Websphere Application Server to Oracle Database using TLS 1.2

1
votes

I am trying to implement TLS 1.2 from Websphere Application Server v9.0.5.6 to Oracle 19c Database. Both the WAS and Oracle are on different Virtual Machines running on Centos 7. Used Websphere provided IBM Java 8 and Oracle provided ojdbc8.jar (from Oracle 19c Client). Non-ssl connection is working fine from WAS console.

I have done the following to implement TLS 1.2.

  1. Used this link and completed the Oracle Database side SSL configuration. For testing I even made the client side configuration on WAS vm and tested using sqlplus (with oracle user and oracle 19c client) and I was able to connect and get TCPS as provided in this query.
  2. Then I added the Oracle DB self-signed certificates to 'WAS_HOME/AppServer/profiles/AppSrv01/etc/trust.p12'. I used iKeyman for adding the DB certificate to WAS. Then added the custom property in datasource ‘connectionProperties’ with values javax.net.ssl.trustStore=WAS_HOME/AppServer/profiles/AppSrv01/etc/trust.p12; javax.net.ssl.trustStoreType=PKCS12; oracle.net.ssl_version=1.2; javax.net.ssl.trustStorePassword=***
  3. Instead of point 2, I also tried JKS. Added the Oracle DB self-signed certificates to 'WAS_HOME/AppServer/java/8.0/jre/lib/security/cacerts'. I used iKeyman for adding the DB certificate to WAS. Then added the custom property in datasource ‘connectionProperties’ with values javax.net.ssl.keyStore= WAS_HOME/AppServer/java/8.0/jre/lib/security/cacerts; javax.net.ssl.keyStoreType=JKS; oracle.net.ssl_version=1.2; javax.net.ssl.keyStorePassword=***

I enabled the debug logs and in both the scenarios I am getting the error 'java.security.SignatureException: Signature length not correct: got 128 but was expecting 256'

Can anyone pls suggest on the error or how TLS 1.2 from WAS to Oracle DB can be successfully achieved?

Sysout Logs

[29/03/21 10:37:15:975 BST] 0000008c FileRepositor A   ADMR0010I: Document cells/appserver01Node01Cell/security.xml is modified.
    [29/03/21 10:37:15:978 BST] 0000008c FileRepositor A   ADMR0010I: Document cells/appserver01Node01Cell/nodes/appserver01Node01/trust.p12 is modified.
    [29/03/21 10:37:26:165 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.164 BST|Thread.java:1164|adding as trusted certificates (
      "certificate" : {
        "version"            : "v3",
        "serial number"      : "30 F6 93 B4",
        "signature algorithm": "SHA256withRSA",
        "issuer"             : "CN=dbserver01.miracle.com",
        "not before"         : "2021-03-28 04:43:25.000 BST",
        "not  after"         : "2031-02-04 03:43:25.000 GMT",
        "subject"            : "CN=dbserver01.miracle.com",
        "subject public key" : "RSA",
        "extensions"         : [
          {
            ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: 57 d7 09 3f d2 5e db c3  43 93 6f af 82 4a fc 7d  W.......C.o..J..
            0010: 16 74 be 60                                        .t..
            ]
            ]
          }
        ]},
      "certificate" : {
        "version"            : "v3",
        "serial number"      : "38 5D 50 BF 82",
        "signature algorithm": "SHA256withRSA",
        "issuer"             : "CN=appserver01.miracle.com, OU=Root Certificate, OU=appserver01Node01Cell, OU=appserver01Node01, O=IBM, C=US",
        "not before"         : "2021-03-25 21:09:10.000 GMT",
        "not  after"         : "2036-03-21 21:09:10.000 GMT",
        "subject"            : "CN=appserver01.miracle.com, OU=Root Certificate, OU=appserver01Node01Cell, OU=appserver01Node01, O=IBM, C=US",
        "subject public key" : "RSA",
        "extensions"         : [
          {
            ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: 4c 3e 62 ab 29 d9 6c 08                           L.b...l.
            ]
            ]
          },
          {
            ObjectId: 2.5.29.19 Criticality=true
            BasicConstraints:[
            CA:true
            PathLen:2147483647
            ]
          },
          {
            ObjectId: 2.5.29.17 Criticality=false
            SubjectAlternativeName [
            [RFC822Name: ProfileUUID:AppSrv01-BASE-5d9b3381-f22f-4812-a07b-c1e59b63d0a5]]
          }
        ]}
    )
    [29/03/21 10:37:26:171 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.166 BST|Thread.java:1164|keyStore is: /home/sunny/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts
    [29/03/21 10:37:26:172 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.171 BST|Thread.java:1164|keyStore type is: jks
    [29/03/21 10:37:26:178 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.173 BST|Thread.java:1164|keyStore provider is: 
    …..
    [29/03/21 10:37:26:218 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.217 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384
    [29/03/21 10:37:26:220 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.218 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256
    ……
    [29/03/21 10:37:26:261 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.256 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256
    [29/03/21 10:37:26:264 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.262 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256
    [29/03/21 10:37:26:287 BST] 0000008c SystemOut     O javax.net.ssl|WARNING|8C|WebContainer : 1|2021-03-29 10:37:26.284 BST|Thread.java:1164|Unable to indicate server name
    …
    [29/03/21 10:37:26:303 BST] 0000008c SystemOut     O javax.net.ssl|INFO|8C|WebContainer : 1|2021-03-29 10:37:26.300 BST|Thread.java:1164|No available application protocols
    [29/03/21 10:37:26:304 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.303 BST|Thread.java:1164|Ignore, context unavailable extension: application_layer_protocol_negotiation
    [29/03/21 10:37:26:306 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.304 BST|Thread.java:1164|Ignore, context unavailable extension: status_request_v2
    [29/03/21 10:37:26:307 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.306 BST|Thread.java:1164|Ignore, context unavailable extension: renegotiation_info
    [29/03/21 10:37:26:310 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.309 BST|Thread.java:1164|Produced ClientHello handshake message (
    "ClientHello": {
      "client version"      : "TLSv1.2",
      "random"              : "88 57 8E A5 C0 F4 72 B7 2C F9 EA 52 C1 8B D8 D4 3E 09 5D 3A BB 50 9C 5D 78 54 DD 19 AA 81 A9 63",
      "session id"          : "",
      "cipher suites"       : "[SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D), SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), SSL_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), SSL_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), SSL_RSA_WITH_AES_128_GCM_SHA256(0x009C), SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), 
………..
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), SSL_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), SSL_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC008),  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(0x0016), SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA(0x0013), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
      "compression methods" : "00",
      "extensions"          : [
        "supported_groups (10)": {
          "versions": [secp256r1, secp384r1, secp521r1]
        },
        "ec_point_formats (11)": {
          "formats": [uncompressed]
        },
        "signature_algorithms (13)": {
          "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
        },
        "signature_algorithms_cert (50)": {
          "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
        },
        "extended_master_secret (23)": {
          <empty>
        },
        "supported_versions (43)": {
          "versions": [TLSv1.2]
        }
      ]
    }
    )
    [29/03/21 10:37:26:312 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.311 BST|Thread.java:1164|WRITE: TLS12 handshake, length = 262
    [29/03/21 10:37:26:314 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.313 BST|Thread.java:1164|Raw write (
      0000: 16 03 03 01 06 01 00 01  02 03 03 88 57 8e a5 c0  ............W...
      0010: f4 72 b7 2c f9 ea 52 c1  8b d8 d4 3e 09 5d 3a bb  .r....R.........
      .
      00e0: 08 04 08 05 08 06 08 09  08 0a 08 0b 04 01 05 01  ................
      00f0: 06 01 04 02 03 03 03 01  03 02 02 03 02 01 02 02  ................
      0100: 00 17 00 00 00 2b 00 03  02 03 03                 ...........
    )
    [29/03/21 10:37:26:321 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.320 BST|Thread.java:1164|Raw read (
      0000: 16 03 03 00 51 02 00 00  4d 03 03 60 61 9f d6 32  ....Q...M...a..2
      0010: 63 9b cf 09 dc a2 95 64  8d c0 cb 0f e5 ed 1b 1b  c......d........
      0040: b5 10 28 2a 9d e0 ed 5e  a8 f9 a5 13 c0 30 00 00  .............0..
      .
      02d0: 2b f9 e5 e8 c0 60 be 3b  11 68 2a 0d 1f 60 18 b3  .........h......
      02e0: e6 d5 0b 7e 12 03 9e 72  2f 88 f3 54 26 18 18 ca  .......r...T....
      02f0: e5 ae 0a 2f db b9 0f 18  ae c5 2f 8d 16 03 03 00  ................
      0300: 04 0e 00 00 00                                     .....
    )
    [29/03/21 10:37:26:323 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.322 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 81
    [29/03/21 10:37:26:328 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.327 BST|Thread.java:1164|Consuming ServerHello handshake message (
    "ServerHello": {
      "server version"      : "TLSv1.2",
      "random"              : "60 61 9F D6 32 63 9B CF 09 DC A2 95 64 8D C0 CB 0F E5 ED 1B 1B E3 C9 2B 7F 06 6D 03 58 6D DF 4F",
      "session id"          : "3A EC 80 A8 76 B9 C2 33 CD 59 71 86 01 77 6F 4B 64 3A 0A A6 B5 10 28 2A 9D E0 ED 5E A8 F9 A5 13",
      "cipher suite"        : "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
      "compression methods" : "00",
      "extensions"          : [
        "renegotiation_info (65,281)": {
          "renegotiated connection": [<no renegotiated connection>]
        }
      ]
    }
    )
    [29/03/21 10:37:26:335 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.334 BST|Thread.java:1164|Ignore unavailable extension: supported_versions
    [29/03/21 10:37:26:336 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.335 BST|Thread.java:1164|Negotiated protocol version: TLSv1.2
    …
    [29/03/21 10:37:26:367 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.365 BST|Thread.java:1164|Ignore unavailable extension: status_request_v2
    [29/03/21 10:37:26:369 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.367 BST|Thread.java:1164|Consumed extension: renegotiation_info
    [29/03/21 10:37:26:370 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.369 BST|Thread.java:1164|Session initialized:  Session(1617010646369|SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
    [29/03/21 10:37:26:372 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.371 BST|Thread.java:1164|Ignore unavailable extension: server_name
     …
    [29/03/21 10:37:26:380 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.380 BST|Thread.java:1164|Ignore unavailable extension: status_request_v2
    [29/03/21 10:37:26:381 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.380 BST|Thread.java:1164|Ignore unavailable extension: extended_master_secret
    [29/03/21 10:37:26:387 BST] 0000008c SystemOut     O javax.net.ssl|WARNING|8C|WebContainer : 1|2021-03-29 10:37:26.382 BST|Thread.java:1164|Ignore impact of unsupported extension: renegotiation_info
    [29/03/21 10:37:26:390 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.388 BST|Thread.java:1164|Raw read (
      0000: 16 03 03 01 cf 0b 00 01  cb 00 01 c8 00 01 c5 30  ...............0
      0010: 82 01 c1 30 82 01 2a 02  11 00 a2 75 59 bc 83 45  ...0.......uY..E
      .
      0260: e8 c6 b2 6c ac 7d 76 15  a0 94 72 cd 50 e8 37 75  ...l..v...r.P.7u
      02a0: 0f 18 ae c5 2f 8d 16 03  03 00 04 0e 00 00 00     ...............
    )
    [29/03/21 10:37:26:392 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.390 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 463
    [29/03/21 10:37:26:394 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.393 BST|Thread.java:1164|Consuming server Certificate handshake message (
    "Certificates": [
      "certificate" : {
        "version"            : "v1",
        "serial number"      : "00 A2 75 59 BC 83 45 CD 7D 9E B0 D9 8B E3 FD 9B 92",
        "signature algorithm": "SHA256withRSA",
        "issuer"             : "CN=dbserver01.miracle.com",
        "not before"         : "2021-03-21 02:10:55.000 GMT",
        "not  after"         : "2031-03-19 02:10:55.000 GMT",
        "subject"            : "CN=dbserver01.miracle.com",
        "subject public key" : "RSA"}
    ]
    )
    [29/03/21 10:37:26:404 BST] 0000008c SystemOut     O javax.net.ssl|SEVERE|8C|WebContainer : 1|2021-03-29 10:37:26.403 BST|Thread.java:1164|Fatal (BAD_CERTIFICATE): PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed (
    "throwable" : {
      com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at com.ibm.jsse2.util.h.a(h.java:174)
        at com.ibm.jsse2.util.h.b(h.java:185)
        at com.ibm.jsse2.util.g.a(g.java:10)
        at com.ibm.jsse2.bq.a(bq.java:32)
        at com.ibm.jsse2.bq.a(bq.java:70)
        at com.ibm.jsse2.bq.checkServerTrusted(bq.java:10)
        at com.ibm.jsse2.y$c.a(y$c.java:99)
        at com.ibm.jsse2.y$c.a(y$c.java:10)
        at com.ibm.jsse2.y$c.consume(y$c.java:6)
        at com.ibm.jsse2.p.consume(p.java:43)
        at com.ibm.jsse2.Z.a(Z.java:73)
        at com.ibm.jsse2.bf$a$b.a(bf$a$b.java:2)
        at com.ibm.jsse2.bf$a$b.run(bf$a$b.java:3)
        at java.security.AccessController.doPrivileged(AccessController.java:774)
        at com.ibm.jsse2.bf$a.run(bf$a.java:26)
        at oracle.net.nt.SSLSocketChannel.runTasks(SSLSocketChannel.java:602)
        at oracle.net.nt.SSLSocketChannel.doSSLHandshake(SSLSocketChannel.java:434)
        at oracle.net.nt.SSLSocketChannel.write(SSLSocketChannel.java:128)
        at oracle.net.ns.NIOPacket.writeToSocketChannel(NIOPacket.java:350)
        at oracle.net.ns.NIOConnectPacket.writeToSocketChannel(NIOConnectPacket.java:247)
        at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:117)
        at oracle.net.ns.NSProtocol.connect(NSProtocol.java:340)
        at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1596)
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:588)
        at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:793)
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:57)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:747)
        at oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:406)
        at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:291)
        at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
        at oracle.jdbc.pool.OracleConnectionPoolDataSource.getPhysicalConnection(OracleConnectionPoolDataSource.java:148)
        at oracle.jdbc.pool.OracleConnectionPoolDataSource.getPooledConnection(OracleConnectionPoolDataSource.java:91)
        at com.ibm.ws.rsadapter.DSConfigHelper$1.run(DSConfigHelper.java:1273)
        at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5446)
        at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5662)
        at com.ibm.ws.security.core.SecurityContext.runAsSystem(SecurityContext.java:255)
        at com.ibm.ws.rsadapter.spi.ServerFunction$6.run(ServerFunction.java:571)
        at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
        at com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection(DSConfigHelper.java:1288)
        at com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection(DSConfigHelper.java:1196)
        at com.ibm.ws.rsadapter.DSConfigurationHelper.getConnectionFromDSOrPooledDS(DSConfigurationHelper.java:2076)
        at com.ibm.ws.rsadapter.DSConfigurationHelper.getConnectionFromDSOrPooledDS(DSConfigurationHelper.java:1952)
        at com.ibm.ws.rsadapter.DSConfigurationHelper.testConnectionForGUI(DSConfigurationHelper.java:2820)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at com.ibm.ws.management.DataSourceConfigHelperMBean.testConnectionToDataSource2(DataSourceConfigHelperMBean.java:556)
        at com.ibm.ws.management.DataSourceConfigHelperMBean.testConnection(DataSourceConfigHelperMBean.java:484)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:83)
        at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:287)
        at javax.management.modelmbean.RequiredModelMBean$4.run(RequiredModelMBean.java:1263)
        at java.security.AccessController.doPrivileged(AccessController.java:708)
        at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
        at javax.management.modelmbean.RequiredModelMBean.invokeMethod(RequiredModelMBean.java:1257)
        at javax.management.modelmbean.RequiredModelMBean.invoke(RequiredModelMBean.java:1096)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:831)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:813)
        at com.ibm.ws.management.AdminServiceImpl$1.run(AdminServiceImpl.java:1353)
        at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
        at com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceImpl.java:1246)
        at com.ibm.ws.management.commands.AdminServiceCommands$InvokeCmd.execute(AdminServiceCommands.java:251)
        at com.ibm.ws.console.core.mbean.MBeanHelper.invoke(MBeanHelper.java:246)
        at com.ibm.ws.console.core.mbean.ResourceMBeanHelper.testNode(ResourceMBeanHelper.java:860)
        at com.ibm.ws.console.core.mbean.ResourceMBeanHelper.testConnection(ResourceMBeanHelper.java:292)
        at com.ibm.ws.console.resources.database.jdbc.DataSourceDetailAction.testConnection(DataSourceDetailAction.java:713)
        at com.ibm.ws.console.resources.database.jdbc.DataSourceCollectionAction.execute(DataSourceCollectionAction.java:339)
        at org.apache.struts.action.RequestProcessor.processActionPerform(Unknown Source)
        at org.apache.struts.action.RequestProcessor.process(Unknown Source)
        at org.apache.struts.action.ActionServlet.process(Unknown Source)
        at org.apache.struts.action.ActionServlet.doPost(Unknown Source)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1235)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
        at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:179)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:143)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:78)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:979)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1119)
        at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:1408)
        at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:198)
        at org.apache.struts.action.RequestProcessor.doForward(Unknown Source)
        at org.apache.struts.tiles.TilesRequestProcessor.doForward(Unknown Source)
        at org.apache.struts.action.RequestProcessor.processForwardConfig(Unknown Source)
        at org.apache.struts.tiles.TilesRequestProcessor.processForwardConfig(Unknown Source)
        at org.apache.struts.action.RequestProcessor.process(Unknown Source)
        at org.apache.struts.action.ActionServlet.process(Unknown Source)
        at org.apache.struts.action.ActionServlet.doPost(Unknown Source)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1235)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
        at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:179)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:143)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:96)
        at com.ibm.ws.console.core.servlet.WSCUrlFilter.setUpCommandAssistance(WSCUrlFilter.java:984)
        at com.ibm.ws.console.core.servlet.WSCUrlFilter.continueStoringTaskState(WSCUrlFilter.java:531)
        at com.ibm.ws.console.core.servlet.WSCUrlFilter.doFilter(WSCUrlFilter.java:352)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:979)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1119)
        at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:82)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:963)
        at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
        at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:382)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:532)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:318)
        at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:88)
        at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
        at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
        at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
        at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
        at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
        at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
        at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
      Caused by: java.security.cert.CertPathValidatorException: signature check failed
        at com.ibm.security.cert.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:130)
        at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:232)
        at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:136)
        at com.ibm.security.cert.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:75)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:304)
        at com.ibm.jsse2.util.h.a(h.java:74)
        ... 127 more
      Caused by: java.security.SignatureException: Signature length not correct: got 128 but was expecting 256
        at com.ibm.crypto.provider.RSASignature.engineVerify(Unknown Source)
        at java.security.Signature$Delegate.engineVerify(Signature.java:1403)
        at java.security.Signature.verify(Signature.java:777)
        at com.ibm.security.x509.X509CertImpl.verify(X509CertImpl.java:739)
        at com.ibm.security.cert.BasicChecker.verifySignature(BasicChecker.java:182)
        at com.ibm.security.cert.BasicChecker.check(BasicChecker.java:163)
        at com.ibm.security.cert.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:120)
2
oraclewebspheretls1.2jkspkcs#12

2 Answers

0
votes

Steps

  1. Following is my setup, though setup should not make a difference for achieving TLS 1.2.
    WAS v9.0.5.6 on Centos VM1. WAS installed with ‘user1’. Used Websphere provided IBM Java 8.
    Oracle Client 19c on same Centos VM1. Oracle client installed with ‘oracle’ user.
    Oracle Database 19c on Centos VM2. Database installed with ‘oracle’ user.

  2. Used this link to complete the server and client side certificate configuration. Generated and exchanged the self-signed certificates on/between server and client as given in the instructions. For testing keep the password free from special characters. I have seen issues when password contains special characters.

  3. On Oracle Client host (Centos VM1 for me) convert Oracle PKCS12 to Java Key Store. I used the below command with ‘oracle’ user.

    orapki wallet pkcs12_to_jks -wallet "/home/oracle/wallet" -pwd abcd123 -jksKeyStoreLoc "/home/oracle/jkswallet/ewallet.jks" -jksKeyStorepwd abcd123

  4. Change the permission of “home/oracle/jkswallet” and “home/oracle/jkswallet/ewallet.jks" to 755 so that its accessible for ‘user1’ running WAS on same server.

  5. On WAS create a normal ‘JDBC provider’ using ojdbc8.jar. No other jar is needed. Create a ‘Data source’ using the earlier created JDBC provider. Along with Data source also create ‘JAAS - J2C authentication data’ for username and password.

  6. I used the following url format in ‘Data source’

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=172.16.77.11)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=PROD01PDB)))

  7. Add a property in the ‘Custom properties’ under your ‘Data Source’
    Name: connectionProperties
    Value: javax.net.ssl.keyStore=/home/oracle/jkswallet/ewallet.jks; javax.net.ssl.keyStoreType=JKS; javax.net.ssl.keyStorePassword=abcd123; javax.net.ssl.trustStore=/home/oracle/jkswallet/ewallet.jks; javax.net.ssl.trustStoreType=JKS; javax.net.ssl.trustStorePassword=abcd123; oracle.net.ssl_version=1.2; oracle.net.ssl_server_dn_match=false

Finally the trimmed Debug Log

[06/04/21 16:14:30:947 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:30.946 BST|Thread.java:1164|found key for : orakey (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 E5 74 A4 14 70 21 C0 6D 42 78 B1 AF 86 B3 7F 09",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=appserver01",
    "not before"         : "2021-04-06 01:35:51.000 BST",
    "not  after"         : "2031-04-04 01:35:51.000 BST",
    "subject"            : "CN=appserver01",
    "subject public key" : "RSA"}
)
[06/04/21 16:14:30:956 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:30.955 BST|Thread.java:1164|adding as trusted certificates (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 E5 74 A4 14 70 21 C0 6D 42 78 B1 AF 86 B3 7F 09",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=appserver01",
    "not before"         : "2021-04-06 01:35:51.000 BST",
    "not  after"         : "2031-04-04 01:35:51.000 BST",
    "subject"            : "CN=appserver01",
    "subject public key" : "RSA"},
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
)
application_layer_protocol_negotiation
[06/04/21 16:14:32:709 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.708 BST|Thread.java:1164|Ignore, context unavailable extension: status_request_v2
[06/04/21 16:14:32:714 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.712 BST|Thread.java:1164|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "7B 73 62 0A 5B C3 CC 62 19 FC C1 78 03 30 F4 39 7C F8 A3 81 F9 02 4C BB 7A 35 8D F7 55 8A 8A 83",
  "session id"          : "",
  "cipher suites"       : "[SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)]",
  "compression methods" : "00",
  "extensions"          : [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)

[06/04/21 16:14:32:736 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.735 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 81
[06/04/21 16:14:32:741 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.740 BST|Thread.java:1164|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "60 6C 7A D8 CC A6 0C B4 A4 5E 49 53 44 B4 68 77 7D 18 01 D6 04 10 DD E8 A6 E5 8D 6C EE DC 54 2A",
  "session id"          : "11 E9 ED 05 27 69 4E B8 A4 FA 28 0F 4C 19 AD 2F D6 55 47 ED A1 EB 0E 91 E6 E6 7B 53 D9 E0 0C DA",
  "cipher suite"        : "SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
[06/04/21 16:14:32:804 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.803 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 463
[06/04/21 16:14:32:820 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.817 BST|Thread.java:1164|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
]
)
[06/04/21 16:14:32:831 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.830 BST|Thread.java:1164|Found trusted certificate (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
)
[06/04/21 16:14:32:916 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.915 BST|Thread.java:1164|JsseJCE:  Using cipher RSA/SSL/PKCS1Padding from provider IBMJCE version 1.8
[06/04/21 16:14:32:922 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.920 BST|Thread.java:1164|RSAClientKeyExchange:  Using cipher for wrap RSA/SSL/PKCS1Paddingfrom provider from init IBMJCE version 1.8
[06/04/21 16:14:32:928 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.926 BST|Thread.java:1164|Produced RSA ClientKeyExchange handshake message (
"RSA ClientKeyExchange": {
  "client_version":  TLSv1.2
  "encrypted": {
    0000: 24 64 33 4f 9f 90 85 77  fe 9d c2 f4 ac 75 78 56  .d3O...w.....uxV
    ......
    0060: 21 21 f9 68 c9 2e 79 60  cc fe d1 78 1d 5a 69 c1  ...h..y....x.Zi.
    0070: 4e 73 47 eb b6 39 3f 07  0a 89 62 fb 29 78 c5 f9  NsG..9....b..x..
  }
}
)
[06/04/21 16:14:33:052 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.050 BST|Thread.java:1164|Produced ChangeCipherSpec message
[06/04/21 16:14:33:054 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.052 BST|Thread.java:1164|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 56 66 52 df 64 68 37 a0  de 28 28 18 
  }'}
)
[06/04/21 16:14:33:055 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.054 BST|Thread.java:1164|WRITE: TLS12 handshake, length = 134


[06/04/21 16:14:33:291 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.290 BST|Thread.java:1164|found key for : orakey (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 E5 74 A4 14 70 21 C0 6D 42 78 B1 AF 86 B3 7F 09",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=appserver01",
    "not before"         : "2021-04-06 01:35:51.000 BST",
    "not  after"         : "2031-04-04 01:35:51.000 BST",
    "subject"            : "CN=appserver01",
    "subject public key" : "RSA"}
)
[06/04/21 16:14:33:294 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.293 BST|Thread.java:1164|adding as trusted certificates (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 E5 74 A4 14 70 21 C0 6D 42 78 B1 AF 86 B3 7F 09",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=appserver01",
    "not before"         : "2021-04-06 01:35:51.000 BST",
    "not  after"         : "2031-04-04 01:35:51.000 BST",
    "subject"            : "CN=appserver01",
    "subject public key" : "RSA"},
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
)

[06/04/21 16:14:33:389 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.387 BST|Thread.java:1164|Ignore, context unavailable extension: status_request_v2
[06/04/21 16:14:33:405 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.391 BST|Thread.java:1164|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "59 4F CB D5 24 6A E7 DC D4 75 4C 1D EC F9 84 2F BC D5 EC 24 EB BC 69 4F 35 29 88 0F 42 46 B7 0E",
  "session id"          : "",
  "cipher suites"       : "[SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)]",
  "compression methods" : "00",
  "extensions"          : [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)

[06/04/21 16:14:33:424 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.422 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 81
[06/04/21 16:14:33:427 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.426 BST|Thread.java:1164|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "60 6C 7A D9 FB 0C 6F 09 5C 10 3A 03 F4 01 E2 4A 58 60 72 D1 9D 7B 3A D7 2F 91 12 32 7C CF 85 0D",
  "session id"          : "2A 9D 32 23 12 52 AC 29 B8 69 D5 50 60 FE 15 4E C8 68 1C 8A AA C1 71 0E 42 55 EF BD CE 88 95 53",
  "cipher suite"        : "SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
[06/04/21 16:14:33:521 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.519 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 463
[06/04/21 16:14:33:522 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.521 BST|Thread.java:1164|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
]
)
[06/04/21 16:14:33:524 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.523 BST|Thread.java:1164|Found trusted certificate (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
)

[06/04/21 16:14:33:555 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.554 BST|Thread.java:1164|Produced RSA ClientKeyExchange handshake message (
"RSA ClientKeyExchange": {
  "client_version":  TLSv1.2
  "encrypted": {
    0000: 3f b0 62 d5 f6 31 b9 b5  02 37 29 3e 63 e0 38 f8  ..b..1...7..c.8.
    0010: 0e f5 03 a3 d3 ad 00 a1  06 92 c7 ff 65 a4 44 5b  ............e.D.
    …
    0060: 2e 52 49 75 fb 9d b3 00  96 77 53 29 46 f5 60 ae  .RIu.....wS.F...
    0070: b2 84 59 db f1 fc 66 6e  5f 41 51 75 da 52 c5 4a  ..Y...fn.AQu.R.J
  }
}
)
[06/04/21 16:14:33:579 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.575 BST|Thread.java:1164|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 69 8c 88 f6 6a 03 b6 81  ad d6 58 c1 
  }'}
)
IBMJCE version 1.8
[06/04/21 16:14:33:716 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.714 BST|Thread.java:1164|Consuming server Finished handshake message (
"Finished": {
  "verify data": {
    0000: 84 65 d5 89 28 fc 35 0c  47 a0 e3 42 
  }'}
)
[06/04/21 16:14:34:642 BST] 00000078 DSConfigurati I   DSRA8025I: Successfully connected to DataSource.
0
votes

What is the version of the JDBC driver you are using? If you are using the latest 18.3 then, you can pass connection properties in the URL. Check out this blog for 12.2 and lower.