6 Replies Latest reply: Jul 19, 2012 10:24 AM by 950521

    JDBC Thin driver is not connecting over SSL connection with SunPKCS11

    950521

      Hi All,

      To enforce FIPS compliance, I removed the default providers and added SunPKCS11, which is configured to work with NSS.
      Whenever I try to connect to an Oracle Database using the Thin JDBC driver with SSL enabled, I get the following exception:

      java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
          at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:517)
          at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:557)
          at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:233)
          at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:29)
          at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:556)
          at java.sql.DriverManager.getConnection(Unknown Source)
          at java.sql.DriverManager.getConnection(Unknown Source)
          . . . .
      Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
          at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:389)
          at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:431)
          at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:882)
          at oracle.net.ns.NSProtocol.connect(NSProtocol.java:267)
          at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1625)
          at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:365)
          ... 25 more
      Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
          at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:324)
          at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:114)
          at oracle.net.nt.ConnOption.connect(ConnOption.java:130)
          at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:367)
          ... 30 more
      Caused by: java.security.NoSuchAlgorithmException: SSL SSLContext not available
          at sun.security.jca.GetInstance.getInstance(Unknown Source)
          at javax.net.ssl.SSLContext.getInstance(Unknown Source)
          at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:310)
          ... 33 more

      It looks like it's generated by the call:

      javax.net.ssl.SSLContext.getInstance("SSL");

      I have tried with a couple of other databases and their respective JDBC drivers, and I didn't get any such issue. Being curious, I looked at the PostgreSQL JDBC driver code and found that it uses the default SSLContext via

      javax.net.ssl.SSLContext.getDefault(); 

      and works without any issue.

      In my code, the call

      javax.net.ssl.SSLContext.getInstance("TLS");

      goes through without any issue.

      The URL used to connect:

      jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=172.16.254.1)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORCL)))

      Does it mean that the Thin JDBC driver doesn't support the TLS protocol, or that it is not yet ready to work in a FIPS-compliant environment?

      If it does support it, is there any way to force the driver to use TLS instead of SSL?
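
A diagnostic for the situation described in the post above, added here as an example and not part of the original post or of the Oracle driver: it lists which `SSLContext` algorithms each installed JCA provider registers, then tries the three names the post mentions. The class name `SslContextProbe` is hypothetical; run it in the same JVM configuration (same `java.security` provider list) as the failing application.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

public class SslContextProbe {
    // Names discussed in the post: "SSL" (fails in the stack trace),
    // "TLS" (works), and "Default" (what SSLContext.getDefault() resolves).
    private static final String[] NAMES = {"SSL", "TLS", "Default"};

    /** Name of the first installed provider offering SSLContext.<name>, or null. */
    static String providerFor(String name) {
        for (Provider p : Security.getProviders()) {
            // getService() matches aliases as well as primary algorithm names.
            if (p.getService("SSLContext", name) != null) {
                return p.getName();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        System.out.println("Installed providers, in preference order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " - " + p.getInfo());
            for (Provider.Service s : p.getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    System.out.println("    SSLContext." + s.getAlgorithm());
                }
            }
        }
        for (String name : NAMES) {
            String owner = providerFor(name);
            try {
                SSLContext ctx = SSLContext.getInstance(name);
                System.out.println(name + ": available from "
                        + ctx.getProvider().getName());
            } catch (NoSuchAlgorithmException e) {
                // Same exception type as the root cause in the stack trace.
                System.out.println(name + ": unavailable (registered by: "
                        + owner + ") - " + e.getMessage());
            }
        }
    }
}
```

If "SSL" shows as unavailable while "TLS" is available, the provider set offers no `SSLContext` under the name the stack trace shows `CustomSSLSocketFactory` requesting, which matches the `NoSuchAlgorithmException` above.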