How to configure secure jdbc url in adf-config to deploy SOA artifacts into mds

3783434
3783434 Member Posts: 5
edited Jun 3, 2019 2:35PM in SOA Suite Discussions

How to configure secure DB connection in ADF-config.xml for deploying the SOA artifacts into MDS.

Recently we moved from non-SSL to SSL for both the application and the database, and when trying to deploy SOA artifacts to the MDS store we are getting an SSL handshake error.

Below are the properties passed in ADF-config.xml:

<metadata-store class-name="oracle.mds.persistence.stores.db.DBMetadataStore">
    <property value="PROD_MDS" name="jdbc-userid"/>
    <property value="******" name="jdbc-password"/>
    <property value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=xxxxxxxxxx)(PORT=1535))(CONNECT_DATA=(SERVICE_NAME=xxxxx)))" name="jdbc-url"/>
    <property value="$storelocation/truststore_aiadb.jks" name="javax.net.ssl.trustStore"/>
    <property value="********" name="javax.net.ssl.trustStorePassword"/>
    <!--<property value="/app/local/softwares/jdk1.7.0_80/jre/lib/security/cacerts" name="javax.net.ssl.trustStore"/>
    <property value="*******" name="javax.net.ssl.trustStorePassword"/>-->
    <property value="jks" name="javax.net.ssl.trustStoreType"/>
    <property value="1.2" name="oracle.net.ssl_version"/>
    <property value="10000" name="oracle.net.CONNECT_TIMEOUT"/>
    <property value="soa-infra" name="partition-name"/>
</metadata-store>

Error:-

[scac] MDS-01370: MetadataStore configuration for metadata-store-usage "mstore-usage_3" is invalid.

     [scac] MDS-01259: The metadata store "oracle.mds.persistence.stores.db.DBMetadataStore" cannot be instantiated.

     [scac] MDS-00003: error connecting to the database

     [scac] Exception occurred while getting connection: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource: java.sql.SQLRecoverableException: IO Error: Remote host closed connection during handshake

regards,

Tarak.


Answers

  • vladodias
    vladodias Member Posts: 2,283 Gold Trophy
    edited May 29, 2019 10:12PM

    Hi mate,

    Really hard without having a clear indication of what is failing on the handshake...

    It might be because of Java 7, it defaults to TLS 1.0, you may try adding TLS 1.1 and 2.2 into the JVM parameters and restarting...

    -Dhttps.protocols=TLSv1.1,TLSv1.2

    Cheers,

    Vlad

  • 3783434
    3783434 Member Posts: 5
    edited May 29, 2019 10:29PM

    Vlad,

    Please enlighten me. I have configured TLS 1.2 at the application level and the DB is also running only on TLS 1.2, so we have updated our data source with SSL properties, and after that we were able to connect to the DB via data sources. We successfully brought up the application (Admin and MS1 and MS2) with no errors in the logs.

    The only pending part is to deploy the AIA composite using the AIA deployment script.

    The deployment script uses the command below:

    ${ANT_HOME}/bin/ant -f ${AIA_HOME}/Infrastructure/Install/AID/AIAInstallDriver.xml -DPropertiesFile=${AIA_INSTANCE}/config/AIAInstallProperties.xml -DDeploymentPlan=${DEPLOYMENT_PLAN} | tee ${DEPLOYMENT_LOGFILE}

    I have updated the Java 7 jcepolicy file and upgraded the JDBC driver to 12.1.2. Since my WebLogic is successfully able to connect, I am sure JDK/JDBC is not an issue here.

    I know it's hard to find out the problem. Can you tell me how I can pass SSL debug properties to the ant command?

    Regards,

    Tarak.

  • vladodias
    vladodias Member Posts: 2,283 Gold Trophy
    edited May 30, 2019 1:47AM

    Hi Tarak,

    Try creating an env variable like below... it should show the output on the ant logs...

    ANT_OPTS="-Djavax.net.debug=all"

    Also try this...

    ANT_OPTS="-Djavax.net.debug=all -Dhttps.protocols=TLSv1.1,TLSv1.2"

    Cheers,

    Vlad

  • 3783434
    3783434 Member Posts: 5
    edited May 30, 2019 10:18AM

    No luck after adding it to aiaenv.sh, which we source before calling the deployment script.

    ANT_OPTS="-Djavax.net.debug=all -Dhttps.protocols=TLSv1.2"

    export CLASSPATH=$CLASSPATH:$ANT_OPTS

    Regards,

    Tarak.

  • vladodias
    vladodias Member Posts: 2,283 Gold Trophy
    edited May 30, 2019 6:30PM

    It shouldn't be in the classpath... it should be only...

    export ANT_OPTS="-Djavax.net.debug=all -Dhttps.protocols=TLSv1.2"

    What if you add directly to the command line?

    ${ANT_HOME}/bin/ant -f ${AIA_HOME}/Infrastructure/Install/AID/AIAInstallDriver.xml -DPropertiesFile=${AIA_INSTANCE}/config/AIAInstallProperties.xml -DDeploymentPlan=${DEPLOYMENT_PLAN} -Djavax.net.debug=all -Dhttps.protocols=TLSv1.2 | tee ${DEPLOYMENT_LOGFILE}

    It might be that the deployment task is creating a separate JVM instance that is not inheriting the options... you can also try...

    JAVA_TOOL_OPTIONS=-Djavax.net.debug=all

    JAVA_OPTS=-Djavax.net.debug=all

    Cheers,

    Vlad
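
Added example, not part of the thread and not Oracle or AIA tooling: once `-Djavax.net.debug=all` output reaches the Ant log, a shell check like this reads the ClientHello version out of it and compares it with the version the database listener requires. The log lines are a constructed sample in the Java 7 JSSE debug format, and the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Constructed sample of Java 7 JSSE debug output (javax.net.debug=all).
# These lines are illustrative; they are not taken from the thread.
SAMPLE_LOG='trigger seeding of SecureRandom
*** ClientHello, TLSv1
main, WRITE: TLSv1 Handshake, length = 149
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT:  fatal, description = handshake_failure'

# Print the protocol version(s) the client offered in its ClientHello.
client_hello_versions() {
    printf '%s\n' "$1" |
        sed -n 's/^\*\*\* ClientHello, \(TLSv[0-9.]*\).*/\1/p' | sort -u
}

# Classify a debug log against the version the server requires (e.g. TLSv1.2).
# Result labels are hypothetical names chosen for this example.
diagnose_handshake() {
    log=$1
    required=$2
    offered=$(client_hello_versions "$log")
    if [ -z "$offered" ]; then
        # No ClientHello logged: the debug option never reached the JVM
        # that opens the connection (e.g. a forked JVM without ANT_OPTS).
        echo "no-debug-output"
    elif ! printf '%s\n' "$offered" | grep -qxF "$required"; then
        # Client offered a different version than the server accepts.
        echo "version-mismatch"
    elif printf '%s\n' "$log" |
            grep -q 'Remote host closed connection during handshake'; then
        # Version matches, so check trust store and cipher suites next.
        echo "closed-after-matching-hello"
    else
        echo "hello-ok"
    fi
}

# Stand-alone run on the constructed sample.
diagnose_handshake "$SAMPLE_LOG" TLSv1.2
```

Against a real run, pass the contents of the deployment log instead of the sample, for example `diagnose_handshake "$(cat "$DEPLOYMENT_LOGFILE")" TLSv1.2`.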

  • 3783434
    3783434 Member Posts: 5
    edited May 31, 2019 11:45AM

    I will try and post the results.

  • 3783434
    3783434 Member Posts: 5
    edited Jun 3, 2019 2:35PM

    Vlad,

    So far no luck, and we have raised a Sev-1 SR with Oracle and raised a bug. Meanwhile, management asked us to back off the TLS 1.2 changes at the application level and deploy the composite using the non-SSL port.

    I was able to figure out that jps-config.xml needs to have a keystore set up for MDS to work. I tested it in JDeveloper 12c successfully, but in JDeveloper 11.1.1.7/11.1.1.9 it is not working.

    Any idea if a TLS 1.2 DB connection works with JDeveloper 11.1.1.7/11.1.1.9?

    Thanks,

    Tarak.