10 Replies Latest reply on Jan 16, 2020 8:37 AM by Greg Jewell

    JBOSS 7.2 SSL Query

    Kedar Barde Newbie

      Hi Everyone

      I am trying to configure an SSL connection on JBOSS 7.2 for Oracle TLS.

      On the Oracle DB server (ORADB18C) I ran the following:

      keytool -genkeypair -alias vault -keypass Server1234 -storepass Server1234 -keystore server.jks
      keytool -importkeystore -srckeystore server.jks -destkeystore server.jks -deststoretype pkcs12
      keytool -export -alias vault -storepass Server1234 -file server.cer -keystore server.jks

      Copied server.cer to the application VM (VMT24):

      keytool -importkeystore -srckeystore client.jks -destkeystore client.jks -deststoretype pkcs12

       

      Added the following options to JAVA_OPTS:

            JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/home/oracle/wallet/client_wallet/client.jks"
            JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreType=JKS"
            JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=Server1234 -Djavax.net.debug=all -Doracle.net.ssl_version='1.2'"

       

       

      <datasource jta="true" jndi-name="java:/jdbc/t24DS" pool-name="t24DS" enabled="true" use-java-context="true" use-ccm="true">
          <connection-url>jdbc:oracle:thin:@ORADB18C:2484/PDBDV</connection-url>
          <connection-property name="defaultRowPrefetch">100</connection-property>
          <driver>ora12c</driver>
          <pool>
              <min-pool-size>5</min-pool-size>
              <max-pool-size>220</max-pool-size>
              <flush-strategy>FailingConnectionOnly</flush-strategy>
          </pool>
          <security>
              <user-name>test</user-name>
              <password>test</password>
          </security>
      </datasource>

       

       

      When accessing the JBOSS application via port 8080 and trying to navigate to the application URL, I get errors.

      server.log

      Caused by: java.sql.SQLRecoverableException: IO Error: Connection reset by peer, connect lapse 4 ms., Authentication lapse 0 ms.
              at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:794)
              at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:688)
              at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
              at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:691)
              at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
              ... 176 more
      Caused by: java.io.IOException: Connection reset by peer, connect lapse 4 ms., Authentication lapse 0 ms.
              at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:790)
              ... 180 more

       

       

      Any suggestions on the SSL config in JBOSS, config settings? I have been following SSLSetup.

      Note: we are trying to make SSL connections to an Oracle 19c database. Our application runs in old legacy mode and in Browser mode.
      SSL connectivity via old legacy mode is working fine, but using the web tier (JBOSS) it is erroring.

      thank you

        • 1. Re: JBOSS 7.2 SSL Query
          Greg Jewell Expert

          I haven't personally tried to configure SSL to connect to a datasource, but I'm seeing pages indicate that you need to append some parameters to the connection URL.  Have you tried putting this at the end of yours?

          ?useSSL=true&requireSSL=true&verifyServerCertificate=true

           

          Other sites have indicated that either useSSL or requireSSL are sufficient.

           

          Secure database connection with WildFly

          • 2. Re: JBOSS 7.2 SSL Query
            Kedar Barde Newbie

            Hi Greg

            I have referred to the URL you shared above, but I am getting some errors starting JBOSS with the command below:

             

            20:33:03,962 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
                    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
                    at org.jboss.as.server.ServerService.boot(ServerService.java:377)
                    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372)
                    at java.lang.Thread.run(Thread.java:748)
            Caused by: javax.xml.stream.XMLStreamException: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '=' (code 61); expected a semi-colon after the reference for entity 'requireSSL'
            at [row,col {unknown-source}]: [169,101]
                    at org.jboss.as.connector.subsystems.datasources.DataSourcesExtension$DataSourceSubsystemParser.readElement(DataSourcesExtension.java:650)
                    at org.jboss.as.connector.subsystems.datasources.DataSourcesExtension$DataSourceSubsystemParser.readElement(DataSourcesExtension.java:204)
                    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:122)
                    at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
                    at org.jboss.as.server.parsing.StandaloneXml_8.parseServerProfile(StandaloneXml_8.java:607)
                    at org.jboss.as.server.parsing.StandaloneXml_8.readServerElement(StandaloneXml_8.java:240)
                    at org.jboss.as.server.parsing.StandaloneXml_8.readElement(StandaloneXml_8.java:137)
                    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:120)
                    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:52)
                    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:122)
                    at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:76)
                    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:126)
                    ... 3 more
            Caused by: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '=' (code 61); expected a semi-colon after the reference for entity 'requireSSL'

             

             

            JBOSS Command

            $JBOSS_HOME/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 --server-config=T24.xml

             

            I wonder if you can shed some light on the SSL setting in T24.xml below.

             

                        </security-realm>
                        <security-realm name="ApplicationRealm">
                            <server-identities>
                                <ssl>
                                    <keystore path="/home/temenos/wallet/client_wallet/keystore.jks" relative-to="jboss.server.config.dir" keystore-password="Server1234" alias="vault" key-password="Server1234" generate-self-signed-certificate-host="localhost"/>
                                </ssl>
                            </server-identities>
                            <authentication>
                                <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                            </authentication>
                            <authorization>
                                <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                            </authorization>
                        </security-realm>
                    </security-realms>

             

                            <datasource jta="true" jndi-name="java:/jdbc/t24DS" pool-name="t24DS" enabled="true" use-java-context="true" use-ccm="true" statistics-enabled="true">
                                <connection-url>jdbc:oracle:thin:@ORADB18C:2484/PDBDV?useSSL=true&requireSSL=true&verifyServerCertificate=true</connection-url> <!-- This does not work but errors -->
                                <connection-property name="defaultRowPrefetch">100</connection-property>
                                <driver>ora12c</driver>
                                <pool>
                                    <min-pool-size>5</min-pool-size>
                                    <max-pool-size>220</max-pool-size>
                                    <flush-strategy>FailingConnectionOnly</flush-strategy>
                                </pool>
                                <security>
                                    <user-name>test</user-name>
                                    <password>test</password>
                                </security>
                            </datasource>

             

             

            JAVA_OPTS are as below:

                 JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/home/temenos/wallet/client_wallet/client.jks"
                 JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreType=JKS"
                 JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=Server1234 -Djavax.net.debug=all -Doracle.net.ssl_version='1.2'"

            • 3. Re: JBOSS 7.2 SSL Query
              Tomaž Cerar Master

              well, it is XML, you need to escape xml special chars like "&"

               

              aka & becomes &amp;

              • 4. Re: JBOSS 7.2 SSL Query
                Kedar Barde Newbie

                Thanks Tomaz

                 

                I changed the format but got an error:

                jdbc:oracle:thin:@ORADB18C:2484/PDBDV?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true

                Is there a format issue for host port sid?

                Caused by: java.sql.SQLRecoverableException: IO Error: Invalid connection string format, a valid format is: "host:port:sid"
                        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:774)
                        at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:688)
                        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
                        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:691)
                        at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
                        ... 176 more

                • 5. Re: JBOSS 7.2 SSL Query
                  Wolfgang Mayer Master

                  I understand Oracle needs special properties for the JDBC driver:
                  "First of all the JDBC URL must use the “tcps” protocol in order to activate SSL in the JDBC Thin driver." (https://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf )

                  • 6. Re: JBOSS 7.2 SSL Query
                    Kedar Barde Newbie

                    Hi Mayer

                     

                    The sqlplus connection to port 2484 shows the tcps protocol:

                     

                    [oracle@kedart24 bin]$ tnsping pdbdv

                     

                    TNS Ping Utility for Linux: Version 12.2.0.1.0 - Production on 14-JAN-2020 09:56:45

                     

                    Copyright (c) 1997, 2016, Oracle.  All rights reserved.

                     

                    Used parameter files:

                    /u01/orabase/db_home1/network/admin/sqlnet.ora

                     

                    Used TNSNAMES adapter to resolve the alias

                    Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = ORADB18C)(PORT = 2484))) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = PDBDV)))

                    OK (30 msec)

                    [oracle@kedart24 bin]$ sqlplus t24/t24@PDBDV

                     

                     

                    SQL*Plus: Release 12.2.0.1.0 Production on Tue Jan 14 09:56:50 2020

                     

                    Copyright (c) 1982, 2016, Oracle.  All rights reserved.

                     

                    Last Successful login time: Tue Jan 14 2020 08:25:05 +00:00

                     

                    Connected to:

                    Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production

                     

                    SQL> SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

                     

                    SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')

                    --------------------------------------------------------------------------------

                    tcps

                     

                    thanks

                    • 7. Re: JBOSS 7.2 SSL Query
                      Kedar Barde Newbie

                      Hello Everyone

                       

                      I have managed to figure out the setting for SSL connections for JBOSS 7.2 settings against 19c database and they are working fine

                       

                      Thanks for your help and time

                       

                      kedar

                      • 8. Re: JBOSS 7.2 SSL Query
                        Greg Jewell Expert

                        Kedar,

                         

                        It's good to hear that you got things running.  Would you be able to share what you did so that other people who encounter the problem can see your solution?

                        • 9. Re: JBOSS 7.2 SSL Query
                          Kedar Barde Newbie

                          Hi Greg

                           

                          There was some issue with the certificate, which I re-created using orapki commands, so I recreated them. I believe there was some issue with the JKS certificate created before.
                          I have not mentioned the orapki commands to create the wallet and convert PKCS12 to JKS; in case they are needed I can share them.

                           

                          The following JAVA settings were added:

                                JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/home/temenos/wallet/keystore.jks"
                                JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreType=JKS"
                                JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=manager03 -Doracle.net.ssl_cipher_suites='(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)'"
                                JAVA_OPTS="$JAVA_OPTS -Djava.security.egd=file:/dev/./urandom"

                           

                          Reference: https://access.redhat.com/solutions/2066163

                           

                          The JDBC connection URL changed from

                          <connection-url>jdbc:oracle:thin:@ORADB18C:2484/PDBDV?useSSL=true&requireSSL=true&verifyServerCertificate=true</connection-url>

                          to

                          <connection-url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=ORADB18C)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=PDBDV)))</connection-url>

                           

                          Let me know if that helps

                           

                          Regards

                          Kedar
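As an added example (not code from this thread, Temenos or JBoss), a small standalone Java check that opens the Oracle thin connection with the tcps descriptor from reply 9, passes the trust store as per-connection JDBC properties instead of JVM-wide JAVA_OPTS, and then confirms with the same SYS_CONTEXT query used in reply 6 that the session really runs over tcps. It assumes the Oracle JDBC driver (ojdbc) is on the classpath, that the server certificate's DN contains the host name (needed for oracle.net.ssl_server_dn_match), and that the credentials and trust store come from hypothetical environment variables named below.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public final class OracleTcpsCheck {
    // Descriptor form from reply 9: the transport protocol is stated explicitly as tcps.
    static final String URL =
        "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=ORADB18C)(PORT=2484))"
        + "(CONNECT_DATA=(SERVICE_NAME=PDBDV)))";

    // Trust store settings as JDBC connection properties, so they apply to this datasource only.
    static Properties tlsProperties(String user, String password,
                                    String trustStore, String trustStorePassword) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("javax.net.ssl.trustStore", trustStore);
        p.setProperty("javax.net.ssl.trustStoreType", "JKS");
        p.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        p.setProperty("oracle.net.ssl_version", "1.2");
        // Assumption: the server cert DN names the host; the driver then rejects a
        // certificate that is trusted but was issued for a different server.
        p.setProperty("oracle.net.ssl_server_dn_match", "true");
        return p;
    }

    // The same check reply 6 ran in sqlplus: the session reports its network protocol.
    static String networkProtocol(Connection c) throws SQLException {
        try (Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM DUAL")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    public static void main(String[] args) throws SQLException {
        // Hypothetical environment variable names; all four must be set before running.
        Properties props = tlsProperties(
            System.getenv("ORA_USER"), System.getenv("ORA_PASSWORD"),
            System.getenv("ORA_TRUSTSTORE"), System.getenv("ORA_TRUSTSTORE_PASSWORD"));
        try (Connection c = DriverManager.getConnection(URL, props)) {
            String proto = networkProtocol(c);
            if (!"tcps".equalsIgnoreCase(proto)) {
                throw new IllegalStateException("expected tcps, session uses: " + proto);
            }
            System.out.println("TLS confirmed, network_protocol=" + proto);
        }
    }
}
```

If the trust store does not contain the certificate the listener presents, the connection fails during the handshake before any SQL runs, which is the point at which the "Connection reset by peer" error in the original post appears.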

                           

                          • 10. Re: JBOSS 7.2 SSL Query
                            Greg Jewell Expert

                            Yes, that's very helpful.  Thanks for sharing what you found!