From 23816b18d65dd530ccfabb9622a5a977ab9a1c97 Mon Sep 17 00:00:00 2001
From: "ganesh.subramanya@oracle.com"
Date: Wed, 24 Aug 2022 13:01:41 +0000
Subject: [PATCH 1/5] Added changes to support TWO-Way Authentication while connecting to oracle DB
---
 .../wlsdeploy/aliases/model_constants.py | 1 +
 .../wlsdeploy/tool/create/domain_creator.py | 46 +++++++++++++++++--
 .../wlsdeploy/tool/create/rcudbinfo_helper.py | 8 ++++
 .../wlsdeploy/tool/create/ssl_helper.py | 16 +++++-
 4 files changed, 64 insertions(+), 7 deletions(-)
diff --git a/core/src/main/python/wlsdeploy/aliases/model_constants.py b/core/src/main/python/wlsdeploy/aliases/model_constants.py
index 9ad7ec6b18..d370c8e840 100644
--- a/core/src/main/python/wlsdeploy/aliases/model_constants.py
+++ b/core/src/main/python/wlsdeploy/aliases/model_constants.py
@@ -356,6 +356,7 @@ DESTINATION_SERVER = 'DestinationServer'
 DRIVER_NAME = 'DriverName'
 DRIVER_PARAMS_PROPERTY_VALUE = 'Value'
+DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED = 'Encrypted'
 DRIVER_PARAMS_USER_PROPERTY = 'user'
 DRIVER_PARAMS_TRUSTSTORE_PROPERTY = 'javax.net.ssl.trustStore'
 DRIVER_PARAMS_kEYSTORE_PROPERTY = 'javax.net.ssl.keyStore'
diff --git a/core/src/main/python/wlsdeploy/tool/create/domain_creator.py b/core/src/main/python/wlsdeploy/tool/create/domain_creator.py
index 55c0d50798..50d9096385 100644
--- a/core/src/main/python/wlsdeploy/tool/create/domain_creator.py
+++ b/core/src/main/python/wlsdeploy/tool/create/domain_creator.py
@@ -34,6 +34,7 @@
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_NET_SSL_VERSION
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_NET_TNS_ADMIN
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_PROPERTY_VALUE
+from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTORETYPE_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTORE_PROPERTY
@@ -966,6 +967,32 @@ def __set_atp_connection_property(self, root_location, property_name, property_v
 self.wlst_helper.set(wlst_name, wlst_value)
 root_location.remove_name_token(property_name)
+
+ def __set_atp_connection_property_encrypted(self, root_location, property_name, property_value):
+ create_path = self.aliases.get_wlst_create_path(root_location)
+
+ self.wlst_helper.cd(create_path)
+
+ token_name = self.aliases.get_name_token(root_location)
+
+ if token_name is not None:
+ root_location.add_name_token(token_name, property_name)
+
+ mbean_name = self.aliases.get_wlst_mbean_name(root_location)
+ mbean_type = self.aliases.get_wlst_mbean_type(root_location)
+
+ self.wlst_helper.create(mbean_name, mbean_type)
+
+ wlst_path = self.aliases.get_wlst_attributes_path(root_location)
+
+ self.wlst_helper.cd(wlst_path)
+
+ wlst_name, wlst_value = \
+ self.aliases.get_wlst_attribute_name_and_value(root_location, DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED,
+ property_value)
+ self.wlst_helper.set(wlst_name, wlst_value)
+
+ root_location.remove_name_token(property_name)
 def __retrieve_atp_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
 """
@@ -1044,6 +1071,9 @@ def __retrieve_ssl_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
 truststore = rcu_db_info.get_truststore()
 truststore_type = rcu_db_info.get_truststore_type()
 truststore_pwd = rcu_db_info.get_truststore_password()
+ keystore = rcu_db_info.get_keystore()
+ keystore_type = rcu_db_info.get_keystore_type()
+ keystore_pwd = rcu_db_info.get_keystore_password()
 if check_admin_pwd:
 admin_pwd = rcu_db_info.get_admin_password()
@@ -1053,7 +1083,7 @@ def __retrieve_ssl_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
 "'rcu_admin_password']")
 raise ex
- return tns_admin, rcu_database, truststore_pwd, truststore_type, truststore
+ return tns_admin, rcu_database, truststore_pwd, truststore_type, truststore, keystore_pwd, keystore_type, keystore
 def __configure_fmw_infra_database(self):
 """
@@ -1098,10 +1128,12 @@ def __configure_fmw_infra_database(self):
 keystore_pwd = None
 truststore_type = None
 truststore = None
+ keystore_type = None
+ keystore = None
 if has_atp:
 tns_admin, rcu_database, keystore_pwd, truststore_pwd = self.__retrieve_atp_rcudbinfo(rcu_db_info)
 else:
- tns_admin, rcu_database, truststore_pwd, truststore_type, truststore = self.__retrieve_ssl_rcudbinfo(rcu_db_info)
+ tns_admin, rcu_database, truststore_pwd, truststore_type, truststore, keystore_pwd, keystore_type, keystore = self.__retrieve_ssl_rcudbinfo(rcu_db_info)
 # Need to set for the connection property for each datasource
 fmw_database = self.wls_helper.get_jdbc_url_from_rcu_connect_string(rcu_database)
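Review bot: `__retrieve_ssl_rcudbinfo` now returns an eight-element positional tuple (`return tns_admin, rcu_database, truststore_pwd, truststore_type, truststore, keystore_pwd, keystore_type, keystore`) and the only thing keeping the unpacking line in `__configure_fmw_infra_database` in step with it is the order of names on both lines; the method's docstring (outside this hunk) should list the returned values in order. The three new keystore reads are not validated the way `check_admin_pwd` validates the admin password, so a short comment such as `# keystore values are optional; None when the model does not configure two-way SSL` at the `keystore = rcu_db_info.get_keystore()` line would record that this is deliberate. In the `has_atp` branch `keystore_type` and `keystore` stay at the `None` defaults added in the third hunk while `keystore_pwd` still comes from `__retrieve_atp_rcudbinfo`, so the later keystore handling silently relies on those defaults; a comment at the initialisation block would make that dependency visible. Both methods start and end outside these hunks.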
@@ -1168,7 +1200,15 @@ def __configure_fmw_infra_database(self):
 self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTORETYPE_PROPERTY, truststore_type)
 if truststore_pwd is not None and truststore_pwd != 'None':
- self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd)
+ self.__set_atp_connection_property_encrypted(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd)
+ if keystore is not None and keystore != 'None':
+ self.__set_atp_connection_property(location, DRIVER_PARAMS_kEYSTORE_PROPERTY, tns_admin + os.sep +
+ keystore)
+ if keystore_type is not None and keystore_type != 'None':
+ self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTORETYPE_PROPERTY,
+ keystore_type)
+ if keystore_pwd is not None and keystore_pwd != 'None':
+ self.__set_atp_connection_property_encrypted(location, DRIVER_PARAMS_KEYSTOREPWD_PROPERTY, keystore_pwd)
 else:
 rcu_database = rcu_db_info.get_preferred_db()
 if rcu_database is None:
diff --git a/core/src/main/python/wlsdeploy/tool/create/rcudbinfo_helper.py b/core/src/main/python/wlsdeploy/tool/create/rcudbinfo_helper.py
index 65621d1347..ac2b98fa34 100644
--- a/core/src/main/python/wlsdeploy/tool/create/rcudbinfo_helper.py
+++ b/core/src/main/python/wlsdeploy/tool/create/rcudbinfo_helper.py
@@ -8,6 +8,8 @@
 from wlsdeploy.aliases.model_constants import ATP_TEMPORARY_TABLESPACE
 from wlsdeploy.aliases.model_constants import ATP_TNS_ENTRY
 from wlsdeploy.aliases.model_constants import DOMAIN_INFO
+from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_kEYSTORE_PROPERTY
+from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_KEYSTORETYPE_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_KEYSTOREPWD_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_NET_TNS_ADMIN
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTORE_PROPERTY
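Review bot: The new keystore branch builds the file path as `tns_admin + os.sep + keystore`, while `set_ssl_properties` in ssl_helper.py (same series) joins the same two values with a literal `'/'`; the two values end up in different files (the JDBC driver properties here, jps-config.xml there) and should be built the same way, e.g. `os.path.join(tns_admin, keystore)` in both places. The keystore password is routed through the `_encrypted` variant like the truststore password on the line above, which is the right storage for a private-key secret, but nothing here or in `__retrieve_ssl_rcudbinfo` checks that a configured `keystore` is accompanied by `keystore_type` and, where the store type needs one, `keystore_pwd`, so a misconfigured model produces a datasource that can only fail at connect time; if that combination is invalid (a password-less SSO wallet may be legitimate, I cannot tell from here), rejecting it in `__retrieve_ssl_rcudbinfo` with the same `raise ex` pattern used for the admin password would surface it at create time. The `!= 'None'` string comparisons follow the existing truststore lines, but a comment explaining why a literal `'None'` string can reach this point would help the next reader. `__configure_fmw_infra_database` starts and ends outside this hunk.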
@@ -61,6 +63,12 @@ def get_rcu_schema_password(self):
 password = dictionary_utils.get_element(self.rcu_properties_map, RCU_SCHEMA_PASSWORD)
 return self.aliases.decrypt_password(password)
+ def get_keystore(self):
+ return dictionary_utils.get_element(self.rcu_properties_map, DRIVER_PARAMS_kEYSTORE_PROPERTY)
+
+ def get_keystore_type(self):
+ return dictionary_utils.get_element(self.rcu_properties_map, DRIVER_PARAMS_KEYSTORETYPE_PROPERTY)
+
 def get_keystore_password(self):
 password = dictionary_utils.get_element(self.rcu_properties_map, DRIVER_PARAMS_KEYSTOREPWD_PROPERTY)
 return self.aliases.decrypt_password(password)
diff --git a/core/src/main/python/wlsdeploy/tool/create/ssl_helper.py b/core/src/main/python/wlsdeploy/tool/create/ssl_helper.py
index 9a721e7d68..97db5c3bcd 100644
--- a/core/src/main/python/wlsdeploy/tool/create/ssl_helper.py
+++ b/core/src/main/python/wlsdeploy/tool/create/ssl_helper.py
@@ -13,7 +13,7 @@ _logger = PlatformLogger('wlsdeploy.create')
-def set_ssl_properties(xml_doc, atp_creds_path, truststore, truststore_type, truststore_password):
+def set_ssl_properties(xml_doc, atp_creds_path, truststore, truststore_type, truststore_password, keystore, keystore_type, keystore_password):
 '''
 Add SSL config properties to the specified XML document.
 :param xml_doc: The XML document
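Review bot: `get_keystore` and `get_keystore_type` have no docstring, and unlike `get_keystore_password` directly below they return the raw `dictionary_utils.get_element` result without passing through `decrypt_password`, so a reader cannot tell from the class whether the keystore entry is a resolved path or a bare file name. A one-line docstring on each, e.g. `'''Return the javax.net.ssl.keyStore file name from the RCUDbInfo section (callers prefix it with the tns_admin directory).'''` and `'''Return the javax.net.ssl.keyStoreType entry from the RCUDbInfo section.'''`, would settle that; whether `get_element` yields `None` for a missing key is not visible here, although the callers' `is not None` checks suggest it, so confirm before documenting the missing-key case. The enclosing class starts outside this hunk.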
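Review bot: `set_ssl_properties` gains three positional parameters but the docstring that begins in this hunk documents only `xml_doc` (the rest of the `:param` list is outside the hunk), so the new arguments are undocumented; add `:param keystore: The keystore file name, relative to atp_creds_path, or None`, `:param keystore_type: The keystore type, or None` and `:param keystore_password: The keystore password, or None to omit the property` next to the existing entries. Because every caller must now supply eight positional arguments, the new parameters could instead default to `None` (`keystore=None, keystore_type=None, keystore_password=None`), which keeps any other caller of this helper working and matches the `is not None` checks the body applies to them. The function's body continues past the end of this hunk.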
@@ -31,6 +31,12 @@ def set_ssl_properties(xml_doc, atp_creds_path, truststore, truststore_type, tru
 set_property(dom_tree, prop, 'oracle.net.tns_admin', atp_creds_path)
 if truststore_password is not None:
 set_property(dom_tree, prop, 'javax.net.ssl.trustStorePassword', truststore_password)
+ if keystore is not None:
+ set_property(dom_tree, prop, 'javax.net.ssl.keyStore', atp_creds_path + '/' + keystore)
+ if keystore_type is not None:
+ set_property(dom_tree, prop, 'javax.net.ssl.keyStoreType', keystore_type)
+ if keystore_password is not None:
+ set_property(dom_tree, prop, 'javax.net.ssl.keyStorePassword', keystore_password)
 # Persist the changes in the xml file
 file_handle = open(xml_doc,"w")
 dom_tree.writexml(file_handle)
@@ -57,12 +63,14 @@ def fix_jps_config(rcu_db_info, model_context):
 truststore = rcu_db_info.get_truststore()
 truststore_type = rcu_db_info.get_truststore_type()
 truststore_password = rcu_db_info.get_truststore_password()
+ keystore = rcu_db_info.get_keystore()
+ keystore_type = rcu_db_info.get_keystore_type()
+ keystore_password = rcu_db_info.get_keystore_password()
 jsp_config = model_context.get_domain_home() + '/config/fmwconfig/jps-config.xml'
 jsp_config_jse = model_context.get_domain_home() + '/config/fmwconfig/jps-config-jse.xml'
- set_ssl_properties(jsp_config, tns_admin, truststore, truststore_type, truststore_password)
- set_ssl_properties(jsp_config_jse, tns_admin, truststore, truststore_type, truststore_password)
-
+ set_ssl_properties(jsp_config, tns_admin, truststore, truststore_type, truststore_password, keystore, keystore_type, keystore_password)
+ set_ssl_properties(jsp_config_jse, tns_admin, truststore, truststore_type, truststore_password, keystore, keystore_type, keystore_password)
 def get_ssl_connect_string(tnsnames_ora_path, tns_sid_name):
 try:
From 339229e82e6db126695443e480cbabbd9751f935 Mon Sep 17 00:00:00 2001
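Review bot: The new `javax.net.ssl.keyStorePassword` line writes the key store password in clear text into jps-config.xml and jps-config-jse.xml, exactly as the existing `trustStorePassword` line does; that was already the case for the truststore secret, but this one guards the client private key used for the two-way handshake, so it deserves a comment at the `if keystore_password is not None:` line saying the value is stored unencrypted here (the JDBC datasource side stores it through the `_encrypted` property path in domain_creator.py) and that the domain's `config/fmwconfig` files must be protected accordingly. Separately, the keystore path is built as `atp_creds_path + '/' + keystore` while domain_creator.py uses `os.sep` for the same value; `os.path.join(atp_creds_path, keystore)` in both places would keep them consistent, assuming `os` is imported in this module. The `file_handle = open(xml_doc,"w")` in the context lines is never wrapped in a context manager, but that is pre-existing. `set_ssl_properties` begins before this hunk.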
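Review bot: The blank line removed after the second `set_ssl_properties` call leaves `def get_ssl_connect_string` with less separation from the previous function than the file had before; keep the blank line so the two top-level defs stay visibly separated. The two rewritten calls are now well over 140 characters; wrapping the argument list, or giving the new parameters `None` defaults in `set_ssl_properties`, would bring them back in line with the rest of the file. `fix_jps_config` starts outside this hunk.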
From: "ganesh.subramanya@oracle.com"
Date: Wed, 24 Aug 2022 13:30:52 +0000
Subject: [PATCH 2/5] Added changes to support TWO-Way Authentication while connecting to oracle DB
---
 core/src/main/python/wlsdeploy/aliases/model_constants.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/src/main/python/wlsdeploy/aliases/model_constants.py b/core/src/main/python/wlsdeploy/aliases/model_constants.py
index d370c8e840..414a804f9c 100644
--- a/core/src/main/python/wlsdeploy/aliases/model_constants.py
+++ b/core/src/main/python/wlsdeploy/aliases/model_constants.py
@@ -356,7 +356,7 @@ DESTINATION_SERVER = 'DestinationServer'
 DRIVER_NAME = 'DriverName'
 DRIVER_PARAMS_PROPERTY_VALUE = 'Value'
-DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED = 'Encrypted'
+DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED = 'EncryptedValueEncrypted'
 DRIVER_PARAMS_USER_PROPERTY = 'user'
 DRIVER_PARAMS_TRUSTSTORE_PROPERTY = 'javax.net.ssl.trustStore'
 DRIVER_PARAMS_kEYSTORE_PROPERTY = 'javax.net.ssl.keyStore'
From a36c9beb953fd07bdac5202dec2cab87782fab0c Mon Sep 17 00:00:00 2001
From: "ganesh.subramanya@oracle.com"
Date: Thu, 25 Aug 2022 10:15:11 +0000
Subject: [PATCH 3/5] Made changes to re-use existing function
---
 .../wlsdeploy/tool/create/domain_creator.py | 42 +++++--------------
 1 file changed, 10 insertions(+), 32 deletions(-)
diff --git a/core/src/main/python/wlsdeploy/tool/create/domain_creator.py b/core/src/main/python/wlsdeploy/tool/create/domain_creator.py
index 50d9096385..7c20aa67b8 100644
--- a/core/src/main/python/wlsdeploy/tool/create/domain_creator.py
+++ b/core/src/main/python/wlsdeploy/tool/create/domain_creator.py
@@ -942,7 +942,7 @@ def __create_other_domain_artifacts(self, location, mbean_type_list):
 self.logger.exiting(class_name=self.__class_name, method_name=_method_name)
 return
- def __set_atp_connection_property(self, root_location, property_name, property_value):
+ def __set_atp_connection_property(self, root_location, property_name, property_value, encrypted=False):
 create_path = self.aliases.get_wlst_create_path(root_location)
 self.wlst_helper.cd(create_path)
@@ -960,40 +960,18 @@ def __set_atp_connection_property(self, root_location, property_name, property_v
 wlst_path = self.aliases.get_wlst_attributes_path(root_location)
 self.wlst_helper.cd(wlst_path)
-
+
+ if encrypted:
+ value_property = DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED
+ else:
+ value_property = DRIVER_PARAMS_PROPERTY_VALUE
+
 wlst_name, wlst_value = \
- self.aliases.get_wlst_attribute_name_and_value(root_location, DRIVER_PARAMS_PROPERTY_VALUE,
- property_value)
+ self.aliases.get_wlst_attribute_name_and_value(root_location, value_property, property_value)
 self.wlst_helper.set(wlst_name, wlst_value)
 root_location.remove_name_token(property_name)
- def __set_atp_connection_property_encrypted(self, root_location, property_name, property_value):
- create_path = self.aliases.get_wlst_create_path(root_location)
-
- self.wlst_helper.cd(create_path)
-
- token_name = self.aliases.get_name_token(root_location)
-
- if token_name is not None:
- root_location.add_name_token(token_name, property_name)
-
- mbean_name = self.aliases.get_wlst_mbean_name(root_location)
- mbean_type = self.aliases.get_wlst_mbean_type(root_location)
-
- self.wlst_helper.create(mbean_name, mbean_type)
-
- wlst_path = self.aliases.get_wlst_attributes_path(root_location)
-
- self.wlst_helper.cd(wlst_path)
-
- wlst_name, wlst_value = \
- self.aliases.get_wlst_attribute_name_and_value(root_location, DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED,
- property_value)
- self.wlst_helper.set(wlst_name, wlst_value)
-
- root_location.remove_name_token(property_name)
-
 def __retrieve_atp_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
 """
 Check and return atp connection info and make sure atp rcudb info is complete
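Review bot: The new `encrypted` flag decides which alias attribute the property value is stored under (`DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED` versus `DRIVER_PARAMS_PROPERTY_VALUE`), but the method still carries no docstring, so a reader of the `encrypted=True` call sites in `__configure_fmw_infra_database` has to come here to learn what the flag means. A docstring along the lines of `'''Create the driver-property MBean for property_name under root_location and set its value; pass encrypted=True for passwords so the value is stored through the encrypted alias attribute.'''` would close that gap. Whether the alias layer encrypts the value itself or expects an already-encrypted string is not visible in this hunk and should be stated once confirmed. The signature change is in the previous hunk; folding the removed `__set_atp_connection_property_encrypted` duplicate into this method is the right direction.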
@@ -1200,7 +1178,7 @@ def __configure_fmw_infra_database(self):
 self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTORETYPE_PROPERTY, truststore_type)
 if truststore_pwd is not None and truststore_pwd != 'None':
- self.__set_atp_connection_property_encrypted(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd)
+ self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd, encrypted=True)
 if keystore is not None and keystore != 'None':
 self.__set_atp_connection_property(location, DRIVER_PARAMS_kEYSTORE_PROPERTY, tns_admin + os.sep + keystore)
@@ -1208,7 +1186,7 @@ def __configure_fmw_infra_database(self):
 self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTORETYPE_PROPERTY, keystore_type)
 if keystore_pwd is not None and keystore_pwd != 'None':
- self.__set_atp_connection_property_encrypted(location, DRIVER_PARAMS_KEYSTOREPWD_PROPERTY, keystore_pwd)
+ self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTOREPWD_PROPERTY, keystore_pwd, encrypted=True)
 else:
 rcu_database = rcu_db_info.get_preferred_db()
 if rcu_database is None:
From b06ffcbcdab53b31b346b0c04ef2ad804dfcca87 Mon Sep 17 00:00:00 2001
From: ganeshs05 <111895655+ganeshs05@users.noreply.github.com>
Date: Thu, 25 Aug 2022 22:53:14 +0530
Subject: [PATCH 4/5] Update rcuinfo.md
---
 documentation/2.0/content/rcuinfo.md | 37 ++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)
diff --git a/documentation/2.0/content/rcuinfo.md b/documentation/2.0/content/rcuinfo.md
index d3ddcaabc0..408045eea8 100644
--- a/documentation/2.0/content/rcuinfo.md
+++ b/documentation/2.0/content/rcuinfo.md
@@ -47,7 +47,7 @@ Or, by specifying the unzipped root directory of the ATP wallet ZIP file in `ora
 #### SSL database using SSO for authentication
-For an SSL database, with an `SSO` wallet, use the following example:
+For an Oracle SSL database with TW0_WAY SSL enabled, with an `SSO` wallet, use the following example:
 ```yaml
 domainInfo:
 RCUDbInfo:
@@ -64,9 +64,26 @@ domainInfo:
 oracle.net.tns_admin:
 ```
+
+For an Oracle SSL database with ONE_WAY SSL enabled, with an `SSO` wallet, use the following example:
+```yaml
+domainInfo:
+ RCUDbInfo:
+ useSSL : true
+ rcu_db_conn_string:
+ rcu_prefix : DEV
+ rcu_admin_password:
+ rcu_schema_password:
+ tns.alias:
+ javax.net,ssl.trustStore:
+ javax.net.ssl.trustStoreType: SSO
+ oracle.net.tns_admin:
+
+```
+
 #### SSL database using PKCS12 for authentication
-For an SSL database, with a `PKCS12` wallet, use the following example:
+For an Oracle SSL database with TW0_WAY SSL enabled, with a `PKCS12` wallet, use the following example:
 ```yaml
 domainInfo:
 RCUDbInfo:
@@ -84,6 +101,22 @@ domainInfo:
 javax.net.ssl.trustStorePassword:
 oracle.net.tns_admin:
+```
+For an Oracle SSL database with ONE_WAY SSL enabled, with a `PKCS12` wallet, use the following example:
+```yaml
+domainInfo:
+ RCUDbInfo:
+ useSSL : true
+ rcu_db_conn_string:
+ rcu_prefix : DEV
+ rcu_admin_password:
+ rcu_schema_password:
+ tns.alias:
+ javax.net.ssl.trustStore:
+ javax.net.ssl.trustStoreType: PKCS12
+ javax.net.ssl.trustStorePassword:
+ oracle.net.tns_admin:
+
 ```
 When using a PKCS12 wallet, you must include the Oracle PKI provider to access your wallet. Add the Oracle PKI provider to your Java `java.security` file. For more information, see Section 2.2.4 "How can Oracle wallets be used in Java" in [SSL with Oracle JDBC Thin Driver](https://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf).
From 1ca79537f9e0343f4d62b449e655ab1b90aaee58 Mon Sep 17 00:00:00 2001
From: ganeshs05 <111895655+ganeshs05@users.noreply.github.com>
Date: Fri, 26 Aug 2022 00:08:43 +0530
Subject: [PATCH 5/5] Update rcuinfo.md
---
 documentation/2.0/content/rcuinfo.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/documentation/2.0/content/rcuinfo.md b/documentation/2.0/content/rcuinfo.md
index 408045eea8..3ce813cc56 100644
--- a/documentation/2.0/content/rcuinfo.md
+++ b/documentation/2.0/content/rcuinfo.md
@@ -52,7 +52,7 @@ For an Oracle SSL database with TW0_WAY SSL enabled, with an `SSO` wallet, use t
 domainInfo:
 RCUDbInfo:
 useSSL : true
- rcu_db_conn_string:
+ rcu_db_conn_string:
 rcu_prefix : DEV
 rcu_admin_password:
 rcu_schema_password:
@@ -70,7 +70,7 @@ For an Oracle SSL database with ONE_WAY SSL enabled, with an `SSO` wallet, use t
 domainInfo:
 RCUDbInfo:
 useSSL : true
- rcu_db_conn_string:
+ rcu_db_conn_string:
 rcu_prefix : DEV
 rcu_admin_password:
 rcu_schema_password:
@@ -88,7 +88,7 @@ For an Oracle SSL database with TW0_WAY SSL enabled, with a `PKCS12` wallet, use
 domainInfo:
 RCUDbInfo:
 useSSL : true
- rcu_db_conn_string:
+ rcu_db_conn_string:
 rcu_prefix : DEV
 rcu_admin_password:
 rcu_schema_password:
@@ -107,7 +107,7 @@ For an Oracle SSL database with ONE_WAY SSL enabled, with a `PKCS12` wallet, use
 domainInfo:
 RCUDbInfo:
 useSSL : true
- rcu_db_conn_string:
+ rcu_db_conn_string:
 rcu_prefix : DEV
 rcu_admin_password:
 rcu_schema_password: