1
votes

I'm using a database connection through JDBC in Tomcat. Our environment is Tomcat 7 + JDK 8 and Oracle 12c.

Since I can only connect to the Oracle database through TCPS (for which we are using Oracle's wallet), I have to modify my current Tomcat server.xml to create a JDBC connection to Oracle. My updated configuration snippet:

    <Resource auth="Container" driverClassName="oracle.jdbc.driver.OracleDriver"
        initialSize="10"
        jdbcInterceptors="org.apache.tomcat.jdbc.pool.interceptor.ConnectionState;org.apache.tomcat.jdbc.pool.interceptor.StatementFinalizer;org.apache.tomcat.jdbc.pool.interceptor.SlowQueryReportJmx(threshold=10000)"
        jmxEnabled="true" logAbandoned="true" maxActive="100" maxIdle="100"
        maxWait="10000" 
        name="jdbc/jndiconnection" password="XXXXXX" removeAbandoned="true"
        type="javax.sql.DataSource" url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=hostname)(PORT=1234))(CONNECT_DATA=(SERVICE_NAME=servicename)))"
        username="XXXXXXXX" validationInterval="30000" validationQuery="SELECT 1 FROM DUAL" />

I added truststore/trusttype/keystore/keytype as parameters; however, I got this error:

    Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
        at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:296)
        at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:117)
        at oracle.net.nt.ConnOption.connect(ConnOption.java:133)
        at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:370)
        ... 73 more
    Caused by: oracle.net.ns.NetException: Unable to initialize the key store.
        at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:369)
        at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:279)
        ... 76 more
    Caused by: java.security.KeyStoreException: SSO not found
        at java.security.KeyStore.getInstance(KeyStore.java:851)
        at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:357)
        ... 77 more
    Caused by: java.security.NoSuchAlgorithmException: SSO KeyStore not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.security.Security.getImpl(Security.java:695)
        at java.security.KeyStore.getInstance(KeyStore.java:848)
        ... 78 more

Then I followed the instructions from: https://sysapp.wordpress.com/2010/08/31/how-to-oracle-wallet-with-jdbc-thin-driver-datasource-tomcat/ However, the article uses TCP as the PROTOCOL, not TCPS.

    <Resource
            name="jdbc/confluence"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.OracleDriver"
            url="jdbc:oracle:thin:/@mywallet"
            connectionProperties="oracle.net.wallet_location=/opt/wallet"/>

Then I got this error:

    Caused by: oracle.net.ns.NetException: The method specified in wallet_location is not supported. Location: /opt/wallet
        at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:219)
        at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:117)
        at oracle.net.nt.ConnOption.connect(ConnOption.java:133)
        at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:370)
        ... 73 more

I have written Java sample code to connect through TCPS and the connection works fine. Did I miss some key points in the configuration file? And is there any other way to create Oracle's TCPS connection through JDBC?

2
Was this ever solved? - Arjang

2 Answers

1
votes

    "oracle.net.wallet_location=/opt/wallet"

That's not what the property is supposed to be. It is supposed to be:

    (SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/opt/wallet)))

The error message you get is because it cannot find a "METHOD=" in the one you provided.

0
votes

There are a few steps that you need to follow.

(1) Make sure you have oraclepki.jar, osdt_core.jar, and osdt_cert.jar in the classpath.

(2) Also, specify the location of the cwallet.sso file through the following system property. You can create a setenv.sh and add the required system properties. Also, enable another system property as shown here.

    export JAVA_OPTS="$CATALINA_OPTS -Doracle.net.wallet_location='(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/test/wallet/)))'"
    # Append to JAVA_OPTS so the wallet_location setting above is not overwritten
    export JAVA_OPTS="$JAVA_OPTS -Doracle.net.ssl_server_dn_match=true"

(3) Make sure you have the certificate information in the URL as shown here. Please copy the 'security' part of the URL from your certificate.

    (description=
      (address=(protocol=tcps)(port=1522)(host=myorclhostname))
      (connect_data=(service_name=myorcldb))
      (security=(ssl_server_cert_dn="CN=CMAN, O=Oracle Database , C=US"))
    )

(4) You need to activate the Oracle PKI provider. To statically enable it, change the java.security file of the JRE (JRE_HOME/jre/lib/security/java.security):

    security.provider.7=oracle.security.pki.OraclePKIProvider

Refer to "SSL with JDBC driver" for more details.
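
A preflight check for the oracle.net.wallet_location value discussed in the two answers above, as an added example that is not part of the original posts or of Oracle's driver: it parses the nested (NAME=value) syntax, confirms METHOD=file and a DIRECTORY are present, and checks that the directory holds cwallet.sso. The function names parse_nv and check_wallet_location are hypothetical, the parser is a simplified reader of the syntax shown on this page, and the cwallet.sso check assumes an auto-login wallet as in the second answer.

```python
import os

def parse_nv(text):
    """Parse nested (NAME=value) groups into a dict. Simplified reader, not Oracle's parser."""
    pos = 0

    def group():
        nonlocal pos
        eq = text.find("=", pos)
        if text[pos:pos + 1] != "(" or eq < 0:
            raise ValueError("expected '(NAME=' at offset %d" % pos)
        name, pos = text[pos + 1:eq].strip().upper(), eq + 1
        if text[pos:pos + 1] == "(":
            value = {}                      # nested groups, e.g. (METHOD=file)(METHOD_DATA=...)
            while text[pos:pos + 1] == "(":
                key, val = group()
                value[key] = val
        else:
            end = text.find(")", pos)       # plain value runs to the closing parenthesis
            if end < 0:
                raise ValueError("unbalanced parentheses")
            value, pos = text[pos:end].strip(), end
        if text[pos:pos + 1] != ")":
            raise ValueError("unbalanced parentheses")
        pos += 1
        return name, value

    name, value = group()
    if text[pos:].strip():
        raise ValueError("trailing text after descriptor")
    return {name: value}

def check_wallet_location(setting):
    """Return a list of problems with a wallet_location value; an empty list means it looks usable."""
    try:
        source = parse_nv(setting.strip()).get("SOURCE")
    except ValueError as exc:
        return ["not a (SOURCE=...) descriptor: %s" % exc]
    source = source if isinstance(source, dict) else {}
    data = source.get("METHOD_DATA")
    directory = data.get("DIRECTORY") if isinstance(data, dict) else None
    problems = []
    if str(source.get("METHOD", "")).lower() != "file":
        problems.append("METHOD=file not found")
    if not isinstance(directory, str) or not directory:
        problems.append("METHOD_DATA has no DIRECTORY")
    elif not os.path.isfile(os.path.join(directory, "cwallet.sso")):
        problems.append("no cwallet.sso in " + directory)   # assumes an auto-login wallet
    return problems
```

Calling check_wallet_location("/opt/wallet") with the bare path from the question reports that the value is not a (SOURCE=...) descriptor, while the form from the first answer passes once the directory contains cwallet.sso.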