Hello, 

I'm having an issue with setting up SSL encrypted connections to an Oracle 
database. 

I looked up on many websites and places and got the impression that either 
people abandon setting up the encryption or implemented the connection in code 
rather than through the jndi context in Tomcat itself. 

Tomcat 8.5.34 
JDK 1.8.0_171 
RedHat 7.4 (Selinux permissive) 
OracleDB 12.2.0.1.0 

I've written a simple Java application which just connects to the database 
using TCPS and makes a simple query. 
This works. 

java -Doracle.net.tns_admin="./oracle_wallets/" -Doracle.net.wallet_location="(SOURCE=(METHOD=FILE) (METHOD_DATA = (DIRECTORY=./oracle_wallets)))" -cp ./:./lib/ojdbc8.jar:./lib/oraclepki.jar DataSourceSample

I'm using the official ojdbc8.jar from Oracle appropriate for the version of 
Java and the Oracle database. 

Because Oracle Wallets are an invention of Oracle itself, I added the 
appropriate security provider in java.security: 
security.provider.4=oracle.security.pki.OraclePKIProvider (loaded before 
com.sun.net.ssl.internal.ssl.Provider) so it gets loaded before the default 
PKCS implementation in Java. 

cwallet.sso, cwallet.sso.lck, ewallet.p12, ewallet.p12.lck, sqlnet.ora and tnsnames.ora 
are all placed inside ./oracle_wallets. 

As said before, the little Java app that I wrote is able to open the wallets 
and connect to the database: 

AArray = [B@6328d34a 
AArray = [B@145eaa29 
AArray = [B@15bb6bea 
.... 
Driver Name: Oracle JDBC driver 
Driver Version: 12.2.0.1.0 
Default Row Prefetch Value is: 20 
Database Username is: MY_USER 
.... 
82062920015 SomeResults1 
87093009324 SomeResults2 
74031825702 SomeResults3 
.... 


I translated this to Tomcat in the following way: 

I placed the ojdbc8.jar and oraclepki.jar in the libs folder of Catalina. 

I added the Java options in bin/setenv.sh: 

export CATALINA_OPTS="$CATALINA_OPTS -Doracle.net.tns_admin=<full path>/oracle_wallets/" 
export CATALINA_OPTS="$CATALINA_OPTS -Doracle.net.wallet_location='(SOURCE=(METHOD=FILE) (METHOD_DATA = (DIRECTORY=<full path>/oracle_wallets)))'" 

The entries in the context.xml file look like this: 

<Resource name="jdbc/dominoDataSource" 
          auth="Container" 
          type="javax.sql.DataSource" 
          username="MY_USER" 
          password="*************" 
          url="jdbc:oracle:thin:@MY_DATABASE" 
          driverClassName="oracle.jdbc.OracleDriver" 
          timeBetweenEvictionRunsMillis="120000" 
          testOnBorrow="True" 
          logAbandoned="True" 
          removeAbandonedTimeout="3600" 
          maxIdle="20" 
          initialSize="32" 
          removeAbandonedOnBorrow="True" 
          maxTotal="256" 
          validationQuery="select 1 from dual" 
          removeAbandonedOnMaintenance="True" 
          maxWaitMillis="300000" 
/> 

I can confirm that the rights on the filesystem for the wallets are permissive 
enough for Tomcat to read them. 
Tomcat is able to connect to the database. 

But for some reason it's as if it's unable to read the wallets. 


Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection 
    at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:523) 
    at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:521) 
    at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:660) 
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:286) 
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1438) 
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:518) 
    ... 68 more 
Caused by: oracle.net.ns.NetException: Unable to initialize ssl context. 
    at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:564) 
    at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:143) 
    at oracle.net.nt.ConnOption.connect(ConnOption.java:161) 
    at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:470) 
    ... 73 more 
Caused by: oracle.net.ns.NetException: Unable to initialize the key store. 
    at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:642) 
    at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:547) 
    ... 76 more 
Caused by: java.security.KeyStoreException: SSO not found 
    at java.security.KeyStore.getInstance(KeyStore.java:851) 
    at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:628) 
    ... 77 more 
Caused by: java.security.NoSuchAlgorithmException: SSO KeyStore not available 
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) 
    at java.security.Security.getImpl(Security.java:695) 
    at java.security.KeyStore.getInstance(KeyStore.java:848) 
    ... 78 more 

I tried checking whether it was maybe linked to the application by removing it, but 
I got the same result. 

It would be nice to hear if anyone has tried this similarly, with or without success. 


Regards, 
Christophe 

-- 
Christophe Vanlancker <christophe.vanlanc...@inuits.eu> 
+32 (494) 232277 | Linux & Open-Source consultant - Inuits.eu 
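Added diagnostic, not part of the original post: the innermost cause above is `KeyStore.getInstance("SSO")` failing, which means the JVM running Tomcat has no registered provider offering the SSO KeyStore type. Providers listed statically in java.security are loaded by the system class loader, so they must be both in the java.security of the JDK Tomcat actually starts and on the system class path, not only in Tomcat's lib. This class, run inside the failing JVM (e.g. from a small JSP or the same java binary), tells apart "provider not registered", "provider class not loadable" and "wallet not readable"; the provider class name is the one from the post, and the system property `wallet.dir` is a hypothetical name chosen here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;

public class WalletProviderCheck {

    // Provider class from the post's java.security entry
    static final String ORACLE_PKI = "oracle.security.pki.OraclePKIProvider";

    // The exact call that fails in the stack trace; true if some registered provider offers "SSO"
    static boolean ssoAvailable() {
        try {
            KeyStore.getInstance("SSO");
            return true;
        } catch (KeyStoreException ex) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Which providers does THIS JVM see? If OraclePKIProvider is missing here, the
        //    java.security edit was made in another JDK or the jar is not on the system class path.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " (" + p.getClass().getName() + ")");
        }

        // 2. If SSO is not available, try loading the class with the current class loader
        //    and registering it at runtime. ClassNotFoundException here means oraclepki.jar
        //    is not visible to this class loader at all.
        if (!ssoAvailable()) {
            System.out.println("SSO KeyStore not available; registering provider dynamically");
            Provider pki = (Provider) Class.forName(ORACLE_PKI).getDeclaredConstructor().newInstance();
            Security.insertProviderAt(pki, 1);
            System.out.println("SSO available after dynamic registration: " + ssoAvailable());
        }

        // 3. Open the auto-login wallet (cwallet.sso takes no password) as the Tomcat user,
        //    which also proves file permissions/SELinux allow reading it. "wallet.dir" is a
        //    hypothetical property used only by this diagnostic.
        String dir = System.getProperty("wallet.dir", "./oracle_wallets");
        KeyStore ks = KeyStore.getInstance("SSO");
        try (InputStream in = new FileInputStream(dir + "/cwallet.sso")) {
            ks.load(in, null);
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            System.out.println("wallet alias: " + e.nextElement());
        }
    }
}
```

If step 2 succeeds only after dynamic registration, the static java.security line is not taking effect in Tomcat's JVM; if step 3 throws, the provider is fine and the wallet path or its permissions are the problem.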