Configuring your Content Delivery microservices for TLS v1.2 (Oracle databases)

If you want to use TLS (Transport Layer Security) version 1.2 for all communication between your Content Delivery microservices and your Oracle databases, you need to perform some configuration steps on the database server and in the microservices (database clients).

Procedure

  1. Follow the instructions in the Database Administrator's Guide at https://docs.oracle.com/en/database/oracle/oracle-database/12.2/admin/index.html to configure your database server to work with Oracle Wallet.
  2. Confirm that the directory $ORACLE_HOME\wallet\ exists and contains the following files:
    • cwallet.sso
    • cwallet.sso.lck
    • ewallet.p12
    • ewallet.p12.lck
  3. From the database server, export your Oracle Wallet certificate by running the following command:
    orapki wallet export -wallet "$ORACLE_HOME\wallet" -pwd PASSWORD -dn DN -cert CERTFILENAMEBASE.cert
    where:
    • PASSWORD is your password
    • DN is your Distinguished Name (DN)
    • CERTFILENAMEBASE is the base filename (without extension) you want to give to your exported certificate file.
  4. Access the root location of a microservice that interacts with an Oracle database.
  5. Copy the $ORACLE_HOME\wallet\ directory from your database server to the config\ subdirectory of the root location.
  6. Convert the wallet to the P12 format by running the following commands:
    openssl pkcs12 -in SERVICEROOT\config\wallet\ewallet.p12 -nocerts -out SERVICEROOT\config\keystore\KSNAMEBASE.pem
    openssl pkcs12 -export -in SERVICEROOT\config\CERTFILENAMEBASE.cert -inkey SERVICEROOT\config\keystore\KSNAMEBASE.pem -name CERTFILENAMEBASE -out SERVICEROOT\config\keystore\KSNAMEBASE.p12
    where:
    • SERVICEROOT is the root folder of your microservice
    • KSNAMEBASE is the base filename (without extension) you want to give to your keystore
    • CERTFILENAMEBASE is the base filename (without extension) you just gave to your exported certificate file
  7. Create a new JKS (Java KeyStore) by running the following command:
    keytool -importkeystore -deststorepass DESTPASSWORD -destkeystore SERVICEROOT\config\keystore\DESTKSNAMEBASE.jks -srckeystore SERVICEROOT\config\keystore\KSNAMEBASE.p12 -srcstoretype PKCS12
    where:
    • DESTPASSWORD is the password you want to use to secure your Java KeyStore
    • SERVICEROOT is the root folder of your microservice
    • DESTKSNAMEBASE is the base filename (without extension) you want to give to your Java KeyStore
    • KSNAMEBASE is the base filename (without extension) you just gave to your P12 keystore.
  8. In the config\ subdirectory of your microservice root location, open the file cd_storage_conf.xml for editing.
  9. In the DataSource section, add the following new Property subelements:
    <Property Name="url" Value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=DBSERVERHOST)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=DBSERVICENAME))(SECURITY=(SSL_SERVER_CERT_DN=&quot;DN&quot;)))"/>
    <Property Name="connectionProperties" Value="oracle.net.wallet_location=(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=.\\config\\wallet)))"/>
    where:
    • DBSERVERHOST is the host name of the database server
    • DBSERVICENAME is the name of the database service
    • DN is your Distinguished Name (DN)
  10. Save and close cd_storage_conf.xml.
  11. In deployer-conf.xml, add the same two Property elements listed above to your Oracle database connection properties, and additionally add the following Property element:
    <Property Name="oracle.net.ssl_server_dn_match" Value="true"/>
  12. In deployer-conf.xml, in the State Store Oracle database configuration, add the following Property elements:
    <Property Name="url" Value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=DBSERVERHOST)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=DBSERVICENAME))(SECURITY=(SSL_SERVER_CERT_DN=&quot;DN&quot;)))"/>
    <Property Name="oracle.net.wallet_location" Value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=.\config\wallet)))"/>
  13. In the config\ subdirectory of your microservice root location, open the file application.properties for editing.
  14. Ensure that this file contains the following property-value pairs:
    server.ssl.enabled=true
    server.ssl.key-store=.\\config\\keystore\\DESTKSNAMEBASE.jks
    server.ssl.key-store-password=encrypted:ENCRYPTEDPASSWORD
    server.ssl.key-store-type=JKS
    server.ssl.key-alias=CERTALIAS
    where:
    • DESTKSNAMEBASE is the base filename (without extension) you just gave to your Java KeyStore
    • ENCRYPTEDPASSWORD is your encrypted Java KeyStore password
    • CERTALIAS is your certificate alias.
  15. Save and close application.properties.
  16. Stop or uninstall your microservice.
  17. Restart or reinstall your microservice.
  18. Repeat steps 3-16 for all other microservices that interact with an Oracle database.
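The XML settings in steps 9, 11 and 12 are easy to get subtly wrong: a DataSource left on PROTOCOL=tcp is not TLS protected at all, and one without SSL_SERVER_CERT_DN (or, for the Deployer, without oracle.net.ssl_server_dn_match=true) does not verify which server it is talking to. The following Python check is added here as an example and is not part of the product or of this documentation; it parses a DataSource block and its connect descriptor and reports which of those settings is missing. The DataSource XML, host name, service name and DN in it are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: a DataSource configured as in step 9, and one that was
# never switched over and still speaks plain TCP to the default port 1521.
GOOD_DS = r"""<DataSource>
  <Property Name="url" Value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=dbhost.example)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=cdsvc))(SECURITY=(SSL_SERVER_CERT_DN=&quot;CN=dbhost.example,O=Example&quot;)))"/>
  <Property Name="connectionProperties" Value="oracle.net.wallet_location=(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=.\\config\\wallet)))"/>
</DataSource>"""
BAD_DS = r"""<DataSource><Property Name="url" Value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbhost.example)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=cdsvc)))"/></DataSource>"""


def parse_descriptor(text):
    """Parse a TNS-style '(KEY=value)(KEY=(...))' descriptor into nested dicts (one ADDRESS assumed)."""
    pos = 0

    def parse_group():
        nonlocal pos
        out = {}
        while pos < len(text) and text[pos] == "(":
            eq = text.index("=", pos)
            key = text[pos + 1:eq].strip().upper()
            pos = eq + 1
            if text[pos] == "(":
                out[key] = parse_group()      # nested (KEY=(...)) group
            else:
                end = text.index(")", pos)
                out[key] = text[pos:end].strip().strip('"')  # scalar value, DN quotes dropped
                pos = end
            pos += 1  # consume the ')' closing this pair
        return out
    return parse_group()


def check_datasource_tls(xml_text, require_dn_match=False):
    """Return findings for one DataSource block; [] means it carries the TLS settings
    the procedure adds. require_dn_match=True adds the Deployer-only dn_match rule."""
    props = {p.get("Name"): p.get("Value", "") for p in ET.fromstring(xml_text).iter("Property")}
    m = re.match(r"jdbc:oracle:thin:@(\(.*\))$", props.get("url", ""))
    desc = parse_descriptor(m.group(1)).get("DESCRIPTION", {}) if m else {}
    findings = []
    protocol = desc.get("ADDRESS", {}).get("PROTOCOL", "")
    if protocol.lower() != "tcps":
        findings.append("ADDRESS uses PROTOCOL=%s, not tcps: the session is not TLS protected" % (protocol or "?"))
    if not desc.get("SECURITY", {}).get("SSL_SERVER_CERT_DN"):
        findings.append("no SSL_SERVER_CERT_DN: the server certificate subject is not pinned")
    if "oracle.net.wallet_location" not in props and "oracle.net.wallet_location=" not in props.get("connectionProperties", ""):
        findings.append("no oracle.net.wallet_location: the driver has no trust store for the server certificate")
    if require_dn_match and props.get("oracle.net.ssl_server_dn_match") != "true":
        findings.append("oracle.net.ssl_server_dn_match is not true: DN pinning is not enforced")
    return findings
```

Run it against each DataSource block in cd_storage_conf.xml, and with require_dn_match=True against the Deployer's connection properties, after completing the procedure; an empty result list means the block has every TLS setting the steps above add.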