Thursday, February 16, 2006

Security, yup! No really!

I hardly dare to commence again....
I started by checking the configuration and testing the stuff that used to work. You never know, nowadays, with these gremlins.
And sure enough:

D:\>tnsping o1003
TNS Ping Utility for 32-bit Windows: Version 10.1.0.4.0 - Production on 16-FEB-2006 15:36:29
Copyright (c) 1997, 2003, Oracle. All rights reserved.

Used parameter files:
D:\oracle\ora92\network\ADMIN\sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.1.199)(PORT = 2484))) (CONNECT_DATA = (SERVICE_NAME = o10gR1))
( SECURITY = (SSL_SERVER_CERT_DN = cn=o10gR1,cn=OracleContext,dc=cs,dc=nl)))
TNS-12560: TNS:protocol adapter error

So, what is wrong here? That used to work!
Same here; this test worked, too!

D:\>sqlplus system@o10ssl
SQL*Plus: Release 10.1.0.4.0 - Production on Thu Feb 16 15:35:44 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.

Enter password:
ERROR:
ORA-28759: failure to open file

Okay - I know that one: the wallet is not set for autologin. Fired up the wallet manager, and changed that; the error is now more what I expected:


ORA-29003: SSL transport detected mismatched server certificate.

Okay - I know that one, too: change SSL_SERVER_DN_MATCH in SQLNET.ORA from YES to NO, and you're done! And in fact, I already hinted that would be a problem.
So, I am going to continue this without the server authentication (which, as you can see, works! Or rather, fails, and thus proves to work).
Let's create a demouser on the server:

[oracle10@csdb01 admin]$ sqlplus system/manager
SQL*Plus: Release 10.1.0.4.0 - Production on Thu Feb 16 16:43:10 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> create user certdemo identified externally as 'CN=frankbo, O=CarrotSoft, C=NL';
User created.

SQL> grant create session to certdemo;
Grant succeeded.

SQL>


Okay, let's see if I can login from my (Windows) client:

D:\>sqlplus /nolog
SQL*Plus: Release 10.1.0.4.0 - Production on Thu Feb 16 15:56:39 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.

SQL> connect / @o1003
ERROR:
ORA-01017: invalid username/password; logon denied

Hmmmm. This seems to be some weird mismatch between globally and externally defined users; the syntax I used seems to be OK for 10g Release 2. Thanks to Fabrizio, who hinted at that here.

So, let's revert on the server:

SQL> drop user certdemo cascade;
User dropped.

SQL> create user certdemo identified globally as 'CN=frankbo, O=CarrotSoft, C=NL';
User created.

SQL> grant create session to certdemo;
Grant succeeded.


And try the client again:

SQL> connect /@o1003
Connected.
SQL> show user
USER is "CERTDEMO"
SQL>


So, finally, I'm able to say: finally!
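The settings this post exercises, collected into one client-side configuration as an added example (these are not the author's files; the wallet directory and the server certificate DN are placeholders). It shows the SSL_SERVER_DN_MATCH=NO workaround beside the setting that keeps server authentication, and the entries needed for the certificate-based "connect /@alias" to reach a user created with "identified globally as":

```text
# sqlnet.ora (client) -- added example; directory and DNs are placeholders
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = D:\oracle\wallets\client)))

# Required so that "connect /@alias" authenticates with the certificate in
# the wallet instead of a password; the server's sqlnet.ora needs the same.
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SSL_CLIENT_AUTHENTICATION = TRUE

# The workaround used above: the client stops comparing the server
# certificate DN with SSL_SERVER_CERT_DN from the connect descriptor, so any
# certificate chained to a CA trusted in the wallet is accepted as the server.
# SSL_SERVER_DN_MATCH = NO

# Preferred: keep the check and instead make the DN in the connect descriptor
# match the subject DN actually present in the server's certificate.
SSL_SERVER_DN_MATCH = YES

# tnsnames.ora (client); host, port and service are the ones from the post
o1003 =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.1.199)(PORT = 2484)))
    (CONNECT_DATA = (SERVICE_NAME = o10gR1))
    (SECURITY = (SSL_SERVER_CERT_DN = "<subject DN of the server certificate>")))

# Server side: the database user is mapped by the exact subject DN of the
# client certificate, with "identified globally as" (as the post found on
# 10g Release 1):
#   create user certdemo identified globally as 'CN=frankbo, O=CarrotSoft, C=NL';
```

With SSL_SERVER_DN_MATCH=YES, the ORA-29003 seen above is the check doing its job: it tells you the DN in the descriptor and the DN in the server certificate disagree, which is what to fix rather than the check itself.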

Wednesday, February 08, 2006

Forgot OID administrator password?

In an environment that already had the infrastructure installed, I wanted to install the Application Server middle tier. One thing Portal wants is the connection to the LDAP server (Oracle Internet Directory server, or OID).
I was quite sure about the password, but always got errors during install. After checking (using netstat -a) that I was actually using the correct port for LDAP (the default 389), I realized the password could have expired.
This is the command to reset it:
D:\oracle\10.1\HTTP\BIN>oidpasswd connect=test1 unlock_su_acct=true
OID DB user password:
OID super user account unlocked successfully.


The OID DB user password it asks for is the one you would enter here:
SQL> connect ods@test1
Enter password:
Connected.

Edit:

In addition to that, you can no longer log on using Single Sign-On (SSO).
Some rather odd steps are needed here:
  1. start Oracle Directory Manager
  2. Log on, using the cn=orcladmin account, and the password you just reset...
  3. Navigate to your realm, something like
    cn=orcladmin, cn=Users, dc=yourcompany, dc=yourcountry
  4. scroll all the way down to the userpassword entry, step over to the asterisks, and retype your password.
  5. Apply
You can now use your SSO logon again.