DB Services via TCPS: DB side (part 1) Follow
These instructions will guide you in configuring SSL listener for incoming DB queries.
Run the following as the sysdba user, on the DB server - notice that these are Unix/Linux instructions (some adjustments in the scripts/commands will be needed to run on Windows).
0. Sanity test (optional)
Run step 6 with @dev first (instead of @dev_ssl) to test the existing TCP connection.
You should see Tcp in the output.
1. Create a DB-side wallet
Create a new create_db_side_wallet.sh file, with the following content (update the constants to your environment). Run it:
echo Configuring constants...
WALLET_PATH=/app/oracle/admin/wallets_ssl_dev
WALLET_HOST=db.myhost.com
WALLET_PASSWORD=MyPassword
export WALLET_PATH
export WALLET_HOST
export WALLET_PASSWORD
echo A. Creating a folder for the wallet...
mkdir -p ${WALLET_PATH}
echo B. Creating a wallet on the folder...
orapki wallet create -wallet "${WALLET_PATH}" -pwd ${WALLET_PASSWORD} -auto_login
echo C. Creating a self-signed certificate for this server...
orapki wallet add -wallet "${WALLET_PATH}" -pwd ${WALLET_PASSWORD} -dn \
"CN=${WALLET_HOST}" -keysize 1024 -self_signed -validity 3650
echo D. Exporting the certificate, we will load it into the ServiceManager later...
orapki wallet export -wallet "${WALLET_PATH}" -pwd ${WALLET_PASSWORD} -dn \
"CN=${WALLET_HOST}" -cert /home/oracle/${WALLET_HOST}-certificate.crt
echo Done.
Important: Save the exported certificate, we'll use it later in part 2.
Note: the backslashes break long lines.
Sanity checks / troubleshooting (optional)
Between steps C and D, you may check the contents of the wallet via the following command.
Notice the self-signed certificate is both user and trusted certificate:
orapki wallet display -wallet "${WALLET_PATH}" -pwd ${WALLET_PASSWORD}
After Step D, you may check that the certificate has been exported with the following command:
cat /home/oracle/${WALLET_HOST}-certificate.crt
2. listener.ora
Edit the listener configuration file at: /opt/oracle/product/19100/db_home1/network/admin/listener.ora
Line 8: replace /app/oracle/admin/wallets_ssl_dev with your wallet path
Line 14: replace /app/oracle/product/12201 with your home folder
Line 20: replace 10.1.0.0 with your DB host
########## SSL Configuration ###########
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /app/oracle/admin/wallets_ssl_dev)
)
)
SID_LIST_LISTENER_SSL =
(SID_LIST =
(SID_DESC =
(ORACLE_HOME = /app/oracle/product/12201)
(SID_NAME = dev)
)
)
DEV_LISTENER_SSL =
(DESCRIPTION_LIST =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 10.1.0.0)(PORT = 2484)) )
############## SSL Configuration ##################
3. tnsnames.ora
Edit the tns configuration file at: /app/oracle/product/11203/network/admin
Line 1: replace dev_ssl with a name that describes your enviornment
Line 3: replace HOST = 10.1.0.0 with your DB host
Line 6: replace SERVICE_NAME = dev with the SID_NAME you configured in listener.ora
dev_ssl =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 10.1.0.0)(PORT = 2484))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = dev)
)
)
4. sqlnet.ora
Edit sqlnet.ora at: /app/oracle/product/12201/network/admin
Line 5: replace DIRECTORY = /opt/oracle/admin/walletssl with your wallet path
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /app/oracle/admin/wallets_ssl_dev)
)
)
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SQLNET.WALLET_OVERRIDE = TRUE
SSL_VERSION = 0
The cipher_suites depend on the database, we may have to change them.
5. Start the new listener
Run:
lsnrctl start DEV_LISTENER_SSL
6. Test TCP and TCP-SSL connection
Connect to the DB with TCPS and run:
Line 1: replace dbautil@dev_ssl with your DB account, followed by the listener name
sqlplus dbautil@dev_ssl
SELECT sys_context('USERENV','NETWORK_PROTOCOL') as network_protocol FROM dual;
The output should be:
SQL> SELECT sys_context('USERENV','NETWORK_PROTOCOL') as network_protocol FROM dual;
NETWORK_PROTOCOL
--------------------------------------------------------------------------------
Tcps
References:
Oracle's full instructions:
https://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf
Comments
0 comments
Please sign in to leave a comment.