Tags: oracle, tomcat9, mtls, oracle-wallet

Oracle ADB TLS connection error in Tomcat


It fails with different errors when I connect to an OCI ADB instance from a Tomcat-hosted (version 9.0.65, JDK 8 build 202) application using the TLS mechanism. However, when I download the wallet file and set the JVM argument with the wallet location, it works.
The code snippet is below:

import java.sql.SQLException;

import oracle.ucp.jdbc.PoolDataSource;
import oracle.ucp.jdbc.PoolDataSourceFactory;

    // UCP pool pointing at the ADB TLS endpoint; the DN-match check is switched off here
    PoolDataSource ds = PoolDataSourceFactory.getPoolDataSource();
    try {
        ds.setConnectionFactoryClassName("oracle.jdbc.pool.OracleDataSource");
        ds.setURL(
                "jdbc:oracle:thin:@(description= (address=(protocol=tcps)(port=1521)(host=ip.address.of.adb))(connect_data=(service_name=$service_name))(security=(ssl_server_dn_match=no)))");
        ds.setUser("myUser");
        ds.setPassword("********");
        ds.setInitialPoolSize(5);
        ds.setMinPoolSize(5);
        ds.setMaxPoolSize(10);
    } catch (SQLException e) {
        // keep the driver's exception as the cause so the real reason is not lost
        throw new IllegalArgumentException("Error occurred while trying to configure datasource", e);
    }

It works with the following wallet JVM args:

-Doracle.net.wallet_location=/path/to/wallet
-Doracle.net.tns_admin=/path/to/wallet

An example of an error is when I don't set the wallet location. I need a TLS connection only and not the wallet:

Caused by: oracle.net.ns.NetException: Unable to initialize the trust store.
    at oracle.net.nt.CustomSSLSocketFactory.trustStoreFailure(CustomSSLSocketFactory.java:766)
    at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:417)
    ... 32 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:792)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:57)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:71)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at oracle.net.nt.CustomSSLSocketFactory.loadFileBasedKeyStore(CustomSSLSocketFactory.java:1153)
    at oracle.net.nt.CustomSSLSocketFactory.loadKeyStore(CustomSSLSocketFactory.java:1125)
    at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:408)
    ... 32 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:790)
    ... 39 more

Solution

  • The ADB TLS connection doesn't need certificates or a wallet with JKS files. My Tomcat was configured with:

    javax.net.ssl.trustStore= my private certificate

    When I removed it, the app connected to the ADB without issues. However, if you need to specify the trustStore, then import the Oracle certificate from the wallet into your local trust store and also pass the password of your local trustStore:

    javax.net.ssl.trustStorePassword= my-password
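The stack trace in the question ("Keystore was tampered with, or password was incorrect") is thrown by the JDK's own JKS loader before the Oracle driver ever opens a socket, so the quickest way to confirm the answer's diagnosis is to load the configured trust store with the same properties Tomcat receives. The program below is an added illustration, not code from the question, the answer, or Oracle; it assumes only the standard `javax.net.ssl.trustStore`, `javax.net.ssl.trustStorePassword` and `javax.net.ssl.trustStoreType` properties and runs with the JVM arguments you give Tomcat. It reproduces the wrong-password failure path and lists which CA certificates the store actually trusts, so you can see whether the Oracle certificate imported from the wallet is present. One caveat from a defender's view: the URL in the question sets `ssl_server_dn_match=no`, which disables the driver's check that the server certificate's DN matches the host, so a trust store that loads cleanly only authenticates the ADB endpoint if that check is left on.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Pre-flight check for the trust store a Tomcat JVM hands to the Oracle JDBC driver.
 * Added example (not from the question or the answer). Run it with the same JVM
 * arguments as Tomcat, e.g.:
 *   java -Djavax.net.ssl.trustStore=/path/to/truststore.jks \
 *        -Djavax.net.ssl.trustStorePassword=my-password TrustStoreCheck
 */
public class TrustStoreCheck {

    /**
     * Opens the store the way the JDK does (type defaults to JKS) and returns
     * "alias -> subject DN" for every trusted certificate entry.
     */
    static List<String> trustedSubjects(String path, String password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type == null ? KeyStore.getDefaultType() : type);
        // A null password skips the JKS integrity check; the driver passes the configured
        // password, so we do the same to hit the same "tampered with, or password was incorrect" path.
        char[] pw = password == null ? null : password.toCharArray();
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        List<String> subjects = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                subjects.add(alias + " -> " + cert.getSubjectX500Principal().getName());
            }
        }
        return subjects;
    }

    public static void main(String[] args) {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String password = System.getProperty("javax.net.ssl.trustStorePassword");
        String type = System.getProperty("javax.net.ssl.trustStoreType");
        if (path == null) {
            // No explicit store: the driver falls back to the JDK's default cacerts,
            // which the answer above reports is enough for the ADB TLS endpoint.
            System.out.println("No javax.net.ssl.trustStore set; the JDK default trust store will be used.");
            return;
        }
        try {
            List<String> subjects = trustedSubjects(path, password, type);
            System.out.println("Loaded " + path + " with " + subjects.size() + " trusted certificate(s):");
            for (String s : subjects) {
                System.out.println("  " + s);
            }
            if (subjects.isEmpty()) {
                System.out.println("WARNING: store holds no trusted certificates; import the Oracle CA from the wallet first.");
            }
        } catch (IOException e) {
            // Wrong or missing javax.net.ssl.trustStorePassword, or a file that is not a JKS store:
            // this is the branch behind the stack trace in the question.
            System.out.println("Cannot load trust store: " + e.getMessage());
            System.out.println("Check javax.net.ssl.trustStorePassword and javax.net.ssl.trustStoreType.");
        } catch (Exception e) {
            System.out.println("Cannot load trust store: " + e);
        }
    }
}
```

If the program prints the "Cannot load trust store" message with the same text as the question's stack trace, the fix is the one given in the answer: either drop `javax.net.ssl.trustStore` so the JDK default store is used, or supply the matching `javax.net.ssl.trustStorePassword`. If it loads but lists no certificate whose subject is the Oracle CA, the import step from the wallet has not been done.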