Tomcat ssl connection to Oracle

Tomcat ssl connection to Oracle

Will Nordmeyer
I'm trying to configure an SSL Oracle connection. I'm running on
CentOS7 (for my DB Server and my Web Server).

Tomcat 7.0.76-6 from the CentOS Repository, httpd 2.4.6-80 from the
CentOS Repository on the Web Server
Oracle 12.2.0.1 on the Database Server

I'm setting up the datasource in my web.xml - the 1521 port connection
works fine. I changed it to 2484 and added the following parameters
(the javax.net.ssl.trustStore parameters):

        <context-param>
                <param-name>type</param-name>
                <param-value>SIMPLE</param-value>
        </context-param>
        <context-param>
                <param-name>datasource</param-name>
                <param-value>mydatasource</param-value>
        </context-param>
        <context-param>
                <param-name>driver</param-name>
                <param-value>oracle.jdbc.OracleDriver</param-value>
        </context-param>
        <context-param>
                <param-name>url</param-name>
                <!--
                <param-value>jdbc:oracle:thin:@myserver.mydomain.com:1521:mydatasource</param-value>
                -->
                <param-value>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(PORT=2484)(HOST=myserver.mydomain.com))(CONNECT_DATA=(SERVICE_NAME=mydatasource.myserver.mydomain.com)))</param-value>
        </context-param>
        <context-param>
                <param-name>javax.net.ssl.trustStore</param-name>
                <param-value>/usr/share/tomcat/conf/TrustStore.JKS</param-value>
        </context-param>
        <context-param>
                <param-name>javax.net.ssl.trustStoreType</param-name>
                <param-value>JKS</param-value>
        </context-param>
        <context-param>
                <param-name>javax.net.ssl.trustStorePassword</param-name>
                <param-value>mypassword</param-value>
        </context-param>
        <context-param>
                <param-name>username</param-name>
                <param-value>myuser</param-value>
        </context-param>
        <context-param>
                <param-name>mydbpass</param-name>
                <param-value>apso11</param-value>
        </context-param>


It fails with the following error:

May 22 12:12:00 myserver server: Caused by:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target


The TrustStore.JKS is in that directory.

If I move the javax.net.ssl.trustStore parameters to the JAVA_OPTS
line in the startup, then it works.


JAVA_OPTS="-Xms1024m -Xmx2048m
-Djavax.net.ssl.trustStore=/usr/share/tomcat/conf/TrustStore.JKS
-Djavax.net.ssl.trustStoreType=JKS
-Djavax.net.ssl.trustStorePassword=mypassword"

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Tomcat ssl connection to Oracle

Christopher Schultz-2

Will,

On 6/5/18 10:37 AM, Will Nordmeyer wrote:

> I'm trying to configure an SSL Oracle connection.  I'm running on
> CentOS7 (for my DB Server and my Web Server).
>
> Tomcat 7.0.76-6 from the CentOS Repository, httpd 2.4.6-80  from
> the CentOS Repository on the Web Server Oracle 12.2.0.1 on the
> Database Server
>
> I'm setting up the datasource in my web.xml - the 1521 port
> connection works fine.  I change to 2484 and made the other
> following parameters (javax.net.ssl.trustStore parameters):

Tomcat doesn't configure JNDI DataSources in web.xml. What component
are you configuring, here?

> <context-param>
>   <param-name>type</param-name>
>   <param-value>SIMPLE</param-value>
> </context-param>
> <context-param>
>   <param-name>datasource</param-name>
>   <param-value>mydatasource</param-value>
> </context-param>
> <context-param>
>   <param-name>driver</param-name>
>   <param-value>oracle.jdbc.OracleDriver</param-value>
> </context-param>
> <context-param>
>   <param-name>url</param-name>
>   <!-- <param-value>jdbc:oracle:thin:@myserver.mydomain.com:1521:mydatasource</param-value> -->
>   <param-value>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(PORT=2484)(HOST=myserver.mydomain.com))(CONNECT_DATA=(SERVICE_NAME=mydatasource.myserver.mydomain.com)))</param-value>
> </context-param>
> <context-param>
>   <param-name>javax.net.ssl.trustStore</param-name>
>   <param-value>/usr/share/tomcat/conf/TrustStore.JKS</param-value>
> </context-param>
> <context-param>
>   <param-name>javax.net.ssl.trustStoreType</param-name>
>   <param-value>JKS</param-value>
> </context-param>
> <context-param>
>   <param-name>javax.net.ssl.trustStorePassword</param-name>
>   <param-value>mypassword</param-value>
> </context-param>

This looks like you are trying to configure system properties from
within web.xml.

> <context-param>
>   <param-name>username</param-name>
>   <param-value>myuser</param-value>
> </context-param>
> <context-param>
>   <param-name>mydbpass</param-name>
>   <param-value>apso11</param-value>
> </context-param>
>
>
> It fails with the following error:
>
> May 22 12:12:00 myserver server: Caused by:
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target

Your truststore is probably being ignored.

> The TrustStore.JKS is in that directory.
>
> If I move the javax.net.ssl.trustStore parameters to the JAVA_OPTS
> line in the startup, then it works.
>
>
> JAVA_OPTS="-Xms1024m -Xmx2048m
> -Djavax.net.ssl.trustStore=/usr/share/tomcat/conf/TrustStore.JKS
> -Djavax.net.ssl.trustStoreType=JKS
> -Djavax.net.ssl.trustStorePassword=mypassword"

Yes, that's because these are system properties and not
servlet-context init-params, which don't affect system properties.

I'd recommend against setting a JVM-wide trust store. It's cleaner and
safer if you configure each (type of) connection separately.

-chris


Re: Tomcat ssl connection to Oracle

Will Nordmeyer
On Tue, Jun 5, 2018 at 11:07 AM, Christopher Schultz
<[hidden email]> wrote:

> Will,
>
> On 6/5/18 10:37 AM, Will Nordmeyer wrote:
>> I'm trying to configure an SSL Oracle connection.  I'm running on
>> CentOS7 (for my DB Server and my Web Server).
>>
>> Tomcat 7.0.76-6 from the CentOS Repository, httpd 2.4.6-80  from
>> the CentOS Repository on the Web Server Oracle 12.2.0.1 on the
>> Database Server
>>
>> I'm setting up the datasource in my web.xml - the 1521 port
>> connection works fine.  I change to 2484 and made the other
>> following parameters (javax.net.ssl.trustStore parameters):
>
> Tomcat doesn't configure JNDI DataSources in web.xml. What component
> are you configuring, here?
>
My Data Source.  It has worked for years as a 1521 based connection
configured in the web.xml.  I have the entire data source
configuration below.  Configured as 1521 without the additional
parameters of trustStore, trustStoreType & trustStorePassword.

>> <context-param>
>>   <param-name>type</param-name>
>>   <param-value>SIMPLE</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>datasource</param-name>
>>   <param-value>mydatasource</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>driver</param-name>
>>   <param-value>oracle.jdbc.OracleDriver</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>url</param-name>
>>   <!-- <param-value>jdbc:oracle:thin:@myserver.mydomain.com:1521:mydatasource</param-value> -->
>>   <param-value>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(PORT=2484)(HOST=myserver.mydomain.com))(CONNECT_DATA=(SERVICE_NAME=mydatasource.myserver.mydomain.com)))</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>javax.net.ssl.trustStore</param-name>
>>   <param-value>/usr/share/tomcat/conf/TrustStore.JKS</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>javax.net.ssl.trustStoreType</param-name>
>>   <param-value>JKS</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>javax.net.ssl.trustStorePassword</param-name>
>>   <param-value>mypassword</param-value>
>> </context-param>
>
> This looks like you are trying to configure system properties from
> within web.xml.
>
>> <context-param>
>>   <param-name>username</param-name>
>>   <param-value>myuser</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>mydbpass</param-name>
>>   <param-value>apso11</param-value>
>> </context-param>
>>
>>
>> It fails with the following error:
>>
>> May 22 12:12:00 myserver server: Caused by:
>> sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>
> Your truststore is probably being ignored.
>
But why?

>> The TrustStore.JKS is in that directory.
>>
>> If I move the javax.net.ssl.trustStore parameters to the JAVA_OPTS
>> line in the startup, then it works.
>>
>>
>> JAVA_OPTS="-Xms1024m -Xmx2048m
>> -Djavax.net.ssl.trustStore=/usr/share/tomcat/conf/TrustStore.JKS
>> -Djavax.net.ssl.trustStoreType=JKS
>> -Djavax.net.ssl.trustStorePassword=mypassword"
>
> Yes, that's because these are system properties and not
> servlet-context init-params, which don't affect system properties.
>
> I'd recommend against setting a JVM-wide trust store. It's cleaner and
> safer if you configure each (type of) connection separately.
>
> -chris

Chris - that's why I'm here. :)  Why are my parameters, which are set
specifically for the connection, being ignored?  The non-SSL version of
this connection has worked in my web.xml for years.  It doesn't show
up as a data source when I run Probe or other management interfaces,
but it works for the application.


Re: Tomcat ssl connection to Oracle

Christopher Schultz-2

Will,

On 6/5/18 11:14 AM, Will Nordmeyer wrote:
> Chris - that's why I'm here. :)  Why are my parameters, which are
> set specifically for the connection, being ignored?  The non-SSL
> version of this connection has worked in my web.xml for years.  It
> doesn't show up as a data source when I run Probe or other
> management interfaces, but it works for the application.

Whatever configures your DataSource must take those <init-param>
values and use them in a meaningful way.

What code reads those <init-param> values and configures your
DataSource? Go read that code and see whether it cares about the trust
store and other parameters you are trying to send it.

-chris

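One way to do what Chris describes in both replies (read the context-params in your own code and keep the trust store scoped to this one connection rather than JVM-wide), as an added example that is not code from the thread, from Tomcat or from Oracle: a ServletContextListener that takes the same web.xml params and hands the three javax.net.ssl.* values to the Oracle thin driver as connection properties via OracleDataSource.setConnectionProperties, never touching System.setProperty. The listener class name, the `mydatasource` context attribute and the `oracle.net.ssl_server_dn_match` setting are assumptions not present in the thread; it assumes the ojdbc jar is on the webapp's classpath.

```java
import java.sql.SQLException;
import java.util.Properties;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import oracle.jdbc.pool.OracleDataSource;

// Added example (not from the thread): builds the DataSource from the
// web.xml context-params and scopes the trust store to this DataSource only.
public class OracleTlsDataSourceListener implements ServletContextListener {

    // Trust-store keys the Oracle thin driver accepts as *connection* properties
    // (same names as the web.xml params, but never passed to System.setProperty).
    private static final String[] TLS_KEYS = {
        "javax.net.ssl.trustStore",
        "javax.net.ssl.trustStoreType",
        "javax.net.ssl.trustStorePassword"
    };

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        try {
            OracleDataSource ds = new OracleDataSource();
            ds.setURL(ctx.getInitParameter("url"));        // the TCPS connect descriptor
            ds.setUser(ctx.getInitParameter("username"));
            ds.setPassword(ctx.getInitParameter("mydbpass"));
            Properties conn = new Properties();
            for (String key : TLS_KEYS) {
                String value = ctx.getInitParameter(key);
                if (value == null) {
                    // Fail at startup instead of at first query with a PKIX error.
                    throw new IllegalStateException("missing init-param " + key);
                }
                conn.setProperty(key, value);
            }
            // Assumption (not in the thread): also have the driver check the server
            // certificate's identity, so trust is not just "any cert from this CA".
            conn.setProperty("oracle.net.ssl_server_dn_match", "true");
            ds.setConnectionProperties(conn);
            ctx.setAttribute("mydatasource", ds);   // attribute name is an assumption
        } catch (SQLException e) {
            throw new IllegalStateException("cannot build Oracle DataSource", e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        sce.getServletContext().removeAttribute("mydatasource");
    }
}
```

Register the listener with a `<listener>` element in web.xml; because the trust store travels as connection properties, other TLS clients in the same JVM keep their own trust configuration.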