How to Activate SSL in Oracle JDBC Thin Driver

A quick guide on how to activate SSL in Oracle JDBC Thin Driver

Activating SSL in Oracle JDBC Thin Driver is an extremely important step in enacting a much larger, more comprehensive advanced security implementation. Today we’re going to take a quick look at how to activate SSL in a number of configurations in Oracle JDBC Thin Driver.

Let’s get started.

Implementation 1: Use SSL for Encryption Only

In the most basic implementation where you want to use SSL for encryption only, you must use what is called “Diffie-Hellman anonymous authentication” or else the connection will fail.

There are three Cipher Suites available for this:

  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
  • SSL_DH_anon_WITH_RC4_128_MD5
  • SSL_DH_anon_WITH_DES_CBC_SHA

With Diffie-Hellman anonymous authentication, neither the server nor the client is authenticated via SSL. This doesn’t mean there will be no authentication in the Oracle database; rather, the authentication will have to be done another way.

Server Configuration
You need to configure the “listener” to switch off client authentication:

LISTENER = (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484)) )
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path)))
SSL_CLIENT_AUTHENTICATION=FALSE

You also need to turn off SSL client authentication in sqlnet.ora:

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path)))
SSL_CLIENT_AUTHENTICATION=FALSE

JDBC Thin Client Configuration
While you don’t have to configure the “truststore” or “keystore,” you do need to force the Cipher Suite to use Diffie-Hellman anonymous authentication:

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

// Connect string: TCPS protocol on the SSL port 2484
String url =
    "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))";
Properties props = new Properties();
props.setProperty("user", "scott");
props.setProperty("password", "tiger");
// Restrict the handshake to the anonymous Diffie-Hellman suites
props.setProperty("oracle.net.ssl_cipher_suites",
    "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA)");
Connection conn = DriverManager.getConnection(url, props);

Implementation 2: Use SSL for Encryption and Server Authentication

In this implementation, any Cipher Suite except Diffie-Hellman anonymous authentication can be used.

Server Configuration

The server configuration remains unchanged in this implementation.

JDBC Thin Client Configuration

You can use any format of the “truststore” provided you specify the provider of said format. Sun’s default PKI provider supports the JKS format; wallets can also be used with Oracle’s PKI provider.

If the “truststore” is JKS format:

String url =
    "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))";
Properties props = new Properties();
props.setProperty("user", "scott");
props.setProperty("password", "tiger");
// JKS truststore holding the CA certificate that signed the server certificate
props.setProperty("javax.net.ssl.trustStore", "D:\\truststore\\truststore.jks");
props.setProperty("javax.net.ssl.trustStoreType", "JKS");
props.setProperty("javax.net.ssl.trustStorePassword", "welcome123");
Connection conn = DriverManager.getConnection(url, props);

If the “truststore” is a wallet:

String url =
    "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))";
Properties props = new Properties();
props.setProperty("user", "scott");
props.setProperty("password", "tiger");
// PKCS12 wallet used as the truststore (requires Oracle's PKI provider)
props.setProperty("javax.net.ssl.trustStore", "/truststore/ewallet.p12");
props.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
props.setProperty("javax.net.ssl.trustStorePassword", "welcome123");
Connection conn = DriverManager.getConnection(url, props);

Note: If you are using Oracle SSO wallets (if you turned on “auto login” when you created the “truststore” wallet), there is no need to use a password.

props.setProperty("javax.net.ssl.trustStore", "/truststore/cwallet.sso");
props.setProperty("javax.net.ssl.trustStoreType", "SSO");

Check the Server’s Distinguished Name

If the Server has been successfully authenticated (i.e. it has a trusted certificate), its DN can be checked.

The expected DN is specified in the JDBC URL:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename))(SECURITY=(SSL_SERVER_CERT_DN=\"CN=server_test,C=US\")))

The following property needs to be set to force the JDBC Thin Driver to verify the DN:

props.setProperty("oracle.net.ssl_server_dn_match", "true");
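The following complete program is an added example, not code from the original post: it puts the pieces of Implementation 2 together (JKS truststore, expected server DN in the URL, DN matching switched on) and then asks the database which network protocol the session is actually using, which is a simple way to confirm that the connection really went over TCPS. The host, port, service name, expected DN and the environment variable names (DB_USER, DB_PASSWORD, DB_TRUSTSTORE, DB_TRUSTSTORE_PASSWORD) are assumptions; the Oracle JDBC driver jar must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/*
 * Added example (not from the original post): SSL with server authentication
 * through a JKS truststore, plus a check of the server certificate's DN.
 * Host, port, service name, expected DN and the environment variable names
 * are assumptions; replace them with your own.
 */
public class SslServerAuthExample {

    private static final String HOST = "servername";       // assumed
    private static final int PORT = 2484;                  // assumed
    private static final String SERVICE = "servicename";   // assumed
    private static final String EXPECTED_SERVER_DN = "CN=server_test,C=US"; // assumed

    // Reads a required setting from the environment and fails early if it is missing.
    static String env(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }

    // JDBC URL with the expected server DN under SECURITY; the inner quotes
    // around the DN have to be escaped inside the Java string literal.
    static String buildUrl() {
        return "jdbc:oracle:thin:@(DESCRIPTION="
            + "(ADDRESS=(PROTOCOL=tcps)(HOST=" + HOST + ")(PORT=" + PORT + "))"
            + "(CONNECT_DATA=(SERVICE_NAME=" + SERVICE + "))"
            + "(SECURITY=(SSL_SERVER_CERT_DN=\"" + EXPECTED_SERVER_DN + "\")))";
    }

    static Properties buildProperties() {
        Properties props = new Properties();
        // Database credentials come from the environment rather than the source file.
        props.setProperty("user", env("DB_USER"));
        props.setProperty("password", env("DB_PASSWORD"));
        // Truststore holding the CA certificate that signed the server certificate.
        props.setProperty("javax.net.ssl.trustStore", env("DB_TRUSTSTORE"));
        props.setProperty("javax.net.ssl.trustStoreType", "JKS");
        props.setProperty("javax.net.ssl.trustStorePassword", env("DB_TRUSTSTORE_PASSWORD"));
        // Without this the SSL_SERVER_CERT_DN in the URL is not enforced.
        props.setProperty("oracle.net.ssl_server_dn_match", "true");
        return props;
    }

    // Asks the database which network protocol this session is using.
    static String sessionProtocol(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM dual")) {
            rs.next();
            return rs.getString(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(buildUrl(), buildProperties())) {
            String protocol = sessionProtocol(conn);
            if (!"tcps".equalsIgnoreCase(protocol)) {
                throw new IllegalStateException("Expected tcps but session uses " + protocol);
            }
            System.out.println("Connected over " + protocol
                + "; server DN verified against " + EXPECTED_SERVER_DN);
        }
    }
}
```

If the server presents a certificate whose DN differs from SSL_SERVER_CERT_DN, getConnection fails before any SQL runs, which is the behaviour you want: a wrong or substituted server is rejected at the handshake rather than after credentials have been sent.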

Implementation 3: Use SSL for Encryption and Authentication of Both Tiers

Another implementation is to use SSL for both Encryption and Authentication of both tiers.

Server Configuration
You need to configure the “listener” to turn on client authentication:

LISTENER = (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484)) )
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path)))
SSL_CLIENT_AUTHENTICATION=TRUE

SSL Client Authentication also needs to be turned on in sqlnet.ora:

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path)))
SSL_CLIENT_AUTHENTICATION=TRUE

Note: The location for the wallet in listener.ora and sqlnet.ora must be the same.

JDBC Thin Client Configuration

Your “truststore” needs to be specified as indicated in the above section. Because the client must be authenticated by the server, you must also specify a “keystore.”

The “keystore” contains the client certificate and also a set of private/public keys. You can use any format for the “keystore” provided you specify a provider for that format. Sun’s default PKI provider supports JKS and PKCS12.

If you use a JKS keystore, Sun’s PKI provider will be used. If you use PKCS12 or SSO wallets, then Oracle’s PKI provider must be used.

If you don’t provide a “keystore,” the server cannot verify the client certificate and the SSL handshake will fail.

If the keystore format type is JKS:

props.setProperty("javax.net.ssl.keyStore", "D:\\client_jks\\keystore.jks");
props.setProperty("javax.net.ssl.keyStoreType", "JKS");
props.setProperty("javax.net.ssl.keyStorePassword", "welcome123");

If the keystore is a wallet:

props.setProperty("javax.net.ssl.keyStore", "/client_wallet/ewallet.p12");
props.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
props.setProperty("javax.net.ssl.keyStorePassword", "welcome123");

If you use SSO wallets (no password required):

props.setProperty("javax.net.ssl.keyStore", "/truststore/cwallet.sso");
props.setProperty("javax.net.ssl.keyStoreType", "SSO");

Implementation 4: Use SSL as an Authentication Service in the Database

A database user that is identified by DN may be authenticated through SSL. This requires SSL client authentication to be enabled. The server verifies the client credentials during the SSL handshake and, if the SSL authentication service is enabled, the database user is authenticated to the database with their SSL credential.

Note: In this section, SSL will be used to authenticate a Database user, meaning each Database user will have to possess his own certificate.

Server Configuration
“Listener” configuration is the same as in the previous sections.

You also need to enable SSL authentication service in sqlnet.ora:

SQLNET.AUTHENTICATION_SERVICES = (tcps, beq, none)

A user identified externally by DN has to be created. For example:

SQL> create user sslclient identified externally as 'CN=client_test,C=US';
User created.
SQL> grant connect,create session to sslclient;
Grant succeeded.

JDBC Thin Client Configuration

The connection property “oracle.net.authentication_services” must be used to activate SSL authentication.

4 comments
    • This post predates Hashed Out, but thanks for pointing this out, I’ll take this down and make sure it has proper attribution.

  • I’m trying to do this within tomcat, using web.xml – how would I set the connection properties? Do I need commas between them? This web.xml configuration works to create an application specific DB connection using the 1521 port if I remove the connectionProperties and use the 1521 parameter line.

    type
    SIMPLE

    datasource
    mydatasource

    driver
    oracle.jdbc.OracleDriver

    url
    <!-- jdbc:oracle:thin:@myserver.mydomain.com:1521:mydatasource -->
    jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS=(PROTOCOL=TCPS)(PORT=2484)(HOST=myserver.mydomain.com))(CONNECT_DATA=(SERVICE_NAME=mydatasource.myserver.mydomain.com)))

    connectionProperties
    javax.net.ssl.trustStore="/usr/share/tomcat/conf/TrustStore.jks javax.net.ssl.trustStoreType="JKS" javax.net.ssl.trustStorePassword="mypassword"

    username
    myuser

    password
    mydbpass

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.