Tomcat 8 and Oracle Wallet
Getting Tomcat 8 to connect over encrypted TCPS to an Oracle Database using Oracle Wallet.
Protecting sensitive data of your customers has always been important.
GDPR suggests applying encryption wherever possible to limit the risk of a data breach.
For a project at a customer, encrypting the connection between a Tomcat application and its Oracle Database server became a requirement.
I have been struggling with setting up Tomcat to use the Oracle Wallet without success.
Many websites and blog posts are either outdated, oversimplify the solution, are full of unanswered cries for help, or implement the solution in code rather than using JNDI.
No matter what I tried, I was always greeted with the following exception when Tomcat started to initialize the connections:
Caused by: oracle.net.ns.NetException: Unable to initialize the key store.
at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:642)
at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:547)
... 41 more
Caused by: java.security.KeyStoreException: SSO not found
at java.security.KeyStore.getInstance(KeyStore.java:851)
at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:628)
... 42 more
Caused by: java.security.NoSuchAlgorithmException: SSO KeyStore not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.security.Security.getImpl(Security.java:695)
at java.security.KeyStore.getInstance(KeyStore.java:848)
... 43 more
Thanks to a member of the Tomcat Users mailing list I was able to make it work by using the original Java KeyStore that was used for creating the Oracle Wallet in the first place.
Here are the steps I took to get Tomcat working with TCPS to the Oracle Database:
- Add the following jar file to Tomcat's lib/ directory: ojdbcX.jar (X = relevant major version of Java, e.g. 8)
- In ./jre/lib/security/java.security add the following:
  security.provider.10=oracle.security.pki.OraclePKIProvider
- In context.xml:
  url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=< SERVICE NAME >)))"
  connectionProperties="javax.net.ssl.trustStore=./keystores/oracle_keystore/mykeystore.jks;javax.net.ssl.trustStorePassword=changeme;javax.net.ssl.trustStoreType=JKS;javax.net.ssl.keyStore=./keystores/oracle_keystore/mykeystore.jks;javax.net.ssl.keyStorePassword=changeme;javax.net.ssl.keyStoreType=JKS;"
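As an added example (not code from the original post), here is a small Python check that parses the two context.xml attributes above and flags the settings that most often go wrong: a descriptor whose PROTOCOL is not TCPS, an empty HOST, a store type of SSO (the Oracle Wallet auto-login format, which only works once OraclePKIProvider is registered in java.security, otherwise you get the "SSO KeyStore not available" error shown earlier), and the placeholder password. The host name and service name in the sample values are constructed, not taken from the post.

```python
import re

# Constructed sample values modelled on the context.xml attributes above;
# the host and service name are placeholders, not values from the post.
URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)"
       "(HOST=db.example.internal)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=ORCL)))")
PROPS = ("javax.net.ssl.trustStore=./keystores/oracle_keystore/mykeystore.jks;"
         "javax.net.ssl.trustStorePassword=changeme;javax.net.ssl.trustStoreType=JKS;"
         "javax.net.ssl.keyStore=./keystores/oracle_keystore/mykeystore.jks;"
         "javax.net.ssl.keyStorePassword=changeme;javax.net.ssl.keyStoreType=JKS;")


def parse_connection_properties(text):
    """Split Tomcat's connectionProperties format ([name=value;]*) into a dict."""
    props = {}
    for pair in text.split(";"):
        pair = pair.strip()
        if pair:  # a trailing ';' leaves an empty element behind
            name, _, value = pair.partition("=")
            props[name.strip()] = value.strip()
    return props


def parse_descriptor(url):
    """Collect the innermost (KEY=value) pairs of an Oracle connect descriptor."""
    return {k.upper(): v for k, v in re.findall(r"\((\w+)=([^()]*)\)", url)}


def check_tcps_config(url, props_text):
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    desc = parse_descriptor(url)
    props = parse_connection_properties(props_text)
    if desc.get("PROTOCOL") != "TCPS":
        findings.append("PROTOCOL is not TCPS: the session would not be encrypted")
    if not desc.get("HOST"):
        findings.append("HOST is empty")
    for store in ("trustStore", "keyStore"):
        path = props.get(f"javax.net.ssl.{store}")
        kind = props.get(f"javax.net.ssl.{store}Type")
        password = props.get(f"javax.net.ssl.{store}Password")
        if not path:
            findings.append(f"{store} is not set")
        if kind == "SSO":
            # Oracle Wallet auto-login store: needs OraclePKIProvider in java.security,
            # otherwise the driver fails with 'SSO KeyStore not available'
            findings.append(f"{store} type SSO requires OraclePKIProvider in java.security")
        if password == "changeme":
            findings.append(f"{store} still uses the placeholder password")
    return findings


if __name__ == "__main__":
    for finding in check_tcps_config(URL, PROPS) or ["no findings"]:
        print(finding)
```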