Wdt 609 ssl db connection #1109

Merged
merged 16 commits into from
Apr 15, 2022

CarolynRountree
Contributor

RCU SSL DB in WDT createDomain. I used the atp as a template and the code follows the atp code.

Member

@rakillen rakillen left a comment

There are some conflicts with sonar changes, but 👍 once that passes

@jshum2479
Member

Will there be any documentation update?

if (keyStorePassword != null && keyStorePassword != "None") {
sslArgs.append(",javax.net.ssl.keyStorePassword="+ keyStorePassword);
}
sslArgs.append(",oracle.net.ssl_server_dn_match=false");
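
Review bot: `keyStorePassword != "None"` on the first line compares object references in Java rather than string contents, so a value of "None" that arrives at runtime would still pass the check and be appended as the password; use `!"None".equals(keyStorePassword)` instead. On the last line, `oracle.net.ssl_server_dn_match=false` is hard-coded, which leaves the driver's server DN check off for every SSL connection; reading it from a setting would let deployments that want the check turn it on. The keystore password is also concatenated into the argument string here, so that string should not be written to logs.
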
Member

do we need to make ssl_server_dn_match configurable ?

Contributor Author

It was in a different branch and was already checked into the documentation main.

Contributor Author

I'm not sure we do; from what I have seen everywhere, it is false.

Member

Yes, I know in ATP we hard-coded it to false, and we probably need to make it configurable, just in case a user complains about it (most internal users do not have much experience anyway; I didn't know what it was until I read the doc). We can make it default to false? I think this is an extra level of security to make sure we are talking to the right DB server.

From the documentation,

https://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf

The following property also needs to be used to force the JDBC Thin driver to verify the server’s DN:
props.setProperty("oracle.net.ssl_server_dn_match", "true");

Contributor Author

Documentation was in another branch and it already got merged into documentation.

Contributor Author

From what I read online, it should always be false. I might be wrong.

Member

Most examples don't want the user to have the hassle of handling errors. The property exists for a reason; even though users may usually set it to false, why not provide an option for the user?

https://blogs.oracle.com/developers/post/ssl-connection-to-oracle-db-using-jdbc-tlsv12-jks-or-oracle-wallets-122-and-lower

https://docs.oracle.com/en/middleware/fusion-middleware/data-integrator/12.2.1.4/odi-marketplace/known-issues-and-workarounds.html

Member

Note: I am saying setting it to true, I am just asking to make it a configurable property

Contributor Author

Sorry, I replied to your first comment twice. Changing to a property.

@rjeberhard
Member

I reviewed the security hotspots and don't have any concerns. Derek, you should review these too please.

@CarolynRountree, can you please clean up the code smells? I think that those do look valid.

@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

0 Bugs (rating A)
0 Vulnerabilities (rating A)
0 Security Hotspots (rating A)
1 Code Smell (rating A)

0.0% Coverage
0.0% Duplication

@robertpatrick robertpatrick merged commit d130740 into main Apr 15, 2022
@robertpatrick robertpatrick deleted the WDT-609-SSL-DB-Connection branch April 15, 2022 01:53
5 participants