Oracle 12.2 TLS connection - ODP.NET client configuration
Hello,
We have to set up an encrypted TLS connection on port 2484 between an ODP.NET client and our Oracle 12.2 RDBMS.
We only need to use server SSL, so no client SSL/authentication ==> server SSL certificate.
Authentication at DB level stays based on username/password.
I guess the above is possible?
We are starting from a Java JKS keystore.
On the Oracle RDBMS side, I think the following steps must be taken, correct?
- Create Java keystore and key-pair
- Create CSR
- Provide CSR to CA for signing
- Import root (and intermediate) CA certificate
- Import our CA-signed certificate
- Use the orapki tool to create a wallet from the JKS keystore.
- Configure the Oracle and listener .ora files so they use port 2484 and the wallet.
It's not clear, however, what we have to do on the ODP.NET client side.
Given that we only use server SSL, do we need to create a wallet on the client side as well, and if so, what certificates does it have to contain?
Below is the current, non-encrypted (port 1521) connection configuration used by the client.
tnsnames.ora

XXX_PS =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = xyz-db.abc.be)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = myservice.zzz.BE)
    )
  )
Kr,
EDH
Answers
-
Yes, Oracle DB clients/servers using SSL must have wallet/cert on the client AND the client and server must have a common trustpoint. You should use that ROOT that you referenced when making the server cert as the root for the client cert also. The procedure is the one that is specified here: Christian Shay - Oracle and .NET: Setting up Transport Layer Security/Secure Sockets Layer for Managed ODP.NET.
-
We get SSL errors ORA-28862: SSL connection failed and then ORA-28860: fatal SSL error. See screenshots below.
Our wallets on the server and client look like this. Are they OK?
Server wallet contents (wallet generated on the RDBMS server, linux, used on the server)
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: [email protected],CN=dbname.xxx.be,OU=FES,O=EWS,L=Brussels,ST=Belgium,C=BE
Trusted Certificates:
Subject: CN=XXX Issuing CA 2,O=MyOrg (ABC ICT),C=BE
Subject: CN=XXX Issuing CA 1,O=MyOrg (ABC ICT),C=BE
Subject: CN=XXX Root CA,O=MyOrg (ABC ICT),C=BE
Client wallet contents (wallet generated on the RDBMS server, linux, but used on the client, Windows)
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=XXX Root CA,O=MyOrg (ABC ICT),C=BE
Subject: CN=XXX Issuing CA 2,O=MyOrg (ABC ICT),C=BE
Subject: CN=XXX Issuing CA 1,O=MyOrg (ABC ICT),C=BE
The error we get is:
Could those errors point to a wallet configuration problem, or rather to a sqlnet.ora/tnsnames.ora config problem?
Kr.
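As an added example (mine, not code from the poster, the answerer or Oracle), the server-side procedure listed in the question carried through as a bash script, together with the client-side Oracle Net files and a way to test the ORA-28862 failure from the follow-up without involving ODP.NET. It assumes keytool (JDK), orapki and openssl are on PATH; the hostname, service name, paths, passwords and the certificate DN are placeholders taken from the thread, not real values. The client wallet built here contains only the CA chain as trusted certificates: with SSL_CLIENT_AUTHENTICATION = FALSE the server never requests a client certificate, so a user certificate on the client is not needed for server-only TLS.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Walks the server-side steps from
# the question (JKS key pair -> CSR -> CA-signed chain -> orapki wallet ->
# TCPS on 2484) and the client-side files for a server-only TLS setup.
# Hostnames, paths, passwords and the DN are placeholders.
set -eu

# Steps 1-3: key pair and CSR in a JKS. The CSR goes to the CA out of band;
# the CA returns the leaf certificate (server.cer below).
jks_request() {   # $1 keystore, $2 password, $3 CN (the DB host name)
  local jks="$1" pass="$2" cn="$3"
  keytool -genkeypair -alias dbserver -keyalg RSA -keysize 2048 \
    -dname "CN=${cn},OU=FES,O=EWS,L=Brussels,ST=Belgium,C=BE" \
    -keystore "$jks" -storepass "$pass" -keypass "$pass"
  keytool -certreq -alias dbserver -file server.csr \
    -keystore "$jks" -storepass "$pass"
}

# Steps 4-5: import the chain root-first, then the leaf under the key-pair
# alias. keytool rejects the leaf if its issuer is not yet trusted, so order matters.
jks_install_chain() {   # $1 keystore, $2 password, $3 leaf cert, then CA certs root-first
  local jks="$1" pass="$2" leaf="$3"; shift 3
  local i=0
  for ca in "$@"; do
    keytool -importcert -noprompt -alias "ca$i" -file "$ca" \
      -keystore "$jks" -storepass "$pass"
    i=$((i + 1))
  done
  keytool -importcert -noprompt -alias dbserver -file "$leaf" \
    -keystore "$jks" -storepass "$pass"
}

# Step 6: convert the JKS into an auto-login Oracle wallet for the server.
jks_to_wallet() {   # $1 keystore, $2 JKS password, $3 wallet dir, $4 wallet password
  local jks="$1" jkspass="$2" dir="$3" wpass="$4"
  mkdir -p "$dir"
  orapki wallet create -wallet "$dir" -pwd "$wpass" -auto_login
  orapki wallet jks_to_pkcs12 -wallet "$dir" -pwd "$wpass" \
    -keystore "$jks" -jkspwd "$jkspass"
  orapki wallet display -wallet "$dir"   # expect the user cert plus the CA chain
}

# Client wallet for server-only TLS: trust anchors only, no user certificate.
client_wallet() {   # $1 wallet dir, $2 wallet password, then CA certs to trust
  local dir="$1" wpass="$2"; shift 2
  mkdir -p "$dir"
  orapki wallet create -wallet "$dir" -pwd "$wpass" -auto_login
  for ca in "$@"; do
    orapki wallet add -wallet "$dir" -pwd "$wpass" -trusted_cert -cert "$ca"
  done
}

# Step 7: Oracle Net files. These only print the text so it can be reviewed
# (or diffed against the live files) before being written.
server_sqlnet_ora() {   # $1 server wallet dir
  cat <<EOF
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = $1)))
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
EOF
}

server_listener_ora() {   # $1 host, $2 server wallet dir
  cat <<EOF
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = $1)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = $1)(PORT = 2484))))
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = $2)))
SSL_CLIENT_AUTHENTICATION = FALSE
EOF
}

client_tnsnames_ora() {   # $1 alias, $2 host, $3 service name
  cat <<EOF
$1 =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = $2)(PORT = 2484)))
    (CONNECT_DATA = (SERVICE_NAME = $3)))
EOF
}

client_sqlnet_ora() {   # $1 client wallet dir; TNS_ADMIN must point at this file's directory
  cat <<EOF
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = $1)))
SSL_SERVER_DN_MATCH = YES
EOF
}

# ORA-28862/ORA-28860 triage without ODP.NET: does the listener speak TLS on
# 2484 and present a chain that validates against the root the client trusts?
# "Verify return code: 0 (ok)" in the output means the server side is fine.
check_server_tls() {   # $1 host, $2 root CA certificate in PEM
  openssl s_client -connect "$1:2484" -CAfile "$2" -showcerts </dev/null
}
```

Typical order on the server: jks_request, send server.csr to the CA, jks_install_chain with the returned leaf and the root and issuing CA certificates, jks_to_wallet, then write server_sqlnet_ora and server_listener_ora output into $ORACLE_HOME/network/admin and reload the listener. On the client, build the wallet with client_wallet (or copy one built with it), drop client_sqlnet_ora and client_tnsnames_ora output into the TNS_ADMIN directory the managed ODP.NET driver reads, and run check_server_tls from any machine that can reach port 2484 before blaming the client configuration.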