Oracle Database and Client Configuration for use with a private PKI SSL infrastructure
Server configuration
Listener configuration
Edit listener.ora
# listener.ora -- SSL_LISTENER serves the secdb and loopdw instances over TLS
# (TCPS, port 1512) and over plain TCP (port 1531).
#
# FALSE here does not by itself switch off client certificate checking: the
# database server performs it (sqlnet.ora has SSL_CLIENT_AUTHENTICATION = TRUE).
# NOTE(review): confirm against the Oracle security guide for this 11.2 release
# that the listener value is expected to be FALSE in that arrangement.
SSL_CLIENT_AUTHENTICATION = FALSE
# Wallet holding the listener's server certificate and the trusted LoopCA root.
# It is created with -auto_login (see "Wallet configuration" below), so the
# listener opens it without a password; file-system permissions on this
# directory are then the only thing protecting the private key.
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u00/oracle/dbsystem/admin/secdb/wallet)
)
)
# The TCP endpoint on 1531 accepts unencrypted connections to the same
# services as the TCPS endpoint; remove it, or restrict it to local/admin
# networks, if all client traffic is meant to be TLS-only.
SSL_LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = orcl1.loopback.org)(PORT = 1512))
(ADDRESS = (PROTOCOL = TCP)(HOST = orcl1.loopback.org)(PORT = 1531))
)
)
# Static registration of both instances from the same 11.2 ORACLE_HOME.
SID_LIST_SSL_LISTENER =
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME = secdb.loopback.org)
(SID_NAME = secdbt)
(ORACLE_HOME = /u00/oracle/dbsystem/product/11.2)
)
(SID_DESC =
(GLOBAL_DBNAME = loopdw.loopback.org)
(SID_NAME = loopdw)
(ORACLE_HOME = /u00/oracle/dbsystem/product/11.2)
)
)
# Diagnostic (ADR) base for this listener's log and trace files.
ADR_BASE_SSL_LISTENER = /u00/oracle/dbsystem
Edit sqlnet.ora
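# sqlnet.ora -- server-side Oracle Net profile for the instances behind
# SSL_LISTENER. WALLET_LOCATION must point at the same wallet as listener.ora.

# Integrity checksum for native network encryption (independent of TLS).
# MD5 is dropped: it is not an acceptable MAC, and SHA1 is the only other
# algorithm this 11.2 home offers (12c adds SHA256/384/512 -- prefer those
# once the home is upgraded).
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA1)
# TCPS enables certificate-based authentication over the TLS endpoint; BEQ
# keeps local bequeath sessions working. "TCP" is not a documented
# authentication adapter name -- kept only because the original listed it;
# verify this release accepts it, otherwise remove it.
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, TCP)
# 3.0 selects SSLv3, which is obsolete and exploitable (POODLE). Require TLS.
# 1.2 needs 11.2.0.4 with the TLS 1.1/1.2 patch; on an unpatched 11.2 home use
# 1.0 (TLS 1.0) as the minimum, never 3.0.
SSL_VERSION = 1.2
NAMES.DIRECTORY_PATH= (TNSNAMES)
# Restrict negotiation to AES suites so RC4, 3DES and NULL-cipher suites from
# the default list cannot be chosen. Clients must support at least one of them.
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA)
# The database server (not the listener) verifies the client's certificate
# against the trusted certificates in the wallet below.
SSL_CLIENT_AUTHENTICATION = TRUE
# Client-side parameter: it controls whether a *client* checks the server
# certificate's DN. It has no effect in the server profile; set it to YES in
# the client sqlnet.ora so a server presenting a wrong certificate is rejected.
SSL_SERVER_DN_MATCH = No
# SUPPORT-level tracing dumps packet contents (including data that should stay
# confidential) and consumes disk quickly. Leave it OFF and raise it only for
# the duration of a diagnosis.
TRACE_LEVEL_SERVER = OFF
# TLS wallet: server key/certificate plus the trusted LoopCA root.
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u00/oracle/dbsystem/admin/secdb/wallet)
)
)
# TDE master key is held in an HSM (PKCS#11). NOTE(review): with METHOD = HSM
# the DIRECTORY is presumably only used for the optional on-disk auto-login
# wallet -- confirm against the TDE documentation for this release.
ENCRYPTION_WALLET_LOCATION =
(SOURCE = (METHOD = HSM)
(METHOD_DATA =
(DIRECTORY=/u00/oracle/dbsystem/admin/secdb/ewallet)
)
)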
Wallet configuration (the wallet directory below must be the one named in WALLET_LOCATION in both listener.ora and sqlnet.ora)
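#!/usr/bin/env bash
# Build the server-side Oracle wallet referenced by WALLET_LOCATION in
# listener.ora and sqlnet.ora: a 2048-bit RSA key pair whose certificate is
# issued by the private LoopCA, LoopCA as the only trusted CA, and the public
# roots that orapki pre-loads removed.
#
# Required environment:
#   WALLET_PWD   wallet password. It is deliberately not hard-coded here; the
#                original `export PWD=123` both embedded the secret in the
#                script and clobbered $PWD, the shell's working-directory
#                variable.
# Optional environment:
#   SERVER_DN    subject DN of the server certificate (default CN=orcl1)
#   SERVER_CERT  LoopCA-signed server certificate to import
#                (default ${CERTS_DIR}/orcl1.cer)
set -euo pipefail

export WALLET_DIR=/u00/oracle/dbsystem/admin/secdb/wallet
export CERTS_DIR=/mnt/certs
: "${WALLET_PWD:?set WALLET_PWD to the wallet password (do not hard-code it)}"
# If clients set SSL_SERVER_DN_MATCH=YES this DN must be what they expect
# (service name or host name, depending on release); adjust before issuing.
SERVER_DN=${SERVER_DN:-CN=orcl1}
SERVER_CSR=${CERTS_DIR}/orcl1.csr
SERVER_CERT=${SERVER_CERT:-${CERTS_DIR}/orcl1.cer}

# NOTE: orapki takes the password as an argument (-pwd), so it is visible in
# `ps` while each command runs. If that matters on this host, drop -pwd and
# let orapki prompt for it interactively instead.

# Create wallet
# -auto_login writes cwallet.sso so the listener/database can open the wallet
# without the password; file permissions then become the only protection for
# the private key. 700 assumes the listener and database run as this OS user;
# if the listener runs as a different user, grant that user read access instead.
mkdir -p "$WALLET_DIR"
chmod 700 "$WALLET_DIR"
orapki wallet create -wallet "$WALLET_DIR" -pwd "$WALLET_PWD" -auto_login

# Create DB server key pair and certificate request
# The original created a 1024-bit self-signed certificate. A self-signed
# certificate does not chain to LoopCA, so clients that trust only LoopCA
# reject it, and 1024-bit RSA is below current minimums. Generate a 2048-bit
# key with a CSR for LoopCA to sign instead.
orapki wallet add -wallet "$WALLET_DIR" -dn "$SERVER_DN" -keysize 2048 -pwd "$WALLET_PWD"
orapki wallet export -wallet "$WALLET_DIR" -dn "$SERVER_DN" -request "$SERVER_CSR" -pwd "$WALLET_PWD"

# Import Root CAs
# The issuer must be trusted before its signed user certificate can be added.
orapki wallet add -wallet "$WALLET_DIR" -cert "${CERTS_DIR}/LoopCA.cer" -trusted_cert -pwd "$WALLET_PWD"

# Import the LoopCA-signed server certificate, if it is already available.
if [[ -r "$SERVER_CERT" ]]; then
  orapki wallet add -wallet "$WALLET_DIR" -user_cert -cert "$SERVER_CERT" -pwd "$WALLET_PWD"
else
  printf 'sign %s with LoopCA, store the result as %s, then run:\n' "$SERVER_CSR" "$SERVER_CERT" >&2
  printf '  orapki wallet add -wallet %s -user_cert -cert %s -pwd <password>\n' "$WALLET_DIR" "$SERVER_CERT" >&2
fi

# Delete default CAs
# With a private PKI none of the pre-loaded public roots should be able to
# issue a certificate this server accepts. Newer orapki builds may not ship
# every one of these, so a missing entry is reported rather than aborting.
default_cas=(
  "OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"
  "OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"
  "OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"
  "CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US"
  "OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US"
)
for ca_dn in "${default_cas[@]}"; do
  orapki wallet remove -wallet "$WALLET_DIR" -trusted_cert -dn "$ca_dn" -pwd "$WALLET_PWD" \
    || printf 'warning: could not remove trusted certificate "%s"\n' "$ca_dn" >&2
done

# Display results
# Expected: the server key/certificate request (or user certificate once
# imported) and LoopCA as the only trusted certificate.
orapki wallet display -wallet "$WALLET_DIR" -pwd "$WALLET_PWD"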