
Re: Strong authentication with SSL

From: Maxim Demenko <mdemenko_at_arcor.de>
Date: Thu, 13 Oct 2005 17:48:07 +0200
Message-ID: <434e81d4$0$24167$9b4e6d93@newsread4.arcor-online.net>


Oracle Software Owner schrieb:

> Maxim,
> 
> Thank you!
> Changing "create user ivan identified globally as 'CN=IVAN SAEZ'"
> to "create user ivan identified externally as 'CN=IVAN SAEZ'"
> did indeed solve the problem. Where in the doc's did you find it?
> 
> regards,
> 
> Ivan
> 
> On Thu, 13 Oct 2005 16:42:21 +0200, Maxim Demenko wrote:
> 
> 

>>Oracle Software Owner schrieb:
>>
>>>Hi,
>>>
>>>Oracle version: 10g Release 2 (Suse 9.3)
>>>
>>>Sqlnet offers strong authentication with tcps (ssl) and I'm trying to
>>>make it work . My main interest is to authenticate the client with a
>>>X509 certificate. In my setup I have two directories: Wallet_client and
>>>Wallet_server for the client wallet and server wallet. The steps are:
>>>
>>>
>>>cd Wallet_client
>>>1) orapki wallet create -wallet . -auto_login -pwd myclient99
>>>2) orapki wallet add -wallet . -dn "CN=IVAN SAEZ" -keysize 1024 -self_signed -validity 365 -pwd myclient99
>>>3) orapki wallet export -wallet . -dn "CN=IVAN SAEZ" -cert ../Wallet_server/ivan.cert
>>>cd ../Wallet_server
>>>4) orapki wallet create -wallet . -auto_login -pwd myserver99
>>>5) orapki wallet add -wallet . -dn "CN=DBSERVER" -keysize 1024 -self_signed -validity 365 -pwd myserver99
>>>6) orapki wallet export -wallet . -dn "CN=DBSERVER" -cert ../Wallet_client/db.cert
>>>7) orapki wallet add -wallet . -trusted_cert -cert ivan.cert -pwd myserver99
>>>cd ../Wallet_client
>>>8) orapki wallet add -wallet . -trusted_cert -cert db.cert -pwd myclient99
>>>
>>>
>>>In steps 7 and 8 client and server exchange their public keys. The
>>>client's sqlnet.ora is:
>>>
>>>
>>>
>>>WALLET_LOCATION = (SOURCE=
>>> (METHOD = FILE)
>>> (METHOD_DATA =
>>> (DIRECTORY=/home/oracle/Wallet_client
>>> )))
>>>SSL_VERSION = 0
>>>SQLNET.AUTHENTICATION_SERVICES = (TCPS,BEQ)
>>>SSL_SERVER_DN_MATCH = TRUE
>>>SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
>>>SSL_CLIENT_AUTHENTICATION = TRUE
>>>NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT)
>>>TRACE_DIRECTORY_CLIENT = /home/oracle/Wallet_client
>>>trace_level_client = USER
>>>TRACE_FILE_CLIENT = trace_user
>>>
>>>
>>>And the client's tnsnames.ora is:
>>>
>>>
>>>DBSERVER =
>>> (DESCRIPTION =
>>> (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
>>> (CONNECT_DATA=
>>> (SERVER = DEDICATED)
>>> (SERVICE_NAME=IVAN2)
>>> )
>>> )
>>>DBSERVER-CHECK =
>>> (DESCRIPTION =
>>> (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
>>> (CONNECT_DATA=
>>> (SERVER = DEDICATED)
>>> (SERVICE_NAME=IVAN2)
>>> )
>>> (SECURITY=(SSL_SERVER_CERT_DN="CN=DBSERVER"))
>>> )
>>>
>>>
>>>
>>>
>>>The server's sqlnet.ora is:
>>>
>>>SQLNET.AUTHENTICATION_SERVICES= (TCPS, BEQ)
>>>
>>>NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
>>>SSL_CLIENT_AUTHENTICATION = TRUE
>>>SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
>>>SSL_VERSION = 0
>>>WALLET_LOCATION =
>>> (SOURCE =
>>> (METHOD = FILE)
>>> (METHOD_DATA =
>>> (DIRECTORY = /home/oracle/Wallet_server)
>>> )
>>> )
>>>TRACE_DIRECTORY_SERVER = /u01/app/oracle/product/10r2/db_1/network/trace
>>>trace_level_server = SUPPORT
>>>TRACE_FILE_server = trace_server
>>>
>>>
>>>The server's listener.ora content is:
>>>
>>>TRACE_LEVEL_LISTENER = ADMIN
>>>TRACE_FILE_LISTENER = listener
>>>TRACE_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/trace
>>>LOG_FILE_LISTENER = listener
>>>LOG_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/log
>>>LOGGING_LISTENER = ON
>>>
>>>SID_LIST_SSL_LISTENER =
>>> (SID_LIST =
>>> (SID_DESC =
>>> (GLOBAL_DBNAME = IVAN2)
>>> (SID_NAME = IVAN2)
>>> (ORACLE_HOME = /u01/app/oracle/product/10r2/db_1)
>>> )
>>> )
>>>
>>>#SSL_CLIENT_AUTHENTICATION = FALSE
>>>SSL_LISTENER =
>>> (DESCRIPTION =
>>> (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
>>> )
>>>WALLET_LOCATION = (SOURCE=
>>> (METHOD = FILE)
>>> (METHOD_DATA =
>>> (DIRECTORY=/home/oracle/Wallet_server
>>> )))
>>>
>>>I also created an Oracle user to test the strong client authentication:
>>>
>>>create user ivan identified globally as 'CN=IVAN SAEZ';
>>>grant create session to ivan;
>>>
>>>When I connect to the database, I set TNS_ADMIN to
>>>/home/oracle/Wallet_client first, with:
>>>
>>>sqlplus isaez/pwd_at_dbserver-check
>>>
>>>I can see (with a grep -i 'ssl cipher suite' trace_user*) that SSL is
>>>used: The final negotiated SSL Cipher Suite is:...
>>>
>>>But when I try to use the client's X.509 certificate to authenticate the
>>>connection:
>>>
>>>sqlplus /nolog
>>>connect /@dbserver-check
>>>
>>>I get an error:
>>>ERROR:
>>>ORA-01017: invalid username/password; logon denied
>>>
>>>I've been wrestling with this problem for a couple of hours and can't solve it.
>>>There is very little information on the net about orapki and ssl/tcps
>>>authentication.
>>>Maybe on Metalink, but I don't have access to Metalink now.
>>>
>>>Any ideas?
>>>
>>>regards,
>>>
>>>Ivan
>>
>>You can create a user identified globally only as an enterprise user (also in
>>conjunction with a directory service). For SSL authentication you should
>>use a user identified *externally*. Try with the same setup (on my machine
>>I reproduced it successfully) and create user ivan identified externally
>>as 'CN=IVAN SAEZ';
>>
>>Best regards
>>
>>Maxim

>
>

It is very straightforward in this case - SQL Reference, CREATE USER http://download-uk.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_8003.htm#sthref6338

Best regards

Maxim

Received on Thu Oct 13 2005 - 10:48:07 CDT
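As an added example (not code from the thread or from Oracle), here is a small audit of the client sqlnet.ora settings quoted above: it parses the parameter file, including parenthesised values that span lines, confirms the two settings certificate logon depends on, and flags the export-grade RC4 suite and the unpinned SSL_VERSION = 0. The sample configuration is constructed from the thread; the weak-suite rules are my own choice.

```python
# Added example, not code from the thread: parse a client sqlnet.ora and flag the
# SSL settings discussed above (constructed sample; rules are my own choice).
import re

def parse_sqlnet(text):
    """Return {PARAM: value}; a value opening a '(' group runs on until balanced."""
    params, key, buf, depth = {}, None, [], 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a comment
        if not line: continue
        if key is None:
            m = re.match(r"([A-Za-z_.]+)\s*=\s*(.*)", line)
            if not m: continue
            key, rest = m.group(1).upper(), m.group(2)
        else:
            rest = line                            # continuation of a group
        buf.append(rest)
        depth += rest.count("(") - rest.count(")")
        if depth <= 0:                             # group closed: store it
            params[key] = " ".join(buf).strip()
            key, buf, depth = None, [], 0
    return params

# Export-grade, RC4, MD5, NULL and single-DES suites offer no real protection.
WEAK_SUITE = re.compile(r"EXPORT|RC4|_40_|MD5|NULL|_DES_", re.I)

def audit_sqlnet(text):
    """Return a list of findings for the certificate-logon setup; empty is good."""
    p = parse_sqlnet(text)
    findings = []
    suites = p.get("SSL_CIPHER_SUITES", "")
    if WEAK_SUITE.search(suites):
        findings.append("weak cipher suite configured: " + suites)
    if p.get("SSL_VERSION", "0") == "0":
        findings.append("SSL_VERSION = 0 negotiates any supported version; pin one")
    if p.get("SSL_CLIENT_AUTHENTICATION", "").upper() != "TRUE":
        findings.append("SSL_CLIENT_AUTHENTICATION must be TRUE for certificate logon")
    if p.get("SSL_SERVER_DN_MATCH", "").upper() != "TRUE":
        findings.append("SSL_SERVER_DN_MATCH should be TRUE to check the server DN")
    return findings

# Constructed sample modelled on the client sqlnet.ora quoted in the thread.
CLIENT_SQLNET = """\
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
  (METHOD_DATA = (DIRECTORY = /home/oracle/Wallet_client)))
SSL_VERSION = 0
SQLNET.AUTHENTICATION_SERVICES = (TCPS,BEQ)
SSL_SERVER_DN_MATCH = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_CLIENT_AUTHENTICATION = TRUE
"""
```

Running audit_sqlnet(CLIENT_SQLNET) reports the export cipher suite and the unpinned SSL_VERSION; swapping in an AES suite and an explicit version clears both findings.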
