3 Replies Latest reply: Aug 7, 2012 4:12 AM by 953748

    Listener TCPS Oracle Database SSL

    953748
      Hello,
      I would like to switch my listener from TCP to TCPS,
      but we don't know how to do this. My configuration:

      SERVER:
      From server "listener.ora":

      -----
      SID_LIST_LISTENER =
        (SID_LIST =
          (SID_DESC =
            (SID_NAME = PLSExtProc)
            (ORACLE_HOME = /opt/u01/app/oracle/product/10.2.0)
            (PROGRAM = extproc)
          )
        )

      SSL_CLIENT_AUTHENTICATION = FALSE
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
          )
        )

      LISTENER =
        (DESCRIPTION_LIST =
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = tibcoone)(PORT = 1521))
          )
        )
      TRACE_LEVEL_LISTENER = ADMIN
      -----

      From server "sqlnet.ora":

      -----
      SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
      SSL_VERSION = 0
      NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
      SSL_CLIENT_AUTHENTICATION = FALSE
      TRACE_LEVEL_SERVER = ADMIN
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
          )
        )
      SQLNET.WALLET_OVERRIDE = TRUE
      -----

      From server "tnsnames.ora":

      -----
      TIB =
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = TCP)(HOST = tibcoone)(PORT = 1521))
          )
          (CONNECT_DATA =
            (SERVICE_NAME = TIB)
          )
        )

      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
          )
        )

      EXTPROC_CONNECTION_DATA =
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
          )
          (CONNECT_DATA =
            (SID = PLSExtProc)
            (PRESENTATION = RO)
          )
        )
      -----

      Version database server is:
      Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit

      Two files in the path from Wallet:
      /etc/ORACLE/WALLETS/oracle/ewallet.p12
      /etc/ORACLE/WALLETS/oracle/cwallet.sso

      Server SQL> select parameter, value from v$option where upper(parameter) like '%SECURITY%';
      Enterprise User Security TRUE
      Oracle Label Security FALSE



      CLIENT:
      From client "sqlnet.ora":

      -----
      SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)

      NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

      SSL_CLIENT_AUTHENTICATION = FALSE
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = File)
          (METHOD_DATA =
            (DIRECTORY = "C:\Documents and Settings\user\ORACLE\WALLETS"))
        )
      SSL_SERVER_DN_MATCH = OFF
      -----

      From client "tnsnames.ora":

      -----
      TIB_CLIENT =
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))
          )
          (CONNECT_DATA =
            (SERVICE_NAME = TIB)
          )
          (SECURITY =
            (SSL_SERVER_CERT_DN = "cn=US,cn=CertForOracle,c=US,o=Company"))
        )
      -----

      My problem:
      server$ lsnrctl start
      ...
      Instance "TIB", status READY, has 1 handler(s) for this service...
      ...

      client@ sqlplus system/pass@TIB_CLIENT
      ...
      ERROR:
      ORA-28864: SSL connection closed gracefully

      server$ less /opt/u01/app/oracle/product/10.2.0/network/log/listener.log
      TNS-12502: TNS:listener received no CONNECT_DATA from client

      I cannot connect from my client to the server database. I get the error "ORA-28864: SSL connection closed gracefully" on the client and the error "TNS-12502: TNS:listener received no CONNECT_DATA from client" on the server.
      Thanks in advance..
        • 1. Re: Listener TCPS Oracle Database SSL
          929328
          Hi, user6048424

          Let's start with ORA-28864.
          Go to your $ORACLE_HOME/network/admin directory on the database server and check the contents of your listener.ora file.

          Look for the WALLET_LOCATION part, and make sure:

          - the directory exists
          - a file called cwallet.sso is available
          - the user the Oracle software is running under has the correct privileges to access the directory and the wallet

          Secondly, let's sort out the problem with TNS-12502.
          Cause: No CONNECT_DATA was passed to the listener.

          Action: Check that the service name resolved from TNSNAMES.ORA has the CONNECT_DATA component of the connect descriptor.

          If you are getting this error while registering database services with the listener using local_listener or remote_listener, the problem might be that the sqlnet.ora and tnsnames.ora settings have not been picked up by the current instance; restarting the instance after setting the TNS_ADMIN parameter might resolve the problem.

          Case Study: Implementing TCPS authentication
          1. Once you have created all the configuration and the listener to use TCPS connections, and if the listener is running on a non-default port, you have to set the local_listener parameter to register your database with the new (TCPS) listener. When you create the TNS alias for local_listener, you don't specify the connect_data parameter, as it is not required for service registration; however, service registration will fail with TNS-12502 in listener.log until the database instance is bounced.
          Bouncing/restarting the instance will re-read sqlnet.ora and tnsnames.ora with the new security config, and the listener will be able to register the new service on the TCPS port.

          If you have questions, ask.
          Kirill Babeyev
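As an added example (not code from this thread or from Oracle), the parser and lint below read the Oracle Net keyword/value files shown in the first post and apply the checks from the reply above before anyone blames the wallet: a client alias on TCPS whose host:port the listener.ora still serves on plain TCP (the state of the first post's files), a connect descriptor without CONNECT_DATA (the listener's documented cause of TNS-12502; a bare ADDRESS alias for LOCAL_LISTENER is exempt, as the reply notes), a TCPS alias with no wallet directory, and SSL_SERVER_DN_MATCH not set to ON, under which the SSL_SERVER_CERT_DN in the alias is not enforced. The sample configs are constructed and abridged from the first post; the rule set, messages and function names are this example's own assumptions.

```python
"""Parser and lint for Oracle Net files (listener.ora, sqlnet.ora, tnsnames.ora).
Added example, not from the thread or from Oracle; rules and samples are assumptions."""
import re

_TOKEN = re.compile(r'\s*(\(|\)|=|,|"[^"]*"|[^\s()=,"]+)')  # parens, '=', ',', quoted, bare word

def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok

def _parse_value(tokens, i):
    """Parse one value at tokens[i] -> (value, next_index): scalar, comma list, or (KEY, value) pairs."""
    if tokens[i] != "(":
        return _unquote(tokens[i]), i + 1
    if i + 2 >= len(tokens) or tokens[i + 2] != "=":      # (BEQ, TCPS) style list
        items, i = [], i + 1
        while tokens[i] != ")":
            if tokens[i] != ",":
                items.append(_unquote(tokens[i]))
            i += 1
        return items, i + 1
    groups = []
    while i < len(tokens) and tokens[i] == "(":             # one or more (KEY = ...), repeats kept
        key = tokens[i + 1].upper()
        if tokens[i + 2] != "=":
            raise ValueError("expected '=' after " + key)
        val, i = _parse_value(tokens, i + 3)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("unbalanced parentheses after " + key)
        groups.append((key, val))
        i += 1
    return groups, i

def parse_tns(text):
    """Return {NAME: value} for each top-level entry; '#' starts a comment."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens, entries, i = _TOKEN.findall(text), {}, 0
    while i < len(tokens):
        name = tokens[i].upper()
        if i + 1 >= len(tokens) or tokens[i + 1] != "=":
            raise ValueError("expected '=' after " + name)
        entries[name], i = _parse_value(tokens, i + 2)
    return entries

def find(value, wanted):
    """Every sub-value keyed `wanted` anywhere inside a parsed value."""
    hits = []
    for item in value if isinstance(value, list) else []:
        if isinstance(item, tuple):
            if item[0] == wanted:
                hits.append(item[1])
            hits.extend(find(item[1], wanted))
    return hits

def _endpoint(address):
    d = dict(address) if address and isinstance(address[0], tuple) else {}
    return (str(d.get("PROTOCOL", "")).upper(), str(d.get("HOST", "")).lower(), str(d.get("PORT", "")))

def lint(client_sqlnet, client_tnsnames, server_listener=""):
    """Findings for a TCPS client; pass the server's listener.ora to also check its endpoints."""
    sqlnet, aliases = parse_tns(client_sqlnet), parse_tns(client_tnsnames)
    listener_eps = set()
    for value in parse_tns(server_listener).values():
        listener_eps.update(_endpoint(a) for a in find(value, "ADDRESS"))
    wallet_dirs = find(sqlnet.get("WALLET_LOCATION", []), "DIRECTORY")
    dn_match = str(sqlnet.get("SSL_SERVER_DN_MATCH", "OFF")).upper()  # default assumed OFF
    findings, uses_tcps = [], False
    for name, value in aliases.items():
        for proto, host, port in map(_endpoint, find(value, "ADDRESS")):
            if proto != "TCPS":
                continue
            uses_tcps = True
            # A TLS handshake only completes against a TCPS endpoint; the first post's listener was still TCP.
            if ("TCP", host, port) in listener_eps and (proto, host, port) not in listener_eps:
                findings.append("%s: TCPS to %s:%s but listener.ora serves plain TCP there" % (name, host, port))
        # A connect descriptor needs CONNECT_DATA (TNS-12502 without it); a bare ADDRESS alias for
        # LOCAL_LISTENER has none by design and is not flagged.
        if find(value, "DESCRIPTION") and not find(value, "CONNECT_DATA"):
            findings.append(name + ": connect descriptor has no CONNECT_DATA")
    if uses_tcps and not wallet_dirs:
        findings.append("TCPS alias present but no WALLET_LOCATION DIRECTORY is set")
    if uses_tcps and dn_match != "ON":  # OFF: any trusted certificate is accepted, SSL_SERVER_CERT_DN unused
        findings.append("SSL_SERVER_DN_MATCH is %s: server DN is not verified" % dn_match)
    return findings

# Constructed samples modelled on the thread's first post (abridged, not verbatim).
FIRST_POST_LISTENER = """LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = tibcoone)(PORT = 1521))))"""
FIRST_POST_SQLNET = r'''SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
WALLET_LOCATION = (SOURCE = (METHOD = File)
  (METHOD_DATA = (DIRECTORY = "C:\Documents and Settings\user\ORACLE\WALLETS")))
SSL_SERVER_DN_MATCH = OFF'''
FIRST_POST_TNSNAMES = '''TIB_CLIENT = (DESCRIPTION =
  (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521)))
  (CONNECT_DATA = (SERVICE_NAME = TIB))
  (SECURITY = (SSL_SERVER_CERT_DN = "cn=US,cn=CertForOracle,c=US,o=Company")))'''
# Corrected pair: listener endpoint switched to TCPS, DN matching switched on.
FIXED_LISTENER = FIRST_POST_LISTENER.replace("PROTOCOL = TCP)", "PROTOCOL = TCPS)")
FIXED_SQLNET = FIRST_POST_SQLNET.replace("SSL_SERVER_DN_MATCH = OFF", "SSL_SERVER_DN_MATCH = ON")

if __name__ == "__main__":
    print(*lint(FIRST_POST_SQLNET, FIRST_POST_TNSNAMES, FIRST_POST_LISTENER), sep="\n")
```

Run as-is it prints two findings for the first post's files (listener still on TCP at tibcoone:1521, DN match off); the corrected pair returns none. A wallet whose contents are wrong, which was the actual fix in this thread, is invisible to a config lint and still has to be checked on disk.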
          • 2. Re: Listener TCPS Oracle Database SSL
            953748
            Hello, Kirill
            Thanks for your reply
            I checked my server:

            The directory exists and a file called cwallet.sso is available
            - It is ok :)
            The user the Oracle software is running under has the correct privileges to access the directory and the wallet
            - It is ok :)

            Can you give an example of "Implementing TCPS authentication"?

            I currently have:

            On the server my default port is 1521.
            I changed the protocol on my server from TCP to TCPS in "tnsnames.ora" and "listener.ora":

            -----
            LISTENER_TIB =
              (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))

            TIB =
              (DESCRIPTION =
                (ADDRESS_LIST =
                  (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))
                )
                (CONNECT_DATA =
                  (SERVICE_NAME = TIB)
                )
              )

            WALLET_LOCATION =
              (SOURCE =
                (METHOD = FILE)
                (METHOD_DATA =
                  (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
                )
              )

            EXTPROC_CONNECTION_DATA =
              (DESCRIPTION =
                (ADDRESS_LIST =
                  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
                )
                (CONNECT_DATA =
                  (SID = PLSExtProc)
                  (PRESENTATION = RO)
                )
              )
            -----

            SQL> show parameter local_listener
            NAME                                 TYPE        VALUE
            local_listener                       string      LISTENER_TIB

            $cat .bash_profile
            TNS_ADMIN=$ORACLE_HOME/network/admin; export TNS_ADMIN

            $tnsping LISTENER_TIB 9
            ...
            OK (10 msec)
            OK (0 msec)
            OK (0 msec)
            OK (10 msec)
            ...

            From client:
            I changed the port on my client from TCP to TCPS in 'tnsnames.ora' and I receive the error:
            ERROR:
            ORA-28864: SSL connection closed gracefully

            What am I doing wrong ?

            Thanks and Best regards,

            Edited by: user6048424 on 2012-08-06 05:21

            Edited by: user6048424 on 2012-08-06 05:22
            • 3. Re: Listener TCPS Oracle Database SSL
              953748
              Hello,
              I solved the problem :)
              I had an incorrect wallet; I generated and signed my CSR.
              It's very good, everything works :)
              Thx