver properties, along with the property for the current user

user=scott
javax.net.ssl.trustStore=/u01/bea103/user_projects/domains/jdbcssl/wallets/client/ewallet.p12
javax.net.ssl.trustStoreType=PKCS12
javax.net.ssl.trustStorePassword=myclient123

10. Click Next
11. Target this to your managed server in this case "apple".
12. Click Finish
13. Click on the data source "jdbc/scottSSLDS"
14. Click on the tab "Connection Pool"
15. Scroll down to the bottom of the page and click the "Advanced" link to expand it.
16. Check the option "Test Connections On Reserve".
17. Press the Save button
18. Click on the "Monitoring" tab
19. Click on the "Testing" tab
20. Select the server the data source is targeted for, in our case "apple"
21. Press the "Test Data Source" button
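The same three ingredients the WebLogic setup relies on (the OraclePKIProvider registration done by the startup class, the PKCS12 client wallet as trust store, and the TCPS connect descriptor) can be exercised outside WebLogic to confirm the wallets work before the data source is tested. The following stand-alone client is an added example, not code from the original how-to; it assumes the host, port, service name, wallet path and wallet password shown above, the four JAR files from step 1 on the classpath, and the database password for scott passed as the first command-line argument (a placeholder, not part of the how-to).

```java
import java.security.Security;
import java.sql.*;
import java.util.Properties;
import oracle.security.pki.OraclePKIProvider;

public class JdbcSslCheck {
    // Connect descriptor from step 8 of the data source section (TCPS on port 2484).
    static final String URL =
        "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=beast.au.oracle.com)"
        + "(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=linux11g)))";

    // The driver properties the data source carries in step 9. The database
    // password is supplied at run time (placeholder, not part of the how-to).
    static Properties sslProperties(String password) {
        Properties p = new Properties();
        p.setProperty("user", "scott");
        p.setProperty("password", password);
        p.setProperty("javax.net.ssl.trustStore",
            "/u01/bea103/user_projects/domains/jdbcssl/wallets/client/ewallet.p12");
        p.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
        p.setProperty("javax.net.ssl.trustStorePassword", "myclient123");
        return p;
    }

    // Ask the server which protocol this session arrived on; "tcps" confirms that
    // the connection really went over SSL and not plain TCP.
    static String sessionProtocol(Connection c) throws SQLException {
        Statement st = c.createStatement();
        try {
            ResultSet rs = st.executeQuery(
                "SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM DUAL");
            rs.next();
            return rs.getString(1);
        } finally {
            st.close();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Same provider registration the WebLogic startup class performs (slot 3),
        // needed so the JDBC driver can open the PKCS12 wallet as a trust store.
        Security.insertProviderAt(new OraclePKIProvider(), 3);
        Connection c = DriverManager.getConnection(URL, sslProperties(args[0]));
        try {
            String proto = sessionProtocol(c);
            if (!"tcps".equalsIgnoreCase(proto)) {
                throw new IllegalStateException("expected tcps, session reports " + proto);
            }
            System.out.println("JDBC/THIN SSL connection verified, protocol=" + proto);
        } finally {
            c.close();
        }
    }
}
```

If the wallet, trust store type or provider slot is wrong, the failure surfaces here as an SSL handshake exception from the driver rather than as a pool creation error at WebLogic startup.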

Verify that you have successfully set up the data source to use JDBC/THIN with SSL.

IMG3