Configure Secure Connections for an Oracle Database

If the Oracle database server requires a secure connection, complete the following steps (if the Oracle database does not require a secure connection, you can omit these steps):

Note: If you have configured CSA to be compliant with FIPS 140-2, you cannot configure a secure connection for the Oracle database. If you configure a secure connection for the Oracle database, you cannot configure CSA to be compliant with FIPS 140-2.

  1. Complete one of the following tasks:

    • If you do not want to configure CSA to check the database DN, do the following:

      1. Open CSA_HOME/jboss-as/standalone/configuration/standalone.xml in a text editor.

      2. Add the following to the Oracle datasource:

        <connection-url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL = TCPS)(HOST = <host>)(PORT = 1521)))(CONNECT_DATA =(SERVICE_NAME = ORCL)))</connection-url>

        where <host> is the name of the system on which the Oracle database server is installed.

      3. Save and close the file.
      4. Import the Oracle database server Certificate Authority's root certificate into the Java truststore of CSA.

        1. Copy the Oracle database server Certificate Authority's root certificate to the CSA system. If necessary, contact your database administrator to obtain the Oracle database server certificate.
        2. On the CSA system, open a command prompt and run the keytool utility with the following options to create a local trusted certificate entry for the Oracle database server.

          Windows:

          "CSA_JRE_HOME\bin\keytool" -importcert -trustcacerts ^
          -alias oracledb ^
          -keystore "CSA_JRE_HOME\lib\security\cacerts" ^
          -file <c:\certfile_name.cer> -storepass changeit

          Linux:

          CSA_JRE_HOME/bin/keytool -importcert -trustcacerts \
          -alias oracledb \
          -keystore CSA_JRE_HOME/lib/security/cacerts \
          -file </tmp/certfile_name.cer> -storepass changeit

          where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed and <c:\certfile_name.cer> on Windows or </tmp/certfile_name.cer> on Linux is the path and name of the Certificate Authority's root certificate for the Oracle database server. The file extension may be .crt rather than .cer. You can also use a different value for -alias.

        3. At the prompt to import the certificate, type Yes.
        4. Press Enter.
        5. Restart CSA.

          See Restart CSA for instructions.

    • If you want to configure CSA to check the database DN, do the following:

      1. Open CSA_HOME/jboss-as/standalone/configuration/standalone.xml in a text editor.

      2. Add the following to the Oracle datasource:

        <connection-url>jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = <host>)(PORT = 1521)))(CONNECT_DATA = (SERVICE_NAME = ORCL))(SECURITY=(SSL_SERVER_CERT_DN="CN=abc,OU=dbserver,O=xyz,L=Sunnyvale,ST=CA,C=US")))</connection-url>

        where <host> is the name of the system on which the Oracle database server is installed and the values for SSL_SERVER_CERT_DN are for the DN of the Oracle database server.

      3. Add the following to the system-properties element:

        <property name="oracle.net.ssl_server_dn_match" value="true" />

      4. Save and close the file.
      5. Import the Oracle database server Certificate Authority's root certificate into the Java truststore of CSA.

        1. Copy the Oracle database server Certificate Authority's root certificate to the CSA system. If necessary, contact your database administrator to obtain the Oracle database server certificate.
        2. On the CSA system, open a command prompt and run the keytool utility with the following options to create a local trusted certificate entry for the Oracle database server.

          Windows:

          "CSA_JRE_HOME\bin\keytool" -importcert -trustcacerts ^
          -alias oracledb ^
          -keystore "CSA_JRE_HOME\lib\security\cacerts" ^
          -file <c:\certfile_name.cer> -storepass changeit

          Linux:

          CSA_JRE_HOME/bin/keytool -importcert -trustcacerts \
          -alias oracledb \
          -keystore CSA_JRE_HOME/lib/security/cacerts \
          -file </tmp/certfile_name.cer> -storepass changeit

          where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed and <c:\certfile_name.cer> on Windows or </tmp/certfile_name.cer> on Linux is the path and name of the Certificate Authority's root certificate for the Oracle database server. The file extension may be .crt rather than .cer. You can also use a different value for -alias.

        3. At the prompt to import the certificate, type Yes.
        4. Press Enter.
        5. Restart CSA.

          See Restart CSA for instructions.

  2. If client authentication is enabled on the Oracle database server, do the following:

    1. Open CSA_HOME/jboss-as/standalone/configuration/standalone.xml in a text editor.

    2. Add the following to the system-properties element:

      <property name="javax.net.ssl.keyStore" value="<certificate_key_file>" />
      <property name="javax.net.ssl.keyStorePassword" value="<certificate_key_file_password>" />
      <property name="javax.net.ssl.keyStoreType" value="<certificate_key_file_type>" />

      where <certificate_key_file> is the same keystore file defined by the certificate-key-file attribute in the ssl element (for example, CSA_HOME/jboss-as/standalone/configuration/.keystore), <certificate_key_file_password> is the password to the keystore file (for example, changeit), and <certificate_key_file_type> is the keystore type (for example, JKS or PKCS12).

    3. Save and close the file.
    4. Use Oracle's wallet manager to import CSA's certificate into the Oracle database server's wallet as a trusted certificate.
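As an added check that is not part of the CSA documentation, the following Python script reads standalone.xml and flags the three ways the configuration above is commonly left incomplete: an Oracle datasource whose PROTOCOL is not TCPS, an SSL_SERVER_CERT_DN in the connection URL without oracle.net.ssl_server_dn_match set to true (in which case the DN is not enforced), and a partial set of the javax.net.ssl.keyStore* properties. The embedded sample file and its pool name "OracleDS" are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the relevant standalone.xml fragments (hypothetical pool name
# "OracleDS"; a real file carries JBoss namespaces, which local_name() strips).
SAMPLE_STANDALONE_XML = """<server>
  <system-properties>
    <property name="oracle.net.ssl_server_dn_match" value="true"/>
  </system-properties>
  <datasources>
    <datasource jndi-name="java:jboss/datasources/OracleDS" pool-name="OracleDS">
      <connection-url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=dbhost.example)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=ORCL))(SECURITY=(SSL_SERVER_CERT_DN="CN=abc,OU=dbserver,O=xyz,L=Sunnyvale,ST=CA,C=US")))</connection-url>
    </datasource>
  </datasources>
</server>"""

KEYSTORE_PROPS = ("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword",
                  "javax.net.ssl.keyStoreType")

def local_name(tag):
    """Strip an XML namespace prefix such as {urn:jboss:domain:1.4}."""
    return tag.rsplit("}", 1)[-1]

def audit_oracle_tls(xml_text):
    """Return findings for Oracle datasources; an empty list means the settings match this page."""
    root = ET.fromstring(xml_text)
    props = {e.get("name"): e.get("value") for e in root.iter()
             if local_name(e.tag) == "property" and e.get("name")}
    dn_match = props.get("oracle.net.ssl_server_dn_match", "").lower() == "true"
    findings = []
    for ds in (e for e in root.iter() if local_name(e.tag) == "datasource"):
        url = "".join(c.text or "" for c in ds if local_name(c.tag) == "connection-url").strip()
        if not url.startswith("jdbc:oracle:"):
            continue
        name = ds.get("pool-name", "?")
        # Oracle Net keywords are case-insensitive and may have spaces around '='
        proto = re.search(r"\(\s*PROTOCOL\s*=\s*(\w+)\s*\)", url, re.I)
        if not proto or proto.group(1).upper() != "TCPS":
            findings.append(f"{name}: PROTOCOL is not TCPS; the connection is not encrypted")
        dn = re.search(r'SSL_SERVER_CERT_DN\s*=\s*"([^"]*)"', url, re.I)
        if dn and not dn_match:
            findings.append(f"{name}: SSL_SERVER_CERT_DN is set but oracle.net.ssl_server_dn_match is not true")
        if dn_match and not dn:
            findings.append(f"{name}: oracle.net.ssl_server_dn_match=true but the URL has no SSL_SERVER_CERT_DN")
    # Client authentication: the three keystore properties must be set together
    present = [p for p in KEYSTORE_PROPS if props.get(p)]
    if present and len(present) != len(KEYSTORE_PROPS):
        findings.append("client auth: missing " + ", ".join(sorted(set(KEYSTORE_PROPS) - set(present))))
    return findings
```

Run it against the real CSA_HOME/jboss-as/standalone/configuration/standalone.xml after editing; an empty result means the datasource, DN-match property and keystore properties are consistent with the steps above.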