Tomcat 8 and Oracle Wallet

Getting Tomcat 8 to connect over encrypted TCPS to an Oracle Database using Oracle Wallet.


Protecting your customers' sensitive data has always been important.

GDPR recommends applying encryption wherever possible to limit the risk of a data breach.

For a project at a customer, encrypting the connection between a Tomcat application and its Oracle Database server became a requirement.

I have been struggling with setting up Tomcat to use the Oracle Wallet without success.

Many websites and blog posts are either outdated, oversimplify the solution, are full of unanswered help requests, or implement the solution in code rather than via JNDI.

No matter what I tried, I was always greeted with the following exception when Tomcat starts initializing the connections:

Caused by: oracle.net.ns.NetException: Unable to initialize the key store.
at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:642)
at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:547)
... 41 more
Caused by: java.security.KeyStoreException: SSO not found
at java.security.KeyStore.getInstance(KeyStore.java:851)
at oracle.net.nt.CustomSSLSocketFactory.getKeyManagerArray(CustomSSLSocketFactory.java:628)
... 42 more
Caused by: java.security.NoSuchAlgorithmException: SSO KeyStore not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.security.Security.getImpl(Security.java:695)
at java.security.KeyStore.getInstance(KeyStore.java:848)
... 43 more

Thanks to a member of the Tomcat Users mailing list I was able to make it work by using the original Java KeyStore (JKS) from which the Oracle Wallet was created in the first place.

Here are the steps I took to get Tomcat talking TCPS to the Oracle Database:

  1. Add the following jar files to Tomcat's lib/ directory:
    ojdbcX.jar (X = the relevant major Java version, e.g. 8)
  2. In ./jre/lib/security/java.security add the following line:
    security.provider.10=oracle.security.pki.OraclePKIProvider
  3. In context.xml, set the following attributes on the JNDI Resource:
  • url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=< SERVICE NAME >)))"
  • connectionProperties="javax.net.ssl.trustStore=./keystores/oracle_keystore/mykeystore.jks;javax.net.ssl.trustStorePassword=changeme;javax.net.ssl.trustStoreType=JKS;javax.net.ssl.keyStore=./keystores/oracle_keystore/mykeystore.jks;javax.net.ssl.keyStorePassword=changeme;javax.net.ssl.keyStoreType=JKS;"
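As an added example (not part of the original post), here is how the url and connectionProperties from step 3 fit into a complete Tomcat 8 JNDI Resource in context.xml, using Tomcat 8's DBCP2 pool attribute names. The resource name, host, service name, credentials, keystore path and pool sizes are placeholders. The extra oracle.net.ssl_server_dn_match property is an addition beyond the post's steps: it makes the thin driver verify that the server certificate's DN matches the host, so a certificate issued by the trusted CA for a different host is rejected.

```xml
<!-- Added example, not the original post's configuration. All values are placeholders. -->
<Context>
  <Resource name="jdbc/OracleTcpsDS"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.OracleDriver"
            url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=db.example.internal)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=ORCLPDB1)))"
            username="app_user"
            password="app_password"
            maxTotal="20"
            maxIdle="5"
            maxWaitMillis="10000"
            validationQuery="SELECT 1 FROM DUAL"
            connectionProperties="javax.net.ssl.trustStore=/opt/tomcat/keystores/oracle_keystore/mykeystore.jks;javax.net.ssl.trustStorePassword=changeme;javax.net.ssl.trustStoreType=JKS;javax.net.ssl.keyStore=/opt/tomcat/keystores/oracle_keystore/mykeystore.jks;javax.net.ssl.keyStorePassword=changeme;javax.net.ssl.keyStoreType=JKS;oracle.net.ssl_server_dn_match=true"/>
</Context>
```

Three practical notes. The relative path ./keystores/... in the post resolves against the JVM's working directory, so an absolute path (as above) avoids surprises when Tomcat is started from a different directory. The keystore password sits in plain text in context.xml, so restrict that file to the Tomcat service account. To confirm the pool really negotiated TLS, run SELECT SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') FROM DUAL through the datasource; it should return tcps. The provider index 10 in step 2 assumes the file already lists providers 1 through 9; use the next free number for your JRE.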
