Before you encrypt data traffic for the Oracle database
The decision to encrypt data traffic for the Oracle database includes several considerations.
Consider the following items when you configure database traffic encryption:
- Sterling B2B Integrator must be installed in TCP (clear) mode before you can configure encryption.
- Perform these changes to your database before you install Sterling B2B Integrator.
- Configure wallets for encryption-only mode even if the wallet that is used is empty. Enable auto login for all wallets.
- If you want to use SSL for encryption only, it is recommended to follow the instructions in the "CASE #1: USE SSL FOR ENCRYPTION ONLY" section of the Oracle documentation. It is not necessary to configure certificates for the wallet. In this mode, Diffie-Hellman ciphers are used. The server and the client are not authenticated through SSL. You must authenticate by using a user name and a password. However, if you are running Sterling B2B Integrator on an operating system that requires an IBM® JDK, you cannot use this mode, as IBM JSSE TrustManager does not permit anonymous ciphers. You must configure wallets with certificates.
- If you want to use SSL for encryption and for server authentication, it is recommended to follow the instructions in the "CASE #2: USE SSL FOR ENCRYPTION AND SERVER AUTHENTICATION" section of the Oracle documentation.
- If you want to use SSL for encryption and for authentication of both tiers, it is recommended to follow the instructions in the "CASE #3: USE SSL FOR ENCRYPTION AND AUTHENTICATION OF BOTH TIERS" section of the Oracle documentation, depending on how you intend to configure client or server authentication.
- After you configure your database for data traffic encryption, the database accepts both TCP (clear) and TCPS (encrypted) connections.
- There is a known issue in the Oracle 11g database when the listener is configured only for TCPS. The lsnrctl utility, which is used to start and stop database listeners, attempts to contact the listener on the first address that is enabled in its address list. Define the address list of the listener so that a TCP or IPC address comes before the TCPS address.
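The following listener.ora fragment is an added example of the address ordering described above and of the wallet settings from the earlier items; it is not taken from the Oracle or Sterling B2B Integrator documentation. The host name, ports, IPC key, and wallet directory are assumed values that you replace with your own.

```text
# Added example (not from the product documentation). Assumed values:
# host dbhost.example.com, TCP port 1521, TCPS port 2484, wallet directory
# /u01/app/oracle/wallet. IPC and TCP addresses are listed before TCPS so that
# lsnrctl reaches the listener on a clear address first (Oracle 11g known issue).
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))
    )
  )

# Wallet used by the listener for TCPS. The directory must hold an auto-login
# wallet (cwallet.sso) so the listener can open it without a password, as the
# "enable auto login for all wallets" item requires. For encryption-only mode
# the wallet may be empty of certificates but must still exist.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )

# FALSE for encryption-only or server-authentication-only setups (CASE #1 and
# CASE #2); set to TRUE only when the client tier is also authenticated (CASE #3).
SSL_CLIENT_AUTHENTICATION = FALSE
```

After editing the file, reload the listener and confirm with `lsnrctl status` that all three addresses are listed and that the TCP (clear) endpoint is still reported, since Sterling B2B Integrator must be installed over TCP before the TCPS connection is configured.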