diff --git a/core/src/main/python/wlsdeploy/aliases/model_constants.py b/core/src/main/python/wlsdeploy/aliases/model_constants.py
index 9ad7ec6b18..414a804f9c 100644
--- a/core/src/main/python/wlsdeploy/aliases/model_constants.py
+++ b/core/src/main/python/wlsdeploy/aliases/model_constants.py
@@ -356,6 +356,7 @@
 DESTINATION_SERVER = 'DestinationServer'
 DRIVER_NAME = 'DriverName'
 DRIVER_PARAMS_PROPERTY_VALUE = 'Value'
+DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED = 'EncryptedValueEncrypted'
 DRIVER_PARAMS_USER_PROPERTY = 'user'
 DRIVER_PARAMS_TRUSTSTORE_PROPERTY = 'javax.net.ssl.trustStore'
 DRIVER_PARAMS_kEYSTORE_PROPERTY = 'javax.net.ssl.keyStore'
diff --git a/core/src/main/python/wlsdeploy/tool/create/domain_creator.py b/core/src/main/python/wlsdeploy/tool/create/domain_creator.py
index 55c0d50798..7c20aa67b8 100644
--- a/core/src/main/python/wlsdeploy/tool/create/domain_creator.py
+++ b/core/src/main/python/wlsdeploy/tool/create/domain_creator.py
@@ -34,6 +34,7 @@
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_NET_SSL_VERSION
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_NET_TNS_ADMIN
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_PROPERTY_VALUE
+from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTORETYPE_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTORE_PROPERTY
@@ -941,7 +942,7 @@ def __create_other_domain_artifacts(self, location, mbean_type_list):
         self.logger.exiting(class_name=self.__class_name, method_name=_method_name)
         return
 
-    def __set_atp_connection_property(self, root_location, property_name, property_value):
+    def __set_atp_connection_property(self, root_location, property_name, property_value, encrypted=False):
         create_path = self.aliases.get_wlst_create_path(root_location)
         self.wlst_helper.cd(create_path)
 
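Review bot: The added constant `DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED = 'EncryptedValueEncrypted'` sits directly under `DRIVER_PARAMS_PROPERTY_VALUE = 'Value'` with nothing explaining why its literal doubles the word, so a reader will suspect a typo. A trailing comment would settle it, e.g. `# attribute that stores a driver property value encrypted; used instead of Value for passwords`. The password use is visible in domain_creator.py, where the truststore and keystore password properties are the only callers passing `encrypted=True`.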
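Review bot: `__set_atp_connection_property` gains an `encrypted=False` parameter but carries no docstring, so what the flag changes is only discoverable from the body in the next hunk. Add a docstring under the `def` covering the three existing parameters and stating that `property_value` is written through the `DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED` attribute instead of `DRIVER_PARAMS_PROPERTY_VALUE` when `encrypted` is true, and that the method removes the `property_name` token from `root_location` before returning. The method body continues past the end of this hunk.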
@@ -959,14 +960,18 @@ def __set_atp_connection_property(self, root_location, property_name, property_v
         wlst_path = self.aliases.get_wlst_attributes_path(root_location)
         self.wlst_helper.cd(wlst_path)
-
+
+        if encrypted:
+            value_property = DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED
+        else:
+            value_property = DRIVER_PARAMS_PROPERTY_VALUE
+
         wlst_name, wlst_value = \
-            self.aliases.get_wlst_attribute_name_and_value(root_location, DRIVER_PARAMS_PROPERTY_VALUE,
-                                                           property_value)
+            self.aliases.get_wlst_attribute_name_and_value(root_location, value_property, property_value)
         self.wlst_helper.set(wlst_name, wlst_value)
         root_location.remove_name_token(property_name)
-
+
     def __retrieve_atp_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
         """
         Check and return atp connection info and make sure atp rcudb info is complete
@@ -1044,6 +1049,9 @@ def __retrieve_ssl_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
         truststore = rcu_db_info.get_truststore()
         truststore_type = rcu_db_info.get_truststore_type()
         truststore_pwd = rcu_db_info.get_truststore_password()
+        keystore = rcu_db_info.get_keystore()
+        keystore_type = rcu_db_info.get_keystore_type()
+        keystore_pwd = rcu_db_info.get_keystore_password()
         if check_admin_pwd:
             admin_pwd = rcu_db_info.get_admin_password()
@@ -1053,7 +1061,7 @@ def __retrieve_ssl_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
                                                        "'rcu_admin_password']")
             raise ex
 
-        return tns_admin, rcu_database, truststore_pwd, truststore_type, truststore
+        return tns_admin, rcu_database, truststore_pwd, truststore_type, truststore, keystore_pwd, keystore_type, keystore
 
     def __configure_fmw_infra_database(self):
         """
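Review bot: The four-line `if encrypted:`/`else:` block that selects `value_property` is a plain two-way choice and reads more directly as one conditional expression, `value_property = DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED if encrypted else DRIVER_PARAMS_PROPERTY_VALUE`. That also removes the need for the blank lines added around the block, so the hunk would no longer be dominated by blank-line churn. The enclosing method starts outside this hunk.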
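Review bot: The changed `return` in `__retrieve_ssl_rcudbinfo` now hands back an eight-element tuple, and the unpack in `__configure_fmw_infra_database` (hunk at 1106) must repeat the exact order; swapping two of the string fields would not be caught by the interpreter. The method docstring, which begins before this hunk, should spell out the order, e.g. `:return: tuple of tns_admin, rcu_database, truststore_pwd, truststore_type, truststore, keystore_pwd, keystore_type, keystore`. Returning a small object or dict keyed by name would be the sturdier fix, but the docstring line is the minimum.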
@@ -1098,10 +1106,12 @@ def __configure_fmw_infra_database(self):
             keystore_pwd = None
             truststore_type = None
             truststore = None
+            keystore_type = None
+            keystore = None
             if has_atp:
                 tns_admin, rcu_database, keystore_pwd, truststore_pwd = self.__retrieve_atp_rcudbinfo(rcu_db_info)
             else:
-                tns_admin, rcu_database, truststore_pwd, truststore_type, truststore = self.__retrieve_ssl_rcudbinfo(rcu_db_info)
+                tns_admin, rcu_database, truststore_pwd, truststore_type, truststore, keystore_pwd, keystore_type, keystore = self.__retrieve_ssl_rcudbinfo(rcu_db_info)
             # Need to set for the connection property for each datasource
             fmw_database = self.wls_helper.get_jdbc_url_from_rcu_connect_string(rcu_database)
@@ -1168,7 +1178,15 @@ def __configure_fmw_infra_database(self):
                     self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTORETYPE_PROPERTY, truststore_type)
                 if truststore_pwd is not None and truststore_pwd != 'None':
-                    self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd)
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd, encrypted=True)
+                if keystore is not None and keystore != 'None':
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_kEYSTORE_PROPERTY, tns_admin + os.sep +
+                                                       keystore)
+                if keystore_type is not None and keystore_type != 'None':
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTORETYPE_PROPERTY,
+                                                       keystore_type)
+                if keystore_pwd is not None and keystore_pwd != 'None':
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTOREPWD_PROPERTY, keystore_pwd, encrypted=True)
             else:
                 rcu_database = rcu_db_info.get_preferred_db()
                 if rcu_database is None:
diff --git a/core/src/main/python/wlsdeploy/tool/create/rcudbinfo_helper.py b/core/src/main/python/wlsdeploy/tool/create/rcudbinfo_helper.py
index 65621d1347..ac2b98fa34 100644
--- a/core/src/main/python/wlsdeploy/tool/create/rcudbinfo_helper.py
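Review bot: The keystore path is assembled as `tns_admin + os.sep + keystore`, while `set_ssl_properties` in ssl_helper.py assembles the same path as `atp_creds_path + '/' + keystore`, so the two files can produce different strings for the same model on Windows. `os.path.join(tns_admin, keystore)` in both places removes the inconsistency and also copes with a `tns_admin` that already ends in a separator. The three new `is not None and != 'None'` guards copy the existing truststore guards, which keeps the block consistent, but the `'None'` string sentinel is unexplained in either set and deserves one comment on where such a value comes from. The enclosing `if`/`else` and the method begin outside this hunk.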
+++ b/core/src/main/python/wlsdeploy/tool/create/rcudbinfo_helper.py
@@ -8,6 +8,8 @@
 from wlsdeploy.aliases.model_constants import ATP_TEMPORARY_TABLESPACE
 from wlsdeploy.aliases.model_constants import ATP_TNS_ENTRY
 from wlsdeploy.aliases.model_constants import DOMAIN_INFO
+from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_kEYSTORE_PROPERTY
+from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_KEYSTORETYPE_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_KEYSTOREPWD_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_NET_TNS_ADMIN
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTORE_PROPERTY
@@ -61,6 +63,12 @@ def get_rcu_schema_password(self):
         password = dictionary_utils.get_element(self.rcu_properties_map, RCU_SCHEMA_PASSWORD)
         return self.aliases.decrypt_password(password)
 
+    def get_keystore(self):
+        return dictionary_utils.get_element(self.rcu_properties_map, DRIVER_PARAMS_kEYSTORE_PROPERTY)
+
+    def get_keystore_type(self):
+        return dictionary_utils.get_element(self.rcu_properties_map, DRIVER_PARAMS_KEYSTORETYPE_PROPERTY)
+
     def get_keystore_password(self):
         password = dictionary_utils.get_element(self.rcu_properties_map, DRIVER_PARAMS_KEYSTOREPWD_PROPERTY)
         return self.aliases.decrypt_password(password)
diff --git a/core/src/main/python/wlsdeploy/tool/create/ssl_helper.py b/core/src/main/python/wlsdeploy/tool/create/ssl_helper.py
index 9a721e7d68..97db5c3bcd 100644
--- a/core/src/main/python/wlsdeploy/tool/create/ssl_helper.py
+++ b/core/src/main/python/wlsdeploy/tool/create/ssl_helper.py
@@ -13,7 +13,7 @@
 _logger = PlatformLogger('wlsdeploy.create')
 
 
-def set_ssl_properties(xml_doc, atp_creds_path, truststore, truststore_type, truststore_password):
+def set_ssl_properties(xml_doc, atp_creds_path, truststore, truststore_type, truststore_password, keystore, keystore_type, keystore_password):
     '''
     Add SSL config properties to the specified XML document.
     :param xml_doc: The XML document
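Review bot: The new `get_keystore` and `get_keystore_type` have no docstrings, and unlike the adjacent `get_keystore_password` they return the model value without `decrypt_password`; a one-line docstring on each, such as `"""Return the keystore file name from the RCUDbInfo section, as given in the model."""` and `"""Return the keystore type from the RCUDbInfo section, as given in the model."""`, records that the asymmetry is intended. Whether `dictionary_utils.get_element` yields None for an absent key is not visible here, so the docstring should not promise it without checking. The imports hunk above also carries the oddly cased `DRIVER_PARAMS_kEYSTORE_PROPERTY` into a third file; correcting the case in model_constants.py while keeping the old name as an alias would be a cheap follow-up.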
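Review bot: `set_ssl_properties` now requires `keystore`, `keystore_type` and `keystore_password` position
ally, although the body added in the next hunk already treats each as optional with `is not None` checks, so defaulting them keeps any caller outside this diff working: `def set_ssl_properties(xml_doc, atp_creds_path, truststore, truststore_type, truststore_password, keystore=None, keystore_type=None, keystore_password=None):`. The docstring that opens in this hunk with `:param xml_doc:` continues past the hunk and needs `:param keystore:`, `:param keystore_type:` and `:param keystore_password:` entries, the last one saying that the value is placed into the document as received. `fix_jps_config` is the only caller visible in this diff.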
@@ -31,6 +31,12 @@ def set_ssl_properties(xml_doc, atp_creds_path, truststore, truststore_type, tru
             set_property(dom_tree, prop, 'oracle.net.tns_admin', atp_creds_path)
             if truststore_password is not None:
                 set_property(dom_tree, prop, 'javax.net.ssl.trustStorePassword', truststore_password)
+            if keystore is not None:
+                set_property(dom_tree, prop, 'javax.net.ssl.keyStore', atp_creds_path + '/' + keystore)
+            if keystore_type is not None:
+                set_property(dom_tree, prop, 'javax.net.ssl.keyStoreType', keystore_type)
+            if keystore_password is not None:
+                set_property(dom_tree, prop, 'javax.net.ssl.keyStorePassword', keystore_password)
     # Persist the changes in the xml file
     file_handle = open(xml_doc,"w")
     dom_tree.writexml(file_handle)
@@ -57,12 +63,14 @@ def fix_jps_config(rcu_db_info, model_context):
     truststore = rcu_db_info.get_truststore()
     truststore_type = rcu_db_info.get_truststore_type()
     truststore_password = rcu_db_info.get_truststore_password()
+    keystore = rcu_db_info.get_keystore()
+    keystore_type = rcu_db_info.get_keystore_type()
+    keystore_password = rcu_db_info.get_keystore_password()
     jsp_config = model_context.get_domain_home() + '/config/fmwconfig/jps-config.xml'
     jsp_config_jse = model_context.get_domain_home() + '/config/fmwconfig/jps-config-jse.xml'
-    set_ssl_properties(jsp_config, tns_admin, truststore, truststore_type, truststore_password)
-    set_ssl_properties(jsp_config_jse, tns_admin, truststore, truststore_type, truststore_password)
-
+    set_ssl_properties(jsp_config, tns_admin, truststore, truststore_type, truststore_password, keystore, keystore_type, keystore_password)
+    set_ssl_properties(jsp_config_jse, tns_admin, truststore, truststore_type, truststore_password, keystore, keystore_type, keystore_password)
 def get_ssl_connect_string(tnsnames_ora_path, tns_sid_name):
     try:
diff --git a/documentation/2.0/content/rcuinfo.md b/documentation/2.0/content/rcuinfo.md
index d3ddcaabc0..3ce813cc56 100644
--- a/documentation/2.0/content/rcuinfo.md
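Review bot: `set_property(dom_tree, prop, 'javax.net.ssl.keyStorePassword', keystore_password)` puts a second secret into the document, next to the pre-existing trustStorePassword line, and the same hunk then writes the document back with `open(xml_doc,"w")`; unless `set_property` encrypts its value (not visible here) the keystore password lands in jps-config.xml in clear, which warrants a comment at the call site such as `# keystore password is written as given; relies on the permissions of the domain config directory` and a check that the file's mode is restrictive after the write. Separately, `atp_creds_path + '/' + keystore` hard-codes a slash while domain_creator.py builds the same path with `os.sep`; using `os.path.join(atp_creds_path, keystore)` in both places keeps them in step. `set_ssl_properties` starts before this hunk.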
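Review bot: The two rewritten `set_ssl_properties(...)` calls in `fix_jps_config` repeat an eight-argument list on lines far wider than the rest of the hunk; a two-line loop keeps the arguments in one place: `for jps_file in (jsp_config, jsp_config_jse):` followed by `    set_ssl_properties(jps_file, tns_admin, truststore, truststore_type, truststore_password, keystore, keystore_type, keystore_password)`. The hunk also removes a blank line before `def get_ssl_connect_string`, and the collapsed diff does not show whether two blank lines remain before that top-level `def` as PEP 8 expects; worth a look in the file.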
+++ b/documentation/2.0/content/rcuinfo.md @@ -47,12 +47,12 @@ Or, by specifying the unzipped root directory of the ATP wallet ZIP file in `ora #### SSL database using SSO for authentication -For an SSL database, with an `SSO` wallet, use the following example: +For an Oracle SSL database with TW0_WAY SSL enabled, with an `SSO` wallet, use the following example: ```yaml domainInfo: RCUDbInfo: useSSL : true - rcu_db_conn_string: + rcu_db_conn_string: rcu_prefix : DEV rcu_admin_password: rcu_schema_password: @@ -64,14 +64,31 @@ domainInfo: oracle.net.tns_admin: ``` + +For an Oracle SSL database with ONE_WAY SSL enabled, with an `SSO` wallet, use the following example: +```yaml +domainInfo: + RCUDbInfo: + useSSL : true + rcu_db_conn_string: + rcu_prefix : DEV + rcu_admin_password: + rcu_schema_password: + tns.alias: + javax.net,ssl.trustStore: + javax.net.ssl.trustStoreType: SSO + oracle.net.tns_admin: + +``` + #### SSL database using PKCS12 for authentication -For an SSL database, with a `PKCS12` wallet, use the following example: +For an Oracle SSL database with TW0_WAY SSL enabled, with a `PKCS12` wallet, use the following example: ```yaml domainInfo: RCUDbInfo: useSSL : true - rcu_db_conn_string: + rcu_db_conn_string: rcu_prefix : DEV rcu_admin_password: rcu_schema_password: 
@@ -84,6 +101,22 @@ domainInfo: javax.net.ssl.trustStorePassword: oracle.net.tns_admin: +``` +For an Oracle SSL database with ONE_WAY SSL enabled, with a `PKCS12` wallet, use the following example: +```yaml +domainInfo: + RCUDbInfo: + useSSL : true + rcu_db_conn_string: + rcu_prefix : DEV + rcu_admin_password: + rcu_schema_password: + tns.alias: + javax.net.ssl.trustStore: + javax.net.ssl.trustStoreType: PKCS12 + javax.net.ssl.trustStorePassword: + oracle.net.tns_admin: + ``` When using a PKCS12 wallet, you must include the Oracle PKI provider to access your wallet. Add the Oracle PKI provider to your Java `java.security` file. For more information, see Section 2.2.4 "How can Oracle wallets be used in Java" in [SSL with Oracle JDBC Thin Driver](https://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf).