Dropping the OPSS Schema in an Oracle Database

8-10 Oracle Fusion Middleware Application Security Guide

On the host where the client is running, start Oracle Wallet Manager and proceed as follows:

1. Create a wallet and import the DB server trusted CA certificate created in the first procedure in section Configuring SSL on an Oracle DB Server.

2. To establish two-way SSL:

   1. Create a certificate request.
   2. Sign the certificate request with the CA certificate.
   3. Import the signed certificate into the wallet. This certificate is used as the client certificate when connecting to the DB server over two-way SSL.

3. Select the Auto Login check box under the Wallet menu.

4. Save the wallet.

If connecting to the server with sqlplus, use Oracle Net Manager to create a TNS service by navigating to Oracle Net Configuration > Configure SSL for Client > Service Naming.

8.3.3.2.2 Connecting to a DB Server with JDBC Thin Driver

In this scenario, proceed as follows:

1. Set your JDBC URL with the following SSL-specific settings:

   ■ PROTOCOL=TCPS.
   ■ SECURITY with the correct SSL_SERVER_CERT_DN value.

   The following snippet illustrates this setting (the descriptor is broken across lines here for readability; it is a single string):

   jdbc:oracle:thin:@(DESCRIPTION=
     (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myServer.us.oracle.com)(PORT=2484)))
     (CONNECT_DATA=(SERVICE_NAME=orcl.us.oracle.com))
     (SECURITY=(SSL_SERVER_CERT_DN="CN=dbserver,OU=OPSS,O=Oracle,ST=Beijing,C=CN")))

2. Set the following system properties with the appropriate values:

   oracle.net.ssl_server_dn_match
   javax.net.ssl.trustStore
   javax.net.ssl.trustStoreType
   javax.net.ssl.trustStorePassword
   javax.net.ssl.keyStore
   javax.net.ssl.keyStoreType
   javax.net.ssl.keyStorePassword

   For a Java SE application, set the above properties using the -D option when starting a JVM. The trust store properties are needed for both one-way and two-way SSL; the key store properties, which hold the client certificate and key, are needed only for two-way SSL.

   Important: If for this TNS service you set Match server X.509 name to Yes (the JDBC equivalent is oracle.net.ssl_server_dn_match=true), then the value of SSL_SERVER_CERT_DN must be the same as the DN set in the DB server certificate, as illustrated below, where CN=dbserver,OU=OPSS,O=Oracle,ST=Beijing,C=CN is the DB server certificate DN:

   SECURITY=(SSL_SERVER_CERT_DN="CN=dbserver,OU=OPSS,O=Oracle,ST=Beijing,C=CN")

   Without that match, the client verifies only that the server certificate chains to a trusted CA, not that it belongs to the server named in the connect descriptor.

3. For a Data Source on Oracle WebLogic Server, use the WebLogic Administration Console to specify the above properties and values in the Configuration > Connection Pool tab of the Data Source. For details, see the Oracle Fusion Middleware Administrator's Guide.

4. For a Data Source on the WebSphere Application Server, use the Administration Console as follows:

1. Navigate to Data Sources > YourDataSourceName > Custom Properties.

2. Create the new custom property connectionProperties with a value as illustrated in the following line (paths and passwords are the guide's sample values):

   oracle.net.ssl_server_dn_match=true;javax.net.ssl.trustStore=/scratch/weiniu/work/certs/qatestca.jks;javax.net.ssl.trustStoreType=JKS;javax.net.ssl.trustStorePassword=welcome1;javax.net.ssl.keyStore=/scratch/weiniu/work/certs/jksuser1.jks;javax.net.ssl.keyStoreType=JKS;javax.net.ssl.keyStorePassword=welcome1;oracle.net.ssl_version=3.0

   Note that the values are separated by a semicolon, and the setting oracle.net.ssl_version=3.0 is required. The value 3.0 selects SSL 3.0, a protocol that has since been deprecated (RFC 7568) and is disabled by default in current JDKs; on a driver and database that support it, set oracle.net.ssl_version to a TLS version such as 1.2 instead. Note also that the key store and trust store passwords appear in cleartext in this value, so protect the server configuration accordingly.
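As an added example that is not part of the guide, the following Java SE program puts the JDBC thin driver procedure together: it builds the TCPS connect descriptor from step 1, supplies the step 2 properties as connection properties on an OracleDataSource (scoped to that data source rather than set JVM-wide with -D), renders the same properties in the semicolon-separated form that WebSphere's connectionProperties custom property expects, and, once connected, asks the server which network protocol the session uses so that a plain TCP connection cannot pass unnoticed. The host, service name and certificate DN are the guide's sample values; the class name, key store and trust store paths, passwords and the database account are placeholders assumed here.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

import oracle.jdbc.pool.OracleDataSource;

public class OpssTcpsConnectionExample {

    // Connect descriptor from step 1: TCPS on port 2484 and the DN the server
    // certificate must carry. Host, service and DN are the guide's sample values.
    static final String URL =
          "jdbc:oracle:thin:@(DESCRIPTION="
        + "(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myServer.us.oracle.com)(PORT=2484)))"
        + "(CONNECT_DATA=(SERVICE_NAME=orcl.us.oracle.com))"
        + "(SECURITY=(SSL_SERVER_CERT_DN=\"CN=dbserver,OU=OPSS,O=Oracle,ST=Beijing,C=CN\")))";

    /**
     * The step 2 properties. Pass keyStore as null for one-way SSL: the client
     * certificate (and therefore the key store) is only needed for two-way SSL.
     * sslVersion is the value for oracle.net.ssl_version ("1.2" selects TLS 1.2;
     * the guide's WebSphere sample uses "3.0", i.e. SSL 3.0, which is now obsolete).
     */
    static Map<String, String> sslProperties(String trustStore, String trustStorePassword,
                                             String keyStore, String keyStorePassword,
                                             String sslVersion) {
        Map<String, String> p = new LinkedHashMap<>();
        // Without DN matching the driver only checks that the server certificate chains
        // to a trusted CA, not that it belongs to the server named in the descriptor.
        p.put("oracle.net.ssl_server_dn_match", "true");
        p.put("javax.net.ssl.trustStore", trustStore);
        p.put("javax.net.ssl.trustStoreType", "JKS");
        p.put("javax.net.ssl.trustStorePassword", trustStorePassword);
        if (keyStore != null) {
            p.put("javax.net.ssl.keyStore", keyStore);
            p.put("javax.net.ssl.keyStoreType", "JKS");
            p.put("javax.net.ssl.keyStorePassword", keyStorePassword);
        }
        p.put("oracle.net.ssl_version", sslVersion);
        return p;
    }

    /** The same properties in the semicolon-separated form of WebSphere's connectionProperties. */
    static String toConnectionPropertiesValue(Map<String, String> props) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : props.entrySet()) {
            if (sb.length() > 0) {
                sb.append(';');
            }
            sb.append(e.getKey()).append('=').append(e.getValue());
        }
        return sb.toString();
    }

    /**
     * Opens the connection with the SSL settings scoped to this data source and returns
     * the protocol the server recorded for the session ("tcps" for an SSL session),
     * so the caller can prove the traffic is not going over plain TCP.
     */
    static String connectAndGetProtocol(String url, Map<String, String> sslProps,
                                        String user, String password) throws SQLException {
        OracleDataSource ds = new OracleDataSource();
        ds.setURL(url);
        ds.setUser(user);
        ds.setPassword(password);
        Properties p = new Properties();
        p.putAll(sslProps);
        ds.setConnectionProperties(p);

        try (Connection c = ds.getConnection();
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM DUAL")) {
            rs.next();
            return rs.getString(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder paths, passwords and account (assumptions, not values from the guide).
        Map<String, String> props = sslProperties(
            "/path/to/ca-truststore.jks", "trust-store-password",
            "/path/to/client-keystore.jks", "key-store-password",
            "1.2");

        System.out.println("WebSphere connectionProperties value:");
        System.out.println(toConnectionPropertiesValue(props));

        String protocol = connectAndGetProtocol(URL, props, "opss_user", "opss_password");
        if (!"tcps".equalsIgnoreCase(protocol)) {
            throw new IllegalStateException("expected a TCPS session, server reports " + protocol);
        }
        System.out.println("connected to the DB server over " + protocol);
    }
}
```

Compile and run with the Oracle JDBC driver jar (ojdbc) on the class path. The protocol check at the end is the cheap verification a practitioner wants after this configuration: if the descriptor or the listener fell back to TCP, the server reports "tcp" and the program fails instead of silently running the OPSS store traffic unencrypted.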

8.4 Configuring the OPSS Security Store

For examples of store configurations for Java SE applications, see Section 23.1, Configuring Policy and Credential Stores in Java SE Applications. For examples of store configurations for Java EE applications, see Example 1 and Example 4 . For details about configuring other artifacts, see Configuring the Identity Provider, Property Sets, and SSO .

8.5 Reassociating the OPSS Security Store

Reassociating the OPSS security store consists of relocating the policy, credential, and key stores from one repository to another. The source can be file-, LDAP-, or DB-based; the target can be LDAP- or DB-based. The only LDAP target supported is Oracle Internet Directory; the only DB target supported is DB_ORACLE.

Reassociation changes the repository while preserving the integrity of the stored data. For each security artifact, reassociation searches the target store and, if it finds a match, updates the matching artifact; otherwise, it creates a new artifact.

Reassociation is typically performed, for example, when setting a domain to use an LDAP- or DB-based OPSS store instead of the out-of-the-box file-based store. This operation can take place at any time after the OPSS store has been configured and instantiated, and it is carried out using either Fusion Middleware Control or the script reassociateSecurityStore, as explained in the following sections:

■ Reassociating with Fusion Middleware Control
■ Reassociating with the Script reassociateSecurityStore

8.5.1 Reassociating with Fusion Middleware Control

Reassociation migrates the OPSS security store's policies, credentials, and keys from one repository to another and reconfigures the corresponding security store providers. This section explains how to perform reassociation with Fusion Middleware Control pages.