Configure TLS in Oracle with IT Analytics on Windows in non-split architecture
In a non-split architecture, the database and portal are on the same system.
Step 1: Configure Oracle wallet on the server side.
- Create a directory on the server system to store the server wallet, named server_wallet. Run the make directory command below in the C:\opt\oracle\network folder.
mkdir C:\opt\oracle\network\server_wallet
- Create an empty wallet for the Oracle server with auto login enabled.
orapki wallet create -wallet "C:\opt\oracle\network\server_wallet" -pwd <password> -auto_login
- Add a self-signed certificate in the wallet (a new pair of private/public keys is created).
orapki wallet add -wallet "C:\opt\oracle\network\server_wallet" -pwd <password> -dn "CN=<server_machine_name>" -keysize 2048 -self_signed -validity <# of Days>
- Check the contents of the wallet. Notice the self-signed certificate is both a user and trusted certificate.
orapki wallet display -wallet "C:\opt\oracle\network\server_wallet" -pwd <password>
- Export the certificate so it can be loaded into the client wallet later.
orapki wallet export -wallet "C:\opt\oracle\network\server_wallet" -pwd <password> -dn "CN=<server_machine_name>" -cert C:\opt\oracle\network\client_wallet\<server-certificate-name>.crt
- Check that the certificate file is present in the directory named above.
- Make sure the Oracle service user can access the wallet file cwallet.sso (READ permission).
Step 2: Configure the Oracle wallet for the client application.
- Log in as the oracle user.
su - aptare
- Create a directory on the client system to store the client wallet. Call it client_wallet and create it under the /opt/aptare/oracle/network folder.
mkdir C:\opt\oracle\network\client_wallet
- Create an empty wallet for the Oracle client with auto login enabled.
orapki wallet create -wallet "C:\opt\oracle\network\client_wallet" -pwd <password> -auto_login
Step 3: Load server certificate into the client wallet.
- Load the server certificate into the client wallet.
orapki wallet add -wallet "C:\opt\oracle\network\client_wallet" -pwd <password> -trusted_cert -cert C:\opt\oracle\network\client_wallet\<server-certificate-name>.crt
- Check the contents of the client wallet. Note that the server certificate is now included in the list of trusted certificates.
orapki wallet display -wallet "C:\opt\oracle\network\client_wallet" -pwd <password>
Step 4: Configure the Oracle database to listen for TCPS connections.
Configure the listener.ora, tnsnames.ora, and sqlnet.ora files on the database server using the following steps. In these steps, host is the Oracle server IP address and the server wallet location is /opt/aptare/oracle/network/server_wallet.
- Stop the Oracle listener before updating the files.
lsnrctl stop
- Modify listener.ora (C:\opt\oracle\network\admin\listener.ora):
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484))
    )
  )
Add the lines below at the end of the file:
SSL_CLIENT_AUTHENTICATION = FALSE
SECURE_PROTOCOL_LISTENER=(IPC)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\opt\oracle\network\server_wallet)
    )
  )
- Modify tnsnames.ora (C:\opt\oracle\network\admin\tnsnames.ora):
SCDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = scdb)(SID = SCDB))
  )
- Start the Oracle listener.
lsnrctl start
- Check the listener status.
lsnrctl status
- Test the Oracle connection using sqlplus.
sqlplus username/password@service_name
Step 5: Load the Oracle server wallet certificate into the portal and upgrader Java KeyStores.
- Add the server certificate to the portal Java keystores (JRE and JDK). When keytool prompts for the keystore password, enter the default, changeit.
cd C:\opt\jre\bin
keytool -import -trustcacerts -alias ora_server_cert -file C:\opt\oracle\network\server_wallet\server-cert-db.crt -keystore C:\opt\jre\lib\security\cacerts
cd C:\opt\jdk\bin
keytool -import -trustcacerts -alias ora_server_cert -file C:\opt\oracle\network\server_wallet\server-cert-db.crt -keystore C:\opt\jdk\lib\security\cacerts
- Add the server certificate to the upgrader Java keystore. Enter changeit at the keystore password prompt.
cd C:\opt\aptare\upgrade\jre\bin
keytool -import -trustcacerts -alias ora_server_cert -file C:\opt\oracle\network\server_wallet\server-cert-db.crt -keystore C:\opt\aptare\upgrade\jre\lib\security\cacerts
Step 6: Modify connection URL in the portal and receiver property file.
- Stop portal and agent services.
- Modify the database URL in C:\opt\aptare\portalconf\portal.properties:
db.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS) (HOST=xx.xx.xx.xx)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SCDB)))
- Modify the database URL in C:\opt\aptare\datarcvrconf\datrarcvrproperties.xml:
<URL>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS) (HOST=xx.xx.xx.xx)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SCDB)))</URL>
- Start portal and agent services.
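As an added example (not code from the original procedure or from the product), the following Python script parses the parenthesised Oracle Net syntax used by the listener.ora and tnsnames.ora files in Step 4 and by the JDBC thin URL in Step 6, and checks the three against each other: the listener exposes a TCPS address and a wallet directory, SSL_CLIENT_AUTHENTICATION is FALSE, no plaintext TCP address remains, and every client descriptor points at a TCPS endpoint the listener actually serves. The sample file contents are constructed from the values shown above; xx.xx.xx.xx and the C:\opt\... paths are the page's own placeholders. The function names (parse_ora, parse_jdbc_url, check_listener, check_client) belong to this example, not to Oracle or the product.

```python
# Added example, not code from the original procedure or from the product: a
# parser for the parenthesised Oracle Net syntax shared by listener.ora,
# tnsnames.ora and the JDBC thin URL, with checks that the TCPS settings of
# Step 4 and Step 6 agree. Sample contents are constructed from the values
# shown in the procedure; xx.xx.xx.xx and C:\opt\... are the page's placeholders.

JDBC_PREFIX = "jdbc:oracle:thin:@"


def _skip_ws(text, i):
    while i < len(text) and text[i].isspace():
        i += 1
    return i


def _parse_node(text, i):
    """Parse '(KEY = scalar)', '(KEY = (child)...)' or a bare '(TOKEN)' at text[i].
    Returns ((key, value), next_index); value is a str, a node list, or None."""
    i += 1                                        # step past '('
    eq, close = text.find("=", i), text.find(")", i)
    if close == -1:
        raise ValueError("unbalanced parentheses")
    if eq == -1 or close < eq:                    # bare token, e.g. (IPC)
        return (text[i:close].strip().upper(), None), close + 1
    key, i = text[i:eq].strip().upper(), _skip_ws(text, eq + 1)
    if text[i] != "(":                            # scalar: runs up to that ')'
        return (key, text[i:close].strip()), close + 1
    children = []
    while text[i] == "(":                         # nested nodes
        node, i = _parse_node(text, i)
        children.append(node)
        i = _skip_ws(text, i)
    if text[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return (key, children), i + 1


def parse_ora(text):
    """Parse a listener.ora / tnsnames.ora file into {NAME: node list or scalar}."""
    conf, i = {}, _skip_ws(text, 0)
    while i < len(text):
        eq = text.index("=", i)
        name, i = text[i:eq].strip().upper(), _skip_ws(text, eq + 1)
        nodes = []
        while i < len(text) and text[i] == "(":   # NAME = (node)(node)...
            node, i = _parse_node(text, i)
            nodes.append(node)
            i = _skip_ws(text, i)
        if nodes:
            conf[name] = nodes
        else:                                     # NAME = scalar, to end of line
            end = text.find("\n", i)
            end = len(text) if end == -1 else end
            conf[name], i = text[i:end].strip(), _skip_ws(text, end)
    return conf


def parse_jdbc_url(url):
    """Node list of the descriptor inside a jdbc:oracle:thin:@(DESCRIPTION=...) URL."""
    body = url.strip()
    if body.startswith(JDBC_PREFIX):
        body = body[len(JDBC_PREFIX):]
    return [_parse_node(body, 0)[0]]


def find_all(nodes, key):
    """Values of every node named key, at any depth under nodes."""
    found = []
    for k, v in nodes or []:
        if k == key:
            found.append(v)
        if isinstance(v, list):
            found.extend(find_all(v, key))
    return found


def child(nodes, key):
    return next((v for k, v in nodes or [] if k == key), None)


def endpoints(nodes, protocol):
    """(HOST, PORT) of every ADDRESS under nodes that uses the given PROTOCOL."""
    return [(child(a, "HOST"), child(a, "PORT"))
            for a in find_all(nodes, "ADDRESS") if child(a, "PROTOCOL") == protocol]


def check_listener(conf):
    """Findings for a parsed listener.ora; an empty list means it matches Step 4."""
    findings = []
    if not endpoints(conf.get("LISTENER"), "TCPS"):
        findings.append("LISTENER has no TCPS ADDRESS")
    if endpoints(conf.get("LISTENER"), "TCP"):
        findings.append("LISTENER still accepts plaintext TCP")
    if str(conf.get("SSL_CLIENT_AUTHENTICATION", "")).upper() != "FALSE":
        findings.append("SSL_CLIENT_AUTHENTICATION is not FALSE (client wallet holds no own cert)")
    if not find_all(conf.get("WALLET_LOCATION"), "DIRECTORY"):
        findings.append("WALLET_LOCATION has no DIRECTORY")
    return findings


def check_client(nodes, listener_conf):
    """Findings for a tnsnames entry or JDBC descriptor against the listener config."""
    served = set(endpoints(listener_conf.get("LISTENER"), "TCPS"))
    wanted = endpoints(nodes, "TCPS")
    findings = [] if wanted else ["client descriptor does not use TCPS"]
    findings += ["client endpoint %s:%s is not served over TCPS by the listener" % ep
                 for ep in wanted if ep not in served]
    return findings


# Constructed sample files, built from the values shown in Step 4 and Step 6.
LISTENER_ORA = r"""
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484))))
SSL_CLIENT_AUTHENTICATION = FALSE
SECURE_PROTOCOL_LISTENER=(IPC)
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
  (METHOD_DATA = (DIRECTORY = C:\opt\oracle\network\server_wallet)))
"""
TNSNAMES_ORA = """
SCDB = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484))
  (CONNECT_DATA = (SERVICE_NAME = scdb)(SID = SCDB)))
"""
DB_URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS) "
          "(HOST=xx.xx.xx.xx)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SCDB)))")
```

To run it against a real installation, read the three files into parse_ora and parse_jdbc_url and print the findings; an empty list means the configuration matches the procedure. The TCP check matters because a leftover (PROTOCOL = TCP) address on the listener means the database still accepts unencrypted sessions even though the portal URL was switched to TCPS, and the endpoint comparison catches the common mismatch where the portal and receiver URLs name a host or port the TCPS listener does not serve.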