5 Replies Latest reply on Nov 15, 2017 2:23 PM by Laura O'Donnell

    Oracle JDBC SSL configuration and FIPS

    Laura O'Donnell Newbie

      I’m configuring a WildFly web application to be FIPS SSL compliant with Bouncy Castle FIPS.

      This appears to be working. I have the BCFIPS provider configured as follows in the java.security:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=sun.security.provider.Sun
      security.provider.3=sun.security.rsa.SunRsaSign
      security.provider.4=sun.security.ec.SunEC
      security.provider.5=com.sun.net.ssl.internal.ssl.Provider BCFIPS

      My next step is that I need to configure our JDBC connection to be over SSL.

      So I have set what I believe is the appropriate configuration, as shown below:

      <connection-url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps) (HOST=localhost) (PORT=2484)) (CONNECT_DATA=(SERVICE_NAME=myservice)))</connection-url>
      <connection-property name="oracle.net.ssl_cipher_suites">SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</connection-property>

      I’m getting the following error when it tries to connect:

      by: oracle.net.ns.NetException: Unable to initialize ssl context.
      at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:325)
      at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:115)
      at oracle.net.nt.ConnOption.connect(ConnOption.java:133)
      at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:411)
      ... 143 more
      Caused by: java.security.NoSuchAlgorithmException: SSL SSLContext not available
      at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
      at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
      at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:311)

      Do you think this is because it is using the BCFIPS provider?

      Is there a way to configure it to use a different provider if necessary?

      Any thoughts on options?
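A small diagnostic, added here as an example (it is not from the post, from Bouncy Castle, or from Oracle's driver), that shows which installed provider answers SSLContext.getInstance for the algorithm name the trace shows the driver requesting ("SSL"), and which of the suites listed in oracle.net.ssl_cipher_suites the resulting context can actually offer. It assumes it is run with the same java.security file and provider jars as the WildFly JVM; the class name and the copied suite list are constructed for the example.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

/** Probe the JSSE provider chain the way the Oracle thin driver will see it. */
public class SslContextProbe {
    // Copy of the suite list from the <connection-property> above (constructed for this example).
    static final String[] CONFIGURED_SUITES = {
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"
    };

    public static void main(String[] args) {
        System.out.println("Installed providers, in precedence order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " - " + p.getInfo());
        }

        // The trace shows the driver asking for "SSL"; probe that name and the TLS names too.
        SSLContext working = null;
        for (String name : new String[] {"SSL", "TLS", "TLSv1.2"}) {
            try {
                SSLContext ctx = SSLContext.getInstance(name);
                ctx.init(null, null, null); // default key/trust managers and SecureRandom
                System.out.println(name + " -> served by provider " + ctx.getProvider().getName());
                if (working == null) working = ctx;
            } catch (GeneralSecurityException e) {
                // NoSuchAlgorithmException here reproduces the driver's failure exactly.
                System.out.println(name + " -> " + e);
            }
        }
        if (working == null) {
            System.out.println("No usable SSLContext: no JSSE provider is registered or initialisable.");
            return;
        }

        // Suites the driver names but this context cannot offer will never be negotiated.
        // DH_anon suites provide no server authentication, so UNSUPPORTED is the safe result for them.
        Set<String> supported = new HashSet<>(
            Arrays.asList(working.getSocketFactory().getSupportedCipherSuites()));
        for (String suite : CONFIGURED_SUITES) {
            System.out.println((supported.contains(suite) ? "supported   " : "UNSUPPORTED ") + suite);
        }
    }
}
```

If "SSL" prints the NoSuchAlgorithmException while "TLS" succeeds, the failure is the algorithm name the driver requests rather than the provider order; if all three fail, the JSSE provider on line 5 of java.security is not loading.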