IBM Support

WebSphere Application Server and Oracle SSL/Oracle Wallet

Technical Blog Post


Abstract

WebSphere Application Server and Oracle SSL/Oracle Wallet

Body

 

The WebSphere Application Server does not contain code that provides for a secure database connection method other than basic userid/password authentication, which is implemented through an authentication alias. However, this does not mean you cannot configure another authentication method. Most of the WebSphere Application Server datasource configuration, with the exception of pool configuration parameters, are properties that are simply passed to a JDBC driver package.

 

For example, if I create a new datasource custom property "NOOP" with a value of 100, a WebSphere Application Server trace shows that the property is passed to the JDBC driver at connect time:

[2/24/15 13:08:31:636 EST] 00000018 DSConfigurati >  testConnectionForGUI Entry
                                 com.ibm.db2.jcc.DB2XADataSource
                                 my_userid
                                 ********
                                 {kerberosServerPrincipal=, description=, maxRetriesForClientReroute=, currentPackagePath=, retrieveMessagesFromServerOnGetMessage=true, loginTimeout=0, beginTranForVendorAPIs=false, dataStoreHelperClass=com.ibm.websphere.rsadapter.DB2UniversalDataStoreHelper, currentSQLID=, useCachedCursor=, validateNewConnectionRetryCount=100, useTransactionRedirect=false, sslConnection=, jmsOnePhaseOptimization=false, traceFile=, databaseName=sample, enableSeamlessFailover=, driverType=4, deferPrepares=true, retryIntervalForClientReroute=, sendDataAsIs=, queryCloseImplicit=, enableMultithreadedAccessDetection=false, useJDBC4ColumnNameAndLabelSemantics=, reauthentication=false, fullyMaterializeInputStreams=, enableSysplexWLB=, serverName=W520, NOOP=100, connectionSharing=1, traceDirectory=, etc.

 

Of course, in my example above, I received an error since the property 'NOOP' does not exist on the DataSource class, but it does demonstrate that since you can pass vendor specific properties directly to a JDBC driver, you are able to configure some alternate security methods, such as Oracles SSL implementation.

 

Configuring WebSphere Application Server for Oracle SSL:

  1. Create a JDBC Provider for Oracle or use an existing one.



  2.  
  3. Create a datasource for the provider, see "Data source minimum required settings for Oracle" in the WebSphere Application Server product documentation.

    The URL must be set up to specify "tcps"as the protocol and the port that is configured for SSL.

    For example: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=oratest1.ibm.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))

    NOTE: When using the admin console datasource wizard, the URL field will not allow this format. Enter a format that is allowed and fill in the rest of the wizard and save the datasource.

    Supply a J2C alias with user/id and password for the datasource as normally done.



  4.  
  5. After the datasource is created, select the datasource for editing.

    You can then update the URL to the necessary format above. Select Apply to save this change.

    When configuring the JDBC driver in the WebSphere Application Server, the documents referenced below refer to setting connection properties.
    The way you set this in the application server is by setting connectionProperties custom property in the datasource config.

    First select "Custom properties" under "Additional Properties".
    Select "New" to create a new property.

    Here is an example:

    property name:
    connectionProperties
    (Make sure the name is set to the correct case)

    property value:
    oracle.net.ssl_cipher_suites=(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA);C=c;D=d

    property type:
    String

    To add more connection properties, you simply add ";" and then a name/value pair.

    For example, to use with an Oracle Wallet, you could do this:

    property value:
    javax.net.ssl.trustStore=C:/app/oracle/MyTestWallets/client_wallet/ewallet.p12; javax.net.ssl.trustStoreType=PKCS12; javax.net.ssl.trustStorePassword=bugaboo#; oracle.net.ssl_version=3.0

    Select "Ok" and then save the changes.



  6.  
  7. Use "Test connection" to verify that the connection can be made.

 

 

There are two Oracle documents that are useful when using Oracle SSL with JDBC:

 

 

 

title image (modified) credits: (cc) Some rights reserved by geralt and Nemo

 

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"","label":""},"Component":"","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}}]

UID

ibm11081185