How to create a wallet with orapki if the DN is null (for an SSL connect)

Jipeng, Aug 21 2013 (edited Sep 24 2013)

The server runs 11.1.0.6 32-bit on Windows 2003; it is a test server. The client is 11.2.0.3 with OAS installed.

Code 1

cd C:\SSL
orapki wallet create -wallet ./ -auto_login -pwd myclient99
orapki wallet add -wallet ./ -dn "CN=Josef D" -keysize 1024 -self_signed -validity 365 -pwd myclient99
orapki wallet export -wallet ./ -dn "CN=Josef D" -cert C:/SSL/client.cert
copy client.cert C:\SSL\server\client.cert
REM the server wallet is created in C:\SSL\server (implied by the "cd .." below and by WALLET_LOCATION); this cd was missing from the posted list
cd server
orapki wallet create -wallet ./ -auto_login -pwd myserver99
orapki wallet add -wallet ./ -dn "CN=$%here is the problem$%" -keysize 1024 -self_signed -validity 365 -pwd myserver99
orapki wallet export -wallet ./ -dn "CN=$%here is the problem$%" -cert C:/SSL/server/db.cert
orapki wallet add -wallet . -trusted_cert -cert client.cert -pwd myserver99
copy db.cert c:\SSL\db.cert
cd ..
orapki wallet add -wallet ./ -trusted_cert -cert db.cert -pwd myclient99
orapki wallet display -wallet ./ -pwd myclient99
cd server
orapki wallet display -wallet ./ -pwd myserver99

$%here is the problem$% is to be replaced with the DN. At first I used the service_name, then the SID, but neither of them worked.

Now I can see that the wallets have exchanged certificates.

The client wallet was copied to the client under C:\SSL.

listener.ora on the server

TRACE_LEVEL_LISTENER = ADMIN
TRACE_FILE_LISTENER = listener
TRACE_DIRECTORY_LISTENER = C:\app\Administrator\product\11.1.0\db_1\NETWORK\trace
LOG_FILE_LISTENER = listener
LOG_DIRECTORY_LISTENER = C:\app\Administrator\product\11.1.0\db_1\NETWORK\log
LOGGING_LISTENER = ON

SID_LIST_SSL_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = ORCL2)
      (SID_NAME = ORCL2)
      (ORACLE_HOME = C:\app\Administrator\product\11.1.0\db_1)
    )
  )

SSL_LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 176.16.1.212)(PORT = 1521))
  )

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\SSL\server)
    )
  )

sqlnet.ora on the server

SQLNET.AUTHENTICATION_SERVICES = (TCPS, BEQ)
SSL_SERVER_DN_MATCH = no

NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES = (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_VERSION = 0
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\SSL\server)
    )
  )
TRACE_DIRECTORY_SERVER = C:\app\Administrator\product\11.1.0\db_1\NETWORK\trace
TRACE_LEVEL_SERVER = SUPPORT
TRACE_FILE_SERVER = trace_server

sqlnet.ora on the client

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\SSL)
    )
  )
SSL_VERSION = 0
SQLNET.AUTHENTICATION_SERVICES = (TCPS, BEQ)
SSL_SERVER_DN_MATCH = no
SSL_CIPHER_SUITES = (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_CLIENT_AUTHENTICATION = TRUE
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
TRACE_DIRECTORY_CLIENT = C:\SSL
TRACE_LEVEL_CLIENT = USER
TRACE_FILE_CLIENT = trace_user

tnsnames.ora on the client

test_server76 =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 176.16.1.212)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SID = ORCL2)
    )
  )

test_server76-CHECK =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 176.16.1.212)(PORT = 1521))
    (CONNECT_DATA =
      (SERVICE_NAME = ORCL2.TESTER.INTERN)
    )
    (SECURITY = (SSL_SERVER_CERT_DN = "CN=$%here is the problem$%"))
  )

connect

create user connectjd identified externally as 'CN=Josef D';
grant create session to connectjd;

-- then on the client
sqlplus /nolog
conn /@test_server76-CHECK
ORA-28864: SSL connection closed gracefully

Something seems to be wrong:

1. select * from V$ENCRYPTION_WALLET;

WRL_TYPE    WRL_PARAMETER                             STATUS
----------- ----------------------------------------- ------
file        C:\APP\ADMINISTRATOR\ADMIN\ORCL2\WALLET   open

2. show parameter dn;

name                    type        value
----------------------- ----------- -----
rdbms_server_dn         string

?? the DN is null ??

show parameter name;

name                            type        value
------------------------------- ----------- -------------------
db_file_name_convert            string
db_name                         string      orcl2
db_unique_name                  string      orcl2
global_names                    boolean     false
instance_name                   string      orcl2
lock_name_space                 string
log_file_name_convert           string
service_names                   string      orcl2.tester.intern

How can I get the right DN? Can I just use any string I want? I cannot connect to the server from outside our company.

I'm really thankful for every suggestion!
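As an added example that is not part of the original post (and not Oracle's own code): a small Python script that parses the sqlnet.ora / tnsnames.ora name-value syntax shown above and audits a client alias for the settings that decide whether the server certificate's DN is actually checked at all: SSL_SERVER_DN_MATCH, SSL_SERVER_CERT_DN, SSL_CIPHER_SUITES and SSL_VERSION. The function names and the sample configurations (assembled from the post's own client files with the placeholder DN kept, plus a hardened variant with illustrative values) are assumptions of this example.

```python
# Added example, not code from the forum post: a parser for the Oracle Net name-value
# syntax of sqlnet.ora / tnsnames.ora plus an audit of whether a client alias really
# pins the server certificate DN. Function names and the sample configs below (built
# from the post, placeholder DN kept) are this example's own constructions.
import re

_TOKEN = re.compile(r'"([^"]*)"|([()=,])|([^\s()=,"#]+)|(#[^\n]*)')


def _tokenize(text):
    """'(' ')' '=' ',' and bare or "quoted" strings (quotes let a DN carry '=' and spaces); '#' starts a comment."""
    return [m.group(1) if m.group(1) is not None else (m.group(2) or m.group(3))
            for m in _TOKEN.finditer(text) if not m.group(4)]


def _parse_value(tokens, pos):
    """Value at tokens[pos]: a bare token, a tuple like (TCPS, BEQ), or a dict of nested (KEY = value) groups."""
    if tokens[pos] != "(":
        return tokens[pos], pos + 1
    if tokens[pos + 1] == ")":
        return (), pos + 2
    if tokens[pos + 2] != "=":               # bare value list
        items, pos = [], pos + 1
        while tokens[pos] != ")":
            if tokens[pos] != ",":
                items.append(tokens[pos])
            pos += 1
        return tuple(items), pos + 1
    group = {}
    while pos < len(tokens) and tokens[pos] == "(":
        key = tokens[pos + 1].upper()
        value, pos = _parse_value(tokens, pos + 3)
        if tokens[pos] != ")":
            raise ValueError(f"expected ')' after {key}")
        pos += 1
        if key in group:                     # repeated key, e.g. several ADDRESS entries
            prev = group[key]
            group[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            group[key] = value
    return group, pos


def parse_oracle_net(text):
    """Whole parameter file -> {NAME: value} with upper-cased names."""
    tokens, params, pos = _tokenize(text), {}, 0
    while pos < len(tokens):
        name = tokens[pos].upper()
        if pos + 1 >= len(tokens) or tokens[pos + 1] != "=":
            raise ValueError(f"expected '=' after {name}")
        params[name], pos = _parse_value(tokens, pos + 2)
    return params


def normalize_dn(dn):
    """Trim each RDN and upper-case its attribute type so 'cn = x' and 'CN=x' compare equal."""
    return ",".join(f"{a.strip().upper()}={v.strip()}" for a, _, v in (p.partition("=") for p in dn.split(",")))


def audit_alias(sqlnet_text, tnsnames_text, alias, server_cert_dn):
    """Findings that explain whether the client would actually verify the server's identity."""
    sqlnet, tns, findings = parse_oracle_net(sqlnet_text), parse_oracle_net(tnsnames_text), []
    if str(sqlnet.get("SSL_SERVER_DN_MATCH", "no")).lower() not in ("yes", "on", "true"):
        findings.append("SSL_SERVER_DN_MATCH is off: the server certificate DN is never compared")
    suites = sqlnet.get("SSL_CIPHER_SUITES", ())
    if any(w in s for s in ((suites,) if isinstance(suites, str) else suites) for w in ("EXPORT", "RC4", "MD5")):
        findings.append("SSL_CIPHER_SUITES allows export-grade, RC4 or MD5 suites")
    if str(sqlnet.get("SSL_VERSION", "0")) == "0":
        findings.append("SSL_VERSION = 0 accepts any protocol version instead of pinning one")
    expected = tns[alias.upper()]["DESCRIPTION"].get("SECURITY", {}).get("SSL_SERVER_CERT_DN")
    if expected is None:
        findings.append(f"{alias}: no SSL_SERVER_CERT_DN, so nothing pins the expected server DN")
    elif "$%" in expected:
        findings.append(f"{alias}: SSL_SERVER_CERT_DN still holds a placeholder: {expected}")
    elif normalize_dn(expected) != normalize_dn(server_cert_dn):
        findings.append(f"{alias}: SSL_SERVER_CERT_DN {expected!r} != server cert DN {server_cert_dn!r}")
    return findings


# Constructed sample input: the client files from the post, then a hardened variant (illustrative values).
SQLNET_POSTED = r"""
WALLET_LOCATION = (SOURCE= (METHOD = FILE) (METHOD_DATA = (DIRECTORY=C:\SSL )))
SSL_VERSION = 0
SQLNET.AUTHENTICATION_SERVICES = (TCPS,BEQ)
SSL_SERVER_DN_MATCH = no
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
"""
TNSNAMES_POSTED = r"""
test_server76-CHECK =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 176.16.1.212)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = ORCL2.TESTER.INTERN))
    (SECURITY = (SSL_SERVER_CERT_DN = "CN=$%here is the problem$%")))
"""
SQLNET_HARDENED = (SQLNET_POSTED.replace("SSL_VERSION = 0", "SSL_VERSION = 1.2")
                   .replace("SSL_SERVER_DN_MATCH = no", "SSL_SERVER_DN_MATCH = yes")
                   .replace("SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_AES_256_CBC_SHA"))
TNSNAMES_HARDENED = TNSNAMES_POSTED.replace("CN=$%here is the problem$%", "CN=ORCL2.TESTER.INTERN")
```

Run against the posted client files, `audit_alias(SQLNET_POSTED, TNSNAMES_POSTED, "test_server76-CHECK", "CN=ORCL2.TESTER.INTERN")` reports four findings (DN matching off, export-grade suite, unpinned version, placeholder DN); the hardened pair reports none. The practical point for the question above: whatever DN finally goes into the server wallet, the client only verifies it if SSL_SERVER_DN_MATCH is on and SSL_SERVER_CERT_DN equals that DN exactly; with SSL_SERVER_DN_MATCH = no the DN in the connect descriptor is never compared.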

Locked on Oct 22 2013