TCPS and SSLv2Hello

Thanks to platform independence, the same Java code works on different platforms.

import java.util.Properties;
import java.security.Security;
import java.sql.*;
import javax.net.ssl.*;

public class KeyStore {
  public static void main(String argv[])
      throws SQLException {
    String url="jdbc:oracle:thin:@(DESCRIPTION="+
      "(ADDRESS=(PROTOCOL=TCPS)(Host=SRV01)("+
      "Port=1521))(CONNECT_DATA=(SID=DB01)))";
    Properties props = new Properties();
    props.setProperty("user", "scott");
    props.setProperty("password", "tiger");
    props.setProperty("javax.net.ssl.trustStore",
      "keystore.jks");
    props.setProperty(
      "javax.net.ssl.trustStoreType","JKS");
    props.setProperty(
      "javax.net.ssl.trustStorePassword","***");
    DriverManager.registerDriver(
      new oracle.jdbc.OracleDriver());
    Connection …

check if using tcps part II

In your current session, as written there, check sys_context('USERENV', 'NETWORK_PROTOCOL'). In another session, you could grab some hints out of the network service banner. Do the maths: when it is not not using SSL, it probably is…

select sid,program,
  case when program not like 'ora___@% (P%)' then
  (select max(case when NETWORK_SERVICE_BANNER like '%TCP/IP%'
      then 'TCP' when …

listener with tcps

How can you use SSL to encrypt your network traffic? Here is how I did it.
Install Oracle Certification Authority 10.1.4; you need a CA to approve a certification request.
Install Oracle Database 10gR2 Enterprise Edition with Advanced Security Options.
Start Wallet Manager from the Database Oracle Home: start $ORACLE_HOME/bin/owm.
Create a new Wallet.
Define a …

SSL with PKCS12 truststore

Many many moons ago I vaguely remember having a similar issue with the Java keystore / truststore and Microsoft certificate stores. When you start using SSL for your listener, you could potentially face a large number of issues among your toolsets. In my opinion, the most disastrous one is that you cannot monitor your database with …

anonymous cypher suites for SSL (and a 12c pitfall)

If you configure your listener for encryption only, you do not really need authentication. It works pretty fine until 11.2.0.2; I wrote multiple posts on SSL. You add SSL_CLIENT_AUTHENTICATION=FALSE to your server sqlnet.ora and listener.ora and specify an “anon” cipher suite in your client. You do not need to validate the certificate, so a default …

KeepAlive socket in 12c listener

A not uncommon issue with firewalls and listeners is timeouts. Your production database may be behind a firewall, you may connect from a remote location, even your Windows workstation may have some firewall activated, and possibly you use SSH tunnels or TCPS. All of those occasionally lead to timeouts and connection abortion, for instance ORA-03113 end-of-file on …

ssl version

I wrote about the SSL version in JDBC thin yesterday. The default version also no longer works for the thick client with a 12c client and an 11g server.

With 11gR2:
C:> tnsping (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=SRV01)(PORT=1521)))
TNS Ping Utility for 64-bit Windows: Version 11.2.0.4.0
OK (100 msec)

With 12cR1:
C:> tnsping (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=SRV01)(PORT=1521)))
TNS Ping Utility for 64-bit Windows: …

jdbc ssl

I already wrote about jdbc hello world and listener with tcps. Let’s combine both technologies!

TCPS.java

import java.util.Properties;
import java.security.Security;
import java.sql.*;
import javax.net.ssl.*;

public class TCPS {
  public static void main(String argv[]) throws SQLException {
    String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(Host=dbsrv001)(Port=12345))(CONNECT_DATA=(SID=DB01)))";
    Properties props = new Properties();
    props.setProperty("user", "scott");
    props.setProperty("password", "tiger");
    props.setProperty("javax.net.ssl.trustStore","cwallet.sso");
    props.setProperty("javax.net.ssl.trustStoreType","SSO");
    Security.addProvider(new oracle.security.pki.OraclePKIProvider());
    DriverManager.registerDriver(new …

user identified externally with SSL certificate

Today I configured my database to identify users with certificates. Check my previous post listener with tcps to find out how to configure a listener with SSL, which is a prerequisite. OK, I have a listener.ora and a tnsnames.ora with SSL. I do not need a sqlnet.ora; the default values work.

listener.ora

LISTENER=
  (DESCRIPTION_LIST=
    (DESCRIPTION= …