10 Replies Latest reply on Jan 16, 2020 8:37 AM by jewellgm

JBOSS 7.2 SSL Query

kvbarde Jan 13, 2020 6:19 AM

Hi Everyone

Am trying to configure ssl connection on JBOSS 7.2 for Oracle TLS

on oracle db server(ORADB18C) ran the following

keytool -genkeypair -alias vault -keypass Server1234 -storepass Server1234 -keystore server.jks

keytool -importkeystore -srckeystore server.jks -destkeystore server.jks -deststoretype pkcs12"

keytool -export -alias vault -storepass Server1234 -file server.cer -keystore server.jks

copied server.cer to application VM(VMT24)

keytool -importkeystore -srckeystore client.jks -destkeystore client.jks -deststoretype pkcs12

Added following options for JAVA_OPTS

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/home/oracle/wallet/client_wallet/client.jks"

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreType=JKS"

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=Server1234 -Djavax.net.debug=all -Doracle.net.ssl_version='1.2'"

<datasource jta="true" jndi-name="java:/jdbc/t24DS" pool-name="t24DS" enabled="true" use-java-context="true" use-ccm="true"> <connection-url>jdbc:oracle:thin:@ORADB18C:2484/PDBDV</connection-url> <connection-property name="defaultRowPrefetch"> 100 </connection-property> <driver>ora12c</driver> <pool> <min-pool-size>5</min-pool-size> <max-pool-size>220</max-pool-size> <flush-strategy>FailingConnectionOnly</flush-strategy> </pool> <security> <user-name>test</user-name> <password>test</password> </security> </datasource>

When accessing JBOSS application via port 8080 and trying to navigate to application url getting errors

server.log

Caused by: java.sql.SQLRecoverableException: IO Error: Connection reset by peer, connect lapse 4 ms., Authentication lapse 0 ms.

at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:794)

at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:688)

at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)

at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:691)

at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)

... 176 more

Caused by: java.io.IOException: Connection reset by peer, connect lapse 4 ms., Authentication lapse 0 ms.

at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:790)

... 180 more

Any suggestions on SSL config in JBOSS , config settings. I have been following SSLSetup

note: we are trying to make SSL connections to Oracle 19c database. Our application runs in old legacy mode and in Browser mode.

SSL connectiviy via old legacy mode is working fine but using web Tier (JBOSS) is erroring

thank you

1. Re: JBOSS 7.2 SSL Query

jewellgm Jan 13, 2020 12:26 PM (in response to kvbarde)

I haven't personally tried to configure SSL to connect to a datasource, but I'm seeing pages indicate that you need to append some paramters to the connection url. Have you tried putting this at the end of yours?
?useSSL=true&requireSSL=true&verifyServerCertificate=true

Other sites have indicated that either useSSL or requireSSL are sufficient.

Secure database connection with WildFly
Actions
2. Re: JBOSS 7.2 SSL Query

kvbarde Jan 13, 2020 3:37 PM (in response to jewellgm)

HI Greg

I have referred to the above URL which you shared but I am getting some errors starting JBOSS with command below

20:33:03,962 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
        at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
        at org.jboss.as.server.ServerService.boot(ServerService.java:377)
        at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.xml.stream.XMLStreamException: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '=' (code 61); expected a semi-colon after the reference for entity 'requireSSL'
at [row,col {unknown-source}]: [169,101]
        at org.jboss.as.connector.subsystems.datasources.DataSourcesExtension$DataSourceSubsystemParser.readElement(DataSourcesExtension.java:650)
        at org.jboss.as.connector.subsystems.datasources.DataSourcesExtension$DataSourceSubsystemParser.readElement(DataSourcesExtension.java:204)
        at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:122)
        at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
        at org.jboss.as.server.parsing.StandaloneXml_8.parseServerProfile(StandaloneXml_8.java:607)
        at org.jboss.as.server.parsing.StandaloneXml_8.readServerElement(StandaloneXml_8.java:240)
        at org.jboss.as.server.parsing.StandaloneXml_8.readElement(StandaloneXml_8.java:137)
        at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:120)
        at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:52)
        at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:122)
        at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:76)
        at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:126)
        ... 3 more
Caused by: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '=' (code 61); expected a semi-colon after the reference for entity 'requireSSL'

JBOSS Command
$JBOSS_HOME/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 --server-config=T24.xml

Wonder if you can shed some light for ssl for T24.xml setting below

            </security-realm>
            <security-realm name="ApplicationRealm">
                <server-identities>
                    <ssl>
                        <keystore path="/home/temenos/wallet/client_wallet/keystore.jks" relative-to="jboss.server.config.dir" keystore-password="Server1234" alias="vault" key-password="Server1234" generate-self-signed-certificate-host="localhost"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>

                <datasource jta="true" jndi-name="java:/jdbc/t24DS" pool-name="t24DS" enabled="true" use-java-context="true" use-ccm="true" statistics-enabled="true">
                    <connection-url>jdbc:oracle:thin:@ORADB18C:2484/PDBDV?useSSL=true&requireSSL=true&verifyServerCertificate=true</connection-url> 
                    <connection-property name="defaultRowPrefetch">
                        100
                    </connection-property>
                    <driver>ora12c</driver>
                    <pool>
                        <min-pool-size>5</min-pool-size>
                        <max-pool-size>220</max-pool-size>
                        <flush-strategy>FailingConnectionOnly</flush-strategy>
                    </pool>
                    <security>
                        <user-name>test</user-name>
                        <password>test</password>
                    </security>
                </datasource>

JAVA_OPTS are as below

     JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/home/temenos/wallet/client_wallet/client.jks"
     JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreType=JKS"
     JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=Server1234 -Djavax.net.debug=all -Doracle.net.ssl_version='1.2'"
Actions
3. Re: JBOSS 7.2 SSL Query

ctomc Jan 14, 2020 3:47 AM (in response to kvbarde)

well, it is XML, you need to escape xml special chars like "&"

aka & becomes &
Actions
4. Re: JBOSS 7.2 SSL Query

kvbarde Jan 14, 2020 4:19 AM (in response to ctomc)

Thanks Tomaz

I changed the format but got an error
jdbc:oracle:thin:@ORADB18C:2484/PDBDV?useSSL=true&requireSSL=true&verifyServerCertificate=true

Is there a format issue for host port sid??
Caused by: java.sql.SQLRecoverableException: IO Error: Invalid connection string format, a valid format is: "host:port:sid"
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:774)
        at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:688)
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:691)
        at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
        ... 176 more
Actions
5. Re: JBOSS 7.2 SSL Query

mayerw01 Jan 14, 2020 4:41 AM (in response to kvbarde)

I understand Oracle needs special properties for the JDBC driver:
"First of all the JDBC URL must use the “tcps” protocol in order to activate SSL in the JDBC Thin driver." (https://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf )
Actions
6. Re: JBOSS 7.2 SSL Query

kvbarde Jan 14, 2020 5:00 AM (in response to mayerw01)

Hi Mayer

sqlplus connection to port 2484 displays tcps protocol

[oracle@kedart24 bin]$ tnsping pdbdv

TNS Ping Utility for Linux: Version 12.2.0.1.0 - Production on 14-JAN-2020 09:56:45

Copyright (c) 1997, 2016, Oracle. All rights reserved.

Used parameter files:
/u01/orabase/db_home1/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = ORADB18C)(PORT = 2484))) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = PDBDV)))
OK (30 msec)
[oracle@kedart24 bin]$ sqlplus t24/t24@PDBDV

SQL*Plus: Release 12.2.0.1.0 Production on Tue Jan 14 09:56:50 2020

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Last Successful login time: Tue Jan 14 2020 08:25:05 +00:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production

SQL> SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcps

thanks
Actions
7. Re: JBOSS 7.2 SSL Query

kvbarde Jan 15, 2020 9:27 AM (in response to kvbarde)

Hello Everyone

I have managed to figure out the setting for SSL connections for JBOSS 7.2 settings against 19c database and they are working fine

Thanks for your help and time

kedar
Actions
8. Re: JBOSS 7.2 SSL Query

jewellgm Jan 15, 2020 5:35 PM (in response to kvbarde)

Kedar,

It's good to hear that you got things running. Would you be able to share what you did so that other people who encounter the problem can see your solution?
Actions
9. Re: JBOSS 7.2 SSL Query

kvbarde Jan 16, 2020 5:00 AM (in response to jewellgm)

Hi Greg

There was some issue with the certificate which I re-created using orapki commands, so i recreated them. I believe there was some issue with JKS certificate created before.
Not mentioned on orapki commands to create wallet and converting PKCS12 to JKS ;in case needed can share them.

JAVA Settings were added
      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/home/temenos/wallet/keystore.jks"
      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreType=JKS"
      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=manager03 -Doracle.net.ssl_cipher_suites='(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)'"
      JAVA_OPTS="$JAVA_OPTS -Djava.security.egd=file:/dev/./urandom"

Reference: https://access.redhat.com/solutions/2066163

JDBC connection URL changed from

<connection-url>jdbc:oracle:thin:@ORADB18C:2484/PDBDV?useSSL=true&requireSSL=true&verifyServerCertificate=true</connection-url>
to
<connection-url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=ORADB18C)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=PDBDV)))</connection-url>

Let me know if that helps

Regards
Kedar
Actions
10. Re: JBOSS 7.2 SSL Query

jewellgm Jan 16, 2020 8:37 AM (in response to kvbarde)

Yes, that's very helpful. Thanks for sharing what you found!
Actions

Go to original post