
SSL connections from DPA to Oracle monitored instance

Updated March 22, 2017

Overview

This article addresses the issue where a user is unable to connect to DPA to monitor an Oracle instance that requires SSL connections.

Environment

  • All versions of DPA
  • Oracle monitored instance that requires an SSL connection

Steps

  1. If you need the TLS 1.1 or TLS 1.2 protocols, you must first patch the Oracle JDBC driver that DPA uses.
    1. Log in to your Oracle support account.
    2. Download Patch 19030178: ADD TLSV1.1 AND TLSV1.2 IN JDBC THIN, and select Release: Oracle 11.2.0.4.0.
    3. Shut down DPA.
    4. Extract p19030178_112040_Generic.zip into a temporary directory.
    5. Navigate to the <temp_dir>\19030178\files\jdbc\lib directory.
    6. Extract the ojdbc5.jar file, which will result in an oracle subdirectory.
    7. Copy the entire oracle directory to <DPA_install_dir>\iwc\tomcat\webapps\iwc\WEB-INF\classes.

      The result should be:

      <DPA_install_dir>\iwc\tomcat\webapps\iwc\WEB-INF\classes\oracle\net\nt\TcpsConfigure.class

    8. Start DPA.
  2. Export the Oracle certificate from the Oracle server.
    1. Download the Amazon RDS root CA certificate.
    2. Convert it to DER format using openssl.
      1. For Windows, download openssl.
      2. Open a command prompt as Administrator.
      3. Set OPENSSL_CONF=<openssl_path>\bin\openssl.cfg.
      4. In the <openssl_path>\bin directory, issue the following command:

        openssl x509 -outform der -in rds-ca-2015-root.pem -out rds-ca-2015-root.der

    3. In the <openssl_path>\bin directory, there should now be a file called:

      rds-ca-2015-root.der

  3. Make DPA trust the Oracle certificate by creating a new trust store containing the Oracle certificate.

    Use the Portecle utility

    1. Download, install, and open Portecle.
    2. Click File > New Keystore, and select the JKS keystore type.
    3. Click Tools > Import Trusted Certificate, and select the file from Step 1.
    4. Confirm that you trust the certificate and proceed with the import.
    5. After the certificate successfully imports, save the trust store to a file.
      • Windows: <DPA_home>\iwc\tomcat\ignite_config\security\oracle-truststore.jks
      • Linux: <DPA_home>/iwc/tomcat/ignite_config/security/oracle-truststore.jks
    6. During the save, Portecle will ask for a password to encrypt the keystore. By default, Java applications use changeit as the password.
    7. Close Portecle.

    Use the keytool command

    1. Use the keytool utility in the following directory:
      • Windows: dpa_home\iwc\jre\bin\
      • Linux: dpa_home/iwc/jre_linux/bin/
      • Solaris: dpa_home/iwc/jre_unix/bin/
    2. Run the following command:

      <path_to_keytool>/keytool -import -keystore <path_to_DPA_trust_store> -alias <specify_alias_for_certificate> -file <path_to_certificate> -storepass <password_to_DPA_trust_store>

      The <path_to_DPA_trust_store> will be:

      • Windows: <DPA_home>\iwc\tomcat\ignite_config\security\oracle-truststore.jks
      • Linux: <DPA_home>/iwc/tomcat/ignite_config/security/oracle-truststore.jks

      The <password_to_DPA_trust_store> will be changeit by default.

      An example command is:

      "C:\Program Files\SolarWinds\DPA\iwc\jre\bin\keytool" -import -keystore "C:\Program Files\SolarWinds\DPA\iwc\tomcat\ignite_config\security\oracle-truststore.jks" -alias oracle_cert -file "C:\OpenSSL\bin\rds-ca-2015-root.der" -storepass changeit

  4. If you are using strong encryption (a key size of 256 or greater; Amazon RDS uses strong encryption), the Java policy JAR files must be updated.
    1. Go to <DPA_home>/iwc/jre/lib/security.
    2. Rename the following files:
      • local_policy.jar to local_policy.jar.sav
      • US_export_policy.jar to US_export_policy.jar.sav
    3. Download the jce_policy-8.zip file.
    4. Extract the following files from the ZIP, and place them in <DPA_home>/iwc/jre/lib/security directory:
      • local_policy.jar
      • US_export_policy.jar
  5. Restart DPA for the changes to take effect.
  6. Register the Oracle instance in DPA.
    1. On Step 2 of the database registration wizard, select the TNS Connect Descriptor option.
    2. In the Connect Descriptor field, specify tcps as the protocol. For example:

      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<host_name>)(PORT=<port>))(CONNECT_DATA=(SERVICE_NAME=<service_name>)))

    3. Click Advanced Connection Properties.
    4. In the Connection Properties field, enter the following:

      javax.net.ssl.trustStore=<DPA_home>/iwc/tomcat/ignite_config/security/oracle-truststore.jks;javax.net.ssl.trustStoreType=JKS;javax.net.ssl.trustStorePassword=changeit
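
A pre-registration check for the two Step 6 values, added here as an example (it is not SolarWinds or Oracle code): it parses the connect descriptor and the Connection Properties string, then reports any ADDRESS that is not tcps, any missing trust store property, and a trust store left on the default changeit password. The function names, host names, ports, service name and /opt/dpa path are constructed for illustration.

```python
REQUIRED = ["javax.net.ssl." + n for n in ("trustStore", "trustStoreType", "trustStorePassword")]
# Constructed sample values: a failover address left on plain tcp, no trustStoreType.
SAMPLE_DESCRIPTOR = ("(DESCRIPTION=(ADDRESS_LIST="
                     "(ADDRESS=(PROTOCOL=tcps)(HOST=db1.example.internal)(PORT=2484))"
                     "(ADDRESS=(PROTOCOL=tcp)(HOST=db2.example.internal)(PORT=1521)))"
                     "(CONNECT_DATA=(SERVICE_NAME=orcl)))")
SAMPLE_PROPERTIES = ("javax.net.ssl.trustStore=/opt/dpa/iwc/tomcat/ignite_config/security/"
                     "oracle-truststore.jks;javax.net.ssl.trustStorePassword=changeit")

def parse_tns(text):
    """Parse '(KEY=value)' or '(KEY=(..)(..))' into (key, value_or_children)."""
    text, pos = "".join(text.split()), 0
    def group():
        nonlocal pos
        eq = text.find("=", pos)
        if text[pos:pos + 1] != "(" or eq < 0:
            raise ValueError(f"expected '(KEY=' at offset {pos}")
        key, pos = text[pos + 1:eq].upper(), eq + 1
        if text[pos:pos + 1] == "(":
            value = []
            while text[pos:pos + 1] == "(":
                value.append(group())
        else:
            end = text.find(")", pos)
            value, pos = text[pos:end], end
        if text[pos:pos + 1] != ")":
            raise ValueError(f"unbalanced parentheses in {key}")
        pos += 1
        return key, value
    return group()

def addresses(node):
    """Yield every ADDRESS group, at any nesting depth, as a dict of its simple fields."""
    key, value = node
    if key == "ADDRESS" and isinstance(value, list):
        yield {k: v for k, v in value if isinstance(v, str)}
    for child in (value if isinstance(value, list) else []):
        yield from addresses(child)

def check_registration(descriptor, properties):
    """Return a list of findings; an empty list means the Step 6 values look right."""
    findings = [f"{a.get('HOST')}:{a.get('PORT')} uses PROTOCOL={a.get('PROTOCOL')}, not tcps"
                for a in addresses(parse_tns(descriptor))
                if a.get("PROTOCOL", "").lower() != "tcps"]
    props = dict(p.strip().partition("=")[::2] for p in properties.split(";"))
    findings += [f"missing {n}" for n in REQUIRED if not props.get(n)]
    if props.get("javax.net.ssl.trustStorePassword") == "changeit":
        findings.append("trust store password is still the default changeit")
    return findings
```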

       

Last modified
11:08, 22 Mar 2017
