Configuring Oracle SQL*Net Encryption
To properly configure the Windchill RV&S server connection to Oracle Database, you must define a compatible connection from the client side (the Windchill RV&S server) to the server side (the Oracle Database). It is important to remember that in this scenario, the Windchill RV&S server is considered the client, and the Oracle Database is considered the server. For compatibility details, see the following Oracle documentation:
Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients: http://docs.oracle.com/cd/E11882_01/network.112/e40393/asojbdc.htm#ASOAG030
Of particular interest is “Table 9-1 Client/Server Negotiations for Encryption or Integrity” in the JDBC Client-Side Security Features document. The supported algorithms and checksums must overlap between the Windchill RV&S server and the Oracle Database. In this case the Windchill RV&S server acts as the client and the Oracle database acts as the server.
The Windchill RV&S server contains Oracle JDBC Thin driver version 19.3.0.0.0. As a result, it is limited to the supported set of algorithms and checksums provided by this version of the driver.
Setting the Properties
The Oracle documentation describes how to set data encryption parameters using a Java properties object with properties such as OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL. Windchill RV&S does not support this approach. Instead, you must set the matching Java system properties.
These properties map directly to the main configuration options that need to be set for the Windchill RV&S server connection to the database:
| Parameter | Values |
| --- | --- |
| oracle.net.encryption_client | One of the following: accepted, rejected, requested, required |
| oracle.net.encryption_types_client | A bracket-enclosed, comma-separated list of any of the following supported algorithms: AES256, AES192, AES128, 3DES168, 3DES112, DES56C, DES40C, RC4_256, RC4_128, RC4_40, RC4_56 |
| oracle.net.crypto_checksum_client | One of the following: accepted, rejected, requested, required |
| oracle.net.crypto_checksum_types_client | A bracket-enclosed, comma-separated list of any of the following supported algorithms: MD5, SHA1 |
In the <Windchill RV&S Server Installation Directory>/config/mksservice.conf file, define these properties by adding mks.java.additional.<index> properties, where <index> is a number that must be unique among the additional properties. This provides the configuration information needed for the Oracle JDBC connection to the Windchill RV&S server. You must make equivalent changes for the command line utilities provided with the server by adding the system properties to the LAX files inside the <Windchill RV&S Server Installation Directory>/bin directory: isutil.lax, PatchServer.lax, collectSupportPackage.lax, and encryptPassword.lax. The system properties must be appended to the lax.nl.java.option.additional property.
The following example configures the Windchill RV&S server and the supporting command line utilities to use SQL*Net encryption for the following scenario:
Encryption is required.
Encryption will be limited to the DES40C algorithm.
Checksums are required.
Checksums will be limited to the MD5 algorithm.
The first task is to update the mksservice.conf file. If this file already has additional properties defined up to index 30, you would add the following:
mks.java.additional.31=-Doracle.net.encryption_client=REQUIRED
mks.java.additional.32=-Doracle.net.encryption_types_client="( DES40C )"
mks.java.additional.33=-Doracle.net.crypto_checksum_client=REQUIRED
mks.java.additional.34=-Doracle.net.crypto_checksum_types_client="( MD5 )"
The second task is to update the LAX files. Following is the current lax.nl.java.option.additional property in this example:
lax.nl.java.option.additional=-XX:+UseCompressedOops -Dmks.installDir=
c:/example/Windchill/RVSServer13 -Dmks.install=server -Duser.language=en
-Djava.util.Arrays.useLegacyMergeSort=true -Djdk.lang.Process.
allowAmbiguousCommands=true -Dhttps.protocols=TLSv1.2,TLSv1.3
-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3
Note: In the LAX file, this property appears on one line. Line breaks have been added here for readability.
The property would be updated as follows:
lax.nl.java.option.additional=-XX:+UseCompressedOops -Dmks.installDir=
c:/example/Windchill/RVSServer13 -Dmks.install=server -Duser.language=en
-Djava.util.Arrays.useLegacyMergeSort=true -Djdk.lang.Process.
allowAmbiguousCommands=true -Dhttps.protocols=TLSv1.2,TLSv1.3
-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Doracle.net.
encryption_client=REQUIRED -Doracle.net.encryption_types_
client="( DES40C )" -Doracle.net.crypto_checksum_client=REQUIRED
-Doracle.net.crypto_checksum_types_client="( MD5 )"
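Because the same four properties have to be kept in step across mksservice.conf and each LAX file, a consistency check is useful after editing them. The following Python script is an added example, not code from PTC or Oracle: the function names and the sample file contents are constructed for illustration, and it assumes that a leading # marks a comment line in both file types.

```python
import re

LEVELS = {"ACCEPTED", "REJECTED", "REQUESTED", "REQUIRED"}
ALLOWED = {  # parameters and supported values from the table on this page
    "oracle.net.encryption_client": LEVELS,
    "oracle.net.encryption_types_client": {
        "AES256", "AES192", "AES128", "3DES168", "3DES112", "DES56C",
        "DES40C", "RC4_256", "RC4_128", "RC4_40", "RC4_56"},
    "oracle.net.crypto_checksum_client": LEVELS,
    "oracle.net.crypto_checksum_types_client": {"MD5", "SHA1"},
}
OPTION = re.compile(r'-D(oracle\.net\.\w+)=("[^"]*"|\S+)')

def parse_options(text):
    """Map each live -Doracle.net.* option to its values ('#' comment lines assumed)."""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {name: {v.strip().upper() for v in raw.strip('"() ').split(",") if v.strip()}
            for name, raw in OPTION.findall(live)}

def audit(service_conf, lax_text):
    """Return findings; an empty list means both files are valid and agree."""
    indexes = re.findall(r"^mks\.java\.additional\.(\d+)=", service_conf, re.M)
    findings = [f"mksservice.conf: index {i} is defined more than once"
                for i in sorted(set(indexes), key=int) if indexes.count(i) > 1]
    lax_lines = re.findall(r"^lax\.nl\.java\.option\.additional=.*$", lax_text, re.M)
    conf, lax = parse_options(service_conf), parse_options("\n".join(lax_lines))
    for name, allowed in ALLOWED.items():
        for label, opts in (("mksservice.conf", conf), ("LAX file", lax)):
            bad = sorted(opts.get(name, set()) - allowed)
            if name not in opts:
                findings.append(f"{label}: {name} is not set")
            elif bad:
                findings.append(f"{label}: {name} has unsupported value {bad}")
        if name in conf and name in lax and conf[name] != lax[name]:
            findings.append(f"{name} differs between mksservice.conf and the LAX file")
    return findings

# Constructed sample input: index 33 is reused and the LAX checksum level has drifted.
SAMPLE_CONF = '''mks.java.additional.31=-Doracle.net.encryption_client=REQUIRED
mks.java.additional.32=-Doracle.net.encryption_types_client="( AES256, AES192 )"
mks.java.additional.33=-Doracle.net.crypto_checksum_client=REQUIRED
mks.java.additional.33=-Doracle.net.crypto_checksum_types_client="( SHA1 )"'''
SAMPLE_LAX = ('lax.nl.java.option.additional=-Doracle.net.encryption_client=REQUIRED '
              '-Doracle.net.encryption_types_client="( AES256, AES192 )" '
              '-Doracle.net.crypto_checksum_client=REQUESTED '
              '-Doracle.net.crypto_checksum_types_client="( SHA1 )"')

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, SAMPLE_LAX)) or "no findings")
```

The script checks syntax and consistency only, not strength: DES40C (40-bit DES) and MD5 are among the weakest entries in the supported lists, so AES256 and SHA1 are the better choices whenever the database side also offers them.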