Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. IT Analytics Help
  3. Section XVI. System Administration
  4. Appendix G. Configure TLS-enabled Oracle database on IT Analytics Portal and data receiver
  5. Configure TLS in Oracle with IT Analytics on Linux in split architecture

Configure TLS in Oracle with IT Analytics on Linux in split architecture

In a split architecture, database and IT Analytics Portal are on different systems.

Step 1: Configure Oracle wallet on the server side.

  1. Login as Oracle user.
    su -aptare
  2. Create a directory server_wallet on the server system to store the server wallet.
    mkdir /opt/aptare/oracle/network/server_wallet
  3. Create an empty wallet for the Oracle server with auto login enabled.
    orapki wallet create -wallet "/opt/aptare/oracle/network/server_wallet" -pwd <password> -auto_login
  4. Add a self-signed certificate in the wallet. A new pair of private/public keys is created at this stage.
    orapki wallet add -wallet "/opt/aptare/oracle/network/server_wallet" -pwd <password> -dn "CN=<server_machine_name>" -keysize 2048 -self_signed -validity <# of days>
  5. Check the contents of the wallet. Verity whether the self-signed certificate is a trusted certificate.
    orapki wallet display -wallet "/opt/aptare/oracle/network/client_wallet" -pwd <password>
  6. Export the certificate so that it can be loaded into the client wallet later.
    orapki wallet export -wallet "/opt/aptare/oracle/network/server_wallet" -pwd <password> -dn "CN=<server_machine_name>" -cert <SERVER_WALLET>\<server-certificate-name>.crt
  7. Check whether the certificate is exported to the above directory.

Step 2: Configure Oracle wallet for client application

  1. Login as Oracle user.
    su - aptare
  2. Create a directory client_wallet on the client system to store the client wallet.
    mkdir /opt/aptare/oracle/network/client_wallet
  3. Create a wallet for the Oracle client. Create an empty wallet with auto login enabled.
    orapki wallet create -wallet "/opt/aptare/oracle/network/client_wallet" -pwd <password> -auto_login
  4. Add a self-signed certificate in the wallet. A new pair of private/public keys are created at this stage.
    orapki wallet add -wallet "/opt/aptare/oracle/network/client_wallet" -pwd <password> -dn "CN=<client_machine_name>" -keysize 2048 -self_signed -validity <# of Days>
  5. Check the contents of the wallet. Verify that the self-signed certificate is both a user and a trusted certificate.
    orapki wallet display -wallet "/opt/aptare/oracle/network/client_wallet" -pwd <password>
  6. Export the certificate so that it can be loaded into the server wallet later.
    orapki wallet export -wallet "/opt/aptare/oracle/network/client_wallet" -pwd <password> -dn "CN=<client_machine_name>" -cert <CLIENT_WALLET>\<client-certificate-name>.crt
  7. Check whether the certificate is exported to the above directory.
  8. Make sure the Oracle service user can access the wallet file cwallet.sso.

Step 3: Perform client-server exchange certificate process.

  1. Repeat these steps on each of the database client systems:
    • Copy <server-certificate-name>.crt from the server system to the client system /opt/aptare/oracle/network/client_wallet folder.

    • Copy <client-certificate-name>.crt from the client system to the server system /opt/aptare/oracle/network/server_wallet folder.

    • After copying certificate file, change the owner to Oracle service user on the client system.

      On the client system:

      chown aptare:aptare <server-certificate-name>.crt

      On the server system:

      chown aptare:aptare <client-certificate-name>.crt
  2. Load the server certificate into the client wallet.
    orapki wallet add -wallet "/opt/aptare/oracle/network/client_wallet" -pwd <password> -trusted_cert -cert /opt/aptare/oracle/network/client_wallet/<server-certificate-name>.crt
  3. Check the contents of the client wallet. Note that the server certificate is now included in the list of trusted certificates.
    orapki wallet display -wallet "/opt/aptare/oracle/network/client_wallet" -pwd <password>
  4. Load the client certificate into the server wallet.
    orapki wallet add -wallet "/opt/aptare/oracle/network/server_wallet" -pwd <password> -trusted_cert -cert /opt/aptare/oracle/network/server_wallet/<client-certificate-name>.crt
  5. Check the contents of the server wallet. Note that the client certificate is now included in the list of trusted certificates.
    orapki wallet display -wallet "/opt/aptare/oracle/network/server_wallet" -pwd <password>

Step 4: Configure the Oracle database to listen for TCPS connection (Server/Oracle system). In the steps below, host is Oracle server IP address and /opt/aptare/oracle/network/server_wallet is the server wallet location.

  1. Stop Oracle listener.
    lsnrctl stop
  2. Modify the listener.ora (/opt/aptare/oracle/network/admin/listener.ora).
    LISTENER = 
    		(DESCRIPTION_LIST = 
         (DESCRIPTION = 
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC)) 
          (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484))
         )
      )

    Append the below line at the end of the file.

    SSL_CLIENT_AUTHENTICATION = FALSE 
    SECURE_PROTOCOL_LISTENER=(IPC) 
    WALLET_LOCATION = 
        (SOURCE = 
          (METHOD = FILE) 
          (METHOD_DATA = 
             (DIRECTORY = /opt/aptare/oracle/network/server_wallet) 
          ) 
        ) 
    /opt/aptare/oracle/network/server_wallet
  3. Modify the sqlnet.ora file (/opt/aptare/oracle/network/admin/sqlnet.ora).
    SSL_CLIENT_AUTHENTICATION = FALSE 
      WALLET_LOCATION = 
        (SOURCE = 
           (METHOD = FILE) 
           (METHOD_DATA = 
              (DIRECTORY = /opt/aptare/oracle/network/server_wallet) 
           ) 
        )
    
    SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA) SQLNET.WALLET_OVERRIDE = TRUE
  4. Modify the tnsnames.ora file (/opt/aptare/oracle/network/admin/tnsnames.ora)
    SCDB =       
         (DESCRIPTION = 
            (ADDRESS= 
                (PROTOCOL=TCPS) 
                (HOST=xx.xx.xx.xx) 
                (PORT=2484) 
            ) 
            (CONNECT_DATA=(SERVICE_NAME=scdb)(SID=SCDB)) 
        )
  5. Start the Oracle service.
    lsnrctl start
  6. Check the listener status.
    lsnrctl status

Step 5: Configure the Oracle database to listen for TCPS connection on the client system. Configure the listener.ora and sqlnet.ora files on the database server using the following steps. In the procedure below, host is Oracle server IP address and /opt/aptare/oracle/network/server_wallet is the server wallet location.

  1. Modify the listener.ora (/opt/aptare/oracle/network/admin/listener.ora) and add the below contents.
    LISTENER = 
       (DESCRIPTION_LIST = 
          (DESCRIPTION = 
             (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC)) 
             (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484)) 
          ) 
       )

    Add below line at the end of file:

     SSL_CLIENT_AUTHENTICATION = FALSE 
        SECURE_PROTOCOL_LISTENER=(IPC) 
        WALLET_LOCATION = 
         (SOURCE = 
           (METHOD = FILE) 
           (METHOD_DATA = 
             (DIRECTORY = /opt/aptare/oracle/network/client_wallet) 
         ) 
      )   
    /opt/aptare/oracle/network/client_wallet
  2. Modify the sqlnet.ora file (/opt/aptare/oracle/network/admin/sqlnet.ora).
    SSL_CLIENT_AUTHENTICATION = FALSE 
        WALLET_LOCATION = 
           (SOURCE = 
             (METHOD = FILE) 
             (METHOD_DATA = 
               (DIRECTORY = /opt/aptare/oracle/network/client_wallet) 
             ) 
           )
    
    SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA) SQLNET.WALLET_OVERRIDE = TRUE
  3. Modify the tnsnames.ora (/opt/aptare/oracle/network/admin/tnsnames.ora)
    SCDB = 
       (DESCRIPTION = 
           (ADDRESS= 
               (PROTOCOL=TCPS) 
               (HOST=xx.xx.xx.xx) 
               (PORT=2484) 
           ) 
           (CONNECT_DATA=(SERVICE_NAME=scdb)(SID=SCDB)) 
        )
  4. Test Oracle connection using sqlplus.
    sqlplus username/password@dbService

Step 6: Load Oracle server wallet certificate to the portal and upgrader Java KeyStore.

  1. Login as a root user.
  2. Add server certificate in portal Java.
    cd /usr/java/bin 
    keytool -import -trustcacerts -alias ora_server_cert -file /opt/aptare/oracle/network/client_wallet/server-cert-db.crt -keystore /usr/java/lib/security/cacerts 
    password: changeit
  3. Add server certificate in upgrader Java.
    cd /opt/aptare/upgrade/jre/bin 
    keytool -import -trustcacerts -alias ora_server_cert -file /opt/aptare/oracle/network/client_wallet/server-cert-db.crt -keystore /opt/aptare/upgrade/jre/lib/security/cacerts 
    password: changeit

Step 7: Modify connection URL in the portal and receiver property file.

  1. Stop portal and agent services.
    /opt/aptare/bin/tomcat-portal stop
    /opt/aptare/bin/tomcat-agent stop
  2. Modify database URL in /opt/aptare/portalconf/portal.properties.
    db.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)
    (HOST=xx.xx.xx.xx)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SCDB)))
  3. Modify database URL in /opt/aptare/datarcvrconf/datrarcvrproperties.xml.
    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)
    (HOST=xx.xx.xx.xx)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SCDB)))
  4. Start portal and agent services.
    /opt/aptare/bin/tomcat-portal start
    /opt/aptare/bin/tomcat-agent start

Feedback

Was this page helpful?
Previous

TLS in Oracle environment

Next

Configure TLS in Oracle with IT Analytics on Linux in non-split architecture

Feedback

Was this page helpful?