How to create SSL certificates that work when SSLFIPS_140=TRUE

2665762 Feb 25 2015 — edited Mar 6 2015

Hello,

We are attempting FIPS 140-2 connections to our database using Oracle Advanced Security per the steps that are provided for FIPS 140-2 (http://docs.oracle.com/database/121/DBSEG/asoappe.htm#DBSEG9825).

We have no issues with SSL connections when SSLFIPS_140=FALSE. As soon as we change the parameter from FALSE to TRUE, our client crashes and the error "wallet open failed with error 29223" is present in the sqlnet client trace file.

ORA-29223: Cannot Create Certificate Chain. What would cause the certificate chain to not be valid when setting the SSLFIPS_140 parameter to TRUE?

The database is 12.1.0.2.0 RAC with two nodes. The client is 12.1.0.1. We are using the following parameters.

ORACLE_HOME sqlnet.ora file

SSL_VERSION = 0

SSL_CLIENT_AUTHENTICATION = TRUE

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$WALLET)))

SSL_CIPHER_SUITES=(SSL_RSA_WITH_AES_256_CBC_SHA)

GRID sqlnet.ora file

SSL_CLIENT_AUTHENTICATION = TRUE

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD = FILE)(METHOD_DATA=(DIRECTORY=$WALLET)))

listener.ora file

SSL_CLIENT_AUTHENTICATION = TRUE

WALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = $WALLET)))

Thanks,

Post Details
Locked on Apr 3 2015
Added on Feb 25 2015