Hi,
I am trying to establish an SSL connection to an Oracle DB with an auto-login wallet.
I have followed the document below to create SSL certificates for the server side and the client:
http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf from pages 21, 22
I have placed the server certificates on the server side and the client certificate on the client side (as you can see in the sqlnet.ora files).
In my 12c Oracle DB, I have created a user as below:
++++++++++
create user client_test identified externally as 'CN=client_test,C=US';
grant create session to client_test;
++++++++++
But when I log in from sqlplus, I get the error below.
Am I missing anything in this setup?
bash-4.1$ sqlplus /@MATSDBSSL
SQL*Plus: Release 12.1.0.2.0 Production on Wed Mar 15 05:49:46 2017
Copyright (c) 1982, 2014, Oracle. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
^C
bash-4.1$
+++++++++++++++++++++++++++++++
The listener on the Oracle DB looks good.
+++++++++++++++++++++++++++++++
bash-4.1$ /scratch/aime1/work/MATSDB/bin/lsnrctl status LISTENER
LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 15-MAR-2017 02:50:25
Copyright (c) 1991, 2014, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=slc12lxl.us.oracle.com)(PORT=1234)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 12.1.0.2.0 - Production
Start Date 15-MAR-2017 02:49:20
Uptime 0 days 0 hr. 1 min. 5 sec
Trace Level support
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /scratch/aime1/work/MATSDB/network/admin/listener.ora
Listener Log File /scratch/aime1/work/MATSDB/diag/tnslsnr/slc12lxl/listener/alert/log.xml
Listener Trace File /scratch/aime1/work/MATSDB/diag/tnslsnr/slc12lxl/listener/trace/ora_127178_140712168318400.trc
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=slc12lxl.us.oracle.com)(PORT=1234)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=slc12lxl.us.oracle.com)(PORT=2484)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1234)))
Services Summary...
Service "MATSDB.us.oracle.com" has 1 instance(s).
Instance "MATSDB", status READY, has 1 handler(s) for this service...
Service "MATSDBXDB.us.oracle.com" has 1 instance(s).
Instance "MATSDB", status READY, has 1 handler(s) for this service...
The command completed successfully
bash-4.1$
+++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Root Certificates
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-bash-4.1$ orapki wallet display -wallet root
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Subject: CN=root_test,C=US
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=root_test,C=US
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
truststore Certificates
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-bash-4.1$ orapki wallet display -wallet truststore
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=root_test,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Server side Certificates
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-bash-4.1$ orapki wallet display -wallet server
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=server_test,C=US
User Certificates:
Subject: CN=server_test,C=US
Trusted Certificates:
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=root_test,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
client side Certificates
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-bash-4.1$ orapki wallet display -wallet client_wallet
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=client_test,C=US
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=root_test,C=US
-bash-4.1$
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++
Server side :
+++++++++++++
listener.ora
+++++++++++++
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.242.233.79)(PORT = 1234))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.242.233.79)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1234))
    )
  )
ADR_BASE_LISTENER = /scratch/aime1/work/MATSDB/
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/scratch/aime1/work/MATSDB/bin/server)))
TRACE_LEVEL_LISTENER = SUPPORT
TRACE_FILE_LISTENER = listener
TRACE_DIRECTORY_LISTENER = /scratch/aime1/work/MATSDB/network/trace
LOG_FILE_LISTENER = listener
LOG_DIRECTORY_LISTENER = /scratch/aime1/work/MATSDB/network/trace
LOGGING_LISTENER = ON
+++++++++++++
sqlnet.ora
+++++++++++++
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION=3.0
ADR_BASE = /scratch/aime1/work/MATSDB
SQLNET.WALLET_OVERRIDE = TRUE
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/scratch/aime1/work/MATSDB/bin/server)))
SSL_CLIENT_AUTHENTICATION=FALSE
TRACE_DIRECTORY_SERVER = /scratch/aime1/work/MATSDB/bin/network/trace
trace_level_server = SUPPORT
+++++++++++++
client side:
+++++++++++++
+++++++++++++
sqlnet.ora
+++++++++++++
SSL_VERSION=3.0
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ADR_BASE = /scratch/username1/instantclient_12_1/logs
SQLNET.WALLET_OVERRIDE = TRUE
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/username1/ssl_thin/client_wallet)))
SSL_CLIENT_AUTHENTICATION=TRUE
DIAG_ADR_ENABLED=OFF
TRACE_DIRECTORY_CLIENT=/scratch/username1/instantclient_12_1/trace
LOG_DIRECTORY_CLIENT=/scratch/username1/instantclient_12_1/trace
TRACE_LEVEL_SERVER=SUPPORT
TRACE_LEVEL_CLIENT=SUPPORT
TRACE_UNIQUE_CLIENT=ON
+++++++++++++
tnsnames.ora
+++++++++++++
MATSDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.242.233.79)(PORT = 1234))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = MATSDB.us.oracle.com)
    )
  )
MATSDBSSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.242.233.79)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = MATSDB.us.oracle.com)
    )
  )
LISTENER_MATSDB =
  (ADDRESS = (PROTOCOL = TCP)(HOST = 10.242.233.79)(PORT = 1234))
+++++++++++++
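
The following is an added example, not part of the original post: a Python check over the two sqlnet.ora files that reports the settings affecting certificate-based logon for a user created with "identified externally as" a DN. The parameter values are copied from the post (wallet, trace and ADR lines left out); the function names are made up for this example.

```python
import re

# Constructed sample: the sqlnet.ora parameters quoted in the post above.
SERVER_SQLNET = """\
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION=3.0
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION=FALSE
"""
CLIENT_SQLNET = """\
SSL_VERSION=3.0
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION=TRUE
"""

def parse_sqlnet(text):
    """Return {NAME: value} for one-line NAME=value entries (names upper-cased)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" in line:
            name, value = line.split("=", 1)      # value may itself contain '='
            params[name.strip().upper()] = value.strip()
    return params

def value_list(value):
    """'(BEQ, TCPS)' -> ['BEQ', 'TCPS']"""
    return [v.upper() for v in re.findall(r"[A-Za-z0-9_.]+", value)]

def check_cert_logon(server, client):
    """List settings that block or weaken certificate (DN) authentication."""
    findings = []
    # The parameter defaults to TRUE when absent; only the server side requests the cert.
    if server.get("SSL_CLIENT_AUTHENTICATION", "TRUE").upper() != "TRUE":
        findings.append("server: SSL_CLIENT_AUTHENTICATION is not TRUE, so the client "
                        "certificate is never requested and the DN cannot be matched")
    services = server.get("SQLNET.AUTHENTICATION_SERVICES")
    if services is not None and not {"TCPS", "ALL"} & set(value_list(services)):
        findings.append("server: SQLNET.AUTHENTICATION_SERVICES is set without TCPS")
    for side, params in (("server", server), ("client", client)):
        if params.get("SSL_VERSION") == "3.0":
            findings.append(f"{side}: SSL_VERSION=3.0 pins SSLv3, deprecated by RFC 7568")
    return findings

if __name__ == "__main__":
    for finding in check_cert_logon(parse_sqlnet(SERVER_SQLNET), parse_sqlnet(CLIENT_SQLNET)):
        print(finding)
```

On the posted files this reports the server-side SSL_CLIENT_AUTHENTICATION=FALSE and the SSLv3 pin on both sides.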