5 Replies Latest reply on May 9, 2014 3:22 PM by JaysonHanes

    encrypt listener connection to DB?

    JaysonHanes

      I have an installation that works fine. However, I need to encrypt traffic from the ORDS/TOMCAT server to the Oracle DB on the back-end (the traffic that is normally over port 1521).. passwords etc from apex applications are sent over the wire in clear-text on the LAN (I have SSL on the browser->tomcat configured okay).. Does anyone have any experience with how to configure SSL like this? I've found docs on configuring a wallet on the DB server, as well as how to configure the tnsnames etc with TCPS (all DB configs) -- but I cannot find anything at all about configuring the Apex Listener (ORDS) to complement it (except changing to the new TCPS port).

      Thoughts? Thank you for anything you can share on this subject.

        • 1. Re: encrypt listener connection to DB?
          Mike Kutz

          I haven't gotten that far yet.  (I just have my app servers <-> DB servers communication on a separate vLAN)

          From a quick Google search, it looks like you just need to use the "Adv. Settings" with a "Custom JDBC URL"

          source:   http://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf

          jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))

          In SQL*Developer, connect to the ORDS/APEX Listener server.

          Listener -> Administration -> Database Settings -> {database service} -> Connections:

          set the Connection Type to "Advanced"

          and fill out the appropriate jdbc setting as above.

          Let us know if this worked.

          MK
          • 2. Re: encrypt listener connection to DB?
            JaysonHanes

            Thanks Mike.. I have that document.. my problem is that I don't use SQL Developer to configure the listener settings (I haven't anyway, since SQL Developer 3.2, and now I'm using 4).. I've just always edited the files as needed. I do not see those "Advanced" JDBC settings in the Listener docs (About the Configuration File)

            However, I do now see it listed like this:

            db.customURL (string): The JDBC URL connection to connect to the database.

            jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP) (HOST=myhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=ora111.us.example.com)))

            Thank you for the push in the right direction.. I'll give that a try and update this post with my results. FWIW, it seems that I cannot connect anymore to my listeners with SQL Developer 3.2 or 4.0, I get "cannot connect to <server> 301 Moved Permanently".. ugh.

            I'll do it the manual way for now.

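A configuration check for what Mike's custom JDBC URL and the db.customURL key above imply, as an added example that is not ORDS's or the thread's own code. It assumes ORDS keeps its settings as Java properties XML (`<entry key="...">value</entry>`), that the keys are db.customURL, db.hostname and db.port as named in the thread, and that a missing db.customURL means ORDS connects over plain TCP to db.hostname/db.port; the defaults.xml content is constructed. It parses every ADDRESS clause of the thin URL and flags any that is not PROTOCOL=tcps, which is the cleartext path the question is about.

```python
"""Audit ORDS connection settings: plain TCP vs TCPS to the database.
Added example, not ORDS code; assumes ORDS keeps its settings as Java
properties XML with the keys named in the thread (db.customURL,
db.hostname, db.port)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample (the real file also has an XML declaration and DOCTYPE);
# it mixes one TCPS and one plain TCP address to exercise both outcomes.
SAMPLE_DEFAULTS_XML = """<properties>
  <entry key="db.hostname">dbhost.example.com</entry>
  <entry key="db.port">1521</entry>
  <entry key="db.customURL">jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcps)(HOST=dbhost.example.com)(PORT=2484))(ADDRESS=(PROTOCOL=TCP) (HOST=dbhost2.example.com)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=svc.example.com)))</entry>
</properties>
"""

# An (ADDRESS=...) group holds one level of nested (KEY=VALUE) pairs.
ADDRESS_RE = re.compile(r"\(ADDRESS\s*=((?:[^()]|\([^()]*\))*)\)", re.IGNORECASE)
PARAM_RE = re.compile(r"\((\w+)\s*=\s*([^()]*)\)")

def load_ords_entries(xml_text):
    """Return {key: value} for every <entry> in an ORDS properties file."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}

def parse_addresses(jdbc_url):
    """Extract each ADDRESS clause of a thin URL as {PROTOCOL, HOST, PORT}."""
    return [{k.upper(): v.strip() for k, v in PARAM_RE.findall(m.group(1))}
            for m in ADDRESS_RE.finditer(jdbc_url)]

def audit_transport(entries):
    """Classify each DB endpoint ORDS may use as 'tcps' or 'cleartext'."""
    url = entries.get("db.customURL")
    if not url:
        # No custom URL: the listener builds a plain TCP thin URL from
        # db.hostname/db.port (assumption based on the thread), so flag it.
        return [("cleartext", entries.get("db.hostname"), entries.get("db.port"))]
    findings = []
    for addr in parse_addresses(url):
        status = "tcps" if addr.get("PROTOCOL", "").lower() == "tcps" else "cleartext"
        findings.append((status, addr.get("HOST"), addr.get("PORT")))
    return findings

if __name__ == "__main__":
    for status, host, port in audit_transport(load_ords_entries(SAMPLE_DEFAULTS_XML)):
        print(f"{status:9} {host}:{port}")
```

Any "cleartext" line is an endpoint on which APEX_PUBLIC_USER's password and application data still cross the LAN unencrypted.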
            • 3. Re: encrypt listener connection to DB?
              Mike Kutz

              side note/suggestion:

              FWIW, it seems that I cannot connect anymore to my listeners with SQL Developer 3.2 or 4.0, I get "cannot connect to <server> 301 Moved Permanently".. ugh.

              If you have a support contract, you may want to fill out an SR.

              MK

              • 4. Re: encrypt listener connection to DB?
                JaysonHanes

                Mike, I've not made much progress with this. I am finding it really tough to uncover documentation that explains all that is clearly necessary to make this work, and even less is specifically "out there" with regards to the APEX listener, etc.

                In testing a Listener connection from SQL Developer 4, on the machine running ORDS, I get this error:

                Cannot connect to APEX_PUBLIC_USER. IO Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

                There is a wallet on the oracle DB that is working for SSL connectivity to LDAP on 636 (for authentication).. and there is an SSL certificate on the tomcat server that works fine for client connections.. I've imported certs on both sides.. but now I'm thinking that I might need to separately install an Oracle Client with its own listener.ora configuration with a client wallet configuration on this same server?? Oracle sure does a great job in allowing this to be complicated!

                • 5. Re: encrypt listener connection to DB?
                  JaysonHanes

                  I think I have it working. I need to conduct more tests, but, it has to do with the various versions of Java on the machine, which one Tomcat uses, and the default cacerts file that it uses, and the keystore that I created on the ORDS server and omfg my head's gonna explode.. but.. I have an SSL connection via 2484 to the database, and SSL is still working in the browser, and my apex apps are working at this time..