Strong authentication with SSL
Hi,
Oracle version: 10g Release 2 (Suse 9.3)
Sqlnet offers strong authentication with tcps (ssl) and I'm trying to make it work. My main interest is to authenticate the client with an X509 certificate. In my setup I have two directories: Wallet_client and Wallet_server for the client wallet and server wallet. The steps are:
cd Wallet_client
1) orapki wallet create -wallet . -auto_login -pwd myclient99
2) orapki wallet add -wallet . -dn "CN=IVAN SAEZ" -keysize 1024 -self_signed -validity 365 -pwd myclient99
3) orapki wallet export -wallet . -dn "CN=IVAN SAEZ" -cert ../Wallet_server/ivan.cert
cd ../Wallet_server
4) orapki wallet create -wallet . -auto_login -pwd myserver99
5) orapki wallet add -wallet . -dn "CN=DBSERVER" -keysize 1024 -self_signed -validity 365 -pwd myserver99
6) orapki wallet export -wallet . -dn "CN=DBSERVER" -cert ../Wallet_client/db.cert
7) orapki wallet add -wallet . -trusted_cert -cert ivan.cert -pwd myserver99
cd ../Wallet_client
In steps 7 and 8 client and server exchange their public keys. The client's sqlnet.ora is:
WALLET_LOCATION = (SOURCE=
(METHOD = FILE) (METHOD_DATA =
(DIRECTORY=/home/oracle/Wallet_client
)))
SSL_SERVER_DN_MATCH = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_CLIENT_AUTHENTICATION = TRUE
TRACE_DIRECTORY_CLIENT = /home/oracle/Wallet_client
trace_level_client = USER
TRACE_FILE_CLIENT = trace_user
And the client's tnsnames.ora is:
DBSERVER =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
(CONNECT_DATA=
(SERVER = DEDICATED)
(SERVICE_NAME=IVAN2)
)
)
DBSERVER-CHECK =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
(CONNECT_DATA=
(SERVER = DEDICATED)
(SERVICE_NAME=IVAN2)
)
(SECURITY=(SSL_SERVER_CERT_DN="CN=DBSERVER"))
)
The server's sqlnet.ora is:
SQLNET.AUTHENTICATION_SERVICES= (TCPS, BEQ)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_VERSION = 0
)
)
TRACE_DIRECTORY_SERVER = /u01/app/oracle/product/10r2/db_1/network/trace
trace_level_server = SUPPORT
TRACE_FILE_server = trace_server
The server's listener.ora content is:
TRACE_LEVEL_LISTENER = ADMIN
TRACE_FILE_LISTENER = listener
TRACE_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/trace
LOG_FILE_LISTENER = listener
(GLOBAL_DBNAME = IVAN2)
(SID_NAME = IVAN2)
(ORACLE_HOME = /u01/app/oracle/product/10r2/db_1)
)
)
#SSL_CLIENT_AUTHENTICATION = FALSE
SSL_LISTENER =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
)
WALLET_LOCATION = (SOURCE=
(METHOD = FILE) (METHOD_DATA =
(DIRECTORY=/home/oracle/Wallet_server
)))
I also created an Oracle user to test the strong client authentication:
create user ivan identified globally as 'CN=IVAN SAEZ';
grant create session to ivan;
When I connect to the database, I set TNS_ADMIN to /home/oracle/Wallet_client first, with:
sqlplus isaez/pwd@dbserver-check
I can see (with a grep -i 'ssl cipher suite' trace_user*) that SSL is used: The final negotiated SSL Cipher Suite is:...
But when I try to use the client's X509 certificate to authenticate the connection:
sqlplus /nolog
connect /@dbserver-check
I get an error:
ERROR:
ORA-01017: invalid username/password; logon denied
I've been wrestling with this problem for a couple of hours and can't solve it. There is very little information on the net about orapki and ssl/tcps authentication.
Maybe on Metalink, but I don't have access to Metalink now.
Any ideas?
regards,
Ivan
Received on Thu Oct 13 2005 - 12:31:53 CDT
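As an added illustration (not part of Ivan's post and not Oracle tooling), the Python below parses the Oracle Net parameter syntax shared by sqlnet.ora and tnsnames.ora and cross-checks the settings both ends must agree on for X.509 client authentication over TCPS. The embedded sample files are constructed from the values quoted in the post; the review rules and the list of legacy cipher-suite markers are my own assumptions, not Oracle's.

```python
import re
TOKEN_RE = re.compile(r'\(|\)|=|,|"[^"]*"|[^\s()=,"]+')   # quoted values may wrap '='
WEAK = ('EXPORT', 'RC4', 'MD5', 'NULL', 'DES')            # markers of legacy cipher suites

def parse_net(text):
    """Parse Oracle Net 'KEY = value' entries (sqlnet.ora, tnsnames.ora): nested (KEY = value)
    groups become dicts, (v1, v2) lists become lists, bare or "quoted" scalars become str."""
    toks, pos = [t for ln in text.splitlines() for t in TOKEN_RE.findall(ln.split('#', 1)[0])], 0
    def value():
        nonlocal pos
        if toks[pos] != '(':                          # bare or quoted scalar
            pos += 1
            return toks[pos - 1].strip('"')
        items, mapping = [], {}
        while pos < len(toks) and toks[pos] == '(':
            pos += 1
            if toks[pos + 1] == '=':                  # (KEY = value) group
                key, pos = toks[pos], pos + 2
                mapping[key] = value()
            else:                                     # (v1, v2, ...) list
                end = toks.index(')', pos)
                items, pos = items + [t for t in toks[pos:end] if t != ','], end
            pos += 1                                  # consume ')'
        return mapping or items
    result = {}
    while pos + 1 < len(toks):
        key, pos = toks[pos], pos + 2                 # KEY =
        result[key] = value()
    return result

def review_tcps_auth(client_sqlnet, server_sqlnet, tnsnames, alias):
    """Cross-check what both ends need for X.509 client authentication over TCPS."""
    c, s = parse_net(client_sqlnet), parse_net(server_sqlnet)
    desc = parse_net(tnsnames).get(alias, {}).get('DESCRIPTION', {})
    common = set(c.get('SSL_CIPHER_SUITES', [])) & set(s.get('SSL_CIPHER_SUITES', []))
    out = [f'{side}: SSL_CLIENT_AUTHENTICATION is not TRUE' for side, cfg in
           (('client', c), ('server', s)) if cfg.get('SSL_CLIENT_AUTHENTICATION') != 'TRUE']
    out += [f'legacy cipher suite negotiable: {x}' for x in sorted(common) if any(w in x for w in WEAK)]
    if 'TCPS' not in s.get('SQLNET.AUTHENTICATION_SERVICES', []):
        out.append('server: SQLNET.AUTHENTICATION_SERVICES lacks TCPS')
    if c.get('SSL_SERVER_DN_MATCH') == 'TRUE' and 'SSL_SERVER_CERT_DN' not in desc.get('SECURITY', {}):
        out.append(f'{alias}: SSL_SERVER_DN_MATCH is TRUE but no SSL_SERVER_CERT_DN is pinned')
    return out

# Constructed samples, trimmed from the settings quoted in the post (not the poster's actual files).
CLIENT_SQLNET = '''WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /home/oracle/Wallet_client)))
SSL_SERVER_DN_MATCH = TRUE  SSL_CIPHER_SUITES = (SSL_RSA_EXPORT_WITH_RC4_40_MD5)  SSL_CLIENT_AUTHENTICATION = TRUE'''
SERVER_SQLNET = 'SQLNET.AUTHENTICATION_SERVICES = (TCPS, BEQ)  SSL_CLIENT_AUTHENTICATION = TRUE  SSL_CIPHER_SUITES = (SSL_RSA_EXPORT_WITH_RC4_40_MD5)'
TNSNAMES = '''DBSERVER-CHECK = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
  (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = IVAN2))(SECURITY = (SSL_SERVER_CERT_DN = "CN=DBSERVER")))'''
```

Run against the post's settings, the only finding for DBSERVER-CHECK is the export-grade cipher suite; an alias without a SECURITY clause additionally reports that SSL_SERVER_DN_MATCH has no pinned DN to match.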