Submit a ticketCall us

WebinarWebinar: A checklist for planning your Network Performance Monitor (NPM) upgrade

Are you ready for your next upgrade? To help you plan smoothly, join this webcast to learn more about, SolarWinds® Orion® Installer, SolarWinds Upgrade Advisor, Upgrades Guides, Training Videos, and other resources available. We’ll share key upgrade planning considerations, lessons learned from customers with practical advice from SolarWinds Product Experts. We’ll also give practical tips to identify the estimated time needed and resources, how to prepare the business and IT staff for changes, ways to plan for required system changes, and more.

Register now.

Home > Success Center > Database Performance Analyzer (DPA) > DPA - Knowledgebase Articles > SSL connections from DPA to Oracle monitored instance

SSL connections from DPA to Oracle monitored instance

Table of contents

Updated March 22, 2017


This article addresses the issue where a user is unable to connect to DPA to monitor an Oracle instance that requires SSL connections.


  • All versions of DPA
  • Oracle monitored instance that requires an SSL connection


  1. If you need the TLS 1.1 or TLS 1.2 protocols, you must first patch the Oracle JDBC driver that DPA uses.
    1. Log in to your Oracle support account.
    2. Download Patch 19030178: ADD TLSV1.1 AND TLSV1.2 IN JDBC THIN, and select Release: Oracle
    3. Shut down DPA.
    4. Extract into a temporary directory.
    5. Navigate to the <temp_dir>\19030178\files\jdbc\lib directory.
    6. Extract the ojdbc5.jar file, which will result in an oracle subdirectory.
    7. Copy the entire oracle directory to <DPA_install_dir>\iwc\tomcat\webapps\iwc\WEB-INF\classes.

      The result should be:


    8. Start DPA.
  2. Export the Oracle certifcate from the Oracle server.
    1. Download the Amazon RDS root CA certificate.
    2. Convert it to DER format using openssl.
      1. For Windows, download openssl.
      2. Open a command prompt as Administrator.
      3. Set OPENSSL_CONF=<openssl_path>\bin\openssl.cfg.
      4. In the <openssl path>\bin directory, issue the following command:


        openssl x509 -outform der -in rds-ca-2015-root.pem -out rds-ca-2015-root.der


    3. In the <openssl path>\bin directory, there should now be a file called:

      rds-ca-2015-root.pem-out rds-ca-2015-root.der

  3. Make DPA trust the Oracle certificate by creating a new trust store containing the Oracle certificate.

    Use the Portecle utility

    1. Download, install, and open Portecle.
    2. Click File > New Keystore, and select the JKS keystore type.
    3. Click Tools > Import Trusted Certificate, and select the file from Step 1.
    4. Confirm that you trust the certificate and proceed with the import.
    5. After the certificate successfully imports, save the trust store to a file.
      • Windows: <DPA_home>\iwc\tomcat\ignite_config\security\oracle-truststore.jks
      • Linux: <DPA_home>/iwc/tomcat/ignite_config/security/oracle-truststore.jks
    6. During the save, Portecle will ask for a password to encrypt the keystore. By default, Java applications use changeit as password.
    7. Close Portecle.

    Use the keytool command

    1. Use the keytool utility in the following directory:
      • Windows: dpa_home\iwc\jre\bin\
      • Linux: dpa_home/iwc/jre_linux/bin/
      • Solaris: dpa_home/iwc/jre_unix/bin/
    2. Run the following command:


      <path_to_keytool>/keytool -import -keystore <path_to_DPA_trust_store> -alias <specify_alias_for_certificate> -file <path_to_certificate> -storepass <password_to_DPA_trust_store>


      The <path_to_DPA_trust_store> will be:

      • Windows: <DPA_home>\iwc\tomcat\ignite_config\security\oracle-truststore.jks
      • Linux: <DPA_home>/iwc/tomcat/ignite_config/security/oracle-truststore.jks

      The <password_to_DPA_trust_store> will be changeit by default.

      An example command is:


      C:\Program Files\SolarWinds\DPA\iwc\jre\bin\keytool -import -keystore "C:\Program Files\SolarWinds\DPA\iwc\tomcat\ignite_config\security\oracle-truststore.jks" -alias oracle_cert -file "C:\OpenSSL\bin\rds-ca-2015-root.der" -storepass changeit


  4. If you are using strong encryption (key size is 256 or greater, Amazon RDS uses strong encryption), then the Java policy jars must be updated.
    1. Go to <DPA_home>/iwc/jre/lib/security.
    2. Rename the following files:
      • local_policy.jar to local_policy.jar.sav
      • US_export_policy.jar to US_export_policy.jar.sav
    3. Download the file.
    4. Extract the following files from the ZIP, and place them in <DPA_home>/iwc/jre/lib/security directory:
      • local_policy.jar
      • US_export_policy.jar
  5. Restart DPA for the changes to take effect.
  6. Register the Oracle instance in DPA.
    1. On Step 2 of the of the database registration wizard, select the TNS Connect Descriptor option.
    2. In the Connect Descriptor field, specify tcps as the protocol. For example:




    3. Click Advanced Connection Properties.
    4. In the Connection Properties field, enter the following:



Last modified