oracle-databasetomcat9mtlsoracle-wallet

Oracle ADB TLS connection error in Tomcat


It fails with different errors when I connect to an OCI ADB instance from a Tomcat-hosted [version 9.0.65] / [jdk8 - 202 build] application using the TLS mechanism. However, when I download the Wallet file and set the JVM argument with the wallet location it works-
The code snippet below

PoolDataSource ds = PoolDataSourceFactory.getPoolDataSource();
        try {
            ds.setConnectionFactoryClassName("oracle.jdbc.pool.OracleDataSource");
            ds.setURL(
                    "jdbc:oracle:thin:@(description= (address=(protocol=tcps)(port=1521)(host=ip.address.of.adb))(connect_data=(service_name=$service_name))(security=(ssl_server_dn_match=no)))");
            ds.setUser("myUser");
            ds.setPassword("********");
            ds.setInitialPoolSize(5);
            ds.setMinPoolSize(5);
            ds.setMaxPoolSize(10);
        } catch (Exception ignore) {
            throw new IllegalArgumentException("Error occurred while trying to configure datasource");
        }

it works with following wallet VM args

-Doracle.net.wallet_location=/path/to/wallet
-Doracle.net.tns_admin=/path/to/wallet

An example of an error is when I don't set the wallet location. I need a TLS connection only and not the wallet

Caused by: oracle.net.ns.NetException: Unable to initialize the trust store.
    at oracle.net.nt.CustomSSLSocketFactory.trustStoreFailure(CustomSSLSocketFactory.java:766)
    at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:417)
    ... 32 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:792)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:57)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:71)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at oracle.net.nt.CustomSSLSocketFactory.loadFileBasedKeyStore(CustomSSLSocketFactory.java:1153)
    at oracle.net.nt.CustomSSLSocketFactory.loadKeyStore(CustomSSLSocketFactory.java:1125)
    at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:408)
    ... 32 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:790)
    ... 39 more

Solution

  • The ADB TLS connection doesn't need certificates or a Wallet with jks files. My tomcat was configured with -

    javax.net.ssl.trustStore= my private certificate 
    

    when I removed it, the app connected with the ADB without issues. However, if you need to specify the trutsStore, then import the oracle certificate from the wallet to your local trust store and also pass the password to your local trustStore

     javax.net.ssl.trustStorePassword= my-password