Hello Christophe,

Very interesting, thanks!

Would it be possible in your scenario to export the certificates from the
wallet and import them to a different keystore (PKCS12 or JKS)? You can
have a look at [1]

Hope it helps,

Luis

[1]
https://blogs.oracle.com/dev2dev/ssl-connection-to-oracle-db-using-jdbc,-tlsv12,-jks-or-oracle-wallets

On Fri, 16 Nov 2018 at 12:03, Christophe Vanlancker (<
carroarma...@inuits.eu>) wrote:

> I ran a strace on the Tomcat process, and see that Tomcat actually IS able
> to see and read the wallets.
>
>
>
> [pid 21880] open("< full path to wallets>/oracle_wallets/cwallet.sso", O_RDONLY) = 362
>
>
> So I think this means that the problem lies somewhere between Tomcat and
> the OJDBC driver.
>
>
> Regards,
> Christophe
>
> --
> --
> Christophe Vanlancker <christophe.vanlanc...@inuits.eu>
> +32 (494) 232277 | Linux & Open-Source consultant - Inuits.eu
>
>
> From: "Christophe Vanlancker" <carroarma...@inuits.eu>
> To: "users" <users@tomcat.apache.org>
> Sent: Thursday, 15 November, 2018 13:24:10
> Subject: Tomcat 8 and Oracle Wallets
>
> Hello,
>
> I'm having an issue with setting up SSL encrypted connections to an Oracle
> database.
>
> I looked up on many websites and places and got the impression that either
> people abandon setting up the encryption or implemented the connection in
> code rather than through the jndi context in Tomcat itself.
>
> Tomcat 8.5.34
> JDK 1.8.0_171
> RedHat 7.4 (Selinux permissive)
> OracleDB 12.2.0.1.0
>
> I've written a simple Java application which just connects to the database
> using TCPS and makes a simple query.
> This works.
>
> java -Doracle.net.tns_admin="./oracle_wallets/" \
>      -Doracle.net.wallet_location="(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=./oracle_wallets)))" \
>      -cp ./:./lib/ojdbc8.jar:./lib/oraclepki.jar DataSourceSample
>
> I'm using the official ojdbc8.jar from Oracle appropriate for the version
> of Java and the Oracle database.
>
> Because Oracle Wallets is an invention of Oracle itself, I added the
> appropriate security provider in java.security:
> security.provider.4=oracle.security.pki.OraclePKIProvider ( loaded before
> com.sun.net.ssl.internal.ssl.Provider ) so it gets loaded before the
> default PKCS implementation in Java.
>
> cwallet.sso cwallet.sso.lck ewallet.p12 ewallet.p12.lck sqlnet.ora
> tnsnames.ora are all placed inside the ./oracle_wallets.
>
> As said before, the little Java app that I wrote is able to open the
> wallets and connect to the database:
>
> AArray = [B@6328d34a
> AArray = [B@145eaa29
> AArray = [B@15bb6bea
> ....
> Driver Name: Oracle JDBC driver
> Driver Version: 12.2.0.1.0
> Default Row Prefetch Value is: 20
> Database Username is: MY_USER
> ....
> 82062920015 SomeResults1
> 87093009324 SomeResults2
> 74031825702 SomeResults3
> ....
>
>
> I translated this to Tomcat in the following way:
>
> I placed the ojdbc8.jar and oraclepki.jar in the libs folder of Catalina.
>
> I added the Java options in bin/setenv.sh:
>
> export CATALINA_OPTS="$CATALINA_OPTS -Doracle.net.tns_admin=<full path>/oracle_wallets/"
> export CATALINA_OPTS="$CATALINA_OPTS -Doracle.net.wallet_location='(SOURCE=(METHOD=FILE) (METHOD_DATA = (DIRECTORY= <full path> /oracle_wallets)))'"
>
> The entries in the context.xml file look like this:
>
> <Resource name="jdbc/dominoDataSource"
> auth="Container"
> type="javax.sql.DataSource"
> username="MY_USER"
> password="*************"
> url="jdbc:oracle:thin:@MY_DATABASE"
> driverClassName="oracle.jdbc.OracleDriver"
> timeBetweenEvictionRunsMillis="120000"
> testOnBorrow="True"
> logAbandoned="True"
> removeAbandonedTimeout="3600"
> maxIdle="20"
> initialSize="32"
> removeAbandonedOnBorrow="True"
> maxTotal="256"
> validationQuery="select 1 from dual"
> removeAbandonedOnMaintenance="True"
> maxWaitMillis="300000"
> />
>
> I can confirm that the rights on the filesystem for the wallets are
> permissive enough for Tomcat to read them.
> Tomcat is able to connect to the database.
>
> But for some reason it's as if it's unable to read the wallets.
>
>
> Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
>     at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:523)
>     at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:521)
>     at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:660)
>     at oracle.net.ns.NSProtocol.connect(NSProtocol.java:286)
>     at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1438)
>     at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:518)
>     ... 68 more
> Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
>     at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:564)
>     at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:143)
>     at oracle.net.nt.ConnOption.connect(ConnOption.java:161)
>     at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:470)
>     ... 73 more
> Caused by: oracle.net.ns.NetException: Unable to initialize the key store.
>     at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:642)
>     at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:547)
>     ... 76 more
> Caused by: java.security.KeyStoreException: SSO not found
>     at java.security.KeyStore.getInstance(KeyStore.java:851)
>     at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:628)
>     ... 77 more
> Caused by: java.security.NoSuchAlgorithmException: SSO KeyStore not available
>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
>     at java.security.Security.getImpl(Security.java:695)
>     at java.security.KeyStore.getInstance(KeyStore.java:848)
>     ... 78 more
>
> I tried checking whether it was maybe linked to the application by removing it,
> but got the same result.
>
> Would be nice if anyone has tried this similarly with or without success.
>
>
> Regards,
> Christophe
>
>
>

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

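An added diagnostic, not code from either mail, for the "SSO KeyStore not available" error quoted in the thread: it lists the registered providers, checks whether any of them can create a keystore of type SSO, and checks which class loader can actually load the provider class named in the java.security entry. The class name WalletProviderCheck and the method names are mine; the provider class name is the one from the quoted java.security line, and the fallback registration via Security.addProvider is my suggestion, not something the thread describes.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;

// Diagnostic for the "SSO KeyStore not available" failure quoted above. Run it
// inside Tomcat (e.g. from a ServletContextListener) so it uses the same JVM,
// java.security file and class loaders as the JNDI connection pool.
public class WalletProviderCheck {
    // Provider class from the poster's java.security entry (lives in oraclepki.jar).
    static final String ORACLE_PKI = "oracle.security.pki.OraclePKIProvider";
    // True if a registered provider can create a KeyStore of this type; "SSO"
    // returning false is exactly the bottom of the quoted stack trace.
    static boolean keyStoreTypeAvailable(String type) {
        try {
            KeyStore.getInstance(type);
            return true;
        } catch (KeyStoreException e) {
            return false;
        }
    }
    // True if the provider class is loadable by the given class loader. Providers
    // listed in java.security are loaded through the system class loader, so a jar
    // that only sits in Tomcat's lib/ (common loader) is not visible to that entry.
    static boolean providerVisible(ClassLoader loader) {
        try {
            Class.forName(ORACLE_PKI, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }
    // Fallback (my suggestion): register the provider at runtime from a loader that
    // can see it, appended after the defaults so they keep priority elsewhere.
    static boolean registerIfMissing(ClassLoader loader) throws Exception {
        if (keyStoreTypeAvailable("SSO")) return true;
        if (!providerVisible(loader)) return false;
        Object p = Class.forName(ORACLE_PKI, true, loader).getDeclaredConstructor().newInstance();
        Security.addProvider((Provider) p);
        return keyStoreTypeAvailable("SSO");
    }
    public static void main(String[] args) throws Exception {
        for (Provider p : Security.getProviders())
            System.out.println("provider: " + p.getName() + " (" + p.getClass().getName() + ")");
        ClassLoader mine = WalletProviderCheck.class.getClassLoader();
        System.out.println("SSO available before: " + keyStoreTypeAvailable("SSO"));
        System.out.println("visible to system loader: " + providerVisible(ClassLoader.getSystemClassLoader()));
        System.out.println("SSO available after runtime registration: " + registerIfMissing(mine));
    }
}
```

If "SSO available before" is false while the provider is visible only to the webapp or common loader, the java.security entry is being ignored by that JVM and the runtime registration (or placing oraclepki.jar where the system loader sees it) is what makes the wallet keystore type appear.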