Wednesday, June 01, 2005

Enterprise Security VII: Finishing

More certificates...
I still need a client certificate, and I ran into some problems with that. I do not have abundant memory on my server, so I tend to shut down services I do not use on a regular basis, and just leave the 10g and 9i instances running.
So, what I actually had done, was:
/o/ias10/bin/emctl stop iasconsole
/o/ias10/opmn/bin/opmnctl stopall

thinking
/o/ias10/opmn/bin/opmnctl startall
/o/ias10/bin/emctl start iasconsole

would reverse that. And even though the Enterprise Manager control for the Certificate Authority shows it's up and running, the screen itself will not come up. You can try to stop and start, using OEM, until hell freezes over, but it won't give in. There is no other way I have found than:
/o/ias10/oca/bin/ocactl start
and enter the password (I did default to welcome1 all over, so that one works).
Once I did get that to work, getting a certificate was done in a jiffy.
By the way, there is something like the Oracle PKI Utility or orapki, that you might want to use to create certificates in wallets. It saves you from setting up Application Servers, Certificate Authorities and all that. If I had known that earlier... that ought to teach me to read the documentation....

Network changes
Now that I have certificates for both server and client, I need to configure both the server and the client.
Server configuration
On the server side, all I need to do is indicate where the wallet is to be found. This is accomplished by the following addition to sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/wallets/oracle10)
    )
  )


and by changing the listener.ora file. Add these lines:
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/wallets/oracle10)
    )
  )

and, to make sure the listener also accepts secured requests, add the following to the listener description list:
(DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = csdb01.cs.nl)(PORT = 2484))
)

Port 2484 is a default, suggested by Oracle. Stop and start the listener after these changes, and check with lsnrctl status; I want to see the endpoint with secure TCP:
Listening Endpoints Summary...
(DESCRIPTION= .[snipped ].
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=csdb01.cs.nl)(PORT=2484)))


Rest assured, you can do all this by using the Net Configuration Assistant; see the Oracle Advanced Security Administrator's Guide for more details.

Client configuration
On the client, changes are similar; change the sqlnet.ora file to include the wallet location:
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\Documents and Settings\frankbo\ORACLE\WALLETS)
    )
  )


Make sure the client can use SSL secured TCP:
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
Mark the SSL version (SSL V3.0)
SSL_VERSION = 0
Require authentication:
SSL_CLIENT_AUTHENTICATION = TRUE
And match the server name DN (I'll come to that!):
SSL_SERVER_DN_MATCH = YES

That concludes the sqlnet.ora changes. Now for the tnsnames.ora:
O1003.CS.NL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.1.199)(PORT = 2484))
    )
    (CONNECT_DATA = (SERVICE_NAME = o10gR1))
    (SECURITY=(SSL_SERVER_CERT_DN="cn=o10gR1,cn=OracleContext,dc=nl,dc=cs"))
  )

I highlighted the changes in red: I want to use SSL secured TCP (tcps), on another port than the standard 15xx range (2484), and I want to match the server DN - it's in the Server Certificate I requested and installed earlier. Copy this DN exactly!
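The one thing that is easy to get wrong on the client side is the pairing of SSL_SERVER_DN_MATCH in sqlnet.ora with SSL_SERVER_CERT_DN in the alias: without both, the client will happily talk TLS to any server holding a certificate from a trusted CA. As an added example, not from the post or from Oracle's own tooling, here is a small Python parser for the nested KEY = (value) syntax of sqlnet.ora and tnsnames.ora, plus a check that an alias really uses TCPS and pins the server DN. The two sample files are constructed to mirror the client configuration above; the parser assumes values contain no unquoted spaces, so a wallet DIRECTORY like the one above would need quoting.

```python
# Added example (not from the post): parse nested KEY = (value) .ora syntax and check an alias.
import re

SQLNET_ORA = """SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
SSL_SERVER_DN_MATCH = YES"""                       # constructed sample, as above
TNSNAMES_ORA = """O1003.CS.NL =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.1.199)(PORT = 2484)))
    (CONNECT_DATA = (SERVICE_NAME = o10gR1))
    (SECURITY = (SSL_SERVER_CERT_DN = "cn=o10gR1,cn=OracleContext,dc=nl,dc=cs")))"""
_TOK = re.compile(r'\s*(\(|\)|=|"[^"]*"|[^\s()=]+)')

def _parse_value(tok, i):
    """Scalar, (A, B) list, or (KEY = value) groups as {KEY: [value, ...]}."""
    if tok[i] != '(':
        return tok[i], i + 1
    groups = {}
    while i < len(tok) and tok[i] == '(':
        if tok[i + 2] == '=':                        # (KEY = value) group; keys may repeat
            val, j = _parse_value(tok, i + 3)
            groups.setdefault(tok[i + 1], []).append(val)
        else:                                        # (A, B, C) plain list
            j = tok.index(')', i)
            groups = [t.rstrip(',') for t in tok[i + 1:j]]
        assert tok[j] == ')', 'unbalanced parentheses'
        i = j + 1
    return groups, i

def parse_ora(text):
    """Top-level KEY = value entries of a .ora file as a dict."""
    tok = [m.group(1).strip('"') for m in _TOK.finditer(text)]
    out, i = {}, 0
    while i < len(tok):
        key = tok[i]
        assert tok[i + 1] == '=', f'expected "=" after {key}'
        out[key], i = _parse_value(tok, i + 2)
    return out

def check_tls_alias(sqlnet_text, tnsnames_text, alias):
    """Findings for alias; empty means all ADDRESSes are TCPS and the server DN is pinned and compared."""
    net = parse_ora(sqlnet_text)
    desc = parse_ora(tnsnames_text)[alias]['DESCRIPTION'][0]
    addrs = [a for lst in desc.get('ADDRESS_LIST', []) for a in lst['ADDRESS']]
    findings = []
    if any(a['PROTOCOL'][0].upper() != 'TCPS' for a in addrs):
        findings.append('an ADDRESS is not PROTOCOL=TCPS: traffic could leave in clear')
    if str(net.get('SSL_SERVER_DN_MATCH', 'NO')).upper() != 'YES':
        findings.append('SSL_SERVER_DN_MATCH is not YES: the server DN is never compared')
    if not desc.get('SECURITY', [{}])[0].get('SSL_SERVER_CERT_DN'):
        findings.append('alias has no SSL_SERVER_CERT_DN: nothing to match the cert against')
    return findings
```

Running check_tls_alias against the samples returns no findings; drop SSL_SERVER_DN_MATCH or switch the PROTOCOL back to TCP and it names exactly what is missing.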

Testing
Now that this is all done, it's time to test, and hopefully you will see what I saw:

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS
)(HOST = 192.168.1.199)(PORT = 2484))) (CONNECT_DATA = (SERVICE_NAME = o10gR1))
(SECURITY=(SSL_SERVER_CERT_DN=cn=o10gR1,cn=OracleContext,dc=nl,dc=cs)))
OK (80 msec)


C:\>sqlplus system@o1003
SQL*Plus: Release 10.1.0.2.0 - Production on Wed Jun 1 20:12:41 2005
Copyright (c) 1982, 2004, Oracle. All rights reserved.

Enter password:

Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL>

Now, for the next step - Authentication through Certificates!

2 comments:

Davide Moraschi said...

I would like to thank you Frank for the great job you've done explaining this. I think you did a great favour to the Oracle community; it is very strange that no one has yet posted a comment on your articles. Many Oracle oriented blogs are full of personal stories and opinions that I don't really care about. At last a very good blog with some "technical" stuff. Davide Moraschi (dmoraschi@gmail.com)

Frank said...

Thank you, Davide, for the kind words. There are more blogs on Oracle, though. And I'm not finished with this: the ultimate goal is to be able to log on to Oracle with a bogus user and password, and have the certificate do the job.