Managing secrets to protect sensitive Oracle SSL configuration data

If you plan to use SSL for your Oracle database, create a secret manually to protect the certificate data for the database.

About this task

The steps for creating the secret vary depending on whether your database enables server only or both server and client authentication.

Procedure

  1. Export your certification by running a command like the following example (example is for Linux®) on your local or remote database server:
    orapki wallet export -wallet <the-path-to-your-wallet-file> -pwd -dn "CN=hostname" -cert /tmp/<your-certification-name>.crt
  2. Create the certificate secret for your database server by running a command like the following example:
    kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-certification-name>.crt
    Note: In the <your-certification-name>.crt file, you can add multiple certificates like in the following example:
    -----BEGIN CERTIFICATE-----
    MIIGXTCCBU****
    Kwa==
    -----END CERTIFICATE-----
    ...
    -----BEGIN CERTIFICATE-----
    MIIGX****
    Kws==
    -----END CERTIFICATE-----

What to do next

Use the name of your secret to create the configuration for an SSL database connection when you complete your CR YAML file.
The following values specify the SSL database configuration:
dc_ssl_enabled: true
For example, for the relevant datasource for your IBM FileNet® Content Manager deployment, your CR might look like the following sample snip:

datasource_configuration:
    dc_ssl_enabled: true
    dc_gcd_datasource:
      dc_database_type: "oracle"
      dc_oracle_gcd_jdbc_url: "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST={host})(PORT={port}))(CONNECT_DATA=(SERVICE_NAME={dbname})))"
      ...
      database_ssl_secret_name: "ibm-oracle-ssl-secret"
    dc_os_datasources:
    - dc_database_type: "oracle"
      dc_oracle_gcd_jdbc_url: "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST={host})(PORT={port}))(CONNECT_DATA=(SERVICE_NAME={dbname})))" 
      ...
      database_ssl_secret_name: "ibm-oracle-ssl-secret"
Important: Make sure that the Oracle SSL JDBC URL uses the following format: "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST={host})(PORT={port}))(CONNECT_DATA=(SERVICE_NAME={dbname})))".

Also remember to add the database user name and password to the ibm-fncm-secret.