Listener & SSL : ORA-28864: SSL connection closed gracefully

Object:

I setuped SSL between the database server and the client machine.
When i reloaded the listener, i got the error : ORA-28864: SSL connection closed gracefully
Honsetly, not easy to find the solution, even using Metalink.

Setup

I . On the Database Server :

create a directoy for wallet location : 

• mkidr -p /u01/home/wallet
• cd  /u01/home/wallet

• Création Wallet

  $orapki wallet create -wallet ./  -auto_login -pwd "Xxxxxxxx" ll ð -rw-------.  1 oracle oinstall  120 Apr 10 16:27 cwallet.sso ð  -rw-rw-rw-.  1 oracle oinstall    0 Apr 10 16:27 cwallet.sso.lck

• Création Self-Signed (root) Certificate for the CA Wallet

orapki wallet add -wallet -self_signed -dn "CN=Server_`hostname` ,O=XXX,C=US" -keysize 512 -validity 365 -pwd "Xxxxxxxx" ð cwallet.sso cwallet.sso.lck ewallet.p12 ewallet.p12.lck

•     Export CA Root Certificat

orapki wallet export -wallet ./ -dn "CN=Server_`hostname` ,O=XXX,C=US" -cert server_ca.cert -pwd "Xxxxxxxx" -rw-------.  1 oracle oinstall 1773 Apr 10 16:56 cwallet.sso -rw-rw-rw-.  1 oracle oinstall    0 Apr 10 16:55 cwallet.sso.lck -rw-------.  1 oracle oinstall 1728 Apr 10 16:56 ewallet.p12 -rw-rw-rw-.  1 oracle oinstall    0 Apr 10 16:55 ewallet.p12.lck -rw-------.  1 oracle oinstall  451 Apr 10 17:01 server_ca.cert

II . On the Client side :

create a directoy for wallet location : 

• mkidr -p /u01/home/wallet
• cd  /u01/home/wallet

• Création Wallet

  $orapki wallet create -wallet ./  -auto_login -pwd "Xxxxxxxx" ll ð -rw-------.  1 oracle oinstall  120 Apr 10 16:27 cwallet.sso ð  -rw-rw-rw-.  1 oracle oinstall    0 Apr 10 16:27 cwallet.sso.lck

• Création Self-Signed

orapki wallet add -wallet -self_signed -dn "CN=Client_`hostname` ,O=XXX,C=US" -keysize 512 -validity 365 -pwd "Xxxxxxxx" ð cwallet.sso cwallet.sso.lck ewallet.p12 ewallet.p12.lck

•     Export CA Root Certificat

orapki wallet export -wallet ./ -dn "CN=Client_`hostname` ,O=XXX,C=US" -cert client_ca.cert -pwd "Xxxxxxxx" -rw-------.  1 oracle oinstall 1773 Apr 10 16:56 cwallet.sso -rw-rw-rw-.  1 oracle oinstall    0 Apr 10 16:55 cwallet.sso.lck -rw-------.  1 oracle oinstall 1728 Apr 10 16:56 ewallet.p12 -rw-rw-rw-.  1 oracle oinstall    0 Apr 10 16:55 ewallet.p12.lck -rw-------.  1 oracle oinstall  451 Apr 10 17:01 client_ca.cert

III. Import certificate Serveur - Client

The final step is to import the server's root certificate (server_ca.cert) into the client wallet,

and to import the client's root certificate (client_ca.cert) into the server wallet. 

It is assumed that the exported files are transferred via ftp or another mechanism between the machines.

So on the client the server's root certificate is imported with,

• cd  /u01/home/wallet

orapki wallet add -wallet ./ -trusted_cert -cert server_ca.cert -pwd "Xxxxxxxx"

and on the server the client's root certificate is import with,

• cd  /u01/home/wallet

orapki wallet add -wallet ./ -trusted_cert -cert client_ca.cert -pwd "Xxxxxxxx"

The status of the certificat via owm must be Ready !!
Here an example

IV. Setup Sqlnet for TCPS

     1. Client Side

      1.1 Sqlnet.ora

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) NAMES.DEFAULT_DOMAIN=dev.local SQLNET.EXPIRE_TIME=10 SQLNET.INBOUND_CONNECT_TIMEOUT=600 # For SSL Config SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS) SSL_VERSION = 1.0 SSL_CLIENT_AUTHENTICATION = TRUE SQLNET.ENCRYPTION_CLIENT=REQUIRED SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA) WALLET_LOCATION =   (SOURCE =     (METHOD = FILE)     (METHOD_DATA =       (DIRECTORY = /u01/home/wallet)     )   )

  

1.2 Tnsnames

my_service_for_db=   (DESCRIPTION =   (ADDRESS = (PROTOCOL = TCPS)(HOST = xxxx)(PORT = 2484))     (CONNECT_DATA =       (SERVER = DEDICATED)       (SERVICE_NAME = xxxx)     )     (SECURITY=      (SSL_SERVER_CERT_DN="CN=Client_`hostname` ,O=XXX,C=US")     )   )

     2. Server Side

            2.1. Sqlnet.ora

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) NAMES.DEFAULT_DOMAIN=dev.local SQLNET.EXPIRE_TIME=10 SQLNET.INBOUND_CONNECT_TIMEOUT=600 ENCRYPTION_WALLET_LOCATION =   (SOURCE =     (METHOD = FILE)     (METHOD_DATA =       (DIRECTORY = /home/logiciel/oracle/orabase/admin/${ORACLE_SID}/wallet)     )   ) #### Configuration SSL SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS) SSL_VERSION = 1.0 SSL_CRL_PATH = /home/logiciel/oracle/orabase/admin/wallet_ssl SSL_CLIENT_AUTHENTICATION = TRUE SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1) SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128) SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA) WALLET_LOCATION = (SOURCE =  (METHOD = FILE)  (METHOD_DATA =  (DIRECTORY = /u01/home/wallet)  ) )

     2.2. Listener

#This parameter should be false as listener is not going to authenticate the clients. It is the server process that authenticates the clients.

SSL_CLIENT_AUTHENTICATION=FALSE

#This parameter is recommended to force the use of TLS only

SSL_VERSION=1.0

#Set the Authentication method to include SSL Authentication. TCPS means SSL authentication. 
SQLNET.AUTHENTICATION_SERVICES = (BEQ,TCPS)

Port: 2484 for TCPS

# listener.ora Network Configuration File: /home/logiciel/oracle/ora12102_1807/network/admin/listener.ora # Generated by Oracle configuration tools. LISTENER =   (DESCRIPTION_LIST =     (DESCRIPTION =       (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))     )     (DESCRIPTION =       (ADDRESS = (PROTOCOL = TCP)(HOST = xxxxx)(PORT = 1521))     )     (DESCRIPTION =       (ADDRESS = (PROTOCOL = TCPS)(HOST = xxxxx)(PORT = 2484))     )   ) INBOUND_CONNECT_TIMEOUT_LISTENER = 200 SID_LIST_LISTENER =   (SID_LIST =     (SID_DESC =       (SID_NAME = PLSExtProc)       (ORACLE_HOME = xxxx)       (PROGRAM = extproc)     )     (SID_DESC =       (GLOBAL_DBNAME = xxxx.dev.local)       (ORACLE_HOME = xxx)       (SID_NAME = xxx)     )     (SID_DESC =       (GLOBAL_DBNAME = xxx)       (ORACLE_HOME = xxxx)       (SID_NAME = xxx)     )   ) NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) NAMES.DEFAULT_DOMAIN=dev.local SQLNET.EXPIRE_TIME=10 SQLNET.INBOUND_CONNECT_TIMEOUT=600 ENCRYPTION_WALLET_LOCATION =   (SOURCE =     (METHOD = FILE)     (METHOD_DATA =       (DIRECTORY = /home/logiciel/oracle/orabase/admin/${ORACLE_SID}/wallet)     )   ) #### Configuration SSL SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS) SSL_VERSION = 1.0 SSL_CRL_PATH = /u01/home/wallet SSL_CLIENT_AUTHENTICATION = TRUE SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1) SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128) SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA) WALLET_LOCATION =   (SOURCE =     (METHOD = FILE)     (METHOD_DATA =       (DIRECTORY = /u01/home/wallet)     )   ) ADR_BASE = /home/logiciel/oracle/orabase SUBSCRIBE_FOR_NODE_DOWN_EVENT_LISTENER = OFF DIAG_ADR_ENABLED_LISTENER = OFF

reload listener !!

V. Status of Listener & Issue

At moment, when we reload the listener, we will be faced with the Following issue :

lsnrctl status

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=xxxxx)(PORT=2484)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
TNS-28864: Message 28864 not found; product=network; facility=TNS

Linux Error: 542: Unknown error 542
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1520)))
STATUS of the LISTENER

VI. Solution

We have created the certificates without specifying the signature algorithm and by default orapki creates certificates signed in MD5 algorithm which does not work anymore in 12c

So we will need to remove the wallets are recreate them. Then the certificates should be created by adding " -sign_alg sha256 " parameter.

So:

• Remove the wallets (server and client)
• Execute the same steps, with the changes below (add -sign_alg sha256^)

Server Side : Création Self-Signed (root) Certificate for the CA Wallet

orapki wallet add -wallet -self_signed -dn "CN=Server_`hostname` ,O=XXX,C=US" -sign_alg sha256    -keysize 512 -validity 365 -pwd "Xxxxxxxx"

Client Side: Création Self-Signed

orapki wallet add -wallet -self_signed -dn "CN=Client_`hostname` ,O=XXX,C=US" -sign_alg sha256 -keysize 512 -validity 365 -pwd "Xxxxxxxx"

 ..


So :

lsnrctl status

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=xxxx)(PORT=2484)))
STATUS of the LISTENER
------------------------

Listening Endpoints Summary…
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=xxxx)(PORT=2484)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=xxxx)(PORT=1521)))
Services Summary...

VII. Database Setup & Test

This is a simple test, useful to access to database with external users 

 1. OS_AUTHENT_PREFIX & REMOTE_OS_AUTHENT

sqlplus '/as sysdba'  alter system set remote_os_authent=FALSE scope=spfile;  alter system set os_authent_prefix='' scope=spfile;  shutdown immediate  startup

2. Create Database User

The user must have teh DN Client -dn "CN=Client_`hostname`,O=XXX,C=US"

create user client_ssl identified externally as 'CN=Client_`hostname`,O=XXX,C=US'; grant create session to  client_ssl;

3.Test

sqlplus /@my_service_for_db  SQL> show user USER is "CLIENT_SSL" SQL> select sys_context('userenv','network_protocol') from dual; tcps