
Oracle Database and Client Configuration for use with a private PKI SSL infrastructure

Server configuration

Listener configuration

Edit listener.ora

# listener.ora: TCPS listener for secdb / loopdw, backed by the SSL wallet.
# The listener does not require a client certificate. Note that the sqlnet.ora
# below sets SSL_CLIENT_AUTHENTICATION = TRUE on the same host, so the two
# files disagree on whether clients must present a certificate; align them.
SSL_CLIENT_AUTHENTICATION = FALSE
# SSL wallet used for the TCPS endpoint. Must match WALLET_LOCATION in
# sqlnet.ora and the WALLET_DIR used by the orapki steps further down.
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u00/oracle/dbsystem/admin/secdb/wallet)
)
)
# Two endpoints: TCPS (encrypted) on 1512 and plain TCP (cleartext) on 1531.
# The TCP address means the listener still accepts unencrypted sessions;
# remove it, or restrict it at the firewall, if only SSL connections are intended.
SSL_LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = orcl1.loopback.org)(PORT = 1512))
(ADDRESS = (PROTOCOL = TCP)(HOST = orcl1.loopback.org)(PORT = 1531))
)
)
# Static service registration for the two instances served by this listener.
SID_LIST_SSL_LISTENER =
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME = secdb.loopback.org)
(SID_NAME = secdbt)
(ORACLE_HOME = /u00/oracle/dbsystem/product/11.2)
)
(SID_DESC =
(GLOBAL_DBNAME = loopdw.loopback.org)
(SID_NAME = loopdw)
(ORACLE_HOME = /u00/oracle/dbsystem/product/11.2)
)
)
# Base directory for the listener's diagnostic (ADR) output.
ADR_BASE_SSL_LISTENER = /u00/oracle/dbsystem

Edit sqlnet.ora

# sqlnet.ora (server side). Several values below are convenient while setting
# the SSL infrastructure up but should be tightened before production use.
# Integrity algorithms accepted for native network encryption. MD5 is
# cryptographically weak; prefer SHA1 alone, or stronger algorithms where the
# release offers them.
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA1, MD5)
# Authentication adapters: BEQ for local bequeath connections, TCPS for
# certificate-based (SSL) authentication.
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, TCP)
# 3.0 selects SSLv3, which is deprecated (POODLE). Prefer a TLS version that
# both client and server releases support (e.g. 1.2 where available).
SSL_VERSION = 3.0
NAMES.DIRECTORY_PATH= (TNSNAMES)
# Left commented out, so the cipher suites are negotiated from Oracle's default
# list; uncomment to pin the accepted suites to the AES-CBC-SHA ones named here.
#SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA )
# Requires connecting clients to present a certificate. This differs from the
# listener.ora above, which sets the same parameter to FALSE.
SSL_CLIENT_AUTHENTICATION = TRUE
# Client-side check: for connections made from this host, the server
# certificate DN is not matched against the service name, so any certificate
# trusted by the wallet is accepted. Set to Yes once certificate DNs are correct.
SSL_SERVER_DN_MATCH = No
# SUPPORT is the highest trace level and writes large trace files; reset it
# (e.g. OFF) once the SSL setup has been verified.
TRACE_LEVEL_SERVER = SUPPORT
# SSL wallet; same directory as in listener.ora and as created by the orapki
# steps in "Wallet configuration" below.
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u00/oracle/dbsystem/admin/secdb/wallet)
)
)
# Transparent Data Encryption wallet, distinct from the SSL wallet above.
# METHOD = HSM keeps the TDE master key in a hardware security module; the
# DIRECTORY is then used for the HSM-related wallet files -- confirm against
# the HSM vendor's setup.
ENCRYPTION_WALLET_LOCATION =
(SOURCE = (METHOD = HSM)
(METHOD_DATA =
(DIRECTORY=/u00/oracle/dbsystem/admin/secdb/ewallet)
)
)

Wallet configuration

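#!/usr/bin/env bash
# Wallet configuration
#
# Builds the Oracle SSL wallet referenced by WALLET_LOCATION in the
# listener.ora / sqlnet.ora sections above: create it, add a server key pair,
# trust the private root CA, drop the public CAs a new wallet ships with, and
# display the result.
#
# Environment (all optional, defaults below):
#   WALLET_DIR          wallet directory; must match WALLET_LOCATION
#   CERTS_DIR           directory holding the root CA certificate to trust
#   WALLET_PWD          wallet password; prompted for when unset so that it
#                       is neither hard-coded nor left in shell history
#   SERVER_DN           subject DN of the server certificate
#   KEY_SIZE            RSA key size of the server certificate
#   CERT_VALIDITY_DAYS  validity of the server certificate in days
#
# Passing -pwd on the command line makes the password visible in process
# listings for the duration of each orapki call; run this where that is
# acceptable.
set -euo pipefail

export WALLET_DIR=${WALLET_DIR:-/u00/oracle/dbsystem/admin/secdb/wallet}
export CERTS_DIR=${CERTS_DIR:-/mnt/certs}
# The password is deliberately NOT stored in PWD: bash maintains PWD as the
# current working directory, so exporting a password under that name
# clobbers it for the rest of the session.
if [[ -z "${WALLET_PWD:-}" ]]; then
  read -rs -p 'Wallet password: ' WALLET_PWD
  printf '\n'
fi
# The CN is the short host name while the listener binds orcl1.loopback.org;
# clients that enable SSL_SERVER_DN_MATCH compare the DN with the service/host
# name, so consider using the FQDN here.
SERVER_DN=${SERVER_DN:-CN=orcl1}
# 1024-bit RSA keys are below current minimums; 2048 is the floor today.
KEY_SIZE=${KEY_SIZE:-2048}
CERT_VALIDITY_DAYS=${CERT_VALIDITY_DAYS:-365}

# Create wallet
# -auto_login also enables auto-login (cwallet.sso) so the listener can open
# the wallet without a password.
orapki wallet create -wallet "$WALLET_DIR" -pwd "$WALLET_PWD" -auto_login

# Create DB server certificate
# -self_signed produces a certificate signed by its own key, not by LoopCA, so
# clients have to trust this certificate itself. For a LoopCA-issued
# certificate, export a request (orapki wallet export ... -request) and import
# the signed result with -user_cert instead.
orapki wallet add -wallet "$WALLET_DIR" -dn "$SERVER_DN" -keysize "$KEY_SIZE" \
  -self_signed -validity "$CERT_VALIDITY_DAYS" -pwd "$WALLET_PWD"

# Import Root CAs
orapki wallet add -wallet "$WALLET_DIR" -cert "${CERTS_DIR}/LoopCA.cer" \
  -trusted_cert -pwd "$WALLET_PWD"

# Delete default CAs
# Public roots pre-loaded into a new wallet; removing them leaves LoopCA as the
# only trust anchor. Removal is best-effort: a root that is already absent (or
# not shipped by this release) is reported on stderr rather than aborting.
default_cas=(
  'OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US'
  'OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US'
  'OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US'
  'CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US'
  'OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US'
)
for dn in "${default_cas[@]}"; do
  orapki wallet remove -wallet "$WALLET_DIR" -trusted_cert -dn "$dn" -pwd "$WALLET_PWD" \
    || printf 'warning: could not remove trusted cert %s\n' "$dn" >&2
done

# Display results
orapki wallet display -wallet "$WALLET_DIR" -pwd "$WALLET_PWD"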

Client configuration

Windows XP Oracle Client

Windows 7 Oracle client