This article describes how to install and set up the Oracle database, used in Smart ID Certificate Manager.
For detailed information about how to install an Oracle database, see the Oracle documentation available at http://www.oracle.com/.
When Oracle is used for the CMDB database, tables and users must be created before the CM server is installed.
- Download the Oracle Database installation package.
- During installation of the Oracle database, do the following:
- Extract the Oracle database scripts located at program_files/install/Oracle, from the server installation zip file, cm_server_<version>.zip.
Decide whether the table spaces should be stored in the ordinary file system on the Oracle server or in the ASM (Automatic Storage Management).
If they are to be stored in ASM, create_tablespace_and_user_cm.sql has to be adjusted. Make changes according to the following example:CODE
Create tablespace CMDB datafile 'cmdb.dbf' size 100m reuse autoextend on next 100m;
should be changed to:CODE
Create tablespace CMDB datafile '+DATA' size 100m reuse autoextend on next 100m;
DATA is just an example name of an ASM disk group. Read more about ASM groups on http://www.oracle.com/.
Login as an Oracle database administrator (
dba) user in the operating system and run the script, that creates the tablespace and the
sqlplus sysdba/<password> @create_tablespace_and_user_cm.sql >create_tsu.log
Check the log file.
Run the script for creating the CMDB tables:CODE
sqlplus lcmadmin/REQreq01 @create_cmdb.sql >create_cmdb.log
Check the log file.
- When installing the CM server, include the JDBC component to create the Oracle database connection parameters, which are stored in the cm.conf configuration file. The instance name is usually
orcl, in Oracle Express it is
- Enable TLS support for the connection to the Oracle database server.
Oracle database supports client authentication for the TLS connection based on certificates. Enable this feature to further enhance the security between CM and the Oracle database. A complete guide on how to enable TLS with client authentication can be found here: https://docs.oracle.com/en/database/oracle/oracle-database/12.2/dbseg/configuring-secure-sockets-layer-authentication.html.
- After completing the guide and installing the database's certificate and the trusted issuer's certificate on the Oracle database, additional changes are required in the cm.conf file in order for CM and the Oracle JDBC driver to be able to connect to the database. A detailed explanation of relevant parameters of the Oracle JDBC driver can be found here: http://www.oracle.com/technetwork/ database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf
Follow these steps:
Database.nameparameter to provide the whole connection information as defined in the Oracle database file tnsnames.ora.
Example: Change Database.nameCODE
Database.name = jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS= (PROTOCOL=tcps) (HOST=localhost) (PORT=1521) ) (CONNECT_DATA= (SERVER = DEDICATED)(SERVICE_NAME=XE)))
To pass any additional required parameter to the Oracle JDBC driver, add new
Example: Additional parametersCODE
Database.security.# = <parameter_name> = <parameter_value>
In order for the Oracle JDBC to trust the Oracle database's certificate, the certificate's issuer has to be trusted. To achieve this, add the issuer's certificate in a keystore with trusted certificates.
Example: Add issuer's certificate in keystore with trusted certificatesCODE
Database.security.1 = javax.net.ssl.trustStore = <path_to_keystore_file> Database.security.2 = javax.net.ssl.trustStoreType = JKS Database.security.3 = javax.net.ssl.trustStorePassword = <keystore_password>
If TLS client authentication is also activated on the server, the Oracle JDBC driver needs to be provided with the key and certificate to be used for authenticating to the Oracle database. This certificate has to be signed by an issuer trusted by the Oracle database.
Example: Sign certificate by an issuer trusted by the Oracle databaseCODE
;If PKCS12 file is used as storage for key and certificate Database.security.4 = javax.net.ssl.keyStore = <path_to_p12_file> Database.security.5 = javax.net.ssl.keyStoreType = PKCS12 Database.security.6 = javax.net.ssl.keyStorePassword = <p12_password> ;If JKS keystore file is used ;Database.security.4 = javax.net.ssl.keyStore = <path_to_JKS_file> ;Database.security.5 = javax.net.ssl.keyStoreType = JKS ;Database.security.6 = javax.net.ssl.keyStorePassword = <keystore_password>