Connection String for ColdFusion (using Oracle Advanced Security)

Oracle has introduced a new security feature, Oracle Advanced Security (OAS), for Oracle databases. This feature provides better data encryption and other advanced security features to secure user data. For more details on OAS, see: http://www.oracle.com/technetwork/database/options/advanced-security/overview/index.html

After enabling this feature on an Oracle database, a user can create the connection using the connection string provided by Oracle with the help of the Oracle JDBC drivers. However, when creating the secure connection from ColdFusion, the basic connection string fails with an error. The connection string and the error message are shown below:

Basic Connection String:

jdbc:macromedia:oracle://<our DB server host name here>:1521;ServiceName=CF;ConnectionRetryCount=3;ConnectionRetryDelay=3;LoadBalancing=true;failover=true;jdbcbehavior=0;

Connection verification failed for data source: oracle_encrypted

java.sql.SQLException: [Macromedia][Oracle JDBC Driver]ORA-12660: Encryption or crypto-checksumming parameters incompatible

The root cause was that: java.sql.SQLException: [Macromedia][Oracle JDBC Driver]ORA-12660: Encryption or crypto-checksumming parameters incompatible

The Macromedia driver, which ships with ColdFusion, fully supports Oracle Advanced Security. Before applying the fix, check the encryption types (for example, AES256, AES128, 3DES168) and the data integrity types (for example, MD5). You can find these details in the TNS.ORA file; also check with the DBA for these details.

Follow the steps below:

  1. Verify the connection string:
    URL: jdbc:macromedia:oracle://HOST_Name:PORT;SERVICENAME=SERVICE_NAME;jdbcbehavior=0;EncryptionLevel=required;EncryptionTypes=(AES256, AES128, 3DES168);DataIntegrityLevel=required;DataIntegrityTypes=(MD5);
    Driver Class: macromedia.jdbc.MacromediaDriver
  2. Log in to ColdFusion Administrator. Click Data & Services > Data Sources. Choose OAS as the data source and Other as the driver. Click Add.
  3. Add the URL, Driver Class, and Username/Password.

 

Note: Once you click Submit, you may receive an Unlimited Policy exception:

Connection verification failed for data source: oracle_encrypted

java.sql.SQLException: [Macromedia][Oracle JDBC Driver]Failure due to insufficient maximum key length according to the installed JCE jurisdiction policy files. Please install “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files

The root cause was that: java.sql.SQLException: [Macromedia][Oracle JDBC Driver]Failure due to insufficient maximum key length according to the installed JCE jurisdiction policy files. Please install “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files

 

To resolve the issue, download the Unlimited Policy JAR files from the Oracle website at the link given below:

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

  • Extract the zip.
  • Stop the ColdFusion service and go to this folder: ColdFusion2016\jre\lib\security. Back up the entire “security” folder, then replace its files with the ones you extracted from the ZIP.
  • Restart ColdFusion and try again.
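
To confirm whether the policy files are what is blocking the connection, here is an added example (not from the original post, Adobe or Oracle) that reads the EncryptionTypes list from a data source URL and asks the JRE whether its installed JCE policy permits each key size. The class name OasKeyLengthCheck and the mapping of the AES*/3DES* names to the JCE algorithms AES and DESede are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;

// Added example, not Adobe or Oracle code. The JCE policy files are per JRE,
// so run this with the java binary of the JRE that ColdFusion uses.
public class OasKeyLengthCheck {
    private static final Pattern TYPES =
        Pattern.compile("EncryptionTypes=\\(([^)]*)\\)", Pattern.CASE_INSENSITIVE);
    // Assumption: names such as AES256 or 3DES168 mean <cipher><key bits>.
    private static final Pattern NAME =
        Pattern.compile("(AES|3DES)(\\d{2,4})", Pattern.CASE_INSENSITIVE);
    // Maps each algorithm listed in EncryptionTypes=(...) to a verdict.
    static Map<String, String> check(String url) throws NoSuchAlgorithmException {
        Map<String, String> verdicts = new LinkedHashMap<>();
        Matcher list = TYPES.matcher(url);
        if (!list.find()) {
            return verdicts; // the URL sets no EncryptionTypes property
        }
        for (String raw : list.group(1).split(",")) {
            String name = raw.trim();
            Matcher m = NAME.matcher(name);
            if (!m.matches()) {
                verdicts.put(name, "not recognised by this example, not checked");
                continue;
            }
            // Assumption: AES* maps to JCE "AES", 3DES* to JCE "DESede".
            String jce = m.group(1).equalsIgnoreCase("AES") ? "AES" : "DESede";
            int needed = Integer.parseInt(m.group(2));
            int max = Cipher.getMaxAllowedKeyLength(jce);
            verdicts.put(name, needed <= max
                ? "allowed by the installed policy"
                : "BLOCKED: installed policy caps " + jce + " at " + max + " bits");
        }
        return verdicts;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the URL shape from step 1 with placeholder host, port and service.
        String sample = "jdbc:macromedia:oracle://HOST_Name:1521;SERVICENAME=SERVICE_NAME;"
            + "EncryptionLevel=required;EncryptionTypes=(AES256, AES128, 3DES168);"
            + "DataIntegrityLevel=required;DataIntegrityTypes=(MD5);";
        check(args.length > 0 ? args[0] : sample)
            .forEach((type, verdict) -> System.out.println(type + ": " + verdict));
    }
}
```

Run it before and after replacing the policy files, passing your own data source URL as the first argument; a BLOCKED line means that JRE still enforces the limited policy for that key size.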

 

One Response

  1. I had to deal with this exact same issue on ColdFusion 11 when our DBAs turned on advanced security. I don’t know if the above would also work on CF11 but here’s what I did to get it to work.

    I updated our JVM to the latest supported version. It turned out I didn’t need to do this step but it was overdue so a good idea. I still chose Oracle as the driver type for the db. Next I had to add this “EncryptionLevel=accepted;;EncryptionTypes=(AES256, 3DES168, 3DES112);DataIntegrityLevel=required;DataIntegrityTypes=(MD5);” in the connection string field to get past the first error about requiring “Oracle Advanced Security”. That got rid of that error but then I got a key length error. To get that error resolved I had to install the Java Cryptography Extension files to allow for unlimited strength keys (http://www.petefreitag.com/item/803.cfm).

    Priyasha’s post is much cleaner to implement but as I don’t know if it’ll work in CF11 I wanted to share how I got it to work. I plan on trying this post’s method out to see if it works on a clean CF11 install that doesn’t have all the tweaks I did getting my current server to connect.
