Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security tools >> Strong authentication with SSL
(Message started by: Pete Finnigan on Oct 3rd, 2005, 7:13pm)

Title: Strong authentication with SSL
Post by Pete Finnigan on Oct 3rd, 2005, 7:13pm
Hi,

Sqlnet offers strong authentication with tcps (ssl) and I'm trying to make it work. My main interest is to authenticate the client with a X509 certificate.
In my setup I have two directories: Wallet_client and Wallet_server for the client wallet and server wallet. The steps are:


Code:
cd Wallet_client
1) orapki wallet create -wallet . -auto_login -pwd myclient99
2) orapki wallet add -wallet . -dn "CN=IVAN SAEZ" -keysize 1024 -self_signed -validity 365 -pwd myclient99
3) orapki wallet export -wallet . -dn "CN=IVAN SAEZ" -cert ../Wallet_server/ivan.cert
cd ../Wallet_server
4) orapki wallet create -wallet . -auto_login -pwd myserver99
5) orapki wallet add -wallet . -dn "CN=DBSERVER" -keysize 1024 -self_signed -validity 365 -pwd myserver99
6) orapki wallet export -wallet . -dn "CN=DBSERVER" -cert ../Wallet_client/db.cert
7) orapki wallet add -wallet . -trusted_cert -cert ivan.cert -pwd myserver99
cd ../Wallet_client
8) orapki wallet add -wallet . -trusted_cert -cert db.cert -pwd myclient99


In steps 7 and 8 client and server exchange their public keys.
The clients sqlnet.ora is:

Code:
WALLET_LOCATION = (SOURCE=
                   (METHOD = FILE)
                   (METHOD_DATA =
                       (DIRECTORY=/home/oracle/Wallet_client
                   )))
SSL_VERSION = 0
SQLNET.AUTHENTICATION_SERVICES = (TCPS,BEQ)
SSL_SERVER_DN_MATCH = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_CLIENT_AUTHENTICATION = TRUE
NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT)
TRACE_DIRECTORY_CLIENT = /home/oracle/Wallet_client
trace_level_client = USER
TRACE_FILE_CLIENT = trace_user


And the clients tnsnames.ora is:

Code:
DBSERVER =
 (DESCRIPTION =
   (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
   (CONNECT_DATA=
     (SERVER = DEDICATED)
     (SERVICE_NAME=IVAN2)
   )
  )
DBSERVER-CHECK =
 (DESCRIPTION =
   (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
   (CONNECT_DATA=
     (SERVER = DEDICATED)
     (SERVICE_NAME=IVAN2)
   )
   (SECURITY=(SSL_SERVER_CERT_DN="CN=DBSERVER"))
  )


The servers sqlnet.ora is:

Code:
SQLNET.AUTHENTICATION_SERVICES= (TCPS, BEQ)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_VERSION = 0
WALLET_LOCATION =
 (SOURCE =
   (METHOD = FILE)
   (METHOD_DATA =
     (DIRECTORY = /home/oracle/Wallet_server)
   )
 )
TRACE_DIRECTORY_SERVER = /u01/app/oracle/product/10r2/db_1/network/trace
trace_level_server = SUPPORT
TRACE_FILE_server = trace_server


The server's listener.ora  content is:

Code:
TRACE_LEVEL_LISTENER = ADMIN
TRACE_FILE_LISTENER = listener
TRACE_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/trace
LOG_FILE_LISTENER = listener
LOG_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/log
LOGGING_LISTENER = ON

SID_LIST_SSL_LISTENER =
 (SID_LIST =
   (SID_DESC =
     (GLOBAL_DBNAME = IVAN2)
     (SID_NAME = IVAN2)
     (ORACLE_HOME = /u01/app/oracle/product/10r2/db_1)
   )
 )

#SSL_CLIENT_AUTHENTICATION = FALSE
SSL_LISTENER =
 (DESCRIPTION =
   (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
 )
WALLET_LOCATION = (SOURCE=
                   (METHOD = FILE)
                   (METHOD_DATA =
                       (DIRECTORY=/home/oracle/Wallet_server
                   )))

I also created a Oracle user to test the strong client authentication:

create user ivan identified globally as 'CN=IVAN SAEZ';
grant create session to ivan;

When I connect to the database, I set TNS_ADMIN to /home/oracle/Wallet_client first, with:

sqlplus isaez/pwd@dbserver-check

I can see (with a grep -i 'ssl cipher suite' trace_user*) that SSL is used: The final negotiated SSL Cipher Suite is:...

But when I try to use the clients x509 certificate to authenticate the connection:

sqlplus /nolog
connect /@dbserver-check

I get an error:
ERROR:
ORA-01017: invalid username/password; logon denied

I've wrestling with this problem a couple of hours and can't solve it. There is very few information on the net about orapki and ssl/tcps authentication. Maybe on Matelink but I don't have access to Metalink now.

Any ideas?

regards,

Ivan

Title: Re: Strong authentication with SSL
Post by Pete Finnigan on Oct 13th, 2005, 4:13pm
Ivan, i've just repeated your setup successfully with one small difference. The database user must be created identified externally , not globally for ssl authentification. Identified globally works with enterprise users only ( also directory service ).

Best Regards

Maxim

Title: Re: Strong authentication with SSL
Post by Pete Finnigan on Oct 13th, 2005, 4:59pm
Maxim,

Yes, thank you!

Changing "create user ivan identified globally as 'CN=IVAN SAEZ'" to
"create user ivan identified externally as 'CN=IVAN SAEZ'" did indeed
solve the problem.

regards,

Ivan

Title: Re: Strong authentication with SSL
Post by Pete Finnigan on May 11th, 2006, 5:08pm
Hello,

I need some help about my connexion with SSL and Oracle.
I have :
- client : Windows XP with Oracle Client 8i
- server : Solaris with Oracle server 10g

I did the same thing as isaez but I have some problems :

Code:

$ lsnrctl reload lnp_ssl

LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 11-MAY-2006 17:41:16

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
Broken Pipe

$ lsnrctl reload lnp_ssl

LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 11-MAY-2006 17:41:19

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
 TNS-28864: Message 28864 not found;  product=network; facility=TNS

  Solaris Error: 542: Unknown error


I don't understand what is not good...???

Can you help me please?
Thanks

Title: Re: Strong authentication with SSL
Post by Pete Finnigan on May 14th, 2006, 10:21am
Hi,

Did you check if ssl is installed? Use the adapters command to check it:
oracle@Asus:~ > adapters

Installed Oracle Net transport protocols are:

   IPC
   BEQ
   TCP/IP
   SSL
   RAW
   SDP/IB

regards,

Ivan


Title: Re: Strong authentication with SSL
Post by Pete Finnigan on May 15th, 2006, 8:51am
Thank you for your answer.
Yes SSL is installed, the adapters command :


Code:
$ adapters

Installed Oracle Net transport protocols are:

   IPC
   BEQ
   TCP/IP
   SSL
   RAW

Installed Oracle Net naming methods are:

   Local Naming (tnsnames.ora)
   Oracle Directory Naming
   Oracle Host Naming
  Error!!!   Oracle Names Server Naming is not completely installed!

Installed Oracle Advanced Security options are:

   RC4 40-bit encryption
   RC4 56-bit encryption
   RC4 128-bit encryption
   RC4 256-bit encryption
   DES40 40-bit encryption
   DES 56-bit encryption
   3DES 112-bit encryption
   3DES 168-bit encryption
   AES 128-bit encryption
   AES 192-bit encryption
   AES 256-bit encryption
   MD5 crypto-checksumming
   SHA-1 crypto-checksumming
   Kerberos v5 authentication
   RADIUS authentication


And now I have this error :

Code:
lsnrctl start lnp_ssl

LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 15-MAY-2006 09:41:37

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Starting /products/oracle/bin/tnslsnr: please wait...

TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
System parameter file is /products/oracle/network/admin/listener.ora
Log messages written to /products/oracle/network/log/lnp_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
ORA-28860: Fatal SSL error
TNS-12560: TNS:protocol adapter error
 TNS-28860: Message 28860 not found;  product=network; facility=TNS

  Solaris Error: 542: Unknown error

Title: Re: Strong authentication with SSL
Post by Pete Finnigan on May 15th, 2006, 10:33am
Yeah, I successed but I am not very satisfied, because there is no service:

Code:
lsnrctl status lnp_ssl

LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 15-MAY-2006 11:25:49

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
STATUS of the LISTENER
------------------------
Alias                     lnp_ssl
Version                   TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
Start Date                15-MAY-2006 10:53:10
Uptime                    0 days 0 hr. 32 min. 39 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /products/oracle/network/admin/listener.ora
Listener Log File         /products/oracle/network/log/lnp_ssl.log
Listening Endpoints Summary...
 (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
The listener supports no services
The command completed successfully


And when I tried to do a tnsping on the client, I have :

Code:
...
TNS-12560 : TNS : error of protocol adapters

Title: Re: Strong authentication with SSL
Post by Pete Finnigan on May 15th, 2006, 3:29pm
Yeah! The listener is good,

Code:
$ lsnrctl start lnp_ssl

LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 15-MAY-2006 16:17:58

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Starting /products/oracle/bin/tnslsnr: please wait...

TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
System parameter file is /products/oracle/network/admin/listener.ora
Log messages written to /products/oracle/network/log/lnp_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
STATUS of the LISTENER
------------------------
Alias                     lnp_ssl
Version                   TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
Start Date                15-MAY-2006 16:17:58
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /products/oracle/network/admin/listener.ora
Listener Log File         /products/oracle/network/log/lnp_ssl.log
Listening Endpoints Summary...
 (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
Services Summary...
Service "LNP" has 1 instance(s).
 Instance "LNP", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully


But when I try to connect to this listener, I have the following error :

Code:
ERROR:
ORA-28756: callback failure to allocate memory


Thank you for your help  :)

Title: Re: Strong authentication with SSL
Post by Pete Finnigan on Feb 1st, 2010, 9:06pm
Hi BBKing,

you'll need to add to the Listener.ora file  a reference for a non SSL protocol in front of the TCPS protocol:

lnp_ssl  =
 (DESCRIPTION_LIST =
   (DESCRIPTION =
     (ADDRESS_LIST =
       (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.2.100)(PORT = 1521))
     )
   )
 (DESCRIPTION =
     (ADDRESS_LIST =
       (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.2.100)(PORT = 2484))              
       )                                
       )

I don't remember where I saw this but , this was a work around for  that bug.  If you search Metalink for the error :

TNS-12560 : TNS : error of protocol adapters

It should turn up the bug fix. or on OTN a discussion on this.

Title: Re: Strong authentication with SSL
Post by Pete Finnigan on Feb 1st, 2010, 9:36pm
I found the reference in $ORACLE_HOME/relnotes/readmes

Unable to start LISTENER with TCP/IP SSL protocol
When adding a Listener with the endpoint "address" using the PROTOCOL=TCPS, you
need to have at least one other "address" specified for that listener with
PROTOCOL=TCP, and this "TCP" endpoint should precede the "TCPS" endpoint
address. (Bug 4089715)
To illustrate, the following entry is incorrect and the listener will not
start up properly (because the TCPS address is before the TCP address):
LISTENER_A =
(DESCRIPTION_LIST =
(DESCRIPTION =(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS )(HOST =
host.domain.com)(PORT = 2484 ))))
(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP )(HOST =
host.domain.com)(PORT = 15151 ))))
)
The following entry is the correct way to do it:
LISTENER_A =
(DESCRIPTION_LIST =
(DESCRIPTION =(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP )(HOST =
host.domain.com)(PORT = 15151))))
(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS )(HOST =
host.domain.com)(PORT = 2484))))
)



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board