Tuesday, January 6, 2009

SSL between MidTier & DataBase

Essentially, SSL support between an app server (mid-tier) and the data tier (database) depends on two things:
1. The database supports SSL (Oracle DB does).
2. The DB driver supports it (this could be a thin or a thick client).

Assuming OC4J is connecting to an Oracle DB that is configured to listen on SSL (TCPS), here are the steps using the Oracle JDBC thin driver.

1. For OracleAS (OC4J), you can configure SSL as connection pool properties in data-sources.xml, for example:

   <!-- The XML element names and the property "name" attributes were lost when this
        post was published; they are restored here from the OC4J data-sources.xml
        format and from the oracle.net.* property names used in the WLS example
        further down. All attribute values are as in the original. -->
   <managed-data-source connection-pool-name="scottConnPoolTCPS"
                        jndi-name="jdbc/sslDS"
                        name="jdbc/sslDS"/>

   <connection-pool name="scottConnPoolTCPS">
     <connection-factory factory-class="oracle.jdbc.driver.OracleDriver"
                         user="scott"
                         password="tiger"
                         url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=sracanov-au2.au.oracle.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))"
                         commit-record-table-name="">
       <property name="oracle.net.wallet_location"
                 value="/somepath/Wallets/client/ewallet.p12"/>
       <property name="oracle.net.ssl_cipher_suites"
                 value="SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA"/>
     </connection-factory>
   </connection-pool>


WLS to Oracle DB


For WLS, I don't see any doc for this type of configuration. I don't
think it could be configured as a connection pool property.
However, these might work:

1) Specify the properties in the Java program, as in the following example:

// import packages
import java.sql.*;
import oracle.jdbc.*;
import oracle.jdbc.pool.OracleDataSource;

// specify the properties object
java.util.Properties info = new java.util.Properties();
// ... (further properties, elided in the original)

// Set the SSL version
info.put("oracle.net.ssl_version", "3.0");

// Set the wallet location
info.put("oracle.net.wallet_location",
         "(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=directory)))");

// Set the cipher suite
info.put("oracle.net.ssl_cipher_suites", "SSL_DH_DSS_WITH_DES_CBC_SHA");

// Force the server DN to match the service name
info.put("oracle.net.ssl_server_dn_match", "TRUE");

// Hand the properties to the data source and connect over TCPS
OracleDataSource ods = new OracleDataSource();
ods.setURL("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=sracanov-au2.au.oracle.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))");
ods.setConnectionProperties(info);
Connection conn = ods.getConnection();

2) Use the WLS SSL protocol, e.g. submitting Context.SECURITY_PROTOCOL
= "ssl" when getting the JNDI initial context.
Copying Steve and Dave; they may have more info on this.
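Both the OC4J data-sources.xml fragment and the WLS Java snippet above turn on the same handful of oracle.net.* driver properties, and those properties decide whether the link is merely encrypted or also authenticated: the SSL_DH_anon_* suites listed in the OC4J example use anonymous Diffie-Hellman, which encrypts the session but never proves who the database server is, and without a wallet plus server DN matching a valid certificate for the wrong host is accepted. The following audit script is an added example, not code from the post or from Oracle; it parses the thin-driver connect descriptor, checks the properties for those points, and compares the weak settings from the post with a hardened set. The host name, wallet directory and the TLS_RSA_WITH_AES_128_CBC_SHA suite are constructed placeholders (the suite is assumed to be supported by the driver in use).

```python
"""Audit the SSL settings of an Oracle JDBC thin connection.

Added example, not code from the original post. It checks the connect
descriptor and the oracle.net.* driver properties shown in the OC4J and
WLS sections for the points that decide whether the database server is
actually authenticated. Host names and paths are constructed placeholders.
"""
import re
from typing import Dict, List

# Constructed sample URL in the shape the post uses (placeholder host).
SAMPLE_TCPS_URL = (
    "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)"
    "(HOST=db.example.invalid)(PORT=2484))"
    "(CONNECT_DATA=(SERVICE_NAME=orcl)))"
)

# Weak settings: the anonymous-DH suites from the post and no DN check.
WEAK_PROPS = {
    "oracle.net.ssl_version": "3.0",
    "oracle.net.ssl_cipher_suites": (
        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,"
        "SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA"
    ),
}

# Hardened settings: a wallet holding the CA that signed the server
# certificate, an authenticated suite (assumed to be supported by the
# driver in use) and server DN matching switched on.
HARDENED_PROPS = {
    "oracle.net.wallet_location": (
        "(SOURCE=(METHOD=file)"
        "(METHOD_DATA=(DIRECTORY=/somepath/Wallets/client)))"
    ),
    "oracle.net.ssl_cipher_suites": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "oracle.net.ssl_server_dn_match": "TRUE",
}

# Leaf (KEY=VALUE) pairs of a TNS-style descriptor; nested groups such as
# (ADDRESS=(...)) are skipped because their value contains parentheses.
_LEAF = re.compile(r"\((\w+)=([^()]*)\)")


def parse_connect_descriptor(url: str) -> Dict[str, str]:
    """Return the leaf KEY=VALUE pairs of a thin-driver connect descriptor."""
    descriptor = url.split("@", 1)[1] if "@" in url else url
    return {key.upper(): value.strip() for key, value in _LEAF.findall(descriptor)}


def audit_ssl_config(url: str, props: Dict[str, str]) -> List[str]:
    """Return one finding per weakness; an empty list means nothing to report."""
    findings: List[str] = []
    desc = parse_connect_descriptor(url)

    # 1. Transport: only PROTOCOL=tcps puts the session under SSL/TLS.
    if desc.get("PROTOCOL", "").lower() != "tcps":
        findings.append("transport: PROTOCOL is not tcps, the session is cleartext")

    # 2. Server authentication: *_anon_* suites use anonymous Diffie-Hellman,
    #    which encrypts but never proves who the server is.
    suites = [s.strip() for s in props.get("oracle.net.ssl_cipher_suites", "").split(",") if s.strip()]
    anon = [s for s in suites if "_anon_" in s]
    if anon:
        findings.append("auth: anonymous suite(s) %s give encryption without server authentication"
                        % ", ".join(anon))

    # 3. Trust store: an authenticated suite needs a wallet to validate the
    #    server certificate chain against (no suite listed = driver default).
    needs_trust_store = not suites or len(anon) < len(suites)
    if needs_trust_store and not props.get("oracle.net.wallet_location"):
        findings.append("trust: no oracle.net.wallet_location, the server certificate cannot be validated")

    # 4. Identity: a valid certificate for the wrong host is still the wrong host.
    if props.get("oracle.net.ssl_server_dn_match", "").upper() != "TRUE":
        findings.append("identity: oracle.net.ssl_server_dn_match is not TRUE, the certificate DN is not checked")

    return findings


if __name__ == "__main__":
    for label, props in (("weak", WEAK_PROPS), ("hardened", HARDENED_PROPS)):
        print(label, audit_ssl_config(SAMPLE_TCPS_URL, props) or ["no findings"])
```

Run against the post's anonymous-DH settings the script reports two findings (no server authentication, no DN match); against the hardened set it reports none, and switching the descriptor to PROTOCOL=tcp yields the cleartext finding. The same four checks apply whether the properties come from data-sources.xml or from a Properties object in code, which is why one script covers both sections.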


Thanks to Frances Zhao for this information; let me know about your experience with it.
