
Configuring TCPS in Oracle JDBC Masking Connectors (KBA6327)

 


KBA# 6327

Applicable Delphix Versions

Major Release: All Sub Releases

6.0: 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0

5.3: 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2: 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

5.1: 5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0

5.0: 5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

4.3: 4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0

4.2: 4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0, 4.2.5.0, 4.2.5.1

4.1: 4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0

How to Task

TCPS/TLS/SSL-based connections from the Delphix Masking Engine to Oracle databases are required to encrypt the data sent across the network between the two environments. The Masking Engine uses the Oracle JDBC driver to connect to the Oracle database. To establish a Masking Connector that uses JDBC and TCPS, the certificate used by the Oracle Listener must be imported into the Delphix Masking Engine, and an advanced Masking Connector JDBC string must be configured for the required database schema.

Prerequisites

  • An Oracle Listener configured with a TCPS endpoint enabled.
  • An Oracle database with services registered against this same listener and TCPS endpoint.
  • SSL/TLS certificates available to the Oracle Listener that can be imported into the Delphix Masking Engine using the process detailed in this knowledge base article.

Delphix Knowledge Base article "Configuring Oracle Listeners for TCPS/TLS based connections KBA-6321" provides an example of this listener configuration and steps for testing TCPS-enabled Oracle Listeners and end-user connections through them.

Before attempting to configure a Delphix Masking Engine connector for TCPS-based connections to the Oracle database and schema in question, communication MUST already be succeeding through sqlplus and the TCPS listener outside of the Delphix context.

Enabling

To enable Masking Oracle JDBC TCPS connectors:

Using the testing techniques in Delphix knowledge base article KBA 6321, ensure that a sqlplus connection through the TCPS-enabled listener can be made successfully before moving on to the further steps.

Import

Import the target host and listener's certificate:

  1. Log in to the Delphix Masking Engine Setup using the sysadmin user or an equivalently privileged Delphix user.
  2. Click on Modify to enter the Engine Authentication configuration workflow. This will open the configuration dialog.
  3. Select the Use LDAP check box.
  4. Select the Protect LDAP traffic with SSL/TLS check box.
  5. Enter the target TCPS-enabled listener's IP Address/Hostname and Listening Port Endpoint.
  6. Using the Import Server Certificate button, import the certificate directly from the TCPS-enabled Oracle Listener.

Note:

Do NOT use the Clear Certificate or Test Connection buttons.

A successful import of the certificate will present a screen in the GUI indicating that the listener was located and the certificate was obtained from this TCPS-enabled listener.

  7. Click the Accept button to complete the import of the certificate into the truststore in the Delphix Engine.

Important:

Always use the "Cancel" button to halt the LDAP configuration without altering LDAP or the Delphix Engine configuration other than importing the new certificate.
DO NOT use the "Save" button.

 

Configure

To configure the Masking Connector:

  1. Select the connector you wish to configure to use JDBC and TCPS, if it exists. If it does not exist, a new advanced connector will need to be created.
    In this example, an existing connector is altered to enable TCPS: the connector Environment named "OracleTCPS".
  2. Using the Connector tab, locate the connector and edit the item.
  3. Alter the JDBC URL to include a TCPS-based JDBC connect string to the Oracle database through the TCPS-enabled listening endpoint.

The complete JDBC URL will look like the following example.

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=oel7si1.plb.internal)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=pdb122.plb.internal)))

  4. The Test Connection button can be used to test the new connection. This must succeed for the connection through a TCPS-enabled JDBC connect string to be considered correctly configured.
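A pre-flight lint for the connector URL configured above, as an added example that is not part of the original article or of Delphix code: it parses the long-form descriptor and reports every ADDRESS that does not state PROTOCOL=tcps, so an address list cannot quietly include an unencrypted endpoint. MIXED_URL, its hostnames and the function names are constructed for illustration.

```python
import re

PREFIX = "jdbc:oracle:thin:@"
PAGE_URL = PREFIX + ("(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=oel7si1.plb.internal)"
                     "(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=pdb122.plb.internal)))")
# Constructed sample: a plain-TCP address listed next to the TCPS one.
MIXED_URL = PREFIX + ("(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcps)"
                      "(HOST=dbhost.example)(PORT=2484))(ADDRESS=(PROTOCOL=tcp)"
                      "(HOST=dbhost.example)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=svc.example)))")

def parse_groups(s, i, addresses):
    """Parse '(KEY=value)(KEY=(...))' groups at s[i]; collect each ADDRESS group."""
    fields = {}
    while s[i:i + 1] == "(":
        eq = s.index("=", i)                  # ValueError if '=' is missing
        key, i = s[i + 1:eq].upper(), eq + 1
        if s[i:i + 1] == "(":                 # value is a run of nested groups
            value, i = parse_groups(s, i, addresses)
        else:                                 # scalar value runs to the next paren
            value = re.match(r"[^()]*", s[i:]).group()
            i += len(value)
        if s[i:i + 1] != ")":
            raise ValueError("unbalanced parentheses")
        if key == "ADDRESS" and isinstance(value, dict):
            addresses.append(value)
        fields[key] = value
        i += 1
    return fields, i

def check_tcps_url(url):
    """Return findings; an empty list means every ADDRESS states PROTOCOL=tcps."""
    body = re.sub(r"\s+", "", url[len(PREFIX):])
    if not url.lower().startswith(PREFIX) or not body.startswith("("):
        return ["not a long-form thin descriptor: no explicit PROTOCOL to check"]
    addrs = []
    try:
        _, end = parse_groups(body, 0, addrs)
    except ValueError as exc:
        return [f"cannot parse descriptor: {exc}"]
    if end != len(body):
        return ["cannot parse descriptor: trailing text"]
    findings = [] if addrs else ["no ADDRESS group found"]
    for a in addrs:
        if str(a.get("PROTOCOL", "")).lower() != "tcps":
            findings.append(f"{a.get('HOST')}:{a.get('PORT')} uses "
                            f"PROTOCOL={a.get('PROTOCOL', 'unset')}")
    return findings

if __name__ == "__main__":
    print([check_tcps_url(u) for u in (PAGE_URL, MIXED_URL)])
```

The lint only checks what the URL declares; the Test Connection step remains the proof that the TCPS handshake and the imported certificate actually work.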

 

 

Related Articles

The following articles may provide more information or related information to this article:

Configuring Oracle Listeners for TCPS/TLS Based Connections (KBA6321)