Enable SSL for Oracle Virtual Directory Using Fusion Middleware Control

6-30 Oracle Fusion Middleware Administrator's Guide

Enabling SSL in Other Authentication Modes

You can do this by running the configureSSL command with a properties file as a parameter and specifying the appropriate authentication type parameter value. For details, see Creating and Managing Oracle Virtual Directory Listeners in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

6.6.3 Configuring SSL for the Database

This section contains these topics:

■ SSL-Enable Oracle Database
■ SSL-Enable a Data Source

6.6.3.1 SSL-Enable Oracle Database

Take these steps to SSL-enable Oracle Database:

1. Create a root CA and a certificate for the DB. Here is an example:

   mkdir root
   mkdir server

   # Create root wallet, add self-signed certificate and export
   orapki wallet create -wallet ./root -pwd password
   orapki wallet add -wallet ./root -dn CN=root_test,C=US -keysize 2048 -self_signed -validity 3650 -pwd password
   orapki wallet display -wallet ./root -pwd password
   orapki wallet export -wallet ./root -dn CN=root_test,C=US -cert ./root/b64certificate.txt -pwd password

   # Create server wallet, add self-signed certificate and export
   orapki wallet create -wallet ./server -pwd password
   orapki wallet add -wallet ./server -dn CN=server_test,C=US -keysize 2048 -pwd password
   orapki wallet display -wallet ./server -pwd password
   orapki wallet export -wallet ./server -dn CN=server_test,C=US -request ./server/creq.txt -pwd password

   # Import trusted certificates
   orapki cert create -wallet ./root -request ./server/creq.txt -cert ./server/cert.txt -validity 3650 -pwd password
   orapki cert display -cert ./server/cert.txt -complete
   orapki wallet add -wallet ./server -trusted_cert -cert ./root/b64certificate.txt -pwd password
   orapki wallet add -wallet ./server -user_cert -cert ./server/cert.txt -pwd password
   orapki wallet create -wallet ./server -auto_login -pwd password

   Note: Self-signed certificates are not recommended for production use. For information about obtaining production wallets, see Section 8.4.8.3, Changing a Self-Signed Wallet to a Third-Party Wallet.

2. Update listener.ora, sqlnet.ora, and tnsnames.ora for the database.

   a. This example shows the default listener.ora:

      SID_LIST_LISTENER =
        (SID_LIST =
          (SID_DESC =
            (SID_NAME = PLSExtProc)
            (ORACLE_HOME = path_to_O_H)
            (PROGRAM = extproc)
          )
        )

      LISTENER =
        (DESCRIPTION_LIST =
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
            (ADDRESS = (PROTOCOL = TCP)(HOST = mynode.mycorp.com)(PORT = 1521))
            (ADDRESS = (PROTOCOL = TCPS)(HOST = mynode.mycorp.com)(PORT = 2490))
          )
        )

      WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=wallet_location)))
      SSL_CLIENT_AUTHENTICATION=FALSE

      And here is an updated listener.ora file, illustrating a scenario with no client authentication:

      SID_LIST_LISTENER =
        (SID_LIST =
          (SID_DESC =
            (GLOBAL_DBNAME = dbname)
            (ORACLE_HOME = path_to_O_H)
            (SID_NAME = sid)
          )
        )

      SSL_CLIENT_AUTHENTICATION = FALSE

      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = wallet_path)
          )
        )

      LISTENER =
        (DESCRIPTION_LIST =
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
          )
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = mynode.mycorp.com)(PORT = 1521))
          )
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCPS)(HOST = mycorp.com)(PORT = 2490))
          )
        )

      Note that the SSL port has been added.

   b. Likewise, a modified sqlnet.ora file may look like this:

      NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
      SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,NTS)
      WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=directory)))
      SSL_CLIENT_AUTHENTICATION=FALSE

   c. A modified tnsnames.ora file may look like this:

      OID =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = mynode.mycorp.com)(PORT = 1521))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = mynode.mycorp.com)
          )
        )

      SSL =
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = TCPS)(HOST = mynode.mycorp.com)(PORT = 2490))
          )
          (CONNECT_DATA =
            (SERVICE_NAME = mynode.mycorp.com)
          )
          (SECURITY=(SSL_SERVER_CERT_DN="CN=server_test,C=US"))
        )

3. Test the connection to the database using the new connect string. For example:

   tnsping ssl
   sqlplus username/password@ssl
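As an added example (hypothetical helper code written for this page, not an Oracle utility), the following Python parses the nested Oracle Net syntax shared by listener.ora, sqlnet.ora and tnsnames.ora and cross-checks the settings the steps above touch: a TCPS endpoint on the listener, a wallet directory in both listener.ora and sqlnet.ora, the same SSL_CLIENT_AUTHENTICATION value in both, TCPS among the sqlnet authentication services, and a tnsnames alias that uses TCPS on the listener's SSL port and pins SSL_SERVER_CERT_DN to the DN the server certificate was created with. The three configuration texts inside it are constructed after the page's samples, with placeholder paths; parse_ora, find_all, check_ssl_setup and page_problems are names chosen here.

```python
"""Cross-check the TCPS setup across listener.ora, sqlnet.ora and tnsnames.ora.
Added example, not an Oracle tool: parse_ora, find_all and check_ssl_setup are
hypothetical helpers; the *_ORA texts are constructed after the page's samples."""
import re

_WS, _NAME = re.compile(r"\s*"), re.compile(r"[A-Za-z0-9_.]+")
_LP, _RP, _EQ = re.compile(r"\("), re.compile(r"\)"), re.compile(r"=")
_LIST = re.compile(r"(?=[A-Za-z0-9_.]+\s*[,)])")   # zero-width: a (A, B, C) list follows
_SCALAR = re.compile(r'"([^"]*)"|([^()\s"]+)')      # quoted (e.g. a DN) or bare value

def parse_ora(text):
    """Parse Oracle Net syntax into nested dicts; every key maps to a list of values."""
    src = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    pos = 0

    def tok(pattern, required=False):
        # Skip whitespace, try `pattern` at the cursor, advance only on a match.
        nonlocal pos
        pos = _WS.match(src, pos).end()
        m = pattern.match(src, pos)
        if m is None and required:
            raise ValueError(f"syntax error at offset {pos}")
        pos = m.end() if m else pos
        return m

    def value():
        nonlocal pos
        if tok(_LP) is None:
            m = tok(_SCALAR, required=True)
            return m.group(1) if m.group(1) is not None else m.group(2)
        mapping, items = {}, []
        while True:
            if tok(_LIST):                         # (A, B, C): comma-separated list
                end = src.index(")", pos)
                items += [t.strip().upper() for t in src[pos:end].split(",")]
                pos = end + 1
            else:                                  # (KEY = value), possibly nested
                key = tok(_NAME, required=True).group(0).upper()
                tok(_EQ, required=True)
                mapping.setdefault(key, []).append(value())
                tok(_RP, required=True)
            if tok(_LP) is None:
                return items if items else mapping

    out = {}
    while (m := tok(_NAME)) is not None:
        tok(_EQ, required=True)
        out.setdefault(m.group(0).upper(), []).append(value())
    return out

def find_all(node, key):
    # Yield every value stored under `key` anywhere in a parsed tree.
    kids = ([(k, v) for k, vs in node.items() for v in vs] if isinstance(node, dict)
            else [(None, v) for v in node] if isinstance(node, list) else [])
    for k, v in kids:
        if k == key:
            yield v
        yield from find_all(v, key)

def check_ssl_setup(listener, sqlnet, tnsnames, alias, expected_dn):
    """Return findings; an empty list means the three files agree on the TCPS setup."""
    out = []
    tcps_ports = {a["PORT"][0] for a in find_all(listener, "ADDRESS")
                  if a.get("PROTOCOL", [""])[0].upper() == "TCPS"}
    if not tcps_ports:
        out.append("listener.ora: no TCPS endpoint")
    for fname, cfg in (("listener.ora", listener), ("sqlnet.ora", sqlnet)):
        if next(find_all(cfg, "DIRECTORY"), None) is None:
            out.append(f"{fname}: no WALLET_LOCATION directory")
    if len({c.get("SSL_CLIENT_AUTHENTICATION", ["?"])[0].upper() for c in (listener, sqlnet)}) > 1:
        out.append("SSL_CLIENT_AUTHENTICATION differs between listener.ora and sqlnet.ora")
    if "TCPS" not in sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", [[]])[0]:
        out.append("sqlnet.ora: TCPS missing from SQLNET.AUTHENTICATION_SERVICES")
    entry = tnsnames.get(alias.upper(), [])
    for a in find_all(entry, "ADDRESS"):
        proto, port = a.get("PROTOCOL", ["?"])[0].upper(), a.get("PORT", ["?"])[0]
        if proto != "TCPS" or port not in tcps_ports:
            out.append(f"tnsnames.ora [{alias}]: {proto} port {port} is not the listener's TCPS endpoint")
    dns = list(find_all(entry, "SSL_SERVER_CERT_DN"))
    if not dns:
        out.append(f"tnsnames.ora [{alias}]: no SSL_SERVER_CERT_DN, server identity is not pinned")
    elif dns[0].replace(" ", "") != expected_dn.replace(" ", ""):
        out.append(f"tnsnames.ora [{alias}]: SSL_SERVER_CERT_DN {dns[0]!r} != {expected_dn!r}")
    return out

# Constructed after the page's samples; paths are placeholders, the DN is the page's server cert DN.
LISTENER_ORA = """
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /path/to/wallet)))
LISTENER = (DESCRIPTION_LIST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = mynode.mycorp.com)(PORT = 1521)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = mynode.mycorp.com)(PORT = 2490))))
"""
SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, NTS)
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /path/to/wallet)))
SSL_CLIENT_AUTHENTICATION = FALSE
"""
TNSNAMES_ORA = """
OID = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = mynode.mycorp.com)(PORT = 1521))
  (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = mynode.mycorp.com)))
SSL = (DESCRIPTION =
  (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = mynode.mycorp.com)(PORT = 2490)))
  (CONNECT_DATA = (SERVICE_NAME = mynode.mycorp.com))
  (SECURITY = (SSL_SERVER_CERT_DN = "CN=server_test,C=US")))
"""

def page_problems(alias="ssl"):
    # Cross-check one tnsnames.ora alias against the constructed files above.
    return check_ssl_setup(parse_ora(LISTENER_ORA), parse_ora(SQLNET_ORA),
                           parse_ora(TNSNAMES_ORA), alias, "CN=server_test,C=US")
```

Run for the ssl alias the check returns no findings; run for the oid alias it reports that the entry still connects over TCP on 1521 and pins no server DN, which is why the test step above uses the new ssl connect string rather than the existing alias. Repeated keys (the three DESCRIPTION entries under DESCRIPTION_LIST) are kept as lists rather than overwritten, so the check sees every listener endpoint, not just the last one.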

6.6.3.2 SSL-Enable a Data Source

Take these steps to configure your data sources on Oracle WebLogic Server to use SSL.

1. Create a truststore and add the root certificate (the one created when SSL-enabling the database) to the truststore as a trusted certificate.

2. In the Oracle WebLogic Server Administration Console, navigate to the Connection Pool tab of the data source that you are using. The properties you need to specify in the JDBC Properties text box depend on the type of authentication you wish to configure.

   ■ If you will require client authentication (two-way authentication):

     javax.net.ssl.keyStore=...(the keystore location on the disk)
     javax.net.ssl.keyStoreType=JKS
     javax.net.ssl.keyStorePassword=...(password of the keystore)
     javax.net.ssl.trustStore=...(the truststore location on the disk)
     javax.net.ssl.trustStoreType=JKS
     javax.net.ssl.trustStorePassword=...(password of the truststore)

   ■ If you will require no client authentication:

     javax.net.ssl.trustStore=...(the truststore location on the disk)
     javax.net.ssl.trustStoreType=JKS
     javax.net.ssl.trustStorePassword=...(password of the truststore)

See Also: The chapter Configuring Secure Sockets Layer Authentication in the Oracle Database Advanced Security Administrator's Guide.

Note: The data source can be an existing source such as an Oracle WebCenter data source, or a new data source. See Creating a JDBC Data Source in Oracle Fusion Middleware Configuring and Managing JDBC for Oracle WebLogic Server for details.