![A Look at 30 Key Cyber Crime Statistics [2023 Data Update]](https://www.thesslstore.com/blog/wp-content/uploads/2022/02/cyber-crime-statistics-feature2-75x94.jpg)
(No Ratings Yet)
Loading...How to Activate SSL in Oracle JDBC Thin Driver
A quick guide on how to activate SSL in Oracle JDBC Thin Driver
Activating SSL in Oracle JDBC Thin Driver is an extremely important step in enacting a much larger, more comprehensive advanced security implementation. Today we’re going to take a quick look at how to activate SSL in a number of configurations in Oracle JDBC Thin Driver.
Let’s get started.
Implementation 1: Use SSL for Encryption Only
In the most basic implementation where you want to use SSL for encryption only, you must use what is called “Diffie-Hellman anonymous authentication” or else the connection will fail.
There are three Cipher Suites available for this:
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
- SSL_DH_anon_WITH_RC4_128_MD5
- SSL_DH_anon_WITH_DES_CBC_SHA
Using Diffie-Hellman anonymous authentication will cause the server and the client not to be authenticated via SSL. However, this doesn’t mean there will be no authentication in the Oracle database, but rather the authentication will have to be done another way.
Server Authentication
You need to configure the “listener” to switch off client authentication:
LISTENER = (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484)) )
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path)))
SSL_CLIENT_AUTHENTICATION=FALSE
You also need to turn off SSL client authentication in sqlnet.ora:
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path)))
SSL_CLIENT_AUTHENTICATION=FALSE
JDBC Thin Client Configuration
While you don’t have to configure the “truststore” or “keystore,” you do need to force the Cipher Suite to use Diffie-Hellman anonymous authentication:
String url =
“jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servernam
e)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))”;
Properties props = new Properties();
props.setProperty(“user”, “scott”);
props.setProperty(“password”, “tiger”);
props.setProperty(“oracle.net.ssl_cipher_suites”,
“(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,
SSL_DH_anon_WITH_DES_CBC_SHA)”);
Connection conn=DriverManager.getConnection(url,props);
Implementation 2: Use SSL for Encryption and Server Authentication
In this implementation, any Cipher Suite except Diffie-Hellman anonymous authentication can be used.
Server Configuration
The server configuration remains unchanged in this implementation.
JDBC Thin Client Configuration
You can use any format of the “truststore” provided you specify the provider of said format. Sun’s default PKI provider supports the JKS format or Wallets can also be used with Oracle’s PKI provider.
If the “truststore” is JKS format:
String url =
“jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servernam
e)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))”);
Properties props = new Properties();
props.setProperty(“user”, “scott”);
props.setProperty(“password”, “tiger”);
props.setProperty(“javax.net.ssl.trustStore”,
“D:\\truststore\\truststore.jks”);
props.setProperty(“javax.net.ssl.trustStoreType”,”JKS”);
props.setProperty(“javax.net.ssl.trustStorePassword”,”welcome123″);
Connection conn = DriverManager.getConnection(url, props);
If the “truststore” is a wallet:
String url =
“jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servernam
e)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))”);
Properties props = new Properties();
props.setProperty(“user”, “scott”);
props.setProperty(“password”, “tiger”);
props.setProperty(“javax.net.ssl.trustStore”,
“/truststore/ewallet.p12”);
props.setProperty(“javax.net.ssl.trustStoreType”,”PKCS12″);
props.setProperty(“javax.net.ssl.trustStorePassword”,”welcome123″);
Connection conn = DriverManager.getConnection(url, props);
Note: If you are using Oracle SSO wallets (if you turned on “auto login” when you created the “truststore” wallet), there is no need to use a password.
props.setProperty(“javax.net.ssl.trustStore”,
“/truststore/cwallet.sso”);
props.setProperty(“javax.net.ssl.trustStoreType”,”SSO”);
Check the Server’s Distinguished Name
If the Server has been successfully authenticated (i.e. it has a trusted certificate), its DN can be checked.
The expected DN is specified in the JDBC URL:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername
)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename))(SECURITY=(SSL_SE
RVER_CERT_DN=\”CN=server_test,C=US\”)))
The following property need to be used to focuse the JDBC Thin Driver to verify the DN:
props.setProperty(“oracle.net.ssl_server_dn_match”, “true”);
Implementation 3: Use SSL for Encryption and Authentication of Both Tiers
Another implementation is to use SSL for both Encryption and Authentication of both tiers.
Server Configuration
You need to configure the “listener” to turn on client authentication:
LISTENER = (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484)) ) WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wa llet/path)))
SSL_CLIENT_AUTHENTICATION=TRUE
SSL Client Authentication also needs to be turned on in sqlnet.ora:
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path)))
SSL_CLIENT_AUTHENTICATION=TRUE
Note: The location for the wallet in listener.ora and sqlnet.ora must be the same.
JDBC Thin Client Configuration
Your “truststore” needs to be specified as indicated in the above section. Because the client must be authenticated via the server, you must specify a “keystore.”
The “keystore” contains the client certificate and also a set of private/public keys. You can use any format for the “keystore” provided you specify a provider for that format. Sun’s default PKI provider supports JKS and PKCS12.
If you use a JKS keystore, Sun’s PKI provider will be used. If you use PKCS12 or SSO wallets, then Oracle’s PKI provider must be used.
If you don’t provide a “keystore,” the server cannot verify the client certificate and the SSL handshake will fail.
If the keystore format type is JKS:
props.setProperty(“javax.net.ssl.keyStore”, “D:\\client_jks\\keystore.jks”); props.setProperty(“javax.net.ssl.keyStoreType”,”JKS”); props.setProperty(“javax.net.ssl.keyStorePassword”,”welcome123″);
If the keystore is a wallet:
props.setProperty(“javax.net.ssl.keyStore”, “/client_wallet/ewallet.p12”); props.setProperty(“javax.net.ssl.keyStoreType”,”PKCS12″); props.setProperty(“javax.net.ssl.keyStorePassword”,”welcome123″);
If you use SSO wallets (no password required):
props.setProperty(“javax.net.ssl.keyStore”, “/truststore/cwallet.sso”); props.setProperty(“javax.net.ssl.keyStoreType”,”SSO”);
Implementation 4: Use SSL as an Authentication Service in the Database
A database user that is identified by DN may be authenticated through SSL. This requires SSL client authentication be enabled. The server will verify the client credentials during the SSL handshake and if SSL authentication service is enabled, the Database user will be authenticated with the Database through his SSL credential.
Note: In this section, SSL will be used to authenticate a Database user, meaning each Database user will have to possess his own certificate.
Server Configuration
“Listener” configuration is the same as in the previous sections.
You also need to enable SSL authentication service in sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES = (tcps, beq, none)
A user that is identified externally as his DN has to be created. For example:
SQL> create user sslclient identified externally as
‘CN=client_test,C=US’;
User created.
SQL> grant connect,create session to sslclient;
Grant succeeded.
JDBC Thin Client Configuration
The connection property:
“oracle.net.authentication_services”
Must be used to activate SSL authentication.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown