IBM Support

How do we enable MDM Virtual to work with Oracle Advanced Security (OAS) non SSL

Technote (FAQ)


Question

Oracle Advanced Security (OAS) and SSL used to go hand in hand; however, OAS also provides native network encryption that encrypts data and validates data integrity without the use of SSL. When the server-side sqlnet.ora of the Oracle database contains the settings below, specifically with the properties set to "REQUIRED" (one or more algorithm types can be listed), and the SSL port is closed, the MDM deployment fails with an error message for ODBC and JDBC queries made through the DataDirect driver. The native Oracle driver, however, continues to work.

sqlnet.ora
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(MD5)
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER= (3DES168)
SQLNET.CRYPTO_SEED = <your setting here>

Cause

By default, the following OAS parameters of the Oracle native driver are set to accepted:
ORACLE.NET.ENCRYPTION_CLIENT
ORACLE.NET.CRYPTO_CHECKSUM_CLIENT

The DataDirect driver's EncryptionLevel and DataIntegrityLevel parameters, in contrast, default to rejected. This produces the following errors in the logs:

[Oracle JDBC Driver]ORA-12660: Encryption or crypto-checksumming parameters incompatible DSRA0010E: SQL State = HY000, Error Code = 0.
[ODBC Oracle Wire Protocol driver][Oracle]Connection Dead. This may have occurred because the server requires Oracle Advanced Security. To enable the driver to use OAS, please use the DataIntegrityLevel and/or EncryptionLevel connect options.


Answer

Note: The following is compatible with MDM version 11.4 FixPack 4 and above. You must have run through the initial steps to update to the latest DataDirect drivers before applying the steps described in this Technote. If you have not already done so, use steps 1-16 (omit the SSL section below step 16) of the following Technote to update the driver. If you have already applied the latest driver, you may skip the link and proceed to the steps below.


http://www-01.ibm.com/support/docview.wss?uid=swg21971003

To work with Oracle's OAS parameters, the following needs to be set within MDM.

1. Add the following (case sensitive) to the odbc.ini file in two locations (if more than one node, repeat for each node).
EncryptionLevel=1
DataIntegrityLevel=1

Location 1:
<WAS_PROFILE_DIR>/installedApps/<cellName>/MDM-native-<instanceId>.ear/native.war/conf

Location 2:
<MDM_INSTALL_DIR>/mds/conf

2. Add the following (case sensitive) to the end of the com.ibm.mdm.mds.jdbc.cfg file in two locations (if more than one node, repeat for each node).
encryptionLevel=accepted
dataIntegrityLevel=accepted

Location 1:
<WAS_PROFILE_DIR>/installedApps/<cellName>/MDM-native-<instanceId>.ear/native.war/conf

Location 2:
<MDM_INSTALL_DIR>/mds/conf

3. In the WAS Admin console under Resources → JDBC → Data sources → MDM → Custom Properties, add two new properties (case sensitive).

property name “dataIntegrityLevel” value “accepted”
property name “encryptionLevel” value “accepted”

4. If you are using MDM WebReports, add the following two parameters to your webreports.properties file.

jdbc.encryptionLevel=accepted
jdbc.dataIntegrityLevel=accepted

5. If your Oracle server mandates encryption algorithms like 3DES168, you must install the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files. Otherwise, you will see the following error:

Error:
AbstractServi E org.apache.aries.blueprint.container.AbstractServiceReferenceRecipe$Listener invokeMethods Error calling listener method public void com.initiatesystems.hub.event.work.manager.$EvtWrkMgr1514314184.addIEventHandler(com.initiatesystems.hub.event.handler.IEventHandler,java.util.Map)
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at org.apache.aries.blueprint.utils.ReflectionUtils.invoke(ReflectionUtils.java:297)
at org.apache.aries.blueprint.container.AbstractServiceReferenceRecipe$Listener.invokeMethods(AbstractServiceReferenceRecipe.java:561)
at org.apache.aries.blueprint.container.AbstractServiceReferenceRecipe$Listener.bind(AbstractServiceReferenceRecipe.java:526)

Link to apply java patch:
http://www-01.ibm.com/support/knowledgecenter/SSWPVP_2.5.0.3/com.ibm.sklm.doc_2.5.0.3/admin/tsk/tsk_ic_admin_backup_jce_policy_files.html

6. Restart your WebSphere application server
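
To confirm that steps 1 and 2 were applied on each node, the script below checks one conf directory for the four case-sensitive settings. It is an added example, not part of the original Technote or of IBM's tooling. It assumes the settings may appear anywhere in each file; the function names check_key and check_conf_dir are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: verify the case-sensitive settings from steps 1 and 2.
# check_key FILE KEY VALUE returns 0 = set as expected, 1 = missing,
# 2 = key present with wrong letter case, 3 = key present, other value.
check_key() {
    file=$1 key=$2 want=$3
    [ -r "$file" ] || return 1
    # Drop blanks and CRs, ignore comment lines starting with # or ;
    lines=$(tr -d ' \t\r' < "$file" | grep -v '^[#;]' || true)
    if printf '%s\n' "$lines" | grep -qx "$key=$want"; then return 0; fi
    if printf '%s\n' "$lines" | grep -q "^$key="; then return 3; fi
    if printf '%s\n' "$lines" | grep -qi "^$key="; then return 2; fi
    return 1
}

# check_conf_dir DIR checks both files in one conf directory, prints one
# status line per setting and returns the number of settings not OK.
check_conf_dir() {
    dir=$1 failed=0
    for spec in \
        "odbc.ini EncryptionLevel 1" \
        "odbc.ini DataIntegrityLevel 1" \
        "com.ibm.mdm.mds.jdbc.cfg encryptionLevel accepted" \
        "com.ibm.mdm.mds.jdbc.cfg dataIntegrityLevel accepted"
    do
        set -- $spec
        rc=0
        check_key "$dir/$1" "$2" "$3" || rc=$?
        case $rc in
            0) status=OK ;;
            2) status=WRONG-CASE ;;
            3) status=WRONG-VALUE ;;
            *) status=MISSING ;;
        esac
        echo "$status $dir/$1 $2=$3"
        [ "$rc" -eq 0 ] || failed=$((failed + 1))
    done
    return "$failed"
}

# Constructed sample conf directory (not real MDM files): one key has the
# wrong case and one is missing, so two settings are reported.
demo=$(mktemp -d)
printf '[MDM]\nEncryptionLevel=1\ndataintegritylevel=1\n' > "$demo/odbc.ini"
printf 'encryptionLevel=accepted\n' > "$demo/com.ibm.mdm.mds.jdbc.cfg"
check_conf_dir "$demo" || echo "$? setting(s) need attention"
rm -rf "$demo"
```

Run check_conf_dir once for each of the two locations listed in steps 1 and 2, on every node.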

Document information

More support for: Initiate Master Data Service

Software version: 11.4.0, 11.5

Operating system(s): Platform Independent

Software edition: Standard

Reference #: 1976585

Modified date: 26 February 2016