Enabling data encryption for a JDBC connection

Encryption of a JDBC connection is managed by parameters that are passed to the third-party JDBC client JAR files supplied by the JDBC provider. You can use the IBM® Integration Bus JDBCProviders configurable service or a vendor-specific configuration file to pass the parameters.

About this task

Encryption parameters are specific to a JDBC provider. Refer to the documentation issued by your JDBC provider for the details of the Java™ encryption parameters that you require in your runtime environment.

Note: You can also use either method to apply extra environment parameters for a JDBC connection; for example, when you configure JDBC with SSL, or with a high availability and scalability feature such as Oracle RAC. SSL setup requires additional steps and these are described in Setting up a public key infrastructure.

Using the IBM Integration Bus JDBCProviders configurable service to enable data encryption for JDBC connections

About this task

For information about how configurable services are used to enable JDBC connections, see Enabling JDBC connections to the databases.

The encryption parameters are set in the environmentParms property of the JDBCProviders configurable service; the property applies extra parameters to the JDBC connection URL.

In the example described in this section, the Oracle JDBC thin client is used to explain how to configure IBM Integration Bus to enable the encryption features in the JDBC client JARs. The following parameters are set to enable encryption of data between IBM Integration Bus and an Oracle database:
  • ORACLE.NET.ENCRYPTION_CLIENT=REQUIRED
  • ORACLE.NET.ENCRYPTION_TYPES_CLIENT=(AES256)
  • ORACLE.NET.CRYPTO_CHECKSUM_CLIENT=REQUIRED
  • ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA256,SHA1)

This configuration method is particularly suitable when there is a limited set of parameters, or when different parameters need to be customized for multiple JDBCProviders configurable services.

Procedure

Complete the following steps:
  • On Windows, Linux®, or UNIX platforms, set the encryption parameters as name-value pairs separated by a semicolon by issuing the mqsichangeproperties command. For example:
    mqsichangeproperties integrationNodeName -c JDBCProviders -o Oracle -n environmentParms
    -v "oracle.net.encryption_client=REQUIRED;oracle.net.encryption_types_client=AES256;oracle.net.crypto_checksum_client=REQUIRED;oracle.net.crypto_checksum_types_client=SHA256,SHA1"
  • On z/OS®, run the command by customizing and submitting the BIPCHPR utility in the integration node PDSE. If the values expressed in the -v parameter are long, remember to split the values across multiple lines by using the continuation character _ (underscore) in column 72, and ensuring that the next line starts in column 1.
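
The following script is an added example, not part of the IBM documentation: it checks a semicolon-separated environmentParms value against the four Oracle parameters listed earlier, so that a missing or misspelled name, or a value other than the ones shown on this page, is caught before the value is applied. The helper names lookup and check_environment_parms are hypothetical, and the sample string is constructed.

```shell
#!/bin/sh
# Added example: pre-flight check of an environmentParms value.
# lookup and check_environment_parms are hypothetical helpers, not IBM commands.

# Parameters from the list on this page (lower-cased) and the value each must include.
EXPECTED='oracle.net.encryption_client=REQUIRED
oracle.net.encryption_types_client=AES256
oracle.net.crypto_checksum_client=REQUIRED
oracle.net.crypto_checksum_types_client=SHA256'

# lookup NAME PARMS: print the value of NAME in the semicolon-separated PARMS.
lookup() {
    printf '%s\n' "$2" | tr ';' '\n' | while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
        if [ "$key" = "$1" ]; then printf '%s\n' "$value"; fi
    done
}

# Return 0 only if every expected parameter is present with the expected value.
check_environment_parms() {
    parms=$1
    problems=0
    while IFS='=' read -r name want; do
        # Normalise "(SHA256, SHA1)" and "sha256,sha1" to "SHA256,SHA1".
        got=$(lookup "$name" "$parms" | tr -d '() ' | tr '[:lower:]' '[:upper:]')
        case ",$got," in
            ",,") echo "missing: $name"; problems=$((problems + 1)) ;;
            *",$want,"*) ;;
            *) echo "wrong value: $name=$got (expected $want)"
               problems=$((problems + 1)) ;;
        esac
    done <<EOF
$EXPECTED
EOF
    # Names outside the list may be legitimate extra parameters, so only warn.
    known=$(printf '%s\n' "$EXPECTED" | cut -d= -f1)
    for key in $(printf '%s\n' "$parms" | tr ';' '\n' | cut -d= -f1 | tr '[:upper:]' '[:lower:]'); do
        printf '%s\n' "$known" | grep -qxF -- "$key" || echo "warning: not in the list: $key"
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: one name is missing its ".net" segment.
SAMPLE='oracle.net.encryption_client=REQUIRED;oracle.net.encryption_types_client=AES256;oracle.net.crypto_checksum_client=REQUIRED;oracle.crypto_checksum_types_client=SHA256,SHA1'
check_environment_parms "$SAMPLE" || echo "environmentParms needs fixing before it is applied"
```

Names that are not in the list produce a warning only, because environmentParms can also carry other connection parameters.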

Using a vendor-specific configuration file to enable data encryption for JDBC connections

About this task

Alternatively, you can use a vendor-specific configuration file that contains the encryption parameters. The location of this file is specified by a JVM system property that is set in the runtime environment of the integration server. Update the JDBCProviders configurable service to refer to the relevant part of the configuration file.

The encryption parameters can be set as stanzas in an Oracle configuration file called TNSNAMES.ORA. The location of the configuration file is made available to an integration server by using a Java system property.

Procedure

Complete the following steps:
  • On Windows, Linux, or UNIX platforms:
    1. Make the location of the configuration file available to the integration server by specifying a Java system property on the mqsichangeproperties command. For example:
      mqsichangeproperties integrationNodeName -e integrationServerName -o ComIbmJVMManager
      -n jvmSystemProperty -v "-Doracle.net.tns_admin=Location of TNSNAMES.ORA file"
    2. Issue the mqsichangeproperties command to update the serverName property of the JDBCProviders configurable service to specify the name of the Oracle Net service in the TNSNAMES.ORA file. For example:
      mqsichangeproperties integrationNodeName -c JDBCProviders -o Oracle -n serverName
      -v Name of Oracle Net service
  • On z/OS, run the commands by customizing and submitting the BIPCHPR utility in the integration node PDSE. If the values expressed in the -v parameter are long, remember to split the values across multiple lines by using the continuation character _ (underscore) in column 72, and ensuring that the next line starts in column 1.