Pas Apicella and Frances Zhao
Secure Sockets Layer (SSL) is an industry standard protocol for securing network connections. SSL uses RSA public key cryptography in conjunction with symmetric key cryptography to provide authentication, encryption, and data integrity.
By using Oracle Advanced Security SSL functionality to secure communications between JDBC Thin clients and servers, you can:
The following how-to is an example of a JDBC/THIN SSL setup using the 220.127.116.11 JDBC driver against an 18.104.22.168 Oracle Database Server. It demonstrates creating a self-signed Oracle wallet for the server and client, and then using these to create a data source with Oracle WebLogic 10.3. In this example, we used OraclePKI to create our keys to generate certificates.
For an example of how to create the server/client keys and certificates, see the following Metalink note.
Article-ID: Note 762286.1
Title: End To End Examples of using SSL With Oracle's JDBC THIN Driver
1. First, copy over the required Oracle JAR files for SSL. Those JAR files are shown below. In this example we place them in our domain directory within a subdirectory called "oraclelibs".
[oracle@@papicell-au2 /u01/bea103/user_projects/domains/jdbcssl/oraclelibs]$ d
2. Add the JAR files to the domain's classpath. Edit the file setDomainEnv.sh
# SET THE CLASSPATH
Note: We don't add ojdbc6.jar as that comes with Oracle WebLogic 10.3 out of the box.
3. Copy the client/server wallets over to the domain home. In this demo we only require the client wallets.
[oracle@@papicell-au2 /u01/bea103/user_projects/domains/jdbcssl/wallets]$ ls -lRt
4. Create a WebLogic Startup class as follows
5. Create a JAR file which we will add to the classpath. You can use the zip below, which contains a JAR file that can be used here. This JAR file contains the class above, which will work on any WebLogic server that requires the use of OraclePKI.
6. Add the JAR file extracted from the ZIP below to your domain's classpath by editing setDomainEnv.sh
# SET THE CLASSPATH
7. Log into console as follows
8. Navigate within the "Domain Structure" window on the left hand side to "Environment" -> "Startup & Shutdown Classes"
9. Click the New button
10. Ensure that the radio option "Startup Class" is selected and click next
11. Specify the following Startup Class Properties
Name - Oracle JDBC Startup Class
Class Name - pas.au.wls.JDBCStartupClass
12. Click Next
13. Target this to your managed server and also the "AdminServer". In our case our managed server is called "apple" as shown below. We also target this to the AdminServer because the JDBC resources are created when we start WebLogic, which requires the Oracle PKI provider to be enabled already, and the startup class does that for us.
14. Click Next
15. Click Finish
16. Edit your new Startup class
17. Select the checkbox "Run Before Application Deployments" to ensure this startup class runs before any services are created. This will ensure the connection pool can be created without a runtime error at container startup.
18. Press the "Save" button
At this point you should stop WebLogic and start it up again as shown. As you can see, our startup class runs successfully, as it will do for the AdminServer and our managed server "apple". You should see the message "JDBCSSLSetup startup class: OraclePKIProvider has been successfully instantiated" when either the AdminServer or our managed server "apple" starts up.
[oracle@@papicell-au2 /u01/bea103/user_projects/domains/jdbcssl/bin]$ ./startWebLogic.sh
1. Log into console as follows
2. Navigate to "Services" -> "JDBC" -> "Data Sources"
3. Click new
4. Enter in details as shown below.
5. Click next
6. Click next
7. Enter in database connection details, and click next
8. At this point we want to make sure we connect using TCPS, which we do by altering the URL as shown below.
9. Enter in the following JDBC driver properties, along with the property for the current user
10. Click Next
11. Target this to your managed server in this case "apple".
12. Click Finish
13. Click on the data source "jdbc/scottSSLDS"
14. Click on the tab "Connection Pool"
15. Scroll down to the bottom of the page and click the "Advanced" link to expand it.
16. Check the option "Test Connections On Reserve".
17. Press the Save button
18. Click on the "Monitoring" tab
19. Click on the "Testing" tab
20. Select the server the data source is targeted for, in our case "apple"
21. Press the "Test Data Source" button
Verify you have successfully set up the data source to use JDBC/THIN with SSL.
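
The console test only proves that a connection can be made. The following added example (not part of the original article) audits a saved data source descriptor for the settings from steps 8, 9 and 16: a TCPS URL, a client wallet property and "Test Connections On Reserve". The descriptor is a constructed sample; the host, port, service name, user and wallet path are placeholders, and passing the wallet as the `javax.net.ssl.trustStore` driver property is an assumption about how the properties in step 9 were entered.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample descriptor: host, port, service name, user and wallet path
# are placeholders; only the data source name comes from the walkthrough.
SAMPLE_DESCRIPTOR = """<jdbc-data-source xmlns="http://www.bea.com/ns/weblogic/jdbc-data-source">
  <name>jdbc/scottSSLDS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=db.example.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))</url>
    <properties>
      <property><name>user</name><value>scott</value></property>
      <property><name>javax.net.ssl.trustStore</name><value>/path/to/wallets/cwallet.sso</value></property>
      <property><name>javax.net.ssl.trustStoreType</name><value>SSO</value></property>
    </properties>
  </jdbc-driver-params>
  <jdbc-connection-pool-params>
    <test-connections-on-reserve>true</test-connections-on-reserve>
  </jdbc-connection-pool-params>
</jdbc-data-source>"""


def _local(tag):
    """Drop the XML namespace so the audit works whatever xmlns the file uses."""
    return tag.rsplit("}", 1)[-1]


def audit_datasource(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    values, props = {}, {}
    for el in root.iter():
        if _local(el.tag) == "property":
            kids = {_local(c.tag): (c.text or "").strip() for c in el}
            props[kids.get("name", "")] = kids.get("value", "")
        else:
            values.setdefault(_local(el.tag), (el.text or "").strip())
    findings = []
    # Every ADDRESS in the connect descriptor must negotiate SSL (tcps), not tcp.
    protocols = re.findall(r"PROTOCOL\s*=\s*(\w+)", values.get("url", ""), re.I)
    if not protocols or any(p.lower() != "tcps" for p in protocols):
        findings.append("url: not every ADDRESS uses PROTOCOL=tcps")
    # Assumption: the client wallet is passed as a driver property.
    if not props.get("javax.net.ssl.trustStore"):
        findings.append("properties: javax.net.ssl.trustStore is not set")
    if values.get("test-connections-on-reserve", "").lower() != "true":
        findings.append("pool: Test Connections On Reserve is disabled")
    return findings
```

Call `audit_datasource()` with the text of the descriptor WebLogic saved for the data source; each finding names the setting to revisit in the console.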