This article describes how to install and set up the Oracle database, used in Smart ID Certificate Manager.
For detailed information about how to install an Oracle database, see the Oracle documentation available at http://www.oracle.com/.
Prerequisites
Prerequisites
- Download the Oracle Database installation package.
- During installation of the Oracle database, do the following:
- Extract the Oracle database scripts located at program_files/install/Oracle, from the server installation zip file, cm_server_<version>.zip.
Decide whether the table spaces should be stored in the ordinary file system on the Oracle server or in the ASM (Automatic Storage Management).
If they are to be stored in ASM, create_tablespace_and_user_cm.sql has to be adjusted. Make changes according to the following example:
Create tablespace CMDB datafile 'cmdb.dbf' size 100m reuse autoextend on next 100m;
should be changed to:
Create tablespace CMDB datafile '+DATA' size 100m reuse autoextend on next 100m;
DATA is just an example name of an ASM disk group. Read more about ASM groups on http://www.oracle.com/.
Step-by-step instruction
Do settings on the Oracle server
Login as an Oracle database administrator (dba
) user in the operating system and run the script, that creates the tablespace and the lcmadmin
user:
sqlplus sysdba/<password> @create_tablespace_and_user_cm.sql >create_tsu.log
Check the log file.
Run the script for creating the CMDB tables:
sqlplus lcmadmin/REQreq01 @create_cmdb.sql >create_cmdb.log
Check the log file.
Do settings on the CM server
- When installing the CM server, include the JDBC component to create the Oracle database connection parameters, which are stored in the cm.conf configuration file. The instance name is usually
orcl
, in Oracle Express it is XE
.
Secure the connection
- Enable TLS support for the connection to the Oracle database server.
Oracle database supports client authentication for the TLS connection based on certificates. Enable this feature to further enhance the security between CM and the Oracle database. A complete guide on how to enable TLS with client authentication can be found here: https://docs.oracle.com/en/database/oracle/oracle-database/12.2/dbseg/configuring-secure-sockets-layer-authentication.html. - After completing the guide and installing the database's certificate and the trusted issuer's certificate on the Oracle database, additional changes are required in the cm.conf file in order for CM and the Oracle JDBC driver to be able to connect to the database. A detailed explanation of relevant parameters of the Oracle JDBC driver can be found here: http://www.oracle.com/technetwork/ database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf
Follow these steps:Change the Database.name
parameter to provide the whole connection information as defined in the Oracle database file tnsnames.ora.
For example:
Database.name = jdbc:oracle:thin:@(DESCRIPTION=
(ADDRESS= (PROTOCOL=tcps)
(HOST=localhost) (PORT=1521) ) (CONNECT_DATA= (SERVER =
DEDICATED)(SERVICE_NAME=XE)))
To pass any additional required parameter to the Oracle JDBC driver, add new Database.security
parameters.
For example:
Database.security.# = <parameter_name> = <parameter_value>
In order for the Oracle JDBC to trust the Oracle database's certificate, the certificate's issuer has to be trusted. To achieve this, add the issuer's certificate in a keystore with trusted certificates.
For example:
Database.security.1 = javax.net.ssl.trustStore = <path_to_keystore_file>
Database.security.2 = javax.net.ssl.trustStoreType = JKS
Database.security.3 = javax.net.ssl.trustStorePassword = <keystore_password>
If TLS client authentication is also activated on the server, the Oracle JDBC driver needs to be provided with the key and certificate to be used for authenticating to the Oracle database. This certificate has to be signed by an issuer trusted by the Oracle database.
For example:
;If PKCS12 file is used as storage for key and certificate
Database.security.4 = javax.net.ssl.keyStore = <path_to_p12_file>
Database.security.5 = javax.net.ssl.keyStoreType = PKCS12
Database.security.6 = javax.net.ssl.keyStorePassword = <p12_password>
;If JKS keystore file is used
;Database.security.4 = javax.net.ssl.keyStore = <path_to_JKS_file>
;Database.security.5 = javax.net.ssl.keyStoreType = JKS
;Database.security.6 = javax.net.ssl.keyStorePassword = <keystore_password>