Configuring Secure Communication to Oracle from PowerCenter on UNIX
© 2014 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any
means (electronic, photocopying, recording or otherwise) without prior consent of Informatica Corporation. All other
company and product names may be trade names or trademarks of their respective owners and/or copyrighted
materials of such owners.
Abstract
You can enable secure communication with SSL encryption from PowerCenter to third-party databases, such as
Oracle. This article describes how you can configure secure communication from PowerCenter to Oracle with a native
connection on UNIX.
Supported Versions
• PowerCenter 9.6.0
Table of Contents
Overview
Configuring Oracle Wallets on UNIX
Exporting Oracle Client SSL Certificate
Importing the Oracle Server SSL Certificate
Configuring SQLNET.ORA and TNSNAMES.ORA Files with Wallet Information
Verifying Connectivity from Oracle Client to Oracle Server with SQL Plus
Creating an Oracle Connection in PowerCenter
Overview
You can enable secure communication from PowerCenter to third-party databases, such as Oracle. When you read or
write data to a third-party database, you can secure the communication with SSL encryption provided by the third-party
database. In PowerCenter, you can configure secure communication to Oracle when you run a mapping with Oracle
sources or targets.
For SSL encryption, an Oracle database uses wallets. A wallet stores authentication credentials and certificates for
SSL, such as private keys and trusted certificates. You can use Oracle Wallet Manager to manage the security
credentials for the Oracle client on the machine where the PowerCenter Integration Service runs. You can set up
multiple third-party configurations to establish secure connections to Oracle from PowerCenter with a native
connection.
To configure secure communication to Oracle on the machine where you install the Oracle client, perform the following
tasks:
1. Configure an Oracle wallet.
2. Export a client SSL certificate.
3. Import the server SSL certificate.
4. Configure the SQLNET.ORA and TNSNAMES.ORA files.
5. Create the Oracle connection in PowerCenter and run the mapping.
Configuring Oracle Wallets on UNIX
1. Install the Oracle client on the UNIX machine where the PowerCenter Integration Service runs.
2. Navigate to the Oracle client installation directory in the following location to open the Oracle wallet manager:
    cd <OracleInstallationDir>/owm
For example:
    cd /data/app/oracle/product/client/11.2.0/owm
3. Create a wallet folder.
For example, you can create a wallet folder as follows:
    mkdir -p /data/app/oracle/product/client/11.2.0/owm/wallets/oracle
4. Navigate to the newly created wallet folder.
For example, you can navigate to the following location:
    cd /data/app/oracle/product/client/11.2.0/owm/wallets/oracle
5. Create an Oracle wallet in the wallet folder with a strong password that contains alphabetic characters and
numbers as follows:
    orapki wallet create -wallet <wallet_directory> -auto_login -pwd <wallet_password>
For example:
    orapki wallet create -wallet /data/app/oracle/product/client/11.2.0/owm/wallets/oracle -auto_login -pwd oracle4u
The command creates two files in the wallet folder: ewallet.p12 and cwallet.sso.
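The auto-login wallet created in step 5 (cwallet.sso) can be opened without the wallet password, so the file permissions on the wallet folder are what protect the private key. The following check is an added example, not part of the original article and not an Oracle or Informatica tool; the function name check_wallet_perms and the finding labels are assumptions.

```shell
#!/bin/sh
# Added example: confirm that an Oracle wallet folder is readable by its owner only.
# check_wallet_perms is an illustrative name, not an orapki or Informatica command.

# Print one finding per problem; return 0 only if every item is owner-only.
check_wallet_perms() {  # usage: check_wallet_perms <wallet_directory>
    rc=0
    for f in "$1" "$1/ewallet.p12" "$1/cwallet.sso"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            rc=1
            continue
        fi
        # Mode string such as -rw------- ; characters 5-10 are the group and other bits.
        mode=$(ls -ldL "$f" | cut -c1-10)
        case "$mode" in
            ????------) ;;                      # no group or other access
            *) echo "LOOSE $mode $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Audit the wallet folder given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    check_wallet_perms "$1"
fi
```

Pass the wallet folder as the first argument; a LOOSE finding is cleared by restricting the folder to mode 700 and the two wallet files to mode 600.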
Exporting Oracle Client SSL Certificate
1. Create an Oracle client SSL certificate on the UNIX machine where the PowerCenter Integration Service
runs. To create an Oracle client SSL certificate, enter the command in the following format:
    orapki wallet add -wallet <wallet_directory> -dn "CN=<Unique_Name_Identifier_for_Client_Host_Machine>, OU=<dept>, O=<company_name>, L=<city>, ST=<state>, C=<country>" -keysize <keysize> -self_signed -validity <ValidityinDays> -pwd <wallet_password>
For example, enter the following command to create an Oracle client SSL certificate:
    orapki wallet add -wallet /data/app/oracle/product/client/11.2.0/owm/wallets/oracle -dn "CN=SSLCLIENT2, OU=IT, O=infa, L=blr, ST=ka, C=IN" -keysize 2048 -self_signed -validity 30 -pwd <wallet_password>
Note: Work with your database administrator for correct values on OU, O, L, ST, C, and keysize for the
Oracle server instance. Verify with your database administrator that the CN value that you plan to use is
unique.
2. To view the Oracle client SSL certificates previously created, enter the command in the following format:
    orapki wallet display -wallet <OracleInstallationDir>/owm/wallets/oracle -pwd <wallet_password>
3. To import the client certificate into the Oracle server wallet, export the client wallet in the following format:
    orapki wallet export -wallet <wallet_directory> -dn "CN=<NameofClientInstallationonOracleServer>, OU=<dept>, O=<company_name>, L=<city>, ST=<state>, C=<country>" -cert <client_certificate_name.crt>
For example, enter the following command:
    orapki wallet export -wallet /data/app/oracle/product/client/11.2.0/owm/wallets/oracle -dn "CN=SSLCLIENT2, OU=IT, O=infa, L=blr, ST=ka, C=IN" -cert client_ca.cert
The command creates the client certificate in the wallet folder.
4. Send the client certificate to your Oracle database administrator through a secured channel, such as SFTP.
Your database administrator can then import the client certificate into the Oracle server wallet.
Importing the Oracle Server SSL Certificate
1. Work with your database administrator to provide you with the Oracle server SSL certificate.
2. After you get the Oracle server SSL certificate from the database administrator, you can import it into the
client wallet with the following command:
    orapki wallet add -wallet <wallet_directory> -trusted_cert -cert <server_certificate.cert> -pwd <wallet_password>
For example, enter the following command:
    orapki wallet add -wallet /data/app/oracle/product/client/11.2.0/owm/wallets/oracle -trusted_cert -cert server_ca.cert -pwd <wallet_password>
Configuring SQLNET.ORA and TNSNAMES.ORA Files with Wallet Information
1. Navigate to the Oracle client network location as follows: <OracleInstallationDir>/network/admin.
The folder contains the sqlnet.ora file and the tnsnames.ora file.
2. Edit the sqlnet.ora file to enter the values similar to the following sample syntax:
    SQLNET.AUTHENTICATION_SERVICES= (TCPS, NTS, BEQ)
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    SQLNET.EXPIRE_TIME=0

    #SSL Connection configuration
    SSL_CLIENT_AUTHENTICATION = TRUE

    #Specify the client wallet location
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /data/app/oracle/product/client/11.2.0/owm/wallets/oracle)
        )
      )

    #This is an optional parameter. Set the version of the SSL connection.
    #The valid values are undetermined | 2.0 | 3.0
    SSL_VERSION = 3.0

    #Set this parameter ON so that SSL_SERVER_CERT_DN in tnsnames.ora is effective
    SSL_SERVER_DN_MATCH = ON

    #tracing options
    #trace_level_client = ADMIN
    #trace_file_client = /data/app/oracle/product/client/11.2.0/trace/SSL.trc
3. Save and close the sqlnet.ora file.
4. Edit the tnsnames.ora file to enter the values similar to the following sample syntax:
    orassl =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = <hostname>)(PORT = <port_number>))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = <service_name>))
        (SECURITY=
          (SSL_SERVER_CERT_DN="CN=ORASSL,OU=IT,O=infa,L=blr,ST=ka,C=IN"))
      )
5. Save and close the tnsnames.ora file.
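A check of the two files against the settings this section describes, as an added example (not part of the original article, and not an Oracle or Informatica tool). The function names and finding labels are assumptions; the check also reports SSL_VERSION values of 2.0 and 3.0, because they pin protocol versions deprecated by RFC 6176 and RFC 7568.

```shell
#!/bin/sh
# Added example: lint the client-side SSL settings described in this section.
# Function names and finding labels are illustrative, not Oracle or Informatica tools.

# Print the upper-cased value of a single-line parameter, comments ignored.
ora_param() {  # usage: ora_param <file> <UPPER_CASE_NAME>
    sed 's/#.*//' "$1" | tr '[:lower:]' '[:upper:]' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        head -n 1 | tr -d '[:space:]'
}

# Print the DIRECTORY value from WALLET_LOCATION (assumed to sit on one line).
wallet_dir() {  # usage: wallet_dir <sqlnet.ora>
    sed -n -e 's/#.*//' \
        -e 's/.*(DIRECTORY[[:space:]]*=[[:space:]]*\([^)]*[^)[:space:]]\)[[:space:]]*).*/\1/p' \
        "$1" | head -n 1
}

# Print one finding per problem; return non-zero if anything was found.
lint_ssl_client() {  # usage: lint_ssl_client <sqlnet.ora> <tnsnames.ora>
    rc=0
    case "$(ora_param "$1" SSL_SERVER_DN_MATCH)" in
        ON|YES|TRUE) ;;
        *) echo "DN_MATCH_OFF: SSL_SERVER_CERT_DN in tnsnames.ora is not enforced"; rc=1 ;;
    esac
    case "$(ora_param "$1" SSL_CLIENT_AUTHENTICATION)" in
        FALSE) echo "CLIENT_AUTH_OFF: SSL client authentication is disabled"; rc=1 ;;
    esac
    case "$(ora_param "$1" SSL_VERSION)" in
        2.0|3.0) echo "OLD_PROTOCOL: SSL_VERSION pins SSL 2.0/3.0 (deprecated, RFC 6176/7568)"; rc=1 ;;
    esac
    dir=$(wallet_dir "$1")
    [ -n "$dir" ] && [ -f "$dir/cwallet.sso" ] ||
        { echo "NO_WALLET: no auto-login wallet in '${dir}'"; rc=1; }
    tns=$(sed 's/#.*//' "$2" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    case "$tns" in
        *"(PROTOCOL=TCPS)"*) ;;
        *) echo "NO_TCPS: tnsnames.ora has no PROTOCOL=TCPS address"; rc=1 ;;
    esac
    case "$tns" in
        *"SSL_SERVER_CERT_DN="*) ;;
        *) echo "NO_SERVER_DN: tnsnames.ora sets no SSL_SERVER_CERT_DN"; rc=1 ;;
    esac
    return $rc
}
```

The tnsnames.ora checks look at the file as a whole rather than at one alias, so a file with several entries needs each entry reviewed separately.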
Verifying Connectivity from Oracle Client to Oracle Server with SQL Plus
1. Enter the following command from the Oracle client machine:
    sqlplus <username>/<password>@<connection_string_for_Oracle>
Ensure that you are able to connect to the database.
2. If the connection fails, contact your database administrator to resolve the connectivity issues.
Creating an Oracle Connection in PowerCenter
1. Log in to the Workflow Manager.
2. Click Connections > Relational.
The Relational Connection Browser dialog box appears.
3. Click New.
The Select Subtype dialog box appears.
4. Select Oracle from the Select Subtype list.
5. Click OK.
The Relational Connection Dialog dialog box appears.
6. Enter the connection properties, such as user name and password. Verify that the connection string is the
TNS entry that you created, such as orassl.
7. Click OK.
The database connection appears in the Connection Browser list.
Select the Oracle connection to run the mapping with secure communication in PowerCenter.
Authors
Anju Andrews
Lead QA Engineer
Sujitha Alexander
Technical Writer