
ssl connection to 12c db failed with ORA-01017: invalid username/password; logon denied

satyanarayana.mekala-Oracle, Mar 15 2017 — edited Mar 16 2017

Hi,

I am trying to establish an SSL connection to an Oracle DB with an autologin wallet.

I have followed the document below to create SSL certificates for the server side and the client:

http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf from page 21,22

I have placed the server certificates on the server side and the client certificate on the client side (as you can see in the sqlnet.ora files).

In my 12c Oracle DB, I have created a user as below:

++++++++++

   create user client_test identified externally as 'CN=client_test,C=US';

   grant create session to client_test;

++++++++++

But when I log in from sqlplus, I am getting the error below:

Am I missing anything in this setup?

bash-4.1$ sqlplus /@MATSDBSSL

SQL*Plus: Release 12.1.0.2.0 Production on Wed Mar 15 05:49:46 2017

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

ERROR:

ORA-01017: invalid username/password; logon denied

Enter user-name:

^C

bash-4.1$

+++++++++++++++++++++++++++++++

The listener on the Oracle DB looks good.

+++++++++++++++++++++++++++++++

bash-4.1$ /scratch/aime1/work/MATSDB/bin/lsnrctl status LISTENER

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 15-MAR-2017 02:50:25

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=slc12lxl.us.oracle.com)(PORT=1234)))

STATUS of the LISTENER

------------------------

Alias                     LISTENER

Version                   TNSLSNR for Linux: Version 12.1.0.2.0 - Production

Start Date                15-MAR-2017 02:49:20

Uptime                    0 days 0 hr. 1 min. 5 sec

Trace Level               support

Security                  ON: Local OS Authentication

SNMP                      OFF

Listener Parameter File   /scratch/aime1/work/MATSDB/network/admin/listener.ora

Listener Log File         /scratch/aime1/work/MATSDB/diag/tnslsnr/slc12lxl/listener/alert/log.xml

Listener Trace File       /scratch/aime1/work/MATSDB/diag/tnslsnr/slc12lxl/listener/trace/ora_127178_140712168318400.trc

Listening Endpoints Summary...

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=slc12lxl.us.oracle.com)(PORT=1234)))

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=slc12lxl.us.oracle.com)(PORT=2484)))

  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1234)))

Services Summary...

Service "MATSDB.us.oracle.com" has 1 instance(s).

  Instance "MATSDB", status READY, has 1 handler(s) for this service...

Service "MATSDBXDB.us.oracle.com" has 1 instance(s).

  Instance "MATSDB", status READY, has 1 handler(s) for this service...

The command completed successfully

bash-4.1$

+++++++++

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Root Certificates

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-bash-4.1$ orapki wallet display -wallet root

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Requested Certificates:

User Certificates:

Subject:        CN=root_test,C=US

Trusted Certificates:

Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US

Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=root_test,C=US

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

truststore Certificates

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-bash-4.1$ orapki wallet display -wallet truststore

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

User Certificates:

Trusted Certificates:

Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US

Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=root_test,C=US

Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Server side Certificates

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-bash-4.1$ orapki wallet display -wallet server

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

Subject:        CN=server_test,C=US

User Certificates:

Subject:        CN=server_test,C=US

Trusted Certificates:

Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US

Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=root_test,C=US

Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

client side Certificates

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-bash-4.1$ orapki wallet display -wallet client_wallet

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

User Certificates:

Subject:        CN=client_test,C=US

Trusted Certificates:

Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US

Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=root_test,C=US

-bash-4.1$

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++

Server side :

+++++++++++++

listener.ora

+++++++++++++

LISTENER =

  (DESCRIPTION_LIST =

    (DESCRIPTION =

      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.242.233.79)(PORT = 1234))

      (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.242.233.79)(PORT = 2484))

      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1234))

    )

  )

ADR_BASE_LISTENER = /scratch/aime1/work/MATSDB/

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/scratch/aime1/work/MATSDB/bin/server)))

TRACE_LEVEL_LISTENER = SUPPORT

TRACE_FILE_LISTENER = listener

TRACE_DIRECTORY_LISTENER = /scratch/aime1/work/MATSDB/network/trace

LOG_FILE_LISTENER = listener

LOG_DIRECTORY_LISTENER = /scratch/aime1/work/MATSDB/network/trace

LOGGING_LISTENER = ON

+++++++++++++

sqlnet.ora

+++++++++++++

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)

SSL_VERSION=3.0

ADR_BASE = /scratch/aime1/work/MATSDB

SQLNET.WALLET_OVERRIDE = TRUE

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/scratch/aime1/work/MATSDB/bin/server)))

SSL_CLIENT_AUTHENTICATION=FALSE

TRACE_DIRECTORY_SERVER = /scratch/aime1/work/MATSDB/bin/network/trace

trace_level_server = SUPPORT

+++++++++++++

client side:

+++++++++++++

+++++++++++++

sqlnet.ora

+++++++++++++

SSL_VERSION=3.0

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

ADR_BASE = /scratch/username1/instantclient_12_1/logs

SQLNET.WALLET_OVERRIDE = TRUE

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/username1/ssl_thin/client_wallet)))

SSL_CLIENT_AUTHENTICATION=TRUE

DIAG_ADR_ENABLED=OFF

TRACE_DIRECTORY_CLIENT=/scratch/username1/instantclient_12_1/trace

LOG_DIRECTORY_CLIENT=/scratch/username1/instantclient_12_1/trace

TRACE_LEVEL_SERVER=SUPPORT

TRACE_LEVEL_CLIENT=SUPPORT

TRACE_UNIQUE_CLIENT=ON

+++++++++++++

tnsnames.ora

+++++++++++++

MATSDB =

  (DESCRIPTION =

    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.242.233.79)(PORT = 1234))

    (CONNECT_DATA =

      (SERVER = DEDICATED)

      (SERVICE_NAME = MATSDB.us.oracle.com)

    )

  )

MATSDBSSL =

  (DESCRIPTION =

    (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.242.233.79)(PORT = 2484))

    (CONNECT_DATA =

      (SERVER = DEDICATED)

      (SERVICE_NAME = MATSDB.us.oracle.com)

    )

  )

LISTENER_MATSDB =

  (ADDRESS = (PROTOCOL = TCP)(HOST = 10.242.233.79)(PORT = 1234))

+++++++++++++
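A check over the two sqlnet.ora files posted above, as an added example that is not part of the original post or of any reply in the thread. It flags settings that a certificate-DN login (`identified externally as 'CN=...'`) depends on; the function names are hypothetical, the sample text is constructed from the SSL-related lines of the post, and only one-line `NAME = VALUE` entries are parsed.

```python
import re

# Constructed samples: the SSL-related lines of the posted sqlnet.ora files.
SERVER_SQLNET = """\
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION=3.0
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION=FALSE
"""
CLIENT_SQLNET = """\
SSL_VERSION=3.0
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION=TRUE
"""

def parse_sqlnet(text):
    """Return {UPPERCASE_PARAM: value} for one-line NAME = VALUE entries."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z_.]+)\s*=\s*(.+)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params

def lint_for_dn_auth(text, side):
    """List settings that conflict with certificate-DN (external) logins."""
    p = parse_sqlnet(text)
    findings = []
    # Only an explicit list that omits TCPS (and ALL) is reported.
    services = p.get("SQLNET.AUTHENTICATION_SERVICES")
    if services is not None and not (
        {"TCPS", "ALL"} & set(re.findall(r"\w+", services.upper()))
    ):
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not list TCPS")
    # The parameter defaults to TRUE, so only an explicit FALSE is reported.
    if p.get("SSL_CLIENT_AUTHENTICATION", "TRUE").upper() == "FALSE":
        findings.append("SSL_CLIENT_AUTHENTICATION=FALSE: no client "
                        "certificate is requested, so no DN reaches the database")
    if p.get("SSL_VERSION") == "3.0":
        findings.append("SSL_VERSION=3.0 pins the obsolete SSLv3 protocol")
    return [f"{side}: {f}" for f in findings]

if __name__ == "__main__":
    for finding in (lint_for_dn_auth(SERVER_SQLNET, "server")
                    + lint_for_dn_auth(CLIENT_SQLNET, "client")):
        print(finding)
```
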

This post has been answered by Vlad Visan-Oracle on Mar 15 2017

Comments

alwu-Oracle
What is your DB version and what version of Jena Adaptor are you using?

Thanks,

Zhe Wu
Ram Krishna
The oracle database is v11.1.0.7 and we are using the new Jena adaptor (rel 3) that we got from our metalink site.

ram
alwu-Oracle
Hi,

It seems that the new version of Jena Adaptor is doing the right job to convert the whole SPARQL into a single SEM_MATCH based query. Now the problem is that 11.1.0.7 database has this known server side bug (table function related) when the query is too big. You did not see this problem with Jena Adaptor v2 because ARQ breaks the query into many small pieces.

To fix this problem, there are a few choices:

1) upgrade to database 11.2, or
2) shorten your query, or
3) file a tar with Oracle support.

We are working on an optimization in Jena Adaptor to convert a SPARQL (with just a base BGP and a number of parallel OPTIONAL clauses) into a plain SQL. This may solve your problem even if you continue to use 11.1.0.7.

Cheers,

Zhe Wu
Ram Krishna
Thanks Zhe- that is helpful. We will use one of the workarounds before we switch to 11.2.

ram

Post Details

Locked on Apr 13 2017
Added on Mar 15 2017
11 comments
2,468 views