I'm trying to implement JDBCRealm in Tomcat (as described in http://tomcat.apache.org/tomcat-4.1-doc/realm-howto.html#Configuring%20a%20Realm) to check credentials against an Oracle Database. The thing is that I want the database to communicate over SSL, so I configured the listener to use TCPS, like this:

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<hostname>)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<hostname>)(PORT=1512)))

Generated certificates, etc. I have no problem connecting to the database using tcps from sqlplus or from WLS (I can use the connection property oracle.net.ssl_cipher_suites=(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA) there without any problem).

However, I can't get JDBCRealm to work with the database over TCPS. If I configure the realm like this:

  <Realm className="org.apache.catalina.realm.JDBCRealm"
         debug="99"
         driverName="oracle.jdbc.driver.OracleDriver"
         connectionURL="jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = <hostname>)(PORT = 1512)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = <service name>)))"
         connectionName="<login>"
         connectionPassword="<password>"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name" />

I'm getting the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I imported the certificates into a JKS store, which I configured in Tomcat like this:

With no success.

I'm not a professional in Tomcat (more in databases). I'll appreciate any help or pointing me in the right direction. Thanks in advance!

Solution

The error seems to indicate that the SSL certificate is not trusted.

I suggest verifying that you indeed have the certificate in your trust store (there is a command-line tool in the JDK to list trust store contents; you can Google it) and then adding the following parameter to the Tomcat startup script:

javax.net.ssl.trustStore=<path to trust store>
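
One way to carry out the trust store check suggested in the answer above, as an added example that is not part of the original answer: a small Java program that loads the JKS file, shows which entries count as trust anchors, and tries to build a certification path for the server certificate, which is the step that fails with "PKIX path building failed". The class name `TrustStoreCheck` and the PEM file holding the certificate exported from the database server are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example. Usage (all three arguments are the caller's own files/values):
//   java TrustStoreCheck <truststore.jks> <store password> <server-chain.pem>
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        // Only trustedCertEntry items act as trust anchors; key entries do not.
        for (String alias : Collections.list(ts.aliases())) {
            System.out.printf("%-24s %s%n", alias, ts.isCertificateEntry(alias)
                    ? "trustedCertEntry" : "key entry (not a trust anchor)");
        }
        // PEM file: server certificate first, then any intermediate CAs.
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in " + args[2]);
        X509Certificate leaf = chain.get(0);
        // Case 1: the server certificate itself was imported (usual for self-signed).
        String direct = ts.getCertificateAlias(leaf);
        if (direct != null && ts.isCertificateEntry(direct)) {
            System.out.println("TRUSTED: server certificate stored under alias " + direct);
            return;
        }
        // Case 2: build a path from the server certificate up to a trusted CA entry.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        try {
            PKIXBuilderParameters p = new PKIXBuilderParameters(ts, target);
            p.setRevocationEnabled(false); // chain building only, no CRL/OCSP lookups
            p.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
            CertPath path = CertPathBuilder.getInstance("PKIX").build(p).getCertPath();
            System.out.println("TRUSTED: path of " + path.getCertificates().size() + " certificate(s)");
        } catch (Exception e) { // e.g. "unable to find valid certification path to requested target"
            System.out.println("NOT TRUSTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A trust store that passes this check is only consulted by the JDBC driver if the Tomcat JVM is started with it as a system property, for example `-Djavax.net.ssl.trustStore=<path to trust store>` in `CATALINA_OPTS`.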
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow