Introduction

• JS1 offers two levels of integration with an Oracle DBMS:
  • JS1 supports use of Oracle as the database for this scenario see JS7 - How to make JOC Cockpit connect to an Oracle database using Wallet®.
  • JS1 offers job templates from JITL Jobs that can be used to access Oracle databases.
    • Such jobs are preferably executed with Agents, therefore the below explanations apply to servers for which Agents are operated.

• For both scenarios users might prefer not to provide a user account and password for authentication with the DBMS from readable files.

  • Use of passwords is considered insecure when passwords are stored in clear text in external files or in job parameters.
  • JS1 offers Using a Credential Store for Jobs as an alternative way to store and to retrieve passwords.
  • The Oracle Wallet® provides a credential store to connect to an Oracle database without specifying a user account and password from parameters or from readable files.
• The following JITL Jobs can be used with Oracle Wallet®:
  • Job JobSchedulerManagedDatabaseJobSOSHibernate: Standard JDBC Job for any DBMS
  • Job JobSchedulerPLSQLJob: PL/SQL JDBC job for Oracle DBMS
  • Job SOSSQLPlusJob: SQL*Plus Command Line Client

Oracle Wallet®

The Oracle Wallet® configuration is explained with the Oracle documentation:

• Configuring clients to use the External Password Store e.g. in http://docs.oracle.com/cd/B19306_01/network.102/b14266/cnctslsh.htm#CBHEHGCE
• Or as a more condensed version from the Oracle-Base web site e.g. in https://oracle-base.com/articles/10g/secure-external-password-store-10gr2
• The location of the docs depends on the specific Oracle version in use.

Prerequisites

Oracle Wallet®

Except for use of the Job SOSSQLPlusJob no Oracle Client installation is required at run-time for use of a wallet with JS1 Agents.

However, users need an Oracle Client to set up and to configure the wallet.

• The wallet does not necessarily have to be created on the machines where JS1 Agents are located. The wallet preferably consists of a number of keystore and truststore files that can be copied from a remote machine to the servers that host the JS1 Agents.

• Typical commands to create a wallet include for example:
  
  

  Example how to set up a wallet

  # create the wallet in an arbitrary location
  mkstore -wrl /home/js1/wallet -create
  
  # add credentials to the wallet; specify key, user account and password for database access
  mkstore -wrl /home/js1/wallet/ -createCredential js1 some_account some_password
  
  # check that the key has been added to the wallet
  mkstore -wrl  /home/js1/wallet/  -listCredential

Oracle JDBC Driver

The Job JobSchedulerManagedDatabaseJobSOSHibernate and Job JobSchedulerPLSQLJob make use of the Oracle JDBC Driver.

• Check the Oracle JDBC Driver version that ships with the JS1 release, see Which common Database Management Systems are supported by JobScheduler. A newer JDBC Driver might be available for download from Oracle.
• Oracle JDBC Drivers that ship for release 18c of the DBMS are reported to work. Previous Oracle JDBC Driver releases, for example 12c, are reported not to work with Oracle Wallet® when used by JS1. If in doubt use the Oracle JDBC Driver version that matches the version of the DBMS.
• Users who want to use a specific version of the Oracle JDBC Driver can apply the following steps:
  • For on premises installations store the Oracle JDBC Driver's .jar file in the SCHEDULER_HOME/lib/user_lib directory of the Agent installation directory.

Oracle PKI Libraries

The Job JobSchedulerManagedDatabaseJobSOSHibernate and Job JobSchedulerPLSQLJob make use of Oracle PKI Libraries.

• The Oracle PKI libraries are required and have to match the version of the Oracle DBMS and Oracle JDBC Driver.
• The .jar files are offered by Oracle for download and are available from an Oracle Client installation for example from:
  • ORACLE_HOME/jlib/oraclepki.jar
  • ORACLE_HOME/jlib/osdt_cert.jar
  • ORACLE_HOME/jlib/osdt_core.jar
• For on premises installations store the Oracle PKI libraries to the SCHEDULER_HOME/lib/user_lib directory of the JS1 Agent installation directory.

Configuration

Hibernate hibernate.cfg.xml Configuration File

The Job JobSchedulerManagedDatabaseJobSOSHibernate makes use of a Hibernate configuration file.

The Job JobSchedulerPLSQLJob does not use a Hibernate configuration file but uses the job argument db_url for the database URL.

• The below explanations about use of a URL such as jdbc:oracle:thin:@/js1?tns_admin=/home/js1/wallet similarly apply.
• For use with Oracle Wallet® the job arguments db_user and db_password are omitted.

A Hibernate configuration file by default is looked up from SCHEDULER_DATA/config/hibernate.cfg.xml. The Hibernate configuration can look like this:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
 <session-factory>
  <property name="hibernate.connection.driver_class">oracle.jdbc.OracleDriver</property>
  <property name="hibernate.connection.password"></property>
  <property name="hibernate.connection.url">jdbc:oracle:thin:@/js1?tns_admin=/home/js1/wallet</property>
  <property name="hibernate.connection.username"></property>
  <property name="hibernate.dialect">org.hibernate.dialect.Oracle12cDialect</property>
  <property name="hibernate.show_sql">false</property>
  <property name="hibernate.connection.autocommit">false</property>
  <property name="hibernate.format_sql">true</property>
  <property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>
 </session-factory>
</hibernate-configuration>

• Consider the empty elements that are used for the account and password. Do not delete the respective elements from the Hibernate configuration file.
• The connection URL specifies js1 as the key to an entry in the wallet.
• The URL parameter tns_admin is used to specify the directory of the tnsnames.ora configuration file. JDBC Connections usually do not need this configuration file as connection details (Listener, Service Name, Service ID) are specified with the URL. However, due to use of the js1 key to the wallet in the URL it is preferable to manage connection details from a tnsnames.ora configuration file.
• In the above example this file is located in the /home/js1/wallet directory that in fact is the directory where the wallet is located. This location is not authoritative as the file can reside in any directory that is accessible to JOC Cockpit.
• Consider that an sqlnet.ora configuration file is not used with the above setup of a JDBC connection.

Oracle tnsnames.ora Configuration File

Use of the tnsnames.ora file applies to all JITL Jobs.

The following example is not authoritative but is intended to explain a few basic settings:

# tnsnames.ora Network Configuration File: /home/js1/product/18.0.0/dbhomeXE/NETWORK/ADMIN/tnsnames.ora
# Generated by Oracle configuration tools.

JS1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.11.0.99)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = JS1)
    )
  )

LISTENER_JS1 =
  (ADDRESS = (PROTOCOL = TCP)(HOST = 192.11.0.99)(PORT = 1521))


ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (CONNECT_DATA =
      (SID = CLRExtProc)
      (PRESENTATION = RO)
    )
  )

Explanation:

• Line 4: The name JS1 of the first entry in this file corresponds to the key for which credentials have been stored to the wallet.
• Line 5-9: The settings indicate the Listener's host and port and the database Service Name or Service ID.

Wallet Location for Java

The Job SOSSQLPlusJob identifies the wallet location from its sqlnet.ora configuration file.

The Job JobSchedulerManagedDatabaseJobSOSHibernate and Job JobSchedulerPLSQLJob identify the wallet location from a Java define.

• Configure the location of the wallet by use of a Java define like this: 
  -Doracle.net.wallet_location=/home/js1/wallet. This setting should point to the directory where the wallet files are located. This setting can be specified for an Agent with one of the following options:
  
  • specify the JAVA_OPTIONS environment variable before running the jobscheduler_agent_<port>.sh|.cmd Instance Start Script.
  • for Unix add the JAVA_OPTIONS environment variable to the systemd service file.

Using Oracle Wallet® for the JITL JobSchedulerManagedDatabaseJobSOSHibernate

JS1 offers the Job JobSchedulerManagedDatabaseJobSOSHibernate template for use with Oracle Wallet®.

The job template is running with JS1 Agents and performs standard SQL operations for any DBMS including Oracle. This job template cannot be used to execute PL/SQL code that is specific for Oracle.

Prerequisites

All of the above explained Prerequisites apply.

Configuration

All of the above explained Configuration items apply.

Using Oracle Wallet® for the JITL JobSchedulerPLSQLJob

JS1 offers the Job JobSchedulerPLSQLJob template for use with Oracle Wallet®.

The job template is running with JS1 Agents and can be used to execute PL/SQL code that is specific for Oracle. This job template can be used for the Oracle DBMS only.

Prerequisites

All of the above explained Prerequisites apply.

Configuration

All of the above explained Configuration items apply.

Using Oracle Wallet® for the JITL SOSSQLPlusJob

JS1 offers the Job SOSSQLPlusJob template for use with Oracle Wallet®.

The job template is running with JS1 Agents and makes use of the sqlplus Command Line Client. This job template requires prior installation of an Oracle Client that includes the SQL*Plus Command Line Client.

Prerequisites

Prerequisites to execute SQL*Plus with Oracle Wallet® include that

• the Oracle Client including SQL*Plus is installed
• the following environment variables are set: ORACLE_HOME, LD_LIBRARY_PATH=$ORACLE_HOME/lib, TNS_ADMIN

The prerequisites for setting up the wallet are the same as explained above with chapter Prerequisites, Oracle Wallet®.

• Add the location of the wallet to your sqlnet.ora configuration file, for example:
  
  • WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/js1/wallet)))
  • Additional entries will be required for this file, please check Oracle's documentation.
• This file is required by SQL*Plus and allows to execute the command line client like this: sqlplus /@js1. 
• The  js1 is the key for the tnsnames.ora configuration file to identify the database connection settings and for the wallet to identify the matching credentials.

Configuration

Environment Variables

The prerequisites to set environment variables for use of SQL*Plus with Oracle Wallet® can be met

• by adding environment variable to the Agent Instance Start Script.

Environment Variables from the Agent Instance Start Script

• Adjust Agent Instance Start Script
  • For Unix add environment variables to the Agent Instance Start Script SCHEDULER_HOME/bin/jobscheduler_agent_<port>.sh
    • ORACLE_HOME=/some_location
LD_LIBRARY_PATH=$ORACLE_HOME/lib
TNS_ADMIN=/some_location
export ORACLE_HOME LD_LIBRARY_PATH TNS_ADMIN
  • For Windows add environment variables to the Agent Instance Start Script SCHEDULER_HOME\bin\jobscheduler_agent_<port>.cmd
    • set ORACLE_HOME=C:\some_location
set LD_LIBRARY_PATH=%ORACLE_HOME%\lib
set TNS_ADMIN=C:\some_location
  • The Instance Start Script is executed on startup of the Agent in the context of the user account that the Agent is operated for. The environment variables are forwarded to subsequent jobs in a workflow.
• Restart the Agent.

Oracle sqlnet.ora Configuration File

This file is located in the directory specified by the TNS_ADMIN environment variable. The wallet location is identified from the sqlnet.ora configuration file.

The following example is not authoritative but is intended to explain a few basic settings:

# sqlnet.ora Network Configuration File: /home/js1/product/18.0.0/dbhomeXE/NETWORK/ADMIN/sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES= (NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/js1/wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0

Explanation:

• The wallet location specified from /home/js1/wallet is a possible location. Any location that is within reach of the JS1 Agent and that allows to read the wallet's files can be used.