HSI WebSphere SSL Connect to Oracle (TCS)
(Most of the content below is copied from Clark Gao's "WebSphere SSL Connect to Oracle".)
Because the Oracle Database (TCS) will close the open port 1521 and switch to the secure port 1528, the related configuration on the WebSphere servers (Intra QA and Production) where the HSI application is deployed needs to be updated.
In general, the change has 2 steps:
1) Import the secure database server's certificate (auto-retrieve from port, or manual import);
2) Update the current JDBC connection: update the connection URL, add a new custom property, and update the user (J2C authentication).
Step 1: Import the certificate of the TCS database server
1.1 (Auto) Retrieve the certificate from the DB host into the WebSphere trust store (adds the signer certificate to the root trust store):
SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port
Host: see table below
Port: see table below
SSL configuration for outbound connection (Select Trust Store): CellDefaultSSLSettings
Alias: see table below
Import the certificate, then save.
Environment | Host | Port | SSL configuration for outbound connection (Select Trust Store) | Alias
---|---|---|---|---
DEV | dbdev.csd.toronto.ca | 1528 | CellDefaultSSLSettings (a local machine has no cell, so use NodeDefaultSSLSettings) | csisdev.ssl
QA | dbqa.csd.toronto.ca | 1528 | CellDefaultSSLSettings | csisqa.ssl
PROD | tcsscan.csd.toronto.ca | 1528 | CellDefaultSSLSettings | csisprod.ssl
1.2 If retrieving from the port fails, you have to import the certificate manually.
Step 2: Set up JDBC (for the TCS database, the data source should be CSIS)
2.1 Before going to Data sources > CSIS, prepare the certificate file path (2.1.1) and update the database access user name (2.1.2).
For CSIS there may be many resources in different clusters. For the HSI Sync application, the QA nodes are sparta-b1 and noah-b1, and the Production nodes are scorpio-a1 and leda-a1. Please check the correct cluster for these nodes.
2.1.1 Find the physical path of the trust store (used for the JDBC custom properties setup in 2.2.2)
The trust store file path is normally as follows; please verify it on the server (this is an example):
/opt/IBM/WebSphere/AppServer/profiles/<server name>/config/cells/<cellname>/trust.p12
e.g. /opt/IBM/WebSphere/AppServer/profiles/ws9DVDmgr02/config/cells/ws9DVCell02/trust.p12
2.1.2 Update the JDBC DB user name
Global security > JAAS - J2C authentication data > ws9DVCellManager02/CSIS (or, for local DEV, M4XD0166233Node01/CSIS)
Define:
Alias: ws9DVCellManager02/CSIS (or M4XD0166233Node01/CSIS for DEV)
User ID: change csisweb to hsiusr
Password: no change (if it needs updating: QA: csisontheweb; PROD: check with the database administrator)
Here is an example of local DEV:
2.2 Update the current JDBC data source
Go to Resources > JDBC > Data sources > CSIS (below is a local example)
2.2.1 Update the CSIS URL:
URL: replace the current setting with the value for the environment in the table below:
Environment | URL
---|---
DEV | jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=dbdev.csd.toronto.ca)(PORT=1528))(CONNECT_DATA=(SERVICE_NAME=CSISDV)))
QA | jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=dbqa.csd.toronto.ca)(PORT=1528))(CONNECT_DATA=(SERVICE_NAME=TCSLINKEXT)))
PROD | jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=tcsscan.csd.toronto.ca)(PORT=1528))(CONNECT_DATA=(SERVICE_NAME=TCSLINKEXT)))
Here is a snapshot of local DEV:
2.2.2 Data source - Custom properties:
1) Create a new property for CSIS
Under Data sources > CSIS, click Custom properties to add a new property:
Navigate to: Data sources > CSIS > Custom properties > New...
name: connectionProperties
value: see table below, with two edits per environment:
- update the javax.net.ssl.trustStore path to the cell's real trust.p12 path found in 2.1.1 (the values below use the WSDEV path as an example);
- update the javax.net.ssl.trustStorePassword; get the trust store password from the Admin.
(Be careful: the trustStorePassword must be replaced, and the path of trust.p12 must be updated to the real path; the values below are examples.)
Environment | value
---|---
DEV | oracle.net.ssl_cipher_suites=(SSL_RSA_WITH_AES_256_GCM_SHA384);C=c;D=d; javax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/profiles/ws9DVDmgr02/config/cells/ws9DVCell02/trust.p12;javax.net.ssl.trustStoreType=PKCS12;javax.net.ssl.trustStorePassword=XXXXXX;oracle.net.ssl_version=1.2
QA | oracle.net.ssl_cipher_suites=(SSL_RSA_WITH_AES_256_GCM_SHA384);C=c;D=d; javax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/profiles/vsun11Dmgr01/config/cells/clqaCell01/trust.p12;javax.net.ssl.trustStoreType=PKCS12;javax.net.ssl.trustStorePassword=WebAS;oracle.net.ssl_version=1.2
PROD | oracle.net.ssl_cipher_suites=(SSL_RSA_WITH_AES_256_GCM_SHA384);C=c;D=d; javax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/profiles/vsun11Dmgr01/config/cells/clqaCell01/trust.p12;javax.net.ssl.trustStoreType=PKCS12;javax.net.ssl.trustStorePassword=WebAS;oracle.net.ssl_version=1.2
2) Check & change property
name: enableClientInformation, value: true (the default is false)
Here is a snapshot of Local DEV:
Step 3. Verify:
Navigate back to the Data sources > CSIS page and click "Test connection".
If a message like the one below is displayed, the configuration completed successfully; click "Apply", then "Save", and go back to the Data sources page.
If instead the result displays as below:
If there is no typo in the setup, the issue may be that the cipher suite is not supported.
For the current Oracle Database secure connection, the Oracle SQLNET.ORA must have at least the cipher suite below:
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_GCM_SHA384)
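As an added example (not part of the original runbook, and not WebSphere or Oracle code), the Python check below parses the CSIS URL and the connectionProperties value in the formats used in Step 2 and reports the typos that make "Test connection" fail before you click it: plain tcp or port 1521, a trust store path still carrying the <cellname> template, a missing PKCS12 type, the XXXXXX password placeholder, a wrong TLS version, a cipher suite list without the SQLNET.ORA suite, or enableClientInformation left at its default. The required values come from the tables above; the check logic, function names and the sample password are this example's own assumptions.

```python
import re

# Required values taken from the runbook tables above; the check logic itself is an added example.
SECURE_PORT = "1528"
REQUIRED_CIPHER = "SSL_RSA_WITH_AES_256_GCM_SHA384"
PASSWORD_PLACEHOLDER = "XXXXXX"

def parse_tns_descriptor(url):
    """Return the leaf (KEY=value) pairs of an Oracle thin TNS-style URL as a dict."""
    return {k.upper(): v.strip() for k, v in re.findall(r"\((\w+)\s*=\s*([^()]*)\)", url)}

def parse_connection_properties(value):
    """Parse the datasource 'connectionProperties' value: 'key=value' pairs separated by ';'."""
    props = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            props[key.strip()] = val.strip()
    return props

def check_datasource(url, connection_properties, enable_client_information):
    """Return a list of problems; an empty list means the settings match the runbook."""
    problems = []
    desc = parse_tns_descriptor(url)
    if not url.startswith("jdbc:oracle:thin:@"):
        problems.append("URL is not an Oracle thin URL")
    if desc.get("PROTOCOL", "").lower() != "tcps":
        problems.append("PROTOCOL must be tcps (plain tcp on 1521 is being closed)")
    if desc.get("PORT") != SECURE_PORT:
        problems.append("PORT must be " + SECURE_PORT)
    if not desc.get("SERVICE_NAME"):
        problems.append("SERVICE_NAME is missing")
    props = parse_connection_properties(connection_properties)
    store = props.get("javax.net.ssl.trustStore", "")
    if not store.endswith("/trust.p12") or "<" in store:
        problems.append("javax.net.ssl.trustStore must be the cell's real trust.p12 path")
    if props.get("javax.net.ssl.trustStoreType") != "PKCS12":
        problems.append("javax.net.ssl.trustStoreType must be PKCS12")
    password = props.get("javax.net.ssl.trustStorePassword", "")
    if not password or password == PASSWORD_PLACEHOLDER:
        problems.append("javax.net.ssl.trustStorePassword is missing or still the placeholder")
    if props.get("oracle.net.ssl_version") != "1.2":
        problems.append("oracle.net.ssl_version must be 1.2")
    suites = [s.strip() for s in props.get("oracle.net.ssl_cipher_suites", "").strip("()").split(",")]
    if REQUIRED_CIPHER not in suites:
        problems.append("oracle.net.ssl_cipher_suites must include " + REQUIRED_CIPHER)
    if not enable_client_information:
        problems.append("enableClientInformation must be true")
    return problems
```

Run it against the exact URL and connectionProperties strings you are about to paste into the console; an empty list means only a wrong password or an unsupported server-side cipher can still make the test fail.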