
Getting ORA-1017 on PKI authenticated external user

Dtaylor-Oracle
Dtaylor-Oracle Member Posts: 32
edited Sep 30, 2019 3:16PM in Database Security - General

Working for a DoD customer. Attempting implementation of MOS # 401251.1 with substitution of DoD certs on the client end. Using Microsoft Certificate Stores. When I tnsping the SSL listener, it works:

C:\Users\dtaylor>tnsping newcac

TNS Ping Utility for 64-bit Windows: Version 12.2.0.1.0 - Production on 27-JUN-2019 10:26:22

Copyright (c) 1997, 2016, Oracle.  All rights reserved.

Used parameter files:

d:\app\oracle\product\12.2.0\dbhome_1\network\admin\sqlnet.ora

< Right here I get prompted to select the certificate, and enter the PIN from the CAC>

Used TNSNAMES adapter to resolve the alias

Attempting to contact (DESCRIPTION =(ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCPS)(HOST = stang.taylortx.net)(PORT = 2484))(CONNECT_DATA=(SERVICE_NAME = NEWDEMO))))

OK (13300 msec)

As per the document, I have created a user account in the Linux database matching the account on the windows machine:

create user dtaylor identified externally as 'CN = DTAYLOR.EDIPI# = CONTRACTOR,OU = PKI,OU = DoD,O = U.S. Government,C = US';

However, when I attempt the alias connection, I get:

C:\Users\dtaylor>sqlplus /@newcac

SQL*Plus: Release 12.2.0.1.0 Production on Thu Jun 27 10:30:17 2019

Copyright (c) 1982, 2018, Oracle.  All rights reserved.

< Right here I get prompted to select the certificate, and enter the PIN from the CAC>

ERROR:

ORA-01017: invalid username/password; logon denied

I have validated that the CN used on the CAC is identical to the externally defined user account CN reference.

Additionally I have tracing on:

Walking through the client trace, I see:

(17600) [27-JUN-2019 09:17:58:020] nsbasic_brc: entry: oln/tot=0,prd=0

(17600) [27-JUN-2019 09:17:58:020] nzos_Read: entry

(17600) [27-JUN-2019 09:17:58:020] nttrd: entry

(17600) [27-JUN-2019 09:17:58:020] ntt2err: entry

(17600) [27-JUN-2019 09:17:58:020] ntt2err: exit

(17600) [27-JUN-2019 09:17:58:020] nttrd: socket 1244 had bytes read=0

(17600) [27-JUN-2019 09:17:58:020] nttrd: exit

(17600) [27-JUN-2019 09:17:58:020] nzospRead: I/O blocking - needs retry (-6993)

(17600) [27-JUN-2019 09:17:58:020] nzos_Read: Error 28861. Read 0/8208 bytes     <<<<<<<<<<<<<<<<< This would seem to be an issue, but I get no hits on what the error is.

(17600) [27-JUN-2019 09:17:58:020] nzos_Read: exit

(17600) [27-JUN-2019 09:17:58:020] ntctst: size of NTTEST list is 1 - not calling poll

(17600) [27-JUN-2019 09:17:58:020] sntseltst: Testing for DATA on socket 1244

(17600) [27-JUN-2019 09:17:59:063] sntseltst: FOUND: read request on socket 1244

(17600) [27-JUN-2019 09:17:59:063] nzos_Read: entry

(17600) [27-JUN-2019 09:17:59:063] nttrd: entry

(17600) [27-JUN-2019 09:17:59:063] nttrd: socket 1244 had bytes read=5

(17600) [27-JUN-2019 09:17:59:063] nttrd: exit

Then further down:

(17600) [27-JUN-2019 09:17:59:066] nzbioread:  read 176/176 bytes

(17600) [27-JUN-2019 09:17:59:066]      0: 8cbc613e cdd8f3a5 c0e739ea be952d3c       |..a>......9...-<|

    16: ed32021f 3db86991 6acb39bf 1d1afb1d       |.2..=.i.j.9.....|

    32: 31eefe38 58a6a7fc fd3089db 3637b8d7       |1..8X....0..67..|

    48: b66b8f14 84505d33 978fdc92 cb390a5b       |.k...P]3.....9.[|

    64: ca62a58a f3ef6964 f698839e 5754aaf7       |.b....id....WT..|

    80: 21e8ca20 db2a1dd0 37d91699 dc1c5396       |!.. .*..7.....S.|

    96: e1854e75 6b0440af 692f95f4 41a32924       |..Nuk.@.i/..A.)$|

   112: 664e03af 85115ab5 5306bd02 c4a4bbaa       |fN....Z.S.......|

   128: e4226281 583255e2 d6027079 659fe98f       |."b.X2U...pye...|

   144: 92df86e9 b2420c03 1d3fb299 286e1a05       |.....B...?..(n..|

   160: 241e8ac7 60ec5f15 1891c54c b8f2675c       |$...`._....L..g\|

(17600) [27-JUN-2019 09:17:59:066] SSL_Data: Read

(17600) [27-JUN-2019 09:17:59:066] nzos_Read: OK. Read 133/8208 bytes

(17600) [27-JUN-2019 09:17:59:066] nzos_Read: exit

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: type=6, plen=133

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: what=1, tot =133

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: packet dump

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 85 06 00 00 00  |........|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 04 01 00 00 00 00  |........|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 F9 03 00  |........|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 02  |........|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 03  |........|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 F9 03 00 00  |........|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 33 4F 52 41 2D 30 31  |.3ORA-01|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 30 31 37 3A 20 69 6E 76  |017:.inv|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 61 6C 69 64 20 75 73 65  |alid.use|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 72 6E 61 6D 65 2F 70 61  |rname/pa|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 73 73 77 6F 72 64 3B 20  |ssword;.|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 6C 6F 67 6F 6E 20 64 65  |logon.de|

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 6E 69 65 64 0A           |nied.   |

(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: exit: oln=0, dln=123, tot=133, rc=0

(17600) [27-JUN-2019 09:17:59:066] nioqrc: exit

(17600) [27-JUN-2019 09:18:02:234] nioqds: entry

(17600) [27-JUN-2019 09:18:02:234] nioqds:  disconnecting...

(17600) [27-JUN-2019 09:18:02:234] nsclose: entry

(17600) [27-JUN-2019 09:18:02:234] nsvntx_dei: entry

(17600) [27-JUN-2019 09:18:02:234] nsvntx_dei: exit

Any Ideas / suggestions would be appreciated.

Thanks,

Dwight
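One check worth doing at this point, as an added example that is not part of the original post: in the trace the ORA-01017 text arrives inside an SSL record ("SSL_Data: Read" just before the 133-byte packet), so the TLS session itself is up, and the zero-byte read flagged above is followed by a successful read on the same socket, so it reads as a non-blocking retry rather than the failure. What remains is whether the certificate's subject DN and the EXTERNAL_NAME stored for the user agree character for character. The Python below parses both strings in the RFC 4514 string form, removes only the whitespace that certificate viewers add (spaces around "=" and after ","), compares the ordered attribute list, reports the first differing RDN, and emits the CREATE USER statement and the DBA_USERS query for the database side. The sample DNs are constructed; that Oracle compares the certificate DN with EXTERNAL_NAME as an exact string in its own "TYPE=value,TYPE=value" form is an assumption of this example, not something the thread establishes.

```python
"""Check whether a client certificate's subject DN will match an Oracle
user created with IDENTIFIED EXTERNALLY AS '<dn>'.

Added example; not code from the forum post or from Oracle. Assumption made
here: Oracle compares the certificate DN, rendered as "TYPE=value,..." with
no spaces, against DBA_USERS.EXTERNAL_NAME as an exact string, so the usual
cause of ORA-01017 after a completed TLS handshake is a DN that differs.
The parser follows the RFC 4514 string form (comma-separated RDNs,
backslash escapes, first '=' separates type from value).
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type in upper case, value as written)

# Constructed sample: one subject as a Windows certificate viewer shows it
# (spaces around '=' and after ',') and as it would be stored in the DB.
CERT_SUBJECT_AS_DISPLAYED = (
    "CN = SMITH.JANE.A.1234567890, OU = CONTRACTOR, OU = PKI, OU = DoD, "
    "O = U.S. Government, C = US"
)
EXTERNAL_NAME_IN_DB = (
    "CN=SMITH.JANE.A.1234567890,OU=CONTRACTOR,OU=PKI,OU=DoD,"
    "O=U.S. Government,C=US"
)

# Query for the database side (standard view; not taken from the post).
EXTERNAL_USERS_SQL = (
    "SELECT username, external_name FROM dba_users "
    "WHERE external_name IS NOT NULL"
)
# To print a PEM certificate's subject in RFC 2253 form for comparison:
#   openssl x509 -in client.pem -noout -subject -nameopt RFC2253


def parse_dn(dn: str) -> List[RDN]:
    """Split a string DN into an ordered list of (TYPE, value).

    A comma inside a value must be escaped as '\\,'; the escape is kept in
    the value so oracle_external_name() reproduces it.  Only the first '='
    of each RDN separates type from value, so a CN containing '=' is fine.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep escape and escaped char together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def oracle_external_name(dn: str) -> str:
    """Render a DN as written in IDENTIFIED EXTERNALLY AS '...'."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn))


def dn_matches(cert_subject: str, external_name: str) -> bool:
    """True only if order, value case and escapes all agree.

    Order matters: 'OU=PKI,OU=DoD' and 'OU=DoD,OU=PKI' are different DNs.
    """
    return parse_dn(cert_subject) == parse_dn(external_name)


def first_difference(cert_subject: str, external_name: str) -> str:
    """Say where two DNs diverge, to look at before re-creating the user."""
    a, b = parse_dn(cert_subject), parse_dn(external_name)
    for idx, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return (f"RDN {idx}: certificate has {x[0]}={x[1]!r}, "
                    f"database has {y[0]}={y[1]!r}")
    if len(a) != len(b):
        return f"RDN count differs: certificate {len(a)}, database {len(b)}"
    return "no difference"


def create_user_sql(username: str, cert_subject: str) -> str:
    """CREATE USER with the DN in Oracle's form; single quotes doubled."""
    dn = oracle_external_name(cert_subject).replace("'", "''")
    return f"CREATE USER {username.upper()} IDENTIFIED EXTERNALLY AS '{dn}';"


if __name__ == "__main__":
    print(dn_matches(CERT_SUBJECT_AS_DISPLAYED, EXTERNAL_NAME_IN_DB))
    swapped = EXTERNAL_NAME_IN_DB.replace("OU=PKI,OU=DoD", "OU=DoD,OU=PKI")
    print(first_difference(CERT_SUBJECT_AS_DISPLAYED, swapped))
    print(create_user_sql("dtaylor", CERT_SUBJECT_AS_DISPLAYED))
    print(EXTERNAL_USERS_SQL)
```

Run it with the subject string copied from the certificate dialog and the EXTERNAL_NAME returned by the query; if first_difference() reports a differing RDN, re-create the user with the statement from create_user_sql(). Whitespace is the only thing the comparison forgives; an attribute-order or case difference is reported because it is treated here as a real mismatch.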


Answers

  • Dtaylor-Oracle
    Dtaylor-Oracle Member Posts: 32
    edited Jun 27, 2019 12:19PM

    Additionally, here is the client sqlnet.ora:

    DIAG_ADR_ENABLED=OFF

    NAMES.DIRECTORY_PATH=(TNSNAMES)

    SQLNET.AUTHENTICATION_SERVICES=(MCS,BEQ)

    SSL_CLIENT_AUTHENTICATION = TRUE

    SSL_VERSION=1.1

    WALLET_LOCATION = (SOURCE = (METHOD=MCS))

    trace_level_client = 16

    trace_file_client = cli

    trace_directory_client = D:\app\oracle\diag\clients\user_dtaylor\host_2675559519_82\trace

    trace_unique_client = on

    trace_timestamp_client = on

    trace_fileno_client = 2

    log_file_client = client

    log_directory_client = D:\app\oracle\product\12.2.0\dbhome_1\NETWORK\log

    tnsping.trace_directory = D:\app\oracle\product\12.2.0\dbhome_1\NETWORK\log

    tnsping.trace_level = admin

  • T1DSoldier
    T1DSoldier Member Posts: 60 Blue Ribbon
    edited Sep 30, 2019 3:16PM

    I am currently having the same issue. In the logs it does seem to be making the SSL connection, but when I review the whole log it is not presenting the cert to the database. On one of our platforms where the CAC works you will see the cert being presented in the log and it will connect. Was your server cert signed by the cert authority? On the testing platform I am working on it was not; I am wondering if that has anything to do with it.