WebLogic JDBC Use of Oracle Wallet for SSL
- by Steve Felts
Introduction
Secure Sockets Layer (SSL) can be used to secure the connection between the middle tier “client”, WebLogic Server (WLS) in this case, and the Oracle database server. Data between WLS and database can be encrypted. The server can be authenticated so you have proof that the database can be trusted by validating a certificate from the server. The client can be authenticated so that the database only accepts connections from clients that it trusts.
Similar to the discussion in an earlier article about using the Oracle wallet for database credentials, the Oracle wallet can also be used with SSL to store the keys and certificates. By using it correctly, clear text passwords can be eliminated from the JDBC configuration and client/server configuration can be simplified by sharing the wallet across multiple datasources.
There is a very good Oracle Technical White Paper on using SSL with the Oracle thin driver at
http://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf [LINK1]. The link http://www.oracle.com/technetwork/middleware/weblogic/index-087556.html [LINK2] describes how to use WebLogic Server with Oracle JDBC Driver SSL.
The information in this article is a guide on what steps need to be taken in the variety of available options; use the links above for details.
SSL from the driver to the database server is basically turned on by specifying a protocol of “tcps” in the URL. However, there is a fair amount of setup needed. Also remember that there is an overhead in performance.
Creating the wallets
The common use cases are
1. “data encryption and server-only authentication”, requiring just a trust store, or
2. “data encryption and authentication of both tiers” (client and server), requiring a trust store and a key store.
It is recommended to use the auto-login wallet type so that clear text passwords are not needed in the datasource configuration to open the wallet. The store type for an auto-login wallet is “SSO” (Single Sign On), not “JKS” or “PKCS12” as in [LINK2]. The file name is “cwallet.sso”.
Wallets are created using the orapki tool. They need to be created based on the usage (encryption and/or authentication). This is discussed in detail in [LINK1] in Appendix B or in the Advanced Security Administrator’s Guide of the Database documentation.
Database Server Configuration
It is necessary to update the sqlnet.ora and listener.ora files with the directory location of the wallet using WALLET_LOCATION. These files also indicate whether or not SSL_CLIENT_AUTHENTICATION is being used (true or false).
The Oracle Listener must also be configured to use the TCPS protocol. The recommended port is 2484.
LISTENER = (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484)))
WebLogic Server Classpath
The WebLogic Server CLASSPATH must have three additional security files.
The files that need to be added to the WLS CLASSPATH are
$MW_HOME/modules/com.oracle.osdt_cert_1.0.0.0.jar
$MW_HOME/modules/com.oracle.osdt_core_1.0.0.0.jar
$MW_HOME/modules/com.oracle.oraclepki_1.0.0.0.jar
One way to do this is to add them to PRE_CLASSPATH environment variable for use with the standard WebLogic scripts.
Setting the Oracle Security Provider
It’s necessary to enable the Oracle PKI provider on the client side. This can either be done statically by updating the java.security file under the JRE or dynamically by setting it in a WLS startup class using
java.security.Security.insertProviderAt(new oracle.security.pki.OraclePKIProvider (), 3);
See the full example of the startup class in [LINK2].
Datasource Configuration
When creating a WLS datasource, set the PROTOCOL in the URL to tcps as in the following.
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=host)(PORT=port))(CONNECT_DATA=(SERVICE_NAME=myservice)))
For encryption and server authentication, use the datasource connection properties:
- javax.net.ssl.trustStore=location of wallet file on the client
- javax.net.ssl.trustStoreType=”SSO”
For client authentication, use the datasource connection properties:
- javax.net.ssl.keyStore=location of wallet file on the client
- javax.net.ssl.keyStoreType=”SSO”
Note that the driver connection properties for the wallet require a file name, not a directory name.
Active GridLink ONS over SSL
For completeness, there is another SSL usage for WLS datasources. The communication with the Oracle Notification Service (ONS) for load balancing information and node up/down events can use SSL also.
Create an auto-login wallet and use the wallet on the client and server. The following is a sample sequence to create a test wallet for use with ONS.
orapki wallet create -wallet ons -auto_login -pwd ONS_Wallet
orapki wallet add -wallet ons -dn "CN=ons_test,C=US" -keysize 1024 -self_signed -validity 9999 -pwd ONS_Wallet
orapki wallet export -wallet ons -dn "CN=ons_test,C=US" -cert ons/cert.txt -pwd ONS_Wallet
On the database server side, it’s necessary to define the walletfile directory in the file $CRS_HOME/opmn/conf/ons.config and run onsctl stop/start.
When configuring an Active GridLink datasource, the connection to the ONS must be defined. In addition to the host and port, the wallet file directory must be specified. By not giving a password, a SSO wallet is assumed.
Summary
To use SSL with the Oracle thin driver without any clear text passwords, use an SSO Oracle Wallet. SSL support in the Oracle thin driver is available starting in 10g Release 2.
