6 Replies. Latest reply: Feb 21, 2013 12:29 AM by 796991

JDBC SSL connection to Oracle

796991 Newbie
Hi All,

I have been trying to connect to Oracle using a self signed certificate from a simple Java class. I am getting the below error.

main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT: fatal, description = handshake_failure

I have searched many forums but couldn't find any information that helped.
Below are the steps I have followed as per the documentation in wp-oracle-jdbc-thin-ssl-130128.pdf.

First Step: Created a self signed certificate and a truststore with the below commands using JDK 1.6.0_16

Create a Keystore:
keytool -genkey -keyalg RSA -alias MyKey -keystore keystore.jks -validity 360

Extracting the public key:
keytool -export -rfc -alias MyKey -keystore keystore.jks -file public.cert

Creating the Truststore:
keytool -import -alias MyKey -file public.cert -storetype JKS -keystore keystore.truststore

Second Step: Added the following in listener.ora and sqlnet.ora

listener.ora:

# listener.ora Network Configuration File: D:\oracle\product\11.2.0\dbhome_1\NETWORK\ADMIN\listener.ora
# Generated by Oracle configuration tools.

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = D:\oracle\product\11.2.0\dbhome_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:D:\oracle\product\11.2.0\dbhome_1\bin\oraclr11.dll")
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 2484))
    )
  )

ADR_BASE_LISTENER = D:\oracle

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = E:\misc\Secure-jdbc\OracleCertificates)
    )
  )

sqlnet.ora:

# sqlnet.ora Network Configuration File: D:\oracle\product\11.2.0\dbhome_1\NETWORK\ADMIN\sqlnet.ora
# Generated by Oracle configuration tools.

ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = E:\misc\Secure-jdbc\OracleCertificates)
    )
  )

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = E:\misc\Secure-jdbc\OracleCertificates)
    )
  )

ADR_BASE = D:\oracle\product\11.2.0\dbhome_1\log

Third Step: Created an empty auto logon wallet and added the above created certificate as a Trusted Certificate. (Imported the .cert file into the Trusted Certificates section in Wallet Manager)

Fourth Step: Used the below Java code to connect to the database using the truststore

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.util.Properties;

    public class SecureJDBC
    {
        public static void main(String[] args)
        {
            try
            {
                Class.forName("oracle.jdbc.driver.OracleDriver");
                // TCPS endpoint defined in listener.ora (port 2484)
                String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORCL11)))";
                Properties props = new Properties();
                props.setProperty("user", "system");
                props.setProperty("password", "oracle");
                // Truststore created with keytool in the first step
                props.setProperty("javax.net.ssl.trustStore", "E:\\misc\\Secure-jdbc\\Keys and Certificates\\keystore.truststore");
                props.setProperty("javax.net.ssl.trustStoreType", "JKS");
                props.setProperty("javax.net.ssl.trustStorePassword", "sudhir123#");
                Connection conn = DriverManager.getConnection(url, props);
                System.out.println("conn:" + conn);
                conn.close();
            }
            catch (Exception e)
            {
                e.printStackTrace();
            }
        }
    }

Any help would be appreciated.

Thanks.

Edited by: user10569290 on 20-Feb-2013 22:02
  • 1. Re: JDBC SSL connection to Oracle
    rp0428 Guru
    You need to edit your post and use \
     on the line before and the line after any code you post to preserve formatting.
    
    Your code is unreadable otherwise since it appears to have numerous syntax errors and there is no way to tell if these really exist.
    props.setProperty("javax.net.ssl.trustStore","E:\\misc
    Secure-jdbc
    Keys and Certificates
    keystore.truststore");
    That is an invalid string since it spans multiple lines.
  • 2. Re: JDBC SSL connection to Oracle
    796991 Newbie
    Thanks, I have added the
     for better readability. I accept my ignorance.
  • 3. Re: JDBC SSL connection to Oracle
    EJP Guru
    Please run your client with -Djavax.net.debug=ssl,handshake and post the output here.
  • 4. Re: JDBC SSL connection to Oracle
    796991 Newbie
    adding as trusted cert:
    Subject: CN=Sudhir Reddy, OU=FCDMS, O=3i, L=Hyd, ST=AP, C=IN
    Issuer: CN=Sudhir Reddy, OU=FCDMS, O=3i, L=Hyd, ST=AP, C=IN
    Algorithm: RSA; Serial number: 0x511e1ebc
    Valid from Fri Feb 15 17:10:44 GMT+05:30 2013 until Mon Feb 10 17:10:44 GMT+05:30 2014

    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1361364877 bytes = { 87, 208, 141, 28, 28, 175, 238, 6, 45, 247, 78, 95, 116, 154, 7, 215, 31, 111, 206, 155, 199, 131, 83, 159, 39, 217, 7, 13 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    ***
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, received EOFException: error
    main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    main, SEND TLSv1 ALERT: fatal, description = handshake_failure
    main, WRITE: TLSv1 Alert, length = 2
    main, called closeSocket()
    main, called close()
    main, called closeInternal(true)
    java.sql.SQLRecoverableException: IO Error: Remote host closed connection during handshake
         at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:466)
         at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:535)
         at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:218)
         at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:29)
         at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:528)
         at java.sql.DriverManager.getConnection(DriverManager.java:582)
         at java.sql.DriverManager.getConnection(DriverManager.java:154)
         at SecureJDBC.getSecureConnection(SecureJDBC.java:45)
         at SecureJDBC.main(SecureJDBC.java:15)
    Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         at oracle.net.ns.Packet.send(Packet.java:421)
         at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:170)
         at oracle.net.ns.NSProtocol.connect(NSProtocol.java:302)
         at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1407)
         at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:328)
         ... 8 more
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
         at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
         ... 16 more
  • 5. Re: JDBC SSL connection to Oracle
    EJP Guru
    Set the javax.ssl.* properties as System properties, not in the connection properties.
  • 6. Re: JDBC SSL connection to Oracle
    796991 Newbie
    Hi EJP,

    Please find the below code changes I have done to set the properties as part of System properties instead of Connection properties. I am still getting the same error.

    Code:
        Class.forName("oracle.jdbc.driver.OracleDriver");
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORCL11)))";

        Properties systemProps = System.getProperties();
        systemProps.put("javax.net.ssl.trustStore","E:\\misc\\Secure-jdbc\\Keys and Certificates\\keystore.truststore");
        systemProps.put("javax.net.ssl.trustStoreType","JKS");
        systemProps.put("javax.net.ssl.trustStorePassword","sudhir123#");
        System.setProperties(systemProps);

        Properties props = new Properties();
        props.setProperty("user", "system");
        props.setProperty("password", "oracle");
        /*props.setProperty("javax.net.ssl.trustStore","E:\\misc\\Secure-jdbc\\Keys and Certificates\\keystore.truststore");
        props.setProperty("javax.net.ssl.trustStoreType","JKS");
        props.setProperty("javax.net.ssl.trustStorePassword","sudhir123#");
        */

        Connection conn=DriverManager.getConnection(url,props);

        System.out.println("conn:"+conn);
        conn.close();

    Please find the below output with the SSL debug enabled.



    adding as trusted cert:
    Subject: CN=Sudhir Reddy, OU=FCDMS, O=3i, L=Hyd, ST=AP, C=IN
    Issuer: CN=Sudhir Reddy, OU=FCDMS, O=3i, L=Hyd, ST=AP, C=IN
    Algorithm: RSA; Serial number: 0x511e1ebc
    Valid from Fri Feb 15 17:10:44 GMT+05:30 2013 until Mon Feb 10 17:10:44 GMT+05:30 2014

    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1361369602 bytes = { 14, 223, 155, 241, 143, 72, 188, 240, 205, 158, 201, 133, 217, 192, 95, 82, 61, 244, 93, 100, 12, 9, 232, 164, 116, 206, 30, 142 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    ***
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, received EOFException: error
    main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    main, SEND TLSv1 ALERT: fatal, description = handshake_failure
    main, WRITE: TLSv1 Alert, length = 2
    main, called closeSocket()
    main, called close()
    main, called closeInternal(true)
    java.sql.SQLRecoverableException: IO Error: Remote host closed connection during handshake
         at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:466)
         at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:535)
         at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:218)
         at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:29)
         at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:528)
         at java.sql.DriverManager.getConnection(DriverManager.java:582)
         at java.sql.DriverManager.getConnection(DriverManager.java:154)
         at SecureJDBC.getSecureConnection(SecureJDBC.java:52)
         at SecureJDBC.main(SecureJDBC.java:15)
    Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         at oracle.net.ns.Packet.send(Packet.java:421)
         at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:170)
         at oracle.net.ns.NSProtocol.connect(NSProtocol.java:302)
         at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1407)
         at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:328)
         ... 8 more
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
         at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
         ... 16 more
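
Added example (not part of the thread, and not code from any poster or from Oracle): a small Python triage over javax.net.debug output that reports how far the handshake got and which side to inspect first. SAMPLE_TRACE is constructed from key lines of the trace posted above; the function name triage and its result keys are hypothetical.

```python
import re

# Constructed sample: key lines of the javax.net.debug trace posted in this thread.
SAMPLE_TRACE = """\
*** ClientHello, TLSv1
***
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT: fatal, description = handshake_failure
"""

# Banners JSSE prints for handshake messages only the server sends (client auth off).
SERVER_MESSAGES = ("ServerHello", "Certificate chain", "ServerHelloDone")
BANNER = re.compile(r"^[ \t]*\*\*\* ([A-Za-z]+(?: chain)?)", re.M)
ALERT = re.compile(r"(SEND|RECV) \S+ ALERT:\s*(\w+), (?:description = )?(\w+)")


def triage(trace):
    """Report how far the handshake got and which side to investigate first."""
    banners = BANNER.findall(trace)
    from_server = [b for b in banners if b in SERVER_MESSAGES]
    alerts = ALERT.findall(trace)
    sent = [desc for direction, _, desc in alerts if direction == "SEND"]
    received = [desc for direction, _, desc in alerts if direction == "RECV"]
    peer_closed = "EOFException" in trace or "closed connection" in trace

    if "ClientHello" not in banners:
        side = "inconclusive"       # trace does not cover the handshake
    elif not from_server and (peer_closed or received):
        # The peer dropped or rejected the ClientHello before presenting a
        # certificate, so client trust validation never ran.
        side = "server"
    elif "Certificate chain" in from_server and \
            {"certificate_unknown", "bad_certificate"} & set(sent):
        side = "client-truststore"  # client rejected the certificate it was shown
    else:
        side = "inconclusive"
    return {
        "last_server_message": from_server[-1] if from_server else None,
        "peer_closed": peer_closed,
        "alerts_sent": sent,
        "alerts_received": received,
        "investigate": side,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

On the posted trace this reports no server handshake message and a peer close: the handshake_failure alert in the log is one the client sent after the EOF, not one received from the listener.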
