Background
Need to enable End to End encryption for connectivity between Apps to RDS DB.
On Oracle RDS side
When creating the Oracle instance, configure the Option group SSL setting like below.
On weblogic side
- After connection pool is created, update the below URL field. For example,
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<weblogic-host>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=DEMOWLST)))
- In the connection Properties, add the following
user=wlsdbuser
databaseName=DEMOWLST
javax.net.ssl.trustStore=/prod/applc/wls/domain/base_domain/certs/trust.jks
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.trustStorePassword=<password, default to Admin password>
Creating trusted JKS/Wallet
- To extract the RDS cert,
openssl s_client -showcerts -connect "{{ datasource.rdsHostName }}:{{ datasource.rdsSSLPort }}" </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/rds.pem
csplit -z -f tmpRDScert- /tmp/rds.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
cp `ls -1 tmpRDScert-* | tail -1` /tmp/rdsRoot.pem
- To import the root cert to JKS keystore,
keytool -import -alias rds-rootcert -file /tmp/rdsRoot.pem -keystore /prod/applc/wls/domain/base_domain/certs/trust.jks -storepass {{ domain_password }} -noprompt
- To import the root cert to Oracle Wallet (DMS endpoint require this),
/prod/applc/wls/oracle_common/bin/orapki wallet create -wallet /tmp/ssl_wallet -auto_login_only
/prod/applc/wls/oracle_common/bin/orapki wallet add -wallet /tmp/ssl_wallet -trusted_cert -cert /tmp/rdsRoot.pem -auto_login_only
For Oracle DMS endpoint, you will need to select rds-oracle-wallet when enabling the SSL with โverify-caโ option and point the port to the SSL enabled port.
Top comments (0)