2 years ago

#53792

user3470887

Oracle database with SSL using Java Keystore

I'm looking for guidance on the steps to configure an Oracle 12c database to use SSL with a JKS. I found a tutorial which was very clear on the steps; however, this ended up being for Oracle wallets, which my client side does not support.

This is simply a test environment, so to keep it simple I'm trying to just use self-signed certs. I was able to create a keystore and export a certificate using these commands:

keytool -genkey -alias oraclekeystore -keyalg RSA -keypass xxx -storepass xxx -keystore KeyStore.jks -keysize 2048 -validity 1461

keytool -export -keystore KeyStore.jks -alias oraclekeystore -file client.cer

And I would use a command similar to the one below to import it on the client side (with the exception that the keystore may already exist), but this is the command I found to do the import:

sudo keytool -import -trustcacerts -keystore "/usr/lib/jvm/java-8-openjdk-i386/jre/lib/security/cacerts" -storepass xxx -noprompt -alias oraclekeystore -file "client.cer"

Now the next part, how to configure the database to accept connections using TLS with this keystore/cert, is where I'm stuck. I see that when using a wallet we would add some configs to the sqlnet.ora file:

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u01/app/oracle/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

And set the listener up by stopping the listener, updating listener.ora and starting it again:

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ol7-121.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = ol7-121.localdomain)(PORT = 2484))
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle

However, I'm unsure how to do this using a JKS and a self-signed cert without Oracle wallets. Does anyone have experience with this or has set up this scenario? Or any resources which may help to configure the server in this scenario?

Thank you!

Tags: oracle, ssl, oracle12c, jks

0 Answers
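No answer was posted. As an added example that is not part of the original question, the block below parses the nested-parenthesis syntax that sqlnet.ora and listener.ora use and reviews the TLS-related settings shown in the question: the two sample configurations are constructed from the question's own fragments (same wallet directory, host name, ports and cipher list), and the review rules, which flag the 3DES suite, the unpinned SSL_VERSION, SSL_CLIENT_AUTHENTICATION = FALSE and the plaintext TCP endpoint left next to TCPS, are this editor's own checks, not anything Oracle ships. It does not address whether the server side can read a JKS directly, which the question leaves open.

```python
"""Parse Oracle Net parameter files (sqlnet.ora, listener.ora) and review their TLS
settings.  Added example, not from the original question; the review rules are this
editor's own.  The two sample configs below are constructed from the question."""
import re

SQLNET_ORA = """
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
"""
LISTENER_ORA = """
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ol7-121.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = ol7-121.localdomain)(PORT = 2484))))
"""
WEAK_SUITE_MARKERS = ("3DES", "DES_CBC", "RC4", "NULL", "MD5", "EXPORT")  # substrings to reject


def _fold(items):  # NAME = value pairs -> dict (repeated name -> list); bare words -> list
    if not items or not all(isinstance(it, tuple) for it in items):
        return items
    merged = {}
    for name, value in items:
        merged.setdefault(name, []).append(value)
    return {k: v[0] if len(v) == 1 else v for k, v in merged.items()}


class _Ora:  # recursive-descent parser for the nested-parenthesis .ora syntax
    def __init__(self, text):  # '#' starts a comment; commas and whitespace separate tokens
        self.s = "\n".join(l.split("#", 1)[0] for l in text.splitlines()).replace(",", " ")
        self.i = 0
    def peek(self):  # skip whitespace and return the next char ('' at end of input)
        self.i = re.compile(r"\s*").match(self.s, self.i).end()
        return self.s[self.i:self.i + 1]
    def eat(self, ch):  # consume ch if it comes next
        ok = self.peek() == ch
        self.i += ok
        return ok
    def word(self):  # a name or a bare value: one token, quoted values with spaces unsupported
        m = re.compile(r"[^=()\s]*").match(self.s, self.i)
        self.i = m.end()
        return m.group()
    def value(self):  # adjacent groups "(..)(..)" form one value
        items = []
        while self.peek() == "(":
            items += self.group()
        return _fold(items) if items else self.word()
    def group(self):  # '(' item ... ')' where item is NAME = value or a bare word
        self.i, items = self.i + 1, []
        while self.peek() not in (")", ""):
            if self.peek() == "(":
                items.append(self.value())
            else:
                name = self.word()
                items.append((name, self.value()) if self.eat("=") else name)
        if not self.eat(")"):
            raise ValueError("unbalanced parenthesis")
        return items


def parse_ora(text):
    """Parse a whole .ora file into a dict of its top-level parameters."""
    p, items = _Ora(text), []
    while p.peek():
        name = p.word()
        if not p.eat("="):
            raise ValueError("expected '=' after %r" % name)
        items.append((name, p.value()))
    return _fold(items)


def listener_endpoints(node, out=None):
    """[(protocol, host or IPC key, port)] for every ADDRESS body in a parsed listener.ora."""
    out = [] if out is None else out
    if isinstance(node, dict) and "PROTOCOL" in node:
        out.append((node["PROTOCOL"], node.get("HOST", node.get("KEY", "")), node.get("PORT", "")))
    for child in node.values() if isinstance(node, dict) else node if isinstance(node, list) else []:
        listener_endpoints(child, out)
    return out


def review_tls(sqlnet, listener):
    """Findings (strings) for a parsed sqlnet.ora / listener.ora pair; [] means clean."""
    findings = ["weak cipher suite enabled: " + s for s in sqlnet.get("SSL_CIPHER_SUITES", [])
                if any(m in s for m in WEAK_SUITE_MARKERS)]
    if "SSL_VERSION" not in sqlnet:
        findings.append("SSL_VERSION not set; pin it (SSL_VERSION = 1.2) so older protocol versions are refused")
    if str(sqlnet.get("SSL_CLIENT_AUTHENTICATION", "")).upper() == "FALSE":
        findings.append("SSL_CLIENT_AUTHENTICATION = FALSE: only the server is authenticated by certificate")
    endpoints = listener_endpoints(listener)
    if {"TCP", "TCPS"} <= {p for p, _, _ in endpoints}:
        findings.append("listener still accepts plaintext TCP on port %s next to TCPS; drop or firewall it"
                        % ", ".join(port for p, _, port in endpoints if p == "TCP"))
    return findings


if __name__ == "__main__":
    print(*review_tls(parse_ora(SQLNET_ORA), parse_ora(LISTENER_ORA)), sep="\n")
```

Run as a script it prints four findings for the question's configuration. The one to act on first is the listener: with both ADDRESS entries present, anything that connects to port 1521 gets no encryption at all, so the TCPS endpoint on 2484 only protects clients that are configured to use it. The parser treats every value as a single token, which covers the parameters above; a quoted value containing spaces would need extending `word()`.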
