Enabling TLS connections for an Oracle database

Use this procedure to enable TLS communication with Oracle DSA.

Before you begin

This procedure should be performed after running configImpactSSL.sh to configure Impact connections to use SSL. For more information on configImpactSSL.sh, see Configuring SSL with scripts.

Procedure

The following configuration has been tested with Oracle Server version 18c and version 19c.
  1. Set the Oracle property to use SSL.

    In $IMPACT_HOME/etc/server.props, set the following property:

    impact.connect.oracle.tcps=true
  2. Create the Oracle datasource, using the Impact GUI -> Data Model.

    For example, set the following datasource parameters:

    datasource username = system
    datasource password = {password}
    Connection Options = General Settings
    Connection Method = SID
    Host Name = {oracle hostname}
    Host Port = 2484
    SID = {database SID}
  3. Obtain the Oracle client drivers (or copy the Oracle drivers from the Oracle server to the Impact server). The files are:
    ojdbc8.jar 
    oraclepki.jar 
    osdt_cert.jar 
    osdt_core.jar
    

    Copy the files to the $IMPACT_HOME/lib3p directory.

    Remove ojdbc6-11.2.0.4.jar from the $IMPACT_HOME/lib3p directory.

    Note: For reasons of persistence, when Impact is configured on OCP, you should add any new JAR files to dsalib.

    See Adding JDBC drivers and third-party JAR files to the shared library.

  4. Add the following properties to the Oracle driver properties file, $IMPACT_HOME/etc/NCI_oracle.jdbc.driver.OracleDriver.props:
    oracle.net.encryption_client=REJECTED
    oracle.net.crypto_checksum_client=REQUESTED
    oracle.net.crypto_checksum_types_client=SHA1
    oracle.net.ssl_version=1.2

    See the Oracle documentation for descriptions of the properties.

    See also Configuring the JDBC connection properties for a JDBC driver.

  5. Exchange the certificates between the Impact server and the Oracle server.

    See the Oracle documentation for details about working with certificates.

    See also Enabling SSL connections with external servers.

  6. Copy the files under the wallet directory from the Oracle server to the Impact server. The files are:
    cwallet.sso
    ewallet.p12

    Add the following wallet location to the Oracle driver properties listed in Step 4 (in NCI_oracle.jdbc.driver.OracleDriver.props):

    oracle.net.wallet_location=(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY={wallet_location})))

    For example, if the wallet files are copied to the /opt/IBM/tivoli/impact/wallet directory, then the following wallet location will be added to NCI_oracle.jdbc.driver.OracleDriver.props:

    oracle.net.wallet_location=(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/opt/IBM/tivoli/impact/wallet)))
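
The following shell function is an added example, not part of the product or of the original procedure: it checks that the files changed in steps 1, 3, 4 and 6 are in the state the procedure describes. The function name check_oracle_tls and the world-readable test on the wallet files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not product code): audit the files touched by steps 1, 3, 4 and 6.
# Usage: check_oracle_tls "$IMPACT_HOME"   prints findings, returns 1 if any.
check_oracle_tls() {
    home=$1; bad=0
    drv="$home/etc/NCI_oracle.jdbc.driver.OracleDriver.props"
    fail() { echo "FAIL: $*"; bad=1; }

    # Step 1: TCPS must be switched on in server.props.
    grep -qxF 'impact.connect.oracle.tcps=true' "$home/etc/server.props" 2>/dev/null \
        || fail "impact.connect.oracle.tcps=true missing from server.props"

    # Step 3: new driver JARs present, old ojdbc6 driver removed.
    for jar in ojdbc8.jar oraclepki.jar osdt_cert.jar osdt_core.jar; do
        [ -f "$home/lib3p/$jar" ] || fail "lib3p/$jar not found"
    done
    [ ! -e "$home/lib3p/ojdbc6-11.2.0.4.jar" ] \
        || fail "lib3p/ojdbc6-11.2.0.4.jar still present"

    # Step 4: driver properties exactly as listed in the procedure.
    for prop in oracle.net.encryption_client=REJECTED \
                oracle.net.crypto_checksum_client=REQUESTED \
                oracle.net.crypto_checksum_types_client=SHA1 \
                oracle.net.ssl_version=1.2; do
        grep -qxF "$prop" "$drv" 2>/dev/null || fail "$prop missing from driver props"
    done

    # Step 6: wallet_location must name a directory holding both wallet files.
    wallet=$(sed -n 's/^oracle\.net\.wallet_location=.*(DIRECTORY=\([^)]*\)).*/\1/p' "$drv" 2>/dev/null) || wallet=
    if [ -z "$wallet" ]; then
        fail "oracle.net.wallet_location not set in driver props"
    else
        for f in cwallet.sso ewallet.p12; do
            if [ ! -f "$wallet/$f" ]; then
                fail "$wallet/$f not found"
            # Assumption (not from the page): wallet files should not be world-readable,
            # because cwallet.sso is an auto-login wallet that opens without a password.
            elif [ -n "$(find "$wallet/$f" -perm -004)" ]; then
                fail "$wallet/$f is world-readable"
            fi
        done
    fi
    return "$bad"
}
```

Lines are matched exactly, so trailing whitespace or CRLF line endings in the properties files are reported as missing settings.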