Configure TLS in Oracle with IT Analytics on Windows in split architecture
In a split architecture, database and portal are on different systems.
Step 1: Configure Oracle wallet for server side.
- Create a directory on the server machine to store the server wallet in the C:\opt\oracle\network folder.
mkdir C:\opt\oracle\network\server_wallet
- Create an empty wallet for the Oracle server with auto login enabled.
orapki wallet create -wallet "C:\opt\oracle\network\server_wallet" -pwd <password> -auto_login
- Add a self-signed certificate to the wallet (a new private/public key pair is created).
orapki wallet add -wallet "C:\opt\oracle\network\server_wallet" -pwd <password> -dn "CN=<server_machine_name>" -keysize 2048 -self_signed -validity <# of Days>
- Check the contents of the wallet. Note that the self-signed certificate is both a user and a trusted certificate.
orapki wallet display -wallet "C:\opt\oracle\network\server_wallet" -pwd <password>
- Check whether the certificate has been exported to the above directory.
- Make sure the Oracle service user can access the wallet file cwallet.sso (READ permission).
Step 2: Configure Oracle wallet for client application.
- Create a directory on the client machine to store the client wallet. Call it client_wallet and create it under the C:\opt\oracle\network folder.
mkdir C:\opt\oracle\network\client_wallet
- Create an empty wallet for the Oracle client with auto login enabled.
orapki wallet create -wallet "C:\opt\oracle\network\client_wallet" -pwd <password> -auto_login
- Add a self-signed certificate to the wallet (a new private/public key pair is created).
orapki wallet add -wallet "C:\opt\oracle\network\client_wallet" -pwd <password> -dn "CN=<client_machine_name>" -keysize 2048 -self_signed -validity <# of Days>
- Check the contents of the wallet. Note that the self-signed certificate is both a user and a trusted certificate.
orapki wallet display -wallet "C:\opt\oracle\network\client_wallet" -pwd <password>
- Export the certificate, so it can be loaded into the server wallet later.
orapki wallet export -wallet "C:\opt\oracle\network\client_wallet" -pwd <password> -dn "CN=<client_machine_name>" -cert C:\opt\oracle\network\client_wallet\<client-certificate-name>.crt
- Check whether the certificate is exported to the above directory.
Step 3: Perform the client-server certificate exchange. These instructions exchange the server and client public keys.
- Repeat these steps on each of the database client systems.
- Copy <server-certificate-name>.crt from the server system to the /opt/aptare/oracle/network/client_wallet folder on the client system.
- Copy <client-certificate-name>.crt from the client system to the /opt/aptare/oracle/network/server_wallet folder on the server system.
- Load the server certificate into the client wallet.
orapki wallet add -wallet "C:\opt\oracle\network\client_wallet" -pwd <password> -trusted_cert -cert C:\opt\oracle\network\client_wallet\<server-certificate-name>.crt
- Check the contents of the client wallet. Note that the server certificate is now included in the list of trusted certificates.
orapki wallet display -wallet "C:\opt\oracle\network\client_wallet" -pwd <password>
- Load the client certificate into the server wallet.
orapki wallet add -wallet "C:\opt\oracle\network\server_wallet" -pwd <password> -trusted_cert -cert C:\opt\oracle\network\server_wallet\<client-certificate-name>.crt
- Check the contents of the server wallet. Note that the client certificate is now included in the list of trusted certificates.
orapki wallet display -wallet "C:\opt\oracle\network\server_wallet" -pwd <password>
Step 4: Configure the Oracle database to listen for TCPS connections (server/Oracle system). In the steps below, the host is the Oracle server IP address and C:\opt\oracle\network\server_wallet is the server wallet location.
- Stop the Oracle listener.
lsnrctl stop
- Modify the listener.ora file (C:\opt\oracle\network\admin\listener.ora).
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484))
    )
  )
Append the lines below at the end of the file.
SSL_CLIENT_AUTHENTICATION = FALSE
SECURE_PROTOCOL_LISTENER = (IPC)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\opt\oracle\network\server_wallet)
    )
  )
- Modify the sqlnet.ora file (C:\opt\oracle\network\admin\sqlnet.ora).
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\opt\oracle\network\server_wallet)
    )
  )
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SQLNET.WALLET_OVERRIDE = TRUE
- Modify the tnsnames.ora file (C:\opt\oracle\network\admin\tnsnames.ora).
SCDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = scdb)(SID = SCDB))
  )
- Start the Oracle listener.
lsnrctl start
- Check the listener status.
lsnrctl status
- Test Oracle connection using sqlplus.
sqlplus username/password@service_name
Step 5: Configure the Oracle database to listen for TCPS connections on the client system. Configure the listener.ora and sqlnet.ora files on the database server using the following steps. In the procedure below, the host is the Oracle server IP address and C:\opt\oracle\network\server_wallet is the server wallet location.
- Modify the listener.ora file (C:\opt\oracle\network\admin\listener.ora) and add the contents below.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484))
    )
  )
Add the lines below at the end of the file:
SSL_CLIENT_AUTHENTICATION = FALSE
SECURE_PROTOCOL_LISTENER = (IPC)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\opt\oracle\network\client_wallet)
    )
  )
- Modify the sqlnet.ora file (C:\opt\oracle\network\admin\sqlnet.ora).
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\opt\oracle\network\client_wallet)
    )
  )
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SQLNET.WALLET_OVERRIDE = TRUE
- Modify the tnsnames.ora file (C:\opt\oracle\network\admin\tnsnames.ora).
SCDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = scdb)(SID = SCDB))
  )
Step 6: Load Oracle server wallet certificate to the portal and upgrader Java KeyStore.
- Login as a root user.
- Add the server certificate to the portal Java keystores.
cd C:\opt\jre\bin
keytool -import -trustcacerts -alias ora_server_cert -file C:\opt\oracle\network\client_wallet\server-cert-db.crt -keystore C:\opt\jre\lib\security\cacerts
cd C:\opt\jdk\bin
keytool -import -trustcacerts -alias ora_server_cert -file C:\opt\oracle\network\client_wallet\server-cert-db.crt -keystore C:\opt\jdk\lib\security\cacerts
password: changeit
- Add the server certificate to the upgrader Java keystore.
cd C:\opt\aptare\upgrade\jre\bin
keytool -import -trustcacerts -alias ora_server_cert -file C:\opt\oracle\network\client_wallet\server-cert-db.crt -keystore C:\opt\aptare\upgrade\jre\lib\security\cacerts
password: changeit
Step 7: Modify the connection URL in the portal and receiver property files.
- Stop the portal and agent services.
- Modify the database URL in /opt/aptare/portalconf/portal.properties.
db.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=xx.xx.xx.xx)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SCDB)))
- Modify the database URL in /opt/aptare/datarcvrconf/datarcvrproperties.xml.
<URL>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=xx.xx.xx.xx)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SCDB)))</URL>
- Start portal and agent services.
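The listener.ora, tnsnames.ora and JDBC URL entries in Steps 4, 5 and 7 all use the same parenthesised Oracle Net descriptor syntax, and a single mistyped PROTOCOL or PORT silently leaves the portal on plaintext TCP. The check below is an added example, not Veritas or Oracle code: it parses that syntax and reports every network ADDRESS that is not TCPS on port 2484; the sample inputs are constructed and xx.xx.xx.xx is the placeholder address used above.

```python
import re

_TOKEN = re.compile(r"[()=]|[^()=\s]+")

def parse_descriptor(text):
    """Parse 'NAME = (...)' or '(...)' Oracle Net syntax into nested dicts; repeated keys become lists."""
    toks, i = _TOKEN.findall(text), 0
    if toks[0] != "(":  # 'LISTENER = (...)' form: wrap it so the name becomes the root key
        toks = ["("] + toks + [")"]
    def value():  # a scalar token, or a run of (KEY = value) groups
        nonlocal i
        if toks[i] != "(":
            i += 1
            return toks[i - 1]
        node = {}
        while i < len(toks) and toks[i] == "(":
            key, eq = toks[i + 1].upper(), toks[i + 2]
            i += 3
            val = value() if eq == "=" else None
            if eq != "=" or i >= len(toks) or toks[i] != ")":
                raise ValueError(f"malformed group {key!r} near token {i}")
            i += 1
            old = node.get(key)  # e.g. the IPC and TCPS ADDRESS entries of one DESCRIPTION
            node[key] = val if old is None else (old if isinstance(old, list) else [old]) + [val]
        return node
    return value()

def addresses(node):  # yield every ADDRESS dict anywhere in a parsed tree
    for key, val in (node.items() if isinstance(node, dict) else ()):
        for v in (val if isinstance(val, list) else [val]):
            if key == "ADDRESS" and isinstance(v, dict):
                yield v
            else:
                yield from addresses(v)

def check_tcps(descriptor, port="2484"):
    """Findings for each network ADDRESS not using TCPS on `port`; the local IPC (EXTPROC) endpoint is skipped."""
    findings = []  # accepts raw listener.ora/tnsnames.ora text or a jdbc:oracle:thin:@(...) URL
    for a in addresses(parse_descriptor(descriptor.partition("@")[2] or descriptor)):
        proto = str(a.get("PROTOCOL", "")).upper()
        if proto != "IPC" and (proto != "TCPS" or str(a.get("PORT")) != port):
            findings.append(f"{a.get('HOST')}: {proto or 'no protocol'} on port {a.get('PORT')}, expected TCPS on {port}")
    return findings

# Constructed samples; xx.xx.xx.xx stands in for the database server address.
LISTENER_ORA = """LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
  (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484)) ) )"""
PORTAL_URL = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=xx.xx.xx.xx)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SCDB)))"
OLD_URL = PORTAL_URL.replace("TCPS", "TCP").replace("2484", "1521")  # a pre-TLS URL left behind
```

Run `check_tcps` over each edited file before restarting the portal and agent services; an empty result for every descriptor means no endpoint was left on TCP.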