notes/Oracle_TLS/oracle_tls_01.md

# Setup 1: self signed certificated and certificates exchange

## Server side (togoria)

Create the wallet:

	orapki wallet create \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "C0mpl1cated#Ph|rase" \
		-auto_login_local


Create certificate in wallet:

	orapki wallet add \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "C0mpl1cated#Ph|rase" \
		-dn "CN=togoria.swgalaxy" -keysize 1024 -self_signed -validity 3650

Display wallet contents (wallet password is not required):

	orapki wallet display \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet"

Export certificate:

	orapki wallet export \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "C0mpl1cated#Ph|rase" \
		-dn "CN=togoria.swgalaxy" \
		-cert /app/oracle/staging_area/TLS_poc/exports/togoria.swgalaxy.crt

## Client side (wayland)

Create the wallet:

	orapki wallet create \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "Dont1Try@toGuessth1s" \
		-auto_login_local

Create certificate in wallet:

	orapki wallet add \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "Dont1Try@toGuessth1s" \
		-dn "CN=wayland.swgalaxy" -keysize 1024 -self_signed -validity 3650

Display wallet contents (wallet password is not required):

	orapki wallet display \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet"

Export certificate:

	orapki wallet export \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "Dont1Try@toGuessth1s" \
		-dn "CN=wayland.swgalaxy" \
		-cert /app/oracle/staging_area/TLS_poc/exports/wayland.swgalaxy.crt

## Exchange certificates between server and client

Load client certificate into server wallet as **trusted** certificate:

	orapki wallet add \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "C0mpl1cated#Ph|rase" \
		-trusted_cert -cert /app/oracle/staging_area/TLS_poc/exports/wayland.swgalaxy.crt

Load server certificate into client wallet as **trusted** certificate:

	orapki wallet add \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "Dont1Try@toGuessth1s" \
		-trusted_cert -cert /app/oracle/staging_area/TLS_poc/exports/togoria.swgalaxy.crt

## Server side (togoria)

> It is not possible to use a custom `TNS_ADMIN` for the listener.  `sqlnet.ora` and `listener.ora` shound be placed under `$(orabasehome)/network/admin` for a **read-only** `ORACLE_HOME` or under `$ORACLE_HOME/network/admin` for a **read-write** `ORACLE_HOME`

File `sqlnet.ora`:

	WALLET_LOCATION =
	   (SOURCE =
	     (METHOD = FILE)
	     (METHOD_DATA =
	       (DIRECTORY = /app/oracle/staging_area/TLS_poc/wallet)
	     )
	   )

	SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
	SSL_CLIENT_AUTHENTICATION = FALSE
	SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)


File `listener.ora`:

	SSL_CLIENT_AUTHENTICATION = FALSE

	WALLET_LOCATION =
	   (SOURCE =
	     (METHOD = FILE)
	     (METHOD_DATA =
	       (DIRECTORY = /app/oracle/staging_area/TLS_poc/wallet)
	     )
	   )

	LISTENER_SECURE =
	  (DESCRIPTION_LIST =
	    (DESCRIPTION =
	                (ADDRESS = (PROTOCOL = TCPS)(HOST = togoria.swgalaxy)(PORT = 24000))
	  )
	)


Start listener:

	lsnrctl start LISTENER_SECURE

Register listener in database:

	alter system set local_listener="(DESCRIPTION_LIST =
		(DESCRIPTION =
			(ADDRESS = (PROTOCOL = TCPS)(HOST = togoria.swgalaxy)(PORT = 24000))
		)
	)" 
	scope=both sid='*';

	alter system register;

## Client network configuration

	export TNS_ADMIN=/app/oracle/staging_area/TLS_poc/tnsadmin

File `$TNS_ADMIN/sqlnet.ora`:

	WALLET_LOCATION =
	   (SOURCE =
	     (METHOD = FILE)
	     (METHOD_DATA =
	       (DIRECTORY = /app/oracle/staging_area/TLS_poc/wallet)
	     )
	   )

	SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)
	SSL_CLIENT_AUTHENTICATION = FALSE
	SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)


File `$TNS_ADMIN/tnsnames.ora`:

	MAUL_24000=
	  (DESCRIPTION=
	    (ADDRESS=
	      (PROTOCOL=TCPS)(HOST=togoria.swgalaxy)(PORT=24000)
	    )
	    (CONNECT_DATA=
	      (SERVICE_NAME=MAUL)
	    )
	  )


Check **TCPS** connection:

	connect vpl/*****@MAUL_24000

	select SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') from dual;


# Setup 2: use certificates signed by a CA Root

Stop the listener:

	lsnrctl stop LISTENER_SECURE

Remove trusted/user certificates and certificate requests on **server** side.

	orapki wallet remove \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "C0mpl1cated#Ph|rase" \
		-trusted_cert \
		-alias 'CN=togoria.swgalaxy' 

	orapki wallet remove \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "C0mpl1cated#Ph|rase" \
		-trusted_cert \
		-alias 'CN=wayland.swgalaxy' 		

	orapki wallet remove \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "C0mpl1cated#Ph|rase" \
		-user_cert \
		-dn 'CN=togoria.swgalaxy' 		

	orapki wallet remove \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "C0mpl1cated#Ph|rase" \
		-cert_req \
		-dn 'CN=togoria.swgalaxy'

Remove trusted/user certificates and certificate requests on  **client** side.

	orapki wallet remove \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "Dont1Try@toGuessth1s" \
		-trusted_cert \
		-alias 'CN=togoria.swgalaxy' 

	orapki wallet remove \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "Dont1Try@toGuessth1s" \
		-trusted_cert \
		-alias 'CN=wayland.swgalaxy' 		

	orapki wallet remove \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "Dont1Try@toGuessth1s" \
		-user_cert \
		-dn 'CN=wayland.swgalaxy' 		

	orapki wallet remove \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "Dont1Try@toGuessth1s" \
		-cert_req \
		-dn 'CN=wayland.swgalaxy'

Check if wallets are empty client/server side.

	orapki wallet display \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet"

We will use certificates signed by the same CA Root for the client and for the server.  

Create an export file using the server certificate, server private key and CA Root certificate:

	openssl pkcs12 -export \
		-in /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.crt \
		-inkey /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.key \
		-certfile /app/oracle/staging_area/TLS_poc/openssl_files/rootCA.pem \
		-out /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.p12

Import into Oracle wallet:

	orapki wallet import_pkcs12 \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "C0mpl1cated#Ph|rase" \
		-pkcs12file /app/oracle/staging_area/TLS_poc/openssl_files/togoria.swgalaxy.p12

Server certificate will be imported as **user** certificate and CA Root certificate will be imported as **trusted** certificate.  

Perform the same certificate export-import operation client side:

	openssl pkcs12 -export \
		-in /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.crt \
		-inkey /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.key \
		-certfile /app/oracle/staging_area/TLS_poc/openssl_files/rootCA.pem \
		-out /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.p12

	orapki wallet import_pkcs12 \
		-wallet "/app/oracle/staging_area/TLS_poc/wallet" \
		-pwd "Dont1Try@toGuessth1s" \
		-pkcs12file /app/oracle/staging_area/TLS_poc/openssl_files/wayland.swgalaxy.p12	

Start the listener:

	lsnrctl start LISTENER_SECURE