SSL with PKCS12 truststore

Many many moons ago I vaguely remember having a similar issue with Java keystores / truststores and Microsoft certificate stores. When you start using SSL for your listener, you could potentially face a large number of issues among your toolsets. In my opinion, the most disastrous one is that you cannot monitor your database with…

anonymous cipher suites for SSL (and a 12c pitfall)

If you configure your listener for encryption only, you do not really need authentication: the traffic is encrypted, but the client does not verify who it is talking to, so a man in the middle is not detected. It works fine up to 11.2.0.2; I wrote multiple posts on SSL. You add SSL_CLIENT_AUTHENTICATION=FALSE to your server sqlnet.ora and listener.ora and specify an "anon" cipher suite in your client. You do not need to validate the certificate, so a default…

KeepAlive socket in 12c listener

A common issue with firewalls and listeners is timeouts. Your production database may be behind a firewall, you may connect from a remote location, even your Windows workstation may have a firewall activated, and possibly you use ssh tunnels or TCPS. All of those occasionally lead to timeouts and aborted connections, for instance ORA-03113 end-of-file on…

TCPS and SSLv2Hello

Thanks to platform independence, the same Java code works on different platforms.

    import java.util.Properties;
    import java.security.Security;
    import java.sql.*;
    import javax.net.ssl.*;

    public class KeyStore {
      public static void main(String argv[]) throws SQLException {
        String url="jdbc:oracle:thin:@(DESCRIPTION="+
          "(ADDRESS=(PROTOCOL=TCPS)(Host=SRV01)("+
          "Port=1521))(CONNECT_DATA=(SID=DB01)))";
        Properties props = new Properties();
        props.setProperty("user", "scott");
        props.setProperty("password", "tiger");
        props.setProperty("javax.net.ssl.trustStore", "keystore.jks");
        props.setProperty("javax.net.ssl.trustStoreType","JKS");
        props.setProperty("javax.net.ssl.trustStorePassword","***");
        DriverManager.registerDriver(new oracle.jdbc.OracleDriver());
        Connection…
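An added example (not code from the original posts) of the JDBC thin client side for the PKCS12 truststore, anonymous cipher suite, keepalive and SSLv2Hello entries above: a PKCS12 truststore in place of the JKS one, DN matching, a pinned TLS version so the driver never opens with an SSLv2Hello record, socket keepalive, and an encryption-only variant with an anonymous suite. Host srv01, port 2484, SID DB01, the user, the file names, the passwords and the certificate DN are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

// Added example, not code from the original posts. Host, port, SID, user,
// file names, passwords and the server DN are assumptions.
public class TcpsClient {

    // Connect descriptor over TCPS. SSL_SERVER_CERT_DN is what the driver
    // compares against the listener certificate when ssl_server_dn_match is on.
    static final String URL =
        "jdbc:oracle:thin:@(DESCRIPTION="
      + "(ADDRESS=(PROTOCOL=TCPS)(HOST=srv01)(PORT=2484))"
      + "(CONNECT_DATA=(SID=DB01))"
      + "(SECURITY=(SSL_SERVER_CERT_DN=\"CN=srv01,O=example\")))";

    // Settings shared by both modes.
    private static Properties base() {
        Properties p = new Properties();
        p.setProperty("user", "scott");
        p.setProperty("password", "tiger");
        // Pin the protocol version: a handshake that starts with an SSLv2Hello
        // record is rejected by older listeners, and anything below 1.2 is weak.
        p.setProperty("oracle.net.ssl_version", "1.2");
        // TCP keepalive on the socket, so an idle session is not silently
        // dropped by a firewall between client and listener (ORA-03113 later).
        p.setProperty("oracle.net.keepAlive", "true");
        return p;
    }

    // Mode 1: authenticated server. The PKCS12 truststore holds only the CA
    // certificate that signed the listener's wallet certificate.
    public static Properties authenticated() {
        Properties p = base();
        p.setProperty("javax.net.ssl.trustStore", "truststore.p12");
        p.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
        p.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        // Without DN matching the driver accepts any certificate that CA ever
        // issued, so another host's certificate would pass.
        p.setProperty("oracle.net.ssl_server_dn_match", "true");
        return p;
    }

    // Mode 2: encryption only, the client side of SSL_CLIENT_AUTHENTICATION=FALSE
    // plus an anonymous suite on the server. No truststore, because no
    // certificate is verified; the price is that anyone on the path can
    // impersonate the listener. Current JDKs list "anon" (and 3DES) in
    // jdk.tls.disabledAlgorithms, so this mode only works after relaxing that
    // policy, which is one more reason not to run it outside a lab.
    public static Properties encryptionOnly() {
        Properties p = base();
        p.setProperty("oracle.net.ssl_cipher_suites",
                      "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)");
        p.setProperty("oracle.net.ssl_server_dn_match", "false");
        return p;
    }

    // Connect and return the protocol the server sees for this session,
    // the same check as sys_context('USERENV','NETWORK_PROTOCOL') in SQL*Plus.
    public static String protocol(Properties props) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL, props);
             Statement s = c.createStatement();
             ResultSet r = s.executeQuery(
                 "select sys_context('USERENV','NETWORK_PROTOCOL') from dual")) {
            return r.next() ? r.getString(1) : null;
        }
    }

    public static void main(String[] args) throws SQLException {
        boolean anon = args.length > 0 && args[0].equals("anon");
        System.out.println(protocol(anon ? encryptionOnly() : authenticated()));
    }
}
```

Run it with ojdbc on the classpath; `java TcpsClient` uses the truststore mode and `java TcpsClient anon` the encryption-only mode. Either way the query should return tcps; if it returns tcp, the descriptor fell back to a plain address and nothing is encrypted.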

check if using tcps part II

In your current session, as written there, check sys_context('USERENV', 'NETWORK_PROTOCOL'). In another session, you can grab some hints out of the network service banner. Do the maths: when it is not-not using SSL, it probably is…

    select sid, program,
      case when program not like 'ora___@% (P%)' then
        (select max(case when NETWORK_SERVICE_BANNER like '%TCP/IP%' then 'TCP' when…

jdbc ssl

I already wrote about jdbc hello world and listener with tcps. Let's combine both technologies!

TCPS.java

    import java.util.Properties;
    import java.security.Security;
    import java.sql.*;
    import javax.net.ssl.*;

    public class TCPS {
      public static void main(String argv[]) throws SQLException {
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(Host=dbsrv001)(Port=12345))(CONNECT_DATA=(SID=DB01)))";
        Properties props = new Properties();
        props.setProperty("user", "scott");
        props.setProperty("password", "tiger");
        props.setProperty("javax.net.ssl.trustStore","cwallet.sso");
        props.setProperty("javax.net.ssl.trustStoreType","SSO");
        Security.addProvider(new oracle.security.pki.OraclePKIProvider());
        DriverManager.registerDriver(new…

user identified externally with SSL certificate

Today I configured my database to identify users with certificates. Check my previous post listener with tcps to find out how to configure a listener with SSL, which is a prerequisite. OK, I have a listener.ora and a tnsnames.ora with SSL. I do not need a sqlnet.ora, the default values work.

listener.ora

    LISTENER=
      (DESCRIPTION_LIST=
        (DESCRIPTION=…

check if using tcp or tcps

Yesterday I wrote a how-to on the listener with SSL. To check the protocol:

    SQL> select sys_context('USERENV','NETWORK_PROTOCOL') PROTOCOL from dual;

    PROTOCOL
    --------
    tcps

listener with tcps

How can you use SSL to encrypt your network traffic? Here is how I did it.

1. Install Oracle Certification Authority 10.1.4: you need a CA to approve a certification request.
2. Install Oracle Database 10gR2 Enterprise Edition with Advanced Security Options.
3. Start Wallet Manager from the Database Oracle Home: start $ORACLE_HOME/bin/owm.
4. Create a new Wallet.
5. Define a…
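An added example (not the post's own files) of the Net configuration that procedure ends with once the wallet holds the listener certificate: listener.ora and sqlnet.ora on the server, and tnsnames.ora plus sqlnet.ora on a client that verifies the listener certificate and its DN. Host srv01, port 2484, SID DB01, the wallet directories and the DN are assumptions.

```text
# listener.ora (server). The listener cannot prompt for a wallet password,
# so the wallet directory must contain an auto-login wallet (cwallet.sso).
LISTENER=
  (DESCRIPTION_LIST=
    (DESCRIPTION=
      (ADDRESS=(PROTOCOL=TCPS)(HOST=srv01)(PORT=2484))))
SSL_CLIENT_AUTHENTICATION=FALSE
WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/wallet)))

# sqlnet.ora (server): the database processes that inherit the TCPS
# connection need the same wallet.
SSL_CLIENT_AUTHENTICATION=FALSE
WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/wallet)))

# tnsnames.ora (client). SSL_SERVER_CERT_DN is the DN the client expects
# in the listener certificate; without it any certificate from the CA passes.
DB01=
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCPS)(HOST=srv01)(PORT=2484))
    (CONNECT_DATA=(SID=DB01))
    (SECURITY=(SSL_SERVER_CERT_DN="CN=srv01,O=example")))

# sqlnet.ora (client): the client wallet holds only the CA certificate that
# signed the listener certificate; DN matching turns on the check above.
SSL_SERVER_DN_MATCH=ON
WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/scott/wallet)))
```

After `lsnrctl reload`, `tnsping DB01` must report the TCPS address, and a session through it returns tcps for sys_context('USERENV','NETWORK_PROTOCOL'); SSL_CLIENT_AUTHENTICATION=FALSE only relaxes verification of the client, the server certificate is still checked against the client wallet.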