Connecting via SSL
This section discusses how to connect a client application to Oracle Database using SSL (Secure Sockets Layer), which is an industry standard protocol for secure access to a remote machine over untrusted networks. It runs on top of TCP/IP to secure client-server communications by allowing an SSL-enabled client to authenticate itself to an SSL-enabled server and vice versa. During server authentication, an SSL-enabled client application uses standard techniques of public-key cryptography to verify the server's identity by checking that the server's certificate is issued by a trusted certificate authority (CA) and proves the ownership of the public key.
Conversely, SSL client authentication allows the server to validate the client's identity. The client and server can also authenticate each other using self-signed certificates; however, you will almost never want to use a self-signed certificate except for an intranet or a development server. After establishing an SSL connection, the client and server exchange messages that are symmetrically encrypted with the shared secret key. SSL is the recommended method to establish a secure connection to Oracle due to its easier configuration and higher performance compared to SSH.
To establish an SSL connection to the server with ODAC, you must compile and install the TCRSSLIOHandler component, which is distributed with SecureBridge and is required to bind ODAC with SecureBridge. The installation instructions for the component are provided in the Readme.html file, which is located by default in "My Documents\Devart\ODAC for RAD Studio XX\Demos\TechnologySpecific\SecureBridge".
1. Add the TOraSession component and set the IOHandler property to an instance of TCRSSLIOHandler.
2. Add the TDBGrid component and set the DataSource property to an instance of TOraDataSource.
3. Add the TOraDataSource component and set the DataSet property to an instance of TOraQuery.
4. Add the TOraQuery component and set the Session property to an instance of TOraSession.
5. Select the TOraQuery component and specify a SQL query to execute against Oracle Database.
6. Add the TCRSsoFileStorage component and specify the path to the wallet file. A wallet is a container for storing authentication and signing credentials, including the keys and certificates needed by SSL. See this document for information on creating an Oracle wallet. If you are using Oracle Cloud, see this document for information on obtaining wallet files.
7. Add the TCRSSLIOHandler component and set the Storage property to an instance of TCRSsoFileStorage.
8. Add the TButton component and create an OnClick event. Add the code that runs the TOraQuery when the button is clicked.
9. Select the TOraSession component and specify the server's distinguished name (DN) in SSLOptions to enable server DN matching. This check verifies that the server is genuine by matching the server's global database name against the DN from the server certificate. See this document for information on editing the client network configuration files.
10. Select the TOraSession component and specify the server address, port, username and password.
The steps are similar to the above, except that you specify the server and client SSL certificates and the private client key instead of wallet files, so you do not need the TCRSsoFileStorage component. Select the TOraSession component and expand SSLOptions. Specify the server certificate in the CACert property, the client certificate in the Cert property, the private client key in the Key property, and the server's distinguished name (DN) in SSLOptions as in the wallet-based steps above.
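The certificate-based setup above, wired up at run time instead of in the designer, as an added example that is not from the ODAC documentation or Devart's demos. It assumes the SSLOptions property that holds the server DN is named ServerCertDN, that CACert, Cert and Key take file paths, and that the unit names in the uses clause match your installation; check all three against your ODAC version.

```delphi
uses
  SysUtils, Ora, CRSSLIOHandler;  // unit names are an assumption, verify them in your install

// Creates a connected TOraSession that fails closed: the server DN is mandatory,
// so server DN matching is always enforced and a connection to an impostor
// holding any certificate from the same CA is refused.
function CreateSslSession(const AServer, AUser, APassword, AServerDN,
  ACACertFile, ACertFile, AKeyFile: string): TOraSession;
var
  Handler: TCRSSLIOHandler;
begin
  if Trim(AServerDN) = '' then
    raise Exception.Create('Server DN is required; refusing to connect without DN matching');
  if not (FileExists(ACACertFile) and FileExists(ACertFile) and FileExists(AKeyFile)) then
    raise Exception.Create('CA certificate, client certificate or client key file not found');

  Result := TOraSession.Create(nil);
  try
    Handler := TCRSSLIOHandler.Create(Result);  // owned by the session, freed with it
    Result.IOHandler := Handler;                // binds the session to SecureBridge SSL

    Result.Server := AServer;                   // server address and port, as in the designer
    Result.Username := AUser;
    Result.Password := APassword;

    Result.SSLOptions.CACert := ACACertFile;    // certificate used to verify the server
    Result.SSLOptions.Cert := ACertFile;        // client certificate presented to the server
    Result.SSLOptions.Key := AKeyFile;          // private key matching the client certificate
    Result.SSLOptions.ServerCertDN := AServerDN;  // property name is an assumption

    Result.Connect;                             // handshake and DN check happen here
  except
    Result.Free;
    raise;
  end;
end;
```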
Another way to embed SSL client functionality into a Delphi app that uses ODAC components to access Oracle Database is to use the OpenSSL library, which implements the SSL protocol and enables servers to communicate securely with their clients. The following describes the SSL connection features that work without SecureBridge's TCRSSLIOHandler component.
The following options must be set for an SSL connection:
Note: The ssleay32.dll and libeay32.dll files are required to use the SSL protocol with the OpenSSL library.