Docker is the prefered way of running Oracle DB, but if you need to do it manually, here’s how. This was valid at the end of 2019. If you are reading this in the future, it ma no longer be valid.
- Create an Oracle DB certificate wallet
- Oracle Wallet Manager
- Configure Oracle DB networking
- Create client app.truststore.jks
- Create client app.keystore.jks
- Configure the connection
Configuring Oracle DB for TLS connections is fortunately a relatively simple process. We can use industry standard tools like OpenSSL to create and manage our certificates. The only specialized tool is the Oracle Wallet Manager (OWM), which is simply a store for certificates. OWM can import and export PEM format certificates which can be manipulated by OpenSSL natively.
More info: https://docs.oracle.com/cd/B28359_01/network.111/b28530/asossl.htm#i1006526
Either go through the installation process or practice with a container:
docker volume create oracle-db docker run -d --name oracle-db \ -p 1521:1521 \ -p 2484:2484 \ -e DB_SID=ORCL \ -e DB_PDB=STL \ -e DB_DOMAIN=STELLIRIN \ --mount source=oracle-db,target=/ORCL \ store/oracle/database-enterprise:188.8.131.52
The rest of the commands assume you are in the DB environment, so be sure to exec into the running container.
Start by creating an empty wallet at
/ORCL/wallet. This is simply to skip the ‘new wallet’ wizard in Oracle Wallet Manager, which will set some bad defaults if you are not careful.
mkdir -p /ORCL/wallet orapki wallet create -wallet '/ORCL/wallet' -pwd 'stellirin' -auto_login_local
In Oracle Wallet Manager:
- Open the wallet at
- Import a CA public certificate
- Use you own Certificate Authority
- Add then export a certificate request to
- Create a signed certificate from the certificate request
- Import the new certificate to the wallet by using the Operations menu and Import User Certificate
- Set the wallet to auto login and save
Everything in the three files below can be configured with the ‘Oracle Net Manager’. However the GUI can be somewhat confusing as many of the options are not interesting for basic setups. The file locations given are valid for the standard Oracle DB Docker container. Other installations may differ.
For convenience while debugging, the below configurations add the encrypted TCP/IP with SSL connections and keep the existing default unencrypted TCP/IP connections.
# tnsnames.ora Network Configuration File. STL = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521)) (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484)) ) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = STL.STELIRIN) ) ) ORCL = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521)) ) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ORCL.STELLIRIN) ) )
# sqlnet.ora Network Configuration File. # Root for the Automatic Diagnostic Repository ADR_BASE = /u01/app/oracle # Allow both OS (BEQ) Authentication and TLS (TCPS) Authentication SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS) # Allow TLSv1.0, TLSv1.1, and TLSv1.2 SSL_VERSION = (1.2 or 1.1 or 1.0) # We use DB Client Authentication so we mustn't use TLS Client Authentication SSL_CLIENT_AUTHENTICATION = FALSE # Our wallet with our encryption keys WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /ORCL/wallet) ) ) # The cipher suites allowed. # Please ensure no insecure cyphers are added here. SSL_CIPHER_SUITES = ( SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256 ) # Time interval (in minutes) to check that client connections are active. SQLNET.EXPIRE_TIME = 10
# listener.ora Network Configuration File. # Root for the Automatic Diagnostic Repository ADR_BASE_LISTENER = /u01/app/oracle # Allow TLSv1.0, TLSv1.1, and TLSv1.2 SSL_VERSION = (1.2 or 1.1 or 1.0) # We use DB Client Authentication so we mustn't use TLS Client Authentication SSL_CLIENT_AUTHENTICATION = FALSE # Our wallet with our encryption keys WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /ORCL/wallet) ) ) # Our listeners LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521)) ) (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484)) ) )
We identify the Oracle DB server by its public certificate. This certificate should be imported to its own trust store.
The trust store needs the full chain of trust; the server certificate and the CA certificate. Follow the steps in Truststores to create it.
Hint: The Oracle DB server certificate is just the one which you imported into the Oracle Wallet.
A private key & public certificate pair should be generated (New Keys & Certificates) and imported to Java keystores according to Keystores. Configure the app to connect to Oracle over TLS.
The Connection Descriptor should look like this:
If the app doesn’t provide a place to configure the keystores try:
-Djavax.net.ssl.trustStore=/path/to/app.truststore.jks -Djavax.net.ssl.trustStorePassword=stellirin -Djavax.net.ssl.keyStore=/path/to/app.keystore.jks -Djavax.net.ssl.keyStorePassword=stellirin