Configuring SSL Encryption with an Oracle Database Server

This procedure describes how to configure SSL encryption between Control-M/EM, Control-M/Server, and Workload Archiving with an Oracle database server.

Before You Begin

Ensure you have met the following requirements:

  • Install Control-M/EM, Control-M/Server, and Workload Archiving with an Oracle database.

  • (Optional) Configure Kerberos authentication, as described in Configuring Kerberos Authentication with an Oracle Database Server.

  • Verify that the site Oracle DBA has done the following:

    • Created a wallet on the server site.

    • Created and signed a database certificate.

    • Imported all Control-M/EM and Control-M/Server certificates that you provided.

    • Set the Oracle server to listen on a non-default TCPS port.

Begin

  1. Shut down Control-M/EM and Control-M/Server components.

  2. Verify that you can run ssl_api.sh --help, by running the following commands:

    • ~/ctm_server /exe_Linux-x86_64/DBUData/scripts/ssl_api.sh --help

    • ~/ctm_em/bin/DBUData/scripts/ssl_api.sh --help

  3. Copy the database self-signed certificate provided by the DBA to the Control-M/EM machine.

  4. Navigate to the following DBUtils scripts folder:

    • ~/ctm_server /exe_Linux-x86_64/DBUData/scripts

    • ~/ctm_em/bin/DBUData/scripts

  5. Do the following:

    1. Create a wallet by running the following command:

      ssl_api.sh --CREATE_WALLET --WALLET_PASSWD <WALLET_PASSWD>

    2. Verify that a wallet has been created by running the following command:

      ssl_api.sh --DISPLAY_WALLET

      A self signed certificate is created in the wallet folder. Send this certificate to the Oracle DBA.

  6. Run the following command:

    ssl_api.sh --CONFIG_FILES --TCPS_PORT TCPS_PORT

    The secured port number (TCPS_PORT) is provided by the Oracle DBA.

  7. Run the following command:

    ssl_api.sh --IMPORT_TRUSTED_CERT

    ssl_api.sh --IMPORT_TRUSTED_CERT --WALLET_PASSWD <mypass> --CERT_FILE <…./ora_db_server.cert>

  8. Verify the SSL connection, as follows:

    • If you are not using Kerberos validation, run the following command:

      ssl_api.sh --TEST_CONNECTION --DB_USER_PASSWD <DB_USER_PASSWD>

    • If you are using Kerberos validation, run the following command:

      ssl_api.sh --TEST_CONNECTION

    • Run DBUStatus.

If you want to disable SSL, run the following command:

ssl_api.sh --DISABLE_SSL --TCP_PORT <non-secured port>