Introduction

• JS7 offers two levels of integration with an Oracle DBMS:
  • JS7 supports use of Oracle as the JS7 - Database.
  • JS7 offers job templates from JS7 - JITL Database Jobs that can be used to access Oracle databases, for this scenario see JS7 - How to make JITL Jobs connect to an Oracle database without using passwords.

• For both scenarios users might prefer not to provide a user account and password for authentication with the DBMS from readable files..

  • Use of passwords is considered insecure when passwords are stored in clear text in external files or in job parameters.
  • JS7 offers JS7 - Use of Credential Store with JITL Jobs as an alternative way to store and to retrieve passwords.
  • The Oracle Wallet® provides a means to connect to an Oracle database without specifying a user account and password.

Oracle Wallet®

The Oracle Wallet® configuration is explained with the Oracle documentation:

• Configuring clients to use the External Password Store e.g. in http://docs.oracle.com/cd/B19306_01/network.102/b14266/cnctslsh.htm#CBHEHGCE
• Or as a more condensed version from the Oracle-Base web site e.g. in https://oracle-base.com/articles/10g/secure-external-password-store-10gr2
• The location of the docs depends on the specific Oracle version in use.

Using Oracle Wallet® for JOC Cockpit

Prerequisites

Oracle Wallet®

No Oracle Client installation is required at run-time for use of a wallet with JOC Cockpit. However, users need an Oracle Client to set up and to configure the wallet.

• The wallet does not necessarily have to be created on the machine where JOC Cockpit is located. The wallet preferably consists of a number of keystore and truststore files that can be copied from a remote machine to the server that hosts JOC Cockpit.

• Typical commands to create a wallet include for example:
  
  

  Example how to set up a wallet

  # create the wallet in an arbitrary location
  mkstore -wrl /home/js7/wallet -create
  
  # add credentials to the wallet; specify key, user account and password for database access
  mkstore -wrl /home/js7/wallet/ -createCredential js7 some_account some_password

Oracle JDBC Driver

• Check the Oracle JDBC Driver version that ships with the JS7 release, see JS7 - Database, chapter: Individual JDBC Driver Versions. A newer JDBC Driver might be available for download from Oracle.
• Oracle JDBC Drivers that ship for release 18c of the DBMS are reported to work. Previous Oracle JDBC Driver releases, for example 12c, are reported not to work with Oracle Wallet® when used by JS7. If in doubt use the Oracle JDBC Driver version that matches the version of the DBMS.
• To apply a version of the Oracle JDBC Driver that is different from the version that ships with JS7, see JS7 - Database, chapter: Individual JDBC Driver Versions.

Oracle PKI Libraries

• The Oracle PKI libraries are required and have to match the version of the Oracle DBMS and Oracle JDBC Driver.
• The .jar files are offered by Oracle for download and are available from an Oracle Client installation for example from:
  • ORACLE_HOME/jlib/oraclepki.jar
  • ORACLE_HOME/jlib/osdt_cert.jar
  • ORACLE_HOME/jlib/osdt_core.jar
• For on premises installations store the Oracle PKI libraries to the JETTY_HOME/lib/user_lib directory of the JOC Cockpit installation directory.
• When running JOC Cockpit containers for Docker® consider to store the Oracle PKI libraries to the JETTY_BASE/resources/joc/lib directory.

Configuration

JOC Cockpit is configured to connect to an Oracle database by use of Hibernate. In addition the locations of Oracle configuration files and of the wallet have to be specified.

Hibernate hibernate.cfg.xml Configuration File

• Location: JETTY_BASE/resources/joc/hibernate.cfg.xml, see JS7 - Database.

• The Hibernate configuration file can look like this:
  
  

  Example of a Hibernate configuration file Expand source

  <?xml version="1.0" encoding="UTF-8" standalone="no"?>
  <hibernate-configuration>
   <session-factory>
    <property name="hibernate.connection.driver_class">oracle.jdbc.OracleDriver</property>
    <property name="hibernate.connection.password"></property>
    <property name="hibernate.connection.url">jdbc:oracle:thin:@/js7?tns_admin=/home/js7/wallet</property>
    <property name="hibernate.connection.username"></property>
    <property name="hibernate.dialect">org.hibernate.dialect.Oracle12cDialect</property>
    <property name="hibernate.show_sql">false</property>
    <property name="hibernate.connection.autocommit">false</property>
    <property name="hibernate.format_sql">true</property>
    <property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>
    <property name="hibernate.connection.provider_class">org.hibernate.hikaricp.internal.HikariCPConnectionProvider</property>
    <property name="hibernate.hikari.maximumPoolSize">10</property>
   </session-factory>
  </hibernate-configuration>

  
  
  

• Consider the empty elements that are used for the account and password. Do not delete the respective elements from the Hibernate configuration file.
• The connection URL specifies js7 as the key to an entry in the wallet.
• The URL parameter tns_admin is used to specify the directory of the tnsnames.ora configuration file. JDBC Connections usually do not require this configuration file as connection details (Listener, Service Name, Service ID) are specified with the URL. However, due to use of the js7 key to the wallet in the URL it is preferable to manage connection details from a tnsnames.ora configuration file.
• In the above example this file is located in the /home/js7/wallet directory that in fact is the directory where the wallet is located. This location is not authoritative as the file can reside in any directory that is accessible to JOC Cockpit.
• Consider that an sqlnet.ora configuration file is not used with the above setup of a JDBC connection.

Oracle tnsnames.ora Configuration File

The following example is not authoritative but is intended to explain a few basic settings:

# tnsnames.ora Network Configuration File: /home/js7/product/18.0.0/dbhomeXE/NETWORK/ADMIN/tnsnames.ora
# Generated by Oracle configuration tools.

JS7 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.11.0.99)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = JS7)
    )
  )

LISTENER_JS7 =
  (ADDRESS = (PROTOCOL = TCP)(HOST = 192.11.0.99)(PORT = 1521))


ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (CONNECT_DATA =
      (SID = CLRExtProc)
      (PRESENTATION = RO)
    )
  )

Explanation:

• Line 4: The name JS7 of the first entry in this file corresponds to the key for which credentials have been stored to the wallet.
• Line 5-9: The settings indicate the Listener's host and port and the database Service Name or Service ID.

Wallet Location for Java

The wallet location is identified from a Java define.

• Configure the location of the wallet by use of a Java define like this: 
  -Doracle.net.wallet_location=/home/js7/wallet. This setting should point to the directory where the wallet files are located. This setting can be specified with one of the following options:
  • specify the Java define with the jettyOptions setting of the joc_install_xml installer response file like this:
    <entry key="jettyOptions" value="-Doracle.net.wallet_location=/home/js7/wallet"/>
    
  • alternatively, for Unix use one of the following options:
    • specify the JAVA_OPTIONS environment variable before running the JOC Cockpit jetty.sh start script.
    • create/modify and make executable the /home/js7/.jocrc file, assuming that js7 is the JOC Cockpit run-time account. This file should export the JAVA_OPTIONS environment variable like this:
      export JAVA_OPTIONS="-Doracle.net.wallet_location=/home/js7/wallet"
      
    • add the JAVA_OPTIONS environment variable to the systemd service file, see JS7 - systemd Service Files for automated Startup / Shutdown with Unix Systems
  • Find further details from JS7 - How To - Apply Java Options.