DB Services via TCPS: ServiceManager side (part 2)
This document describes the required steps on the ServiceManager side in order to connect to a DB via a secure TCPS connection.
Note that these are Unix/Linux instructions (a Windows version is available internally here).
Prerequisites
- First, configure the DB side as described in part 1.
- Environment variables on the ServiceManager server: JAVA_HOME must be defined, and PATH must contain ${JAVA_HOME}/bin.
- Oracle Wallet Manager (orapki) must be installed on the ServiceManager server. The tool comes as part of the Oracle Fusion Middleware installation, or can be acquired by installing Oracle JDeveloper.
  Default location: /app/oracle/product/ords_home/oracle_common/bin/orapki
Create a ServiceManager-side wallet
- Create a new create_sm_side_wallet.sh file and add the lines below.
- Update the constants to your environment:
  - WALLET_PATH - a path of your choice to store the wallet.
  - WALLET_HOST - the computer name (as displayed in Computer > System Properties > Computer Name), or the IP (if it’s a local machine).
  - ServerCertificate - the filename of the DB server certificate we exported in part 1.
- Put create_sm_side_wallet.sh and COMPUTER.DBHOST.com-certificate.crt in the same folder.
- Run the script.
#!/bin/sh
# Stop at the first failing step instead of continuing with a partial wallet.
set -e
echo "Configuring constants..."
export WALLET_PATH="/home/fmw/wallet/crt"
export WALLET_HOST="$(hostname)"
# Placeholder password: replace it with your own before running.
export WALLET_PASSWORD="MyPassword"
export ORAPKI="/app/oracle/product/ords_home/oracle_common/bin/orapki"
export ServerCertificate="COMPUTER.DBHOST.com-certificate.crt"
echo "Creating wallet..."
"${ORAPKI}" wallet create -wallet "${WALLET_PATH}" -pwd "${WALLET_PASSWORD}" -auto_login_local
echo "Adding the self-signed certificate to the wallet..."
# 2048-bit RSA key; 1024-bit keys are below current minimum recommendations.
"${ORAPKI}" wallet add -wallet "${WALLET_PATH}" -pwd "${WALLET_PASSWORD}" -dn \
"CN=${WALLET_HOST}" -keysize 2048 -self_signed -sign_alg sha256 -validity 3650
echo "Adding the DB server certificate to the wallet..."
"${ORAPKI}" wallet add -wallet "${WALLET_PATH}" -pwd "${WALLET_PASSWORD}" \
-trusted_cert -cert "${ServerCertificate}"
echo "Converting the Oracle pkcs12 wallet to a Java jks wallet..."
# The trust store name must match DB_TRUSTSTORE_PATH in the ServiceManager configuration.
"${ORAPKI}" wallet pkcs12_to_jks -wallet "${WALLET_PATH}" -pwd "${WALLET_PASSWORD}" -jksKeyStoreLoc \
"${WALLET_PATH}/key_store.jks" -jksKeyStorepwd "${WALLET_PASSWORD}" -jksTrustStoreLoc \
"${WALLET_PATH}/trust_store.jks" -jksTrustStorepwd "${WALLET_PASSWORD}"
echo "Done."
Note: the backslashes break long lines.
Sanity checks / troubleshooting (optional)
After steps C and D, you may run the following commands to display the contents of the wallet:
"${ORAPKI}" wallet display -wallet "${WALLET_PATH}" -pwd "${WALLET_PASSWORD}"
keytool -list -storetype PKCS12 -keystore "${WALLET_PATH}/ewallet.p12" -storepass "${WALLET_PASSWORD}"
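The wallet directory itself can also be audited at the file level before ServiceManager is pointed at it. The following is an added example, not part of the original article: check_wallet is a hypothetical helper, the file names are those used by the script on this page, and ewallet.p12 / cwallet.sso are the files orapki writes for an auto-login wallet.

```shell
#!/bin/sh
# Added example (not from the original article). check_wallet is a
# hypothetical helper; file names follow the script on this page, plus the
# ewallet.p12/cwallet.sso pair orapki writes for an auto-login wallet.
# Usage: sh check_wallet.sh WALLET_DIR DB_TRUSTSTORE_PATH
# Prints one line per finding; return status is the number of findings.
check_wallet() {
    dir=$1
    truststore=$2
    problems=0

    # 1. Every artifact the wallet script should have produced is present
    #    and non-empty.
    for f in ewallet.p12 cwallet.sso key_store.jks trust_store.jks; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING $dir/$f"
            problems=$((problems + 1))
        fi
    done

    # 2. The value entered as DB_TRUSTSTORE_PATH points at a real file.
    #    A mistyped extension otherwise only surfaces later as a
    #    connection error, which is harder to diagnose.
    if [ ! -f "$truststore" ]; then
        echo "BADPATH DB_TRUSTSTORE_PATH=$truststore does not exist"
        problems=$((problems + 1))
    fi

    # 3. Wallet and keystore files are readable by the owner only.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            ????------) ;;
            *)
                echo "PERMS $f has mode $mode, expected owner-only"
                problems=$((problems + 1))
                ;;
        esac
    done

    return "$problems"
}

# Run the audit only when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    check_wallet "$1" "$2"
fi
```

A return status of 0 means all three checks passed; any PERMS finding can be cleared with chmod 600 on the listed file.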
ServiceManager configuration
Set the following in Admin > System Preferences:
(choose one based on the Java runtime version on the ServiceManager server):
DB_TRUSTSTORE_PATH = /home/fmw/wallet/crt/trust_store.jks
DB_TRUSTSTORE_TYPE = JKS
DB_TRUSTSTORE_PASSWORD = MyPassword
You may test the connection via DB service using port 2484, running the query:
SELECT sysdate FROM dual
References:
Oracle's full instructions:
https://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf