Oracle FAQ - Usenet archive (c.d.o.server)

Re: Strong authentication with SSL

From: Maxim Demenko <mdemenko_at_arcor.de>
Date: Thu, 13 Oct 2005 16:42:21 +0200
Message-ID: <434e726b$0$24182$9b4e6d93@newsread4.arcor-online.net>


Oracle Software Owner wrote:
> Hi,
>
> Oracle version: 10g Release 2 (Suse 9.3)
>
> Sqlnet offers strong authentication with tcps (ssl) and I'm trying to make
> it work . My main interest is to authenticate the client with a X509
> certificate. In my setup I have two directories: Wallet_client and
> Wallet_server for the client wallet and server wallet. The steps are:
>
>
> cd Wallet_client
> 1) orapki wallet create -wallet . -auto_login -pwd myclient99
> 2) orapki wallet add -wallet . -dn "CN=IVAN SAEZ" -keysize 1024 -self_signed -validity 365 -pwd myclient99
> 3) orapki wallet export -wallet . -dn "CN=IVAN SAEZ" -cert ../Wallet_server/ivan.cert
> cd ../Wallet_server
> 4) orapki wallet create -wallet . -auto_login -pwd myserver99
> 5) orapki wallet add -wallet . -dn "CN=DBSERVER" -keysize 1024 -self_signed -validity 365 -pwd myserver99
> 6) orapki wallet export -wallet . -dn "CN=DBSERVER" -cert ../Wallet_client/db.cert
> 7) orapki wallet add -wallet . -trusted_cert -cert ivan.cert -pwd myserver99
> cd ../Wallet_client
> 8) orapki wallet add -wallet . -trusted_cert -cert db.cert -pwd myclient99
>
>
> In steps 7 and 8 client and server exchange their public keys.
> The clients sqlnet.ora is:
>
>
>
> WALLET_LOCATION = (SOURCE=
> (METHOD = FILE)
> (METHOD_DATA =
> (DIRECTORY=/home/oracle/Wallet_client
> )))
> SSL_VERSION = 0
> SQLNET.AUTHENTICATION_SERVICES = (TCPS,BEQ)
> SSL_SERVER_DN_MATCH = TRUE
> SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
> SSL_CLIENT_AUTHENTICATION = TRUE
> NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT)
> TRACE_DIRECTORY_CLIENT = /home/oracle/Wallet_client
> trace_level_client = USER
> TRACE_FILE_CLIENT = trace_user
>
>
> And the clients tnsnames.ora is:
>
>
> DBSERVER =
> (DESCRIPTION =
> (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
> (CONNECT_DATA=
> (SERVER = DEDICATED)
> (SERVICE_NAME=IVAN2)
> )
> )
> DBSERVER-CHECK =
> (DESCRIPTION =
> (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
> (CONNECT_DATA=
> (SERVER = DEDICATED)
> (SERVICE_NAME=IVAN2)
> )
> (SECURITY=(SSL_SERVER_CERT_DN="CN=DBSERVER"))
> )
>
>
>
>
> The servers sqlnet.ora is:
>
> SQLNET.AUTHENTICATION_SERVICES= (TCPS, BEQ)
>
> NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
> SSL_CLIENT_AUTHENTICATION = TRUE
> SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
> SSL_VERSION = 0
> WALLET_LOCATION =
> (SOURCE =
> (METHOD = FILE)
> (METHOD_DATA =
> (DIRECTORY = /home/oracle/Wallet_server)
> )
> )
> TRACE_DIRECTORY_SERVER = /u01/app/oracle/product/10r2/db_1/network/trace
> trace_level_server = SUPPORT
> TRACE_FILE_server = trace_server
>
>
> The server's listener.ora content is:
>
> TRACE_LEVEL_LISTENER = ADMIN
> TRACE_FILE_LISTENER = listener
> TRACE_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/trace
> LOG_FILE_LISTENER = listener
> LOG_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/log
> LOGGING_LISTENER = ON
>
> SID_LIST_SSL_LISTENER =
> (SID_LIST =
> (SID_DESC =
> (GLOBAL_DBNAME = IVAN2)
> (SID_NAME = IVAN2)
> (ORACLE_HOME = /u01/app/oracle/product/10r2/db_1)
> )
> )
>
> #SSL_CLIENT_AUTHENTICATION = FALSE
> SSL_LISTENER =
> (DESCRIPTION =
> (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
> )
> WALLET_LOCATION = (SOURCE=
> (METHOD = FILE)
> (METHOD_DATA =
> (DIRECTORY=/home/oracle/Wallet_server
> )))
>
> I also created a Oracle user to test the strong client authentication:
>
> create user ivan identified globally as 'CN=IVAN SAEZ';
> grant create session to ivan;
>
> When I connect to the database, I set TNS_ADMIN to /home/oracle/Wallet_client first, with:
>
> sqlplus isaez/pwd@dbserver-check
>
> I can see (with a grep -i 'ssl cipher suite' trace_user*) that SSL is used: The final negotiated SSL Cipher Suite is:...
>
> But when I try to use the clients x509 certificate to authenticate the connection:
>
> sqlplus /nolog
> connect /@dbserver-check
>
> I get an error:
> ERROR:
> ORA-01017: invalid username/password; logon denied
>
> I've been wrestling with this problem for a couple of hours and can't solve it. There is very little information on the net about
> orapki and SSL/TCPS authentication.
> Maybe on Metalink, but I don't have access to Metalink now.
>
> Any ideas?
>
> regards,
>
> Ivan

You can create a user identified globally only as an enterprise user (also in conjunction with a directory service). For SSL authentication you should use a user identified *externally*. Try with the same setup (on my machine I reproduced it successfully) and create user ivan identified externally as 'CN=IVAN SAEZ';

Best regards

Maxim

Received on Thu Oct 13 2005 - 09:42:21 CDT
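As an added worked example (not part of either post), here is the user mapping Maxim describes, placed next to the statement from the question, followed by the two checks that confirm it was the client certificate, and not a password, that authenticated the session. It assumes the wallets, sqlnet.ora and tnsnames.ora exactly as Ivan posted them, that TNS_ADMIN points at the client wallet directory when the `connect` line runs, and that 'CN=IVAN SAEZ' is the subject DN orapki wrote into the client certificate in step 2; the user name `ivan` and alias `dbserver-check` are taken from the post.

```sql
-- SQL*Plus script. Run the first part as a DBA over any connection.

-- What the original post did: IDENTIFIED GLOBALLY ties the user to an
-- enterprise user in a directory service. Without Enterprise User Security
-- that mapping never resolves, so the certificate logon ends in ORA-01017.
-- create user ivan identified globally as 'CN=IVAN SAEZ';

-- Corrected mapping for SSL client-certificate authentication: the DN is
-- matched against the subject of the certificate the client presents, so it
-- must be the exact string orapki put into the certificate (the -dn value
-- from step 2 of the post; assumption, taken from there).
drop user ivan cascade;
create user ivan identified externally as 'CN=IVAN SAEZ';
grant create session to ivan;

-- Check 1: the stored external name is the certificate DN, character for character.
select username, external_name
  from dba_users
 where username = 'IVAN';

-- Check 2: log on with the wallet only (no username/password), as the post did,
-- then ask the session how it was authenticated and which DN it carries.
connect /@dbserver-check
select sys_context('USERENV', 'SESSION_USER')          as db_user,
       sys_context('USERENV', 'AUTHENTICATION_METHOD') as auth_method,
       sys_context('USERENV', 'NETWORK_PROTOCOL')      as net_protocol,
       sys_context('USERENV', 'EXTERNAL_NAME')         as cert_dn
  from dual;
```

On a correctly configured instance AUTHENTICATION_METHOD reports SSL and EXTERNAL_NAME reads back the certificate DN; if ORA-01017 persists, compare that DN with DBA_USERS.EXTERNAL_NAME from the first check, since any difference in the string (attribute order, spacing, case) breaks the match. One caveat on the posted configuration rather than on the mapping: SSL_RSA_EXPORT_WITH_RC4_40_MD5 is a 40-bit export cipher suite and SSL_VERSION = 0 accepts any protocol version the stack offers; both are fine for proving the handshake in a lab, but an AES-based suite and a pinned SSL_VERSION belong in both sqlnet.ora files before anything real depends on the channel.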
