Set up Oracle database in Certificate Manager
This article describes how to install and set up the Oracle database, used in Smart ID Certificate Manager.
For detailed information about how to install an Oracle database, see the Oracle documentation available at http://www.oracle.com/.
Prerequisites
When Oracle is used for the CMDB database, tables and users must be created before the CM server is installed.
Download the Oracle Database installation package.
During installation of the Oracle database, do the following:
Extract the Oracle database scripts located at program_files/install/Oracle, from the server installation zip file, cm_server_<version>.zip.
Decide whether the table spaces should be stored in the ordinary file system on the Oracle server or in the ASM (Automatic Storage Management).
If they are to be stored in ASM, create_tablespace_and_user_cm.sql has to be adjusted. Make changes according to the following example:
CODECreate tablespace CMDB datafile 'cmdb.dbf' size 100m reuse autoextend on next 100m;
should be changed to:
CODECreate tablespace CMDB datafile '+DATA' size 100m reuse autoextend on next 100m;
DATA is just an example name of an ASM disk group. Read more about ASM groups on http://www.oracle.com/ .
Step-by-step instruction
Edit settings on the Oracle server
Login as an Oracle database administrator (
dba
) user in the operating system and run the script, that creates the tablespace and thelcmadmin
user:CODEsqlplus sysdba/<password> @create_tablespace_and_user_cm.sql >create_tsu.log
Check the log file.
Run the script for creating the CMDB tables:
CODEsqlplus lcmadmin/REQreq01 @create_cmdb.sql >create_cmdb.log
Check the log file.
Edit settings on the CM server
When installing the CM server, include the JDBC component to create the Oracle database connection parameters, which are stored in the cm.conf configuration file. The instance name is usually orcl
, in Oracle Express it is XE
.
Secure the connection
Enable TLS support for the connection to the Oracle database server.
Oracle database supports client authentication for the TLS connection based on certificates. Enable this feature to further enhance the security between CM and the Oracle database. A complete guide on how to enable TLS with client authentication can be found here: https://docs.oracle.com/en/database/oracle/oracle-database/12.2/dbseg/configuring-secure-sockets-layer-authentication.html .After completing the guide and installing the database's certificate and the trusted issuer's certificate on the Oracle database, additional changes are required in the cm.conf file in order for CM and the Oracle JDBC driver to be able to connect to the database. A detailed explanation of relevant parameters of the Oracle JDBC driver can be found here: http://www.oracle.com/technetwork/
Follow these steps:Change the
Database.name
parameter to provide the whole connection information as defined in the Oracle database file tnsnames.ora.
For example:Example: Change Database.name
CODEDatabase.name = jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS= (PROTOCOL=tcps) (HOST=localhost) (PORT=1521) ) (CONNECT_DATA= (SERVER = DEDICATED)(SERVICE_NAME=XE)))
To pass any additional required parameter to the Oracle JDBC driver, add new
Database.security
parameters.
For example:Example: Additional parameters
CODEDatabase.security.# = <parameter_name> = <parameter_value>
In order for the Oracle JDBC to trust the Oracle database's certificate, the certificate's issuer has to be trusted. To achieve this, add the issuer's certificate in a keystore with trusted certificates.
For example:Example: Add issuer's certificate in keystore with trusted certificates
CODEDatabase.security.1 = javax.net.ssl.trustStore = <path_to_keystore_file> Database.security.2 = javax.net.ssl.trustStoreType = JKS Database.security.3 = javax.net.ssl.trustStorePassword = <keystore_password>
If TLS client authentication is also activated on the server, the Oracle JDBC driver needs to be provided with the key and certificate to be used for authenticating to the Oracle database. This certificate has to be signed by an issuer trusted by the Oracle database.
For example:Example: Sign certificate by an issuer trusted by the Oracle database
CODE;If PKCS12 file is used as storage for key and certificate Database.security.4 = javax.net.ssl.keyStore = <path_to_p12_file> Database.security.5 = javax.net.ssl.keyStoreType = PKCS12 Database.security.6 = javax.net.ssl.keyStorePassword = <p12_password> ;If JKS keystore file is used ;Database.security.4 = javax.net.ssl.keyStore = <path_to_JKS_file> ;Database.security.5 = javax.net.ssl.keyStoreType = JKS ;Database.security.6 = javax.net.ssl.keyStorePassword = <keystore_password>