Oracle FAQ Your Portal to the Oracle Knowledge Grid

Server-side authentication with SSL

From: wing chun <wchun>
Date: Mon, 22 Oct 2001 11:55:57 +0800
Message-ID: <9r05dh$1gau3@hkunae.hku.hk>

Hi

I followed the instructions below to set up server-side authentication with SSL. It works when I connect to the server locally, but any remote access reports "ora-28759: Failed to open file".

This howto covers the configuration of server-side SSL authentication for both Net8 and IIOP (JServer) connections. It documents the steps required to set up an SSL encrypted connection; it does not cover certificate authentication.

It is worthwhile noting that although the setup of SSL requires the installation of certificates, these certificates do not have to be current, only valid. For some reason, in order to enable SSL connections, it is necessary to set up a valid certificate file on the server whether you intend to use certificate authentication or not.

NOTE: I have been unable to determine whether or not the above statement is entirely correct. If anyone can confirm or disprove it, please let me know.

The steps described below must all be carried out from the same logon account. They have been tested on both 816 and 817 databases, but will probably work for all versions, including 9i (unless there have been some drastic changes in 9i that I'm not aware of).

  1. Log on to the database server with an administrative login. Configure the database and listener to run under the current login account
    (Control Panel -> Services). It is not necessary to restart these services
    at this time.
  2. Create an Oracle wallet and set up the required certificates
    (i) Open the Oracle Wallet Manager:
    Start -> Programs -> [Oracle Home] -> Network Administration -> Wallet Manager
    (ii) Create a new wallet (Wallet -> New).
    (iii) When prompted, elect to generate a certificate request.
    (iv) On the request form, the only field that matters is the Common Name.
    Enter the fully qualified domain name (FQDN) of the database server (i.e. the name with which the database server will be referenced by clients).
    (v) Export the certificate request to file (Operations -> Export Certificate
    Request).
    (vi) Obtain a valid server certificate from an authorised signing authority.
    It will also be necessary to download the signing authority's publicly available trusted root certificate. Certificates can be obtained from Verisign (http://www.verisign.com/).
    (vii) Install the trusted root certificate obtained in (vi) into the wallet (Operations -> Import Trusted Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
    (viii) Install the server certificate obtained in (vi) into the wallet
    (Operations -> Import User Certificate). Either paste the contents of the
    certificate file, or browse to the file on the file system.
    (ix) Save the wallet (Wallet -> Save). The wallet will be saved to the [user
    home]\Oracle\Wallets directory.
  3. Configure the listener for SSL.
    (i) Open the Oracle Net8 Assistant:
    Start -> Programs -> [Oracle Home] -> Network Administration -> Net8 Assistant
    (ii) Select Net8 Configuration -> Local -> Profile.
    (iii) From the drop-down list at right, select Oracle Advanced Security.
    Select the SSL tab.
    (iv) Select the Server radio button.
    (v) In the wallet directory field, enter the location of the wallet created
    in step 2, e.g. C:\WINNT\Profiles\oracleuser\ORACLE\WALLET
    (vi) Uncheck the Require Client Authentication checkbox.
    (vii) Select Net8 Configuration -> Listeners -> [listener name].
    (viii) Add a new address:
    Protocol: TCP/IP with SSL
    Host: [database server FQDN] (e.g. oraserver)
    Port: 2484
    (ix) Add a second new address:
    Protocol: TCP/IP with SSL
    Host: [database server FQDN] (e.g. oraserver)
    Port: 2482
    Check the Dedicate this endpoint to IIOP connections checkbox.
    (x) Save the Net8 configuration (File -> Save Network Configuration).
    (xi) Restart the listener service.
  4. Configure the database to accept SSL connections.
    (i) Open the database init.ora file (\admin\[SID]\pfile\init.ora or
    equivalent).
    (ii) At the bottom of the file, uncomment the line that reads
    mts_dispatchers = "(PROTOCOL=TCPS)(PRE=oracle.aurora.server.SGiopServer)"
    (iii) Save the file and restart the database service.
  5. Test the SSL configuration using the Net8 Assistant.
    (i) Open the Oracle Net8 Assistant.
    (ii) Select Net8 Configuration -> Local -> Service Naming.
    (iii) Add a new net service (Edit -> Create).
    Net service name: [SID].auth (e.g. iasdb.auth)
    Protocol: TCP/IP with SSL
    Host: [database server] (e.g. oraserver)
    Port: 2484
    Service Name/SID: [SID] (e.g. iasdb.orion.internal)
    Note: at the end of the net service configuration, click Finish, not Test. The test can hang if run from the wizard.
    (iv) Test the connection (Command -> Test Service). If the only error to
    appear is username/password denied, the test has succeeded.
Received on Sun Oct 21 2001 - 22:55:57 CDT
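The file-level equivalent of the GUI steps in the quoted howto, as an added example that is not part of the original post or of the howto: the sqlnet.ora, listener.ora, init.ora and tnsnames.ora fragments that the Net8 Assistant and Wallet Manager steps 2(ix) through 5(iii) produce. Host names, SID, ports and the wallet path are the howto's own sample values; the parameter names are standard Oracle Net syntax and are my assumption of what the Assistant writes for those steps, not something the post shows.

```text
# sqlnet.ora  (step 3 (iii)-(vi): Oracle Advanced Security -> SSL, Server side)
# DIRECTORY is the wallet saved in step 2(ix). The account the listener and
# database services run under (step 1) must be able to read it: if local
# connections work but listener-routed (remote) connections fail with
# ORA-28759 "failure to open file", check this directory and its permissions.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\WINNT\Profiles\oracleuser\ORACLE\WALLET)
    )
  )
# step 3(vi): server-side authentication only, no client certificates
SSL_CLIENT_AUTHENTICATION = FALSE

# listener.ora  (step 3 (viii)-(ix): two TCPS endpoints; the second one is
# dedicated to IIOP/JServer via the GIOP presentation layer)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = oraserver)(PORT = 2484))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = oraserver)(PORT = 2482))
      (PROTOCOL_STACK = (PRESENTATION = GIOP)(SESSION = RAW))
    )
  )

# init.ora  (step 4(ii)): the database's own TCPS dispatcher for IIOP
mts_dispatchers = "(PROTOCOL=TCPS)(PRE=oracle.aurora.server.SGiopServer)"

# tnsnames.ora on the client (step 5(iii)): the [SID].auth alias over SSL
iasdb.auth =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = oraserver)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = iasdb.orion.internal))
  )
```

Only the server side is shown, as in the howto; a client connecting through the iasdb.auth alias still needs its own wallet holding the signing authority's trusted root certificate from step 2(vi) in order to verify the server certificate.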