WebSphere Application Server & Liberty

  • 1.  How to setup TLS for Oracle Datasource?

    Posted Fri September 25, 2020 05:49 PM
    Hello!
    Could somebody please explain what can be done to achieve a secure database connection from WAS 8 or 9 to Oracle 12.2?

    Currently, what we have done:
    1. set up a wallet on the database side
    2. set up a test node on WAS 8 ND
    3. tested the wallet from a Windows workstation, just to check that an SSL connection is possible: successful
    4. on the test node (2) we created a self-signed certificate: SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates.
    5. placed the self-signed certificate from the DB wallet into SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
    6. placed the self-signed certificate from (4) into the trusted certificates of the wallet; thus we exchanged trusted certificates on both sides.
    7. as the connect string in the new datasource we set jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=dbhostname)(PORT=1543))(CONNECT_DATA=(SERVICE_NAME=dbservicename)))
    At this point, if we try to test the created datasource, it fails with this error in SystemOut.log:

    [9/25/20 13:53:03:423 MSK] 0000006c SystemOut O Default : 2, WRITE: TLSv1.2 Handshake, length = 64
    [9/25/20 13:53:03:423 MSK] 0000006c SystemOut O Default : 2, READ: TLSv1.2 Alert, length = 2
    [9/25/20 13:53:03:423 MSK] 0000006c SystemOut O Default : 2, RECV TLSv1.2 ALERT: fatal, handshake_failure
    [9/25/20 13:53:03:423 MSK] 0000006c SystemOut O Default : 2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
    [9/25/20 13:53:03:423 MSK] 0000006c SystemOut O Default : 2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
    [9/25/20 13:53:03:425 MSK] 0000006c DSConfigurati W DSRA8201W: DataSource Configuration: DSRA8040I: Failed to connect to the DataSource jdbc/SSL. Encountered java.sql.SQLRecoverableExcep
    java.sql.SQLRecoverableException: IO Error: Received fatal alert: handshake_failure, connect lapse 9 ms., Authentication lapse 0 ms. DSRA0010E: SQL State = 08006, Error Code = 17,002

    How can it be fixed?

    ------------------------------
    Oleg SAgay
    ------------------------------


  • 2.  RE: How to setup TLS for Oracle Datasource?

    Posted Sun September 27, 2020 11:50 AM
    The connection is established by the driver code, so you have to provide all information explicitly in the custom properties of the data source, including the path to the trust key store (sslConnection=true, connectionProperties= oracle.net.ssl_version=3.0;javax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/profiles/profileName/etc/trust.p12;javax.net.ssl.trustStoreType=PKCS12;javax.net.ssl.trustStorePassword=YourPassword)
    See note: https://www.ibm.com/support/pages/websphere-application-server-and-oracle-ssloracle-wallet

    ------------------------------
    Sebastian Tylko
    ------------------------------



  • 3.  RE: How to setup TLS for Oracle Datasource?

    Posted Wed September 30, 2020 03:17 AM

    Thank you for your attention!
    Yes, I did that, but used another freshly created JKS with the DB and WAS host certificates and created 2 custom properties in the datasource:
    connectionProperties=
    oracle.net.ssl_version=3.0;SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA);javax.net.ssl.trustStore=H:\\WAS9\\cert\\DS_trust.p12;javax.net.ssl.trustStoreType=PKCS12;javax.net.ssl.trustStorePassword=zzzz

    SSL_CIPHER_SUITES: exactly the same as in sqlnet.ora

    Now in WAS I get an "I/O error":

    java.sql.SQLRecoverableException: Ошибка ввода/вывода: IO Error Received fatal alert: handshake_failure, Authentication lapse 0 ms. DSRA0010E: Состояние SQL = 08006, Код ошибки = 17 002
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:874)
    …..
    Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
    at com.ibm.jsse2.k.a(k.java:5)

    And on the DB side:

    [29-SEP-2020 17:58:32:408] SSL_Info: SSLv3 read client certificate A (TLSv12 protocol)
    [29-SEP-2020 17:58:32:408] nttwr: entry
    [29-SEP-2020 17:58:32:408] nttwr: socket 16 had bytes written=7
    [29-SEP-2020 17:58:32:408] nttwr: exit
    [29-SEP-2020 17:58:32:408] nzosp_bio_write: processed=7, ret=0
    [29-SEP-2020 17:58:32:408] nzbiowrite: write 7/7 bytes
    [29-SEP-2020 17:58:32:408] 0: 15030300 020228-- -------- -------- |......( |

    [29-SEP-2020 17:58:32:408] SSL_Alert: write - fatal - handshake failure
    [29-SEP-2020 17:58:32:408] SSL_Alert: write - fatal - handshake failure
    [29-SEP-2020 17:58:32:408] SSL_Info: error in SSLv3 verify peer certificate
    [29-SEP-2020 17:58:32:408] nzos_Handshake: Handshake error(cb=0,rc=-1,rer=1,ser=336105671) - error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
    [29-SEP-2020 17:58:32:408] nzos_Handshake: exit
    [29-SEP-2020 17:58:32:408] ntzdosecneg: SSL handshake failed with error 29024.
    [29-SEP-2020 17:58:32:408] ntzdosecneg: exit
    [29-SEP-2020 17:58:32:408] ntzcontrol: failed with error 542
    [29-SEP-2020 17:58:32:408] ntzcontrol: exit

    Which certificate have I missed?? I can see both sides' certificates in the logs....



    ------------------------------
    Oleg SAgay
    ------------------------------



  • 4.  RE: How to setup TLS for Oracle Datasource?

    Posted Wed September 30, 2020 06:21 AM
    The SSL/TLS version must be the same on the client as configured on the server, and you probably don't want to use SSLv3 from my example (which is ooold).
    If you have TLS 1.0 on the server, then it should be: oracle.net.ssl_version=1.0
    For WAS9 (Java 8) you don't have to enable any cipher suites explicitly in properties.
    Check Oracle documentation here:
    https://docs.oracle.com/en/database/oracle/oracle-database/12.2/jjdbc/client-side-security.html#GUID-2BD2F189-A58C-4A85-8524-CFD9BB9AC575
    And check twice that you have the proper Oracle certificate in your trust store. The easiest way is to just retrieve it from the working server port as described here:
    https://www.ibm.com/support/knowledgecenter/en/SSEQTP_9.0.5/com.ibm.websphere.base.doc/ae/tsec_sslretrievesignersport.html and point the connection property to the WAS trust store.

    ------------------------------
    Sebastian Tylko
    ------------------------------
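    As an added example (not code from this thread, from IBM or from Oracle), here is a small Python checker that parses a WAS connectionProperties value and reads the two log excerpts posted above: on the Oracle side, OpenSSL's "peer did not return a certificate" means the listener asked for a client certificate and the data source, configured with a trust store only, never sent one, while the client side only sees the resulting handshake_failure alert. The javax.net.ssl.keyStore* names are the standard JSSE properties the Oracle thin driver accepts, SSL_CLIENT_AUTHENTICATION is the sqlnet.ora parameter that controls that server-side request, and the trust store path is a placeholder.

```python
# Constructed sample input: abbreviated WAS SystemOut.log and Oracle sqlnet trace
# lines modelled on the ones quoted in the thread, plus the posted connectionProperties.
WAS_SYSTEMOUT = [
    "0000006c SystemOut O Default : 2, RECV TLSv1.2 ALERT: fatal, handshake_failure",
    "java.sql.SQLRecoverableException: IO Error: Received fatal alert: handshake_failure",
]
ORACLE_TRACE = [
    "[29-SEP-2020 17:58:32:408] SSL_Info: error in SSLv3 verify peer certificate",
    "[29-SEP-2020 17:58:32:408] nzos_Handshake: Handshake error(cb=0,rc=-1,rer=1,ser=336105671)"
    " - error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate",
]
CONNECTION_PROPERTIES = (
    "oracle.net.ssl_version=3.0;"
    "javax.net.ssl.trustStore=/path/to/DS_trust.p12;"  # placeholder path
    "javax.net.ssl.trustStoreType=PKCS12;"
    "javax.net.ssl.trustStorePassword=zzzz"
)

def parse_connection_properties(value):
    """Split a WAS 'connectionProperties' custom property (key=value;key=value) into a dict."""
    props = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            props[key.strip()] = val.strip()
    return props

def diagnose(props, was_lines, db_lines):
    """Return (code, advice) findings for a failed TCPS handshake, client and server side."""
    findings = []
    was, db = "\n".join(was_lines), "\n".join(db_lines)
    if "handshake_failure" in was:
        findings.append(("HANDSHAKE_FAILURE", "server rejected the handshake; the reason is in the sqlnet trace"))
    # OpenSSL's 'peer did not return a certificate': the server asked for a client
    # certificate (SSL_CLIENT_AUTHENTICATION=TRUE in sqlnet.ora) and the client sent none.
    if "peer did not return a certificate" in db:
        findings.append(("CLIENT_CERT_REQUIRED", "server requires a client certificate (mutual TLS)"))
        if "javax.net.ssl.keyStore" not in props:
            findings.append(("MISSING_KEYSTORE", "add javax.net.ssl.keyStore, keyStoreType and keyStorePassword for the WAS certificate the wallet trusts"))
    # Java's PKIX message on the client side: the server certificate's signer is not in the trust store.
    if "unable to find valid certification path" in was:
        findings.append(("UNTRUSTED_SERVER_CERT", "import the database certificate/CA into the trust store named in javax.net.ssl.trustStore"))
    if props.get("oracle.net.ssl_version") == "3.0":
        findings.append(("SSLV3_CONFIGURED", "oracle.net.ssl_version=3.0 selects SSLv3; use the TLS version the server accepts, e.g. 1.2"))
    for key in ("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword"):
        if key not in props:
            findings.append(("MISSING_TRUSTSTORE_SETTING", "connectionProperties lacks " + key))
    return findings
```

    Run diagnose(parse_connection_properties(CONNECTION_PROPERTIES), WAS_SYSTEMOUT, ORACLE_TRACE) against your own SystemOut.log and sqlnet trace excerpts; with the posted configuration it reports the missing key store and the SSLv3 setting.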



  • 5.  RE: How to setup TLS for Oracle Datasource?

    Posted Thu October 01, 2020 06:15 AM
    It's been a while since I set this up for a WebSphere 9 environment. What I noticed back then was that I needed at least a 12.2 version Oracle JDBC driver (12.2.0.1). With a driver of a slightly lower version, the connection was not successful, but I don't remember what kind of (SSL) errors were generated then. The suggestion to use a higher TLS version (and not SSLv3) is also a good one.

    ------------------------------
    Jos Koeken
    ------------------------------