Today I configured my database to identify users with certificates.
Check my previous post listener with tcps to find out how to configure a listener with SSL, which is a requisite.
Ok, I have a listener.ora and a tnsnames.ora with SSL. I do not need a sqlnet.ora, the default values work.
LISTENER= (DESCRIPTION_LIST= (DESCRIPTION= (ADDRESS=(PROTOCOL=TCP)(HOST=chltlxlsc1)(PORT=1521)) ) (DESCRIPTION= (ADDRESS=(PROTOCOL=TCPS)(HOST=chltlxlsc1)(PORT=15210)) ) )
LSC07= (DESCRIPTION= (ADDRESS_LIST=( (ADDRESS=(PROTOCOL=tcp)(HOST=chltlxlsc1)(PORT=1521)) (ADDRESS=(PROTOCOL=tcps)(HOST=chltlxlsc1)(PORT=15210)) ) (CONNECT_DATA= (SERVICE_NAME=LSC07.lcsys.ch) ) )
# empty file
Now I have one user, lsc, which is going to connect with its own certificate. First, I need to create a wallet for that user. I run owm as lsc, I create a new wallet, a new certification request with the DN:CN=lsc, I copy/paste my certification request in the CA server, I import the user certificate, and I save it in the system default, /etc/ORACLE/WALLETS/lsc.
Now I need to trust that certificate, so I export my user certificate to a file, and make that file readable for oracle. As oracle, I run the wallet manager owm, I import the trusted user certificate, and I save in system default, /etc/ORACLE/WALLETS/oracle.
One more thing I need to configure now is the wallet location for lsc in the sqlnet parameter file. To avoid conflicts, I create a specific sqlnet for that user in homedir called .sqlnet.ora (with a leading dot).
WALLET_LOCATION= (SOURCE= (METHOD=FILE) (METHOD_DATA= (DIRECTORY = /etc/ORACLE/WALLETS/lsc) ) )
Last thing to do : create the user in sqlplus.
SQL> show parameter os_authent_prefix NAME VALUE ------------------ ------------------------------ os_authent_prefix ops$ SQL> create user ops$lsc identified externally as 'CN=lsc'; User created. SQL> grant create session to ops$lsc; Grant succeeded.
Now I can remotely log on my database without a password.
SQL> connect /@LSC07 Connected.