5 Replies Latest reply on Nov 15, 2017 2:23 PM by longshot

    Oracle JDBC SSL configuration and FIPS

    longshot

      I’m configuring a WildFly web application to be FIPS SSL compliant with Bouncy Castle FIPS.

      This appears to be working.  I have the BCFIPS provider configured as follows in the java.security:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=sun.security.provider.Sun
      security.provider.3=sun.security.rsa.SunRsaSign
      security.provider.4=sun.security.ec.SunEC
      security.provider.5=com.sun.net.ssl.internal.ssl.Provider BCFIPS

      My next step is that I need to configure our jdbc connection to be over SSL.

      So I have set what I believe is the appropriate configuration as shown below:

      <connection-url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps) (HOST=localhost) (PORT=2484)) (CONNECT_DATA=(SERVICE_NAME=myservice)))</connection-url>
      <connection-property name="oracle.net.ssl_cipher_suites">SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</connection-property>

      I’m getting the following error when it tries to connect:

      by: oracle.net.ns.NetException: Unable to initialize ssl context.
          at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:325)
          at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:115)
          at oracle.net.nt.ConnOption.connect(ConnOption.java:133)
          at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:411)
          ... 143 more
      Caused by: java.security.NoSuchAlgorithmException: SSL SSLContext not available
          at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
          at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
          at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:311)

      Do you think this is because it is using the BCFIPs provider?

      Is there a way to configure to tell it use a different provider if necessary?

      Any thoughts on options?

        • 1. Re: Oracle JDBC SSL configuration and FIPS
          mchoma

          Based on [1] it seems oracle driver is hardcoding javax.net.ssl.SSLContext.getInstance("SSL");

          Is it possible SSL is not allowed with BCFIPS, only TLS? Does it work without BCFIPS?

          Are you using Oracle Java?

          [1] JDBC Thin driver is not connecting over SSL con... | Oracle Community
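A small diagnostic that reproduces the lookup mchoma describes and shows what the installed providers actually offer. This is an added example, not code from the thread, the Oracle driver or Bouncy Castle; it only assumes the java.security provider order and the oracle.net.ssl_cipher_suites list from the original post, and runs with the same JVM and java.security file as the application server.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class SslContextProbe {
    // Suites copied from the oracle.net.ssl_cipher_suites value in the original post.
    private static final String[] CONFIGURED_SUITES = {
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"
    };

    public static void main(String[] args) throws Exception {
        // 1. Which providers register an SSLContext service, and under which algorithm names?
        //    Under a FIPS-mode JSSE the "SSL" name may simply be absent from this list.
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    System.out.println(p.getName() + " -> SSLContext." + s.getAlgorithm());
                }
            }
        }
        // 2. Reproduce the driver's hard-coded getInstance("SSL"), then the TLS names.
        for (String alg : new String[] {"SSL", "TLS", "TLSv1.2"}) {
            try {
                SSLContext ctx = SSLContext.getInstance(alg);
                System.out.println(alg + ": available from provider " + ctx.getProvider().getName());
            } catch (NoSuchAlgorithmException e) {
                System.out.println(alg + ": " + e.getMessage()); // same message as the stack trace
            }
        }
        // 3. Which of the configured suite names does the default context recognise and enable?
        SSLSocketFactory f = SSLContext.getDefault().getSocketFactory();
        Set<String> supported = new HashSet<>(Arrays.asList(f.getSupportedCipherSuites()));
        Set<String> enabled = new HashSet<>(Arrays.asList(f.getDefaultCipherSuites()));
        for (String suite : CONFIGURED_SUITES) {
            String status = enabled.contains(suite) ? "enabled"
                    : supported.contains(suite) ? "supported but not enabled by default"
                    : "NOT supported by this JSSE";
            System.out.println(suite + ": " + status);
        }
    }
}
```

Run it once with the BCFIPS java.security and once without, as mchoma suggests, to see whether the "SSL" context name disappears with the FIPS provider and which of the listed suite names the JSSE actually accepts.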

          • 2. Re: Oracle JDBC SSL configuration and FIPS
            longshot

            Yes we are using Oracle Java.

            I don't know if the BCFIPS is only TLS. Security Policy doesn't say it's prevented.  It only says stuff about TLS though.  Still researching.

            At the moment I have a different error with the application server configured with SSL on the JDBC driver but not configured for SSL at all on the application server. There I'm getting a connection refused.  I am anticipating this is likely a firewall or oracle server configuration issue.  I have no control on that side of things so am waiting for that to get straightened out.

            Once it is, I think there still could be more configuration needed on wildfly for the jdbc.  All I know right now for that case is that nothing is getting to database server. 

            Once I get this SSL connectivity working, I'll be able to know better whether BCFIPS is the problem. I pinged this group just in case anyone else has seen something like this and could point me in the right direction. I'll look at your link.  Thank you for your help.

            • 3. Re: Oracle JDBC SSL configuration and FIPS
              jewellgm

              I found this link:

              oracle - Database Connectivity over TLS1.2 using JDBC Thin and JKS - Stack Overflow

              The discussion specifically talks about Oracle 12c, so I don't know whether this applies to you.  Step 1 appears to be the critical item, though.

              • 4. Re: Oracle JDBC SSL configuration and FIPS
                longshot

                We are 12c.  I pulled down the patch and tried it, but still getting the same error so not seeing that solving anything.   Our db is definitely not configured properly for SSL yet but given that I'm testing with a FIPS compliant SSL wildfly configured application server and a non-SSL enabled wildfly application server.

                • 5. Re: Oracle JDBC SSL configuration and FIPS
                  longshot

                  Hit return too soon:

                  We are 12c.  I pulled down the patch and tried it, but still getting the same error so not seeing that solving anything.   Our db is definitely not configured properly for SSL yet but given that I'm testing with a FIPS compliant SSL wildfly configured application server and a non-SSL enabled wildfly application server and I'm getting two different responses for the error still, I'm thinking it's safe to say the patch didn't solve my problem.