Configuring the batch processor for an SSL-enabled Oracle database

You can configure the batch processor to communicate with your Oracle database over SSL.

About this task

Because of a limitation in the Oracle data source implementation, you can only configure the batch processor to connect to an SSL-enabled MDM database by using a JDBC driver.

Procedure

  1. Configure or add the following properties in the $home/properties/Batch.properties file:
    • database.jdbc.driver - Set the value to the Oracle JDBC driver class name. For example:
      database.jdbc.driver = oracle.jdbc.driver.OracleDriver
    • mdm.database.uri - Set the value to a type 4 JDBC database connection URI that uses the SSL protocol. For example:
      mdm.database.uri = jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=mdmdbtst)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=MDM12ORA)));user=MDMSSL1;password={xor})z4yMS8wMzY8Jg==
      Refer to the Oracle database documentation for the syntax of the connection URI. Refer to the section "Installing additional batch processor instances" for information about encrypting the database user password.
    • mdm.database.prop.javax.net.ssl.trustStore - Set the value to the equivalent value of the property javax.net.ssl.trustStore in the $home/properties/ssl.client.props file. For example, if the $home/properties/ssl.client.props file has the following settings:
      user.root=/usr/IBM/MDM/BatchProcessor1
      javax.net.ssl.trustStore=${user.root}/etc/trust.p12
      Then set the value of mdm.database.prop.javax.net.ssl.trustStore to:
      mdm.database.prop.javax.net.ssl.trustStore=/usr/IBM/MDM/BatchProcessor1/etc/trust.p12
    • mdm.database.prop.javax.net.ssl.trustStoreType - Set the value to the same value as the property javax.net.ssl.trustStoreType in the $home/properties/ssl.client.props file. For example:
      mdm.database.prop.javax.net.ssl.trustStoreType=PKCS12
    • mdm.database.prop.javax.net.ssl.trustStorePassword - Set the value to the same value as the property javax.net.ssl.trustStorePassword in the $home/properties/ssl.client.props file. For example:
      mdm.database.prop.javax.net.ssl.trustStorePassword={xor}PDc+MTg6Nis=
      
    • mdm.database.prop.javax.net.ssl.keyStore - Set the value to the equivalent value of the property javax.net.ssl.keyStore in the $home/properties/ssl.client.props file. For example, if the $home/properties/ssl.client.props file has the following settings:
      user.root=/usr/IBM/MDM/BatchProcessor1
      javax.net.ssl.keyStore=${user.root}/etc/key.p12
      Then set the value of mdm.database.prop.javax.net.ssl.keyStore to:
      mdm.database.prop.javax.net.ssl.keyStore=/usr/IBM/MDM/BatchProcessor1/etc/key.p12
    • mdm.database.prop.javax.net.ssl.keyStoreType - Set the value to the same value as the property javax.net.ssl.keyStoreType in the $home/properties/ssl.client.props file. For example:
      mdm.database.prop.javax.net.ssl.keyStoreType=PKCS12
    • mdm.database.prop.javax.net.ssl.keyStorePassword - Set the value to the same value as the property javax.net.ssl.keyStorePassword in the $home/properties/ssl.client.props file. For example:
      mdm.database.prop.javax.net.ssl.keyStorePassword={xor}PDc+MTg6Nis=
    • mdm.database.prop.oracle.net.ssl_version - Set the value to the SSL protocol version you would like to use. For example:
      mdm.database.prop.oracle.net.ssl_version=1.0
    • mdm.database.prop.oracle.net.ssl_server_dn_match - Set the value to TRUE if you want to force the distinguished name (dn) of the server to match its service name. The default value is FALSE:
      mdm.database.prop.oracle.net.ssl_server_dn_match=FALSE
  2. Obtain the server signer certificate from the database administrator and copy the certificate to a folder. For example, copy the certificate to $home/etc/mdm12ora.der.
  3. Import the certificate into the trust store specified by mdm.database.prop.javax.net.ssl.trustStore. The store type is specified with mdm.database.prop.javax.net.ssl.trustStoreType. For example:
    $WAS_HOME\java\jre\bin\keytool.exe -import -alias ora_ca -keystore $home\etc\trust.p12 -storetype PKCS12 -file $home\etc\mdm12ora.der
    or
    $WAS_HOME/java/jre/bin/keytool -import -alias ora_ca -keystore $home/etc/trust.p12 -storetype PKCS12 -file $home/etc/mdm12ora.der
    $WAS_HOME represents the home folder of the WebSphere® Application Server.
    Note:
    You will be prompted for the trust store password. Reply with the unencrypted version of the value of mdm.database.prop.javax.net.ssl.trustStorePassword. If you did not change the password of the trust store, use the default password, which is WebAS.
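
The following check is an added example, not part of the product or of the original procedure: it compares the mdm.database.prop.javax.net.ssl.* values in Batch.properties with the expanded values in ssl.client.props, and reports a URI that does not use tcps or an ssl_server_dn_match that is not TRUE. The function names and the sample file contents are assumptions constructed from the example values in step 1.

```python
import re

PREFIX = "mdm.database.prop."
# javax.net.ssl.* keys that Batch.properties mirrors from ssl.client.props
MIRRORED = [f"javax.net.ssl.{store}{suffix}"
            for store in ("trustStore", "keyStore")
            for suffix in ("", "Type", "Password")]

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def expand(value, props):
    """Resolve ${name} references (such as ${user.root}) within one file."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)

def audit(batch_text, ssl_text):
    """Return findings; an empty list means no problem was detected."""
    batch, ssl = parse_props(batch_text), parse_props(ssl_text)
    findings = []
    for key in (k for k in MIRRORED if k in ssl):
        actual = batch.get(PREFIX + key)
        if actual != expand(ssl[key], ssl):
            state = "missing" if actual is None else "mismatch"
            findings.append(f"{state}: {PREFIX}{key}")
    if "(PROTOCOL=tcps)" not in batch.get("mdm.database.uri", ""):
        findings.append("mdm.database.uri does not use PROTOCOL=tcps")
    dn_match = batch.get(PREFIX + "oracle.net.ssl_server_dn_match", "FALSE")
    if dn_match.upper() != "TRUE":
        findings.append("ssl_server_dn_match is not TRUE")
    return findings

# Constructed sample input built from this page's example values; the
# keyStore path in BATCH_PROPS is deliberately wrong (/user, not /usr).
SSL_PROPS = """user.root=/usr/IBM/MDM/BatchProcessor1
javax.net.ssl.trustStore=${user.root}/etc/trust.p12
javax.net.ssl.keyStore=${user.root}/etc/key.p12
javax.net.ssl.keyStoreType=PKCS12
"""
BATCH_PROPS = """mdm.database.uri = jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=mdmdbtst)(PORT=1522)))
mdm.database.prop.javax.net.ssl.trustStore=/usr/IBM/MDM/BatchProcessor1/etc/trust.p12
mdm.database.prop.javax.net.ssl.keyStore=/user/IBM/MDM/BatchProcessor1/etc/key.p12
mdm.database.prop.oracle.net.ssl_server_dn_match=FALSE
"""
if __name__ == "__main__":
    print("\n".join(audit(BATCH_PROPS, SSL_PROPS)))
```

Keys that ssl.client.props does not define are skipped, so the check only reports values that the procedure says must be copied across.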

What to do next

You can run the $home/bin/ivt.sh script to verify that the batch processor installation was successful. If the verification test fails, see the troubleshooting link at the end of this topic.