UTL_HTTP, SSL, Wallets, and certificate authentication

Jason_(A_Non) Mar 19 2018 — edited May 22 2018

I'm stuck on an issue regarding wallets, certificates, and SSL negotiation, so I'm seeking outside input to point out what I'm missing.

Background:

Remote_system calls web service on app_server, which routes message to database_server for additional processing.  Once done, database_server makes utl_http call back to remote_system web service to return results.  Communications between remote and our system are currently HTTP.

Improvement:

New functionality is being added that does the same round-trip, but it should use HTTPS instead.  The twist is that remote_system needs our client certificate as part of their security to establish an SSL connection.

I've modified the existing PL/SQL code that handles the UTL_HTTP calls to add in

UTL_HTTP.set_wallet('file:/oracle/wallet');

before the existing code that does a

utl_http.begin_request(...);
utl_http.set_header(...);

I've granted the authority to use the wallet via

BEGIN
   DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE (
    acl          => 'acl_file.xml',
    principal    => 'MYUSER',
    is_grant     => TRUE,
    privilege    => 'use-client-certificates');
   -- assign the wallet with all imported certificates:
   DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL(
     acl         => 'acl_file.xml',
     wallet_path => 'file:/oracle/wallet/');
END;
/

From the OS, I've created the wallet and imported the certificates up the chain from the certificate I've been provided

orapki wallet create -wallet /oracle/wallet -pwd Dave -auto_login
orapki wallet add -wallet /oracle/wallet -trusted_cert -cert "DigiCertGlobalRootCA.crt" -pwd Dave
orapki wallet add -wallet /oracle/wallet -trusted_cert -cert "DigiCertCA.crt" -pwd Dave

When I try to import the provided certificate the app_server uses I end up with

oracle@dbserver: orapki wallet add -wallet /oracle/wallet -user_cert -cert "/oracle/wallet/star_site_location.crt" -pwd Dave
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
PKI-04006: No matching private key in the wallet.
Could not install user cert at/oracle/wallet/star_site_location.crt
Please add all trusted certificates before adding the user certificate

I didn't find anything more on the PKI-04006 error other than to install the private key.  I've been provided only the public key, given this certificate was requested from the app_server.

I stumbled across this post

though I'm not sure what to do if I ask for and receive the p12 file as the last post is not clear to me.

Is that the right path? If so, how do I implement what is suggested?  If it is not right for my situation, what is the right path?  As I stated, I'm trying to use the trusted/user certificate from the app_server, which are used in the remote_system to app_server web service SSL communications, when going from the database_server to the remote_system for an SSL web service call.

Thanks
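
The PKI-04006 message above reports that the wallet holds no private key matching the certificate being added. As an added example (not part of the original post), this shell sketch uses openssl to check whether a private key, or the key inside a PKCS#12 (.p12) bundle, belongs to a given certificate by comparing public keys; all file names, the password and the keys are constructed demo material.

```shell
#!/bin/sh
# Added example: does a certificate belong to a private key / PKCS#12 bundle?
# Everything generated here is constructed demo material (assumption).
DEMO_PW="constructed-demo"

# PEM public key embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
# PEM public key derived from a private key file.
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
# PEM public key of the private key stored in a PKCS#12 bundle ($2 = password).
p12_pubkey() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        openssl pkey -pubout 2>/dev/null
}

# True only when both PEM strings are non-empty and identical, so a file
# that failed to parse can never count as a match.
same_pubkey() { [ -n "$1" ] && [ "$1" = "$2" ]; }

cert_matches_key() { same_pubkey "$(cert_pubkey "$1")" "$(key_pubkey "$2")"; }
cert_matches_p12() { same_pubkey "$(cert_pubkey "$1")" "$(p12_pubkey "$2" "$3")"; }

# Build a throwaway key + self-signed cert, an unrelated key, and a .p12.
make_demo_material() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/bundle.p12" -passout "pass:$DEMO_PW" 2>/dev/null || return 1
    echo "$dir"
}

demo=$(make_demo_material) && {
    cert_matches_key "$demo/cert.pem" "$demo/key.pem" \
        && echo "cert and its own key: match"
    cert_matches_key "$demo/cert.pem" "$demo/other.pem" \
        || echo "cert and unrelated key: no match (the PKI-04006 situation)"
    cert_matches_p12 "$demo/cert.pem" "$demo/bundle.p12" "$DEMO_PW" \
        && echo "p12 bundle carries the private key for the cert"
    rm -rf "$demo"
}
```

Running the same comparison on a received .p12 and the issued certificate shows, before any wallet operation, whether the bundle actually contains the key that certificate was issued for.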

Post Details

Locked on Jun 19 2018
Added on Mar 19 2018