Working for a DoD customer. Attempting implementation of MOS # 401251.1 with substitution of DoD certs on client end. Using Microsoft Certificate Stores. When I tnsping the SSL listener, it works:
C:\Users\dtaylor>tnsping newcac
TNS Ping Utility for 64-bit Windows: Version 12.2.0.1.0 - Production on 27-JUN-2019 10:26:22
Copyright (c) 1997, 2016, Oracle. All rights reserved.
Used parameter files:
d:\app\oracle\product\12.2.0\dbhome_1\network\admin\sqlnet.ora
< Right here I get prompted to select the certificate, and enter the PIN from the CAC>
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION =(ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCPS)(HOST = stang.taylortx.net)(PORT = 2484))(CONNECT_DATA=(SERVICE_NAME = NEWDEMO))))
OK (13300 msec)
As per the document, I have created a user account in the Linux database matching the account on the Windows machine:
create user dtaylor identified externally as 'CN = DTAYLOR.EDIPI# = CONTRACTOR,OU = PKI,OU = DoD,O = U.S. Government,C = US';
However, when I attempt the alias connection, I get:
C:\Users\dtaylor>sqlplus /@newcac
SQL*Plus: Release 12.2.0.1.0 Production on Thu Jun 27 10:30:17 2019
Copyright (c) 1982, 2018, Oracle. All rights reserved.
< Right here I get prompted to select the certificate, and enter the PIN from the CAC>
ERROR:
ORA-01017: invalid username/password; logon denied
I have validated that the CN used on the CAC is identical to the externally defined user account CN reference.
Additionally I have tracing on:
Walking through the client trace, I see:
(17600) [27-JUN-2019 09:17:58:020] nsbasic_brc: entry: oln/tot=0,prd=0
(17600) [27-JUN-2019 09:17:58:020] nzos_Read: entry
(17600) [27-JUN-2019 09:17:58:020] nttrd: entry
(17600) [27-JUN-2019 09:17:58:020] ntt2err: entry
(17600) [27-JUN-2019 09:17:58:020] ntt2err: exit
(17600) [27-JUN-2019 09:17:58:020] nttrd: socket 1244 had bytes read=0
(17600) [27-JUN-2019 09:17:58:020] nttrd: exit
(17600) [27-JUN-2019 09:17:58:020] nzospRead: I/O blocking - needs retry (-6993)
(17600) [27-JUN-2019 09:17:58:020] nzos_Read: Error 28861. Read 0/8208 bytes <<<<<<<<<<<<<<<<< This would seem to be an issue, but I get no hits on what the error is.
(17600) [27-JUN-2019 09:17:58:020] nzos_Read: exit
(17600) [27-JUN-2019 09:17:58:020] ntctst: size of NTTEST list is 1 - not calling poll
(17600) [27-JUN-2019 09:17:58:020] sntseltst: Testing for DATA on socket 1244
(17600) [27-JUN-2019 09:17:59:063] sntseltst: FOUND: read request on socket 1244
(17600) [27-JUN-2019 09:17:59:063] nzos_Read: entry
(17600) [27-JUN-2019 09:17:59:063] nttrd: entry
(17600) [27-JUN-2019 09:17:59:063] nttrd: socket 1244 had bytes read=5
(17600) [27-JUN-2019 09:17:59:063] nttrd: exit
Then further down:
(17600) [27-JUN-2019 09:17:59:066] nzbioread: read 176/176 bytes
(17600) [27-JUN-2019 09:17:59:066] SSL_Data: Read
(17600) [27-JUN-2019 09:17:59:066] nzos_Read: OK. Read 133/8208 bytes
(17600) [27-JUN-2019 09:17:59:066] nzos_Read: exit
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: type=6, plen=133
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: what=1, tot =133
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: packet dump
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 85 06 00 00 00 |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 04 01 00 00 00 00 |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 F9 03 00 |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 02 |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00 |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00 |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 03 |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00 |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00 |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 F9 03 00 00 |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 33 4F 52 41 2D 30 31 |.3ORA-01|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 30 31 37 3A 20 69 6E 76 |017:.inv|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 61 6C 69 64 20 75 73 65 |alid.use|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 72 6E 61 6D 65 2F 70 61 |rname/pa|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 73 73 77 6F 72 64 3B 20 |ssword;.|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 6C 6F 67 6F 6E 20 64 65 |logon.de|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 6E 69 65 64 0A |nied. |
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: exit: oln=0, dln=123, tot=133, rc=0
(17600) [27-JUN-2019 09:17:59:066] nioqrc: exit
(17600) [27-JUN-2019 09:18:02:234] nioqds: entry
(17600) [27-JUN-2019 09:18:02:234] nioqds: disconnecting...
(17600) [27-JUN-2019 09:18:02:234] nsclose: entry
(17600) [27-JUN-2019 09:18:02:234] nsvntx_dei: entry
(17600) [27-JUN-2019 09:18:02:234] nsvntx_dei: exit
Any ideas / suggestions would be appreciated.
Thanks,
Dwight
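
Added example, not part of the original post: a small Python parser for client traces in the format shown above. It reassembles each `nsbasic_brc` packet dump to pull out any ORA- message the server sent back, and records each `nzos_Read` result together with whether the trace logged "needs retry" just before it. The names `parse_trace` and `SAMPLE` are hypothetical, and the sample lines are excerpted from the trace in the post.

```python
import re

# Sample lines excerpted from the client trace in the post above.
P = "(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: "
SAMPLE = "\n".join([
    "(17600) [27-JUN-2019 09:17:58:020] nzospRead: I/O blocking - needs retry (-6993)",
    "(17600) [27-JUN-2019 09:17:58:020] nzos_Read: Error 28861. Read 0/8208 bytes",
    "(17600) [27-JUN-2019 09:17:59:066] nzos_Read: OK. Read 133/8208 bytes",
    P + "packet dump",
    P + "00 33 4F 52 41 2D 30 31 |.3ORA-01|",
    P + "30 31 37 3A 20 69 6E 76 |017:.inv|",
    P + "61 6C 69 64 20 75 73 65 |alid.use|",
    P + "72 6E 61 6D 65 2F 70 61 |rname/pa|",
    P + "73 73 77 6F 72 64 3B 20 |ssword;.|",
    P + "6C 6F 67 6F 6E 20 64 65 |logon.de|",
    P + "6E 69 65 64 0A |nied. |",
    P + "exit: oln=0, dln=123, tot=133, rc=0",
])

LINE = re.compile(r"^\(\d+\) \[([^\]]+)\] (\w+): (.*)$")
HEX_ROW = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)\|")
ORA = re.compile(rb"ORA-\d{5}: [^\n\x00]*")

def parse_trace(text):
    """Return (server_errors, tls_reads) found in an Oracle Net client trace."""
    errors, reads = [], []
    payload, dump_ts, retry_seen = None, None, False
    for raw in text.splitlines() + ["(0) [end] end: end"]:  # sentinel flushes a final dump
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, func, msg = m.groups()
        row = HEX_ROW.match(msg) if payload is not None else None
        if row:  # one row of the packet dump: collect its bytes
            payload += bytes.fromhex(row.group(1))
            continue
        if payload is not None:  # dump ended: scan the reassembled packet
            errors += [(dump_ts, e.decode("ascii")) for e in ORA.findall(bytes(payload))]
            payload = None
        if func == "nsbasic_brc" and msg == "packet dump":
            payload, dump_ts = bytearray(), ts
        elif func == "nzospRead" and "needs retry" in msg:
            retry_seen = True
        elif func == "nzos_Read" and msg.startswith(("Error", "OK")):
            reads.append((ts, msg.split(".")[0], retry_seen))
            retry_seen = False
    return errors, reads

if __name__ == "__main__":
    print(parse_trace(SAMPLE))
```
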