{"id":2877,"date":"2016-08-11T11:54:29","date_gmt":"2016-08-11T11:54:29","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=2877"},"modified":"2020-12-16T14:36:38","modified_gmt":"2020-12-16T19:36:38","slug":"activate-ssl-oracle-jdbc-thin-driver","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/activate-ssl-oracle-jdbc-thin-driver\/","title":{"rendered":"How to Activate SSL in Oracle JDBC Thin Driver"},"content":{"rendered":"<h2><strong>A quick guide on how to activate SSL in Oracle JDBC Thin Driver<\/strong><\/h2>\n<p>Activating SSL in the Oracle JDBC Thin Driver encrypts the session between the Java client and the database and, depending on how it is configured, also authenticates the server, the client, or both. This post walks through four configurations, from encryption only to using the client\u2019s SSL certificate as the database authentication credential.<\/p>\n<p>Let\u2019s get started.<\/p>\n<h2><strong>Implementation 1: Use SSL for Encryption Only<\/strong><\/h2>\n<p>In the most basic implementation, where SSL is used for encryption only and neither side presents a certificate, the handshake can only complete with an anonymous Diffie-Hellman cipher suite (\u201cDiffie-Hellman anonymous authentication\u201d); with any other suite the connection will fail, because the client has no trust anchor against which to validate the server.<\/p>\n<p>There are three cipher suites available for this:<\/p>\n<ul>\n<li><em>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA<\/em><\/li>\n<li><em>SSL_DH_anon_WITH_RC4_128_MD5<\/em><\/li>\n<li><em>SSL_DH_anon_WITH_DES_CBC_SHA<\/em><\/li>\n<\/ul>\n<p>Treat this as a lab-only stepping stone. An anonymous key exchange authenticates nobody, so anyone on the network path can place themselves between client and listener and read or alter the session without either end noticing, and DES, RC4 and 3DES are all broken or deprecated ciphers that current JDKs disable by default through <em>jdk.tls.disabledAlgorithms<\/em>. In other words, with Diffie-Hellman anonymous authentication neither the server nor the client is authenticated via SSL. 
However, this doesn\u2019t mean there will be no authentication in the Oracle database, but rather that the authentication will have to be done another way, in this configuration by the database username and password sent over the encrypted session.<\/p>\n<p><strong>Server Configuration<\/strong><br \/>\nYou need to configure the \u201clistener\u201d (listener.ora) to switch off client authentication:<\/p>\n<p class=\"mrgleft50\"><em>LISTENER = (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484)) )<br \/>\nWALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=\/server\/wallet\/path)))<br \/>\n<strong>SSL_CLIENT_AUTHENTICATION=FALSE<\/strong><\/em><\/p>\n<p>You also need to turn off SSL client authentication in sqlnet.ora:<\/p>\n<p class=\"mrgleft50\"><em>WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=\/server\/wallet\/path)))<br \/>\n<strong>SSL_CLIENT_AUTHENTICATION=FALSE<\/strong><\/em><\/p>\n<p><strong>JDBC Thin Client Configuration<\/strong><br \/>\nWhile you don\u2019t have to configure the \u201ctruststore\u201d or \u201ckeystore,\u201d you do need to force the <a href=\"https:\/\/www.thesslstore.com\/blog\/cipher-suites-algorithms-security-settings\/\">Cipher Suite<\/a> to use Diffie-Hellman anonymous authentication, since the driver will not offer an anonymous suite unless told to:<\/p>\n<p class=\"mrgleft50\"><em>String url =<br \/>\n&#8220;jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))&#8221;;<br \/>\nProperties props = new Properties();<br \/>\nprops.setProperty(&#8220;user&#8221;, &#8220;scott&#8221;);<br \/>\nprops.setProperty(&#8220;password&#8221;, &#8220;tiger&#8221;);<br \/>\nprops.setProperty(&#8220;oracle.net.ssl_cipher_suites&#8221;,<br \/>\n&#8220;(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,<br \/>\nSSL_DH_anon_WITH_DES_CBC_SHA)&#8221;);<br \/>\nConnection conn = DriverManager.getConnection(url, props);<\/em><\/p>\n<h2><strong>Implementation 2: Use SSL for Encryption and Server Authentication<\/strong><\/h2>\n<p>In this implementation, any cipher suite except the Diffie-Hellman anonymous ones can be used, and the driver validates the server certificate against the client\u2019s truststore during the handshake.<\/p>\n<p><strong>Server Configuration<\/strong><\/p>\n<p>The server configuration remains unchanged from Implementation 1: the listener presents the certificate from its wallet and does not request one from the client.<\/p>\n<p><strong>JDBC Thin Client Configuration<\/strong><\/p>\n<p>You can use any format for the \u201ctruststore\u201d provided a security provider for that format is available. The JDK\u2019s default PKI provider supports the JKS format; Oracle wallets (PKCS12 or SSO) can be used instead with Oracle\u2019s PKI provider, which ships as oraclepki.jar and must be on the classpath. Use a dedicated truststore that contains only the CA that issued your database certificates, not the JDK\u2019s default cacerts, so that a certificate from any public CA cannot pass as your database server.<\/p>\n<p>If the \u201ctruststore\u201d is JKS format:<\/p>\n<p class=\"mrgleft50\"><em>String url =<br \/>\n&#8220;jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))&#8221;;<br \/>\nProperties props = new Properties();<br \/>\nprops.setProperty(&#8220;user&#8221;, &#8220;scott&#8221;);<br \/>\nprops.setProperty(&#8220;password&#8221;, &#8220;tiger&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.trustStore&#8221;,<br \/>\n&#8220;D:\\\\truststore\\\\truststore.jks&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.trustStoreType&#8221;, &#8220;JKS&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.trustStorePassword&#8221;, &#8220;welcome123&#8221;);<br \/>\nConnection conn = DriverManager.getConnection(url, props);<\/em><\/p>\n<p>If the \u201ctruststore\u201d is a wallet:<\/p>\n<p class=\"mrgleft50\"><em>String url =<br \/>\n&#8220;jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))&#8221;;<br \/>\nProperties props = new Properties();<br \/>\nprops.setProperty(&#8220;user&#8221;, &#8220;scott&#8221;);<br \/>\nprops.setProperty(&#8220;password&#8221;, &#8220;tiger&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.trustStore&#8221;,<br 
\/>\n&#8220;\/truststore\/ewallet.p12&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.trustStoreType&#8221;, &#8220;PKCS12&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.trustStorePassword&#8221;, &#8220;welcome123&#8221;);<br \/>\nConnection conn = DriverManager.getConnection(url, props);<\/em><\/p>\n<p>Note: If you are using Oracle SSO wallets (if you turned on \u201cauto login\u201d when you created the \u201ctruststore\u201d wallet), there is no need to use a password:<\/p>\n<p class=\"mrgleft50\"><em>props.setProperty(&#8220;javax.net.ssl.trustStore&#8221;,<br \/>\n&#8220;\/truststore\/cwallet.sso&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.trustStoreType&#8221;, &#8220;SSO&#8221;);<\/em><\/p>\n<p><strong>Check the Server\u2019s Distinguished Name<\/strong><\/p>\n<p>Once the server has been authenticated (i.e. it presented a certificate that chains to the truststore), its DN can also be checked. This step is the equivalent of hostname verification in a browser: without it, any certificate issued by a CA in the truststore, including one issued for a different database server, is accepted.<\/p>\n<p>The expected DN is specified in the JDBC URL:<\/p>\n<p class=\"mrgleft50\"><em>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename))<strong>(SECURITY=(SSL_SERVER_CERT_DN=\"CN=server_test,C=US\")))<\/strong><\/em><\/p>\n<p>The following property must also be set to make the JDBC Thin Driver verify the DN; without it the <em>SSL_SERVER_CERT_DN<\/em> in the URL is ignored:<\/p>\n<p class=\"mrgleft50\"><em>props.setProperty(&#8220;oracle.net.ssl_server_dn_match&#8221;, &#8220;true&#8221;);<\/em><\/p>\n<h2><strong>Implementation 3: Use SSL for Encryption and Authentication of Both Tiers<\/strong><\/h2>\n<p>In this implementation the listener also requires a certificate from the client, so both tiers are authenticated during the SSL handshake.<\/p>\n<p><strong>Server Configuration<\/strong><br \/>\nYou need to configure the \u201clistener\u201d to turn on client authentication:<\/p>\n<p class=\"mrgleft50\"><em>LISTENER = (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484)) )<br \/>\n
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=\/server\/wallet\/path)))<br \/>\n<strong>SSL_CLIENT_AUTHENTICATION=TRUE<\/strong><\/em><\/p>\n<p>SSL client authentication also needs to be turned on in sqlnet.ora:<\/p>\n<p class=\"mrgleft50\"><em>WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=\/server\/wallet\/path)))<br \/>\n<strong>SSL_CLIENT_AUTHENTICATION=TRUE<\/strong><\/em><\/p>\n<p>Note: The wallet location in listener.ora and sqlnet.ora must be the same, and that wallet must hold the CA certificate that issued the client certificates as a trusted certificate; otherwise the server rejects every client during the handshake.<\/p>\n<p><strong>JDBC Thin Client Configuration<\/strong><\/p>\n<p>Your \u201ctruststore\u201d needs to be specified as indicated in the previous section. Because the client must now be authenticated by the server, you must also specify a \u201ckeystore.\u201d<\/p>\n<p>The \u201ckeystore\u201d contains the client certificate together with its private key. You can use any format for the \u201ckeystore\u201d provided a provider for that format is available. The JDK\u2019s default PKI provider supports JKS and PKCS12.<\/p>\n<p>If you use a JKS keystore, the JDK\u2019s PKI provider will be used. 
If you use Oracle wallets (PKCS12 <em>ewallet.p12<\/em> or SSO <em>cwallet.sso<\/em>), then Oracle\u2019s PKI provider must be used.<\/p>\n<p>If you don\u2019t provide a \u201ckeystore,\u201d the client has no certificate to present, the server cannot verify it, and the SSL handshake will fail.<\/p>\n<p>If the keystore format type is JKS:<\/p>\n<p class=\"mrgleft50\"><em>props.setProperty(&#8220;javax.net.ssl.keyStore&#8221;, &#8220;D:\\\\client_jks\\\\keystore.jks&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.keyStoreType&#8221;, &#8220;JKS&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.keyStorePassword&#8221;, &#8220;welcome123&#8221;);<\/em><\/p>\n<p>If the keystore is a wallet:<\/p>\n<p class=\"mrgleft50\"><em>props.setProperty(&#8220;javax.net.ssl.keyStore&#8221;, &#8220;\/client_wallet\/ewallet.p12&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.keyStoreType&#8221;, &#8220;PKCS12&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.keyStorePassword&#8221;, &#8220;welcome123&#8221;);<\/em><\/p>\n<p>If you use SSO wallets (no password required):<\/p>\n<p class=\"mrgleft50\"><em>props.setProperty(&#8220;javax.net.ssl.keyStore&#8221;, &#8220;\/truststore\/cwallet.sso&#8221;);<br \/>\nprops.setProperty(&#8220;javax.net.ssl.keyStoreType&#8221;, &#8220;SSO&#8221;);<\/em><\/p>\n<p>Note that in this implementation the database user is still authenticated with the <em>user<\/em> and <em>password<\/em> properties; the client certificate only authenticates the client tier to the listener during the handshake.<\/p>\n<h2><strong>Implementation 4: Use SSL as an Authentication Service in the Database<\/strong><\/h2>\n<p>A database user that is identified by DN may be authenticated through SSL. This requires SSL client authentication to be enabled on the server, as in Implementation 3. 
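<\/p>\n<p>Before going through the server-side settings, here is how Implementations 2, 3 and 4 combine in one client. The following is an added example, not code from the original post: it opens a JDBC Thin connection over TCPS that validates the server certificate against a dedicated truststore, enforces the expected server DN, presents a client certificate from a keystore, and authenticates to the database with that certificate instead of a password. The host, port, service name, server DN, environment-variable names, TLS version and cipher suite list are assumptions chosen for illustration; the value <em>(TCPS)<\/em> for <em>oracle.net.authentication_services<\/em> is the value Oracle documents for SSL authentication, which the page itself does not show.<\/p>\n
```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/*
 * Added example, not code from the original post. Requires the Oracle JDBC
 * driver (ojdbc8.jar or later) on the classpath; the driver registers itself
 * with DriverManager, so no Class.forName() call is needed.
 */
public class OracleTlsConnect {

    // Assumed values: replace with the listener host/port and the service name.
    static final String HOST = "db.example.internal";
    static final int PORT = 2484;
    static final String SERVICE = "orclpdb";
    // Assumed value: the subject DN of the certificate in the server wallet.
    static final String SERVER_DN = "CN=server_test,C=US";

    /** TCPS connect descriptor carrying the expected server DN (Implementation 2). */
    static String buildUrl() {
        return "jdbc:oracle:thin:@(DESCRIPTION="
             + "(ADDRESS=(PROTOCOL=tcps)(HOST=" + HOST + ")(PORT=" + PORT + "))"
             + "(CONNECT_DATA=(SERVICE_NAME=" + SERVICE + "))"
             + "(SECURITY=(SSL_SERVER_CERT_DN=\"" + SERVER_DN + "\")))";
    }

    /** Connection properties for mutual TLS with the certificate as the database credential. */
    static Properties buildProperties() {
        Properties props = new Properties();

        // Trust anchors for validating the server certificate: a dedicated JKS
        // holding only the database CA, not the JDK's default cacerts (Implementation 2).
        props.setProperty("javax.net.ssl.trustStore", requireEnv("ORA_TRUSTSTORE"));
        props.setProperty("javax.net.ssl.trustStoreType", "JKS");
        props.setProperty("javax.net.ssl.trustStorePassword", requireEnv("ORA_TRUSTSTORE_PASSWORD"));

        // Without this the SSL_SERVER_CERT_DN in the URL is not checked and any
        // certificate that chains to the truststore would be accepted.
        props.setProperty("oracle.net.ssl_server_dn_match", "true");

        // Client certificate and private key presented in the handshake (Implementation 3).
        props.setProperty("javax.net.ssl.keyStore", requireEnv("ORA_KEYSTORE"));
        props.setProperty("javax.net.ssl.keyStoreType", "JKS");
        props.setProperty("javax.net.ssl.keyStorePassword", requireEnv("ORA_KEYSTORE_PASSWORD"));

        // Use the certificate DN as the database credential (Implementation 4):
        // no "user"/"password" properties; the server maps the DN to the user
        // created with IDENTIFIED EXTERNALLY AS '<DN>'.
        props.setProperty("oracle.net.authentication_services", "(TCPS)");

        // Pin the protocol and allow only authenticated, forward-secret suites; an
        // anonymous DH suite here would silently defeat both certificate checks above.
        // Assumes a driver/JDK pairing that supports TLS 1.2 ECDHE suites.
        props.setProperty("oracle.net.ssl_version", "1.2");
        props.setProperty("oracle.net.ssl_cipher_suites",
            "(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)");
        return props;
    }

    /** Store paths and passwords come from the environment rather than source code. */
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(buildUrl(), buildProperties());
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV', 'SESSION_USER'), "
               + "SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM dual")) {
            if (rs.next()) {
                // Expect the externally identified user (e.g. SSLCLIENT) and "tcps".
                System.out.println("session user " + rs.getString(1)
                                 + " over " + rs.getString(2));
            }
        }
    }
}
```
<p>Run it with a client certificate whose subject DN matches a user created with <em>identified externally as<\/em>: the query returns that user as the session user and <em>tcps<\/em> as the network protocol. A server certificate that chains to the truststore but carries a different DN makes <em>getConnection<\/em> throw instead of silently connecting to the wrong host, and removing the keystore makes the listener abort the handshake.<\/p>\n<p>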
The server verifies the client certificate during the SSL handshake and, if the SSL authentication service is enabled, the database user is then authenticated to the database through that SSL credential rather than a password.<\/p>\n<p>Note: In this section, SSL is used to authenticate a database user, meaning each database user has to possess their own certificate whose subject DN is mapped to that user.<\/p>\n<p><strong>Server Configuration<\/strong><br \/>\n\u201cListener\u201d configuration is the same as in Implementation 3, with <em>SSL_CLIENT_AUTHENTICATION=TRUE<\/em>.<\/p>\n<p>You also need to enable the SSL authentication service in sqlnet.ora:<\/p>\n<p class=\"mrgleft50 textroman\">SQLNET.AUTHENTICATION_SERVICES = (tcps, beq, none)<\/p>\n<p>A user that is identified externally by DN has to be created. The DN string must match the subject DN of the client certificate exactly. For example:<\/p>\n<p class=\"mrgleft50 textroman\">SQL&gt; create user sslclient identified externally as<br \/>\n&#8216;CN=client_test,C=US&#8217;;<br \/>\nUser created.<br \/>\nSQL&gt; grant connect,create session to sslclient;<br \/>\nGrant succeeded.<\/p>\n<p><strong>JDBC Thin Client Configuration<\/strong><\/p>\n<p>The connection property:<\/p>\n<p class=\"mrgleft50 textroman\">\u201coracle.net.authentication_services\u201d<\/p>\n<p>must be set on the client to activate SSL authentication. With it, the keystore configured in Implementation 3 supplies the credential and no <em>password<\/em> property is needed; the database maps the certificate DN to the externally identified user created above.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A quick guide on how to activate SSL in Oracle JDBC Thin Driver Activating SSL in Oracle JDBC Thin Driver is an extremely important step in enacting a much 
larger,&#8230;<\/p>\n","protected":false},"author":6,"featured_media":2878,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[25],"tags":[172,173,136],"class_list":["post-2877","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ssl-certificates","tag-jdbc-thin-driver","tag-oracle","tag-ssl","post-with-tags"],"views":47679,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/08\/SSL.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/2877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=2877"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/2877\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/2878"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=2877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=2877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=2877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}