APPLIES TO: Oracle Security Service - Version 12.1.0.1 and later
Information in this document applies to any platform.

PURPOSE
Guides the database administrator through configuring TCPS (SSL/TLS) at the database server and client end with one-way SSL authentication and encryption using a self-signed certificate, and through troubleshooting that configuration.

TROUBLESHOOTING STEPS
Database End Configuration:
1) Create a wallet for the self-signed certificate
mkdir wallet_location
orapki wallet create -wallet wallet_location -auto_login -pwd
(-pwd takes the wallet password as its argument; the password itself is left out of every orapki command in this note.)
This will have created two new files in the directory,
ls -la wallet_location
-rw------- 1 oracle dba 7940 Nov 29 08:14 cwallet.sso
-rw------- 1 oracle dba 7912 Nov 29 08:14 ewallet.p12
ewallet.p12 holds the private key and certificates, and the auto-login cwallet.sso lets the listener and database open the wallet without a password, so file permissions are all that protects the key: keep both files owned by the Oracle software owner and readable by nobody else (660 at most, as in the checks below).
The next step is to create a self-signed certificate. This will generate both a user certificate and the CA root certificate that is signing it,
orapki wallet add -wallet wallet_location -dn "CN=server" -keysize 2048 -self_signed -validity 365 -pwd
Note: use a key size of 2048 bits or more. For the signature algorithm do not use MD5 or SHA-1; on 12c or later add -sign_alg sha256 so the certificate is signed with SHA-2. The CN does not have to match the host name unless clients set SSL_SERVER_DN_MATCH=yes in their sqlnet.ora, in which case the server DN is checked against the host/service name in the connect descriptor at connect time.
The final step is to export the CA root certificate (for a self-signed certificate this is the certificate itself, which clients will be told to trust):
orapki wallet export -wallet wallet_location -dn "CN=server" -cert server_ca.cert
2) Verify the wallet contents:
orapki wallet display -wallet wallet_location
3) Configure a TCPS listener port in listener.ora to serve SSL connections.
Use Net Manager to create a new TCPS listener or add a new TCPS address to an existing listener. You will also need to add the wallet location. For example,
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = XXXX)(PORT = XXXX)))
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = XXXX)(PORT = XXXX))))

WALLET_LOCATION =
  (SOURCE =
    (METHOD = File)
    (METHOD_DATA = (DIRECTORY = wallet_location)))
SSL_CLIENT_AUTHENTICATION = FALSE

4) Server side sqlnet.ora configuration (this must be the sqlnet.ora in the Oracle Home, $ORACLE_HOME/network/admin, unless TNS_ADMIN points elsewhere):
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = wallet_location)))
Note: wallet_location is the wallet directory created in step 1.
5) Configure LOCAL_LISTENER so that the instance registers with the TCPS handler as well as the existing TCP port:
alter system set LOCAL_LISTENER='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxx)(PORT=xxxx))(ADDRESS=(PROTOCOL=TCPS)(HOST=XXXX)(PORT=XXXX)))' scope=both;

Note:
1) In a RAC database the self-signed certificate can be created on one node and placed in a shared wallet_location used by all nodes.
2) In RAC the configuration must be done on each node, in the Grid Home listener.ora and the Oracle Home sqlnet.ora.
3) Doc ID 1448841.1 can be referred to for RAC listener/SCAN configuration for SSL.

SSL troubleshooting at the database server end. To check whether the TCPS connection works locally on the database server:
1) Make sure the files inside the TCPS wallet, cwallet.sso and ewallet.p12, exist and have 660 permissions (readable by the owner and group that run the listener and the database, and by nobody else).
2) Make sure LOCAL_LISTENER points to the TCPS port handler (in RAC, the respective node listener VIP TCPS handler) alongside the TCP protocol handler.
3) SSL_CLIENT_AUTHENTICATION = FALSE: this is an important parameter. It selects one-way SSL (server authentication plus encryption), in which only the server has to present its certificate to the client. It must be set in both listener.ora and sqlnet.ora.
4) Make sure WALLET_LOCATION points to the wallet directory in which the certificate was created. It must be set in both listener.ora and sqlnet.ora.
5) After checking the four points above, verify locally that a TCPS connect string works and that tnsping reaches the database host over the TCPS port.
>> tnsping tcpsconnection
tnsping only confirms that the listener answers on the TCPS address; it does not check that the service is registered with it.
>> sqlplus <user>@tcpsconnection
Example tnsnames.ora entry:
tcpsconnection =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = XXXX)(PORT = XXXX)))
    (CONNECT_DATA = (SERVICE_NAME = orcl)))
Note:
1) If sqlplus <user>@tcpsconnection works locally, the server configuration is correct.
SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') as network_protocol FROM dual; -- after connecting, this should return TCPS, confirming that the session came in over the TCPS handler.
2) Always validate the database server's TCPS configuration first; only after that validation move on to configuring TCPS at the client end.
3) Make sure the environment variables (ORACLE_HOME, and TNS_ADMIN if it is used to relocate sqlnet.ora) are set correctly on the database server, standalone or RAC.
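The server-side checks above (wallet files present with safe permissions, SSL_CLIENT_AUTHENTICATION and WALLET_LOCATION consistent between listener.ora and sqlnet.ora) are easy to script. The following is an added example, not part of this note: a POSIX shell script that parses the two .ora files, compares the wallet directories they name, verifies cwallet.sso and ewallet.p12 have no access for "other" (660 as required here, or tighter), and, once the listener is up, shows the certificate it presents with openssl. The function names, the DRY-style demo fixture (a temporary directory with placeholder hosts XXXX as on this page) and the openssl probe are assumptions of this example, not from the note; the same client_auth_is and wallet_files_ok functions can be pointed at a client's sqlnet.ora and wallet.

```shell
#!/bin/sh
# tcps_preflight.sh - offline sanity checks for a one-way TCPS setup.
# Added example, not part of the Oracle note; it needs no Oracle software.

# Print the DIRECTORY value of the WALLET_LOCATION parameter in an .ora file.
# All whitespace is stripped first, so any of the layouts on this page parse.
wallet_dir_from_ora() {
  tr -d ' \t\r\n' < "$1" | sed -n 's/.*WALLET_LOCATION=.*DIRECTORY=\([^)]*\)).*/\1/p'
}

# Succeed if the file sets SSL_CLIENT_AUTHENTICATION to $2
# (FALSE for one-way TLS as in this note, TRUE when the server must also verify a client cert).
client_auth_is() {
  tr -d ' \t\r' < "$1" | grep -qi "^SSL_CLIENT_AUTHENTICATION=$2\$"
}

# Succeed if the wallet directory holds both files and neither is readable,
# writable or executable by "other" (660 as the note requires, or tighter).
wallet_files_ok() {
  for f in cwallet.sso ewallet.p12; do
    [ -f "$1/$f" ] || { echo "missing $1/$f"; return 1; }
    other=$(ls -l "$1/$f" | cut -c8-10)
    [ "$other" = "---" ] || { echo "$1/$f is accessible by others (mode ...$other)"; return 1; }
  done
}

# Run every check against a listener.ora and a sqlnet.ora; return 0 only if
# all pass, printing one line per problem found.
tcps_preflight() {
  listener_ora=$1; sqlnet_ora=$2; expected_auth=${3:-FALSE}; rc=0
  ldir=$(wallet_dir_from_ora "$listener_ora")
  sdir=$(wallet_dir_from_ora "$sqlnet_ora")
  [ -n "$ldir" ] || { echo "no WALLET_LOCATION in $listener_ora"; rc=1; }
  [ -n "$sdir" ] || { echo "no WALLET_LOCATION in $sqlnet_ora"; rc=1; }
  [ "$ldir" = "$sdir" ] || { echo "WALLET_LOCATION differs: '$ldir' vs '$sdir'"; rc=1; }
  [ -z "$ldir" ] || wallet_files_ok "$ldir" || rc=1
  for f in "$listener_ora" "$sqlnet_ora"; do
    client_auth_is "$f" "$expected_auth" || { echo "$f: SSL_CLIENT_AUTHENTICATION is not $expected_auth"; rc=1; }
  done
  return $rc
}

# Live check once the listener is up: TCPS is ordinary TLS, so openssl can show
# the certificate the listener presents (compare its subject with the -dn given
# to orapki). Not used by the demo below because it needs a running listener.
tcps_probe() {
  printf '' | openssl s_client -connect "$1:$2" 2>/dev/null | openssl x509 -noout -subject -dates
}

# Constructed demo (not from the note): a correct layout passes, then the same
# layout with a world-readable wallet file fails.
demo_tcps_preflight() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wallet"
  : > "$tmp/wallet/cwallet.sso"; : > "$tmp/wallet/ewallet.p12"
  chmod 660 "$tmp/wallet/cwallet.sso" "$tmp/wallet/ewallet.p12"
  cat > "$tmp/listener.ora" <<EOF
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = XXXX)(PORT = XXXX)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = XXXX)(PORT = XXXX))))
WALLET_LOCATION = (SOURCE = (METHOD = File)(METHOD_DATA = (DIRECTORY = $tmp/wallet)))
SSL_CLIENT_AUTHENTICATION = FALSE
EOF
  cat > "$tmp/sqlnet.ora" <<EOF
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = $tmp/wallet)))
EOF
  if tcps_preflight "$tmp/listener.ora" "$tmp/sqlnet.ora" FALSE; then good=0; else good=1; fi
  chmod 664 "$tmp/wallet/cwallet.sso"   # the usual mistake: wallet readable by everyone
  if tcps_preflight "$tmp/listener.ora" "$tmp/sqlnet.ora" FALSE; then bad=0; else bad=1; fi
  rm -rf "$tmp"
  [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Source the file and run, for example, `tcps_preflight $ORACLE_HOME/network/admin/listener.ora $ORACLE_HOME/network/admin/sqlnet.ora FALSE` on the server (on RAC, give the Grid Home listener.ora and the Oracle Home sqlnet.ora), then `tcps_probe <host> <tcps_port>` to see what a client will be asked to trust.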
Client End Configuration: the steps to create a wallet are the same.
1) mkdir client_wallet_location
Then change directory into this directory,
$> cd client_wallet_location
Next we will use orapki to create the initial wallet,
$> orapki wallet create -wallet client_wallet_location -auto_login -pwd
This will have created two new files in the directory,
$> ls -la client_wallet_location
-rw------- 1 oracle dba 7940 Nov 29 08:14 cwallet.sso
-rw------- 1 oracle dba 7912 Nov 29 08:14 ewallet.p12
2) All that remains is to bring the server certificate created at the database over to the client side. Because this is one-way SSL authentication/encryption, the client wallet needs no certificate of its own; it only needs the server certificate among its trusted certificates, so that the client accepts the certificate the listener presents.
3) Copy server_ca.cert, exported at the database server end, to the client (for example with scp) and add it to the client wallet as a trusted certificate. Use a channel you trust: whatever is imported here becomes a trust anchor, so a certificate substituted in transit would make the client trust an impostor server.
orapki wallet add -wallet client_wallet_location -cert client_wallet_location/server_ca.cert -trusted_cert -pwd
Verify the wallet contents:
orapki wallet display -wallet client_wallet_location
4) Configure sqlnet.ora at the client end:
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = client_wallet_location)))
5) The last step is to test that a TCPS connection reaches the database server host over the TCPS port:
tnsping tcpsconnection
sqlplus <user>@tcpsconnection
Example tnsnames.ora entry:
tcpsconnection =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = XXXX)(PORT = XXXX)))
    (CONNECT_DATA = (SERVICE_NAME = orcl)))
If this connection works, TCPS with one-way SSL authentication/encryption is configured successfully.
SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') as network_protocol FROM dual; -- after connecting, this should return TCPS.
Note:
If all the steps are followed and the connection still fails, locally or from a remote client, open an SR with Support and provide the following information:
1) The tnsping and sqlplus <user>@tcpsconnection outputs
2) sqlnet level 16 client and server traces and the listener trace for the failing connection, attached as a matching set
3) The sqlnet.ora files (from both client and server end) and the listener.ora file
4) From the database end:
> listener.log and the alert log
> Output of show parameter listener and lsnrctl status LISTENER
5) The method used to create the certificate, together with the orapki wallet display output

APPLIES TO: JDBC - Version 11.1.0.7 and later
Information in this document applies to any platform.

GOAL
The steps below are intended to familiarize the reader with what is required to configure a JDBC Thin client to connect to the database over SSL and authenticate with a client certificate.

SOLUTION
Configuring SSL for Client Authentication and Encryption using orapki

Configuring the server and client wallets
- Create and configure the server wallet
All of the steps to create and configure the wallet are done from the UNIX shell (or cmd.exe on Windows).
- The first step is optional: create a directory to put the wallet in, if one does not already exist:
$> mkdir -p $HOME/SSL/server_wallet
- Then change directory into this directory:
$> cd $HOME/SSL/server_wallet
- Next we will use orapki to create the initial wallet:
$> orapki wallet create -wallet $HOME/SSL/server_wallet -auto_login -pwd
(-pwd takes the wallet password as its argument; the password itself is omitted from the commands throughout this note.)
This will have created two new files in the directory:
$> ls -la $HOME/SSL/server_wallet
-rw------- 1 oracle oinstall 7940 Aug 25 09:16 cwallet.sso
-rw------- 1 oracle oinstall 7912 Aug 25 09:16 ewallet.p12
- The next step is to create a self-signed certificate. This will generate both a user certificate and the CA root certificate that is signing it:
$> orapki wallet add -wallet $HOME/SSL/server_wallet -dn 'CN=server' -keysize 2048 -self_signed -validity 365 -pwd
This step originally used -keysize 512. A 512-bit RSA key is within reach of a modestly funded attacker and is rejected outright by current TLS implementations (Java, for one, refuses RSA keys shorter than 1024 bits by default), so use 2048 bits or more; on releases whose orapki supports it, also add -sign_alg sha256 so the certificate is signed with SHA-2 rather than SHA-1 or MD5.
If this wallet was opened using Oracle Wallet Manager (owm) it is possible to see these 2 new certificates.
- The final step is to export the CA root certificate:
$> orapki wallet export -wallet $HOME/SSL/server_wallet -dn 'CN=server' -cert server_ca.cert
- Create and configure the client wallet
All of the steps to create and configure the wallet are done from the UNIX shell (or cmd.exe on Windows).
- The first step is optional and is to create a directory to put the wallet in if one does not already exist (for simplicity the files are created on the server and, when this is finished, copied to the correct place):
$> mkdir -p $HOME/SSL/client_wallet/user1
$> mkdir -p $HOME/SSL/client_wallet/user2
- Next we will use orapki to create the initial wallet:
$> orapki wallet create -wallet $HOME/SSL/client_wallet/user1 -auto_login -pwd
$> orapki wallet create -wallet $HOME/SSL/client_wallet/user2 -auto_login -pwd
This will have created two new files in each directory:
$> ls -la $HOME/SSL/client_wallet/user1
-rw------- 1 oracle oinstall 7940 Aug 25 09:28 cwallet.sso
-rw------- 1 oracle oinstall 7912 Aug 25 09:28 ewallet.p12
$> ls -la $HOME/SSL/client_wallet/user2
-rw------- 1 oracle oinstall 7940 Aug 25 09:28 cwallet.sso
-rw------- 1 oracle oinstall 7912 Aug 25 09:28 ewallet.p12
- The next step is to create a self-signed certificate. This will generate both a user certificate and the CA root certificate that is signing it:
$> orapki wallet add -wallet $HOME/SSL/client_wallet/user1 -dn 'CN=user1' -keysize 2048 -self_signed -validity 365 -pwd
$> orapki wallet add -wallet $HOME/SSL/client_wallet/user2 -dn 'CN=user2' -keysize 2048 -self_signed -validity 365 -pwd
(2048-bit keys, as for the server wallet; the 512-bit value in the original version of these commands is no longer acceptable.)
If this wallet was opened using Oracle Wallet Manager (owm) it is possible to see these 2 new certificates.
- The next step is to export the CA root certificate:
$> orapki wallet export -wallet $HOME/SSL/client_wallet/user1 -dn 'CN=user1' -cert $HOME/SSL/client_wallet/user1/client_user1_ca.cert
$> orapki wallet export -wallet $HOME/SSL/client_wallet/user2 -dn 'CN=user2' -cert $HOME/SSL/client_wallet/user2/client_user2_ca.cert
- The final step is to import the server's root certificate (server_ca.cert) into each client wallet, and to import each client's root certificate (client_user1_ca.cert, client_user2_ca.cert) into the server wallet. The exported files are assumed to be transferred between the machines by scp, ftp or another mechanism. Only these exported certificates need to move; the wallet files themselves, and in particular ewallet.p12 with the private key, stay where they were created. Check that the files arrived unchanged before importing them: whatever is imported as a trusted certificate becomes a trust anchor, so a certificate swapped in transit would be trusted just the same.
So on the client the server's root certificate is imported with:
$> orapki wallet add -wallet $HOME/SSL/client_wallet/user1 -trusted_cert -cert $HOME/SSL/server_wallet/server_ca.cert -pwd
$> orapki wallet add -wallet $HOME/SSL/client_wallet/user2 -trusted_cert -cert $HOME/SSL/server_wallet/server_ca.cert -pwd
- and on the server each client's root certificate is imported with:
$> orapki wallet add -wallet $HOME/SSL/server_wallet -trusted_cert -cert $HOME/SSL/client_wallet/user1/client_user1_ca.cert -pwd
$> orapki wallet add -wallet $HOME/SSL/server_wallet -trusted_cert -cert $HOME/SSL/client_wallet/user2/client_user2_ca.cert -pwd
Configuring sqlnet for TCPS on the server
- Server side Listener Configuration
Configure a TCPS listener address
Use Net Manager to create an new TCPS listener or add new TCPS address to an existing listener. You will also need to add the wallet location. For example:
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = )(PORT = 1522))))

WALLET_LOCATION =
  (SOURCE =
    (METHOD = File)
    (METHOD_DATA = (DIRECTORY = /home/oracle/SSL/server_wallet)))

Here /home/oracle/SSL is the directory where the files were created (/home/oracle/SSL => $HOME/SSL).
- Server side sqlnet.ora Configuration
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /home/oracle/SSL/server_wallet)))

TCPS in SQLNET.AUTHENTICATION_SERVICES lets the database authenticate the user from the client certificate presented in the TLS handshake, and SSL_CLIENT_AUTHENTICATION = TRUE makes the server require that certificate (two-way SSL, unlike the one-way setup earlier on this page). SSL_VERSION = 0 means any version the software supports may be negotiated; on releases that accept it, set SSL_VERSION = 1.2 instead so that older SSL/TLS versions cannot be used.
Configuring the database
- OS_AUTHENT_PREFIX and REMOTE_OS_AUTHENT
The database parameter OS_AUTHENT_PREFIX must be null and REMOTE_OS_AUTHENT must be FALSE. An empty prefix lets the certificate DN map directly onto the externally identified user created below, and REMOTE_OS_AUTHENT = FALSE ensures that remote clients cannot be authenticated merely on the strength of the operating-system user name they claim.
For example:
SQL> alter system set remote_os_authent=FALSE scope=spfile;
and
SQL> alter system set os_authent_prefix='' scope=spfile;
The instance will need to be restarted for these changes to take effect.
- Create the user within the database
The user within the database has to be created specifying the distinguished name (DN) on their certificate. For example:
SQL> create user identified externally as 'CN=';
SQL> create user identified externally as 'CN=';
The users should have CREATE SESSION granted so they are able to connect:
SQL> grant create session to ;
SQL> grant create session to ;
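The wallet and user steps above, from server wallet to CREATE USER, written as one script. This is an added example, not Oracle's code and not from the original note. It assumes the wallet passwords are supplied in the environment variables SERVER_WALLET_PWD and CLIENT_WALLET_PWD (names chosen here), uses 2048-bit keys signed with SHA-256 rather than the 512-bit keys shown in the note, and has a DRY_RUN=1 mode that prints each orapki command instead of running it, so the sequence can be reviewed or exercised where orapki is not installed. The SQL it writes uses the certificate CN as both user name and DN, as the user1/user2 wallets above do; the function names and file layout under the base directory are this example's own.

```shell
#!/bin/sh
# mtls_wallets.sh - scripted form of the wallet and user steps in this note:
# server wallet, one client wallet per user, cross-import of the exported
# certificates, and the CREATE USER statements for the certificate DNs.
# Added example, not from the note. Assumptions: wallet passwords come from
# SERVER_WALLET_PWD and CLIENT_WALLET_PWD (names chosen here), and DRY_RUN=1
# prints each orapki command instead of executing it.

KEYSIZE=${KEYSIZE:-2048}        # the note's 512-bit example is no longer acceptable
SIGN_ALG=${SIGN_ALG:-sha256}    # SHA-2 signature (the note says 12c and later support -sign_alg)
VALIDITY=${VALIDITY:-365}

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Create an auto-login wallet in $1 with a self-signed certificate for DN $2,
# and export that certificate (the trust anchor other wallets import) to $3.
make_wallet() {
  dir=$1; dn=$2; export_to=$3; wpwd=$4
  run mkdir -p "$dir"
  run orapki wallet create -wallet "$dir" -auto_login -pwd "$wpwd"
  run orapki wallet add -wallet "$dir" -dn "$dn" -keysize "$KEYSIZE" \
      -self_signed -validity "$VALIDITY" -sign_alg "$SIGN_ALG" -pwd "$wpwd"
  run orapki wallet export -wallet "$dir" -dn "$dn" -cert "$export_to"
}

# Import certificate file $2 into wallet $1 as a trusted certificate.
trust_cert() {
  run orapki wallet add -wallet "$1" -trusted_cert -cert "$2" -pwd "$3"
}

# SQL mapping a certificate DN to an externally identified database user.
# The quoted DN must match the certificate subject exactly (case included),
# while the unquoted user name is folded to upper case by the database.
create_user_sql() {
  printf "CREATE USER %s IDENTIFIED EXTERNALLY AS '%s';\nGRANT CREATE SESSION TO %s;\n" "$1" "$2" "$1"
}

# provision BASE_DIR SERVER_DN USER... : build all wallets under BASE_DIR and
# write the SQL for the users to BASE_DIR/create_users.sql.
provision() {
  base=$1; server_dn=$2; shift 2
  mkdir -p "$base"
  : > "$base/create_users.sql"
  make_wallet "$base/server_wallet" "$server_dn" \
              "$base/server_wallet/server_ca.cert" "$SERVER_WALLET_PWD"
  for u in "$@"; do
    cdir=$base/client_wallet/$u
    make_wallet "$cdir" "CN=$u" "$cdir/client_${u}_ca.cert" "$CLIENT_WALLET_PWD"
    # Each side trusts the other's certificate: the client verifies the server,
    # the server verifies (and authenticates) the client.
    trust_cert "$cdir" "$base/server_wallet/server_ca.cert" "$CLIENT_WALLET_PWD"
    trust_cert "$base/server_wallet" "$cdir/client_${u}_ca.cert" "$SERVER_WALLET_PWD"
    create_user_sql "$u" "CN=$u" >> "$base/create_users.sql"
  done
}
```

Source the file and run `DRY_RUN=1 SERVER_WALLET_PWD=... CLIENT_WALLET_PWD=... provision $HOME/SSL CN=server user1 user2` to review the exact orapki sequence, then repeat without DRY_RUN to build the wallets; $HOME/SSL/create_users.sql then holds the statements to run as a DBA, and $HOME/SSL/client_wallet/<user> is the directory to copy to that user's client machine.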
Configuring the Client
- Copy the complete $HOME/SSL/client_wallet/user1 and $HOME/SSL/client_wallet/user2 directory to the client where the JDBC program will be running.
In my case these directories are under the C:\usr\work\SSL directory.
- Copy the jar files needed to run the sample program to the C:\usr\work\SSL directory:
ojdbc6.jar => 11.1.0.7, downloaded from OTN (use ojdbc6.jar with JDK 1.6)
ojpse.jar => DB HOME/jlib
oraclepki.jar => DB HOME/jlib
osdt_cert.jar => IAS HOME/jlib
osdt_core.jar => IAS HOME/jlib
These files can be found under the directories shown above.
- Create the following Java program (the file must be named DbSSLTester.java):
import java.security.Security;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

public class DbSSLTester
{
    public static void main(String[] args) throws Exception
    {
        DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
        // Register Oracle's PKI provider so the JSSE layer can read the SSO wallet format
        Security.insertProviderAt(new oracle.security.pki.OraclePKIProvider(), 3);

        String url = "jdbc:oracle:thin:@(DESCRIPTION = "
                   + "(ADDRESS_LIST = "
                   + "(ADDRESS = "
                   + "(PROTOCOL = TCPS)"
                   + "(HOST = )"
                   + "(PORT = )"
                   + ")"
                   + ") "
                   + "(CONNECT_DATA = (SERVICE_NAME = ))"
                   + ")";

        java.util.Properties info = new java.util.Properties();
        // Authenticate with the certificate in the wallet instead of a password
        info.setProperty("oracle.net.authentication_services", "(TCPS)");
        // The same auto-login wallet serves as trust store (server certificate)
        // and key store (this client's certificate and private key)
        info.setProperty("javax.net.ssl.trustStore", "C:/usr/work/SSL/client_wallet/user2/cwallet.sso");
        info.setProperty("javax.net.ssl.trustStoreType", "SSO");
        info.setProperty("javax.net.ssl.keyStore", "C:/usr/work/SSL/client_wallet/user2/cwallet.sso");
        info.setProperty("javax.net.ssl.keyStoreType", "SSO");

        Connection conn = DriverManager.getConnection(url, info);
        Statement stmt = conn.createStatement();
        // Shows which database user the certificate DN was mapped to
        ResultSet rset = stmt.executeQuery("select user from dual");
        while (rset.next())
            System.out.println(rset.getString(1));

        rset.close();
        stmt.close();
        conn.close();
    }
}
Change the values to the ones you need to use. In this case the hostname, port and service name for your database. Also change the location of your wallets.
- Compile the program, adding the 5 files to the classpath:
ojdbc6.jar ojpse.jar oraclepki.jar osdt_cert.jar osdt_core.jar
set CLASSPATH=C:\sw\oracle\product\jdbc\11.1.0.7.0\ojdbc6.jar;C:\usr\work\SSL\oraclepki.jar;C:\usr\work\SSL\osdt_cert.jar;C:\usr\work\SSL\osdt_core.jar;C:\usr\work\SSL\ojpse.jar;.
javac DbSSLTester.java
Use the correct directories for your case.
- Run the program:
java -classpath .;C:\sw\oracle\product\jdbc\11.1.0.7.0\ojdbc6.jar;C:\usr\work\SSL\oraclepki.jar;C:\usr\work\SSL\osdt_cert.jar;C:\usr\work\SSL\osdt_core.jar;C:\usr\work\SSL\ojpse.jar DbSSLTester
The output is as follows:
USER2
Showing the username used for authentication to the database.
To test with the other user you only need to change the wallet and use the one in the C:/usr/work/SSL/client_wallet/user1 directory.