Oracle 12.2 TLS connection - ODP.NET client configuration — oracle-tech


3716328 Member Posts: 2
edited June 2018 in ODP.NET

Hello,

We have to set up an encrypted TLS connection on port 2484 between an ODP.NET client and our Oracle 12.2 RDBMS.

We only need server SSL, so no client SSL/authentication ==> server SSL certificate only.

Authentication at DB level stays based on username/password.

I guess the above is possible?

We are starting from a Java JKS keystore.

On the Oracle RDBMS side I think the following steps must be taken, correct?

- Create Java keystore and key-pair

- Create CSR

- Provide CSR to CA for signing

- Import root (and intermediate) CA certificate

- Import our CA-signed certificate

- Use the orapki tool to create a wallet from the JKS keystore.

- Configure Oracle and the listener .ora files so it uses port 2484 and the wallet.

It's not clear, however, what we have to do at the ODP.NET client side.

Given that we only use server SSL, do we need to create a wallet at the client side as well, and if so, what certificates does it have to contain?

Below is the current, non-encrypted connection (port 1521) configuration used by the client.


tnsnames.ora

  XXX_PS =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = xyz-db.abc.be)(PORT = 1521))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = myservice.zzz.BE)
      )
    )

Kr,

EDH


Answers

  • Alex Keh-Oracle Posts: 2,753 Employee
    edited May 2018

    Yes, Oracle DB clients/servers using SSL must have a wallet/cert on the client, AND the client and server must have a common trust point. You should use that ROOT that you referenced when making the server cert as the root for the client cert also. The procedure is the one that is specified here: Christian Shay - Oracle and .NET: Setting up Transport Layer Security/Secure Sockets Layer for Managed ODP.NET.

  • 3716328 Member Posts: 2
    edited June 2018

    We get the SSL errors ORA-28862: SSL connection failed and then ORA-28860: Fatal SSL error. See screenshots below.

    Our wallets on the server and client look like this. Are they OK?

    Server wallet contents (wallet generated on the RDBMS server, Linux, used on the server):

    Oracle PKI Tool : Version 12.2.0.1.0
    Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

    Requested Certificates:
    User Certificates:
    Subject:        [email protected],CN=dbname.xxx.be,OU=FES,O=EWS,L=Brussels,ST=Belgium,C=BE
    Trusted Certificates:
    Subject:        CN=XXX Issuing CA 2,O=MyOrg (ABC ICT),C=BE
    Subject:        CN=XXX Issuing CA 1,O=MyOrg (ABC ICT),C=BE
    Subject:        CN=XXX Root CA,O=MyOrg (ABC ICT),C=BE

    Client wallet contents (wallet generated on the RDBMS server, Linux, but used on the client, Windows):

    Oracle PKI Tool : Version 12.2.0.1.0
    Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

    Requested Certificates:
    User Certificates:
    Trusted Certificates:
    Subject:        CN=XXX Root CA,O=MyOrg (ABC ICT),C=BE
    Subject:        CN=XXX Issuing CA 2,O=MyOrg (ABC ICT),C=BE
    Subject:        CN=XXX Issuing CA 1,O=MyOrg (ABC ICT),C=BE

    The error we get is shown in the attached screenshots (ORA-28862, then ORA-28860; images not reproduced here).

    Could those errors point to a wallet configuration problem, or rather to a sqlnet.ora/tnsnames.ora config problem?

    Kr.

This discussion has been closed.