6 Replies Latest reply: Feb 21, 2013 2:29 AM by 796991

    JDBC SSL connection to Oracle

    796991

      Hi All,

      I have been trying to connect to Oracle using a self signed certificate from a simple Java class. I am getting the below error.

      main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
      main, SEND TLSv1 ALERT: fatal, description = handshake_failure

      I have searched many forums but couldn't find any information that helped.
      Below are the steps I have followed as per the documentation in wp-oracle-jdbc-thin-ssl-130128.pdf.

      First Step: Created a self signed certificate and a truststore with the below commands using JDK 1.6.0_16

      Create a Keystore:
      keytool -genkey -keyalg RSA -alias MyKey -keystore keystore.jks -validity 360

      Extracting the public key:
      keytool -export -rfc -alias MyKey -keystore keystore.jks -file public.cert

      Creating the Truststore:
      keytool -import -alias MyKey -file public.cert -storetype JKS -keystore keystore.truststore

      Second Step: Added the following in listener.ora and sqlnet.ora

      listener.ora :

      # listener.ora Network Configuration File: D:\oracle\product\11.2.0\dbhome_1\NETWORK\ADMIN\listener.ora
      # Generated by Oracle configuration tools.

      SID_LIST_LISTENER =
      (SID_LIST =
      (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = D:\oracle\product\11.2.0\dbhome_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:D:\oracle\product\11.2.0\dbhome_1\bin\oraclr11.dll")
      )
      )

      SSL_CLIENT_AUTHENTICATION = FALSE

      LISTENER =
      (DESCRIPTION_LIST =
      (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      )
      (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
      )
      (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))
      )
      )

      ADR_BASE_LISTENER = D:\oracle

      WALLET_LOCATION =
      (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA =
      (DIRECTORY = E:\misc\Secure-jdbc\OracleCertificates)
      )
      )

      sqlnet.ora :

      # sqlnet.ora Network Configuration File: D:\oracle\product\11.2.0\dbhome_1\NETWORK\ADMIN\sqlnet.ora
      # Generated by Oracle configuration tools.

      ENCRYPTION_WALLET_LOCATION =
      (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA =
      (DIRECTORY = E:\misc\Secure-jdbc\OracleCertificates)
      )
      )

      # This file is actually generated by netca. But if customers choose to
      # install "Software Only", this file wont exist and without the native
      # authentication, they will not be able to connect to the database on NT.

      SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)

      NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

      SSL_CLIENT_AUTHENTICATION = FALSE

      WALLET_LOCATION =
      (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA =
      (DIRECTORY = E:\misc\Secure-jdbc\OracleCertificates)
      )
      )

      ADR_BASE = D:\oracle\product\11.2.0\dbhome_1\log

      Third Step: Created an empty auto logon wallet and added the above created certificate as a Trusted Certificate. (Imported the .cert file into the Trusted Certificates section in Wallet Manager)

      Fourth Step: Used the below Java code to connect to the database using the truststore

      import java.sql.Connection;
      import java.sql.DriverManager;
      import java.util.Properties;

      public class SecureJDBC {
          public static void main(String[] args) {
              try {
                  Class.forName("oracle.jdbc.driver.OracleDriver");
                  // TCPS endpoint and service name matching the listener.ora above
                  String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))"
                             + "(CONNECT_DATA=(SERVICE_NAME=ORCL11)))";
                  Properties props = new Properties();
                  props.setProperty("user", "system");
                  props.setProperty("password", "oracle");
                  // trust store holding the self-signed certificate exported with keytool
                  props.setProperty("javax.net.ssl.trustStore", "E:\\misc\\Secure-jdbc\\Keys and Certificates\\keystore.truststore");
                  props.setProperty("javax.net.ssl.trustStoreType", "JKS");
                  props.setProperty("javax.net.ssl.trustStorePassword", "sudhir123#");
                  Connection conn = DriverManager.getConnection(url, props);
                  System.out.println("conn:" + conn);
                  conn.close();
              } catch (Exception e) {
                  e.printStackTrace();
              }
          }
      }

      Any help would be appreciated.

      Thanks.

      Edited by: user10569290 on 20-Feb-2013 22:02
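Before touching the client, a reviewer would check the server-side files in the post for the basics: a TCPS endpoint actually exists, listener.ora and sqlnet.ora point at the same wallet, and client-certificate authentication is off unless the JDBC client also carries a key store. The following is an added example, not code from this thread or from Oracle: a small Python parser for Oracle Net's parenthesised parameter format plus a check routine. The two file bodies are trimmed copies of the listener.ora and sqlnet.ora posted above (SID_LIST and ADR_BASE entries dropped, paths kept as posted); the check rules and the assumption that a missing SSL_CLIENT_AUTHENTICATION means Oracle's documented default of TRUE are mine.

```python
import re

# Constructed sample input: trimmed copies of the listener.ora and sqlnet.ora
# posted above (SID_LIST and ADR_BASE dropped, wallet paths kept as posted).
LISTENER_ORA = r"""
# listener.ora Network Configuration File
SSL_CLIENT_AUTHENTICATION = FALSE
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484)))
  )
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = E:\misc\Secure-jdbc\OracleCertificates)))
"""
SQLNET_ORA = r"""
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = E:\misc\Secure-jdbc\OracleCertificates)))
"""

# quoted string | ( | ) | = | bare word (paths, hosts, numbers; no spaces inside)
TOKEN = re.compile(r'"[^"]*"|\(|\)|=|[^()=\s]+')


class Node:
    """One NAME = ... parameter; values are scalars (str) or nested Nodes."""
    def __init__(self, name, values):
        self.name, self.values = name, values

    def scalar(self):
        return next((v for v in self.values if isinstance(v, str)), None)

    def walk(self):
        yield self
        for v in self.values:
            if isinstance(v, Node):
                yield from v.walk()


def parse(text):
    """Parse an Oracle Net parameter file into a list of top-level Nodes."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    toks = TOKEN.findall(body)
    i = 0

    def peek(k=0):
        return toks[i + k] if i + k < len(toks) else None

    def values(closer):            # scalars and (groups) up to the closing paren
        nonlocal i
        out = []
        while peek() not in (None, closer):
            if peek() == "(":
                out.extend(group())
            else:
                out.append(toks[i].rstrip(","))   # "(BEQ, TCPS, NTS)" style lists
                i += 1
        return out

    def group():                   # "(NAME = ...)" or a bare list "(A, B, C)"
        nonlocal i
        i += 1                     # consume "("
        if peek(1) == "=":
            name = toks[i]
            i += 2
            vals = values(")")
            i += 1                 # consume ")"
            return [Node(name, vals)]
        vals = values(")")
        i += 1
        return vals

    params = []
    while peek() is not None:
        name = toks[i]
        i += 1
        if peek() != "=":
            raise ValueError(f"expected '=' after {name!r}")
        i += 1
        if peek() == "(":
            vals = []
            while peek() == "(":   # several groups may follow one NAME =
                vals.extend(group())
        else:
            vals = [toks[i]]       # single bare scalar such as FALSE or D:\oracle
            i += 1
        params.append(Node(name, vals))
    return params


def tcps_endpoints(params):
    """(host, port) of every ADDRESS with PROTOCOL=TCPS anywhere in the file."""
    found = []
    for top in params:
        for n in top.walk():
            if n.name == "ADDRESS":
                a = {c.name.upper(): c.scalar() for c in n.values if isinstance(c, Node)}
                if (a.get("PROTOCOL") or "").upper() == "TCPS":
                    found.append((a.get("HOST"), int(a["PORT"])))
    return found


def wallet_dir(params):
    """DIRECTORY under WALLET_LOCATION, or None if no wallet is configured."""
    for top in params:
        if top.name == "WALLET_LOCATION":
            return next((n.scalar() for n in top.walk() if n.name == "DIRECTORY"), None)
    return None


def top_scalar(params, name, default=None):
    return next((p.scalar() for p in params if p.name == name), default)


def check_tcps_setup(listener_text, sqlnet_text, client_has_keystore=False):
    """Server-side sanity checks to run before changing the JDBC client."""
    lst, net = parse(listener_text), parse(sqlnet_text)
    findings = []
    if not tcps_endpoints(lst):
        findings.append("listener.ora: no TCPS ADDRESS, nothing listens for TLS")
    wl, wn = wallet_dir(lst), wallet_dir(net)
    if wl is None:
        findings.append("listener.ora: no WALLET_LOCATION, the listener has no wallet "
                        "to take a server certificate from")
    elif wn is not None and wl.lower() != wn.lower():
        findings.append(f"wallet directory differs: listener.ora={wl} sqlnet.ora={wn}")
    for label, params in (("listener.ora", lst), ("sqlnet.ora", net)):
        # assumption: an absent SSL_CLIENT_AUTHENTICATION means Oracle's default, TRUE
        flag = top_scalar(params, "SSL_CLIENT_AUTHENTICATION", "TRUE").upper()
        if flag != "FALSE" and not client_has_keystore:
            findings.append(f"{label}: SSL_CLIENT_AUTHENTICATION={flag} asks for a client "
                            "certificate, but the JDBC client only has a trust store "
                            "(it would also need javax.net.ssl.keyStore)")
    return findings


if __name__ == "__main__":
    print(tcps_endpoints(parse(LISTENER_ORA)))
    print(check_tcps_setup(LISTENER_ORA, SQLNET_ORA) or "no findings")
```

On the posted files the check returns no findings: a TCPS address on 2484, the same wallet directory in both files, and client authentication disabled. The parser deliberately keeps repeated keys (several DESCRIPTION and ADDRESS entries) as a list rather than a dict, because a listener with two endpoints would otherwise silently lose one; it does not handle unquoted scalars containing spaces, which the posted files do not use.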

        • 1. Re: JDBC SSL connection to Oracle
          rp0428
          You need to edit your post and use the code tag on the line before and the line after any code you post to preserve formatting.

          Your code is unreadable otherwise since it appears to have numerous syntax errors and there is no way to tell if these really exist.
          props.setProperty("javax.net.ssl.trustStore","E:\\misc
          Secure-jdbc
          Keys and Certificates
          keystore.truststore");
          That is an invalid string since it spans multiple lines.
          • 2. Re: JDBC SSL connection to Oracle
            796991
            Thanks, I have added the code tags for better readability. I accept my ignorance.
            • 3. Re: JDBC SSL connection to Oracle
              EJP
              Please run your client with -Djavax.net.debug=ssl,handshake and post the output here.
              • 4. Re: JDBC SSL connection to Oracle
                796991
                adding as trusted cert:
                Subject: CN=Sudhir Reddy, OU=FCDMS, O=3i, L=Hyd, ST=AP, C=IN
                Issuer: CN=Sudhir Reddy, OU=FCDMS, O=3i, L=Hyd, ST=AP, C=IN
                Algorithm: RSA; Serial number: 0x511e1ebc
                Valid from Fri Feb 15 17:10:44 GMT+05:30 2013 until Mon Feb 10 17:10:44 GMT+05:30 2014

                trigger seeding of SecureRandom
                done seeding SecureRandom
                %% No cached client session
                *** ClientHello, TLSv1
                RandomCookie: GMT: 1361364877 bytes = { 87, 208, 141, 28, 28, 175, 238, 6, 45, 247, 78, 95, 116, 154, 7, 215, 31, 111, 206, 155, 199, 131, 83, 159, 39, 217, 7, 13 }
                Session ID: {}
                Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
                Compression Methods: { 0 }
                ***
                main, WRITE: TLSv1 Handshake, length = 73
                main, WRITE: SSLv2 client hello message, length = 98
                main, received EOFException: error
                main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
                main, SEND TLSv1 ALERT: fatal, description = handshake_failure
                main, WRITE: TLSv1 Alert, length = 2
                main, called closeSocket()
                main, called close()
                main, called closeInternal(true)
                java.sql.SQLRecoverableException: IO Error: Remote host closed connection during handshake
                     at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:466)
                     at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:535)
                     at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:218)
                     at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:29)
                     at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:528)
                     at java.sql.DriverManager.getConnection(DriverManager.java:582)
                     at java.sql.DriverManager.getConnection(DriverManager.java:154)
                     at SecureJDBC.getSecureConnection(SecureJDBC.java:45)
                     at SecureJDBC.main(SecureJDBC.java:15)
                Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
                     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
                     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
                     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
                     at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
                     at oracle.net.ns.Packet.send(Packet.java:421)
                     at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:170)
                     at oracle.net.ns.NSProtocol.connect(NSProtocol.java:302)
                     at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1407)
                     at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:328)
                     ... 8 more
                Caused by: java.io.EOFException: SSL peer shut down incorrectly
                     at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
                     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
                     ... 16 more
                • 5. Re: JDBC SSL connection to Oracle
                  EJP
                  Set the javax.ssl.* properties as System properties, not in the connection properties.
                  • 6. Re: JDBC SSL connection to Oracle
                    796991
                    Hi EJP,

                    Please find the below code changes I have done to set the properties as part of System properties instead of Connection properties. I am still getting the same error.

                    Code:
                     import java.sql.Connection;
                     import java.sql.DriverManager;
                     import java.util.Properties;

                     public class SecureJDBC {
                         public static void main(String[] args) throws Exception {
                             Class.forName("oracle.jdbc.driver.OracleDriver");
                             String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))"
                                        + "(CONNECT_DATA=(SERVICE_NAME=ORCL11)))";

                             // trust-store settings moved from connection properties to JVM-wide System properties
                             System.setProperty("javax.net.ssl.trustStore", "E:\\misc\\Secure-jdbc\\Keys and Certificates\\keystore.truststore");
                             System.setProperty("javax.net.ssl.trustStoreType", "JKS");
                             System.setProperty("javax.net.ssl.trustStorePassword", "sudhir123#");

                             Properties props = new Properties();
                             props.setProperty("user", "system");
                             props.setProperty("password", "oracle");
                             /* previously passed as connection properties:
                             props.setProperty("javax.net.ssl.trustStore", "E:\\misc\\Secure-jdbc\\Keys and Certificates\\keystore.truststore");
                             props.setProperty("javax.net.ssl.trustStoreType", "JKS");
                             props.setProperty("javax.net.ssl.trustStorePassword", "sudhir123#");
                             */

                             Connection conn = DriverManager.getConnection(url, props);
                             System.out.println("conn:" + conn);
                             conn.close();
                         }
                     }
                     Please find the below output with the SSL debug enabled.

                    adding as trusted cert:
                    Subject: CN=Sudhir Reddy, OU=FCDMS, O=3i, L=Hyd, ST=AP, C=IN
                    Issuer: CN=Sudhir Reddy, OU=FCDMS, O=3i, L=Hyd, ST=AP, C=IN
                    Algorithm: RSA; Serial number: 0x511e1ebc
                    Valid from Fri Feb 15 17:10:44 GMT+05:30 2013 until Mon Feb 10 17:10:44 GMT+05:30 2014

                    trigger seeding of SecureRandom
                    done seeding SecureRandom
                    %% No cached client session
                    *** ClientHello, TLSv1
                    RandomCookie: GMT: 1361369602 bytes = { 14, 223, 155, 241, 143, 72, 188, 240, 205, 158, 201, 133, 217, 192, 95, 82, 61, 244, 93, 100, 12, 9, 232, 164, 116, 206, 30, 142 }
                    Session ID: {}
                    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
                    Compression Methods: { 0 }
                    ***
                    main, WRITE: TLSv1 Handshake, length = 73
                    main, WRITE: SSLv2 client hello message, length = 98
                    main, received EOFException: error
                    main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
                    main, SEND TLSv1 ALERT: fatal, description = handshake_failure
                    main, WRITE: TLSv1 Alert, length = 2
                    main, called closeSocket()
                    main, called close()
                    main, called closeInternal(true)
                    java.sql.SQLRecoverableException: IO Error: Remote host closed connection during handshake
                         at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:466)
                         at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:535)
                         at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:218)
                         at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:29)
                         at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:528)
                         at java.sql.DriverManager.getConnection(DriverManager.java:582)
                         at java.sql.DriverManager.getConnection(DriverManager.java:154)
                         at SecureJDBC.getSecureConnection(SecureJDBC.java:52)
                         at SecureJDBC.main(SecureJDBC.java:15)
                    Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
                         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
                         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
                         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
                         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
                         at oracle.net.ns.Packet.send(Packet.java:421)
                         at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:170)
                         at oracle.net.ns.NSProtocol.connect(NSProtocol.java:302)
                         at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1407)
                         at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:328)
                         ... 8 more
                    Caused by: java.io.EOFException: SSL peer shut down incorrectly
                         at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
                         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
                         ... 16 more
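The two debug dumps in replies 4 and 6 have the same shape, and the shape is the diagnostic: the trace records which trusted certificates the client loaded, that the ClientHello went out (including the SSLv2-compatible copy JSSE 1.6 writes when SSLv2Hello is enabled), and then an EOF with no ServerHello in between. The following is an added example, mine rather than anything from the thread, in Python: a classifier for `-Djavax.net.debug=ssl,handshake` output that extracts those facts and reports how far the handshake got before the connection died. The sample trace is a trimmed copy of the posted output (cipher-suite list and Java stack trace dropped); the stage names, the marker strings it looks for and the interpretation text are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a trimmed copy of the -Djavax.net.debug=ssl,handshake
# output posted above (cipher-suite list and stack trace dropped).
SAMPLE_TRACE = """\
adding as trusted cert:
Subject: CN=Sudhir Reddy, OU=FCDMS, O=3i, L=Hyd, ST=AP, C=IN
Issuer: CN=Sudhir Reddy, OU=FCDMS, O=3i, L=Hyd, ST=AP, C=IN
Algorithm: RSA; Serial number: 0x511e1ebc
Valid from Fri Feb 15 17:10:44 GMT+05:30 2013 until Mon Feb 10 17:10:44 GMT+05:30 2014

%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1361364877 bytes = { 87, 208, 141, 28 }
Session ID: {}
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT: fatal, description = handshake_failure
"""

CERT_RE = re.compile(r"adding as trusted cert:\nSubject: (?P<subject>.*)\nIssuer: (?P<issuer>.*)\n"
                     r".*\nValid from (?P<nb>.*?) until (?P<na>.*)")
STAMP_RE = re.compile(r"(\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d) GMT([+-])(\d\d):(\d\d) (\d{4})")

# Stage names and interpretations are this example's own, not JSSE's.
STAGES = {
    "before_server_hello": "peer closed the socket on the ClientHello; no ServerHello or server "
                           "certificate arrived, so the client trust store was never consulted",
    "server_cert_rejected": "server certificate received but not trusted; check the trust store",
    "after_server_hello": "peer closed after ServerHello; look at the later handshake messages",
    "completed_or_unknown": "no failure pattern recognised in this trace",
}


def parse_stamp(text):
    """'Fri Feb 15 17:10:44 GMT+05:30 2013' -> aware datetime (JSSE prints local time)."""
    m = STAMP_RE.fullmatch(text.strip())
    naive = datetime.strptime(f"{m.group(1)} {m.group(5)}", "%a %b %d %H:%M:%S %Y")
    offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4)))
    if m.group(2) == "-":
        offset = -offset
    return naive.replace(tzinfo=timezone(offset))


def trusted_certs(trace):
    """Every certificate JSSE reported loading from the trust store."""
    return [{
        "subject": m["subject"], "issuer": m["issuer"],
        "self_signed": m["subject"] == m["issuer"],
        "not_before": parse_stamp(m["nb"]), "not_after": parse_stamp(m["na"]),
    } for m in CERT_RE.finditer(trace)]


def classify(trace):
    """Record what the client loaded and sent, and how far the handshake got."""
    def seen(marker):
        return any(marker in line for line in trace.splitlines())

    gmt = re.search(r"RandomCookie: GMT: (\d+)", trace)   # gmt_unix_time of the ClientHello
    when = datetime.fromtimestamp(int(gmt.group(1)), tz=timezone.utc) if gmt else None
    certs = trusted_certs(trace)
    result = {
        "handshake_time": when,
        "trusted_certs": certs,
        "certs_valid_at_handshake": (all(c["not_before"] <= when <= c["not_after"] for c in certs)
                                     if when and certs else None),
        "sslv2_hello_format": seen("SSLv2 client hello message"),
        "server_hello_seen": seen("*** ServerHello"),
        "server_cert_seen": seen("*** Certificate chain"),
        "peer_closed": seen("Remote host closed connection") or seen("received EOFException"),
        "trust_failure": seen("unable to find valid certification path") or seen("PKIX"),
    }
    if result["trust_failure"]:
        result["stage"] = "server_cert_rejected"
    elif result["peer_closed"] and not result["server_hello_seen"]:
        result["stage"] = "before_server_hello"
    elif result["peer_closed"]:
        result["stage"] = "after_server_hello"
    else:
        result["stage"] = "completed_or_unknown"
    result["explanation"] = STAGES[result["stage"]]
    return result


if __name__ == "__main__":
    r = classify(SAMPLE_TRACE)
    print(r["stage"], "-", r["explanation"])
    print("trusted certs:", len(r["trusted_certs"]), "valid at handshake:", r["certs_valid_at_handshake"])
```

On the posted trace it reports `before_server_hello`: the one trusted certificate is self-signed and inside its validity window at the time of the handshake, the ClientHello was written (in both TLSv1 and SSLv2-compatible form), and the listener then closed the socket without ever sending a ServerHello or a certificate. At that stage the client trust store has not been consulted, so moving the `javax.net.ssl.*` settings between connection and System properties cannot change the outcome; the only client-side input the server has seen is the ClientHello itself (protocol version, hello format, cipher suites), and everything else to check is on the server side: the listener's own trace, what the wallet actually contains, and which protocols and ciphers the listener accepts.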