Setting a Secure Connection with Oracle Server Database (Optional)
Enabling encrypted connection to the Oracle server increases the security of data transmitted across networks between the ActivID CMS Server and the Oracle Server instance.
Oracle supports:
- two types of encryption: SSL Encryption and Advanced Security Option (ASO) network encryption.
- a message integrity protocol.
Configuring Secure Socket Layer (SSL) Encryption
SSL communication is configured in Oracle by creating two wallets (client and server) that will store certificates, and by modifying the sqlnet.ora, tnsnames.ora and listener.ora configuration files.
The wallets can be created using the orapki utility, or using the Oracle Wallet Manager GUI tool (as indicated in this section).
Optional: Configuring Oracle Advanced Security Network Encryption (ASO Native Encryption)
Encryption and integrity parameters are defined by modifying an sqlnet.ora file on both the clients and the servers on the network.
The default value for each of the parameters is ACCEPTED.
- To enable the encryption, start the Net Manager on the client.
- Select Profile -> Network Security -> Encryption.
- Require encryption from the client, set the encryption methods and, optionally, set a seed that is 10 to 70 characters in length.
Optional: Configuring Secure Data Integrity (Checksum)
The default value for each of the parameters is ACCEPTED.
- To enable integrity checking, start the Net Manager on the client.
- Select Profile -> Network Security -> Integrity and set the configuration as shown above.
Checking the Database Configuration
- From the client, check that the database connection is OK:
- Check that the connection uses TCPS:
- Connect to the database using the encrypted connection:
    sqlplus system@cmsdbssl
-
Installing ActivID CMS Server Using a Secure Database Connection
- During the ActivID CMS set-up, select the database service with a secure connection (in this example, cmsdbSSL):
- After the ActivID CMS installation, check and update the Oracle URL in the %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\database.properties file.
- Edit the file cms_installation_dir\wildfly\bin\standalone.conf.bat (for example, using Notepad).
- Add the following lines at the very end of that file:
    rem JVM options are appended to JAVA_OPTS (the variable standalone.conf.bat passes to the JVM);
    rem the Oracle JDBC thin driver and the Java TLS stack read the -D properties below
    set "JAVA_OPTS=%JAVA_OPTS% -Doracle.net.authentication_services=TCPS"
    set "JAVA_OPTS=%JAVA_OPTS% -Doracle.net.ssl_version=1.2"
    set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=%PROGRAMDATA%\HID Global\Credential Management System\Shared Files\Certificates\CMSStore.jks"
    set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStoreType=JKS"
    set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=<password>"
- In this configuration:
  - The CMSStore.jks file is a Java keystore containing the Oracle database public certificate or the root certificate of the CA that issued it. It is advised to put that file in the %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\Certificates directory.
  - <password> is the keystore password.
- Start the ActivID CMS server.
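The following is an added example, not part of the HID Global documentation, that checks the two artifacts the steps above touch: the JDBC URL in database.properties (it must select TCPS, whether written as a full connect descriptor or in Easy Connect form) and the -D properties appended in standalone.conf.bat. The URL, hostnames, paths and configuration lines are constructed samples.

```python
import re
# Constructed samples (not the real database.properties or standalone.conf.bat contents).
SAMPLE_URL_TCPS = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=db.example)"
                   "(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=cmsdbSSL)))")
SAMPLE_CONF = [
    r'set "JAVA_OPTS=%JAVA_OPTS% -Doracle.net.authentication_services=TCPS"',
    r'set "JAVA_OPTS=%JAVA_OPTS% -Doracle.net.ssl_version=1.2"',
    r'set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=%PROGRAMDATA%\HID Global\CMS\CMSStore.jks"',
    r'set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStoreType=JKS"',
    r'set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=<password>"',
]

def url_protocol(url: str) -> str:
    """Classify the transport an ojdbc thin URL selects: TCPS, TCP or UNKNOWN."""
    m = re.match(r"jdbc:oracle:thin:@(.*)$", url.strip(), re.IGNORECASE)
    if not m:
        return "UNKNOWN"
    target = m.group(1)
    if target.startswith("("):
        # Full connect descriptor: every ADDRESS names its own PROTOCOL; any plain one counts as TCP
        protos = {p.upper() for p in re.findall(r"\(\s*PROTOCOL\s*=\s*(\w+)\s*\)", target)}
        return "TCPS" if protos == {"TCPS"} else ("TCP" if protos else "UNKNOWN")
    # Easy Connect form "tcps://host:port/service"; without a scheme it is plain TCP
    scheme = re.match(r"(tcps?)://", target, re.IGNORECASE)
    return scheme.group(1).upper() if scheme else "TCP"

def jvm_props(conf_lines: list[str]) -> dict[str, str]:
    """Collect -Dkey=value pairs from standalone.conf.bat lines (values may contain spaces)."""
    props: dict[str, str] = {}
    for line in conf_lines:
        for key, val in re.findall(r'-D([\w.]+)=(.*?)(?=\s+-D|"|$)', line):
            props[key] = val
    return props

def audit(url: str, conf_lines: list[str]) -> list[str]:
    """Return findings for the TCPS setup; an empty list means nothing obvious is missing."""
    findings: list[str] = []
    proto, props = url_protocol(url), jvm_props(conf_lines)
    if proto != "TCPS":
        findings.append(f"database.properties URL uses {proto}, not TCPS")
    if props.get("oracle.net.authentication_services", "").upper() != "TCPS":
        findings.append("oracle.net.authentication_services is not TCPS")
    if props.get("oracle.net.ssl_version") != "1.2":
        findings.append("oracle.net.ssl_version is not 1.2")
    if not props.get("javax.net.ssl.trustStore", "").lower().endswith(".jks"):
        findings.append("javax.net.ssl.trustStore does not point to a .jks file")
    if props.get("javax.net.ssl.trustStorePassword", "<password>") == "<password>":
        findings.append("trustStorePassword placeholder was never replaced")
    return findings
```

Run audit() against the real files after the installation steps; a non-empty list points at the property or URL that would silently leave the connection on plain TCP.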