Creating secrets to protect sensitive Oracle SSL configuration data

If you plan to use SSL for your Oracle database, create a secret manually to protect the certificate data for the database.

About this task

The steps for creating the secret vary depending on whether your database uses server-only authentication or both server and client authentication.

Procedure

  1. Export your certificate by running a command like the following example (the example is for Linux®) on your local or remote database server. `-pwd` takes the wallet password; `<your-wallet-password>` is a placeholder you replace with your own value:
    orapki wallet export -wallet <the-path-to-your-wallet-file> -pwd <your-wallet-password> -dn "CN=hostname" -cert /tmp/<your-certificate-name>.crt
  2. Create the certificate secret for your database server by running a command like the following example:
    kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-certificate-name>.crt

    The name of the secret you create (ibm-oracle-ssl-cert-secret in the example that follows) is the value for the trusted_certificate_list parameter.

What to do next

Use the name of your secret to create the configuration for an SSL database connection when you complete your CR YAML file.
First, add the secret to the trusted certificate list in the shared configuration:
shared_configuration:
  trusted_certificate_list:
    - <your-secret-name>
The following values specify the SSL database configuration:
dc_ssl_enabled: true
For example, for the relevant datasource of your FileNet® Content Manager deployment, your CR might look like the following sample snippet:
shared_configuration:
  trusted_certificate_list:
    - ibm-oracle-ssl-cert-secret
datasource_configuration:
    dc_ssl_enabled: true
    dc_gcd_datasource:
      # valid values for dc_database_type are "db2", "db2HADR", "oracle", "sqlserver", and "postgresql"
      dc_database_type: "oracle"
      database_servername: "hostname.fyre.ibm.com"
      database_name: "GCDDB"
      database_port: "5555"
      dc_oracle_gcd_jdbc_url: "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=hostname.fyre.ibm.com)(PORT=5555))(CONNECT_DATA=(SERVICE_NAME=orcl)))"
    dc_os_datasources:
    - dc_database_type: "oracle"
      database_servername: "hostname.fyre.ibm.com"
      database_name: "OS1DB"
      database_port: "5555"
      dc_oracle_os_jdbc_url: "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=hostname.fyre.ibm.com)(PORT=5555))(CONNECT_DATA=(SERVICE_NAME=orcl)))"

Also remember to add the database user name and password to the ibm-fncm-secret.
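A common misconfiguration when wiring this up is to set dc_ssl_enabled to true while a JDBC URL still says PROTOCOL=TCP, or to forget to list the secret under trusted_certificate_list, so the connection either fails or silently falls back to an unencrypted protocol. The following check is an added example, not code from the product or this page: it parses the TNS descriptor of each Oracle thin JDBC URL and verifies that, under dc_ssl_enabled, every Oracle datasource uses TCPS, that a trusted certificate secret is listed, and that HOST/PORT in the URL match the datasource's own servername/port. The CR is represented as a Python dict constructed to mirror the snippet above (load your real CR with a YAML parser first).

```python
import re
from typing import Dict, List

# Constructed sample mirroring the CR snippet on this page; hostname and port
# are the page's placeholder values, not a real deployment.
TCPS_URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)"
            "(HOST=hostname.fyre.ibm.com)(PORT=5555))"
            "(CONNECT_DATA=(SERVICE_NAME=orcl)))")
SAMPLE_CR = {
    "shared_configuration": {"trusted_certificate_list": ["ibm-oracle-ssl-cert-secret"]},
    "datasource_configuration": {
        "dc_ssl_enabled": True,
        "dc_gcd_datasource": {"dc_database_type": "oracle",
                              "database_servername": "hostname.fyre.ibm.com",
                              "database_port": "5555",
                              "dc_oracle_gcd_jdbc_url": TCPS_URL},
        "dc_os_datasources": [{"dc_database_type": "oracle",
                               "database_servername": "hostname.fyre.ibm.com",
                               "database_port": "5555",
                               "dc_oracle_os_jdbc_url": TCPS_URL}],
    },
}

def parse_tns_descriptor(url: str) -> Dict[str, str]:
    """Return the leaf (KEY=value) pairs of the TNS descriptor inside a thin JDBC URL."""
    return {k.upper(): v for k, v in re.findall(r"\((\w+)=([^()]+)\)", url)}

def check_datasource(ds: dict, url_key: str, ssl_enabled: bool) -> List[str]:
    """Flag an Oracle datasource whose JDBC URL contradicts the SSL setting or its host/port."""
    if ds.get("dc_database_type") != "oracle":
        return []  # the TCPS check only applies to Oracle thin URLs
    problems = []
    tns = parse_tns_descriptor(ds.get(url_key, ""))
    if ssl_enabled and tns.get("PROTOCOL", "").upper() != "TCPS":
        problems.append(f"{url_key}: PROTOCOL={tns.get('PROTOCOL')} but dc_ssl_enabled is true (expected TCPS)")
    for tns_key, ds_key in (("HOST", "database_servername"), ("PORT", "database_port")):
        if tns.get(tns_key) != ds.get(ds_key):
            problems.append(f"{url_key}: {tns_key}={tns.get(tns_key)} does not match {ds_key}={ds.get(ds_key)}")
    return problems

def check_cr(cr: dict) -> List[str]:
    """Check the Oracle SSL wiring of a CR: cert secret listed, every Oracle URL on TCPS."""
    shared = cr.get("shared_configuration", {})
    dsc = cr.get("datasource_configuration", {})
    ssl_enabled = bool(dsc.get("dc_ssl_enabled"))
    problems = []
    if ssl_enabled and not shared.get("trusted_certificate_list"):
        problems.append("dc_ssl_enabled is true but shared_configuration.trusted_certificate_list is empty")
    problems += check_datasource(dsc.get("dc_gcd_datasource", {}), "dc_oracle_gcd_jdbc_url", ssl_enabled)
    for os_ds in dsc.get("dc_os_datasources", []):
        problems += check_datasource(os_ds, "dc_oracle_os_jdbc_url", ssl_enabled)
    return problems  # empty list means the SSL wiring is consistent
```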