Object:
I setuped SSL between the database server and the client machine.When i reloaded the listener, i got the error : ORA-28864: SSL connection closed gracefully
Honsetly, not easy to find the solution, even using Metalink.
Setup
I . On the Database Server :
create a directoy for wallet location :
- mkidr -p /u01/home/wallet
- cd /u01/home/wallet
Création Wallet
$orapki wallet create -wallet ./ -auto_login -pwd "Xxxxxxxx"llð -rw-------. 1 oracle oinstall 120 Apr 10 16:27 cwallet.ssoð -rw-rw-rw-. 1 oracle oinstall 0 Apr 10 16:27 cwallet.sso.lck
orapki wallet
add -wallet -self_signed -dn "CN=Server_`hostname` ,O=XXX,C=US"
-keysize 512 -validity 365 -pwd "Xxxxxxxx"
ð
cwallet.sso
cwallet.sso.lck
ewallet.p12
ewallet.p12.lck
|
orapki wallet
export -wallet ./ -dn "CN=Server_`hostname`
,O=XXX,C=US" -cert server_ca.cert -pwd "Xxxxxxxx"
-rw-------. 1
oracle oinstall 1773 Apr 10 16:56 cwallet.sso
-rw-rw-rw-. 1
oracle oinstall 0 Apr 10 16:55
cwallet.sso.lck
-rw-------. 1
oracle oinstall 1728 Apr 10 16:56 ewallet.p12
-rw-rw-rw-. 1
oracle oinstall 0 Apr 10 16:55
ewallet.p12.lck
-rw-------. 1 oracle oinstall 451 Apr 10 17:01 server_ca.cert
|
II . On the Client side :
create a directoy for wallet location :
- mkidr -p /u01/home/wallet
- cd /u01/home/wallet
Création Wallet
$orapki wallet create -wallet ./ -auto_login -pwd "Xxxxxxxx"llð -rw-------. 1 oracle oinstall 120 Apr 10 16:27 cwallet.ssoð -rw-rw-rw-. 1 oracle oinstall 0 Apr 10 16:27 cwallet.sso.lck
orapki wallet add -wallet -self_signed -dn "CN=Client_`hostname` ,O=XXX,C=US" -keysize 512 -validity 365 -pwd "Xxxxxxxx"
ð
cwallet.sso
cwallet.sso.lck
ewallet.p12
ewallet.p12.lck
|
orapki wallet export -wallet ./ -dn "CN=Client_`hostname` ,O=XXX,C=US" -cert client_ca.cert -pwd "Xxxxxxxx"
-rw-------. 1 oracle oinstall 1773 Apr 10 16:56 cwallet.sso
-rw-rw-rw-. 1 oracle oinstall 0 Apr 10 16:55 cwallet.sso.lck
-rw-------. 1 oracle oinstall 1728 Apr 10 16:56 ewallet.p12
-rw-rw-rw-. 1 oracle oinstall 0 Apr 10 16:55 ewallet.p12.lck
-rw-------. 1 oracle oinstall 451 Apr 10 17:01 client_ca.cert
|
III. Import certificate Serveur - Client
The final step is to import the server's root certificate (server_ca.cert) into the client wallet,
and to import the client's root certificate (client_ca.cert) into the server wallet.
It is assumed that the exported files are transferred via ftp or another mechanism between the machines.
So on the client the server's root certificate is imported with,
- cd /u01/home/wallet
orapki wallet add -wallet ./ -trusted_cert -cert server_ca.cert -pwd "Xxxxxxxx"
|
and on the server the client's root certificate is import with,
- cd /u01/home/wallet
orapki wallet add -wallet ./ -trusted_cert -cert client_ca.cert -pwd "Xxxxxxxx"
|
The status of the certificat via owm must be Ready !!
Here an example
IV. Setup Sqlnet for TCPS
1. Client Side
1.1 Sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
NAMES.DEFAULT_DOMAIN=dev.local
SQLNET.EXPIRE_TIME=10
SQLNET.INBOUND_CONNECT_TIMEOUT=600
# For SSL
Config
SQLNET.AUTHENTICATION_SERVICES=
(BEQ, TCPS)
SSL_VERSION =
1.0
SSL_CLIENT_AUTHENTICATION
= TRUE
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256,
SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_GCM_SHA384,
SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA)
WALLET_LOCATION
=
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY =
/u01/home/wallet)
)
)
|
1.2 Tnsnames
my_service_for_db=
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST =
xxxx)(PORT = 2484))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME =
xxxx)
)
(SECURITY=
(SSL_SERVER_CERT_DN="CN=Client_`hostname` ,O=XXX,C=US")
)
)
|
2. Server Side
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
NAMES.DEFAULT_DOMAIN=dev.local
SQLNET.EXPIRE_TIME=10
SQLNET.INBOUND_CONNECT_TIMEOUT=600
ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD =
FILE)
(METHOD_DATA =
(DIRECTORY = /home/logiciel/oracle/orabase/admin/${ORACLE_SID}/wallet)
)
)
#### Configuration SSL
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
SSL_VERSION = 1.0
SSL_CRL_PATH = /home/logiciel/oracle/orabase/admin/wallet_ssl
SSL_CLIENT_AUTHENTICATION = TRUE
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256,
SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_GCM_SHA384,
SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA)
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/home/wallet)
)
)
|
#This parameter should be false as listener
is not going to authenticate the clients. It is the server process that authenticates
the clients.
SSL_CLIENT_AUTHENTICATION=FALSE
#This parameter is recommended to force the
use of TLS only
SSL_VERSION=1.0
#Set the Authentication method to include SSL
Authentication. TCPS means SSL authentication.
SQLNET.AUTHENTICATION_SERVICES = (BEQ,TCPS)
SQLNET.AUTHENTICATION_SERVICES = (BEQ,TCPS)
Port: 2484 for TCPS
# listener.ora Network Configuration File:
/home/logiciel/oracle/ora12102_1807/network/admin/listener.ora
# Generated by Oracle configuration tools.
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS
= (PROTOCOL = IPC)(KEY = EXTPROC1521))
)
(DESCRIPTION =
(ADDRESS
= (PROTOCOL = TCP)(HOST = xxxxx)(PORT =
1521))
)
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = xxxxx)(PORT = 2484))
)
)
INBOUND_CONNECT_TIMEOUT_LISTENER = 200
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC
=
(SID_NAME = PLSExtProc)
(ORACLE_HOME = xxxx)
(PROGRAM
= extproc)
)
(SID_DESC
=
(GLOBAL_DBNAME = xxxx.dev.local)
(ORACLE_HOME = xxx)
(SID_NAME = xxx)
)
(SID_DESC
=
(GLOBAL_DBNAME = xxx)
(ORACLE_HOME = xxxx)
(SID_NAME = xxx)
)
)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
NAMES.DEFAULT_DOMAIN=dev.local
SQLNET.EXPIRE_TIME=10
SQLNET.INBOUND_CONNECT_TIMEOUT=600
ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD =
FILE)
(METHOD_DATA
=
(DIRECTORY
= /home/logiciel/oracle/orabase/admin/${ORACLE_SID}/wallet)
)
)
#### Configuration SSL
SQLNET.AUTHENTICATION_SERVICES=
(BEQ, TCPS, NTS)
SSL_VERSION = 1.0
SSL_CRL_PATH =
SSL_CLIENT_AUTHENTICATION
= TRUE
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
= (SHA1)
SQLNET.ENCRYPTION_TYPES_SERVER
= (AES256, AES192, AES128)
SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA)
WALLET_LOCATION
=
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/home/wallet)
)
)
ADR_BASE = /home/logiciel/oracle/orabase
SUBSCRIBE_FOR_NODE_DOWN_EVENT_LISTENER = OFF
DIAG_ADR_ENABLED_LISTENER = OFF
|
reload listener !!
V. Status of Listener & Issue
At moment, when we reload the listener, we will be faced with the Following issue :
lsnrctl status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=xxxxx)(PORT=2484)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
TNS-28864: Message 28864 not found; product=network; facility=TNS
Linux Error: 542: Unknown error 542
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1520)))
STATUS of the LISTENER
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=xxxxx)(PORT=2484)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
TNS-28864: Message 28864 not found; product=network; facility=TNS
Linux Error: 542: Unknown error 542
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1520)))
STATUS of the LISTENER
VI. Solution
We have created the certificates without specifying the signature algorithm and by default orapki creates certificates signed in MD5 algorithm which does not work anymore in 12c
So we will need to remove the wallets are recreate them. Then the certificates should be created by adding " -sign_alg sha256 " parameter.
So:
- Remove the wallets (server and client)
- Execute the same steps, with the changes below (add -sign_alg sha256^)
orapki wallet add -wallet -self_signed -dn "CN=Server_`hostname` ,O=XXX,C=US" -sign_alg sha256 -keysize 512 -validity 365 -pwd "Xxxxxxxx"
|
orapki wallet add -wallet -self_signed -dn "CN=Client_`hostname` ,O=XXX,C=US" -sign_alg sha256 -keysize 512 -validity 365 -pwd "Xxxxxxxx"
|
So :
lsnrctl status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=xxxx)(PORT=2484)))
STATUS of the LISTENER
------------------------
Listening Endpoints Summary…
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=xxxx)(PORT=2484)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=xxxx)(PORT=1521)))
Services Summary...
VII. Database Setup & Test
This is a simple test, useful to access to database with external users
1. OS_AUTHENT_PREFIX & REMOTE_OS_AUTHENT
sqlplus
'/as sysdba'
alter system set remote_os_authent=FALSE
scope=spfile;
alter system set os_authent_prefix=''
scope=spfile;
shutdown immediate
startup
sqlplus
'/as sysdba'
alter system set remote_os_authent=FALSE
scope=spfile;
alter system set os_authent_prefix=''
scope=spfile;
shutdown immediate
startup
2. Create Database User
The user must have teh DN Client -dn "CN=Client_`hostname`,O=XXX,C=US"
create user client_ssl identified externally as
'CN=Client_`hostname`,O=XXX,C=US';
grant create session to client_ssl;
create user client_ssl identified externally as
'CN=Client_`hostname`,O=XXX,C=US';
grant create session to client_ssl;
3.Test
sqlplus
/@my_service_for_db
SQL> show user
USER is
"CLIENT_SSL"
SQL> select sys_context('userenv','network_protocol')
from dual;
tcps
sqlplus
/@my_service_for_db
SQL> show user
USER is
"CLIENT_SSL"
SQL> select sys_context('userenv','network_protocol')
from dual;