TCPS and SSLv2Hello

Thanks to platform independence, the same Java code works on different platforms.

    import java.util.Properties;
    import java.security.Security;
    import java.sql.*;
    import javax.net.ssl.*;

    public class KeyStore {
      public static void main(String argv[])
          throws SQLException {
        String url="jdbc:oracle:thin:@(DESCRIPTION="+
          "(ADDRESS=(PROTOCOL=TCPS)(Host=SRV01)("+
          "Port=1521))(CONNECT_DATA=(SID=DB01)))";
        Properties props = new Properties();
        props.setProperty("user", "scott");
        props.setProperty("password", "tiger");
        props.setProperty("javax.net.ssl.trustStore",
          "keystore.jks");
        props.setProperty(
          "javax.net.ssl.trustStoreType","JKS");
        props.setProperty(
          "javax.net.ssl.trustStorePassword","***");
        DriverManager.registerDriver(
          new oracle.jdbc.OracleDriver());
        Connection …

check if using tcps part II

In your current session, as written there, check sys_context('USERENV', 'NETWORK_PROTOCOL'). In another session, you could grab some hints out of the network service banner. Do the maths: when it is not-not using ssl, it probably is…

    select sid,program,
      case when program not like 'ora___@% (P%)' then
      (select max(case when NETWORK_SERVICE_BANNER like '%TCP/IP%'
          then 'TCP' when …

listener with tcps

How can you use SSL to encrypt your network traffic? Here is how I did it.

Install Oracle Certification Authority 10.1.4 (you need a CA to approve a certification request)
Install Oracle Database 10gR2 Enterprise Edition with Advanced Security Options
Start Wallet Manager: from Database Oracle Home, start $ORACLE_HOME/bin/owm
create a new Wallet
define a …

default listener port

A long time ago, Maxime Yuen registered 1521 for nCube License Manager. By googling I found: Ellison cleans house at nCube, and since then 1521 has been used as a default port for Oracle. Still, you’ll see nCube in IANA.ORG service names port numbers and in /etc/services the nCube name. I don’t know which one …

anonymous cypher suites for SSL (and a 12c pitfall)

If you configure your listener for encryption only, you do not really need authentication. It works pretty fine until 11.2.0.2; I wrote multiple posts on ssl. You add SSL_CLIENT_AUTHENTICATION=FALSE to your server sqlnet.ora and listener.ora and specify an “anon” cipher suite in your client. You do not need to validate the certificate, so a default …

ssl version

I wrote about ssl version in jdbc thin yesterday. The default version also no longer works for the thick client with 12c client and 11g Server.

With 11gR2:

    C:> tnsping (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=SRV01)(PORT=1521)))
    TNS Ping Utility for 64-bit Windows: Version 11.2.0.4.0
    OK (100 msec)

With 12cR1:

    C:> tnsping (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=SRV01)(PORT=1521)))
    TNS Ping Utility for 64-bit Windows: …

jdbc ssl

I already wrote about jdbc hello world and listener with tcps. Let’s combine both technologies!

TCPS.java

    import java.util.Properties;
    import java.security.Security;
    import java.sql.*;
    import javax.net.ssl.*;

    public class TCPS {
      public static void main(String argv[]) throws SQLException {
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(Host=dbsrv001)(Port=12345))(CONNECT_DATA=(SID=DB01)))";
        Properties props = new Properties();
        props.setProperty("user", "scott");
        props.setProperty("password", "tiger");
        props.setProperty("javax.net.ssl.trustStore","cwallet.sso");
        props.setProperty("javax.net.ssl.trustStoreType","SSO");
        Security.addProvider(new oracle.security.pki.OraclePKIProvider());
        DriverManager.registerDriver(new …

user identified externally with SSL certificate

Today I configured my database to identify users with certificates. Check my previous post listener with tcps to find out how to configure a listener with SSL, which is a requisite. Ok, I have a listener.ora and a tnsnames.ora with SSL. I do not need a sqlnet.ora; the default values work.

listener.ora

    LISTENER=
      (DESCRIPTION_LIST=
        (DESCRIPTION= …