Oracle Database Discussions

ssl connection to 12c db failed with ORA-01017: invalid username/password; logon denied

satyanarayana.mekala-Oracle, Mar 15 2017 (edited Mar 16 2017)

Hi,

I am trying to establish an SSL connection to an Oracle DB with an auto-login wallet.

I have followed the document below to create SSL certificates for the server side and the client:

http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf (from pages 21 and 22)

I have placed the server certificates on the server side and the client certificate on the client side (as you can see in the sqlnet.ora files).

In my 12c Oracle DB, I have created a user as below:

++++++++++

   create user client_test identified externally as 'CN=client_test,C=US';

   grant create session to client_test;

++++++++++

But when I log in from sqlplus, I get the error below.

Am I missing anything in this setup?

bash-4.1$ sqlplus /@MATSDBSSL

SQL*Plus: Release 12.1.0.2.0 Production on Wed Mar 15 05:49:46 2017

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

ERROR:

ORA-01017: invalid username/password; logon denied

Enter user-name:

^C

bash-4.1$

+++++++++++++++++++++++++++++++

The listener on the Oracle DB looks good.

+++++++++++++++++++++++++++++++

bash-4.1$ /scratch/aime1/work/MATSDB/bin/lsnrctl status LISTENER

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 15-MAR-2017 02:50:25

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=slc12lxl.us.oracle.com)(PORT=1234)))

STATUS of the LISTENER

------------------------

Alias                     LISTENER

Version                   TNSLSNR for Linux: Version 12.1.0.2.0 - Production

Start Date                15-MAR-2017 02:49:20

Uptime                    0 days 0 hr. 1 min. 5 sec

Trace Level               support

Security                  ON: Local OS Authentication

SNMP                      OFF

Listener Parameter File   /scratch/aime1/work/MATSDB/network/admin/listener.ora

Listener Log File         /scratch/aime1/work/MATSDB/diag/tnslsnr/slc12lxl/listener/alert/log.xml

Listener Trace File       /scratch/aime1/work/MATSDB/diag/tnslsnr/slc12lxl/listener/trace/ora_127178_140712168318400.trc

Listening Endpoints Summary...

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=slc12lxl.us.oracle.com)(PORT=1234)))

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=slc12lxl.us.oracle.com)(PORT=2484)))

  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1234)))

Services Summary...

Service "MATSDB.us.oracle.com" has 1 instance(s).

  Instance "MATSDB", status READY, has 1 handler(s) for this service...

Service "MATSDBXDB.us.oracle.com" has 1 instance(s).

  Instance "MATSDB", status READY, has 1 handler(s) for this service...

The command completed successfully

bash-4.1$

+++++++++

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Root Certificates

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-bash-4.1$ orapki wallet display -wallet root

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Requested Certificates:

User Certificates:

Subject:        CN=root_test,C=US

Trusted Certificates:

Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US

Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=root_test,C=US

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

truststore Certificates

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-bash-4.1$ orapki wallet display -wallet truststore

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

User Certificates:

Trusted Certificates:

Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US

Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=root_test,C=US

Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Server side Certificates

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-bash-4.1$ orapki wallet display -wallet server

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

Subject:        CN=server_test,C=US

User Certificates:

Subject:        CN=server_test,C=US

Trusted Certificates:

Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US

Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=root_test,C=US

Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

client side Certificates

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-bash-4.1$ orapki wallet display -wallet client_wallet

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

User Certificates:

Subject:        CN=client_test,C=US

Trusted Certificates:

Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US

Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=root_test,C=US

-bash-4.1$

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++

Server side :

+++++++++++++

listener.ora

+++++++++++++

LISTENER =

  (DESCRIPTION_LIST =

    (DESCRIPTION =

      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.242.233.79)(PORT = 1234))

      (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.242.233.79)(PORT = 2484))

      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1234))

    )

  )

ADR_BASE_LISTENER = /scratch/aime1/work/MATSDB/

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/scratch/aime1/work/MATSDB/bin/server)))

TRACE_LEVEL_LISTENER = SUPPORT

TRACE_FILE_LISTENER = listener

TRACE_DIRECTORY_LISTENER = /scratch/aime1/work/MATSDB/network/trace

LOG_FILE_LISTENER = listener

LOG_DIRECTORY_LISTENER = /scratch/aime1/work/MATSDB/network/trace

LOGGING_LISTENER = ON

+++++++++++++

sqlnet.ora

+++++++++++++

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)

SSL_VERSION=3.0

ADR_BASE = /scratch/aime1/work/MATSDB

SQLNET.WALLET_OVERRIDE = TRUE

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/scratch/aime1/work/MATSDB/bin/server)))

SSL_CLIENT_AUTHENTICATION=FALSE

TRACE_DIRECTORY_SERVER = /scratch/aime1/work/MATSDB/bin/network/trace

trace_level_server = SUPPORT

+++++++++++++

client side:

+++++++++++++

+++++++++++++

sqlnet.ora

+++++++++++++

SSL_VERSION=3.0

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

ADR_BASE = /scratch/username1/instantclient_12_1/logs

SQLNET.WALLET_OVERRIDE = TRUE

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/username1/ssl_thin/client_wallet)))

SSL_CLIENT_AUTHENTICATION=TRUE

DIAG_ADR_ENABLED=OFF

TRACE_DIRECTORY_CLIENT=/scratch/username1/instantclient_12_1/trace

LOG_DIRECTORY_CLIENT=/scratch/username1/instantclient_12_1/trace

TRACE_LEVEL_SERVER=SUPPORT

TRACE_LEVEL_CLIENT=SUPPORT

TRACE_UNIQUE_CLIENT=ON

+++++++++++++

tnsnames.ora

+++++++++++++

MATSDB =

  (DESCRIPTION =

    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.242.233.79)(PORT = 1234))

    (CONNECT_DATA =

      (SERVER = DEDICATED)

      (SERVICE_NAME = MATSDB.us.oracle.com)

    )

  )

MATSDBSSL =

  (DESCRIPTION =

    (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.242.233.79)(PORT = 2484))

    (CONNECT_DATA =

      (SERVER = DEDICATED)

      (SERVICE_NAME = MATSDB.us.oracle.com)

    )

  )

LISTENER_MATSDB =

  (ADDRESS = (PROTOCOL = TCP)(HOST = 10.242.233.79)(PORT = 1234))

+++++++++++++

This post has been answered by Vlad Visan-Oracle on Mar 15 2017
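
A configuration check over the two sqlnet.ora files shown in the question, added here as an example; it is not part of the original post and not the accepted answer. It parses the settings as posted and lists the ones that bear on TLS client-certificate logins. The function names are hypothetical, and the three checks assume general Oracle Net behaviour (SSL_CLIENT_AUTHENTICATION defaults to TRUE; TCPS is the authentication service for certificate logins).

```python
import re

# sqlnet.ora excerpts copied from the post (only the lines the checks read)
SERVER_SQLNET = """\
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION=3.0
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION=FALSE
"""
CLIENT_SQLNET = """\
SSL_VERSION=3.0
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION=TRUE
"""

def parse_sqlnet(text):
    """Return {PARAM: value} for single-line 'NAME = value' entries, names upper-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z_.]+)\s*=\s*(.+)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params

def audit(role, params, cert_login=True):
    """List settings on one side that affect certificate-based (TCPS) logins."""
    findings = []
    if params.get("SSL_VERSION") == "3.0":
        findings.append(f"{role}: SSL_VERSION=3.0 pins SSLv3 (deprecated by RFC 7568)")
    services = params.get("SQLNET.AUTHENTICATION_SERVICES")
    if services is not None and cert_login:
        names = {s.strip().upper() for s in services.strip("()").split(",")}
        if "TCPS" not in names:
            findings.append(f"{role}: AUTHENTICATION_SERVICES set without TCPS")
    if role == "server" and cert_login:
        # Assumed default when the parameter is absent: TRUE
        if params.get("SSL_CLIENT_AUTHENTICATION", "TRUE").upper() == "FALSE":
            findings.append("server: SSL_CLIENT_AUTHENTICATION=FALSE, so no client "
                            "certificate DN is requested for an externally identified user")
    return findings

def audit_pair(server_text, client_text):
    """Audit both sides and return the combined findings, server first."""
    return (audit("server", parse_sqlnet(server_text))
            + audit("client", parse_sqlnet(client_text)))

if __name__ == "__main__":
    for finding in audit_pair(SERVER_SQLNET, CLIENT_SQLNET):
        print(finding)
```
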


Post Details

Locked on Apr 13 2017
Added on Mar 15 2017