Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

This article describes how to install and set up the Oracle database, used in Smart ID Certificate Manager.

For detailed information about how to install an Oracle database, see the Oracle documentation available at http://www.oracle.com/.

Prerequisites

 Prerequisites

When Oracle is used for the CMDB database, tables and users must be created before the CM server is installed.

  1. Download the Oracle Database installation package.
  2. During installation of the Oracle database, do the following:
    1. Extract the Oracle database scripts located at program_files/install/Oracle, from the server installation zip file, cm_server_<version>.zip.
    2. Decide whether the table spaces should be stored in the ordinary file system on the Oracle server or in the ASM (Automatic Storage Management).

    3. If they are to be stored in ASM, create_tablespace_and_user_cm.sql has to be adjusted. Make changes according to the following example:

      Create tablespace CMDB datafile 'cmdb.dbf' size 100m reuse autoextend on next 100m;

      should be changed to:

      Create tablespace CMDB datafile '+DATA' size 100m reuse autoextend on next 100m;

      DATA is just an example name of an ASM disk group. Read more about ASM groups on http://www.oracle.com/.

Step-by-step instruction

 Do settings on the Oracle server
  1. Login as an Oracle database administrator (dba) user in the operating system and run the script, that creates the tablespace and the lcmadmin user:

    sqlplus sysdba/<password> @create_tablespace_and_user_cm.sql >create_tsu.log
  2. Check the log file.

  3. Run the script for creating the CMDB tables:

    sqlplus lcmadmin/REQreq01 @create_cmdb.sql >create_cmdb.log
  4. Check the log file.

 Do settings on the CM server
  1. When installing the CM server, include the JDBC component to create the Oracle database connection parameters, which are stored in the cm.conf configuration file. The instance name is usually orcl, in Oracle Express it is XE.
 Secure the connection
  1. Enable TLS support for the connection to the Oracle database server. 
    Oracle database supports client authentication for the TLS connection based on certificates. Enable this feature to further enhance the security between CM and the Oracle database. A complete guide on how to enable TLS with client authentication can be found here: https://docs.oracle.com/en/database/oracle/oracle-database/12.2/dbseg/configuring-secure-sockets-layer-authentication.html.
  2. After completing the guide and installing the database's certificate and the trusted issuer's certificate on the Oracle database, additional changes are required in the cm.conf file in order for CM and the Oracle JDBC driver to be able to connect to the database. A detailed explanation of relevant parameters of the Oracle JDBC driver can be found here: http://www.oracle.com/technetwork/ database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf
    Follow these steps:
    1. Change the Database.name parameter to provide the whole connection information as defined in the Oracle database file tnsnames.ora.
      For example:

      Example: Change Database.name
      Database.name = jdbc:oracle:thin:@(DESCRIPTION=
      (ADDRESS= (PROTOCOL=tcps)
      (HOST=localhost) (PORT=1521) ) (CONNECT_DATA= (SERVER =
      DEDICATED)(SERVICE_NAME=XE)))
    2. To pass any additional required parameter to the Oracle JDBC driver, add new Database.security parameters.
      For example:

      Example: Additional parameters
      Database.security.# = <parameter_name> = <parameter_value>
    3. In order for the Oracle JDBC to trust the Oracle database's certificate, the certificate's issuer has to be trusted. To achieve this, add the issuer's certificate in a keystore with trusted certificates.
      For example:

      Example: Add issuer's certificate in keystore with trusted certificates
      Database.security.1 = javax.net.ssl.trustStore = <path_to_keystore_file>
      Database.security.2 = javax.net.ssl.trustStoreType = JKS
      Database.security.3 = javax.net.ssl.trustStorePassword = <keystore_password>
    4. If TLS client authentication is also activated on the server, the Oracle JDBC driver needs to be provided with the key and certificate to be used for authenticating to the Oracle database. This certificate has to be signed by an issuer trusted by the Oracle database.
      For example:

      Example: Sign certificate by an issuer trusted by the Oracle database
      ;If PKCS12 file is used as storage for key and certificate
      Database.security.4 = javax.net.ssl.keyStore = <path_to_p12_file>
      Database.security.5 = javax.net.ssl.keyStoreType = PKCS12
      Database.security.6 = javax.net.ssl.keyStorePassword = <p12_password>
      ;If JKS keystore file is used
      ;Database.security.4 = javax.net.ssl.keyStore = <path_to_JKS_file>
      ;Database.security.5 = javax.net.ssl.keyStoreType = JKS
      ;Database.security.6 = javax.net.ssl.keyStorePassword = <keystore_password>
  • No labels