SSL with PKCS12 truststore

Many, many moons ago I vaguely remember having a similar issue with Java keystores/truststores and Microsoft certificate stores. When you start using SSL for your listener, you could potentially face a large number of issues among your toolsets. In my opinion, the most disastrous one is that you cannot monitor your database with […]

anonymous cypher suites for SSL (and a 12c pitfall)

If you configure your listener for encryption only, you do not really need authentication. It works pretty fine until, I wrote multiple posts on SSL. You add SSL_CLIENT_AUTHENTICATION=FALSE to your server sqlnet.ora and listener.ora and specify an “anon” cipher suite in your client. You do not need to validate the certificate, so a default […]

KeepAlive socket in 12c listener

A not uncommon issue with firewalls and listeners is timeouts. Your production database may be behind a firewall, you may connect from a remote location, even your Windows workstation may have some firewall activated, possibly you use SSH tunnels or TCPS. All those occasionally lead to timeouts and aborted connections, for instance ORA-03113 end-of-file on […]

TCPS and SSLv2Hello

Thanks to platform independence, the same Java code works on different platforms.

import java.util.Properties;
import;
import java.sql.*;
import*;

public class KeyStore {
  public static void main(String argv[])
      throws SQLException {
    String url="jdbc:oracle:thin:@(DESCRIPTION="+
      "(ADDRESS=(PROTOCOL=TCPS)(Host=SRV01)("+
      "Port=1521))(CONNECT_DATA=(SID=DB01)))";
    Properties props = new Properties();
    props.setProperty("user", "scott");
    props.setProperty("password", "tiger");
    props.setProperty("",
      "keystore.jks");
    props.setProperty(
      "","JKS");
    props.setProperty(
      "","***");
    DriverManager.registerDriver(
      new oracle.jdbc.OracleDriver());
    Connection […]

check if using tcps part II

In your current session, as written there, check sys_context('USERENV', 'NETWORK_PROTOCOL'). In another session, you could grab some hints out of the network service banner. Do the maths: when it is not not using SSL, it probably is…

select sid,program,
  case when program not like 'ora___@% (P%)' then
  (select max(case when NETWORK_SERVICE_BANNER like '%TCP/IP%'
      then 'TCP' when […]

jdbc ssl

I already wrote about jdbc hello world and listener with tcps. Let’s combine both technologies!

import java.util.Properties;
import;
import java.sql.*;
import*;

public class TCPS {
  public static void main(String argv[]) throws SQLException {
    String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(Host=dbsrv001)(Port=12345))(CONNECT_DATA=(SID=DB01)))";
    Properties props = new Properties();
    props.setProperty("user", "scott");
    props.setProperty("password", "tiger");
    props.setProperty("","cwallet.sso");
    props.setProperty("","SSO");
    Security.addProvider(new;
    DriverManager.registerDriver(new […]

user identified externally with SSL certificate

Today I configured my database to identify users with certificates. Check my previous post listener with tcps to find out how to configure a listener with SSL, which is a prerequisite. OK, I have a listener.ora and a tnsnames.ora with SSL. I do not need a sqlnet.ora, the default values work.

listener.ora
LISTENER=
  (DESCRIPTION_LIST=
    (DESCRIPTION= […]

listener with tcps

How can you use SSL to encrypt your network traffic? Here is how I did it.

Install Oracle Certification Authority 10.1.4
  you need a CA to approve a certification request
Install Oracle Database 10gR2 Enterprise Edition with Advanced Security Options
Start Wallet Manager
  from Database Oracle Home, start $ORACLE_HOME/bin/owm
create a new Wallet
define a […]