Oracle Database TLS1.2 / SSL connection using JDBC thin and JKS

Views: 839

Problem description


When trying to connect to Oracle Database 12c using the 12.1.0.2 JDBC Thin driver, we are getting an exception. We are using TLSv1.2 with JKS certificates. But we are unable to connect to the database successfully.

Exception in thread "main" java.sql.SQLRecoverableException: IO Error: Received fatal alert: handshake_failure

Solution

Here are the steps to follow to configure the Oracle JDBC thin driver to connect to the Database using TLS v1.2 (assuming your Database configuration is correct).

Step 1: Apply patch for bug 19030178 (not needed starting in 12.2.0.1)

You will need to apply the patch for bug 19030178 which allows TLSv1.2. Note that the patch allows TLSv1.2 but doesn't enable it by default. So with the 12.1.0.2 patched driver you also need to set oracle.net.ssl_version='1.2'. This property can be set either as a system property (using -D) or through the datasource properties.

Step 2: Install JCE files

Without the Java Cryptography Extension (JCE) files, the strong cipher suites (for example TLS_RSA_WITH_AES_256_CBC_SHA256) won't be enabled. So whether you're using JDK7 or JDK8, you should install the JCE Unlimited Strength Jurisdiction Policy Files. These files can be found on the Oracle website.

Step 3: Always use the latest update of the JDK

Be sure to use the latest update of either JDK7 or JDK8 because bugs have been fixed that are required for TLSv1.2.

Step 4: Use JKS files instead of wallets

It looks like you have already done that but just for others to see: wallets are complicated to configure and use with the Oracle JDBC thin driver because they require extra jars and extra properties. JKS files on the other hand are supported natively in the JRE and, in my experience, have always worked nicely.

Step 5: When using JDK7, explicitly enable strong cipher suites

This step is not required when using JDK8. With JDK7, if you're using a strong cipher suite such as TLS_RSA_WITH_AES_256_CBC_SHA256, then you must enable it through the oracle.net.ssl_cipher_suites connection property.

Step 6: Debug with -Djavax.net.debug=all

Finally, if you run into more issues, you can turn on tracing to find out what's going on using -Djavax.net.debug=all.
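Steps 2, 3 and 5 are all about the JVM rather than the driver, and a handshake_failure gives no hint which one is missing. As an added example (not code from the original answer), the following small Java program checks those prerequisites before any JDBC code runs: it prints the JDK build, tests whether the unlimited-strength JCE policy is in effect, reports whether the requested cipher suite is supported and enabled by default for a TLSv1.2 context, and confirms the JKS files open with their passwords. The class name, the default suite argument and the interactive password prompt are this example's own choices; the file names on the command line are placeholders.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * JVM-side preflight for the steps above (added example, not from the original
 * answer). Class name, file names and prompts are this example's own choices.
 *
 * Usage: java TlsPreflight TLS_RSA_WITH_AES_256_CBC_SHA256 truststore.jks keystore.jks
 */
public class TlsPreflight {

    /** Step 3: show the exact build so it can be compared with the latest JDK update. */
    static String jdkBuild() {
        return System.getProperty("java.runtime.version") + " (" + System.getProperty("java.vendor") + ")";
    }

    /** Step 2: without the unlimited-strength JCE policy files AES is capped at 128 bits,
     *  so no *_AES_256_* suite can ever be negotiated, whatever the driver asks for. */
    static boolean unlimitedStrengthInstalled() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /** Steps 1 and 5: the JVM must be able to build a TLSv1.2 context, and the suite must be
     *  both supported and enabled by default. "Supported but not enabled" is the JDK7 case
     *  that the oracle.net.ssl_cipher_suites property fixes. */
    static String suiteStatus(String suite) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
        if (!supported.contains(suite)) {
            return "NOT SUPPORTED by this JVM (check the JCE policy files and JDK update)";
        }
        return enabled.contains(suite)
                ? "supported and enabled by default"
                : "supported but NOT enabled by default (set oracle.net.ssl_cipher_suites)";
    }

    /** Step 4: a JKS that does not open with the given password, or that is empty, also tends
     *  to surface as a handshake failure rather than as a clear error. */
    static int jksEntryCount(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks.size();
    }

    public static void main(String[] args) throws Exception {
        String suite = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_CBC_SHA256";
        System.out.println("JDK build:              " + jdkBuild());
        System.out.println("Unlimited-strength JCE: " + unlimitedStrengthInstalled());
        System.out.println(suite + ": " + suiteStatus(suite));

        Console console = System.console();
        for (int i = 1; i < args.length; i++) {
            // Read the password interactively so it never lands in the shell history.
            char[] pw = console != null ? console.readPassword("Password for %s: ", args[i]) : new char[0];
            System.out.println(args[i] + ": " + jksEntryCount(args[i], pw) + " entries");
            Arrays.fill(pw, '\0');
        }
    }
}
```

Run it with the same JDK that will run the JDBC client: a suite reported as "supported but NOT enabled" on JDK7 is exactly the step 5 situation, and "Unlimited-strength JCE: false" means step 2 has not been done on that installation.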

==== EXAMPLE WITH JDK7 AND THE 12.1.0.2 PATCHED THIN DRIVER =====

java  -Doracle.net.ssl_version='1.2' -Doracle.net.ssl_cipher_suites='(TLS_RSA_WITH_AES_256_CBC_SHA256)' -Doracle.net.ssl_server_dn_match='true' -Djavax.net.ssl.trustStore='truststore.jks' -Djavax.net.ssl.trustStorePassword='welcome1' -Djavax.net.ssl.keyStore='keystore.jks' -Djavax.net.ssl.keyStorePassword='welcome1'  JDBCTest 'jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=host)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=myservice))(security=(ssl_server_cert_dn="CN=name,O=org,L=city,ST=state,C=country")))' 'pdb1' 'welcome1'

==== EXAMPLE WITH JDK8 AND THE 12.1.0.2 PATCHED THIN DRIVER =====

java -Doracle.net.ssl_version='1.2' -Doracle.net.ssl_server_dn_match='true' -Djavax.net.ssl.trustStore='truststore.jks' -Djavax.net.ssl.trustStorePassword='welcome1' -Djavax.net.ssl.keyStore='keystore.jks' -Djavax.net.ssl.keyStorePassword='welcome1'  JDBCTest 'jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=host)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=myservice))(security=(ssl_server_cert_dn="CN=name,O=org,L=city,ST=state,C=country")))' 'pdb1' 'welcome1'
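Both command lines above configure TLS through -D system properties, which apply to the whole JVM and put the keystore passwords into the process command line. As an added example (not code from the original answer), here is the same configuration expressed as connection properties on an OracleDataSource, as step 1 mentions, so the settings stay with the data source, the JDK7-only cipher-suite property is applied conditionally, and the passwords come from the environment. It assumes the thin driver accepts the javax.net.ssl.* keys as connection properties (if your driver build does not, keep those as -D properties); the environment variable names, the class name and the verification query are this example's own.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;
import oracle.jdbc.pool.OracleDataSource;

/**
 * Same settings as the -D command lines above, but as data-source connection
 * properties (added example, not from the original answer).
 *
 * Usage: TRUSTSTORE_PASSWORD=... KEYSTORE_PASSWORD=... java JdbcTlsDataSource <user> <password>
 * Set TLS_DEBUG=1 in the environment to get the step 6 handshake trace.
 */
public class JdbcTlsDataSource {

    // URL taken from the answer: tcps listener plus the expected server certificate DN.
    static final String URL =
        "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=host)(PORT=1522))"
      + "(CONNECT_DATA=(SERVICE_NAME=myservice))"
      + "(security=(ssl_server_cert_dn=\"CN=name,O=org,L=city,ST=state,C=country\")))";

    /** Build the TLS connection properties; the JDK7-only step 5 is applied when jdk7 is true. */
    static Properties tlsProperties(boolean jdk7, String trustStorePw, String keyStorePw) {
        Properties p = new Properties();
        p.setProperty("oracle.net.ssl_version", "1.2");               // step 1: the patched 12.1.0.2 driver needs this
        p.setProperty("oracle.net.ssl_server_dn_match", "true");      // check the server cert DN, not just the chain
        p.setProperty("javax.net.ssl.trustStore", "truststore.jks");  // step 4: JKS instead of a wallet
        p.setProperty("javax.net.ssl.trustStoreType", "JKS");
        p.setProperty("javax.net.ssl.trustStorePassword", trustStorePw);
        p.setProperty("javax.net.ssl.keyStore", "keystore.jks");      // client certificate for mutual TLS
        p.setProperty("javax.net.ssl.keyStoreType", "JKS");
        p.setProperty("javax.net.ssl.keyStorePassword", keyStorePw);
        if (jdk7) {
            // step 5: JDK7 does not enable the SHA256 AES-256 suite on its own
            p.setProperty("oracle.net.ssl_cipher_suites", "(TLS_RSA_WITH_AES_256_CBC_SHA256)");
        }
        return p;
    }

    static OracleDataSource dataSource(String user, String password, Properties tls) throws Exception {
        OracleDataSource ds = new OracleDataSource();
        ds.setURL(URL);
        ds.setUser(user);
        ds.setPassword(password);
        ds.setConnectionProperties(tls);
        return ds;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: JdbcTlsDataSource <user> <password>");
            System.exit(2);
        }
        String tsPw = System.getenv("TRUSTSTORE_PASSWORD");
        String ksPw = System.getenv("KEYSTORE_PASSWORD");
        if (tsPw == null || ksPw == null) {
            System.err.println("TRUSTSTORE_PASSWORD and KEYSTORE_PASSWORD must be set");
            System.exit(2);
        }
        boolean jdk7 = "1.7".equals(System.getProperty("java.specification.version"));

        // Step 6 equivalent of -Djavax.net.debug, narrowed to the handshake; it must be set
        // before the first TLS connection is opened, -D on the command line is the safer way.
        if (System.getenv("TLS_DEBUG") != null) {
            System.setProperty("javax.net.debug", "ssl:handshake");
        }

        OracleDataSource ds = dataSource(args[0], args[1], tlsProperties(jdk7, tsPw, ksPw));
        try (Connection c = ds.getConnection();
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') FROM dual")) {
            rs.next();
            // 'tcps' confirms the session really negotiated TLS rather than plain TCP.
            System.out.println("network protocol: " + rs.getString(1));
        }
    }
}
```

Keeping oracle.net.ssl_server_dn_match=true together with ssl_server_cert_dn in the URL is what ties the trust store check to a specific server identity; dropping either one leaves the client accepting any certificate the trust store happens to chain to.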
