I am new here and I am an Oracle database developer (admin/sql/plsql) mostly. I am not familiar with java/jetty.
I am currently trying to setup our web application to use tcps to connect to the oracle database. The existing web application is using tcp protocol and is working.
I have followed some steps to set up the wallet on the Oracle database server, and also set up the wallet on a Linux (Oracle Linux 9) server which runs the web app, and exchanged both servers' certificates with each other, so I can do a sqlplus connection from the application server to the Oracle database using the tcps port (which is defined in the db server's listener.ora and the app server's Oracle client's tnsnames.ora). The Oracle database and Oracle client are Oracle 19c, and there is an ojdbc8.jar in the Oracle client's home $ORACLE_HOME/jdbc/lib.
The app server has Jetty, and Jetty starts the webapp, so the .war file is put in Jetty's webapps directory. When the webapp tried to connect to the Oracle database, I see the following error:

```text
java.lang.IllegalStateException: Failed to get connection to the DB: [ssvm_odb@jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=usatl-ssdb02)(PORT=1523))(CONNECT_DATA=(SERVICE_NAME=r19000)))]
Caused by: java.sql.SQLRecoverableException: IO Error: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
```
On the Oracle database server, I think I have listed the cipher suites in the sqlnet.ora file:

```text
SSL_CIPHER_SUITES = (TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA)
```

In the app server's $ORACLE_HOME/network/admin/sqlnet.ora file, the same list of cipher suites is set.
In the Java file, we have the following to set the URL and username/password, and then connect to the database:

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Build the thin-driver URL using the tcps protocol; serverName, portNumber,
// serviceName and odb are set elsewhere in the class
url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=" + serverName + ")(PORT=" + portNumber + "))(CONNECT_DATA=(SERVICE_NAME=" + serviceName + ")))";
username = odb.getUsername();
odbConnectionData = new java.util.Properties();
odbConnectionData.put( "user", username );
odbConnectionData.put( "password", odb.getPassword() );

public Connection getConnection( )
{
    Connection connection;
    try
    {
        connection = DriverManager.getConnection( url, odbConnectionData );
    }
    catch ( SQLException e )
    {
        // Could not connect to the database
        throw Debug.wrap(e, "Failed to get connection to the DB: [%s@%s]", username, url);
    }
    return connection;
}
```
From the error, I would think it is more about "cipher suites are inappropriate"; it seems to me that the JDBC connection does not read the sqlnet.ora or the location of the wallet. I also tried to modify some configuration files in $JAVA_HOME/jre/lib/security, like java.security, but nothing works.
I am hoping someone with more knowledge in the encrypted communication area could give me some pointers and hints on how to make this work. I know it is a long post. I could provide more information on the setup if needed.
Thanks,
James
You're right: the "jdbc:oracle:thin" driver won't read sqlnet.ora. But it will read $TNS_ADMIN/tnsnames.ora. And it will also read $TNS_ADMIN/ojdbc.properties, which is sort of like Oracle JDBC's equivalent of sqlnet.ora.
To configure cipher suites for Oracle JDBC, you'll need to configure the "oracle.net.ssl_cipher_suites" connection property in your ojdbc.properties file. Make sure to configure the property with JSSE cipher suite names. Sometimes the JSSE name will be different from the name used in sqlnet.ora.
You can also put your wallet location in ojdbc.properties, configuring it with the “oracle.net.wallet_location” property.
So your file might end up looking like this:

```properties
# TODO: Add other cipher suite names
oracle.net.ssl_cipher_suites=TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256
oracle.net.wallet_location=/path/to/your/wallet.sso
```
Or, if your wallet.sso is in the TNS_ADMIN directory, you can use a "${environment-variable-name}" expression to configure wallet_location as the TNS_ADMIN environment variable:

```properties
# TODO: Add other cipher suite names
oracle.net.ssl_cipher_suites=TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256
oracle.net.wallet_location=${TNS_ADMIN}
```
All I’ve written so far is just addressing that Oracle JDBC doesn’t read sqlnet.ora, and that it reads connection properties instead, and these properties can be stored in an ojdbc.properties file.
However, I usually don't need to configure cipher suites, so I'm now looking at the other side of the "or" condition in your error message:

```text
protocol is disabled or cipher suites are inappropriate
```
Maybe the issue is the TLS protocol version, and not the ciphers? It might be that your Java security provider is requiring TLS 1.3, and the database only supports 1.2. If you're OK with using TLS 1.2, then you might try setting "oracle.net.ssl_version" in the properties file as well:
oracle.net.ssl_version=1.3 or 1.2
Please let me know if this helps.
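The answer rests on two checks a practitioner would want to run before editing ojdbc.properties: which of the sqlnet.ora cipher suite names the local JSSE actually has enabled (as opposed to merely supported but removed by jdk.tls.disabledAlgorithms in java.security), and whether TLSv1.2 is still in the JVM's default protocol list, since either gap produces the "No appropriate protocol" message above. The following Java 8-compatible diagnostic is an added illustration, not code from the asker's webapp, the answerer, or the Oracle JDBC driver. The class name OjdbcTlsCheck is hypothetical, the sqlnet.ora text in SAMPLE_SQLNET_ORA is a constructed sample (its last suite is deliberately obsolete so the report shows a disabled entry), and the wallet location ${TNS_ADMIN} is simply the form used in the answer.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

/** Hypothetical diagnostic (not part of Oracle JDBC): compares sqlnet.ora suites with local JSSE. */
public class OjdbcTlsCheck {

    // Constructed sample of an SSL_CIPHER_SUITES entry as written in sqlnet.ora.
    static final String SAMPLE_SQLNET_ORA =
        "SSL_CIPHER_SUITES = (TLS_RSA_WITH_AES_256_GCM_SHA384,\n"
      + "  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\n"
      + "  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,\n"
      + "  SSL_RSA_WITH_RC4_128_SHA)";

    private static final Pattern SUITES =
        Pattern.compile("SSL_CIPHER_SUITES\\s*=\\s*\\(([^)]*)\\)", Pattern.CASE_INSENSITIVE);

    /** How one sqlnet.ora suite name looks from the local JSSE provider's point of view. */
    enum Status { ENABLED, DISABLED_BY_POLICY, UNKNOWN_TO_JSSE }

    /** Extracts the suite names from the SSL_CIPHER_SUITES=( ... ) entry, in file order. */
    static List<String> parseSqlnetCipherSuites(String sqlnetOra) {
        List<String> names = new ArrayList<>();
        Matcher m = SUITES.matcher(sqlnetOra);
        if (!m.find()) {
            return names;
        }
        for (String raw : m.group(1).split(",")) {
            String name = raw.trim();
            if (!name.isEmpty()) {
                names.add(name);
            }
        }
        return names;
    }

    /**
     * ENABLED: in the JVM's default suite list, so the driver can offer it.
     * DISABLED_BY_POLICY: JSSE implements it but the default list excludes it
     * (typically jdk.tls.disabledAlgorithms in java.security).
     * UNKNOWN_TO_JSSE: no JSSE suite has this name; sqlnet.ora may spell it differently.
     */
    static Map<String, Status> classify(List<String> sqlnetNames, SSLContext ctx) {
        Set<String> supported = new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        Map<String, Status> result = new LinkedHashMap<>();
        for (String name : sqlnetNames) {
            if (enabled.contains(name)) {
                result.put(name, Status.ENABLED);
            } else if (supported.contains(name)) {
                result.put(name, Status.DISABLED_BY_POLICY);
            } else {
                result.put(name, Status.UNKNOWN_TO_JSSE);
            }
        }
        return result;
    }

    /** True when the JVM will still negotiate TLS 1.2 with its default settings. */
    static boolean tls12Enabled(SSLContext ctx) {
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()).contains("TLSv1.2");
    }

    /** Renders the ojdbc.properties entries from the answer, keeping only ENABLED suites. */
    static String renderOjdbcProperties(Map<String, Status> status, String walletLocation) {
        List<String> usable = new ArrayList<>();
        for (Map.Entry<String, Status> e : status.entrySet()) {
            if (e.getValue() == Status.ENABLED) {
                usable.add(e.getKey());
            }
        }
        return "oracle.net.ssl_cipher_suites=" + String.join(", ", usable) + "\n"
             + "oracle.net.wallet_location=" + walletLocation + "\n"
             + "oracle.net.ssl_version=1.2\n";   // 1.2 as suggested in the answer
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Map<String, Status> status = classify(parseSqlnetCipherSuites(SAMPLE_SQLNET_ORA), ctx);
        for (Map.Entry<String, Status> e : status.entrySet()) {
            System.out.printf("%-45s %s%n", e.getKey(), e.getValue());
        }
        System.out.println("JSSE default protocols: "
            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        if (!tls12Enabled(ctx)) {
            System.out.println("TLSv1.2 is disabled in this JVM; a TLS 1.2-only listener cannot be reached.");
        }
        System.out.println("--- suggested ojdbc.properties ---");
        System.out.print(renderOjdbcProperties(status, "${TNS_ADMIN}"));
    }
}
```

Compile and run it with `javac OjdbcTlsCheck.java && java OjdbcTlsCheck`, using the same JDK that starts Jetty: the enabled suite and protocol lists come from that JDK's java.security, so a different JDK on the same host can give a different report.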