3 Replies Latest reply: Aug 7, 2012 2:12 AM by 953748

Listener TCPS Oracle Database SSL

953748 Newbie
Hello,
I would like to switch my listener from TCP to TCPS, but we don't know how to do this. My configuration:

SERVER:
From server "listener.ora":

-----
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /opt/u01/app/oracle/product/10.2.0)
      (PROGRAM = extproc)
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = tibcoone)(PORT = 1521))
    )
  )
TRACE_LEVEL_LISTENER = ADMIN
-----

From server "sqlnet.ora":

-----
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 0
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = FALSE
TRACE_LEVEL_SERVER = ADMIN
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
    )
  )
SQLNET.WALLET_OVERRIDE = TRUE
-----

From server "tnsnames.ora":

-----
TIB =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = tibcoone)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = TIB)
    )
  )

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
    )
  )

EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
-----

Database server version:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit

Two files in the wallet path:
/etc/ORACLE/WALLETS/oracle/ewallet.p12
/etc/ORACLE/WALLETS/oracle/cwallet.sso

Server SQL> select parameter, value from v$option where upper(parameter) like '%SECURITY%';
Enterprise User Security TRUE
Oracle Label Security FALSE



CLIENT:
From client "sqlnet.ora":

-----
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = File)
    (METHOD_DATA =
      (DIRECTORY = "C:\Documents and Settings\user\ORACLE\WALLETS"))
  )
SSL_SERVER_DN_MATCH = OFF
-----

From client "tnsnames.ora":

-----
TIB_CLIENT =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = TIB)
    )
    (SECURITY =
      (SSL_SERVER_CERT_DN = "cn=US,cn=CertForOracle,c=US,o=Company"))
  )
-----

My problem:
server$ lsnrctl start
...
Instance "TIB", status READY, has 1 handler(s) for this service...
...

client@ sqlplus system/pass@TIB_CLIENT
...
ERROR:
ora-28864 ssl connection closed gracefully

server$ less /opt/u01/app/oracle/product/10.2.0/network/log/listener.log
TNS-12502: TNS:listener received no CONNECT_DATA from client

I cannot connect my client to the server database. I get the error "ora-28864 ssl connection closed gracefully" on the client and the error "TNS-12502: TNS:listener received no CONNECT_DATA from client" on the server.
Thanks in advance.
  • 1. Re: Listener TCPS Oracle Database SSL
    929328 Newbie
    Hi, user6048424

    Let's start with ORA-28864.
    Go to your $ORACLE_HOME/network/admin directory on the database server and check the contents of your listener.ora file.

    Look for the WALLET_LOCATION part, and make sure:

    The directory exists.
    A file called cwallet.sso is available.
    The user the Oracle software is running under has the correct privileges to access the directory and the wallet.

    Secondly, let's sort out the problem with TNS-12502.
    Cause: No CONNECT_DATA was passed to the listener.

    Action: Check that the service name resolved from TNSNAMES.ORA has the CONNECT_DATA component of the connect descriptor.

    If you are getting this error while registering database services with the listener using local_listener or remote_listener, the problem might be that the sqlnet.ora and tnsnames.ora settings have not been picked up by the current instance; restarting the instance after setting the TNS_ADMIN parameter might resolve the problem.

    Case Study: Implementing TCPS authentication
    1. Once you have created all the configuration and the listener to use TCPS connections, and if the listener is running on a non-default port, you would have to set the local_listener parameter to register your database with the new listener (TCPS). When you create the TNS alias for local_listener, you don't specify the connect_data parameter as it is not required for service registration; however, service registration will fail with TNS-12502 in listener.log until the database instance is bounced.
    Bouncing/restarting the instance will read sqlnet.ora and tnsnames.ora with the new security config, and the listener will be able to register the new service on the TCPS port.

    If you have questions, ask.
    Kirill Babeyev
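The checks in the reply above can be scripted. The following POSIX shell script is an added example for this thread, not code from Oracle or from either poster: it verifies that the wallet directory holds a readable cwallet.sso and ewallet.p12 and that neither is world-readable (cwallet.sso carries the private key without a passphrase), then parses a tnsnames.ora-style file to report whether an alias carries CONNECT_DATA and whether its ADDRESS entries use PROTOCOL = TCPS. The helper names, their argument layout and the sample wallet files and tnsnames.ora it writes under a temporary directory are assumptions constructed to mirror the entries in this thread.

```shell
#!/bin/sh
# Pre-flight checks for an Oracle Net TCPS setup. Added example for this thread,
# not Oracle code. Helper names and argument layout are assumptions; the sample
# configuration written by make_demo_config is constructed to mirror the thread.

# check_wallet_dir DIR: the wallet directory exists and holds a readable
# cwallet.sso (the auto-login wallet the listener opens unattended) and ewallet.p12.
check_wallet_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "wallet directory missing: $dir"; return 1; }
    for f in cwallet.sso ewallet.p12; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; return 1; }
        [ -r "$dir/$f" ] || { echo "not readable by $(id -un): $dir/$f"; return 1; }
    done
    return 0
}

# wallet_is_private DIR: no wallet file is world-readable. cwallet.sso contains
# the private key with no passphrase, so only the account running the listener
# and database should be able to read it.
wallet_is_private() {
    exposed=$(find "$1/cwallet.sso" "$1/ewallet.p12" -perm -004 2>/dev/null)
    [ -z "$exposed" ] || { echo "world-readable wallet file(s): $exposed"; return 1; }
    return 0
}

# tns_entry FILE ALIAS: print the connect descriptor of ALIAS from a tnsnames.ora
# or listener.ora style file, tracking parenthesis depth across lines.
tns_entry() {
    awk -v alias="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        !inblk && toupper($0) ~ ("^[ \t]*" alias "[ \t]*=") { inblk = 1; seen = 0; depth = 0 }
        inblk {
            print
            opens = gsub(/\(/, "("); closes = gsub(/\)/, ")")
            depth += opens - closes
            if (opens > 0) seen = 1
            if (seen && depth == 0) inblk = 0
        }' "$1"
}

# has_connect_data FILE ALIAS: the alias carries a CONNECT_DATA section. A
# local_listener alias legitimately lacks it; a client alias must have it.
has_connect_data() { tns_entry "$1" "$2" | grep -qi 'CONNECT_DATA'; }

# uses_tcps FILE ALIAS: the alias has at least one ADDRESS and every one of
# them uses PROTOCOL = TCPS.
uses_tcps() {
    addrs=$(tns_entry "$1" "$2" | grep -i 'PROTOCOL') || return 1
    ! printf '%s\n' "$addrs" | grep -iqv 'PROTOCOL *= *TCPS'
}

# make_demo_config DIR: constructed sample data (empty wallet files, tnsnames
# entries modelled on the thread); not real wallet content.
make_demo_config() {
    mkdir -p "$1/wallet"
    : > "$1/wallet/cwallet.sso"
    : > "$1/wallet/ewallet.p12"
    chmod 600 "$1/wallet/cwallet.sso" "$1/wallet/ewallet.p12"
    cat > "$1/tnsnames.ora" <<'EOF'
LISTENER_TIB =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))

TIB =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = TIB)
    )
  )

TIB_OLD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = tibcoone)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = TIB))
  )
EOF
}

# Stand-alone run against the constructed sample.
demo=$(mktemp -d)
make_demo_config "$demo"
check_wallet_dir "$demo/wallet" && wallet_is_private "$demo/wallet" && echo "wallet checks passed"
for a in TIB LISTENER_TIB TIB_OLD; do
    printf '%-12s tcps=%s connect_data=%s\n' "$a" \
        "$(uses_tcps "$demo/tnsnames.ora" "$a" && echo yes || echo no)" \
        "$(has_connect_data "$demo/tnsnames.ora" "$a" && echo yes || echo no)"
done
rm -rf "$demo"
```

Run it as the account that owns the Oracle software, pointing check_wallet_dir at the DIRECTORY from WALLET_LOCATION and tns_entry at the real $TNS_ADMIN/tnsnames.ora; a "no" for connect_data on a client alias explains a TNS-12502, while a "no" for tcps means the alias still dials the plain TCP endpoint.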
  • 2. Re: Listener TCPS Oracle Database SSL
    953748 Newbie
    Hello, Kirill
    Thanks for your reply
    I checked my server:

    The directory exists and a file called cwallet.sso is available
    - It is ok :)
    The user the Oracle software is running under has the correct privileges to access the directory and the wallet
    - It is ok :)

    Can you give an example of "Implementing TCPS authentication"?

    I currently have:

    On the server my default port is 1521.
    I changed the protocol on my server from TCP to TCPS in "tnsnames.ora" and "listener.ora":

    -----
    LISTENER_TIB =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))

    TIB =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))
        )
        (CONNECT_DATA =
          (SERVICE_NAME = TIB)
        )
      )

    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
        )
      )

    EXTPROC_CONNECTION_DATA =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
        )
        (CONNECT_DATA =
          (SID = PLSExtProc)
          (PRESENTATION = RO)
        )
      )
    -----

    SQL> show parameter local_listener
    NAME                                 TYPE        VALUE
    local_listener                       string      LISTENER_TIB

    $cat .bash_profile
    TNS_ADMIN=$ORACLE_HOME/network/admin; export TNS_ADMIN

    $tnsping LISTENER_TIB 9
    ...
    OK (10 msec)
    OK (0 msec)
    OK (0 msec)
    OK (10 msec)
    ...

    From the client:
    I changed the port on my client from TCP to TCPS in 'tnsnames.ora' and I receive this error:
    ERROR:
    ora-28864 ssl connection closed gracefully

    What am I doing wrong?

    Thanks and Best regards,

    Edited by: user6048424 on 2012-08-06 05:21

    Edited by: user6048424 on 2012-08-06 05:22
  • 3. Re: Listener TCPS Oracle Database SSL
    953748 Newbie
    Hello,
    I solved the problem :)
    I had an incorrect wallet; I generated and signed my CSR.
    It's very good, everything works :)
    Thx
