DriverManager.getConnection(url, name, pw) for TLS

 
Ranch Hand
Posts: 218
Hello. If you have a minute, I have code using jdbc to connect to oracle db on aws instance....



they need to change the oracle from http to https. However, I don't see any reference to protocol in getConnection args, the url arg is stored as....



I also have a Tomcat config file for a separate app (to the same Oracle instance) but see nothing on protocol...

 <Resource name="jdbc/AcmeDev" auth="Container"
             type="javax.sql.DataSource" driverClassName="oracle.jdbc.OracleDriver"
             url="jdbc:oracle:thin:@dbacme.blah...blah.com:1521:dbacme"
             username="acme_developer" password="encoded_gibberish" maxActive="20" minIdle="0"
             maxWaitMillis="-1"/>

How could I change these to https protocol? I also think I need to set up a trust store with the Oracle public key somewhere in Tomcat. I configured Tomcat as an https host last year, with a self-signed key store (intranet use) which is in everybody's browser trust store. But now, the Tomcat app is a browser-less client of an https server (Oracle). Thank you very much for reading.

Oh, I am using ojdbc8.jar so I am anticipating there might be a TLS version issue. Is there an updated Oracle driver?
 
Saloon Keeper
Posts: 28321
Oracle doesn't use the http or https protocols. It uses the "jdbc" protocol which is nothing like http.

Technically, "jdbc" means "via a jdbc driver" rather than defining a specific wire protocol standard, but that's another matter.

Yes, encryption was available as far back as the ojdbc8 driver, but it's not like there's a "jdbcs" protocol ID. Instead you request it as part of the query data in your connection URL. For more info, I refer you to the Oracle ojdbc8 docs, 'cause I forgot it all!

Having said that, encryption to a DBMS isn't a common thing. Ideally, the only systems talking to a DBMS are going to be on a secure subnet internal to your organization. Ideally, ideally, that means that not only ordinary employees, but even developers shouldn't be able to connect to your production Oracle DBMS at all. So you'd have to be really paranoid to feel the need of an encrypted JDBC channel running on an isolated LAN segment or VPN.
 
Thomas Griffith
Ranch Hand
Posts: 218
hello, Tim. just to confirm, the url arg isn't over http/https in



So this isn't a matter of having to store the public key for some Oracle PKI key store but just changing some stuff in the url connection string? ...and nothing needed in conf/server.xml?
 
Tim Holloway
Saloon Keeper
Posts: 28321

Thomas Griffith wrote:hello, Tim. just to confirm, the url arg isn't over http/https in



So this isn't a matter of having to store the public key for some Oracle PKI key store but just changing some stuff in the url connection string? ...and nothing needed in conf/server.xml?



Oracle might support a public/private key connection, but as I said, that sort of stuff is for people more paranoid than me.

When connecting with a TLS JDBC URL, nothing needs to be altered in the server.xml file, no. Not as things are currently set up, anyway. It's all going to be done in the JDBC Connection Pool configuration, and that's generally done per-application. Although you can share a pool between apps by defining it in server.xml. Just never seen it done.
 
Sheriff
Posts: 4646
I think that the URI for a TLS connection would look like this: jdbc:oracle:thin:@tcps://dbacme.blah...blah.com:1521:dbacme
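
An added example, not part of any post in this thread and not Oracle's own sample code: one way to request TLS from the thin driver with a `PROTOCOL=tcps` connect descriptor, point it at a trust store, and then confirm from inside the session that the channel really is TLS. The host, port 2484, service name and environment variable names are placeholders assumed for illustration, and the database listener is assumed to expose a TCPS endpoint.

```java
import java.sql.*;
import java.util.Properties;

public class OracleTcpsCheck {
    // Long-form connect descriptor; PROTOCOL=tcps is what asks for TLS.
    static String tcpsUrl(String host, int port, String service) {
        return "jdbc:oracle:thin:@(DESCRIPTION="
            + "(ADDRESS=(PROTOCOL=tcps)(HOST=" + host + ")(PORT=" + port + "))"
            + "(CONNECT_DATA=(SERVICE_NAME=" + service + ")))";
    }

    // Read settings and secrets from the environment instead of hard-coding them.
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return v;
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder endpoint (assumption): use the TCPS address of your own listener.
        String url = tcpsUrl("db.example.internal", 2484, "EXAMPLE_SVC");

        Properties p = new Properties();
        p.setProperty("user", env("DB_USER"));
        p.setProperty("password", env("DB_PASSWORD"));
        // Trust store holding the CA (or self-signed) certificate of the listener.
        p.setProperty("javax.net.ssl.trustStore", env("DB_TRUSTSTORE"));
        p.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
        p.setProperty("javax.net.ssl.trustStorePassword", env("DB_TRUSTSTORE_PASSWORD"));
        // Have the driver check the server certificate's DN, not only its chain.
        p.setProperty("oracle.net.ssl_server_dn_match", "true");

        try (Connection c = DriverManager.getConnection(url, p);
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') FROM dual")) {
            rs.next();
            String proto = rs.getString(1);
            // Fail closed if the session was negotiated over plain TCP.
            if (!"tcps".equalsIgnoreCase(proto)) {
                throw new IllegalStateException("session is not TLS-protected: " + proto);
            }
            System.out.println("network protocol: " + proto);
        }
    }
}
```

In a Tomcat `<Resource>` the same descriptor goes in the `url` attribute, and the `javax.net.ssl.*` values can be supplied as JVM system properties instead of connection properties.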
 
Tim Holloway
Saloon Keeper
Posts: 28321
I did a quick check and it appears that there are several different encryption options. Some of them are very ugly and in general, they are extremely non-portable. You have to cast specifically to class OracleDriver to even start in some cases.

So you'd have to be very, very paranoid about your LAN and absolutely certain that your employer was never going to switch database vendors like Amazon did.
 
Thomas Griffith
Ranch Hand
Posts: 218

Ron McLeod wrote:I think that the URI for a TLS connection would look like this: jdbc:oracle:thin:@tcps://dbacme.blah...blah.com:1521:dbacme



yeah, I see a mixed bag on all this, like it's just a url thing with the thin driver, but then I see other stuff like Tim started getting into.
 
Thomas Griffith
Ranch Hand
Posts: 218

Tim Holloway wrote:So you'd have to be very, very paranoid about your LAN and absolutely certain that your employer was never going to switch database vendors like Amazon did.



I think it's the "zero trust" initiative where everything is going to have to be encrypted, even internally, presuming intrusion. I am supposed to meet with the Oracle guy today, they don't seem to be concerned about major changes, maybe they tested and it is just a URL thing, but I am skeptical like you started finding.
 
Thomas Griffith
Ranch Hand
Posts: 218
  • Likes 1

Tim Holloway wrote:So you'd have to be very, very paranoid about your LAN and absolutely certain that your employer was never going to switch database vendors like Amazon did.



Ron McLeod wrote:I think that the URI for a TLS connection would look like this: jdbc:oracle:thin:@tcps://dbacme.blah...blah.com:1521:dbacme



Guys, I just had the meeting. I think it was about the front end of the Oracle db which I JDBC into converting from http to https, so I think the JDBC and connect strings should remain unchanged. I suspect the day will come with zero trust where all network connections will have to be encrypted, but that introduces more risk than reward with expiring certificates, trust stores, hiding private keys, etc. so maybe not.
 