Configuring utilities to authenticate users with an SSL certificate and client password
You can configure the AllDBConnector class to use both an Oracle wallet SSL certificate and a user-provided password to authenticate a user and establish the database connection for a WebSphere Commerce utility.
About this task
With this setup, the Oracle database server uses the SSL certificate in the Oracle wallet on the server tier to authenticate itself to the utility client and to encrypt the connection. The AllDBConnector class on the client tier validates that certificate against the trusted certificate in the client wallet, and then authenticates the user to the database with a user name and password over the encrypted channel. Only the server certificate (the public certificate, not the private key) needs to be distributed from the server tier to the client tier; no client certificate is issued (SSL_CLIENT_AUTHENTICATION is FALSE on both tiers), and the user's password never crosses the network in cleartext because it travels only inside the TLS session.
The snippets in this procedure use SSL_VERSION = 3.0 (SSLv3) and a 1024-bit self-signed test key, which match older Oracle 11g defaults. SSLv3 and 1024-bit RSA are no longer considered secure; on an Oracle release that supports it, set SSL_VERSION = 1.2 in both sqlnet.ora files and oracle.net.ssl_version to 1.2 in alldbconnector.xml, and generate a 2048-bit or larger key.
Procedure
- Create an Oracle Wallet with the Oracle orapki utility.
In a command-line utility, run the following command from the Oracle bin directory:
orapki wallet create -wallet wallet_directory -auto_login -pwd wallet_password
Where
- wallet_directory is the directory where you want to create the Wallet. For example, c:\server.wallet.
Note: Ensure that the directory that you set as the wallet_directory is readable and executable only by the appropriate users. The -auto_login option writes an obfuscated cwallet.sso file that opens the wallet without the wallet password, so anyone who can read the directory can use the server's private key.
- wallet_password is the password that you want to set for the Wallet. For example, s3rv3rp45s.
For example:
orapki wallet create -wallet c:\server.wallet -auto_login -pwd s3rv3rp45s
- Install the certificate that is issued by the certificate authority.
For more information about creating a certificate request and installing the certificate, see Oracle Technology Network. As an example for testing purposes only, add a self-signed certificate to your Oracle Wallet for use as the database server certificate. A self-signed certificate works here because the client wallet trusts it directly; for production, use a certificate that is issued by your certificate authority and set the CN to the database server's host name. In a command-line utility, run the following command from the Oracle bin directory:
orapki wallet add -wallet wallet_directory -dn "dn_name" -keysize 1024 -self_signed -validity 365 -user_cert -trusted_cert -pwd wallet_password
Where
- wallet_directory is the directory that contains the Wallet. For example, c:\server.wallet.
- dn_name is the distinguished name of the certificate owner, which is the database server name. For example, CN=server.
- wallet_password is the password that you set for the Wallet. For example, s3rv3rp45s.
For example:
orapki wallet add -wallet c:\server.wallet -dn "CN=server" -keysize 1024 -self_signed -validity 365 -user_cert -trusted_cert -pwd s3rv3rp45s
- Export the SSL certificate for the database server.
In a command-line utility, run the following command from the Oracle bin directory:
orapki wallet export -wallet wallet_directory -dn "dn_name" -cert certificate_file -pwd wallet_password
Where
- wallet_directory is the directory that contains the Wallet. For example, c:\server.wallet.
- dn_name is the distinguished name of the certificate owner, which is the database server name. For example, CN=server.
- certificate_file is the path and name of the file that is to receive the exported certificate. For example, c:\server.cert. The export contains only the public certificate, not the private key, so this file can be copied to the client tier.
- wallet_password is the password that you set for the Wallet. For example, s3rv3rp45s.
For example:
orapki wallet export -wallet c:\server.wallet -dn "CN=server" -cert c:\server.cert -pwd s3rv3rp45s
- Shut down your Oracle database by running the following commands from the Oracle bin directory:
sqlplus / as sysdba
shutdown immediate;
quit;
- Stop the Oracle listener with the Oracle Listener Control utility by running the following command from the Oracle bin directory:
lsnrctl stop
- Update the Oracle listener listener.ora configuration file.
- Go to the following directory and open the listener.ora file for editing:
- ORACLE_HOME/network/admin (Linux and UNIX)
- ORACLE_HOME\network\admin (Windows)
- Update the listener parameters to match the settings for your system. When you are updating the file, ensure that you update the parameters in the following sections:
SID_LIST_LISTENER
LISTENER
WALLET_LOCATION
SSL_CLIENT_AUTHENTICATION
The listener in this example accepts only TCPS on port 2484. If you also keep a plain TCP address, utilities can still connect without encryption, so remove any TCP address that you do not need. For example, your updated keys can resemble the following code snippet:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = WCS)
      (SID_NAME = WCS)
      (ORACLE_HOME = C:\oracle\product\11.2.0\dbhome_1)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = myhostname.mycompany.com)(PORT = 2484))
    )
  )
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\server.wallet)
    )
  )
SSL_CLIENT_AUTHENTICATION = FALSE
- Update the Oracle sqlnet.ora configuration file.
- Go to the following directory and open the sqlnet.ora file for editing:
- ORACLE_HOME/network/admin (Linux and UNIX)
- ORACLE_HOME\network\admin (Windows)
- Update the configuration parameters to match the settings for your system. When you are updating the file, ensure that you update the following parameters:
SQLNET.AUTHENTICATION_SERVICES
SSL_CLIENT_AUTHENTICATION
SSL_VERSION
NAMES.DIRECTORY_PATH
WALLET_LOCATION
Set SSL_CLIENT_AUTHENTICATION = FALSE explicitly: Oracle Net defaults it to TRUE, which requires a client certificate and prevents the password-based authentication that this setup relies on. For example, your updated keys can resemble the following code snippet:
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 3.0
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\server.wallet)
    )
  )
- Restart the Oracle listener by running the following command from the Oracle bin directory:
lsnrctl start
- Start your Oracle database by running the following commands from the Oracle bin directory:
sqlplus / as sysdba
startup;
quit;
- Create an Oracle Wallet with the orapki utility in your client environment.
This wallet holds only the trusted server certificate that you import in the next step; it contains no private key. For example, run the following command from the Oracle bin directory:
orapki wallet create -wallet c:\client.wallet -auto_login -pwd cl13ntp45s
- Import the SSL certificate from your database server tier.
Copy the exported certificate file to the client tier. Then, in a command-line utility, run the following command from the Oracle bin directory:
orapki wallet add -wallet wallet_directory -trusted_cert -cert certificate_file -pwd wallet_password
Where
- wallet_directory is the directory that contains the client Wallet. For example, c:\client.wallet.
- certificate_file is the path and name of the file that contains the server certificate that you exported from the server tier. For example, c:\server.cert.
- wallet_password is the password that you set for the client Wallet. For example, cl13ntp45s.
For example:
orapki wallet add -wallet c:\client.wallet -trusted_cert -cert c:\server.cert -pwd cl13ntp45s
- Optional: If you are importing certificates from multiple servers, ensure that the certificates have different distinguished names (DN).
- Ensure that your Oracle Wallet is readable by the user
or group that needs to invoke any WebSphere Commerce utilities.
For example, the group that includes the WebSphere Application Server user.
- Update the Oracle sqlnet.ora configuration file for your client.
- Go to the following directory and open the sqlnet.ora file for editing:
- ORACLE_HOME/network/admin (Linux and UNIX)
- ORACLE_HOME\network\admin (Windows)
- Update the configuration parameters to match the settings for your system. When you are updating the file, ensure that you update the following parameters:
SQLNET.AUTHENTICATION_SERVICES
SSL_CLIENT_AUTHENTICATION
SSL_VERSION
NAMES.DIRECTORY_PATH
WALLET_LOCATION
The WALLET_LOCATION on the client points to the client wallet that holds the trusted server certificate, not to the server wallet. For example, your updated keys can resemble the following code snippet:
SQLNET.AUTHENTICATION_SERVICES = (TCPS, BEQ, NTS)
SSL_VERSION = 3.0
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = c:\client.wallet)
    )
  )
SSL_CLIENT_AUTHENTICATION = FALSE
- Update the Oracle tnsnames.ora configuration file.
- Go to the following directory and open the tnsnames.ora file for editing:
- ORACLE_HOME/network/admin (Linux and UNIX)
- ORACLE_HOME\network\admin (Windows)
- Add a TNS entry to the tnsnames.ora file.
The entry must point to your database server and must use PROTOCOL = TCPS. An entry that uses PROTOCOL = TCP neither uses the wallet nor encrypts the connection, and the listener that you configured earlier accepts only TCPS. For example, your configuration can resemble the following code snippet:
WCS =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = myhostname.mycompany.com)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = WCS)
    )
  )
If you configure the oradestwallet override for a production database in the next step, add a second entry, WCSDEST, in the same form that points to the production database server.
- Update the database connection configuration file for the AllDBConnector class to ensure that WebSphere Commerce utilities can authenticate users with the Oracle Wallet.
- Go to the following directory and open the alldbconnector.xml configuration file for editing:
- WC_installdir/WC/xml/config
- WC_installdir\WC\xml\config
- WCDE_installdir\WC\xml\config
- Update the alldbconnector.xml file to include two overrides that configure how utilities authenticate users.
In the first override, configure the connection properties for your local (authoring or staging) database. In the second override, configure the connection properties for your production database. The second override ensures that a utility that must connect to multiple databases, such as the stagingprop utility, can use the SSL certificate for the production connection as well.
Note: For the override identifier oradestwallet, a corresponding TNS entry, WCSDEST, must exist in the tnsnames.ora configuration file of your utility client environment. For more information about the properties that you can include in an override configuration in the alldbconnector.xml file, see Database connection acquisition for utilities and Ant tasks.
- If your Oracle database driver type is a thin driver, your updated AllDBConnector class configuration in the alldbconnector.xml file can resemble the following code snippet:
<oracle>
  <override identifier="orasrcwallet">
    <property name="oracle.jdbc.J2EE13Compliant" type="java.lang.Boolean" value="true"/>
    <property name="oracle.net.tns_admin" value="c:\oracle\product\11.2.0\dbhome_1\network\admin" scope="system" />
    <property name="oracle.net.wallet_location" value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=wallet_directory)))" />
    <property name="oracle.net.ssl_version" value="3.0" />
    <property name="oracle.net.authentication_services" value="(TCPS)" />
    <jdbcurl value="jdbc:oracle:thin:@wcs" />
    <security providername="oracle.security.pki.OraclePKIProvider" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\oraclepki.jar" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\osdt_cert.jar" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\osdt_core.jar" />
  </override>
  <override identifier="oradestwallet">
    <property name="oracle.jdbc.J2EE13Compliant" type="java.lang.Boolean" value="true"/>
    <property name="oracle.net.tns_admin" value="c:\oracle\product\11.2.0\dbhome_1\network\admin" scope="system" />
    <property name="oracle.net.wallet_location" value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=wallet_directory)))" />
    <property name="oracle.net.ssl_version" value="3.0" />
    <property name="oracle.net.authentication_services" value="(TCPS)" />
    <jdbcurl value="jdbc:oracle:thin:@wcsdest" />
    <security providername="oracle.security.pki.OraclePKIProvider" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\oraclepki.jar" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\osdt_cert.jar" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\osdt_core.jar" />
  </override>
</oracle>
- If your Oracle database driver type is a thick driver, your updated AllDBConnector class configuration in the alldbconnector.xml file can resemble the following code snippet:
<oracle>
  <override identifier="orasrcwallet">
    <property name="oracle.jdbc.J2EE13Compliant" type="java.lang.Boolean" value="true"/>
    <property name="oracle.net.wallet_location" value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=wallet_directory)))" />
    <property name="oracle.net.ssl_version" value="3.0" />
    <jdbcurl value="jdbc:oracle:oci:@wcs" />
    <security providername="oracle.security.pki.OraclePKIProvider" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\oraclepki.jar" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\osdt_cert.jar" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\osdt_core.jar" />
  </override>
  <override identifier="oradestwallet">
    <property name="oracle.jdbc.J2EE13Compliant" type="java.lang.Boolean" value="true"/>
    <property name="oracle.net.wallet_location" value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=wallet_directory)))" />
    <property name="oracle.net.ssl_version" value="3.0" />
    <jdbcurl value="jdbc:oracle:oci:@wcsdest" />
    <security providername="oracle.security.pki.OraclePKIProvider" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\oraclepki.jar" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\osdt_cert.jar" />
    <jar path="c:\oracle\product\11.2.0\dbhome_1\jlib\osdt_core.jar" />
  </override>
</oracle>
Where
- orasrcwallet is the identifier of the override configuration for your authoring or staging environment.
- oradestwallet is the identifier of the override configuration for your production environment.
- wallet_directory is the directory that includes the client Wallet into which you imported the server certificate. For example, c:\client.wallet. Do not point the utility at the server wallet: the client needs only the trusted server certificate, and the server wallet holds the server's private key.
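The procedure above touches five files on two tiers, and a mismatch between them (a wallet directory that differs between listener.ora and sqlnet.ora, an override whose jdbcurl alias has no tnsnames.ora entry, an override that points at the server wallet instead of the client wallet, or SSL_VERSION left at 3.0) fails only at run time. The following checker is an added example written for this page; it is not part of the page, of Oracle, or of WebSphere Commerce. It parses the Oracle Net NV syntax that listener.ora, sqlnet.ora and tnsnames.ora share, parses the alldbconnector.xml overrides, and reports the inconsistencies and weak settings. The embedded sample files are constructed to mirror the page's snippets (host names, paths and aliases are the page's placeholders, not real systems); the oradestwallet sample deliberately repeats two mistakes the page invites, so the output shows what each looks like.

```python
"""Audit the Oracle wallet / TCPS settings this procedure produces. Added example, not code from the
page or WebSphere Commerce: parses listener.ora, sqlnet.ora, tnsnames.ora (Oracle NV syntax) and
alldbconnector.xml, then cross-checks them. Every sample below is constructed from the page's snippets."""
import re
import xml.etree.ElementTree as ET

_TOKEN = re.compile(r'"[^"]*"|\(|\)|=|,|[^()=,\s"]+')   # quoted string, ( ) = , or a bare word
_SSL_NAMES = {'0': 'any version', '3.0': 'SSLv3', '1.0': 'TLS 1.0', '1.1': 'TLS 1.1'}  # Oracle codes
_OK_SSL = {'1.2', '1.3'}

def parse_nv(text):
    """NAME = (KEY = value)(KEY = value)... -> nested dicts (upper-cased keys, first value wins);
    (BEQ, TCPS, NTS) -> list. Handles the single-value SSL_VERSION form used on this page."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith('#')]
    tokens, node, i = _TOKEN.findall('\n'.join(lines)), {}, 0
    while i < len(tokens):
        key, value, i = _parse_entry(tokens, i)
        node.setdefault(key, value)
    return node

def _parse_entry(tokens, i):
    key = tokens[i].upper()
    if i + 1 >= len(tokens) or tokens[i + 1] != '=':
        raise ValueError('expected "=" after ' + key)
    value, i = _parse_value(tokens, i + 2)
    return key, value, i

def _parse_value(tokens, i):
    if tokens[i] != '(':                              # bare value: FALSE, 3.0, C:\server.wallet
        return tokens[i].strip('"'), i + 1
    node = {}
    while i < len(tokens) and tokens[i] == '(':       # one value may be several (KEY = value) groups
        if tokens[i + 2] != '=':                      # ... or a single comma list such as (BEQ, TCPS)
            end = tokens.index(')', i)
            return [t.strip('"') for t in tokens[i + 1:end] if t != ','], end + 1
        key, value, i = _parse_entry(tokens, i + 1)
        node.setdefault(key, value)
        i += 1                                        # step over this group's closing ')'
    return node, i

def wallet_dir(nv):
    """DIRECTORY under WALLET_LOCATION, lower-cased for comparison; None if absent."""
    try:
        return nv['WALLET_LOCATION']['SOURCE']['METHOD_DATA']['DIRECTORY'].lower()
    except (KeyError, TypeError, AttributeError):
        return None

def check_sqlnet(name, nv):
    """One sqlnet.ora: TLS floor, TCPS enabled, wallet present, and SSL_CLIENT_AUTHENTICATION set
    to FALSE explicitly (Oracle Net defaults it to TRUE, which would demand a client certificate)."""
    out, ver, svc = [], str(nv.get('SSL_VERSION', '0')), nv.get('SQLNET.AUTHENTICATION_SERVICES', [])
    if ver not in _OK_SSL:
        out.append((name, 'SSL_VERSION=%s allows %s; set 1.2' % (ver, _SSL_NAMES.get(ver, '?'))))
    if 'TCPS' not in [s.upper() for s in (svc if isinstance(svc, list) else [svc])]:
        out.append((name, 'SQLNET.AUTHENTICATION_SERVICES lacks TCPS'))
    if str(nv.get('SSL_CLIENT_AUTHENTICATION', 'TRUE')).upper() != 'FALSE':
        out.append((name, 'SSL_CLIENT_AUTHENTICATION is not FALSE'))
    if wallet_dir(nv) is None:
        out.append((name, 'WALLET_LOCATION missing'))
    return out

def audit(listener_ora, server_sqlnet, client_sqlnet, tnsnames_ora, alldbconnector_xml):
    """Cross-check both tiers; returns [(where, problem)], empty when the set is consistent."""
    listener, srv = parse_nv(listener_ora), parse_nv(server_sqlnet)
    cli, tns = parse_nv(client_sqlnet), parse_nv(tnsnames_ora)
    findings = check_sqlnet('server sqlnet.ora', srv) + check_sqlnet('client sqlnet.ora', cli)
    addr = listener['LISTENER']['DESCRIPTION_LIST']['DESCRIPTION'].get('ADDRESS', {})
    if addr.get('PROTOCOL', '').upper() != 'TCPS':
        findings.append(('listener.ora', 'listener endpoint is not TCPS'))
    if wallet_dir(listener) != wallet_dir(srv):
        findings.append(('listener.ora', 'WALLET_LOCATION differs from server sqlnet.ora'))
    for alias, entry in tns.items():                  # every alias a utility may dial must be TCPS
        a = entry.get('DESCRIPTION', {}).get('ADDRESS_LIST', {}).get('ADDRESS', {})
        if a.get('PROTOCOL', '').upper() != 'TCPS':
            findings.append(('tnsnames.ora', alias + ' does not use PROTOCOL = TCPS'))
    for ov in ET.fromstring(alldbconnector_xml).iter('override'):
        where = 'alldbconnector.xml override ' + ov.get('identifier', '?')
        props = {p.get('name'): p.get('value') for p in ov.findall('property')}
        if props.get('oracle.net.ssl_version', '0') not in _OK_SSL:
            findings.append((where, 'oracle.net.ssl_version below 1.2'))
        alias = ov.find('jdbcurl').get('value').rsplit('@', 1)[-1].upper()   # jdbc:oracle:thin:@alias
        if alias not in tns:
            findings.append((where, 'jdbcurl alias %s has no tnsnames.ora entry' % alias))
        loc = props.get('oracle.net.wallet_location')
        if not loc or wallet_dir(parse_nv('WALLET_LOCATION=' + loc)) != wallet_dir(cli):
            findings.append((where, 'oracle.net.wallet_location is not the client wallet'))
    return findings

# Constructed samples that mirror the page's snippets, weak spots included.
LISTENER_ORA = r"""LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = myhostname.mycompany.com)(PORT = 2484))))
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = C:\server.wallet)))
SSL_CLIENT_AUTHENTICATION = FALSE
"""
SERVER_SQLNET = r"""SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 3.0
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = C:\server.wallet)))
"""
CLIENT_SQLNET = SERVER_SQLNET.replace(r'C:\server.wallet', r'c:\client.wallet')
TNSNAMES_ORA = r"""WCS = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = myhostname.mycompany.com)(PORT = 2484))) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = WCS)))
"""
# oradestwallet points at the *server* wallet (the mistake the page's wallet_directory example
# invites) and at a WCSDEST alias the tnsnames.ora above lacks. Jar and tns_admin lines omitted.
ALLDBCONNECTOR_XML = r"""<oracle>
  <override identifier="orasrcwallet">
    <property name="oracle.net.wallet_location" value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=c:\client.wallet)))"/>
    <property name="oracle.net.ssl_version" value="3.0"/>
    <jdbcurl value="jdbc:oracle:thin:@wcs"/>
  </override>
  <override identifier="oradestwallet">
    <property name="oracle.net.wallet_location" value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=c:\server.wallet)))"/>
    <property name="oracle.net.ssl_version" value="3.0"/>
    <jdbcurl value="jdbc:oracle:thin:@wcsdest"/>
  </override>
</oracle>"""
```

Run against the samples as written, audit() returns six findings: SSL_VERSION 3.0 in both sqlnet.ora files, oracle.net.ssl_version 3.0 in both overrides, and for oradestwallet the missing WCSDEST alias and the server-wallet path. Raising every 3.0 to 1.2, adding the WCSDEST entry and pointing both overrides at c:\client.wallet brings the list to empty. The parser deliberately covers only the syntax this page uses (single-value SSL_VERSION, one ADDRESS per alias); quoted values are accepted, but Oracle's "1.2 or 1.1" multi-version form is not.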