ORA-29003 when checking server SSL certificate

chris_here, Jun 30 2013 — edited Jul 10 2013

Hi there,

I'm bumping into an annoying issue when trying to configure SSL authentication on an 11gR2 database on RedHat Linux 6.3 64-bit. The database is a physical standby instance in an Active Data Guard configuration, in case that's relevant to the case. Everything goes OK up to a point:

bash-4.1$ sqlplus /@smsgadm1
SQL*Plus: Release 11.2.0.3.0 Production on Sun Jun 30 21:51:45 2013
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
SQL>

until I switch to SSL_SERVER_DN_MATCH = TRUE in the client's sqlnet.ora; then I get:

bash-4.1$ sqlplus /@smsgadm1
SQL*Plus: Release 11.2.0.3.0 Production on Sun Jun 30 22:07:23 2013
ERROR: ORA-29003: SSL transport detected mismatched server certificate.
Enter user-name:

The relevant part of the client's tnsnames.ora is as follows; the DN string is a pure copy/paste from the output of "orapki wallet display".

SMSGADM1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = admnode)(PORT = 2484))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = smsgadm1))
    (SECURITY = (SSL_SERVER_CERT_DN="CN=smsgw,OU=etc.."))
  )

The documentation mentions that the CN field should contain the global database name ("Server DN matching prevents the database server from faking its identity to the client during connections by matching the server's global database name against the DN from the server certificate."), which in my case is "smsgw". However, I have also tried using the database SID "smsgadm1" to no avail, i.e., I get the exact same result. I've also tried to follow this recent post step by step without more success.

SQL> show parameter name

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_name                              string      SMSGW
db_unique_name                       string      SMSGADM1
instance_name                        string      smsgadm1

SQL> show parameter domain

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_domain                            string

SQL> select * from global_name;

GLOBAL_NAME
--------------------------------------------------------------------------------
SMSGW

The most puzzling thing is that this ORA-29003 error returns extremely few links on Google, so this seems to be a very uncommon error. I'm totally at a loss here about what may be going on. Has anybody got an idea? Or does anybody know of a way to get more information from the client about what it's trying to match the DN against?

Thanks for your help,

Chris
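
An added diagnostic example, not part of the original post and not Oracle's own matching logic: it extracts SSL_SERVER_CERT_DN from a tnsnames.ora entry and lists how it differs textually from a certificate subject DN obtained separately (RDN order, value case, spacing). The entry, host, DN values and function names are constructed for illustration, and whether the Oracle client treats any of these differences as a mismatch is an assumption to verify.

```python
import re

# Constructed sample input (not from the post): tnsnames.ora entry and cert subject DN.
TNS_ENTRY = r'''
EXAMPLEDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = exampledb))
    (SECURITY = (SSL_SERVER_CERT_DN="CN=exampledb,OU=Ops,O=Example\, Inc,C=US"))
  )
'''
CERT_SUBJECT = r"C=US, O=Example\, Inc, OU=Ops, CN=ExampleDB"

def configured_dn(tns_text):
    """Return the SSL_SERVER_CERT_DN value of a tnsnames.ora entry, or None."""
    m = re.search(r'SSL_SERVER_CERT_DN\s*=\s*"([^"]*)"', tns_text, re.I)
    return m.group(1) if m else None

def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs; backslash-escaped commas stay in the value."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def group(pairs):
    """Map each attribute to its sorted values (a DN may repeat OU or DC)."""
    out = {}
    for attr, value in pairs:
        out.setdefault(attr, []).append(value)
    return {k: sorted(v, key=lambda s: (s.lower(), s)) for k, v in out.items()}

def compare_dns(configured, presented):
    """List the textual differences between two DN strings."""
    if configured == presented:
        return ["identical"]
    a, b = parse_dn(configured), parse_dn(presented)
    findings = []
    keys_a, keys_b = [k for k, _ in a], [k for k, _ in b]
    if keys_a != keys_b and sorted(keys_a) == sorted(keys_b):
        findings.append("RDN order differs")
    ga, gb = group(a), group(b)
    for attr in sorted(set(ga) | set(gb)):
        va, vb = ga.get(attr, []), gb.get(attr, [])
        if va != vb:
            same = [v.lower() for v in va] == [v.lower() for v in vb]
            findings.append(f"{attr}: value case differs" if same else f"{attr}: {va} vs {vb}")
    return findings or ["only spacing or attribute-name case differs"]
```

Call `compare_dns(configured_dn(TNS_ENTRY), CERT_SUBJECT)` with the real entry text and the subject DN shown for the server certificate to see which components to recheck.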

Post Details
Locked on Aug 7 2013
Added on Jun 30 2013
5 comments
7,265 views