ORDS standalone encryption of database connection

We are using ORDS using the standalone server migrated from mod_plsql. 

We're on version 19.4 but will be upgrading to the latest version. We are moving to cloud and need to ensure that all network traffic is encrypted. I've been reading a lot of Oracle Notes and documentation and thought at first that the default was a jdbc connection that would be encrypted by default, but now I am not so sure. I read too much. I can't find any documentation or evidence in our configuration that jdbc is being used. We are using basic authentication in our defaults.xml:


<comment>Saved on Fri Aug 21 15:05:15 ADT 2020</comment>

<entry key="db.hostname">xxxx.xxxx.xx</entry>

<entry key="db.port">1521</entry>

<entry key="db.servicename">XXXXX.XXXX.XX</entry>

<entry key="">true</entry>


Is this using a jdbc connection, and would the minimal change be to set a parameter in the database server's sqlnet.ora? I'm concerned that changing the DB server settings will affect other applications' connections.



Do I need to use the tomcat server instead of standalone jetty on the ORDS server?

Do I need to install a jdbc client on the ORDS server (for standalone jetty server or tomcat)?

I am looking for a minimal viable product, but will do what needs to be done to secure the traffic of course.



  • User_SO02G
    User_SO02G Member Posts: 3 Green Ribbon


    Did you ever get this to work? Like you, our databases are set up for native sqlnet encryption (sqlnet.ora properties).

    I have tried changing ords defaults.xml to use TNS connection type instead of BASIC/JDBC but it is still not using encryption.





  • nahunter
    nahunter Member Posts: 7 Blue Ribbon
    edited Jun 8, 2021 1:18PM

    The solution we used was to download the Oracle thin client to the client server, update the defaults.xml to use tns, and update the script to include the new Java parameters on the command line:

    defaults.xml needs tns connectionType and to point to the thin driver tnsnames location

    <entry key="db.connectionType">tns</entry>

    <entry key="db.tnsAliasName">XXXXXXX</entry>

    <entry key="db.tnsDirectory">/u01/app/oracle/products/instantclient/network/admin</entry>

    We added the Java encryption parameters to our start script:



    export JAVA_OPTIONS="$ENCRYPT_CLIENT $TNS_OPTION -Dorg.eclipse.jetty.server.Request.maxFormContentSize=3000000"

    nohup java ${JAVA_OPTIONS} -jar /u1/opt/ords-19.4/ords.war standalone >> $LOGFILE 2>&1 &
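
The start-script approach from the reply above, as an added example that is not part of the original post or of Oracle's documentation: it gives `$ENCRYPT_CLIENT` and `$TNS_OPTION` assumed values using the JDBC thin driver's `oracle.net.*` system properties and checks `defaults.xml` before launch. The property values, the `ORDSDB` alias, the `example.test` host names and all function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the Oracle JDBC thin driver
# bundled with ORDS honours these oracle.net.* system properties.

# JVM options standing in for $ENCRYPT_CLIENT and $TNS_OPTION in the start script.
# REQUIRED makes the connection fail instead of silently falling back to cleartext.
build_java_options() {
  ENCRYPT_CLIENT="-Doracle.net.encryption_client=REQUIRED -Doracle.net.encryption_types_client=(AES256)"
  TNS_OPTION="-Doracle.net.tns_admin=$1"
  printf '%s %s\n' "$ENCRYPT_CLIENT" "$TNS_OPTION"
}

# Print the value of <entry key="KEY"> from an ORDS defaults.xml.
ords_entry() {
  sed -n "s|.*<entry key=\"$2\">\(.*\)</entry>.*|\1|p" "$1" | head -n 1
}

# Exit status: 0 ok, 1 not a TNS connection, 2 tnsnames.ora unreadable, 3 alias missing.
check_ords_tns() (
  ctype=$(ords_entry "$1" db.connectionType)
  tns_alias=$(ords_entry "$1" db.tnsAliasName)
  dir=$(ords_entry "$1" db.tnsDirectory)
  [ "$ctype" = "tns" ] || exit 1
  [ -n "$tns_alias" ] && [ -r "$dir/tnsnames.ora" ] || exit 2
  grep -qiE "^[[:space:]]*${tns_alias}[[:space:]]*=" "$dir/tnsnames.ora" || exit 3
)

# Write a constructed defaults.xml and tnsnames.ora into directory $1 for a dry run.
make_sample() {
  cat > "$1/defaults.xml" <<EOF
<properties>
<entry key="db.connectionType">$2</entry>
<entry key="db.tnsAliasName">ORDSDB</entry>
<entry key="db.tnsDirectory">$1</entry>
</properties>
EOF
  echo "ORDSDB = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.test)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=svc.example.test)))" > "$1/tnsnames.ora"
}

# Dry run on constructed files: print the command line instead of starting ORDS.
demo=$(mktemp -d)
make_sample "$demo" tns
if check_ords_tns "$demo/defaults.xml"; then
  echo "would start: java $(build_java_options "$demo") -jar ords.war standalone"
fi
rm -rf "$demo"
```

With the database's default of ACCEPTED for SQLNET.ENCRYPTION_SERVER, a client that sets REQUIRED negotiates encryption without a change to the server's sqlnet.ora.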


  • User_SO02G
    User_SO02G Member Posts: 3 Green Ribbon

    THANK YOU SO MUCH nahunter!!!

    I got it working thanks to you.

    We are using ORDS on WebLogic and I added the encryption properties to the managed server, Server Start, Arguments section:

    For standalone ORDS:

    java -jar apex.war standalone

    And of course, add the three parameters in defaults.xml:

    db.connectionType --> tns

    db.tnsAliasName --> CAPEXQ2

    db.tnsDirectory --> /u01/app/oracle/product/19.0.0/client_1/network/admin

  • nahunter
    nahunter Member Posts: 7 Blue Ribbon

    Great. You can test it using tcpdump and Wireshark.

  • User_SO02G
    User_SO02G Member Posts: 3 Green Ribbon

    Yes, Wireshark to test. I'd also like to add that, for a quick verify on the database, you can query gv$session_connect_info:

    select s.inst_id, s.sid, s.serial#, s.username, s.machine,
           e.client_version, e.client_driver, e.authentication_type, e.osuser, e.banner
    from gv$session s,
         (select inst_id, sid, serial#, client_version, client_driver, authentication_type, osuser,
                 substr(network_service_banner,1,18) banner
          from gv$session_connect_info
          where network_service_banner like 'AES%') e
    where s.inst_id = e.inst_id(+)
    and s.sid = e.sid(+)
    and s.serial# = e.serial#(+)
    and s.username is not null
    order by s.username

