jdbc ssl

I already wrote about jdbc hello world and listener with tcps.

Let’s combine both technologies !
TCPS.java
import java.util.Properties;
import java.security.Security;
import java.sql.*;
import javax.net.ssl.*;

public class TCPS {
public static void main(String argv[]) throws SQLException {
String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(Host=dbsrv001)(Port=12345))(CONNECT_DATA=(SID=DB01)))";
Properties props = new Properties();
props.setProperty("user", "scott");
props.setProperty("password", "tiger");
props.setProperty("javax.net.ssl.trustStore","cwallet.sso");
props.setProperty("javax.net.ssl.trustStoreType","SSO");
Security.addProvider(new oracle.security.pki.OraclePKIProvider());
DriverManager.registerDriver(new oracle.jdbc.OracleDriver());
Connection conn = DriverManager.getConnection(url, props);
ResultSet res = conn.
prepareCall("select 'Hello SSL World' txt from dual").
executeQuery();
res.next();
System.out.println(res.getString("TXT"));
}
}

I have an auto-login wallet (cwallet.sso) with the trusted certificate from the server.

There are a few jar’s to use:

$ CLASSPATH=$ORACLE_HOME/jdbc/lib/ojdbc5.jar
$ CLASSPATH=$CLASSPATH:$ORACLE_HOME/jlib/oraclepki.jar
$ CLASSPATH=$CLASSPATH:$ORACLE_HOME/jlib/osdt_cert.jar
$ CLASSPATH=$CLASSPATH:$ORACLE_HOME/jlib/osdt_core.jar
$ CLASSPATH=$CLASSPATH:.
$ export CLASSPATH
$ javac TCPS.java
$ java TCPS
Hello SSL World

Greatly inspired by Jean de Lavarene’s white paper : SSL With Oracle JDBC Thin Driver

6 thoughts on “jdbc ssl

  1. Shrinath

    Hi,
    Have you faced issues with JRE1.7 with Oracle11g release 2 for SSL with JDBC Thin Driver.
    I tried to write a simple program to establish connection but am getting the following error. The same code works with JRE1.6 but fails with JRE 1.7.
    The thin driver used is ojdbc6.jar
    The error wihch I get is :
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    Regards,
    Shrinath.

  2. Laurent Schneider Post author

    I have not tested it yet, but read note 1498108.1

    SSL weak algorithm suites have been removed from the JDK (in other words, JDK 7 is more strict)

  3. Shrinath

    Would that be an issue? Since I am using the oraclepki.jar as the registered security provider to establish connection in 1.6
    Let me know the link which you were referring to for this one.
    Regards,
    Shrinath.

  4. Pingback: SSL with PKCS12 truststore | Laurent Schneider

Comments are closed.