notes/Oracle_TLS/oracle_tls_01.md
2026-03-12 22:01:38 +01:00

Setup 1: self-signed certificates and certificate exchange

Server side (togoria)

Create the wallet:

orapki wallet create \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "C0mpl1cated#Ph|rase" \
	-auto_login_local

Create a self-signed certificate in the wallet (1024-bit RSA is used here for the proof of concept; it is below the 2048-bit minimum generally recommended today):

orapki wallet add \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "C0mpl1cated#Ph|rase" \
	-dn "CN=togoria.swgalaxy" -keysize 1024 -self_signed -validity 3650

Display wallet contents (wallet password is not required):

orapki wallet display \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet"

Export certificate:

orapki wallet export \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "C0mpl1cated#Ph|rase" \
	-dn "CN=togoria.swgalaxy" \
	-cert /app/oracle/staging_area/TLS_poc/exports/togoria.swgalaxy.crt

Client side (wayland)

Create the wallet:

orapki wallet create \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "Dont1Try@toGuessth1s" \
	-auto_login_local

Create a self-signed certificate in the wallet (same key size caveat as on the server):

orapki wallet add \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "Dont1Try@toGuessth1s" \
	-dn "CN=wayland.swgalaxy" -keysize 1024 -self_signed -validity 3650

Display wallet contents (wallet password is not required):

orapki wallet display \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet"

Export certificate:

orapki wallet export \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "Dont1Try@toGuessth1s" \
	-dn "CN=wayland.swgalaxy" \
	-cert /app/oracle/staging_area/TLS_poc/exports/wayland.swgalaxy.crt

Exchange certificates between server and client

Load client certificate into server wallet as trusted certificate:

orapki wallet add \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "C0mpl1cated#Ph|rase" \
	-trusted_cert -cert /app/oracle/staging_area/TLS_poc/exports/wayland.swgalaxy.crt

Load server certificate into client wallet as trusted certificate:

orapki wallet add \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "Dont1Try@toGuessth1s" \
	-trusted_cert -cert /app/oracle/staging_area/TLS_poc/exports/togoria.swgalaxy.crt

Server side (togoria)

It is not possible to use a custom TNS_ADMIN for the listener: sqlnet.ora and listener.ora must be placed under $(orabasehome)/network/admin for a read-only ORACLE_HOME, or under $ORACLE_HOME/network/admin for a read-write ORACLE_HOME.

File sqlnet.ora (SSL_RSA_WITH_3DES_EDE_CBC_SHA is a legacy suite; keep it only if older clients still require it):

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /app/oracle/staging_area/TLS_poc/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

File listener.ora:

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /app/oracle/staging_area/TLS_poc/wallet)
     )
   )

LISTENER_SECURE =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = togoria.swgalaxy)(PORT = 24000))
    )
  )

Start listener:

lsnrctl start LISTENER_SECURE

Register the listener in the database:

alter system set local_listener="(DESCRIPTION_LIST =
	(DESCRIPTION =
		(ADDRESS = (PROTOCOL = TCPS)(HOST = togoria.swgalaxy)(PORT = 24000))
	)
)" 
scope=both sid='*';

alter system register;

Client network configuration

export TNS_ADMIN=/app/oracle/staging_area/TLS_poc/tnsadmin

File $TNS_ADMIN/sqlnet.ora:

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /app/oracle/staging_area/TLS_poc/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

File $TNS_ADMIN/tnsnames.ora:

MAUL_24000=
  (DESCRIPTION=
    (ADDRESS=
      (PROTOCOL=TCPS)(HOST=togoria.swgalaxy)(PORT=24000)
    )
    (CONNECT_DATA=
      (SERVICE_NAME=MAUL)
    )
  )

Check the TCPS connection (NETWORK_PROTOCOL should return tcps):

connect vpl/*****@MAUL_24000

select SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') from dual;
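As an added check (example code written for these notes, not part of the original procedure or of Oracle's tooling), the following Python parses the client-side sqlnet.ora and tnsnames.ora into their (NAME=VALUE) structure and flags aliases that do not use TCPS as well as cipher suites built on legacy algorithms such as 3DES. The samples are constructed from the files above; the MAUL_1521 alias is an assumption added only so the audit has a plaintext alias to flag.

```python
import re

# Constructed samples modelled on the client files above; MAUL_1521 (plain TCP) is an assumption added only to be flagged.
SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
"""
TNSNAMES_ORA = """
MAUL_24000 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = togoria.swgalaxy)(PORT = 24000))
  (CONNECT_DATA = (SERVICE_NAME = MAUL)))
MAUL_1521 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = togoria.swgalaxy)(PORT = 1521))
  (CONNECT_DATA = (SERVICE_NAME = MAUL)))
"""
KEY_RE = re.compile(r"^[ \t]*([\w.]+)[ \t]*=", re.M)   # a top-level "NAME =" line

def parse_groups(s, i=0):
    """Parse consecutive '(KEY=VALUE)' groups from s[i] (s holds no whitespace); repeated keys accumulate."""
    groups = {}
    while i < len(s) and s[i] == "(":
        eq = s.index("=", i)
        key, i = s[i + 1:eq].upper(), eq + 1
        if s[i] == "(":                          # nested group(s)
            val, i = parse_groups(s, i)
        else:                                    # scalar up to the closing ')'
            end = s.index(")", i)
            val, i = s[i:end], end
        groups.setdefault(key, []).append(val)
        i += 1                                   # consume ')'
    return groups, i

def parse_ora(text):
    """Top-level entries of an .ora file: nested groups, (a,b) lists or bare values; values are assumed space-free."""
    ms, entries = list(KEY_RE.finditer(text)), {}
    for m, nxt in zip(ms, ms[1:] + [None]):
        raw = re.sub(r"\s", "", text[m.end():nxt.start() if nxt else len(text)])
        val = raw if not raw.startswith("(") else (
            parse_groups(raw)[0] if "=" in raw else raw[1:-1].split(","))
        entries[m.group(1).upper()] = val
    return entries

def audit(sqlnet, tnsnames):
    """Flag legacy cipher suites in sqlnet.ora and non-TCPS addresses in tnsnames.ora."""
    findings = [f"legacy cipher suite {c}" for c in parse_ora(sqlnet).get("SSL_CIPHER_SUITES", [])
                if any(tag in c for tag in ("3DES", "RC4", "MD5", "NULL"))]
    for alias, entry in parse_ora(tnsnames).items():
        for desc in entry.get("DESCRIPTION", []):
            for addr in desc.get("ADDRESS", []):
                if addr.get("PROTOCOL", [""])[0].upper() != "TCPS":
                    findings.append(f"{alias}: {addr['HOST'][0]}:{addr['PORT'][0]} is not TCPS")
    return findings
```

Point the two constants at the real files under $TNS_ADMIN and the same audit runs unchanged on the multi-line layout used in these notes.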

Setup 2: use certificates signed by a CA Root

Stop the listener:

lsnrctl stop LISTENER_SECURE

Remove the trusted certificates, the user certificate and the certificate request on the server side:

orapki wallet remove \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "C0mpl1cated#Ph|rase" \
	-trusted_cert \
	-alias 'CN=togoria.swgalaxy' 

orapki wallet remove \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "C0mpl1cated#Ph|rase" \
	-trusted_cert \
	-alias 'CN=wayland.swgalaxy' 		

orapki wallet remove \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "C0mpl1cated#Ph|rase" \
	-user_cert \
	-dn 'CN=togoria.swgalaxy' 		

orapki wallet remove \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "C0mpl1cated#Ph|rase" \
	-cert_req \
	-dn 'CN=togoria.swgalaxy'

Remove the trusted certificates, the user certificate and the certificate request on the client side:

orapki wallet remove \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "Dont1Try@toGuessth1s" \
	-trusted_cert \
	-alias 'CN=togoria.swgalaxy' 

orapki wallet remove \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "Dont1Try@toGuessth1s" \
	-trusted_cert \
	-alias 'CN=wayland.swgalaxy' 		

orapki wallet remove \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "Dont1Try@toGuessth1s" \
	-user_cert \
	-dn 'CN=wayland.swgalaxy' 		

orapki wallet remove \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "Dont1Try@toGuessth1s" \
	-cert_req \
	-dn 'CN=wayland.swgalaxy'

Check that the wallets are empty on both the client and the server side:

orapki wallet display \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet"

We will use certificates signed by the same CA Root for the client and for the server.

Create a PKCS#12 export file containing the server certificate, the server private key and the CA Root certificate:

openssl pkcs12 -export \
	-in /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.crt \
	-inkey /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.key \
	-certfile /app/oracle/staging_area/TLS_poc/openssl_files/rootCA.pem \
	-out /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.p12

Import it into the Oracle wallet:

orapki wallet import_pkcs12 \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "C0mpl1cated#Ph|rase" \
	-pkcs12file /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.p12

The server certificate is imported as the user certificate and the CA Root certificate as a trusted certificate.

Perform the same export and import on the client side:

openssl pkcs12 -export \
	-in /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.crt \
	-inkey /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.key \
	-certfile /app/oracle/staging_area/TLS_poc/openssl_files/rootCA.pem \
	-out /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.p12

orapki wallet import_pkcs12 \
	-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
	-pwd "Dont1Try@toGuessth1s" \
	-pkcs12file /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.p12	

Start the listener:

lsnrctl start LISTENER_SECURE