| Pete Finnigan's Oracle Security Forum
(http://www.petefinnigan.com/forum/yabb/YaBB.cgi) |
Oracle Security >> Oracle Security tools >> Strong authentication with SSL
(Message started by: Pete Finnigan on Oct 3rd, 2005, 7:13pm) |
|
Title: Strong authentication with SSL
Post by Pete Finnigan on Oct 3rd, 2005, 7:13pm
Hi,
Sqlnet offers strong authentication with tcps (ssl) and I'm trying to make it work. My main interest is to authenticate the client with a X509 certificate.
In my setup I have two directories: Wallet_client and Wallet_server for the client wallet and server wallet. The steps are:
Code:
cd Wallet_client
1) orapki wallet create -wallet . -auto_login -pwd myclient99
2) orapki wallet add -wallet . -dn "CN=IVAN SAEZ" -keysize 1024 -self_signed -validity 365 -pwd myclient99
3) orapki wallet export -wallet . -dn "CN=IVAN SAEZ" -cert ../Wallet_server/ivan.cert
cd ../Wallet_server
4) orapki wallet create -wallet . -auto_login -pwd myserver99
5) orapki wallet add -wallet . -dn "CN=DBSERVER" -keysize 1024 -self_signed -validity 365 -pwd myserver99
6) orapki wallet export -wallet . -dn "CN=DBSERVER" -cert ../Wallet_client/db.cert
7) orapki wallet add -wallet . -trusted_cert -cert ivan.cert -pwd myserver99
cd ../Wallet_client
8) orapki wallet add -wallet . -trusted_cert -cert db.cert -pwd myclient99 |
|
In steps 7 and 8 client and server exchange their public keys.
The clients sqlnet.ora is:
Code:
WALLET_LOCATION = (SOURCE=
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY=/home/oracle/Wallet_client
)))
SSL_VERSION = 0
SQLNET.AUTHENTICATION_SERVICES = (TCPS,BEQ)
SSL_SERVER_DN_MATCH = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_CLIENT_AUTHENTICATION = TRUE
NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT)
TRACE_DIRECTORY_CLIENT = /home/oracle/Wallet_client
trace_level_client = USER
TRACE_FILE_CLIENT = trace_user |
|
And the clients tnsnames.ora is:
Code:
DBSERVER =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
(CONNECT_DATA=
(SERVER = DEDICATED)
(SERVICE_NAME=IVAN2)
)
)
DBSERVER-CHECK =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
(CONNECT_DATA=
(SERVER = DEDICATED)
(SERVICE_NAME=IVAN2)
)
(SECURITY=(SSL_SERVER_CERT_DN="CN=DBSERVER"))
) |
|
The servers sqlnet.ora is:
Code:
SQLNET.AUTHENTICATION_SERVICES= (TCPS, BEQ)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_VERSION = 0
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /home/oracle/Wallet_server)
)
)
TRACE_DIRECTORY_SERVER = /u01/app/oracle/product/10r2/db_1/network/trace
trace_level_server = SUPPORT
TRACE_FILE_server = trace_server |
|
The server's listener.ora content is:
Code:
TRACE_LEVEL_LISTENER = ADMIN
TRACE_FILE_LISTENER = listener
TRACE_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/trace
LOG_FILE_LISTENER = listener
LOG_DIRECTORY_LISTENER = /u01/app/oracle/product/10r2/db_1/network/log
LOGGING_LISTENER = ON
SID_LIST_SSL_LISTENER =
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME = IVAN2)
(SID_NAME = IVAN2)
(ORACLE_HOME = /u01/app/oracle/product/10r2/db_1)
)
)
#SSL_CLIENT_AUTHENTICATION = FALSE
SSL_LISTENER =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.153)(PORT = 2484))
)
WALLET_LOCATION = (SOURCE=
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY=/home/oracle/Wallet_server
))) |
|
I also created a Oracle user to test the strong client authentication:
create user ivan identified globally as 'CN=IVAN SAEZ';
grant create session to ivan;
When I connect to the database, I set TNS_ADMIN to /home/oracle/Wallet_client first, with:
sqlplus isaez/pwd@dbserver-check
I can see (with a grep -i 'ssl cipher suite' trace_user*) that SSL is used: The final negotiated SSL Cipher Suite is:...
But when I try to use the clients x509 certificate to authenticate the connection:
sqlplus /nolog
connect /@dbserver-check
I get an error:
ERROR:
ORA-01017: invalid username/password; logon denied
I've wrestling with this problem a couple of hours and can't solve it. There is very few information on the net about orapki and ssl/tcps authentication. Maybe on Matelink but I don't have access to Metalink now.
Any ideas?
regards,
Ivan |
Title: Re: Strong authentication with SSL
Post by Pete Finnigan on Oct 13th, 2005, 4:13pm
Ivan, i've just repeated your setup successfully with one small difference. The database user must be created identified externally , not globally for ssl authentification. Identified globally works with enterprise users only ( also directory service ).
Best Regards
Maxim |
Title: Re: Strong authentication with SSL
Post by Pete Finnigan on Oct 13th, 2005, 4:59pm
Maxim,
Yes, thank you!
Changing "create user ivan identified globally as 'CN=IVAN SAEZ'" to
"create user ivan identified externally as 'CN=IVAN SAEZ'" did indeed
solve the problem.
regards,
Ivan |
Title: Re: Strong authentication with SSL
Post by Pete Finnigan on May 11th, 2006, 5:08pm
Hello,
I need some help about my connexion with SSL and Oracle.
I have :
- client : Windows XP with Oracle Client 8i
- server : Solaris with Oracle server 10g
I did the same thing as isaez but I have some problems :
Code:
$ lsnrctl reload lnp_ssl
LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 11-MAY-2006 17:41:16
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
Broken Pipe
$ lsnrctl reload lnp_ssl
LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 11-MAY-2006 17:41:19
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
ORA-28864: SSL connection closed gracefully
TNS-12560: TNS:protocol adapter error
TNS-28864: Message 28864 not found; product=network; facility=TNS
Solaris Error: 542: Unknown error |
|
I don't understand what is not good...???
Can you help me please?
Thanks |
Title: Re: Strong authentication with SSL
Post by Pete Finnigan on May 14th, 2006, 10:21am
Hi,
Did you check if ssl is installed? Use the adapters command to check it:
oracle@Asus:~ > adapters
Installed Oracle Net transport protocols are:
IPC
BEQ
TCP/IP
SSL
RAW
SDP/IB
regards,
Ivan
|
Title: Re: Strong authentication with SSL
Post by Pete Finnigan on May 15th, 2006, 8:51am
Thank you for your answer.
Yes SSL is installed, the adapters command :
Code:
$ adapters
Installed Oracle Net transport protocols are:
IPC
BEQ
TCP/IP
SSL
RAW
Installed Oracle Net naming methods are:
Local Naming (tnsnames.ora)
Oracle Directory Naming
Oracle Host Naming
Error!!! Oracle Names Server Naming is not completely installed!
Installed Oracle Advanced Security options are:
RC4 40-bit encryption
RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
DES 56-bit encryption
3DES 112-bit encryption
3DES 168-bit encryption
AES 128-bit encryption
AES 192-bit encryption
AES 256-bit encryption
MD5 crypto-checksumming
SHA-1 crypto-checksumming
Kerberos v5 authentication
RADIUS authentication |
|
And now I have this error :
Code:
lsnrctl start lnp_ssl
LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 15-MAY-2006 09:41:37
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting /products/oracle/bin/tnslsnr: please wait...
TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
System parameter file is /products/oracle/network/admin/listener.ora
Log messages written to /products/oracle/network/log/lnp_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
ORA-28860: Fatal SSL error
TNS-12560: TNS:protocol adapter error
TNS-28860: Message 28860 not found; product=network; facility=TNS
Solaris Error: 542: Unknown error |
|
|
Title: Re: Strong authentication with SSL
Post by Pete Finnigan on May 15th, 2006, 10:33am
Yeah, I successed but I am not very satisfied, because there is no service:
Code:
lsnrctl status lnp_ssl
LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 15-MAY-2006 11:25:49
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
STATUS of the LISTENER
------------------------
Alias lnp_ssl
Version TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
Start Date 15-MAY-2006 10:53:10
Uptime 0 days 0 hr. 32 min. 39 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /products/oracle/network/admin/listener.ora
Listener Log File /products/oracle/network/log/lnp_ssl.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
The listener supports no services
The command completed successfully |
|
And when I tried to do a tnsping on the client, I have :
Code:
...
TNS-12560 : TNS : error of protocol adapters |
|
|
Title: Re: Strong authentication with SSL
Post by Pete Finnigan on May 15th, 2006, 3:29pm
Yeah! The listener is good,
Code:
$ lsnrctl start lnp_ssl
LSNRCTL for Solaris: Version 10.2.0.1.0 - Production on 15-MAY-2006 16:17:58
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting /products/oracle/bin/tnslsnr: please wait...
TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
System parameter file is /products/oracle/network/admin/listener.ora
Log messages written to /products/oracle/network/log/lnp_ssl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
STATUS of the LISTENER
------------------------
Alias lnp_ssl
Version TNSLSNR for Solaris: Version 10.2.0.1.0 - Production
Start Date 15-MAY-2006 16:17:58
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /products/oracle/network/admin/listener.ora
Listener Log File /products/oracle/network/log/lnp_ssl.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.2.100)(PORT=2484))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=LNP)))
Services Summary...
Service "LNP" has 1 instance(s).
Instance "LNP", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully |
|
But when I try to connect to this listener, I have the following error :
Code:
ERROR:
ORA-28756: callback failure to allocate memory |
|
Thank you for your help :) |
Title: Re: Strong authentication with SSL
Post by Pete Finnigan on Feb 1st, 2010, 9:06pm
Hi BBKing,
you'll need to add to the Listener.ora file a reference for a non SSL protocol in front of the TCPS protocol:
lnp_ssl =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.2.100)(PORT = 1521))
)
)
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.2.100)(PORT = 2484))
)
)
I don't remember where I saw this but , this was a work around for that bug. If you search Metalink for the error :
TNS-12560 : TNS : error of protocol adapters
It should turn up the bug fix. or on OTN a discussion on this. |
Title: Re: Strong authentication with SSL
Post by Pete Finnigan on Feb 1st, 2010, 9:36pm
I found the reference in $ORACLE_HOME/relnotes/readmes
Unable to start LISTENER with TCP/IP SSL protocol
When adding a Listener with the endpoint "address" using the PROTOCOL=TCPS, you
need to have at least one other "address" specified for that listener with
PROTOCOL=TCP, and this "TCP" endpoint should precede the "TCPS" endpoint
address. (Bug 4089715)
To illustrate, the following entry is incorrect and the listener will not
start up properly (because the TCPS address is before the TCP address):
LISTENER_A =
(DESCRIPTION_LIST =
(DESCRIPTION =(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS )(HOST =
host.domain.com)(PORT = 2484 ))))
(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP )(HOST =
host.domain.com)(PORT = 15151 ))))
)
The following entry is the correct way to do it:
LISTENER_A =
(DESCRIPTION_LIST =
(DESCRIPTION =(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP )(HOST =
host.domain.com)(PORT = 15151))))
(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS )(HOST =
host.domain.com)(PORT = 2484))))
) |
Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board |