You can use Oracle Connector to connect to an SSL-enabled Oracle database with Oracle database authentication or Kerberos authentication.
To connect to an SSL-enabled Oracle database, see SSL configuration.
SSL configuration
Before you use a secure Oracle connection with Oracle database authentication or Kerberos authentication to connect to an SSL-enabled Oracle database, the organization administrator must perform the following prerequisite tasks:
1. Create a truststore certificate.
2. Create a keystore certificate. Applicable only when client authentication is enabled in the Oracle database.
Adding the server certificate to the truststore
Add the server certificate to the client's truststore to establish a secure Oracle connection.
Use the following keytool command to add the server certificate to the client's truststore:
keytool -import -trustcacerts -alias ca -file <server certificate with path> -keystore <name of truststore to be generated with extension> -storepass <password for truststore> -storetype <store type>
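To confirm that the import worked, you can compare the SHA-256 fingerprint of the server certificate with the fingerprints stored in the truststore. The following script is an added example, not part of the original documentation. It assumes that keytool prints English output, and the function names and the TRUSTSTORE_PASS environment variable are chosen here for illustration.

```shell
#!/bin/sh
# Added example: confirm that the truststore built with "keytool -import"
# really contains the server certificate, by comparing SHA-256 fingerprints.
# Assumes English keytool output with lines such as "SHA256: AA:BB:...".

# Read keytool output on stdin and print each SHA-256 fingerprint as
# uppercase hex without colons, one per line.
extract_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' |
        tr -d ':' | tr 'abcdef' 'ABCDEF'
}

# Succeed when fingerprint $1 appears as a whole line in the list $2.
# An empty fingerprint never matches, so a failed keytool call is a failure.
fp_in_list() {
    [ -n "$1" ] && printf '%s\n' "$2" | grep -qxF -- "$1"
}

# truststore_has_cert <server certificate> <truststore> <store type>
# The password is read from the TRUSTSTORE_PASS environment variable through
# keytool's ":env" modifier, so it does not appear in the process list.
truststore_has_cert() {
    cert_fp=$(keytool -printcert -file "$1" | extract_sha256 | head -n 1)
    store_fps=$(keytool -list -v -keystore "$2" -storetype "$3" \
        -storepass:env TRUSTSTORE_PASS | extract_sha256)
    fp_in_list "$cert_fp" "$store_fps"
}

# Runs only when three arguments are given, for example:
#   TRUSTSTORE_PASS=... sh check_truststore.sh oratls_server.cert truststore.jks JKS
if [ "$#" -eq 3 ]; then
    if truststore_has_cert "$1" "$2" "$3"; then
        echo "OK: server certificate is present in $2"
    else
        echo "FAIL: server certificate not found in $2" >&2
        exit 1
    fi
fi
```

A mismatch means that the truststore holds a different certificate than the one the server presents, and the SSL handshake will not validate against it.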
For example, suppose that you have a server certificate oratls_server.cert in the following location: C:\SSL\oracle
1. Run the following command to create the truststore truststore.jks with the truststore password “password”:
Create a keystore certificate when client authentication is enabled in the Oracle server. You must create a keystore certificate that contains all the client certificates to establish an Oracle connection.
Perform the following steps to create a keystore certificate:
1. Download and install the Oracle client from the Oracle website.
2. Run the following command to create an Oracle wallet:
orapki wallet create -wallet <Path where wallet is to be created> -auto_login -pwd <wallet password>
3. Run the following command to add a self-signed client certificate to the Oracle wallet:
orapki wallet add -wallet <Path where wallet is to be created> -dn "CN=<common name>, OU=<organization unit>, O=<organization>, L=<locality>, ST=<state>, C=<country>" -keysize <key size in bits> -self_signed -validity <number of days> -pwd <wallet password>
The command runs and creates the pkcs12 certificate at the specified location.
You must specify the values of CN=<common name>, OU=<organization unit>, O=<organization>, L=<locality>, ST=<state>, C=<country>, -keysize <key size in bits>, -self_signed -validity <number of days>, and -pwd <wallet password> from the server certificate.
4. Run the following orapki command to export the self-signed client certificate:
orapki wallet export -wallet <wallet path> -dn "CN=<common name>, OU=<organization unit>, O=<organization>, L=<locality>, ST=<state>, C=<country>" -cert <Name of the exported certificate with path>
The -dn option identifies the client certificate uniquely, because the server wallet contains multiple installed client certificates.
5. Install the self-signed client certificate in the server Oracle wallet.
Note: The client authentication fails if you do not add the self-signed client certificate to the server database Oracle wallet.
6. Add the server certificate as a trusted certificate to the Oracle wallet.
Run the following command to add the server certificate:
orapki wallet add -wallet <wallet path> -trusted_cert -cert <Name of the server certificate with path> -pwd <wallet password>
Note: You must use the same wallet password for all orapki commands.
Example Tasks
Perform the following tasks to create a keystore certificate:
a. Run the following command to create an Oracle wallet: