Recently I had to implement some more advanced security in my shop and
I got very frustrated trying to collect information from the internet.
Googling around didn't help me too much and the official Oracle
documentation was sometimes vague.
So I decided to write down what I have done and why.
This document is intended to help others not to repeat my errors and to
receive some comments on some topics that I haven't fully understood yet.
Oracle permits different types of authentication. In particular, with
the use of Oracle Advanced Security (a feature to be licensed),
it is possible to authenticate a user using a certificate.
This is useful for a multi-tier architecture where you wish strong
authentication between the application server and the RDBMS.
It is also useful because you don't have to submit a password anymore.
For the use of the certificates you have three possibilities:
- client and server import the respective certificates as trusted;
- the server is used as CA and signs the client certificate;
- a CA is used to sign the client and server PKI. The CA certificate
is imported into the server (any certificate signed by the CA is
granted access to the server).
I'm going to perform the first configuration in this document and the
third in the next one. I'm not going to implement the second since the
third is more complex and educational.
The steps to perform to arrive at a working configuration are not
commonplace so I'll try to simplify as much as I can.
The whole configuration is performed without a GUI, also because initially
I couldn't get the "Oracle Advanced Security" tab from netmgr, so I
edited my configuration files with vi.
To make it appear, follow Metalink note #156345.1:
Check the file 'NetProperties' in $ORACLE_HOME/network/tools:
the parameter INSTALLEDCOMPONENTS should include the value 'ANO'
or 'ASO'.
If neither value 'ANO' nor 'ASO' is present, add it to the list.
Otherwise, comment out the parameter.
First of all you have to generate and store your certificates.
Oracle provides you with the Oracle Wallet Manager, which is the tool
used to store your certificates, and orapki to generate, export,
import and sign your certificates, requests and keys.
orapki is provided for testing purposes only.
You should rely on a Certification Authority for production systems.
Note: one of the most troublesome errors I got with orapki was
"No valid user certificate found in wallet".
Follow the steps below to avoid it.
My architecture:
client: SuSE 9.1 with Oracle client 10.2.0.1
client name: linux
server: SLES 9 SP2 with Oracle RDBMS 10.1.0.4
server name: breousdbls02
Instance name: UBANKP
CLIENT SIDE:
Creation of the wallet. It is important to specify auto_login.
Otherwise you are going to get the error: ORA-28759: Failed to open
file.
This is because the file cwallet.sso (generated when auto_login is
enabled) is not found by the client.
For the wallet creation you need to submit a password, which is going
to be used for most of the operations on the wallet itself.
oracle@linux:~/wallet/WALLETS/oracle>
orapki wallet create -wallet wallet-client -auto_login
Enter password:
Enter password again:
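As an added example (not part of the original article and not Oracle's own tooling), a small POSIX shell script that covers the two client-side prerequisites above: the INSTALLEDCOMPONENTS check from the Metalink note, and a check that the wallet really has the cwallet.sso file that -auto_login creates (the missing file behind ORA-28759). It assumes NetProperties is a Java-style properties file with an "INSTALLEDCOMPONENTS=a,b,c" line, and that orapki is on the PATH only for create_client_wallet.

```shell
#!/bin/sh
# Added example, not from the original article. Two checks a client-side
# setup needs before the wallet is usable: the netmgr prerequisite from
# Metalink note 156345.1 (INSTALLEDCOMPONENTS in NetProperties) and the
# auto_login file the article's ORA-28759 note depends on.
# Assumed: NetProperties is a Java-style properties file with a line
# "INSTALLEDCOMPONENTS=a,b,c"; orapki is on PATH (create_client_wallet only).

# Return 0 if INSTALLEDCOMPONENTS already lists ANO or ASO, 1 otherwise.
netproperties_has_aso() {
    grep -E '^[[:space:]]*INSTALLEDCOMPONENTS[[:space:]]*=' "$1" \
        | grep -Eq '(^|[=,[:space:]])(ANO|ASO)([,[:space:]]|$)'
}

# Append ANO to the INSTALLEDCOMPONENTS line when neither value is present
# (written through a temp file, so it works with any POSIX awk). No-op otherwise.
netproperties_add_ano() {
    f="$1"
    netproperties_has_aso "$f" && return 0
    awk -F= '/^[ \t]*INSTALLEDCOMPONENTS[ \t]*=/ {
                 if ($2 ~ /[^ \t]/) print $0 ",ANO"; else print $1 "=ANO"; next }
             { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Create the client wallet the way the article does: -auto_login makes orapki
# write cwallet.sso beside ewallet.p12, so the client opens it without a prompt.
create_client_wallet() {
    orapki wallet create -wallet "$1" -pwd "$2" -auto_login
}

# Return 0 when the wallet can be opened passwordless, 1 if ewallet.p12 is
# missing, 2 if cwallet.sso is missing (the ORA-28759 "Failed to open file" case).
check_autologin_wallet() {
    d="$1"
    [ -f "$d/ewallet.p12" ] || { echo "$d: no ewallet.p12, wallet not created" >&2; return 1; }
    [ -r "$d/cwallet.sso" ] || { echo "$d: no cwallet.sso, recreate with -auto_login (ORA-28759)" >&2; return 2; }
    return 0
}
```

Run check_autologin_wallet against the wallet directory named in sqlnet.ora before testing the connection; a return code of 2 means the wallet was created without -auto_login.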
I generate a client self-signed certificate with an easy DN (my name:
CN=Fabrizio).
The validity is 10 years.
As far as I know it is not possible to specify a non-expiring date.
I tried 100 years but the application crashed.