IBM Support

How to establish secure db connection with Oracle

How To


Summary

In IBM® Engineering Lifecycle Management (ELM) environment in order to comply with security policy, you might need to establish a secure database connection with Oracle® Database.

Objective

This article provides instructions on how to establish a secure database connection with Oracle® Database in ELM.

Environment

IBM Engineering Lifecycle Management deployed on IBM WebSphere® Application Server or IBM WebSphere® Liberty

Steps

On the Oracle® Database Server, it is assumed that the database server is properly configured to allow SSL connections and that the DBA has a valid ewallet file ready. By default the ewallet file is created in PKCS12 format; it needs to be converted to JKS format by using the orapki (Oracle® wallet) tool with the pkcs12_to_jks option. The converted file must be copied to the server, or servers, where the IBM Engineering Lifecycle Management applications are installed.
For IBM Engineering Lifecycle Management deployed on IBM WebSphere® Application Server, perform the following:

1. In WebSphere Integrated Solutions Console, navigate to Servers > Server Types > WebSphere application servers, click server1 and then in the Container Settings section, click Session management.  In the Additional Properties section, click Custom properties, click New, and add the following JVM properties and values:
 
name: javax.net.ssl.trustStore, value: x:\path\ewallet.jks
Note:  this location is where the ewallet has been copied on the application server

name: javax.net.ssl.trustStoreType, value: JKS
name: javax.net.ssl.trustStorePassword, value: xxxx
name: oracle.net.ssl_cipher_suites, value: the cipher suite configured on the Oracle server, such as SSL_RSA_WITH_AES_256_CBC_256SHA
name: oracle.net.ssl_client_authentication, value: FALSE
name: oracle.net.ssl_version, value: 1.2
2. In the WebSphere Integrated Solutions Console, navigate to server1 > Process definition > Java Virtual Machine and, under Classpath, add four entries pointing to the following required JDBC JAR files. Be sure to include the fully qualified path name of each file. These files can be downloaded from Oracle®:

ojdbc8.jar
oraclepki.jar
osdt_cert.jar
osdt_core.jar
Note: Depending on the Oracle server installation, you might need only ojdbc8.jar, and not the other three files, to establish an SSL database connection.
Examples:
Windows:
C:\ORA_Driver\ojdbc8.jar
C:\ORA_Driver\oraclepki.jar
C:\ORA_Driver\osdt_cert.jar
C:\ORA_Driver\osdt_core.jar

Linux:
/opt/ORA_Driver/ojdbc8.jar
/opt/ORA_Driver/oraclepki.jar
/opt/ORA_Driver/osdt_cert.jar
/opt/ORA_Driver/osdt_core.jar
3. Update the java.security file and uncomment the following line; doing so allows the use of the AES 256 cipher:
#crypto.policy=unlimited

4. Restart WebSphere Application Server

For IBM Engineering Lifecycle Management deployed on IBM WebSphere® Application Server Liberty, perform the following:

1. Edit the server.startup file under ELMInstall\server, add in the following JVM properties:
Linux:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/path/ewallet.jks"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreType=jks"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=xxxx"
JAVA_OPTS="$JAVA_OPTS -Doracle.net.ssl_cipher_suites=SSL_RSA_WITH_AES_256_CBC_256SHA"
JAVA_OPTS="$JAVA_OPTS -Doracle.net.ssl_client_authentication=FALSE"
JAVA_OPTS="$JAVA_OPTS -Doracle.net.ssl_version=1.2"
Windows:
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=c:\path\ewallet.jks
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStoreType=jks
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=xxxx
set JAVA_OPTS=%JAVA_OPTS% -Doracle.net.ssl_cipher_suites=SSL_RSA_WITH_AES_256_CBC_256SHA
set JAVA_OPTS=%JAVA_OPTS% -Doracle.net.ssl_client_authentication=FALSE
set JAVA_OPTS=%JAVA_OPTS% -Doracle.net.ssl_version=1.2
Note: The cipher suite specified is just an example. Replace it with whichever cipher suite your Oracle server permits. For example, replace "SSL_RSA_WITH_AES_256_CBC_256SHA" with "TLS_RSA_WITH_AES_256_CBC_SHA256" if needed.
2. Set the environment variable ORACLE_JDBC_DRIVER_FILE on the server where ELM is installed, pointing to all of the following required JDBC JAR files. Be sure to include the fully qualified path name of each file:
ojdbc8.jar
oraclepki.jar
osdt_cert.jar (Oracle® JDBC drivers prior to 23c)
osdt_core.jar (Oracle® JDBC drivers prior to 23c)
Note: Depending on the Oracle server installation, you might need only ojdbc8.jar, and not the other three files, to establish an SSL database connection.
Windows:
set ORACLE_JDBC_DRIVER_FILE="C:\ORA_Driver\ojdbc8.jar;C:\ORA_Driver\oraclepki.jar;C:\ORA_Driver\osdt_cert.jar;C:\ORA_Driver\osdt_core.jar"

Linux:
export ORACLE_JDBC_DRIVER_FILE="/opt/ORA_Driver/ojdbc8.jar,/opt/ORA_Driver/oraclepki.jar,/opt/ORA_Driver/osdt_cert.jar,/opt/ORA_Driver/osdt_core.jar"


3. Update the java.security file and uncomment the following line; doing so allows the use of the AES 256 cipher:
#crypto.policy=unlimited
4. Restart WebSphere Application Server Liberty.

For IBM Engineering Lifecycle Management, perform the following:
1. From your web browser, navigate to the following address: https://fully_qualified_hostname:9443/jts/setup

2. On the Configure Database page, provide the following information to set up a secure connection with Oracle® Database:
a. Under the Configure DB vendor and connection section, specify the DB vendor as Oracle and the connection type as JDBC.
b. Under JDBC password, enter the Oracle DB user password.
c. Under JDBC location, enter the database connection string in the following format:
thin:DBUser/{password}@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=xxx.com)(PORT=xxxx))(CONNECT_DATA=(SERVICE_NAME=xxxx)))
d. Click test connection and ensure that the connection is established successfully.

For repotools, make the following changes so that repotools can connect to an Oracle® database over an SSL secure connection:

Find repotools-<app>.bat in the ELMInstall\server directory and edit the file to add the following lines to the DEFINE section:

Linux:
DEFINE="$DEFINE -Djavax.net.ssl.trustStore=/root/ewallet/ewallet.jks"
DEFINE="$DEFINE -Djavax.net.ssl.trustStoreType=jks"
DEFINE="$DEFINE -Djavax.net.ssl.trustStorePassword=xxxx"
DEFINE="$DEFINE -Doracle.net.ssl_cipher_suites=SSL_RSA_WITH_AES_256_CBC_256SHA"
DEFINE="$DEFINE -Doracle.net.ssl_client_authentication=FALSE"
DEFINE="$DEFINE -Doracle.net.ssl_version=1.2"
Windows:
set DEFINE=%DEFINE% "-Djavax.net.ssl.trustStore=c:\pathname\ewallet.jks"
set DEFINE=%DEFINE% "-Djavax.net.ssl.trustStoreType=jks"
set DEFINE=%DEFINE% "-Djavax.net.ssl.trustStorePassword=xxxx"
set DEFINE=%DEFINE% "-Doracle.net.ssl_cipher_suites=SSL_RSA_WITH_AES_256_CBC_256SHA"
set DEFINE=%DEFINE% "-Doracle.net.ssl_client_authentication=FALSE"
set DEFINE=%DEFINE% "-Doracle.net.ssl_version=1.2"
The changes in this section need to be made to the repotools script for each IBM Engineering Lifecycle Management application, such as repotools-jts, repotools-ccm, and so on.

Additional Information

If the database connection fails with "java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_256SHA", it is likely that the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 should be used instead, as the value of -Doracle.net.ssl_cipher_suites in both server.startup and the repotools scripts.
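As an added pre-flight check (example code, not IBM's or Oracle's own), the script below parses the connect descriptor from the "JDBC location" string entered on the setup page and the -D options from a server.startup or repotools DEFINE section, and reports the three mistakes this article touches on: a plain tcp listener address instead of tcps, whitespace around "=" in a -D option (which the shell splits into separate arguments), and the cipher suite name that the JVM rejects. The hostname, port, service name and paths in the sample inputs are constructed placeholders.

```python
import re

# Suite the Additional Information section says the JVM rejects, and the JSSE name it recommends.
REJECTED_SUITE, RECOMMENDED_SUITE = "SSL_RSA_WITH_AES_256_CBC_256SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256"
# -Dkey=value inside a JAVA_OPTS or DEFINE line; group 2 keeps any whitespace around '='.
OPT_RE = re.compile(r"-D([\w.]+)(\s*=\s*)([^\s\"']*)")
# Constructed sample inputs (hostname, port, service name and wallet path are placeholders).
SAMPLE_LOCATION = ("thin:DBUser/{password}@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)"
                   "(HOST=db.example.test)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=elm)))")
SAMPLE_DEFINE = ['DEFINE="$DEFINE -Djavax.net.ssl.trustStore=/root/ewallet/ewallet.jks -Djavax.net.ssl.trustStoreType=jks"',
                 'DEFINE="$DEFINE -Doracle.net.ssl_cipher_suites = SSL_RSA_WITH_AES_256_CBC_256SHA"']


def parse_descriptor(text, pos=0):
    """Parse a TNS connect descriptor '(KEY=VALUE)(KEY=(...))' into nested dicts."""
    result = {}
    while pos < len(text) and text[pos] == "(":
        eq = text.index("=", pos)
        key = text[pos + 1:eq].strip().upper()
        pos = eq + 1
        if text[pos] == "(":                      # nested group: recurse
            value, pos = parse_descriptor(text, pos)
        else:                                     # scalar value up to the closing paren
            close = text.index(")", pos)
            value, pos = text[pos:close].strip(), close
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        result[key] = value
    return result, pos


def check_jdbc_location(location):
    """Findings for the 'JDBC location' string: the listener address must use tcps."""
    descriptor = location[location.rfind("@") + 1:]  # strip the 'thin:user/{password}@' prefix
    tree, _ = parse_descriptor(descriptor)
    protocol = tree.get("DESCRIPTION", {}).get("ADDRESS", {}).get("PROTOCOL", "")
    return [] if protocol.lower() == "tcps" else [f"PROTOCOL is '{protocol or 'missing'}'; a TLS connection needs PROTOCOL=tcps"]


def check_jvm_options(script_lines):
    """Findings for the -D options in server.startup or a repotools DEFINE section."""
    findings, seen = [], {}
    for line in script_lines:
        for key, sep, value in OPT_RE.findall(line):
            seen[key] = value
            if sep != "=":
                findings.append(f"-D{key}: whitespace around '=' splits it into separate arguments")
    if seen.get("javax.net.ssl.trustStoreType", "").upper() != "JKS":
        findings.append("trustStoreType must be JKS (convert the PKCS12 ewallet with orapki pkcs12_to_jks)")
    if seen.get("oracle.net.ssl_cipher_suites") == REJECTED_SUITE:
        findings.append(f"{REJECTED_SUITE} is rejected as unsupported; use {RECOMMENDED_SUITE}")
    return findings
```

Running check_jvm_options(SAMPLE_DEFINE) reports the whitespace problem and the rejected suite; once the DEFINE line is written as -Doracle.net.ssl_cipher_suites=TLS_RSA_WITH_AES_256_CBC_SHA256 it returns no findings.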

Document Location

Worldwide


Document Information

Modified date:
14 March 2024

UID

ibm16468589