PFX certificate, wallet & UTL_HTTP

Jaco P.
Jaco P. Member Posts: 47 Blue Ribbon
edited February 2020 in Database Security - General

Hi,

We are trying to access some webservices via Oracle database (19c and 11g) using user certificate which we've got from some CA in .pfx format (containing USER cert, TRUSTED certs & private key).

First of all, if this certificate is imported into a browser I can access the webservices successfully - this proves that the .pfx certificate is valid & it works.

But I am having problems accessing this same webservice via Oracle database using functions SET_WALLET and then UTL_HTTP.REQUEST.

I've tried creating wallets from this .pfx using at least X different methods, none of which work..

To list a few:

1) rename pfx to p12

     mv user_cert.pfx ewallet.p12

     -- wallet is displayed correctly (I can see user & trusted certificates)
     orapki wallet display -wallet ./

     -- trying to access the webservice fails:
     select UTL_HTTP.REQUEST(url => 'https://webservice.domain/path',wallet_path=> 'file:/wallet_path',wallet_password=> 'wallet_pass') FROM DUAL;

          ORA-29273: HTTP request failed
          ORA-06512: at "SYS.UTL_HTTP", line 1530
          ORA-29024: Certificate validation failure
          ORA-06512: at "SYS.UTL_HTTP", line 380
          ORA-06512: at "SYS.UTL_HTTP", line 1470
          ORA-06512: at line 1

2) dissect pfx into separate files: user_cert.cer, trusted_certs.cer, privatekey.cer & create new wallet using openssl

     openssl pkcs12 -inkey privatekey.cer -in user_cert.cer -export -out USER_CERT.pfx
     mv USER_CERT.pfx ewallet.p12
     orapki wallet add -wallet ./ -trusted_cert -cert trusted_certs.cer

     -- I get the same error..ORA-29024: Certificate validation failure

3) CONVERT from PFX --> Wallet:

     orapki wallet create -wallet ./ -pwd 'wallet_pass'
     orapki wallet import_pkcs12 -wallet ./ -pkcs12file user_cert.pfx -pkcs12pwd 'wallet_pass'

     -- I get the same error..ORA-29024: Certificate validation failure

..in all these cases the created wallet IS displayed (orapki wallet display -wallet ./ -pwd 'wallet_pass') correctly - I can see "User Certificates" & "Trusted Certificates" listed as expected.

I am testing with:

select UTL_HTTP.REQUEST(url => 'https://webservice.domain/path',wallet_path=> 'file:/wallet_path',wallet_password=> 'wallet_pass') FROM DUAL;

OR

EXEC UTL_HTTP.set_wallet('file:/wallet_path', 'wallet_pass');

EXEC show_html_from_url('https://webservice.domain/path');

Where is the problem here? How can I make it work?

Is there a problem with my tests? Is usage of UTL_HTTP correct?

Btw..I have some other wallet for accessing "ordinary" HTTPS pages where I have only trusted certificates, and there usage of the wallet works without any issues.

There must be some additional wizardry when using USER certificates, but I cannot figure out which.

Thanks for any help.
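A fuller version of the test from the post above, added here as an example (it is not the poster's code): it performs the same set_wallet/request sequence step by step and, when the request fails, prints UTL_HTTP.get_detailed_sqlerrm, which reports the underlying cause (such as ORA-29024) instead of only the generic ORA-29273. The URL, wallet path and password are the placeholders from the post.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- Placeholders from the post: replace with the real endpoint and wallet.
  l_url    VARCHAR2(200) := 'https://webservice.domain/path';
  l_wallet VARCHAR2(200) := 'file:/wallet_path';
  l_pwd    VARCHAR2(100) := 'wallet_pass';
  l_req    UTL_HTTP.req;
  l_resp   UTL_HTTP.resp;
  l_line   VARCHAR2(32767);
BEGIN
  -- Wallet holding the trusted CA chain of the server (and the user
  -- certificate/key if the service demands client authentication).
  UTL_HTTP.set_wallet(path => l_wallet, password => l_pwd);
  -- Fail fast instead of hanging on an unreachable endpoint.
  UTL_HTTP.set_transfer_timeout(timeout => 30);

  l_req  := UTL_HTTP.begin_request(url => l_url, method => 'GET',
                                   http_version => 'HTTP/1.1');
  l_resp := UTL_HTTP.get_response(r => l_req);
  DBMS_OUTPUT.put_line('HTTP ' || l_resp.status_code || ' ' ||
                       l_resp.reason_phrase);

  -- Read the body line by line until UTL_HTTP signals end_of_body.
  BEGIN
    LOOP
      UTL_HTTP.read_line(r => l_resp, data => l_line, remove_crlf => TRUE);
      DBMS_OUTPUT.put_line(l_line);
    END LOOP;
  EXCEPTION
    WHEN UTL_HTTP.end_of_body THEN
      UTL_HTTP.end_response(r => l_resp);
  END;
EXCEPTION
  WHEN OTHERS THEN
    -- SQLERRM is usually just ORA-29273; the detailed error names the
    -- real cause, e.g. ORA-29024 when the server chain does not validate
    -- against the trusted certificates in the wallet.
    DBMS_OUTPUT.put_line('Request failed: ' || SQLERRM);
    DBMS_OUTPUT.put_line('Detail: ' || UTL_HTTP.get_detailed_sqlerrm);
    RAISE;
END;
/
```

If the detail is ORA-29024, compare the chain the server presents with the "Trusted Certificates" shown by orapki wallet display: the root of the server's chain must be among them.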

Answers

  • user917844
    user917844 Member Posts: 1 Red Ribbon

    Hi,


    I have exactly the same problem. Is there any link or advice on how to solve this?

    Thank you in advance,

    Miran

  • Jason_(A_Non)
    Jason_(A_Non) Member Posts: 2,017 Silver Trophy

    Please start a new discussion/question with your issue and describe it in detail. You can link back to this post if needed. No need to pull up a post from someone else that is nearly a year old.

  • Jaco P.
    Jaco P. Member Posts: 47 Blue Ribbon

    Well..the issue is still there.

    I've managed to solve the issue with a workaround, but the solution as described does not work, so any suggestions would still be valuable.

  • Jason_(A_Non)
    Jason_(A_Non) Member Posts: 2,017 Silver Trophy

    What was/is your work-around?

    When accessing the site via a browser, are you required to log in or provide some sort of client authentication, or is this just a standard HTTPS site?

    For 19c, all the wallet needs is the root certificate of the chain. No client, no intermediate. I'm not positive on 11g. Reason being an 11.2.0.4 implementation we use does have intermediate/root certs in the wallet for HTTPS, but I've seen people on this forum say only the root is really needed. I've not tested to verify, hence the new uncertainty.

  • Jaco P.
    Jaco P. Member Posts: 47 Blue Ribbon

    Well, we now "download" the required .xml file with OS commands and then import it into the db..which is really an unnecessary workaround, but ...it works.

  • Jason_(A_Non)
    Jason_(A_Non) Member Posts: 2,017 Silver Trophy

    You said

    I have some other wallet for accessing "ordinary" HTTPS pages where I have only trusted certificates, and there usage of the wallet works without any issues.

    Unless this HTTPS web service is requiring you to authenticate yourself with your own client certificates, all you should need to do is take the root certificate from the remote site and add it to your existing wallet. Am I misunderstanding how this remote site works?

    If it does require you to authenticate with a client certificate that identifies yourself, then yes, you are missing some steps.
