Unable to establish a secure connection to Oracle over TLS
Article ID: 221002

Products

Data Loss Prevention

Issue/Introduction

Unable to establish a secure connection to Oracle over TLS

Cause

TLS 1.0 is being used which Oracle rejects

Resolution

Except for DLP 15.8 MP1 and later and DLP 15.7 MP3, DLP uses TLS 1.0 by default when communicating with the Oracle database. If Oracle 19 is at a recent patch level, or the DBA has disabled TLS 1.0, the connection fails.

To address this, the connection must be forced to TLS 1.2. A hotfix is required to accomplish this; request it from support and reference this KB. This change is built into 15.8 MP1. If you are on an earlier release, follow the instructions below to enable it:

  1. Stop all DLP services running on Enforce.
  2. Make a backup of ojdbc7-12.1.0.2.0.jar from the folder /DataLossPrevention/ServerPlatformCommon/15.7/Protect/lib/jar. Note: the backup must be moved to a folder outside of the DataLossPrevention folder.
  3. Make a backup of all .conf files from the folder /DataLossPrevention/EnforceServer/Services. Note: the backups must be moved to a folder outside of the DataLossPrevention folder.
  4. Copy and replace the provided ojdbc7-12.1.0.2.0.jar from the ojdbc7 TLS 1.2 HF.zip into the folders:
    a. /DataLossPrevention/ServerPlatformCommon/15.7/Protect/lib/jar
    b. /DataLossPrevention/EnforceServer/15.7/Protect/tomcat/lib
  5. Update the following .conf files in the folder /DataLossPrevention/EnforceServer/Services:
    a. SymantecDLPDetectionServerController.conf
    b. SymantecDLPIncidentPersister.conf
    c. SymantecDLPManager.conf
  6. In each .conf file, find the line "wrapper.java.additional.202" and insert under it the line "wrapper.java.additional.203 = -Doracle.net.ssl_version=1.2".
  7. Once completed, save the files and start all services.
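Steps 3, 5 and 6 are easy to get subtly wrong by hand (a duplicated property number, a missing backup, the line inserted in the wrong place). The following POSIX sh script is an added example, not part of this KB or of the DLP product, that performs the backup and the edit identically for each file and can be re-run safely. It assumes the Java Service Wrapper layout the KB describes: each .conf file contains a `wrapper.java.additional.202` line and property number 203 is not yet in use. The backup directory (`/root/dlp-conf-backup` in the usage comment) is an assumed location outside the DataLossPrevention folder; choose your own.

```shell
#!/bin/sh
# Added example (not from the KB): back up a wrapper .conf file and insert the
# Oracle TLS 1.2 JVM option directly under wrapper.java.additional.202.
# Assumptions: the file has a wrapper.java.additional.202 line and number 203
# is unused, which is what the KB's steps 5 and 6 rely on.

TLS12_PROP='wrapper.java.additional.203 = -Doracle.net.ssl_version=1.2'

# backup_conf FILE BACKUP_DIR: copy FILE into BACKUP_DIR with a timestamp suffix.
# BACKUP_DIR must sit outside the DataLossPrevention tree, as the KB requires.
backup_conf() {
    mkdir -p "$2" || return 1
    cp -p "$1" "$2/$(basename "$1").$(date +%Y%m%d%H%M%S).bak"
}

# add_tls12_prop FILE: insert TLS12_PROP on the line after the .202 property.
# Returns 0 when the file carries the property afterwards, 1 when the .202
# anchor is missing (the file is then left untouched rather than guessed at).
add_tls12_prop() {
    conf="$1"
    # Idempotent: a second run must not add a duplicate .203 property.
    if grep -q '^wrapper\.java\.additional\.203' "$conf"; then
        return 0
    fi
    grep -q '^wrapper\.java\.additional\.202' "$conf" || return 1
    tmp="$conf.tmp.$$"
    awk -v prop="$TLS12_PROP" '
        { print }
        /^wrapper\.java\.additional\.202/ && !inserted { print prop; inserted = 1 }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# count_tls12_prop FILE: how many lines set the .203 property (expect exactly 1).
count_tls12_prop() {
    grep -c '^wrapper\.java\.additional\.203' "$1"
}

# Usage on Enforce, after stopping the DLP services (step 1):
#   for f in /DataLossPrevention/EnforceServer/Services/SymantecDLPDetectionServerController.conf \
#            /DataLossPrevention/EnforceServer/Services/SymantecDLPIncidentPersister.conf \
#            /DataLossPrevention/EnforceServer/Services/SymantecDLPManager.conf; do
#       backup_conf "$f" /root/dlp-conf-backup && add_tls12_prop "$f" \
#           && echo "$f: $(count_tls12_prop "$f") TLS 1.2 property line(s)"
#   done
```

Running `count_tls12_prop` on each file after the edit is a quick check that exactly one property line was added before the services are started again in step 7.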


Notes:
You can see this behavior in a Wireshark capture taken on the Enforce server. You should see a Client Hello going from Enforce to Oracle, then Oracle sending a FIN right after it, followed by a handshake failure. The key point is that the handshake never reaches the certificate exchange. If it does reach the certificate exchange and you still see the error, most likely you need to import the certificate as described in the installation/upgrade guide: follow the steps in "About securing communications between the Enforce Server and the database" in the 15.7 installation and upgrade guides.

In the case of DLP 15.8 MP1 and DLP 15.7 MP3, the new jar file is already in place, but steps 5, 6 and 7 must still be performed to force communication with the Oracle database over TLS 1.2.