3 Replies. Latest reply: Jan 25, 2014 2:07 AM by ThomasH

Oracle 11g on Windows XP - TCP with SSL

ThomasH Newbie

Hello,

I have successfully set up Oracle 11g on a Windows XP machine which I am using as a small server in a trial/test environment.

As this machine is running in my local environment without external connections, the Windows Firewall is deactivated.

A Java test program written to connect to the server over TCP (a plain-text connection) using the Oracle thin JDBC driver is working fine.

Now I wanted to set up the server so it would accept SSL connections (ultimately with peer authentication, but without server or client authentication as a start configuration).

I have used Oracle Net Manager to configure the server as follows:

(Note: I have used red ink to highlight settings I am unclear whether they are needed.)

listener.ora

# listener.ora Network Configuration File: C:\ORACLE11G\app\oracle\product\11.2.0\NETWORK\ADMIN\listener.ora
# Generated by Oracle configuration tools.

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = C:\ORACLE11G\app\oracle\product\11.2.0)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:C:\ORACLE11G\app\oracle\product\11.2.0\bin\oraclr11.dll")
    )
  )

LISTENER_TCPS =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC2484))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.178.103)(PORT = 2484))
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = AOPENMINI)(PORT = 1521))
    )
  )

ADR_BASE_LISTENER = C:\ORACLE11G\app\oracle

TRACE_LEVEL_LISTENER_TCPS = USER

ADR_BASE_LISTENER_TCPS = C:\ORACLE11G\app\oracle\product\11.2.0\log

tnsnames.ora

# tnsnames.ora Network Configuration File: C:\ORACLE11G\app\oracle\product\11.2.0\NETWORK\ADMIN\tnsnames.ora
# Generated by Oracle configuration tools.

PMT =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = AOPENMINI)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.178.103)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = PMT)
    )
  )

ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (CONNECT_DATA =
      (SID = CLRExtProc)
      (PRESENTATION = RO)
    )
  )

ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = AOPENMINI)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = AOPENMINI)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl.168.178.103)
    )
  )

sqlnet.ora

# sqlnet.ora Network Configuration File: C:\ORACLE11G\app\oracle\product\11.2.0\NETWORK\ADMIN\sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES= (NONE)

SSL_VERSION = 0

TRACE_LEVEL_CLIENT = USER

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = TRUE

TRACE_LEVEL_SERVER = USER

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\ORACLE11G\app\oracle\product\11.2.0\admin\PMT\wallet)
    )
  )

ADR_BASE = C:\ORACLE11G\app\oracle\product\11.2.0\log

Here is the error I am getting:

Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(Unknown Source)
    at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(Unknown Source)
    at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:114)
    at oracle.net.nt.ConnOption.connect(ConnOption.java:123)
    at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:337)

For some reason the server does not seem to listen on port 2484 at all (running telnet localhost 2484 on the server itself leads to no connection being possible).

Not being a network expert, I am stuck here and would appreciate any help on how to overcome this set-up issue.

Thanks

  • 1. Re: Oracle 11g on Windows XP - TCP with SSL
    BillyVerreynne Oracle ACE

    Why a 2nd listener for TCPS? Why not use a single listener - as is the recommended default?

    Do you have SSL certificates (complete root auth chain) for the server in the Oracle wallet for that server - with the SSL certificate request generated, signed by a root authority?

    To see listener tcp endpoints on the server, use the netstat command. Enable SQL*Net tracing on the listener side if you need to trace and debug connections to the listener. Enable it on the client side too if you need to trace the client's calls to the listener.

  • 2. Re: Oracle 11g on Windows XP - TCP with SSL
    ThomasH Newbie

    Thanks. Defining a further address on the existing listener solved the problem.

  • 3. Re: Oracle 11g on Windows XP - TCP with SSL
    ThomasH Newbie

    Hi,

    I would now need to trace and understand why the handshake is failing.

    As you can see from the config files posted above and the trace_level settings, tracing should already be turned on on my system - correct? So where would I find the output messages telling me in more detail why the handshake is failing?

    The error I am getting when trying to connect from a Java client program using the JDBC thin driver is:

    java.sql.SQLRecoverableException: I/O-Fehler: Remote host closed connection during handshake
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:421)
        at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:531)
        at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:221)
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:503)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at onlyOraclePk.DBConnections.testSSLConnection(DBConnections.java:80)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
        at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
        at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
        at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
        at org.junit.runners.BlockJUnit4ClassRunner.runNotIgnored(BlockJUnit4ClassRunner.java:79)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:71)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:49)
        at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
        at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
        at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
        at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
        at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
        at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
        at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
        at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
    Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
        at oracle.net.ns.Packet.send(Packet.java:385)
        at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:173)
        at oracle.net.ns.NSProtocol.connect(NSProtocol.java:283)
        at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1042)
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:301)
        ... 30 more
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
        ... 39 more

    Thanks

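The thread shows two distinct failures against the same TCPS endpoint: first "Connection refused" (nothing listening on 2484 because TCPS sat on a second listener that was never started), then, once the address was moved onto the running listener, "SSL peer shut down incorrectly" (TCP connects but the server aborts the handshake, which is where Billy's question about the wallet contents comes in). The following is an added example, not code from the thread or from Oracle: a Python script that reads the ADDRESS entries out of a listener.ora, attributes each one to the listener it belongs to, and then probes an endpoint in two stages, TCP connect followed by TLS handshake, so the two errors land in different buckets. The embedded listener.ora is a constructed copy of the one posted above; the regex-based reader is a simplification sufficient for these files, not a full Oracle Net parser.

```python
"""Read TCPS endpoints out of Oracle Net config and probe one.
Added example: a small regex reader for the (KEY = value) syntax, enough for
the listener.ora in this thread, plus a two-stage TCP-then-TLS probe."""
import re
import socket
import ssl

# Constructed sample: the LISTENER_TCPS / LISTENER part of the listener.ora
# posted above, with the extra blank lines removed.
SAMPLE_LISTENER_ORA = """\
# listener.ora Network Configuration File (sample)
LISTENER_TCPS =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC2484))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.178.103)(PORT = 2484))
    )
  )
SSL_CLIENT_AUTHENTICATION = FALSE
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = AOPENMINI)(PORT = 1521))
    )
  )
"""

# 'NAME =' at column 0 starts a top-level entry; its body runs to the next one.
_TOP_LEVEL = re.compile(r"^([A-Za-z_][\w.]*)\s*=", re.MULTILINE)
# An ADDRESS group whose content is a run of flat (KEY = value) pairs.
_ADDRESS = re.compile(r"\(\s*ADDRESS\s*=\s*((?:\s*\([^()]*\))+)\s*\)", re.IGNORECASE)
_PAIR = re.compile(r"\(\s*(\w+)\s*=\s*([^()]*?)\s*\)")


def parse_entries(text):
    """Return {NAME: body} for each top-level entry, comment lines dropped."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    starts = list(_TOP_LEVEL.finditer(text))
    entries = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        entries[m.group(1).upper()] = text[m.end():end]
    return entries


def listener_addresses(text):
    """Every ADDRESS as (owning entry, {PROTOCOL:..., HOST:..., PORT:...}), so a
    TCPS endpoint on a second, never-started listener is visible at a glance."""
    found = []
    for name, body in parse_entries(text).items():
        for addr in _ADDRESS.finditer(body):
            found.append((name, {k.upper(): v for k, v in _PAIR.findall(addr.group(1))}))
    return found


def tcps_endpoints(text):
    """(listener, host, port) for each TCPS address."""
    return [(n, a["HOST"], int(a["PORT"])) for n, a in listener_addresses(text)
            if a.get("PROTOCOL", "").upper() == "TCPS"]


def probe_tcps(host, port, timeout=3.0, cafile=None):
    """Open TCP, then TLS, to a TCPS endpoint and report which stage failed.

    'tcp_connect_failed'  nothing accepted the connection (first error in thread)
    'tls_closed_by_peer'  connected, but the peer dropped the handshake
                          (second error in thread: "SSL peer shut down incorrectly")
    'tls_handshake_error' a TLS alert or certificate verification failure
    'tls_ok'              handshake completed; the negotiated version is returned
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_connect_failed", str(exc)
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # Diagnostic mode: skip certificate verification so the result reflects
        # whether the server completes a handshake at all. Pass cafile to verify.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls_ok", tls.version()
    except ssl.SSLEOFError as exc:
        return "tls_closed_by_peer", str(exc)
    except ssl.SSLError as exc:
        return "tls_handshake_error", str(exc)
    except OSError as exc:  # e.g. connection reset mid-handshake
        return "tls_closed_by_peer", str(exc)
    finally:
        raw.close()
```

Running `tcps_endpoints(open("listener.ora").read())` on the original post's file returns the 2484 endpoint attributed to LISTENER_TCPS rather than to LISTENER, which is the mismatch reply 2 fixed. A `tls_closed_by_peer` result answers the question in reply 3 only from the client side; the reason the listener dropped the handshake is recorded in the listener trace enabled by the TRACE_LEVEL_LISTENER* settings in the posted listener.ora, written under the ADR_BASE_LISTENER* directory (in the 11g ADR layout, diag\tnslsnr\<host>\<listener>\trace), and the client-side javax.net.ssl trace will only ever show that the peer closed.
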