Merge pull request #276412 from Clare-Zheng82/0524-Update_Oracle_and_TSG_doc

v-ccolin · web-flow · commit 6d18b176bdca · 2024-05-29T08:27:55.000+01:00
[Doc update] Update Oracle TLS set up and add TSG
diff --git a/articles/data-factory/connector-oracle.md b/articles/data-factory/connector-oracle.md
@@ -7,7 +7,7 @@ ms.service: data-factory
 ms.subservice: data-movement
 ms.custom: synapse
 ms.topic: conceptual
-ms.date: 05/15/2024
+ms.date: 05/27/2024
 ms.author: jianleishen
 ---
 
@@ -109,43 +109,43 @@ To enable encryption on Oracle connection, you have two options:
 
 -	To use **Triple-DES Encryption (3DES) and Advanced Encryption Standard (AES)**, on the Oracle server side, go to Oracle Advanced Security (OAS) and configure the encryption settings. For details, see this [Oracle documentation](https://docs.oracle.com/cd/E11882_01/network.112/e40393/asointro.htm#i1008759). The Oracle Application Development Framework (ADF) connector automatically negotiates the encryption method to use the one you configure in OAS when establishing a connection to Oracle.
 
--	To use **TLS**:
+-	To use **TLS**, set up `truststore` for SSL server authentication by applying one of the following three methods:
 
-    1.	Get the TLS/SSL certificate info. Get the Distinguished Encoding Rules (DER)-encoded certificate information of your TLS/SSL cert, and save the output (----- Begin Certificate … End Certificate -----) as a text file.
+    - **Method 1 (recommended)**:
 
-        ```
-        openssl x509 -inform DER -in [Full Path to the DER Certificate including the name of the DER Certificate] -text
-        ```
+        1.	Install the TLS/SSL certificate by importing it into the local certificate store. The built-in Oracle driver is able to load the needed certificate from the certificate store. 
 
-        **Example:** Extract cert info from DERcert.cer, and then save the output to cert.txt.
+        2.	In the service, configure the Oracle connection string with `EncryptionMethod=1`.
 
-        ```
-        openssl x509 -inform DER -in DERcert.cer -text
-        Output:
-        -----BEGIN CERTIFICATE-----
-        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-        XXXXXXXXX
-        -----END CERTIFICATE-----
-        ```
-    
-    2.	Build the `keystore` or `truststore`. The following command creates the `truststore` file, with or without a password, in PKCS-12 format.
+    - **Method 2**:
 
-        ```
-        openssl pkcs12 -in [Path to the file created in the previous step] -out [Path and name of TrustStore] -passout pass:[Keystore PWD] -nokeys -export
-        ```
+        1. Get the TLS/SSL certificate information. Get the Distinguished Encoding Rules (DER)-encoded or Privacy Enhanced Mail (PEM)-encoded certificate information of your TLS/SSL cert.
 
-        **Example:** Create a PKCS12 `truststore` file, named MyTrustStoreFile, with a password.
+            ```
+            openssl x509 -inform (DER|PEM) -in [Full Path to the DER/PEM Certificate including the name of the DER/PEM Certificate] -text
+            ```
 
-        ```
-        openssl pkcs12 -in cert.txt -out MyTrustStoreFile -passout pass:ThePWD -nokeys -export  
-        ```
+        2.	In the service, configure the Oracle connection string with `EncryptionMethod=1` and the corresponding `TrustStore` value. For example, `Host=<host>;Port=<port>;Sid=<sid>;User Id=<username>;Password=<password>;EncryptionMethod=1;TrustStore= data:// -----BEGIN CERTIFICATE-----<certificate content>-----END CERTIFICATE-----`
 
-    3.	Place the `truststore` file on the self-hosted IR machine. For example, place the file at C:\MyTrustStoreFile.
-    4.	In the service, configure the Oracle connection string with `EncryptionMethod=1` and the corresponding `TrustStore`/`TrustStorePassword`value. For example, `Host=<host>;Port=<port>;Sid=<sid>;User Id=<username>;Password=<password>;EncryptionMethod=1;TrustStore=C:\\MyTrustStoreFile;TrustStorePassword=<trust_store_password>`.
+            >[!Note]
+            >- The value of the `TrustStore` field should be prefixed with `data://`.
+            >- When specifying content for multiple certificates, specify the content of each certificate between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. The number of dashes (`-----`) should be the same before and after both `BEGIN CERTIFICATE` and `END CERTIFICATE`. For example:<br>
+            >`-----BEGIN CERTIFICATE-----<certificate content 1>-----END CERTIFICATE-----`<br>
+            >`-----BEGIN CERTIFICATE-----<certificate content 2>-----END CERTIFICATE-----`<br>
+            >`-----BEGIN CERTIFICATE-----<certificate content 3>-----END CERTIFICATE-----`
+            > - The `TrustStore` field supports content up to 8192 characters in length.
 
+    - **Method 3**:
+        1. Create the `truststore` file with strong ciphers like AES256.
+        
+            ```
+            openssl pkcs12 -in [Full Path to the DER/PEM Certificate including the name of the DER/PEM Certificate] -out [Path and name of TrustStore] -passout pass:[Keystore PWD] -keypbe AES-256-CBC -certpbe AES-256-CBC -nokeys -export
+            ```
+        2.	Place the `truststore` file on the self-hosted integration runtime machine. For example, place the file at `C:\MyTrustStoreFile`. 
+        
+        3.	In the service, configure the Oracle connection string with `EncryptionMethod=1` and the corresponding `TrustStore`/`TrustStorePassword` value. For example, `Host=<host>;Port=<port>;Sid=<sid>;User Id=<username>;Password=<password>;EncryptionMethod=1;TrustStore=C:\\MyTrustStoreFile;TrustStorePassword=<trust_store_password>`.
+    
+    
 **Example:**
 
 ```json
diff --git a/articles/data-factory/connector-troubleshoot-oracle.md b/articles/data-factory/connector-troubleshoot-oracle.md
@@ -6,7 +6,7 @@ author: jianleishen
 ms.service: data-factory
 ms.subservice: data-movement
 ms.topic: troubleshooting
-ms.date: 04/30/2024
+ms.date: 05/27/2024
 ms.author: jianleishen
 ms.custom: has-adal-ref, synapse
 ---
@@ -51,6 +51,35 @@ This article provides suggestions to troubleshoot common problems with the Oracl
         - SHA384 
         - SHA512
     
+## Error code: UserErrorFailedToConnectOdbcSource
+
+There are three error messages associated with this error code. Check the cause and recommendation for each error message correspondingly.
+
+- **Message**: `"Cannot load trust store", or "SSL Handshake Failure reason [error:OA000086:SSL routines::certificate verify failed]"` 
+
+- **Cause**: The `truststore` is not appropriate for OpenSSL 3.0, as the `truststore` file is generated using weak ciphers like RC4, MD5 and SHA1.
+
+- **Recommendation**: You need to re-create the `truststore` using the strong ciphers like AES256. Refer to this [section](connector-oracle.md#linked-service-properties) for details about setting up the TLS connection using `truststore`.
+
+<br>
+
+- **Message**: <br>
+    `SSL Handshake Failure reason[Unknown SSL Error]`  
+    `SSL Handshake Failure reason [error:OA000410:SSL routines::sslv3 alert handshake failure]`
+
+- **Cause**: The server is not configured with strong ciphers for SSL communication. OpenSSL 3.0 should use either TLS 1.0 and higher as it deprecated SSL protocol versions. For example, the server might accept connections with TLS protocol versions until TLS 1.0.
+
+- **Recommendation**: Revise the server configuration to use stronger TLS versions.
+
+<br>
+
+- **Message**: `SSL Handshake Failure reason [error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported].` 
+
+- **Cause**: CryptoProtocolVersion is set to use deprecated TLS protocol versions with OpenSSL 3.0.
+
+- **Recommendation**: Specify the connection string property `CryptoProtocolVersion=TLSv1.2`.
+
+
 ## Related content
 
 For more troubleshooting help, try these resources:
