Skip to content

Commit

Permalink
updating manifest
Browse files Browse the repository at this point in the history
  • Loading branch information
@bhenndricks
bhenndricks committed Mar 11, 2024
1 parent 35f0d8c commit ff55c9f
Show file tree
Hide file tree
Showing 4 changed files with 178 additions and 0 deletions.
0 common/jdbc/jdbc-thin-wallet → common/jdbc/jdbc-thin-wallet.md
View file
File renamed without changes.
17 changes: 17 additions & 0 deletions simba/jdbc-thin-wallet.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
## **Setting Up Oracle JDBC Thin Driver**



1. **Verify your JDK version**: If you are using JDK11, JDK10, or JDK9 then you don’t need to do anything for this step. If your JDK version is less than JDK8u162 then you need to download the JCE Unlimited Strength Jurisdiction Policy Files. For more information, see [here](https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/connect-jdbc-thin-wallet.html#GUID-1640CC02-BF3E-48C2-8FFE-A596614A6A40).

2. **Download Oracle JDBC Driver**: Download the 19.3 JDBC Thin driver (`ojdbc8.jar` and `ucp.jar`) from [Oracle Database 19c (19.3) JDBC Driver & UCP Downloads](https://www.oracle.com/ae/database/technologies/appdev/jdbc-downloads.html). Use the latest 19.3 JDBC driver, or newer. You also need the additional jars: `oraclepki.jar`, `osdt_core.jar`, and `osdt_cert.jar` for use with Oracle wallets.

3. Make sure you have all the JAR files in your `classpath` or in the location indicated by your application. For example:

`export CLASSPATH=` `./lib/ojdbc8.jar:./lib/ucp.jar:./lib/oraclepki.jar:./lib/osdt_core.jar:./lib/osdt_cert.jar`

`echo $CLASSPATH`



Note: You can update the `/home/userid/.bash_profile` with the classpath, and restart for the new jars to take effect.
61 changes: 61 additions & 0 deletions simba/no-wallet.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
## Connect with one-way TLS without a Wallet

You can connect your application to ADB without the wallet (mTLS) using one way TLS. There is no need to download the ADB wallet for TLS network access. You can connect your application securely from a public connection by setting ACLs or connect privately inside the VCN where your application is deployed by configuring a private endpoint. Both are configured during the ADB provisioning but you can also change and update the network access after provisioning.

### ACL Access

![acl](./images/acl1-diagram.png)


1. To configure the access control list (ACL) select Secure access from allowed IPs and VCNs only. Select the IP notation type. It can be IP Address, CIDR Block, or VCN.

2. Enter your values for the application connecting to ADB. It could be from a list of IP addresses, a CIDR block, or your VCN where the application will connect to ADB.

3. Uncheck the box Require mutual TLS (mTLS) authentication.

![adb](./images/acl1.png)


### Private Endpoint Access

![pe](./images/private-endpoint-diagram.png)


Applications deployed on an OCI VCN can access ADB from private endpoints. To do this you must configure a network security group (NSG) and define security rules for access to ADB. The source CIDR should be where your application is deployed, and the destination port should be 1521. An example is shown below. For more information about NSG, see [here](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/networksecuritygroups.htm).

![adb-nsg](./images/nsg-1.png)


Once you have configured the network security group, go back to ADB and configure network access with private endpoint.

1. Select Private endpoint access only.

2. Select your VCN and the subnet for the private endpoint.

3. Uncheck the box Require mutual TLS (mTLS) authentication.

4. Show advanced options and select your network security group.

![private-endpoint1](./images/private-endpoint1.png)


### Get the TLS Connection string

Your application can now use a TLS connection string to ADB without a wallet.

1. Click on Database connection from the ADB details.

2. Scroll down and select TLS in the TLS Authentication dropdown.

3. Copy the connection string you want to use to connect to ADB. Note the port is 1521 for TLS connections to ADB. mTLS or wallet connection uses 1522.

![db-connection1](./images/db-connection1.png)

![db-connection2](./images/db-connection2.png)


You're now ready to go back to your application and use the TLS connection string to connect to ADB.




100 changes: 100 additions & 0 deletions simba/wallet.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
## Secure Access from Everywhere to ADB using Wallet

A client can access ADB from everywhere using the wallet. The wallet contains certificates to securely authenticate to ADB.

![adb-wallet](./images/wallet-diagram1.png)


### Download and Configure the Wallet

After provisioning Oracle Autonomous Database (ADB), a wallet containing client credentials is required to connect to ADB.

![adb](./images/adb-ui-details.png)


1. Download the wallet to the client machine running your BI or ETL tool. Select Instance Wallet for the Wallet Type and click Download Wallet.

![adb-wallet](./images/adb-wallet-download.png)

2. Enter a password for your wallet. Some clients require a password to connect to ADB, other clients just use auto-login with the wallet.

![wallet-password](./images/wallet-password.png)

3. Navigate to where you downloaded the Oracle ADB wallet. Unzip the contents to a secure directory. Note: The screens shown are for a Windows system. The Linux procedures will be similar.

![wallet_dir](./images/wallet-directory.png)



![unzip_wallet](./images/unzip-wallet.png)



4. There are now two options to choose from:

4.1 From the unzipped wallet directory, copy the tnsnames.ora and sqlnet.ora to the Oracle Client directory `c:\<Oracle Home>\network\admin`

4.2 or copy them to the directory specified by your application or BI/ETL tool vendor. The tool vendor may have preferred location for these Oracle files.

Note: If you do not have an Oracle Client directory and your tool vendor does not specify where to put the files, you may create the directory.

For example: `mkdir C:\oracle\instantclient_19_3\network\admin`

Note: If you are using JDBC Thin, you do not need the Oracle Client software.

5. Edit sqlnet.ora to point to the directory of the wallet directory containing the unzipped files. For sqlnet.ora, an example follows. For tnsnames.ora see below.

```
WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="C:\DATA\WALLET\Wallet_ADWBI")))
SSL_SERVER_DN_MATCH=yes
```

### Add TNS_ADMIN variable

6. This is optional with some applications. In the Windows user environment variables dialog, create the `TNS_ADMIN` variable. Set its value to the directory location to where the sqlnet.ora and tnsnames.ora files are. For example: `c:\<Oracle Home>\network\admin`. In Linux, use export path `TNS_ADMIN`.

![win-env](./images/win-env-variables.png)



The tnsnames.ora file contains the net service names that will be used to connect to ADB.

### Connecting to multiple ADBs with different wallets

If you are connecting to multiple ADBs from the client machine with a different wallet for each one, add the parameter `MY_WALLET_DIRECTORY` to the connect descriptor with each descriptor’s specific wallet location. Note: Setting this parameter will take precedence over the sqlnet.ora wallet location and sqlnet.ora wallet location will not be used.

For example:

```
adwptr_high = (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.us-phoenix-1.oraclecloud.com))(connect_data=(service_name=bk8ui2h_adwptr_high.adwc.oraclecloud.com))(security=(ssl_server_cert_dn="CN=adwc.uscom-east-1.oraclecloud.com, OU=Oracle BMCS US, O=Oracle Corporation, L=Redwood City, ST=California, C=US")(MY_WALLET_DIRECTORY=C:\DATA\WALLET\Wallet_ADWPTR)))
adwbi_low = (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.us-phoenix-1.oraclecloud.com))(connect_data=(service_name=bk8uqvi2h_adwbi_low.adb.oraclecloud.com))(security=(ssl_server_cert_dn="CN=adwc.uscom-east-1.oraclecloud.com, OU=Oracle BMCS US, O=Oracle Corporation, L=Redwood City, ST=California, C=US")(MY_WALLET_DIRECTORY=C:\DATA\WALLET\Wallet_ADWBI)))
```



7. Open the TNSNAMES.ora file in the wallet directory to see which ADB net service names are available to connect to. Below you see three different ones: `adwptr_high`, `adwptr_low`, and `adwptr_medium`. Your ADB net service names will likely be named differently.

![tns_ora](./images/tnsnames-ora.png)



## **Troubleshooting**

Check your TNS_ADMIN variable. Make sure it points to the directory containing your tnsnames.ora.

`C:\WINDOWS\system32>echo %TNS_ADMIN%`

`C:\<Oracle Home>\network\admin`

Note: A restart of the Windows OS or your BI/ETL application may be needed for the environment variables to take effect.

Check your sqlnet.ora is set to the directory of your wallet or you are setting the directory using the parameter `MY_WALLET_DIRECTORY` in tnsnames.ora as explained above.

sqlnet.ora example with wallet directory:

```
WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="C:\Oracle\Wallets\Wallet_ADBPH")))
SSL_SERVER_DN_MATCH=yes
```

0 comments on commit ff55c9f

Please sign in to comment.