Configuring your Content Delivery microservices for TLS v1.2 (Oracle databases)
If you want to use TLS (Transport Layer Security) version 1.2 for all communication between your Content Delivery microservices and your Oracle databases, you need to perform some configuration steps on the database server and in the microservices (database clients).
Procedure
- Follow the instructions in the Database Administrator's Guide at https://docs.oracle.com/en/database/oracle/oracle-database/12.2/admin/index.html to configure your database server to work with Oracle Wallet.
- Confirm that the directory $ORACLE_HOME\wallet\ exists and contains the following files:
- cwallet.sso
- cwallet.sso.lck
- ewallet.p12
- ewallet.p12.lck
- From the database server, export your Oracle Wallet certificate by running the following command:
  orapki wallet export -wallet "$ORACLE_HOME\wallet" -pwd PASSWORD -dn DN -cert CERTFILENAMEBASE.cert
  where:
- PASSWORD is your wallet password
- DN is your Distinguished Name (DN)
- CERTFILENAMEBASE is the base filename (without extension) you want to give to your exported certificate file.
- Access the root location of a microservice that interacts with an Oracle database.
- Copy the $ORACLE_HOME\wallet\ directory from your database server to the config\ subdirectory of the root location.
- Convert the wallet to the P12 format by running the following commands:
  openssl pkcs12 -in SERVICEROOT\config\wallet\ewallet.p12 -nocerts -out SERVICEROOT\config\keystore\KSNAMEBASE.pem
  openssl pkcs12 -export -in SERVICEROOT\config\CERTFILENAMEBASE.cert -inkey SERVICEROOT\config\keystore\KSNAMEBASE.pem -name CERTFILENAMEBASE -out SERVICEROOT\config\keystore\KSNAMEBASE.p12
  where:
- SERVICEROOT is the root folder of your microservice
- KSNAMEBASE is the base filename (without extension) you want to give to your keystore
- CERTFILENAMEBASE is the base filename (without extension) you just gave to your exported certificate file
- Create a new JKS (Java KeyStore) by running the following command:
  keytool -importkeystore -deststorepass DESTPASSWORD -destkeystore SERVICEROOT\config\keystore\DESTKSNAMEBASE.jks -srckeystore SERVICEROOT\config\keystore\KSNAMEBASE.p12 -srcstoretype PKCS12
  where:
- DESTPASSWORD is the password you want to use to secure your Java KeyStore
- SERVICEROOT is the root folder of your microservice
- DESTKSNAMEBASE is the base filename (without extension) you want to give to your Java KeyStore
- KSNAMEBASE is the base filename (without extension) you just gave to your P12 keystore.
- In the config\ subdirectory of your microservice root location, open the file cd_storage_conf.xml for editing.
- In the DataSource section, add the following new Property subelements:
  <Property Name="url" Value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=DBSERVERHOST)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=DBSERVICENAME))(SECURITY=(SSL_SERVER_CERT_DN="DN")))"/>
  <Property Name="connectionProperties" Value="oracle.net.wallet_location=(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=.\\config\\wallet)))"/>
  where:
- DBSERVERHOST is the host name of the database server
- DBSERVICENAME is the name of the database service
- DN is your Distinguished Name (DN)
- Save and close cd_storage_conf.xml.
- In deployer-conf.xml, add the same two Property elements listed above to your Oracle database connection properties, and additionally add the following Property element:
  <Property Name="oracle.net.ssl_server_dn_match" Value="true"/>
- In deployer_conf.xml, in the State Store Oracle database configuration, add the following Property elements:
  <Property Name="url" Value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=DBSERVERHOST)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=DBSERVICENAME))(SECURITY=(SSL_SERVER_CERT_DN="DN")))"/>
  <Property Name="oracle.net.wallet_location" Value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=.\config\wallet)))"/>
- In the config\ subdirectory of your microservice root location, open the file application.properties for editing.
- Ensure that this file contains the following property-value pairs:
  server.ssl.enabled=true
  server.ssl.key-store=.\\config\\keystore\\DESTKSNAMEBASE.jks
  server.ssl.key-store-password=encrypted:ENCRYPTEDPASSWORD
  server.ssl.key-store-type=JKS
  server.ssl.key-alias=CERTALIAS
  where:
- DESTKSNAMEBASE is the base filename (without extension) you just gave to your Java KeyStore
- ENCRYPTEDPASSWORD is your encrypted Java KeyStore password.
- CERTALIAS is your certificate alias.
- Save and close application.properties.
- Stop or uninstall your microservice.
- Restart or reinstall your microservice.
- Repeat steps 3-16 for all other microservices that interact with an Oracle database.
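Before restarting a service, it is worth confirming that the Property elements you added actually force an encrypted, DN-pinned connection rather than silently falling back to plain TCP. The following Python check is an added example, not part of the product or of this procedure: it reads the Property elements from a configuration file and flags a non-tcps URL, a missing wallet location or an unenforced server DN. The DataSource wrapper and host names in the constructed sample are assumptions, and note that the quotes around the DN have to be escaped as &quot; when they sit inside the double-quoted Value attribute.

```python
"""Added check: read the Property elements from a CD storage/deployer config
and flag settings that would leave the Oracle JDBC connection unencrypted."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Property elements in the procedure above.
# The DataSource wrapper is an assumed layout; the DN quotes are XML-escaped
# as &quot; because they sit inside a double-quoted Value attribute.
SAMPLE_CONFIG = r"""<Configuration>
  <DataSource>
    <Property Name="url" Value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=db.example.internal)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=CDSVC))(SECURITY=(SSL_SERVER_CERT_DN=&quot;CN=db.example.internal,O=Example&quot;)))"/>
    <Property Name="connectionProperties" Value="oracle.net.wallet_location=(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=.\\config\\wallet)))"/>
    <Property Name="oracle.net.ssl_server_dn_match" Value="true"/>
  </DataSource>
</Configuration>"""


def check_datasource_tls(xml_text):
    """Return a list of findings; an empty list means the settings match the procedure."""
    props = {p.get("Name"): p.get("Value", "")
             for p in ET.fromstring(xml_text).iter("Property")}
    findings = []
    url = props.get("url", "").upper()          # Oracle descriptors are case-insensitive
    if "(PROTOCOL=TCPS)" not in url:
        findings.append("url does not use PROTOCOL=tcps: the JDBC session would be plaintext")
    port = re.search(r"\(PORT=(\d+)\)", url)
    if not port or port.group(1) != "2484":
        findings.append("url does not point at the TCPS listener port 2484")
    if "SSL_SERVER_CERT_DN=" not in url:
        findings.append("url has no SSL_SERVER_CERT_DN, so the server certificate is not pinned to a DN")
    # The wallet location is given inline in connectionProperties (cd_storage_conf.xml)
    # or as its own Property (deployer_conf.xml); accept either form.
    wallet = props.get("oracle.net.wallet_location", "")
    conn_props = props.get("connectionProperties", "")
    if "oracle.net.wallet_location=" in conn_props:
        wallet += conn_props.split("oracle.net.wallet_location=", 1)[1]
    if "(METHOD=FILE)" not in wallet.upper():
        findings.append("no file-based oracle.net.wallet_location configured")
    # The thin driver only compares the presented certificate against
    # SSL_SERVER_CERT_DN when this property is true.
    if props.get("oracle.net.ssl_server_dn_match", "").lower() != "true":
        findings.append("oracle.net.ssl_server_dn_match is not true: SSL_SERVER_CERT_DN is not enforced")
    return findings


if __name__ == "__main__":
    for finding in check_datasource_tls(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the real file with check_datasource_tls(open(path).read()) for each DataSource you edited; the cd_storage_conf.xml data source will report the ssl_server_dn_match finding unless you also add that property there.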