
Re: Strong authentication with SSL

From: Oracle Software Owner <oracle_at_linux.site>
Date: Thu, 13 Oct 2005 17:07:02 -0600
Message-Id: <pan.2005.10.13.23.06.52.803101@linux.site>


Maxim,

Thank you!
Changing "create user ivan identified globally as 'CN=IVAN SAEZ'" to "create user ivan identified externally as 'CN=IVAN SAEZ'" did indeed solve the problem. Where in the docs did you find it?

regards,

Ivan

On Thu, 13 Oct 2005 16:42:21 +0200, Maxim Demenko wrote:

> Oracle Software Owner wrote:

>> Hi,
>>
>> Oracle version: 10g Release 2 (Suse 9.3)
>>
>> Sqlnet offers strong authentication with tcps (ssl) and I'm trying to
>> make it work. My main interest is to authenticate the client with an
>> X509 certificate. In my setup I have two directories: Wallet_client and
>> Wallet_server for the client wallet and server wallet. The steps are:
>>
>>
>> cd Wallet_client
>> 1) orapki wallet create -wallet . -auto_login -pwd myclient99
>> 2) orapki wallet add -wallet . -dn "CN=IVAN SAEZ" -keysize 1024 -self_signed -validity 365 -pwd myclient99
>> 3) orapki wallet export -wallet . -dn "CN=IVAN SAEZ" -cert ../Wallet_server/ivan.cert
>> cd ../Wallet_server
>> 4) orapki wallet create -wallet . -auto_login -pwd myserver99
>> 5) orapki wallet add -wallet . -dn "CN=DBSERVER" -keysize 1024 -self_signed -validity 365 -pwd myserver99
>> 6) orapki wallet export -wallet . -dn "CN=DBSERVER" -cert ../Wallet_client/db.cert
>> 7) orapki wallet add -wallet . -trusted_cert -cert ivan.cert -pwd myserver99
>> cd ../Wallet_client
>> 8) orapki wallet add -wallet . -trusted_cert -cert db.cert -pwd myclient99
>>
>>
>> In steps 7 and 8 client and server exchange their public keys. The
>> client's sqlnet.ora is:
>>
>>
>>
>> WALLET_LOCATION = (SOURCE=
>> (METHOD = FILE)
>> (METHOD_DATA =
>> (DIRECTORY=/home/oracle/Wallet_client
>> )))
>> SSL_VERSION = 0
>> SQLNET.AUTHENTICATION_SERVICES = (TCPS,BEQ)
>> SSL_SERVER_DN_MATCH = TRUE
>> SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
>> SSL_CLIENT_AUTHENTICATION = TRUE
>> NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT)
>> TRACE_DIRECTORY_CLIENT = /home/oracle/Wallet_client
>> trace_level_client = USER
>> TRACE_FILE_CLIENT = trace_user
>>
>>
>> And the client's tnsnames.ora is:
>>
>>
>> DBSERVER =
>> (DESCRIPTION =
>> (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
>> (CONNECT_DATA=
>> (SERVER = DEDICATED)
>> (SERVICE_NAME=IVAN2)
>> )
>> )
>> DBSERVER-CHECK =
>> (DESCRIPTION =
>> (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
>> (CONNECT_DATA=
>> (SERVER = DEDICATED)
>> (SERVICE_NAME=IVAN2)
>> )
>> (SECURITY=(SSL_SERVER_CERT_DN="CN=DBSERVER"))
>> )
>>
>>
>>
>>
>> The server's sqlnet.ora is:
>>
>> SQLNET.AUTHENTICATION_SERVICES= (TCPS, BEQ)
>>
>> NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
>> SSL_CLIENT_AUTHENTICATION = TRUE
>> SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
>> SSL_VERSION = 0
>> WALLET_LOCATION =
>> (SOURCE =
>> (METHOD = FILE)
>> (METHOD_DATA =
>> (DIRECTORY = /home/oracle/Wallet_server)
>> )
>> )
>> TRACE_DIRECTORY_SERVER = /u01/app/oracle/product/10r2/db_1/network/trace
>> trace_level_server = SUPPORT
>> TRACE_FILE_server = trace_server
>>
>>
>> The server's listener.ora content is:
>>
>> TRACE_LEVEL_LISTENER = ADMIN
>> TRACE_FILE_LISTENER = listener
>> TRACE_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/trace
>> LOG_FILE_LISTENER = listener
>> LOG_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/log
>> LOGGING_LISTENER = ON
>>
>> SID_LIST_SSL_LISTENER =
>> (SID_LIST =
>> (SID_DESC =
>> (GLOBAL_DBNAME = IVAN2)
>> (SID_NAME = IVAN2)
>> (ORACLE_HOME = /u01/app/oracle/product/10r2/db_1)
>> )
>> )
>>
>> #SSL_CLIENT_AUTHENTICATION = FALSE
>> SSL_LISTENER =
>> (DESCRIPTION =
>> (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
>> )
>> WALLET_LOCATION = (SOURCE=
>> (METHOD = FILE)
>> (METHOD_DATA =
>> (DIRECTORY=/home/oracle/Wallet_server
>> )))
>>
>> I also created an Oracle user to test the strong client authentication:
>>
>> create user ivan identified globally as 'CN=IVAN SAEZ';
>> grant create session to ivan;
>>
>> When I connect to the database, I set TNS_ADMIN to
>> /home/oracle/Wallet_client first, with:
>>
>> sqlplus isaez/pwd@dbserver-check
>>
>> I can see (with a grep -i 'ssl cipher suite' trace_user*) that SSL is
>> used: The final negotiated SSL Cipher Suite is:...
>>
>> But when I try to use the client's x509 certificate to authenticate the
>> connection:
>>
>> sqlplus /nolog
>> connect /@dbserver-check
>>
>> I get an error:
>> ERROR:
>> ORA-01017: invalid username/password; logon denied
>>
>> I've been wrestling with this problem for a couple of hours and can't solve it.
>> There is very little information on the net about orapki and ssl/tcps
>> authentication.
>> Maybe on Metalink, but I don't have access to Metalink now.
>>
>> Any ideas?
>>
>> regards,
>>
>> Ivan
> 
> You can create user identified globally only as enterprise user (also in
> conjunction with directory service). For ssl authentication you should
> use user identified *externally*. Try with the same setup (on my machine
> I reproduced it successfully) and create user ivan identified externally
> as 'CN=IVAN SAEZ';
> 
> Best regards
> 
> Maxim
Received on Thu Oct 13 2005 - 18:07:02 CDT
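The fix Maxim describes, written out as an added example that is not part of the thread: it replaces the globally identified account with an externally identified one mapped to the certificate DN, and adds the checks a DBA would run before and after the certificate-based connect. It assumes Oracle 10g R2 as in the thread, a DBA session for the DDL, and that the test user owns no objects.

```sql
-- Added example (not from the thread). Assumes Oracle 10g R2 and a DBA session.

-- 1) Remove the definition that fails. IDENTIFIED GLOBALLY is for
--    enterprise users whose identity is resolved through a directory
--    service, so a client presenting an X509 certificate over TCPS never
--    matches it and the logon is refused with ORA-01017.
DROP USER ivan;

-- 2) IDENTIFIED EXTERNALLY AS '<DN>' binds this schema to the subject DN
--    of the certificate the client presents in the TLS handshake. The DN
--    must match the certificate exactly; the thread's client wallet was
--    built with -dn "CN=IVAN SAEZ".
CREATE USER ivan IDENTIFIED EXTERNALLY AS 'CN=IVAN SAEZ';
GRANT CREATE SESSION TO ivan;

-- 3) Check how the account is now defined: PASSWORD should read EXTERNAL
--    (it read GLOBAL before) and EXTERNAL_NAME should carry the DN.
SELECT username, password, external_name
  FROM dba_users
 WHERE username = 'IVAN';

-- 4) After "connect /@dbserver-check" succeeds, confirm from inside the
--    session that it arrived over TCPS and is tied to the certificate DN,
--    not to a password: NETWORK_PROTOCOL should be 'tcps' and
--    EXTERNAL_NAME should equal 'CN=IVAN SAEZ'.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')     AS db_user,
       SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') AS network_protocol,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')    AS external_name
  FROM dual;
```

One caveat when reusing the thread's configuration: both sqlnet.ora files pin SSL_CIPHER_SUITES to SSL_RSA_EXPORT_WITH_RC4_40_MD5, a 40-bit export-grade suite, so the client authentication is strong but the channel protecting it is not. A production setup should select a non-export suite from those the installed Oracle release supports.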
