Configuring Oracle JDBC with FIPS for Windchill
This topic describes how to configure an Oracle database and Windchill to use FIPS‑compliant, TLS‑secured JDBC communication.
Prerequisites
Before you begin, ensure that SSL is enabled on the Oracle database server.
For details on enabling secure JDBC connections, see the relevant sections of the topic Configuring Windchill to Use JDBC over SSL.
Configure the Oracle Database (Server Side)
1. Enable FIPS mode on the Oracle database:
a. Connect to the Oracle database using SQL*Plus.
b. Run the following command:
ALTER SYSTEM SET DBFIPS_140 = TRUE SCOPE = SPFILE;
This command enables FIPS mode at the database level.
c. Restart the Oracle database to apply the change.
d. Run the following command to verify that FIPS mode is enabled:
SHOW PARAMETER DBFIPS_140;
The output value must be set to TRUE, confirming that FIPS mode is active.
2. Enable TLS/SSL encryption in FIPS mode:
a. Locate the fips.ora file in the $ORACLE_HOME/ldap/admin directory. If the file does not exist, create it.
b. Add the following entry to the fips.ora file:
SSLFIPS_140=TRUE
3. Secure Oracle network communication using FIPS‑compliant TLS/SSL:
a. Ensure that the Oracle database allows TLS 1.2 or later for JDBC connections.
b. Edit the sqlnet.ora file and add the following entries:
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
These settings enforce encrypted network communication using FIPS‑approved algorithms.
4. Create an Oracle wallet while FIPS mode is enabled. Export the certificate from the wallet and make it available to the Windchill server.
If a wallet does not already exist, create one. For more information, see Creating and Exchanging Self-signed Certificate at Client and Server Side.
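The following check is an added example, not part of the original topic or of any PTC or Oracle tooling. It compares the contents of fips.ora and sqlnet.ora against the values given in steps 2 and 3, so that a missing entry or a weaker setting is reported before Windchill is reconfigured. The function names and the sample file contents are constructed for illustration.

```python
import re

# Settings this page asks for, keyed by file name (compared case-insensitively).
REQUIRED = {
    "fips.ora": {"SSLFIPS_140": {"TRUE"}},
    "sqlnet.ora": {
        "SQLNET.ENCRYPTION_SERVER": {"REQUIRED"},
        "SQLNET.ENCRYPTION_TYPES_SERVER": {"AES256"},
        "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER": {"SHA256"},
    },
}

def parse_ora(text):
    """Parse NAME = value or NAME = (v1, v2) lines into {NAME: set(values)}."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        m = re.match(r"^([\w.]+)\s*=\s*\(?([^()]*)\)?$", line)
        if m:
            values = {v.strip().upper() for v in m.group(2).split(",") if v.strip()}
            params[m.group(1).upper()] = values
    return params

def audit(file_name, text):
    """Return a list of findings; an empty list means the file matches the page."""
    found = parse_ora(text)
    findings = []
    for name, expected in REQUIRED[file_name].items():
        actual = found.get(name)
        if actual is None:
            findings.append(f"{file_name}: {name} is not set")
        elif actual != expected:
            findings.append(
                f"{file_name}: {name} = {sorted(actual)}, expected {sorted(expected)}")
    return findings

# Constructed sample: encryption is only requested, a second cipher is allowed,
# and the checksum entry is missing.
SAMPLE_SQLNET = """\
# constructed sample, not from a real server
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES128)
"""
SAMPLE_FIPS = "SSLFIPS_140=TRUE\n"

if __name__ == "__main__":
    for finding in audit("sqlnet.ora", SAMPLE_SQLNET) + audit("fips.ora", SAMPLE_FIPS):
        print(finding)
```

To check a real server, pass the text read from $ORACLE_HOME/ldap/admin/fips.ora and from the server's sqlnet.ora to audit().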
Configure the Windchill Server (Client Side)
1. Obtain the FIPS‑compliant certificates and import them into the Oracle wallet. For more information, see Creating and Exchanging Self-signed Certificate at Client and Server Side.
2. Stop the Windchill server.
3. Open the db.properties file and add the following entry:
wt.pom.dbConnectionPropertiesNameList=javax.net.ssl.keyStore,javax.net.ssl.keyStoreType,javax.net.ssl.keyStorePassword,javax.net.ssl.trustStore,javax.net.ssl.trustStoreType,javax.net.ssl.trustStorePassword
wt.pom.dbConnectionPropertiesValueList=<Certificate path>\server_keystore_oracleServer2.bcfks,BCFKS,<keyStorePassword>,<Certificate path>\server_keystore_oracleServer2.bcfks,BCFKS,<trustStorePassword>
4. Restart the Windchill server.
Windchill now connects to the Oracle database using FIPS‑compliant, TLS‑secured JDBC communication.