Added changes to support TWO-WAY Authentication while connecting to oracle DB while bringing up JRF domain (#1181)

* Added changes to support TWO-Way Authentication while connecting to oracle DB

* Added changes to support TWO-Way Authentication while connecting to oracle DB

* Made changes to re-use existing function

* Update rcuinfo.md

* Update rcuinfo.md

Co-authored-by: [email protected] <ganeshs@cagbu-phx-491.snphxprshared1.gbucdsint02phx.oraclevcn.com>

Author: ganeshs05

core/src/main/python/wlsdeploy/aliases/model_constants.py

@@ -356,6 +356,7 @@
 DESTINATION_SERVER = 'DestinationServer'
 DRIVER_NAME = 'DriverName'
 DRIVER_PARAMS_PROPERTY_VALUE = 'Value'
+DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED = 'EncryptedValueEncrypted'
 DRIVER_PARAMS_USER_PROPERTY = 'user'
 DRIVER_PARAMS_TRUSTSTORE_PROPERTY = 'javax.net.ssl.trustStore'
 DRIVER_PARAMS_kEYSTORE_PROPERTY = 'javax.net.ssl.keyStore'

core/src/main/python/wlsdeploy/tool/create/domain_creator.py

@@ -34,6 +34,7 @@
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_NET_SSL_VERSION
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_NET_TNS_ADMIN
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_PROPERTY_VALUE
+from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTORETYPE_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTORE_PROPERTY
@@ -941,7 +942,7 @@ def __create_other_domain_artifacts(self, location, mbean_type_list):
         self.logger.exiting(class_name=self.__class_name, method_name=_method_name)
         return
 
-    def __set_atp_connection_property(self, root_location, property_name, property_value):
+    def __set_atp_connection_property(self, root_location, property_name, property_value, encrypted=False):
         create_path = self.aliases.get_wlst_create_path(root_location)
 
         self.wlst_helper.cd(create_path)
@@ -959,14 +960,18 @@ def __set_atp_connection_property(self, root_location, property_name, property_v
         wlst_path = self.aliases.get_wlst_attributes_path(root_location)
 
         self.wlst_helper.cd(wlst_path)
-
+        
+        if encrypted:
+            value_property = DRIVER_PARAMS_PROPERTY_VALUE_ENCRYPTED
+        else:
+            value_property = DRIVER_PARAMS_PROPERTY_VALUE
+       
         wlst_name, wlst_value = \
-            self.aliases.get_wlst_attribute_name_and_value(root_location, DRIVER_PARAMS_PROPERTY_VALUE,
-                                                           property_value)
+            self.aliases.get_wlst_attribute_name_and_value(root_location, value_property, property_value)
         self.wlst_helper.set(wlst_name, wlst_value)
 
         root_location.remove_name_token(property_name)
-
+    
     def __retrieve_atp_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
         """
         Check and return atp connection info and make sure atp rcudb info is complete
@@ -1044,6 +1049,9 @@ def __retrieve_ssl_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
         truststore = rcu_db_info.get_truststore()
         truststore_type = rcu_db_info.get_truststore_type()
         truststore_pwd = rcu_db_info.get_truststore_password()
+        keystore = rcu_db_info.get_keystore()
+        keystore_type = rcu_db_info.get_keystore_type()
+        keystore_pwd = rcu_db_info.get_keystore_password()
 
         if check_admin_pwd:
             admin_pwd = rcu_db_info.get_admin_password()
@@ -1053,7 +1061,7 @@ def __retrieve_ssl_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
                                                               "'rcu_admin_password']")
                 raise ex
 
-        return tns_admin, rcu_database, truststore_pwd, truststore_type, truststore
+        return tns_admin, rcu_database, truststore_pwd, truststore_type, truststore, keystore_pwd, keystore_type, keystore   
 
     def __configure_fmw_infra_database(self):
         """
@@ -1098,10 +1106,12 @@ def __configure_fmw_infra_database(self):
             keystore_pwd = None
             truststore_type = None
             truststore = None
+            keystore_type = None
+            keystore = None
             if has_atp:
                 tns_admin, rcu_database, keystore_pwd, truststore_pwd = self.__retrieve_atp_rcudbinfo(rcu_db_info)
             else:
-                tns_admin, rcu_database, truststore_pwd, truststore_type, truststore = self.__retrieve_ssl_rcudbinfo(rcu_db_info)
+                tns_admin, rcu_database, truststore_pwd, truststore_type, truststore, keystore_pwd, keystore_type, keystore = self.__retrieve_ssl_rcudbinfo(rcu_db_info)
             # Need to set for the connection property for each datasource
 
             fmw_database = self.wls_helper.get_jdbc_url_from_rcu_connect_string(rcu_database)
@@ -1168,7 +1178,15 @@ def __configure_fmw_infra_database(self):
                     self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTORETYPE_PROPERTY,
                                                          truststore_type)
                     if truststore_pwd is not None and truststore_pwd != 'None':
-                        self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd)
+                        self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd, encrypted=True)
+                    if keystore is not None and keystore != 'None':
+                        self.__set_atp_connection_property(location, DRIVER_PARAMS_kEYSTORE_PROPERTY, tns_admin + os.sep
+                                                       + keystore)
+                    if keystore_type is not None and keystore_type != 'None':
+                        self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTORETYPE_PROPERTY,
+                                                       keystore_type)
+                    if keystore_pwd is not None and keystore_pwd != 'None':
+                        self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTOREPWD_PROPERTY, keystore_pwd, encrypted=True)
         else:
             rcu_database = rcu_db_info.get_preferred_db()
             if rcu_database is None:

core/src/main/python/wlsdeploy/tool/create/rcudbinfo_helper.py

@@ -8,6 +8,8 @@
 from wlsdeploy.aliases.model_constants import ATP_TEMPORARY_TABLESPACE
 from wlsdeploy.aliases.model_constants import ATP_TNS_ENTRY
 from wlsdeploy.aliases.model_constants import DOMAIN_INFO
+from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_kEYSTORE_PROPERTY
+from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_KEYSTORETYPE_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_KEYSTOREPWD_PROPERTY
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_NET_TNS_ADMIN
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_TRUSTSTORE_PROPERTY
@@ -61,6 +63,12 @@ def get_rcu_schema_password(self):
         password = dictionary_utils.get_element(self.rcu_properties_map, RCU_SCHEMA_PASSWORD)
         return self.aliases.decrypt_password(password)
 
+    def get_keystore(self):
+        return dictionary_utils.get_element(self.rcu_properties_map, DRIVER_PARAMS_kEYSTORE_PROPERTY)
+
+    def get_keystore_type(self):
+        return dictionary_utils.get_element(self.rcu_properties_map, DRIVER_PARAMS_KEYSTORETYPE_PROPERTY)
+
     def get_keystore_password(self):
         password = dictionary_utils.get_element(self.rcu_properties_map, DRIVER_PARAMS_KEYSTOREPWD_PROPERTY)
         return self.aliases.decrypt_password(password)

core/src/main/python/wlsdeploy/tool/create/ssl_helper.py

@@ -13,7 +13,7 @@
 
 _logger = PlatformLogger('wlsdeploy.create')
 
-def set_ssl_properties(xml_doc, atp_creds_path, truststore, truststore_type, truststore_password):
+def set_ssl_properties(xml_doc, atp_creds_path, truststore, truststore_type, truststore_password, keystore, keystore_type, keystore_password):
     '''
     Add SSL config properties to the specified XML document.
     :param xml_doc:                  The XML document
@@ -31,6 +31,12 @@ def set_ssl_properties(xml_doc, atp_creds_path, truststore, truststore_type, tru
             set_property(dom_tree, prop, 'oracle.net.tns_admin', atp_creds_path)
             if truststore_password is not None:
                 set_property(dom_tree, prop, 'javax.net.ssl.trustStorePassword', truststore_password)
+            if keystore is not None:
+                set_property(dom_tree, prop, 'javax.net.ssl.keyStore', atp_creds_path + '/' + keystore)
+            if keystore_type is not None:
+                set_property(dom_tree, prop, 'javax.net.ssl.keyStoreType', keystore_type)
+            if keystore_password is not None:
+                set_property(dom_tree, prop, 'javax.net.ssl.keyStorePassword', keystore_password)
             # Persist the changes in the xml file
             file_handle = open(xml_doc,"w")
             dom_tree.writexml(file_handle)
@@ -57,12 +63,14 @@ def fix_jps_config(rcu_db_info, model_context):
     truststore = rcu_db_info.get_truststore()
     truststore_type = rcu_db_info.get_truststore_type()
     truststore_password = rcu_db_info.get_truststore_password()
+    keystore = rcu_db_info.get_keystore()
+    keystore_type = rcu_db_info.get_keystore_type()
+    keystore_password = rcu_db_info.get_keystore_password()
 
     jsp_config = model_context.get_domain_home() + '/config/fmwconfig/jps-config.xml'
     jsp_config_jse = model_context.get_domain_home() + '/config/fmwconfig/jps-config-jse.xml'
-    set_ssl_properties(jsp_config, tns_admin, truststore, truststore_type, truststore_password)
-    set_ssl_properties(jsp_config_jse, tns_admin, truststore, truststore_type, truststore_password)
-
+    set_ssl_properties(jsp_config, tns_admin, truststore, truststore_type, truststore_password, keystore, keystore_type, keystore_password)
+    set_ssl_properties(jsp_config_jse, tns_admin, truststore, truststore_type, truststore_password, keystore, keystore_type, keystore_password)
 
 def get_ssl_connect_string(tnsnames_ora_path, tns_sid_name):
     try:

documentation/2.0/content/rcuinfo.md

@@ -47,12 +47,12 @@ Or, by specifying the unzipped root directory of the ATP wallet ZIP file in `ora
 
 #### SSL database using SSO for authentication
 
-For an SSL database, with an `SSO` wallet, use the following example:
+For an Oracle SSL database with TW0_WAY SSL enabled, with an `SSO` wallet, use the following example:
 ```yaml
 domainInfo:
     RCUDbInfo:
       useSSL : true
-      rcu_db_conn_string: <reuired URL string for use with -run_rcu>
+      rcu_db_conn_string: <required URL string for use with -run_rcu>
       rcu_prefix : DEV
       rcu_admin_password: <required with -run_rcu flag>
       rcu_schema_password: <required with -run_rcu flag>
@@ -64,14 +64,31 @@ domainInfo:
       oracle.net.tns_admin: <absolute path of the unzipped wallet root directory>
 
 ```
+
+For an Oracle SSL database with ONE_WAY SSL enabled, with an `SSO` wallet, use the following example:
+```yaml
+domainInfo:
+    RCUDbInfo:
+      useSSL : true
+      rcu_db_conn_string: <required URL string for use with -run_rcu>
+      rcu_prefix : DEV
+      rcu_admin_password: <required with -run_rcu flag>
+      rcu_schema_password: <required with -run_rcu flag>
+      tns.alias: <alias of ssl db in the tnsnames.ora file>
+      javax.net,ssl.trustStore: <truststore found in unzipped wallet, i.e cwallet.sso>
+      javax.net.ssl.trustStoreType: SSO
+      oracle.net.tns_admin: <absolute path of the unzipped wallet root directory>
+
+```
+
 #### SSL database using PKCS12 for authentication
 
-For an SSL database, with a `PKCS12` wallet, use the following example:
+For an Oracle SSL database with TW0_WAY SSL enabled, with a `PKCS12` wallet, use the following example:
 ```yaml
 domainInfo:
     RCUDbInfo:
       useSSL : true
-      rcu_db_conn_string: <reuired URL string for use with -run_rcu>
+      rcu_db_conn_string: <required URL string for use with -run_rcu>
       rcu_prefix : DEV
       rcu_admin_password: <required with -run_rcu flag>
       rcu_schema_password: <required with -run_rcu flag>
@@ -84,6 +101,22 @@ domainInfo:
       javax.net.ssl.trustStorePassword: <password of the truststore>
       oracle.net.tns_admin: <absolute path of the unzipped wallet root directory>
 
+```
+For an Oracle SSL database with ONE_WAY SSL enabled, with a `PKCS12` wallet, use the following example:
+```yaml
+domainInfo:
+    RCUDbInfo:
+      useSSL : true
+      rcu_db_conn_string: <required URL string for use with -run_rcu>
+      rcu_prefix : DEV
+      rcu_admin_password: <required with -run_rcu flag>
+      rcu_schema_password: <required with -run_rcu flag>
+      tns.alias: <alias of ssl db in the tnsnames.ora file>
+      javax.net.ssl.trustStore: <truststore found in the unzipped wallet, i.e ewallet.p12>
+      javax.net.ssl.trustStoreType: PKCS12
+      javax.net.ssl.trustStorePassword: <password of the truststore>
+      oracle.net.tns_admin: <absolute path of the unzipped wallet root directory>
+
 ```
 When using a PKCS12 wallet, you must include the Oracle PKI provider to access your wallet. Add the Oracle PKI provider to your Java `java.security` file. For more information, see Section 2.2.4 "How can Oracle wallets be used in Java" in [SSL with Oracle JDBC Thin Driver](https://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf).