
"ORA-28864: SSL connection closed gracefully oracle db" SSL configuration error

ketan.avalaskar, Apr 13 2016 (edited Apr 13 2016)

We were trying to set up SSL for Oracle 11gR2. The machine on which Oracle is installed is Windows Server 2008 R2 Standard.

We followed the steps below to configure SSL on the server.

Server Side Configuration:

  1. Stop the services for your Oracle DB and the Listener. Also stop Tomcat if it is running.
  2. Install OpenSSL on your machine. You can get the appropriate download here:
    1. Shining Light Productions - Win32 OpenSSL
    2. You may first need to run the installer for Visual C++ 2008 Redistributables
  3. Now you will create a keystore and Trusted Certificate Authority with the following commands:
    1. openssl genrsa -des3 -out CertAuthority.key 4096 (You will need to enter a passphrase)
    2. openssl req -new -x509 -days 3650 -key CertAuthority.key -out CertAuthority.crt (You will enter the keystore passphrase, then you should make the country code 'US'. You can skip other attributes, but for Common Name enter the full name of your Oracle Server (ex - harrison.test.sailpoint.com))
  4. Now launch Oracle Wallet Manager. Create a New Wallet (it will prompt you to enter a passphrase for the wallet; choose Standard wallet from the dropdown below the passphrase).
  5. When asked if you want to create a cert request, choose No.
  6. Right click on the Trusted Certificates node and select Import Trusted Certificate. Choose the CertAuthority.crt you created earlier.
  7. Right click on the Certificate node and select 'Create Certificate Request'. For Common Name enter your server again (harrison.test.sailpoint.com).
  8. Right click on the Certificate node again and select Export Certificate Request. Choose where you would like the file to go. Let's name it harrison.csr.
  9. Now we will sign the certificate using OpenSSL:
    1. openssl x509 -req -days 3650 -in harrison.csr -CA CertAuthority.crt -CAkey CertAuthority.key -set_serial 01 -out harrison.crt
  10. Go back to Wallet Manager, click on the Certificate node and choose Import User Certificate. Choose harrison.crt and say OK. You should now see it says 'READY' next to the Certificate node.
  11. Save the Wallet to a place you'll remember. Click the Wallet menu again and select Auto Login. Save again.
  12. Now launch Oracle Net Manager.
  13. Expand Local, select the Profile node, and in the right panel drop-down select 'Oracle Advanced Security'. Go to the SSL tab and click on Server.
  14. Choose the location where you saved your Wallet. Uncheck the flag for Require Client Authentication. Save Network Configuration.
  15. At this point check listener.ora and sqlnet.ora to ensure each has an entry for Wallet location that is correct and both have SSL Client Authentication = false.
  16. Now expand the Listener node, choose Listener, and in the right-hand panel choose Listening Locations.
  17. Add an address for TCP/IP with SSL. Enter the full DB server name and port 2484.
  18. Under Service Naming, choose your instance of Oracle.
  19. In the right-hand panel add an Address Configuration for TCP/IP with SSL. Enter the full DB server name and port 2484. Save Network Configuration.
  20. At this point tnsnames.ora and listener.ora should show the configured address for TCPS on port 2484.
  21. Restart the Oracle DB service and the Listener.
  22. Go to a command prompt where you can use sqlplus and enter:
    1. sqlplus system@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=harrison.test.sailpoint.com)(PORT=2484))(CONNECT_DATA=(SID=casino)))
  23. If that command succeeds, you are good to go. Pro tip: make sure the specific files inside the wallet directory are accessible by the user running your Oracle Service (probably the System user).

All the steps mentioned in the document were executed successfully, but while testing the connection we are getting the error "ORA-28864: SSL connection closed gracefully oracle db".

Please suggest a solution for this.
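
The consistency checks in steps 15 and 20 can be scripted; the following is an added example, not part of the original post. It parses the text of sqlnet.ora and listener.ora and reports mismatches; the file contents and wallet path are constructed samples (the listener wallet path is deliberately different), and the function names are hypothetical.

```python
import re
# Constructed sample files (not from the post); the wallet paths are placeholders.
SQLNET_ORA = r"""
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = C:\app\oracle\wallet)))
SSL_CLIENT_AUTHENTICATION = FALSE
"""
LISTENER_ORA = r"""
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = C:\app\oracle\wallets)))
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = harrison.test.sailpoint.com)(PORT = 2484)))
"""

def wallet_dir(text):
    """Return the WALLET_LOCATION directory, normalised for Windows path comparison."""
    m = re.search(r"WALLET_LOCATION\s*=.*?DIRECTORY\s*=\s*([^)]+)\)", text, re.I | re.S)
    return m.group(1).strip().rstrip("\\/").lower() if m else None

def client_auth(text):
    """Return the SSL_CLIENT_AUTHENTICATION value in upper case, or None if absent."""
    m = re.search(r"^\s*SSL_CLIENT_AUTHENTICATION\s*=\s*(\w+)", text, re.I | re.M)
    return m.group(1).upper() if m else None

def tcps_endpoints(text):
    """Return (host, port) for every ADDRESS entry whose PROTOCOL is TCPS."""
    out = []
    for addr in re.findall(r"\(\s*ADDRESS\s*=((?:\s*\([^()]*\))+)\s*\)", text, re.I):
        kv = {k.upper(): v.strip() for k, v in re.findall(r"\(\s*(\w+)\s*=\s*([^()]*)\)", addr)}
        if kv.get("PROTOCOL", "").upper() == "TCPS":
            out.append((kv.get("HOST"), kv.get("PORT")))
    return out

def check(sqlnet, listener, port="2484"):
    """Return a list of findings; an empty list means steps 15 and 20 hold."""
    findings = []
    s_dir, l_dir = wallet_dir(sqlnet), wallet_dir(listener)
    if s_dir is None or l_dir is None:
        findings.append("WALLET_LOCATION missing in one of the files")
    elif s_dir != l_dir:
        findings.append(f"wallet directories differ: {s_dir} vs {l_dir}")
    for name, text in (("sqlnet.ora", sqlnet), ("listener.ora", listener)):
        if client_auth(text) != "FALSE":
            findings.append(f"{name}: SSL_CLIENT_AUTHENTICATION is not FALSE")
    if not any(p == port for _, p in tcps_endpoints(listener)):
        findings.append(f"listener.ora: no TCPS address on port {port}")
    return findings

if __name__ == "__main__":
    print(check(SQLNET_ORA, LISTENER_ORA))
```

To run it against a real installation, read the two files from the server's network admin directory and pass their contents to `check`.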

Locked on May 11 2016
Added on Apr 13 2016