Tomcat 8 JNDI and Oracle using Oracle Wallet

Question

At work I'm trying to have a Tomcat 8.5.34 application connect to an Oracle DB 12.2.0.1 through TCPS using Oracle Wallet.

I followed a number of different guids and did the following:

Added oraclepki.jar, ojdbc8.jar, osdt_core.jar and osdt_core.jar in the catalina lib/ folder.

Modified the java.security provider to include oracle.security.pki.OraclePKIProvider at the bottom of the listed providers.

I configured the JNDI connectors to connect to the database via alias.

In the setenvs.sh of Tomcat, I added the following:

-Doracle.net.tns_admin=< wallet files location with tnsora>
-Doracle.net.wallet_location="(SOURCE=(METHOD=FILE) (METHOD_DATA = (DIRECTORY=< wallet files location with tnsora>)))"

Yet, the logs say:

Caused by: oracle.net.ns.NetException: Unable to initialize the key store.
        at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:642)
        at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:547)
        ... 41 more
Caused by: java.security.KeyStoreException: SSO not found
        at java.security.KeyStore.getInstance(KeyStore.java:851)
        at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:628)
        ... 42 more
Caused by: java.security.NoSuchAlgorithmException: SSO KeyStore not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.security.Security.getImpl(Security.java:695)
        at java.security.KeyStore.getInstance(KeyStore.java:848)
        ... 43 more

Curiously enough, I wrote a quick test application in Java which did succedded in connecting!

java -Doracle.net.tns_admin="< wallet files location with tnsora>" -Doracle.net.wallet_location="(SOURCE=(METHOD=FILE) (METHOD_DATA = (DIRECTORY=< wallet files location with tnsora>)))" -cp ./lib/ojdbc8.jar:/root:./lib/oraclepki.jar:./lib/osdt_core.jar:./lib/osdt_cert.jar  DataSourceSample
AArray = [B@6328d34a
AArray = [B@145eaa29
AArray = [B@15bb6bea
AArray = [B@52aa2946
AArray = [B@4de5031f
AArray = [B@67e2d983
Driver Name: Oracle JDBC driver
Driver Version: 12.2.0.1.0
Default Row Prefetch Value is: 20
Database Username is: <Name of the Database>
....
....
Results

I ran out of all possible options.

** Update 1 **

I ran a strace on Tomcat. And I can confirm that Tomcat does see the wallet files:

[pid 21880] lstat("/cwallet.sso", {st_mode=S_IFREG|0700, st_size=4741, ...}) = 0 [pid 21880] stat("/cwallet.sso.lck", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0 [pid 21880] stat("/oracle_wallets/cwallet.sso.lck", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0 [pid 21880] stat("/cwallet.sso.lck", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0 [pid 21880] chmod("/cwallet.sso.lck", 0100200) = 0

Answer 1

I think you might have missed telling it the type of your wallet file (SSO/JKS):

-Djavax.net.ssl.trustStoreType="SSO"

Answer 2

Finally solved the issue by not using the Oracle Wallet files, but instead, use the same JKS file used to create the Oracle Wallets in the first place.

The Oracle Database uses the Oracle Wallets itself, but on the Tomcat side you can use the JKS methode.

1. Add the following jar files in lib/ of Tomcat: ojdbcx.jar (x = relevante major versie van Java, vbl: 8)
2. In ./jre/lib/security/java.security add the following: security.provider.10=oracle.security.pki.OraclePKIProvider
3. In context.xml:
   • url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=< SERVICE NAME >)))"
   • connectionProperties="javax.net.ssl.trustStore=./keystores/oracle_keystore/mykeystore.jks;javax.net.ssl.trustStorePassword=changeme;javax.net.ssl.trustStoreType=JKS;javax.net.ssl.keyStore=./keystores/oracle_keystore/mykeystore.jks;javax.net.ssl.keyStorePassword=changeme;javax.net.ssl.keyStoreType=JKS;"