Enabling TLS server certificate validation between internal Oracle database and product components

The internal Oracle database communicates with the following components of TrueSight Capacity Optimization:

• Application Server
• Local ETL Engine Server
  
  

Before you begin

• Ensure that you use the Oracle database and client versions that support TLS 1.2. For more information, see TLS-considerations-for-TrueSight-Capacity-Optimization.
• Ensure that the Oracle database is configured in TLS 1.2 mode.

• Ensure that a TLS 1.2 compliant ojdbc7.jar file exists in the <Oracle client home>/jdbc/lib directory. If not, copy the file from the Oracle website.

To enable TLS 1.2 with server certificate validation, complete the following steps:

• • Before you begin
  • I. Procure the security certificate and configure the Oracle wallet
  • II. Install the security certificate
  • III. Configure the product components to use TLS

I. Procure the security certificate and configure the Oracle wallet

1. Procure the Oracle database certificate (in the x509 format) from the system administrator of your organization if a self-signed certificate is used. For example, oracle.crt. If a certificate that is signed for the Oracle database by an enterprise certificate authority (CA) or a third-party CA as a trusted root authority is used, import this signed certificate to avoid importing of multiple signed certificates for all TLS connections.
2. Procure and configure the Oracle wallet for the Oracle client.  
3. Ensure that the Oracle client communicates with the server securely on TCPS port.

II. Install the security certificate

The Application Server and local ETL Engine Server use the cotruststore.ts truststore to communicate with the Oracle database. This truststore is bundled along with the Server installation, and is located in the <Server Installation Directory>/secure directory.

Complete the following steps on both the Application Server and the local ETL Engine Server to import the security certificate into their truststore files:

1. Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory. Add this directory path to the PATH environment variable by running the following command:

    

   export PATH=<Server Installation Directory>/jre/bin:$PATH

2. Navigate to the <Server Installation Directory>/secure directory and import the procured certificates by running the following command:

   keytool -importcert -trustcacerts -file <path>/oracle.crt -keystore cotruststore.ts -alias CODB

    

   Parameter description

   - oracle.crt is the name of the procured Oracle certificate. If the name of this certificate is different, use the relevant file name in the keytool command.

   - Ensure that CODB is used as the alias name.

3. When you are prompted, enter the password to access the keystore.
4. When you are prompted to trust the certificate, enter Yes.

III. Configure the product components to use TLS

Complete the following configuration steps on both the Application Server and the local ETL Engine Server:

1.  Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.

   #Example switchTLSmode.pl -on –dbport 2484 -tspwd -flow codb

   Click here for switchTLSmode.pl command details

   #Syntax
   perl switchTLSmode.pl [-h or --help] [ -on|-off ] [ -dbport port ] [ -tspwd ] [-flow internal,auth,codb,externaldb,all]
   

    

   Parameter reference
   -h or --help: Prints the help for the command.

   -on|off: on option enables TLS mode of communication. off option disables TLS mode of communication.

   -dbport: Provide the port number that is configured for the database communication. (This option is required only when the database port is changed.)

   -tspwd: Provide the truststore password. The default password is: changeit. It is recommended to change this password.

   -flow: Provide the communication channel for which you want to enable or disable TLS 1.2 with server certificate validation based on your value for the -on|off parameter.

   internal: Enables or disables TLS 1.2 with server certificate validation for communication among the internal Capacity Optimization components.

   auth: Enables or disables TLS 1.2 with server certificate validation for communication between the authentication component (Remedy Single Sign-On Server or LDAP server) and Application Server.

   codb: Enables or disables TLS 1.2 with server certificate validation for communication between internal database (Oracle/PostgreSQL) and internal Capacity Optimization components.

   externaldb: Enables or disables TLS 1.2 with server certificate validation for communication between external database and ETL Engine Server.

   all: Enables or disables TLS 1.2 with server certificate validation communication for all the supported channels.

2. When you are prompted, enter the password to access the truststore. 

The communication between the internal Oracle database and the Application Server, and between the internal Oracle database and local ETL Engine Server are now TLS 1.2 enabled with server certificate validation.