Setting a Secure Connection with Oracle Server Database (Optional)

Enabling encrypted connection to the Oracle server increases the security of data transmitted across networks between the ActivID CMS Server and the Oracle Server instance.

Note: By default, the connection with the Oracle database is not secure.

Oracle supports:

  • two types of encryption: SSL Encryption and Advanced Security Option (ASO) network encryption.

  • a message integrity protocol.

Important: Do not activate Both Secure Socket Layer (SSL) encryption and ASO native encryption (or checksum) at the same time. Activate only one of the 3 configurations described in this documentation, that is, SSL Encryption, ASO Native Encryption, or Data Integrity.

Configuring Secure Socket Layer (SSL) Encryption

SSL communication is configured in Oracle by creating two wallets (client and server) that will store certificates, and by modifying the sqlnet.ora, tnsnames.ora and listener.ora configuration files.

The wallets can be created using the orapki utility, or using the Oracle Wallet Manager GUI tool (as indicated in this section).

Optional: Configuring Oracle Advanced Security Network Encryption (ASO Native Encryption)

Important: It is prohibited to activate Both Secure Socket Layer (SSL) encryption and ASO native encryption (or checksum) at the same time. If want to use ASO native encryption, you must disable SSL encryption.

Encryption and integrity parameters are defined by modifying an sqlnet.ora file on both the clients and the servers on the network.

The default value for each of the parameters is ACCEPTED.

  1. To enable the encryption, start the Net Manager on the Client.

  2. Select Profile -> Network Security -> Encryption.

  3. Require encryption from the client; set the encryption methods; and, optionally, set a seed that is 10-70 characters in length.

Note: The GUI interface requires you to set a seed, but it can be deleted in the sqlnet.ora file after saving the configuration.

Optional: Configuring Secure Data Integrity (Checksum)

Important: Do not activate Both Secure Socket Layer (SSL) encryption and Security Data Integrity (or checksum) at the same time. If want to use Security Data Integrity (checksum), need to disable SSL encryption.

The default value for each of the parameters is ACCEPTED.

  1. To enable the encryption, start the Net Manager on the Client.

  2. Select the Profile -> Network Security -> Integrity and set the configuration as shown above.

Checking the Database Configuration

  1. From the client, check if the database connection is OK:

  2. Check if the connection is TCPS:

    1. Connect to the database using encrypted connection:

      Copy 
      sqlplus system@cmsdbssl 

    1. Enter the password.

    2. Execute this query:

      Copy 
      SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') as network_protocol FROM dual;

    3. If you are connected via an encrypted connection, you will get the response:

      Copy 
      NETWORK_PROTOCOL
      ----------------
      tcps

Installing ActivID CMS Server Using a Secure Database Connection

  1. During the ActivID CMS set-up, select the database service with a secure connection (in this example, cmsdbSSL):

  2. After ActivID CMS installation, check and update the Oracle URL in the %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\database.properties.

  3. Edit the file cms_installation_dir\wildfly\bin\standalone.conf.bat (for example, using Notepad).

  4. Add the following lines at the very end of that file:

    Copy 
    set "JAVA_HOME=%JAVA_HOME% -Doracle.net.authentication_services=TCPS"
    set "JAVA_HOME=%JAVA_HOME% -Doracle.net.ssl_version=1.2"
    set "JAVA_HOME=%JAVA_HOME% -Djavax.net.ssl.trustStore=%PROGRAMDATA%\HID Global\Credential Management System\Shared Files\Certificates\CMSStore.jks"
    set "JAVA_HOME=%JAVA_HOME% -Djavax.net.ssl.trustStoreType=JKS"
    set "JAVA_HOME=%JAVA_HOME% -Djavax.net.ssl.trustStorePassword=<password>"

  1. In this configuration:

    • The CMSStore.jks file is a Java keystore containing the Oracle database public certificate or the root of the CA that issued this certificate. It is advised to put that file in the %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\Certificates directory.

    • <password> is the keystore password.

  2. Start the ActivID CMS server.