Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Nov 19th, 2017, 4:38am
News: Welcome to Pete Finnigan's Oracle security forum
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security tools
(Moderator: Pete Finnigan)
   Strong authentication with SSL
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Strong authentication with SSL  (Read 53081 times)
isaez
PeteFinnigan.com Junior Member
**



Ivan

   
View Profile |

Gender: male
Posts: 76
Strong authentication with SSL
« on: Oct 3rd, 2005, 7:13pm »
Quote | Modify

Hi,
 
Sqlnet offers strong authentication with tcps (ssl) and I'm trying to make it work. My main interest is to authenticate the client with a X509 certificate.
In my setup I have two directories: Wallet_client and Wallet_server for the client wallet and server wallet. The steps are:
 
Code:

cd Wallet_client
1) orapki wallet create -wallet . -auto_login -pwd myclient99
2) orapki wallet add -wallet . -dn "CN=IVAN SAEZ" -keysize 1024 -self_signed -validity 365 -pwd myclient99
3) orapki wallet export -wallet . -dn "CN=IVAN SAEZ" -cert ../Wallet_server/ivan.cert
cd ../Wallet_server
4) orapki wallet create -wallet . -auto_login -pwd myserver99
5) orapki wallet add -wallet . -dn "CN=DBSERVER" -keysize 1024 -self_signed -validity 365 -pwd myserver99
6) orapki wallet export -wallet . -dn "CN=DBSERVER" -cert ../Wallet_client/db.cert
7) orapki wallet add -wallet . -trusted_cert -cert ivan.cert -pwd myserver99
cd ../Wallet_client
8) orapki wallet add -wallet . -trusted_cert -cert db.cert -pwd myclient99

 
In steps 7 and 8 client and server exchange their public keys.
The clients sqlnet.ora is:
Code:

WALLET_LOCATION = (SOURCE=
     (METHOD = FILE)
     (METHOD_DATA =
    (DIRECTORY=/home/oracle/Wallet_client
     )))
SSL_VERSION = 0
SQLNET.AUTHENTICATION_SERVICES = (TCPS,BEQ)
SSL_SERVER_DN_MATCH = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_CLIENT_AUTHENTICATION = TRUE
NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT)
TRACE_DIRECTORY_CLIENT = /home/oracle/Wallet_client
trace_level_client = USER
TRACE_FILE_CLIENT = trace_user

 
And the clients tnsnames.ora is:
Code:

DBSERVER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
    (CONNECT_DATA=
 (SERVER = DEDICATED)
 (SERVICE_NAME=IVAN2)
    )
   )
DBSERVER-CHECK =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
    (CONNECT_DATA=
 (SERVER = DEDICATED)
 (SERVICE_NAME=IVAN2)
    )
    (SECURITY=(SSL_SERVER_CERT_DN="CN=DBSERVER"))
   )
 

 
The servers sqlnet.ora is:
Code:
SQLNET.AUTHENTICATION_SERVICES= (TCPS, BEQ)
 
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_VERSION = 0
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
 (DIRECTORY = /home/oracle/Wallet_server)
    )
  )
TRACE_DIRECTORY_SERVER = /u01/app/oracle/product/10r2/db_1/network/trace
trace_level_server = SUPPORT
TRACE_FILE_server = trace_server

 
The server's listener.ora  content is:
Code:
TRACE_LEVEL_LISTENER = ADMIN
TRACE_FILE_LISTENER = listener
TRACE_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/trace
LOG_FILE_LISTENER = listener
LOG_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/log
LOGGING_LISTENER = ON
 
SID_LIST_SSL_LISTENER =
  (SID_LIST =
    (SID_DESC =
 (GLOBAL_DBNAME = IVAN2)
 (SID_NAME = IVAN2)
 (ORACLE_HOME = /u01/app/oracle/product/10r2/db_1)
    )
  )
 
#SSL_CLIENT_AUTHENTICATION = FALSE
SSL_LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
  )
WALLET_LOCATION = (SOURCE=
     (METHOD = FILE)
     (METHOD_DATA =
    (DIRECTORY=/home/oracle/Wallet_server
     )))

I also created a Oracle user to test the strong client authentication:
 
create user ivan identified globally as 'CN=IVAN SAEZ';
grant create session to ivan;
 
When I connect to the database, I set TNS_ADMIN to /home/oracle/Wallet_client first, with:
 
sqlplus isaez/pwd@dbserver-check
 
I can see (with a grep -i 'ssl cipher suite' trace_user*) that SSL is used: The final negotiated SSL Cipher Suite is:...
 
But when I try to use the clients x509 certificate to authenticate the connection:
 
sqlplus /nolog
connect /@dbserver-check
 
I get an error:
ERROR:
ORA-01017: invalid username/password; logon denied
 
I've wrestling with this problem a couple of hours and can't solve it. There is very few information on the net about orapki and ssl/tcps authentication. Maybe on Matelink but I don't have access to Metalink now.
 
Any ideas?
 
regards,
 
Ivan
IP Logged

regards,

Ivan
Max
PeteFinnigan.com Newbie
*



I love YaBB 1G - SP1!

   
View Profile |

Gender: male
Posts: 3
Re: Strong authentication with SSL
« Reply #1 on: Oct 13th, 2005, 4:13pm »
Quote | Modify

Ivan, i've just repeated your setup successfully with one small difference. The database user must be created identified externally , not globally for ssl authentification. Identified globally works with enterprise users only ( also directory service ).
 
Best Regards
 
Maxim
IP Logged
isaez
PeteFinnigan.com Junior Member
**



Ivan

   
View Profile |

Gender: male
Posts: 76
Re: Strong authentication with SSL
« Reply #2 on: Oct 13th, 2005, 4:59pm »
Quote | Modify

Maxim,
 
Yes, thank you!
 
Changing "create user ivan identified globally as 'CN=IVAN SAEZ'" to
"create user ivan identified externally as 'CN=IVAN SAEZ'" did indeed
solve the problem.
 
regards,
 
Ivan
IP Logged

regards,

Ivan
BBKing
PeteFinnigan.com Newbie
*



I love YaBB 1G - SP1!

   
View Profile |

Posts: 4
Re: Strong authentication with SSL
« Reply #3 on: May 11th, 2006, 5:08pm »
Quote | Modify

Hello,
 
I need some help about my connexion with SSL and Oracle.  
I have :
- client : Windows XP with Oracle Client 8i
- server : Solaris with Oracle server 10g
 
I did the same thing as isaez but I have some problems :
Code:
 
$ lsnrctl reload lnp_ssl
 
LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 11-MAY-2006 17:41:16
 
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CO NNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
Broken Pipe
 
$ lsnrctl reload lnp_ssl
 
LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 11-MAY-2006 17:41:19
 
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CO NNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
ORA-28864: SSL connection closed gracefully
 TNS-12560: TNS:protocol adapter error
  TNS-28864: Message 28864 not found;  product=network; facility=TNS
 
   Solaris Error: 542: Unknown error

 
I don't understand what is not good...Huh
 
Can you help me please?  
Thanks
IP Logged
isaez
PeteFinnigan.com Junior Member
**



Ivan

   
View Profile |

Gender: male
Posts: 76
Re: Strong authentication with SSL
« Reply #4 on: May 14th, 2006, 10:21am »
Quote | Modify

Hi,
 
Did you check if ssl is installed? Use the adapters command to check it:
oracle@Asus:~ > adapters
 
Installed Oracle Net transport protocols are:
 
    IPC
    BEQ
    TCP/IP
    SSL
    RAW
    SDP/IB
 
regards,
 
Ivan
 
IP Logged

regards,

Ivan
BBKing
PeteFinnigan.com Newbie
*



I love YaBB 1G - SP1!

   
View Profile |

Posts: 4
Re: Strong authentication with SSL
« Reply #5 on: May 15th, 2006, 8:51am »
Quote | Modify

Thank you for your answer.
Yes SSL is installed, the adapters command :
 
Code:

$ adapters
 
Installed Oracle Net transport protocols are:
 
    IPC
    BEQ
    TCP/IP
    SSL
    RAW
 
Installed Oracle Net naming methods are:
 
    Local Naming (tnsnames.ora)
    Oracle Directory Naming
    Oracle Host Naming
   Error!!!   Oracle Names Server Naming is not completely installed!
 
Installed Oracle Advanced Security options are:
 
    RC4 40-bit encryption
    RC4 56-bit encryption
    RC4 128-bit encryption
    RC4 256-bit encryption
    DES40 40-bit encryption
    DES 56-bit encryption
    3DES 112-bit encryption
    3DES 168-bit encryption
    AES 128-bit encryption
    AES 192-bit encryption
    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming
    Kerberos v5 authentication
    RADIUS authentication

 
And now I have this error :  
Code:

lsnrctl start lnp_ssl
 
LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 15-MAY-2006 09:41:37
 
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
 
Starting /products/oracle/bin/tnslsnr: please wait...
 
TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
System parameter file is /products/oracle/network/admin/listener.ora
Log messages written to /products/oracle/network/log/lnp_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CO NNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CO NNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
ORA-28860: Fatal SSL error
 TNS-12560: TNS:protocol adapter error
  TNS-28860: Message 28860 not found;  product=network; facility=TNS
 
   Solaris Error: 542: Unknown error
IP Logged
BBKing
PeteFinnigan.com Newbie
*



I love YaBB 1G - SP1!

   
View Profile |

Posts: 4
Re: Strong authentication with SSL
« Reply #6 on: May 15th, 2006, 10:33am »
Quote | Modify

Yeah, I successed but I am not very satisfied, because there is no service:  
Code:

 lsnrctl status lnp_ssl
 
LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 15-MAY-2006 11:25:49
 
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CO NNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
STATUS of the LISTENER
------------------------
Alias      lnp_ssl
Version    TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
Start Date      15-MAY-2006 10:53:10
Uptime     0 days 0 hr. 32 min. 39 sec
Trace Level     off
Security   ON: Local OS Authentication
SNMP       OFF
Listener Parameter File   /products/oracle/network/admin/listener.ora
Listener Log File    /products/oracle/network/log/lnp_ssl.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CO NNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
The listener supports no services
The command completed successfully

 
And when I tried to do a tnsping on the client, I have :  
Code:

...
TNS-12560 : TNS : error of protocol adapters
IP Logged
BBKing
PeteFinnigan.com Newbie
*



I love YaBB 1G - SP1!

   
View Profile |

Posts: 4
Re: Strong authentication with SSL
« Reply #7 on: May 15th, 2006, 3:29pm »
Quote | Modify

Yeah! The listener is good,  
Code:

 $ lsnrctl start lnp_ssl
 
LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 15-MAY-2006 16:17:58
 
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
 
Starting /products/oracle/bin/tnslsnr: please wait...
 
TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
System parameter file is /products/oracle/network/admin/listener.ora
Log messages written to /products/oracle/network/log/lnp_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CO NNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CO NNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
STATUS of the LISTENER
------------------------
Alias      lnp_ssl
Version    TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
Start Date      15-MAY-2006 16:17:58
Uptime     0 days 0 hr. 0 min. 0 sec
Trace Level     off
Security   ON: Local OS Authentication
SNMP       OFF
Listener Parameter File   /products/oracle/network/admin/listener.ora
Listener Log File    /products/oracle/network/log/lnp_ssl.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CO NNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
Services Summary...
Service "LNP" has 1 instance(s).
  Instance "LNP", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully

 
But when I try to connect to this listener, I have the following error :  
Code:

ERROR:
ORA-28756: callback failure to allocate memory

 
Thank you for your help  Smiley
IP Logged
Philip
PeteFinnigan.com Newbie
*



DBA

   
View Profile |

Gender: male
Posts: 2
Re: Strong authentication with SSL
« Reply #8 on: Feb 1st, 2010, 9:06pm »
Quote | Modify

Hi BBKing,
 
you'll need to add to the Listener.ora file  a reference for a non SSL protocol in front of the TCPS protocol:
 
lnp_ssl  =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
 (ADDRESS_LIST =
   (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.2.100)(PORT = 1521))
 )
    )
  (DESCRIPTION =
 (ADDRESS_LIST =
   (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.2.100)(PORT = 2484))    
   )        
   )
 
I don't remember where I saw this but , this was a work around for  that bug.  If you search Metalink for the error :
 
TNS-12560 : TNS : error of protocol adapters  
 
It should turn up the bug fix. or on OTN a discussion on this.
IP Logged
Philip
PeteFinnigan.com Newbie
*



DBA

   
View Profile |

Gender: male
Posts: 2
Re: Strong authentication with SSL
« Reply #9 on: Feb 1st, 2010, 9:36pm »
Quote | Modify

I found the reference in $ORACLE_HOME/relnotes/readmes
 
Unable to start LISTENER with TCP/IP SSL protocol
When adding a Listener with the endpoint "address" using the PROTOCOL=TCPS, you  
need to have at least one other "address" specified for that listener with  
PROTOCOL=TCP, and this "TCP" endpoint should precede the "TCPS" endpoint  
address. (Bug 4089715)  
To illustrate, the following entry is incorrect and the listener will not  
start up properly (because the TCPS address is before the TCP address):  
LISTENER_A =  
(DESCRIPTION_LIST =  
(DESCRIPTION =(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS )(HOST =  
host.domain.com)(PORT = 2484 ))))  
(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP )(HOST =  
host.domain.com)(PORT = 15151 ))))  
)  
The following entry is the correct way to do it:  
LISTENER_A =  
(DESCRIPTION_LIST =  
(DESCRIPTION =(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP )(HOST =  
host.domain.com)(PORT = 15151))))  
(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS )(HOST =  
host.domain.com)(PORT = 2484))))  
)
IP Logged
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board