CF2021 Update 11 cannot connect to Oracle database with encryption and checksum

Good point.  I wasn't even aware Adobe had made Oracle Java available for production use for ColdFusion purposes.

Having switched to that, and re-updated Oracle to 2021.0.11 again, I'm still seeing the same issue.  I did switch my jvm.config and the system info does indeed show I'm now using Oracle Corporations 11.0.20+9-LTS-256.  Downgrading the package to 2021.0.05 makes it connect ok again.

I have not tried connecting with "Other" datasource type and using a downloaded Oracle odbc.jar file, but I kinda figure not having to do that is one (of many) reasons to have CF-Enterprise to begin with.

Now that I know this is available, I may as well go switch my Oracle on all my CF instances to that.  I don't see it available as a yum repo, so I may have to manually update but I guess I can live w/that, if it makes for better compatiblity. 

I won't quite be able to easily swap out an entire OS, and I'm not sure we'd go down that route for the sole purpose of making CF2021-Update11-Oracle-Package work, even if that was the official answer.  And yes, that's why I did note both my OS and my Java, because it is officially unsupported.

I was hoping someone would chime in and say that it does work on an officially supported configuration in which case, I'd love to know the connect string configuration in your CF Admin datasource and the sqlnet.ora encryption/checksum parameters under Oracle 19c that does work (other than none.)

Sigh.  Meant to say I may as well go switch my Java to Oracle on all my CF instances 🙂

If your application works with the Oracle 2021.0.05 package, then I would expect it to work with the Oracle 2021.0.11 package. There is a reason why I say that.

I unzipped \ColdFusion2021\bundles\oracle-2021.0.05.330109.jar and \ColdFusion2021\bundles\oracle-2021.0.11.330247.jar. Then I examined their respective manifest files in a text editor. I saw that they have the same build-JDK version, namely, 1.8.0_251. They also have the same Export-Package and Import-Package settings.

Which leads me to wonder whether what you are experiencing has to do with some hidden dependency. Therefore, I would suggest the following:

1.  On CF2021 Update 11, start the cfpm tool (with administrator / sudo rights);
2.  On cfpm, run the command: uninstall oracle
3.  Restart ColdFusion;
4.  On the cfpm tool (as administrator / sudo), run the command: install oracle
5.  Restart ColdFusion.

Is the problem solved?

Alas, nope.  Just did that, and that didn't resolve it either.

Will keep working on some magic combination of it all, but so far downgrading back to 2021.05 has been reliable across all my CF2021-Update11 dev/test environments (haven't done the update in prod yet) connecting to many different Oracle 19c databases (both on-premise in-house managed, and AWS RDS instances).

Thanks for the update.

Let's look into the issue some more.

Just in case, I built a new RHEL8.8 system and installed CF2021 in 30day-trial mode.  No sandbox security, no secure profile, used deveopment mode, etc.  I figure that's as permissive as I could get it, in case I had some weird setting.  I've disabled selinux.  I then used a .car to import only one single datasource from one of my other dev servers.  I can connect to that datasource.  Just for the heck of it, I also created that same datasource manually separately and it connects too, no surprise.

I updated via the CF2021-Administrator GUI directly to Update 11 and rebooted.  I can no longer connect to the datasource - either the one imported via .car file or the manually created one.

I used both the built-in JRE in /opt/ColdFusion/jre/bin/java ( java version "11.0.7" 2020-04-14 LTS ) as well as the Oracle Java 11.0.20 downloaded from Adobe ( java version "11.0.20" 2023-07-18 LTS ).  I'm using the supported OS (albeit the support-matrix says RHEL8.2 and 8.5 but I can't not dnf update my server, which takes me currently to 8.8.)  

Again, if I simply downgrade to Oracle 2021.0.00, 2021.0.02, or 2021.0.05 it works fine.  If I use 2021.0.11 then it fails.

And just for completeness' sake, I then installed odbc8.jar for Oracle 19c (downloaded from https://www.oracle.com/database/technologies/appdev/jdbc-downloads.html  ).  I copied that into /opt/ColdFusion/lib/ and restarted.  I created a new datasource using "Other" type and used "oracle.jdbc.driver.OracleDriver" as the "Driver Class Name".  Left "Driver Name" blank and used the old-school "jdbc:oracle:thin:@HOSTNAME:1521/SID" in the "JDBC URL" box and it connects fine.  

Running out of ideas.  If anyone has any other suggestions, I'm happy to try them.

Thanks all,

PH

Oh, and the odbc8.jar connection string (which works), including the encryption & checksum (even though it shouldn't be necessary because the database server is already requiring it anyways) looks like (old-school format)  : jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<hostname>)(PORT=1521))(CONNECT_DATA= (SERVICE_NAME=<servicename>))(Security=(ENCRYPTION_LEVEL=REQUIRED)(ENCRYPTION_TYPES_CLIENT=AES256)(CRYPTO_CHECKSUM_CLIENT=REQUIRED)(CRYPTO_CHECKSUM_TYPES_CLIENT=SHA256)))

Using the Oracle data-type, I enter SID, Server, Port, Username, and Password.   Under "Show Advanced Settings" -> "Conection String", I've left it blank to date (again since the db server requires it, I've never bothered to specify anything on the client side.)  But I've tried various incantations that are equivalent to what I specify explicitly in the Other jdbc:oracle:thin method, eg: "encryption_client=required&encryption_types_client=AES256&crypto_checksum_client=required&crypto_checksum_types_client=sha256".  I wasn't sure what type of connection-string format using the "Oracle" datasource type needs.  The Oracle docs ( eg: https://docs.oracle.com/en/database/oracle/oracle-database/21/jajdb/oracle/jdbc/OracleConnection.html#CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL  ) specify either a "EzConnectPlus" or "TNS Long URL" format..  I tried the EzConnectPlus format, but realistically, I find I could just add gibberish in that "Connection String" box and it still seems to connect (if I'm using the 00-05 driver) and doesn't connect (regardless of what I put in that "Connection String" box) if I'm using the 11 driver.

I realize there's a lot here, but trying things.  If anyone has ideas, please let me know.

Thanks all,

PH

Paul, this is certainly a frustrating sitaution to see you go through, but you're helping a lot with all the detail you've shared.

First, as for the fact that the Oracle thin driver (as "other") worked while the built-in Oracle driver did not , note that the former is created by Oracle while the latter is licensed by Adobe from Progress. That explains first why connectionstring values for the one may not work for the other.

On the other hand, I have done a bit of digging and I see at least one thing you can "try" for the Adobe-provided Oracle JDBC driver (from Progress--the one you were using originally). Can you add this to the connection string--which is likely empty for now:

AuthenticationMethod=SSL

I realize nothing was required before. Let's put that aside for the moment. And don't worry about "ssl" vs "tls". For now, please just check if this works. Of course, no CF restart is required. just add it, and on submit of the change CF will try to verify the DSN. Does it work? If so, I found it mentioned in the release notes of the Progress JDBC driver 6.0 (not on Adobe's site but the Progress site).

And I realize someone may find evidence (per files in the various CF driver jars) that suggest that even 2021.0.5 was using that 6.0 driver already--so this should not be necessary. But again let's just try it and see.

Finally, if it does NOT work, I can see in some REALLY low-level digging/comparison between CF's oracle-2021.0.05.330109.jar and the newer oracle-2021.0.11.330247.jar that one of the files deep inside those (2024EPSI.SF) has an indication that the old one refers to Java 8 while the new one refers to Java 11. To be clear, the "older" one (based on Java 8, specifically 1.8.0_73) is within the 2021.0.05 jar, so perhaps there's a connection to the new one now referring to Java 11 (specifically 11.0.16).

Of course, CF2021 itself only supports running on Java 11 (not 8). I'm not saying that it was wrong that the old driver has that Java 8 reference--again that's the one that WORKS for you. But I am observing this as another avenue of exploration if (and only if) the connectionstring I suggested doesn't do the job. There may well be some low-level encryption (ssl/tls) matter that this is now somehow tripping over for being on such a newer Java version. And I can think of some other things to proposed, but let's not clutter this post with more detail yet.

Let us know first how things go with the connectionstring.

A suggestion: add the connection setting

DataIntegrityLevel=0

> DataIntegrity=0

Results in "Connection verification failed for data source: meow java.sql.SQLNonTransientConnectionException: [DataDirect][Oracle JDBC Driver]The property value given is not a valid choice : dataIntegrityLevel=0"

> AuthenticationMethod=SSL

Results in "Connection verification failed for data source: meow  java.sql.SQLException: [DataDirect][Oracle JDBC Driver]SSL Authentication was requested, but is not supported by this Oracle Server."

Both (separately) were added to the "Show Advanced Settings" -> "Connection String" box.

It's interesting that depending on the context, I can put gibberish in the "Connection String" box.  For example, I put "foo=bar" in the box and clicked Submit and I get the same issue = ORA-12656.  Yet, as above, giving it a valid option (DataIntegrityLevel) and setting it "0", the driver knows that "0" is invalid.

Note, DataIntegrityLevel=required (or accepted, requested) are valid values, and all of them work (in the sense it doesn't give the error message about "not a valid choice".  But it still does fail as it still returns the "java.sql.SQLException: [DataDirect][Oracle JDBC Driver]ORA-12656: Cryptographic checksum mismatch" error.

Thanks to Charlie, now that I know this is a "progress" driver, the docs there use different options, and are what BKBK also mentioned.  While the Oracle odbc.jar driver would use "cryto_checksum_client=required" the progress driver uses "DataIntegrityLevel=required".  Based on that, I also tried "DataIntegrityLevel=required;DataIntegrityTypes=(SHA256);" but alas that still returns ORA-12656.  Incidentally, i guess progress uses ";" as a separator for options whereas Oracle seems to use "&"

Thanks all,

PH

Thanks for the update. 

What about

DataIntegrityLevel=rejected

I would suppose, that is the option closest, in essence, to DataIntegrityLevel=0.