Getting ORA-1017 on PKI authenticated external user

Dtaylor-Oracle, Jun 27 2019 (edited Sep 30 2019)

Working for a DoD customer. Attempting implementation of MOS # 401251.1 with substitution of DoD certs on client end. Using Microsoft Certificate Stores. When tnsping the SSL listener, it works:

C:\Users\dtaylor>tnsping newcac

TNS Ping Utility for 64-bit Windows: Version 12.2.0.1.0 - Production on 27-JUN-2019 10:26:22

Copyright (c) 1997, 2016, Oracle.  All rights reserved.

Used parameter files:

d:\app\oracle\product\12.2.0\dbhome_1\network\admin\sqlnet.ora

< Right here I get prompted to select the certificate, and enter the PIN from the CAC>

Used TNSNAMES adapter to resolve the alias

Attempting to contact (DESCRIPTION =(ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCPS)(HOST = stang.taylortx.net)(PORT = 2484))(CONNECT_DATA=(SERVICE_NAME = NEWDEMO))))

OK (13300 msec)

As per the document, I have created a user account in the Linux database matching the account on the windows machine:

create user dtaylor identified externally as 'CN = DTAYLOR.EDIPI# = CONTRACTOR,OU = PKI,OU = DoD,O = U.S. Government,C = US';

However, when I attempt the alias connection, I get:

C:\Users\dtaylor>sqlplus /@newcac

SQL*Plus: Release 12.2.0.1.0 Production on Thu Jun 27 10:30:17 2019

Copyright (c) 1982, 2018, Oracle.  All rights reserved.

< Right here I get prompted to select the certificate, and enter the PIN from the CAC>

ERROR:

ORA-01017: invalid username/password; logon denied

I have validated that the CN used on the CAC is identical to the externally defined user account CN reference.

Additionally, I have tracing on. Walking through the client trace, I see:

(17600) [27-JUN-2019 09:17:58:020] nsbasic_brc: entry: oln/tot=0,prd=0
(17600) [27-JUN-2019 09:17:58:020] nzos_Read: entry
(17600) [27-JUN-2019 09:17:58:020] nttrd: entry
(17600) [27-JUN-2019 09:17:58:020] ntt2err: entry
(17600) [27-JUN-2019 09:17:58:020] ntt2err: exit
(17600) [27-JUN-2019 09:17:58:020] nttrd: socket 1244 had bytes read=0
(17600) [27-JUN-2019 09:17:58:020] nttrd: exit
(17600) [27-JUN-2019 09:17:58:020] nzospRead: I/O blocking - needs retry (-6993)
(17600) [27-JUN-2019 09:17:58:020] nzos_Read: Error 28861. Read 0/8208 bytes     <<<<<<<<<<<<<<<<< This would seem to be an issue, but I get no hits on what the error is.
(17600) [27-JUN-2019 09:17:58:020] nzos_Read: exit
(17600) [27-JUN-2019 09:17:58:020] ntctst: size of NTTEST list is 1 - not calling poll
(17600) [27-JUN-2019 09:17:58:020] sntseltst: Testing for DATA on socket 1244
(17600) [27-JUN-2019 09:17:59:063] sntseltst: FOUND: read request on socket 1244
(17600) [27-JUN-2019 09:17:59:063] nzos_Read: entry
(17600) [27-JUN-2019 09:17:59:063] nttrd: entry
(17600) [27-JUN-2019 09:17:59:063] nttrd: socket 1244 had bytes read=5
(17600) [27-JUN-2019 09:17:59:063] nttrd: exit

Then further down:

(17600) [27-JUN-2019 09:17:59:066] nzbioread:  read 176/176 bytes
(17600) [27-JUN-2019 09:17:59:066] SSL_Data: Read
(17600) [27-JUN-2019 09:17:59:066] nzos_Read: OK. Read 133/8208 bytes
(17600) [27-JUN-2019 09:17:59:066] nzos_Read: exit
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: type=6, plen=133
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: what=1, tot =133
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: packet dump
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 85 06 00 00 00  |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 04 01 00 00 00 00  |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 F9 03 00  |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 02  |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 03  |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 00 00 00 00  |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 00 00 00 F9 03 00 00  |........|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 00 33 4F 52 41 2D 30 31  |.3ORA-01|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 30 31 37 3A 20 69 6E 76  |017:.inv|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 61 6C 69 64 20 75 73 65  |alid.use|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 72 6E 61 6D 65 2F 70 61  |rname/pa|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 73 73 77 6F 72 64 3B 20  |ssword;.|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 6C 6F 67 6F 6E 20 64 65  |logon.de|
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: 6E 69 65 64 0A           |nied.   |
(17600) [27-JUN-2019 09:17:59:066] nsbasic_brc: exit: oln=0, dln=123, tot=133, rc=0
(17600) [27-JUN-2019 09:17:59:066] nioqrc: exit
(17600) [27-JUN-2019 09:18:02:234] nioqds: entry
(17600) [27-JUN-2019 09:18:02:234] nioqds:  disconnecting...
(17600) [27-JUN-2019 09:18:02:234] nsclose: entry
(17600) [27-JUN-2019 09:18:02:234] nsvntx_dei: entry
(17600) [27-JUN-2019 09:18:02:234] nsvntx_dei: exit

Any ideas / suggestions would be appreciated.

Thanks,

Dwight
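As an added illustration (not part of the original post and not Oracle's own code), the Python below parses a certificate subject DN and the `identified externally as` string from the CREATE USER statement into attribute/value pairs, normalizing only the whitespace around the separating `=` and the commas plus the case of attribute types, and reports which RDN differs. The database-side string is the DN from the post; the two certificate subjects are constructed sample renderings, not values from a real CAC, and whether the database itself matches DNs this loosely is a question for the Oracle documentation, not this snippet.

```python
from typing import List, Tuple

def split_dn(dn: str) -> List[str]:
    """Split a DN string on commas that are not backslash-escaped (RFC 4514 style)."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
            escaped = (ch == "\\") and not escaped
    parts.append(buf)
    return parts

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse into (TYPE, value) pairs: attribute types uppercased, whitespace around the
    separating '=' and around each RDN dropped. Values are kept verbatim (case-sensitive)."""
    rdns = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        typ, val = rdn.split("=", 1)  # first '=' only: the CN value here itself contains '='
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns

def compare_dns(cert_dn: str, db_dn: str) -> Tuple[bool, list]:
    """Return (exact_string_match, [(position, cert_rdn, db_rdn) for each RDN that differs])."""
    a, b = parse_dn(cert_dn), parse_dn(db_dn)
    diffs = []
    for i in range(max(len(a), len(b))):
        ra = a[i] if i < len(a) else None
        rb = b[i] if i < len(b) else None
        if ra != rb:
            diffs.append((i, ra, rb))
    return cert_dn == db_dn, diffs

# DN exactly as written in the CREATE USER statement above.
DB_EXTERNAL_NAME = "CN = DTAYLOR.EDIPI# = CONTRACTOR,OU = PKI,OU = DoD,O = U.S. Government,C = US"
# Constructed sample subjects (assumed renderings, not from a real certificate).
CERT_SUBJECT_SPACING = "CN=DTAYLOR.EDIPI# = CONTRACTOR, OU=PKI, OU=DoD, O=U.S. Government, C=US"
CERT_SUBJECT_CASE = "CN=DTAYLOR.EDIPI# = CONTRACTOR,OU=PKI,OU=DOD,O=U.S. Government,C=US"

if __name__ == "__main__":
    for subject in (CERT_SUBJECT_SPACING, CERT_SUBJECT_CASE):
        exact, diffs = compare_dns(subject, DB_EXTERNAL_NAME)
        print(f"exact={exact} rdn_mismatches={diffs}")
```

The first sample differs from the database string only in spacing (exact match False, no RDN mismatches); the second differs in the case of one OU value, and the mismatch list points at that RDN.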
