JDBC connections on TLS/2484 and TCP/1521 [message #670805] Thu, 26 July 2018 21:22
tax_man
Messages: 10
Registered: March 2002
Junior Member
We have an Oracle 12g installation that came as bundled within another system, which is a Call Center application by Avaya.

The Avaya app can only connect to this Oracle RDBMS via unsecured TCP on port 1521 - it cannot support secure connections on TLS/2484. This Avaya app is up and running and successfully writing data to the DB.

We recently had another new external client app - call this app X - that wanted to connect via JDBC to the Oracle 12g instance. We set it up using a JDBC THIN driver and using TCP on 1521 - which is working OK.

However, we have been told that this connection from app X --> Oracle must be ENCRYPTED i.e. encryption-in-transit is a MUST, encryption-of-data-at-rest is NOT required. I imagine this would require app X to use TLS/2484 in the JDBC connection properties (as opposed to just TCP).

My question is - can the Oracle RDBMS be configured to support connections on both TCP and TLS concurrently? (from diff clients of course, as stated above) (I understand the port numbers may be configurable I am just referring to the commonly used ones of 1521 and 2484)

Thanks!
Re: JDBC connections on TLS/2484 and TCP/1521 [message #670806 is a reply to message #670805] Thu, 26 July 2018 21:41
BlackSwan
Messages: 26640
Registered: January 2009
Location: SoCal
Senior Member
Here is a free clue.
The world has the wondrous new invention called GOOGLE.
Please consider taking a training class on it & proceed to actually use it yourself in the future.
Please click on the link provided below

http://lmgtfy.com/?q=connect+to+oracle+db+using+tls+2484
Re: JDBC connections on TLS/2484 and TCP/1521 [message #670807 is a reply to message #670806] Thu, 26 July 2018 22:00
tax_man
Messages: 10
Registered: March 2002
Junior Member
BlackSwan, I have done research on this. But I couldn't find anything where someone wants to use both types of connections concurrently. I did find this one statement, but I am not sure if I am interpreting it correctly:
"•U.S. government regulations prohibit double encryption. Accordingly, if you configure Oracle Advanced Security to use SSL encryption and another encryption method concurrently, then the connection fails. You also cannot configure SSL authentication concurrently with non-SSL authentication."
Because, I am only after SSL and non-SSL encryption, not necessarily authentication.

Hence I was after some help...
Thanks
Re: JDBC connections on TLS/2484 and TCP/1521 [message #670808 is a reply to message #670807] Thu, 26 July 2018 22:15
BlackSwan
Messages: 26640
Registered: January 2009
Location: SoCal
Senior Member
The Oracle listener can & does support multiple databases, of multiple versions, using multiple IP#s & multiple port#s.
Realize that the listener's ONLY task is to take the initial connection request from a client & pass it on to the desired database.
In other words, the listener plays no part in ongoing packet exchange after the initial connection has been made.
This means that you can experiment with different configurations of the listener by changing the listener.ora file & stopping and starting the listener & this activity won't disturb any existing sessions working against the database.
I personally have never done what you want to do, but you should just add the TLS & new port into the listener.ora file without disturbing existing content.
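
An added example, not part of the thread or any poster's own code: a small Python check that reads a listener.ora and reports which endpoints still accept cleartext, run against a constructed file that keeps the existing TCP/1521 endpoint and adds a TCPS/2484 endpoint beside it. The host name, wallet path and function names are assumptions.

```python
import re

# Constructed sample listener.ora: the existing cleartext endpoint is kept
# and a TCPS endpoint is added beside it. Host name and wallet path are
# placeholders, not values from the thread.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))
    )
  )

WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /path/to/wallet)))

SSL_CLIENT_AUTHENTICATION = FALSE
"""

ADDRESS_RE = re.compile(r"\(\s*ADDRESS\s*=\s*((?:\([^()]*\)\s*)+)\)", re.I)
PAIR_RE = re.compile(r"\(\s*(\w+)\s*=\s*([^()\s]+)\s*\)")


def listener_endpoints(text):
    """Return one dict per TCP/TCPS ADDRESS entry in a listener.ora."""
    # Drop '#' comments so commented-out endpoints are not reported.
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    endpoints = []
    for match in ADDRESS_RE.finditer(text):
        pairs = {k.upper(): v for k, v in PAIR_RE.findall(match.group(1))}
        proto = pairs.get("PROTOCOL", "").upper()
        if proto not in ("TCP", "TCPS") or "PORT" not in pairs:
            continue  # e.g. IPC endpoints have no network port
        endpoints.append({
            "protocol": proto,
            "host": pairs.get("HOST"),
            "port": int(pairs["PORT"]),
            "encrypted": proto == "TCPS",
        })
    return endpoints


def cleartext_ports(text):
    """Ports on which the listener still accepts unencrypted connections."""
    return sorted(e["port"] for e in listener_endpoints(text) if not e["encrypted"])
```

A client that must be encrypted in transit has to be pointed at the TCPS address; the TCP endpoint reported by `cleartext_ports` keeps accepting unencrypted sessions from any client that can reach it.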
Re: JDBC connections on TLS/2484 and TCP/1521 [message #670809 is a reply to message #670805] Fri, 27 July 2018 02:16
John Watson
Messages: 8075
Registered: January 2010
Location: Global Village
Senior Member
If you can configure Avaya to use the JDBC OCI driver, rather than the thin driver, then you can set up AES encryption over port 1521 in seconds: it is just adding one line to the sqlnet.ora file.
You can certainly configure TCPS on whatever port you please in addition to your existing unencrypted listening end point, but it is more hassle.

You really need to talk to Avaya, or your implementation consultants, about this. Also, if the database is "bundled" you do need to be careful. For example, if it is the Embedded Software Licence you are not allowed to use any of the Oracle supplied admin tools.
Re: JDBC connections on TLS/2484 and TCP/1521 [message #670810 is a reply to message #670809] Fri, 27 July 2018 03:04
tax_man
Messages: 10
Registered: March 2002
Junior Member
John, Thanks for your reply. I cannot change the Avaya application in any way at all, it won't be supported then.

Could you please provide some more detail (even if just high level pointers) on - "You can certainly configure TCPS on whatever port you please in addition to your existing unencrypted listening end point, but it is more hassle".

Is it simply a matter of setting up diff listeners as BlackSwan said above? Any help much appreciated!
Re: JDBC connections on TLS/2484 and TCP/1521 [message #670811 is a reply to message #670810] Fri, 27 July 2018 03:11
John Watson
Messages: 8075
Registered: January 2010
Location: Global Village
Senior Member
If you cannot change anything on the Avaya side, then you cannot convert to SSL. The client has to know what to do.
If Avaya will not support you for this, you had better ask for your money back.
Re: JDBC connections on TLS/2484 and TCP/1521 [message #670812 is a reply to message #670811] Fri, 27 July 2018 03:15
tax_man
Messages: 10
Registered: March 2002
Junior Member
John, I am confused by your second reply. I thought you implied that I *can* have TCPS in addition to the existing unencrypted listening end point, but it will be harder to set up. I'd just like to enable the 3rd party client to be able to talk over TLS whilst keeping the existing working connections on TCP as-is.

Thanks
Re: JDBC connections on TLS/2484 and TCP/1521 [message #670813 is a reply to message #670812] Fri, 27 July 2018 04:09
John Watson
Messages: 8075
Registered: January 2010
Location: Global Village
Senior Member
You have said "I cannot change the Avaya application in any way at all". Therefore you cannot adjust it to use TCPS.

If you can't get your money back from Avaya, perhaps you can at least sell the server on eBay.