7 Replies Latest reply on Apr 29, 2011 11:56 PM by Peter Wahl-Oracle

    Oracle Wallet PKCS11 Configuration Issues

    850706
      I'm trying to configure a PKCS#11 wallet for use as client authentication to an Oracle database.

      orapki wallet p11_verify -wallet wallet_location [-pwd password]

      works properly but when attempting to use it for client authentication it doesn't connect to the smart card at all (i.e. C_Initialize is not being called, the PKCS#11 library is not being loaded, etc.).

      Any ideas?

      Is there any information on using a common access card (CAC or PIV) or any other smart card with Oracle Wallet for client-side authentication (as opposed to TDE on the server)?

      Thanks,
      Jonathan
        • 1. Re: Oracle Wallet PKCS11 Configuration Issues
          855759
          I am assuming you are using HSM Wallet, NOT Software Wallet.

          1)
          Refer to this doc, and read from Page 15 and forward:
          http://www.oracle.com/technetwork/articles/systems-hardware-architecture/adv-encryption-sca6000-163879.pdf

          2)
          Where is your PKCS #11 library located?

          According to the doc, for SafeNet HSM (Protect C software version PKCS #11), on a 64-bit RedHat machine, such a library has to be stored under:
          /opt/oracle/extapi/{ 32 | 64 }/hsm/{ vendor name }/{library version}/lib
          (i.e. /opt/oracle/extapi/64/hsm/safenet/3.30.00/lib)

          3)
          To look for error log from Oracle TDE, look under:
          $ORACLE_BASE/diag/rdbms/{db name}/{db name}/incident/

          Under Linux, I have a log file:
          $ORACLE_BASE/diag/rdbms/{db name}/{db name}/incident/incdir_6168/db-name_ora_19012_i6168.trc
          And, at line 4094, I could see the libpkcs11.so being loaded under:
          /opt/oracle/extapi/{ 32 | 64 }/hsm/{ vendor name }/{library version}/lib

          4)
          Make sure all environment variables are set, and set correctly:
          ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
          ORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1; export ORACLE_HOME
          ORACLE_SID=db-name; export ORACLE_SID
          ORACLE_TERM=xterm; export ORACLE_TERM
          export TNS_ADMIN=$ORACLE_HOME/network/admin
          export WALLET_LOCATION=/u01/app/oracle/admin/db-name/wallet_TDE_SqlPlus/


          Best,
          Steve

          Edited by: 852756 on Apr 15, 2011 7:00 PM

          Edited by: 852756 on Apr 15, 2011 7:16 PM
          • 2. Re: Oracle Wallet PKCS11 Configuration Issues
            Peter Wahl-Oracle
            Hi Jonathan,

            would you mind sharing with us whose card and card reader you are attempting to use? The SCA6000 card mentioned below has been certified as a local HSM (as opposed to a network-based HSM) and does not help with authentication.

            Best, Peter
            • 3. Re: Oracle Wallet PKCS11 Configuration Issues
              850706
              We're using a software-based PKCS#11 library in our testing (it's called CSPid). We have concluded that it works perfectly when using the 32-bit Instant Client (we can successfully connect and use SQL*Plus). The 64-bit Oracle client refuses to load the 64-bit PKCS#11 library (it won't reach DLLMain). It's unclear to us what the particular issue is at this time as other software (i.e. 64-bit Firefox, 64-bit Java) will load the library.

              Sincerely,
              Jonathan
              • 4. Re: Oracle Wallet PKCS11 Configuration Issues
                Peter Wahl-Oracle
                Jonathan,

                thanks for the answers. What OS are you trying to authenticate from? Also, my question was what card and card reader you're trying to use.

                Cheers, Peter
                • 5. Re: Oracle Wallet PKCS11 Configuration Issues
                  850706
                  OS is Windows 7 64-bit. There is no physical card or reader being used. CSPid is a virtual (i.e. entirely software-based) smartcard. It behaves very much like a network attached HSM.

                  Jonathan
                  • 6. Re: Oracle Wallet PKCS11 Configuration Issues
                    855759
                    Is your 64-bit PKCS #11 library located under the correct path?
                    (i.e. for RedHat Linux: /opt/oracle/extapi/64/hsm/{ vendor name }/{library version}/lib)

                    Also, make sure that under $ORACLE_HOME there is only one binary file of the PKCS #11 library.
                    I believe Oracle will load all PKCS #11 libraries under the path $ORACLE_HOME.

                    Check the log file of Oracle for the load error.

                    Best,
                    Steve
                    • 7. Re: Oracle Wallet PKCS11 Configuration Issues
                      Peter Wahl-Oracle
                      It should be under "/opt/oracle/extapi/64/hsm/{ vendor name }/{library version}/"; the library name has to begin with "lib...", but try moving the library into "/opt/oracle/extapi/32/hsm/{ vendor name }/{library version}/" just to be sure.

                      The Oracle DB will load external libraries only from /opt/oracle/extapi/

                      Peter
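Added example, not from the thread or from Oracle: a POSIX shell check of the layout rules given in reply 1 and reply 7 (library under /opt/oracle/extapi/{32|64}/hsm/{vendor}/{version}/ or its lib/ subdirectory, file name beginning with "lib", exactly one library). The root directory is a parameter so the check can be run against a constructed tree; the vendor name, version and file names in the demo are made up.

```shell
# check_extapi ROOT BITS
# ROOT stands in for "/opt/oracle" (parameterised so the check can run on a
# constructed tree); BITS is 32 or 64. Prints each problem found and returns 0
# only when exactly one "lib*" file exists under ROOT/extapi/BITS/hsm/.
check_extapi() {
    base="$1/extapi/$2/hsm" found=0 rc=0
    [ -d "$base" ] || { echo "missing directory: $base"; return 1; }
    # both vendor/version/ and vendor/version/lib/ are named in the thread
    for f in "$base"/*/*/* "$base"/*/*/lib/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            lib*) found=$((found + 1)); echo "candidate library: $f" ;;
            *)    echo "name does not begin with lib, loader will skip: $f"; rc=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "expected exactly one lib* file, found $found"; rc=1; }
    return $rc
}

# Constructed demo tree (not a real HSM install): a correct 64-bit layout and
# a 32-bit tree whose library is misnamed. Prints the temporary root.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/extapi/64/hsm/vendorx/1.0/lib" "$d/extapi/32/hsm/vendorx/1.0"
    : > "$d/extapi/64/hsm/vendorx/1.0/lib/libpkcs11.so"
    : > "$d/extapi/32/hsm/vendorx/1.0/pkcs11.so"
    echo "$d"
}

# Run with --demo to exercise both cases; pass a real root and bit width
# (e.g. /opt/oracle 64) to check an actual installation.
if [ "${1:-}" = "--demo" ]; then
    root=$(demo_tree)
    check_extapi "$root" 64 && echo "64-bit layout OK"
    check_extapi "$root" 32 || echo "32-bit layout has problems"
    rm -rf "$root"
fi
```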