2026-03-12 21:01:38

2026-03-12 22:01:38 +01:00
parent 3bd1db26cc
commit 26296b6d6a
336 changed files with 27507 additions and 0 deletions
--- a/Oracle_TLS/oracle_tls_01.md
+++ b/Oracle_TLS/oracle_tls_01.md
@@ -0,0 +1,268 @@
+# Setup 1: self signed certificated and certificates exchange
+
+## Server side (togoria)
+
+Create the wallet:
+
+	orapki wallet create \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "C0mpl1cated#Ph|rase" \
+		-auto_login_local
+
+
+Create certificate in wallet:
+
+	orapki wallet add \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "C0mpl1cated#Ph|rase" \
+		-dn "CN=togoria.swgalaxy" -keysize 1024 -self_signed -validity 3650
+
+Display wallet contents (wallet password is not required):
+
+	orapki wallet display \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet"
+
+Export certificate:
+
+	orapki wallet export \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "C0mpl1cated#Ph|rase" \
+		-dn "CN=togoria.swgalaxy" \
+		-cert /app/oracle/staging_area/TLS_poc/exports/togoria.swgalaxy.crt
+
+## Client side (wayland)
+
+Create the wallet:
+
+	orapki wallet create \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "Dont1Try@toGuessth1s" \
+		-auto_login_local
+
+Create certificate in wallet:
+
+	orapki wallet add \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "Dont1Try@toGuessth1s" \
+		-dn "CN=wayland.swgalaxy" -keysize 1024 -self_signed -validity 3650
+
+Display wallet contents (wallet password is not required):
+
+	orapki wallet display \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet"
+
+Export certificate:
+
+	orapki wallet export \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "Dont1Try@toGuessth1s" \
+		-dn "CN=wayland.swgalaxy" \
+		-cert /app/oracle/staging_area/TLS_poc/exports/wayland.swgalaxy.crt
+
+## Exchange certificates between server and client
+
+Load client certificate into server wallet as **trusted** certificate:
+
+	orapki wallet add \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "C0mpl1cated#Ph|rase" \
+		-trusted_cert -cert /app/oracle/staging_area/TLS_poc/exports/wayland.swgalaxy.crt
+
+Load server certificate into client wallet as **trusted** certificate:
+
+	orapki wallet add \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "Dont1Try@toGuessth1s" \
+		-trusted_cert -cert /app/oracle/staging_area/TLS_poc/exports/togoria.swgalaxy.crt
+
+## Server side (togoria)
+
+> It is not possible to use a custom `TNS_ADMIN` for the listener.  `sqlnet.ora` and `listener.ora` shound be placed under `$(orabasehome)/network/admin` for a **read-only** `ORACLE_HOME` or under `$ORACLE_HOME/network/admin` for a **read-write** `ORACLE_HOME`
+
+File `sqlnet.ora`:
+
+	WALLET_LOCATION =
+	   (SOURCE =
+	     (METHOD = FILE)
+	     (METHOD_DATA =
+	       (DIRECTORY = /app/oracle/staging_area/TLS_poc/wallet)
+	     )
+	   )
+
+	SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
+	SSL_CLIENT_AUTHENTICATION = FALSE
+	SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
+
+
+File `listener.ora`:
+
+	SSL_CLIENT_AUTHENTICATION = FALSE
+
+	WALLET_LOCATION =
+	   (SOURCE =
+	     (METHOD = FILE)
+	     (METHOD_DATA =
+	       (DIRECTORY = /app/oracle/staging_area/TLS_poc/wallet)
+	     )
+	   )
+
+	LISTENER_SECURE =
+	  (DESCRIPTION_LIST =
+	    (DESCRIPTION =
+	                (ADDRESS = (PROTOCOL = TCPS)(HOST = togoria.swgalaxy)(PORT = 24000))
+	  )
+	)
+
+
+Start listener:
+
+	lsnrctl start LISTENER_SECURE
+
+Register listener in database:
+
+	alter system set local_listener="(DESCRIPTION_LIST =
+		(DESCRIPTION =
+			(ADDRESS = (PROTOCOL = TCPS)(HOST = togoria.swgalaxy)(PORT = 24000))
+		)
+	)" 
+	scope=both sid='*';
+
+	alter system register;
+
+## Client network configuration
+
+	export TNS_ADMIN=/app/oracle/staging_area/TLS_poc/tnsadmin
+
+File `$TNS_ADMIN/sqlnet.ora`:
+
+	WALLET_LOCATION =
+	   (SOURCE =
+	     (METHOD = FILE)
+	     (METHOD_DATA =
+	       (DIRECTORY = /app/oracle/staging_area/TLS_poc/wallet)
+	     )
+	   )
+
+	SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)
+	SSL_CLIENT_AUTHENTICATION = FALSE
+	SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
+
+
+File `$TNS_ADMIN/tnsnames.ora`:
+
+	MAUL_24000=
+	  (DESCRIPTION=
+	    (ADDRESS=
+	      (PROTOCOL=TCPS)(HOST=togoria.swgalaxy)(PORT=24000)
+	    )
+	    (CONNECT_DATA=
+	      (SERVICE_NAME=MAUL)
+	    )
+	  )
+
+
+Check **TCPS** connection:
+
+	connect vpl/*****@MAUL_24000
+
+	select SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') from dual;
+
+
+# Setup 2: use certificates signed by a CA Root
+
+Stop the listener:
+
+	lsnrctl stop LISTENER_SECURE
+
+Remove trusted/user certificates and certificate requests on **server** side.
+
+	orapki wallet remove \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "C0mpl1cated#Ph|rase" \
+		-trusted_cert \
+		-alias 'CN=togoria.swgalaxy' 
+
+	orapki wallet remove \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "C0mpl1cated#Ph|rase" \
+		-trusted_cert \
+		-alias 'CN=wayland.swgalaxy' 		
+
+	orapki wallet remove \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "C0mpl1cated#Ph|rase" \
+		-user_cert \
+		-dn 'CN=togoria.swgalaxy' 		
+
+	orapki wallet remove \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "C0mpl1cated#Ph|rase" \
+		-cert_req \
+		-dn 'CN=togoria.swgalaxy'
+
+Remove trusted/user certificates and certificate requests on  **client** side.
+
+	orapki wallet remove \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "Dont1Try@toGuessth1s" \
+		-trusted_cert \
+		-alias 'CN=togoria.swgalaxy' 
+
+	orapki wallet remove \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "Dont1Try@toGuessth1s" \
+		-trusted_cert \
+		-alias 'CN=wayland.swgalaxy' 		
+
+	orapki wallet remove \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "Dont1Try@toGuessth1s" \
+		-user_cert \
+		-dn 'CN=wayland.swgalaxy' 		
+
+	orapki wallet remove \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "Dont1Try@toGuessth1s" \
+		-cert_req \
+		-dn 'CN=wayland.swgalaxy'
+
+Check if wallets are empty client/server side.
+
+	orapki wallet display \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet"
+
+We will use certificates signed by the same CA Root for the client and for the server.  
+
+Create an export file using the server certificate, server private key and CA Root certificate:
+
+	openssl pkcs12 -export \
+		-in /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.crt \
+		-inkey /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.key \
+		-certfile /app/oracle/staging_area/TLS_poc/openssl_files/rootCA.pem \
+		-out /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.p12
+
+Import into Oracle wallet:
+
+	orapki wallet import_pkcs12 \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "C0mpl1cated#Ph|rase" \
+		-pkcs12file /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.p12
+
+Server certificate will be imported as **user** certificate and CA Root certificate will be imported as **trusted** certificate.  
+
+Perform the same certificate export-import operation client side:
+
+	openssl pkcs12 -export \
+		-in /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.crt \
+		-inkey /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.key \
+		-certfile /app/oracle/staging_area/TLS_poc/openssl_files/rootCA.pem \
+		-out /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.p12
+
+	orapki wallet import_pkcs12 \
+		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
+		-pwd "Dont1Try@toGuessth1s" \
+		-pkcs12file /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.p12	
+
+Start the listener:
+
+	lsnrctl start LISTENER_SECURE