
(Below content most copied from Clark Gao's WebSphere ssl Connect to Oracle)

Because the Oracle database (TCS) will close the open (clear-text) port 1521 and switch to the secure port 1528, the related configuration of the WebSphere servers (Intra QA and Production) on which the HSI application is deployed needs to be updated.

In general, the change has 2 steps:

1) Import the secure database server's certificate (auto-retrieve from port, or manual import);

2) Update the current JDBC connection: update the connection URL, add a new custom property, and update the user (J2C authentication).


Step 1: Import the certificate of the TCS database server:

1.1 (Auto) Retrieve the certificate from the database host into the WebSphere trust store (this adds the signer/root certificate)

SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port

Host: see table below

Port: see table below

Select SSL configuration for outbound connection:

Select trust store: CellDefaultSSLSettings

Alias: see table below

Retrieve the certificate, then save.

Variables to be used, per environment:

Environment | Host                   | Port | Trust store                                                                    | Alias
WS DEV      | sun06.csd.toronto.ca   | 1528 | CellDefaultSSLSettings (a local machine has no cell, so use NodeDefaultSSLSettings) | wsdev.ssl
QA          | dbqa.csd.toronto.ca    | 1528 | CellDefaultSSLSettings                                                         | csisqa.ssl
PROD        | tcsscan.csd.toronto.ca | 1528 | CellDefaultSSLSettings                                                         | csisprod.ssl

1.2 If retrieving from the port fails, you have to import the certificate manually.


Step 2: Set up JDBC (for the TCS database, the data source should be CSIS)


2.1 Before going to Data sources > CSIS, prepare the certificate file path (2.1.1) and update the database access user name (2.1.2).

For CSIS there may be many resources in different clusters. For the HSI Sync application, the QA nodes are sparta-b1 and noah-b1; the Production nodes are scorpio-a1 and leda-a1. Please check the correct cluster for the nodes.

2.1.1 Find the trust store's physical path (used in the JDBC custom properties setup)

       The file path is needed for the JDBC settings (custom properties setup).

       The trust store file path is normally as follows; please verify it (this is an example):

          /opt/IBM/WebSphere/AppServer/profiles/<server name>/config/cells/<cellname>/trust.p12

e.g.    /opt/IBM/WebSphere/AppServer/profiles/ws9DVDmgr02/config/cells/ws9DVCell02/trust.p12

2.1.2 Update the JDBC DB user name

Global security > JAAS - J2C authentication data > ws9DVCellManager02
            (or, for local DEV, M4XD0166233Node01/CSIS)

Define:

Alias: ws9DVCellManager02/CSIS, or M4XD0166233Node01/CSIS (DEV)

User ID: csisweb, update to hsiusr

Password: no change
(If it needs to be updated:

QA: csisontheweb

PROD: check with the database administrator

)

Here is an example of local DEV:

2.2 Update the current JDBC data source

Go to Resources > JDBC > Data sources > CSIS (below is a local example)

2.2.1 Update the CSIS URL:

URL: replace the current setting with the new content from the table below:

Environment | URL
DEV  | jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=dbdev.csd.toronto.ca)(PORT=1528))(CONNECT_DATA=(SERVICE_NAME=CSISDV)))
QA   | jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=dbqa.csd.toronto.ca)(PORT=1528))(CONNECT_DATA=(SERVICE_NAME=TCSLINKEXT)))
PROD | jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=tcsscan.csd.toronto.ca)(PORT=1528))(CONNECT_DATA=(SERVICE_NAME=TCSLINKEXT)))

Here is a snapshot of local DEV:

2.2.2 Data source - custom properties:

   1) Create a new property for CSIS

       Under Data sources > CSIS, click Custom properties to add a new property:

e.g.


       Navigate to: Data sources > CSIS > Custom properties > New...

        Name: connectionProperties

        Value: see table below

       1. Update the sslTrustStore path (the example here is for WSDEV); see 2.1.1

       2. Update the trustStorePassword; get the password for the trust store from the Admin

        (Be careful: the trustStorePassword must be replaced, and the path of trust.p12 must be updated with the real path; here is an example.)


javax.net.ssl.trustStore is followed by the real path of the cell's trust store;
javax.net.ssl.trustStorePassword is set to the trust store password (the default is WebAS).
Below is an example for server vsun11Dmgr01, cell clqaCell01.

Environment | value
DEV  | oracle.net.ssl_cipher_suites=(SSL_RSA_WITH_AES_256_GCM_SHA384);C=c;D=d; javax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/profiles/ws9DVDmgr02/config/cells/ws9DVCell02/trust.p12;javax.net.ssl.trustStoreType=PKCS12;javax.net.ssl.trustStorePassword=XXXXXX;oracle.net.ssl_version=1.2
QA   | oracle.net.ssl_cipher_suites=(SSL_RSA_WITH_AES_256_GCM_SHA384);C=c;D=d; javax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/profiles/vsun11Dmgr01/config/cells/clqaCell01/trust.p12;javax.net.ssl.trustStoreType=PKCS12;javax.net.ssl.trustStorePassword=WebAS;oracle.net.ssl_version=1.2
PROD | oracle.net.ssl_cipher_suites=(SSL_RSA_WITH_AES_256_GCM_SHA384);C=c;D=d; javax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/profiles/vsun11Dmgr01/config/cells/clqaCell01/trust.p12;javax.net.ssl.trustStoreType=PKCS12;javax.net.ssl.trustStorePassword=WebAS;oracle.net.ssl_version=1.2

   

     2) Check and change property

       Name: enableClientInformation = true       (the default is false)

Here is a snapshot of Local DEV:


Step 3. Verify:

Navigate back to the Data sources > CSIS page and click "Test connection".

    If a message like the one below is displayed, the configuration completed successfully; click "Apply", then "Save", and go back to the Data sources page.

Or, if it displays as below:

If there is no typo in the setup, the issue may be that the cipher is not supported.

For the current Oracle database secure connection, Oracle's SQLNET.ORA must have at least the cipher suite below:

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_GCM_SHA384)
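Before clicking "Test connection", it helps to check the URL (2.2.1) and the connectionProperties value (2.2.2) against what this page requires, including the cipher suite the database's SQLNET.ORA enforces. The checker below is an added example, not part of this page or of WebSphere; the sample URL and properties are constructed in the page's format and do not describe a real environment.

```python
import os
import re

# What this page requires: TCPS on port 1528, TLS 1.2, PKCS12 trust store, the SQLNET.ORA cipher suite.
REQUIRED_CIPHER = "SSL_RSA_WITH_AES_256_GCM_SHA384"

# Constructed sample in the same shape as the page's DEV row (not a real environment).
SAMPLE_URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST= db.example.internal)"
              "(PORT=1528))(CONNECT_DATA=(SERVICE_NAME=CSISDV)))")
SAMPLE_PROPS = ("oracle.net.ssl_cipher_suites=(SSL_RSA_WITH_AES_256_GCM_SHA384);C=c;D=d; "
                "javax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/profiles/dmgr01/config/cells/cell01/trust.p12;"
                "javax.net.ssl.trustStoreType=PKCS12;javax.net.ssl.trustStorePassword=WebAS;oracle.net.ssl_version=1.2")

def parse_descriptor(url):
    """Return the innermost (KEY=value) pairs of a jdbc:oracle:thin:@(DESCRIPTION=...) URL."""
    if not url.startswith("jdbc:oracle:thin:@"):
        raise ValueError("not an Oracle thin JDBC URL")
    return {k.upper(): v.strip() for k, v in re.findall(r"\((\w+)\s*=\s*([^()]+)\)", url)}

def parse_connection_properties(value):
    """Split the ';'-separated connectionProperties value; the cipher suites become a list."""
    props = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            props[k.strip()] = v.strip()
    suites = props.get("oracle.net.ssl_cipher_suites", "").strip("()")
    props["oracle.net.ssl_cipher_suites"] = [s.strip() for s in suites.split(",") if s.strip()]
    return props

def check_datasource(url, conn_props, check_files=False):
    """Return the list of problems found; an empty list means the settings match this page."""
    d, p, problems = parse_descriptor(url), parse_connection_properties(conn_props), []
    if d.get("PROTOCOL", "").lower() != "tcps":
        problems.append("URL must use PROTOCOL=tcps")
    if d.get("PORT") != "1528":
        problems.append("URL must use the secure port 1528")
    if p.get("oracle.net.ssl_version") != "1.2":
        problems.append("oracle.net.ssl_version must be 1.2")
    if p.get("javax.net.ssl.trustStoreType") != "PKCS12":
        problems.append("javax.net.ssl.trustStoreType must be PKCS12")
    store = p.get("javax.net.ssl.trustStore", "")
    if not store.endswith("/trust.p12"):
        problems.append("javax.net.ssl.trustStore must point at the cell's trust.p12")
    elif check_files and not os.path.isfile(store):  # only meaningful when run on the WebSphere host
        problems.append("trust store file not found: " + store)
    if p.get("javax.net.ssl.trustStorePassword", "") in ("", "XXXXXX"):
        problems.append("javax.net.ssl.trustStorePassword is still a placeholder")
    if REQUIRED_CIPHER not in p["oracle.net.ssl_cipher_suites"]:
        problems.append("cipher suite list lacks " + REQUIRED_CIPHER)
    return problems
```

Run it with check_files=True on the deployment manager host to also confirm the trust.p12 path from 2.1.1 exists.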

