Thursday, October 30, 2014

How to Create a Database Server Distinguished Name Certificate

***
This article is being delivered in Draft form and may contain
errors.  Please use the MetaLink "Feedback" button to advise
Oracle of any issues related to this article.
***
PURPOSE
-------

This note provides a generic example of creating a Database Distinguished Name Certificate for use with 
a client server TCPS connection or Enterprise User Security.

 
SCOPE & APPLICATION
-------------------

Distinguished Name Certificates can be required both for server certificates in TCPS connections and for 
each database used in an enterprise security realm.  This note assumes the reader is familiar with how to
sign a certificate request with their selected certificate authority and therefore provides no instruction 
on how to sign the server certificate. Oracle Wallet Manager creates certificate requests in BASE64 format
and only imports User and Trusted certificates encoded in BASE64.


Step by step instructions on creating a database server distinguished name certificate
-------------------------------------------------------------------------------------

Step 1: Create a new wallet and certificate request from Oracle Wallet Manager.

1. Open Oracle Wallet Manager, OWM, and select Wallet->New 

2. Enter a new wallet password which conforms to the conditions stated on the screen and select OK

3. Select YES to create a certificate request

4. On the next screen choose the desired Key Size and select Advanced - there is no need to complete any other fields

5. Replace any text in the DN field with your required distinguished name.

Note: The general form of a database distinguished name is 

      cn=DB_NAME, cn=OracleContext, dc=DOMAIN_COMPONENT_N, .. , dc=DOMAIN_COMPONENT_2, dc=DOMAIN_COMPONENT_1
 
      When a database is registered in OID via DBCA an rdbms_server_dn parameter is added to the pfile or spfile.  It 
      is recommended that the value of this parameter is copied directly into the DN field in the Advanced
      Certificate Request form.
 
      e.g.  cn=sales,cn=OracleContext,dc=oracle,dc=com

      If the certificate is used by the OID server for SSL authentication then the DN is less significant;
      the convention is to use either the database repository distinguished name or the OID server name.

6. Select OK to complete the certificate request creation process. A Certificate [Requested] entry should appear in 
   the Wallet Manager main window 

7. Save the wallet, File->Save

8. Save the certificate request, re-select the certificate request in the Main Window and then 
   go to Operation->Export Certificate Request. Save to a suitable file name, e.g. sales.csr


Step 2: Sign the certificate.

The export file created by OWM in the previous step will be a BASE64 format X.509 certificate request.  This certificate
request can be signed by most commercial certificate authorities or self-signed.  Oracle provides its own certificate
authority, OCA, with 10g iAS.  For test purposes it is also possible to use OpenSSL, which is supplied with many Linux
installations.  
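As an added example (not the note's own procedure and not Oracle code), the shell script below stands in for the certificate authority of Step 2 using OpenSSL, the test option mentioned above. It builds a throw-away test CA, creates a certificate request whose subject is a database DN of the form given in Step 1 (OpenSSL wants the attribute types in upper case, so cn=sales,cn=OracleContext,dc=oracle,dc=com is written /CN=sales/CN=OracleContext/DC=oracle/DC=com), signs the request, and then checks the two things Step 3 depends on: that the result is a BASE64 (PEM) certificate and that it chains to the CA root. The CA name, the DN, the file names and the function names are all constructed for the example; the request is generated with openssl because OWM is not available in a script, so with a real OWM export you would sign the exported sales.csr instead of db.csr.

```shell
#!/bin/sh
# Added example (not part of the Oracle note): a throw-away OpenSSL test CA
# that plays the certificate authority of Step 2.  It produces the two BASE64
# (PEM) files Step 3 imports: the CA root certificate and the signed database
# certificate.  Assumes openssl(1) is on the PATH; the directory, CA name and
# database DN are constructed.  The default openssl.cnf (or OpenSSL 3's built-in
# defaults) marks a "req -x509" certificate as a CA, which "verify" requires.

# Create a self-signed test CA in directory $1: ca.key (private) and ca.crt.
make_test_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Test CA/O=Example" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Stand-in for the request OWM exports in Step 1.8: a key pair and CSR in
# directory $1 whose subject is the database DN $2 (slash form, upper case
# attribute types, same DN as cn=sales,cn=OracleContext,dc=oracle,dc=com).
make_db_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1/db.key" -out "$1/db.csr" 2>/dev/null
}

# Sign db.csr with the test CA, producing db.crt in PEM, i.e. BASE64 as OWM needs.
sign_db_csr() {
  openssl x509 -req -in "$1/db.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/db.crt" 2>/dev/null
}

# Step 3 only succeeds if the signing chain is complete: check that the
# signed certificate verifies against the CA root.
verify_db_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/db.crt" >/dev/null 2>&1
}

# Print the subject DN of a PEM certificate in slash form, e.g.
# /CN=sales/CN=OracleContext/DC=oracle/DC=com
cert_subject() {
  openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# OWM imports only BASE64-encoded certificates: true if $1 is a PEM file.
is_base64_cert() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# Demonstration run in a temporary directory (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_test_ca "$work"
  make_db_csr "$work" "/CN=sales/CN=OracleContext/DC=oracle/DC=com"
  sign_db_csr "$work"
  if verify_db_cert "$work" && is_base64_cert "$work/db.crt"; then
    echo "signed certificate for $(cert_subject "$work/db.crt") chains to $(cert_subject "$work/ca.crt")"
  else
    echo "chain verification failed" >&2
  fi
  rm -rf "$work"
fi
```

The files to carry over to Step 3 are ca.crt (imported as the trusted certificate) and db.crt (imported as the user certificate); both are already BASE64, so no conversion is needed.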


Step 3: Import the trusted CA root certificate and signed certificate into OWM

Wallet Manager will only import a signed certificate if the complete signing trusted certificate 
chain exists in the wallet. The trusted certificates for a commercial CA are generally available from
their web site.  If you have used your own certificate authority then you will need to locate the 
BASE64 files which were used to sign your certificate. For the purpose of this note it is assumed that
both the CA trusted certificate(s) and the signed user certificate have been copied to the server 
which is running OWM. 

1. Import the root certificate from the selected CA into OWM, Operations->Import Trusted Certificate

2. Select the option "Select a file that contains the certificate".

3. Browse to the file and select OK; the Common Name of your CA should now appear in the 
   main window under Trusted Certificate

4. Import the signed certificate from the CA into OWM, Operations->Import User Certificate

5. Select the option "Select a file that contains the certificate".

6. Browse to the file containing your signed certificate and select OK; the requested Certificate should now have a status of Ready

Save your wallet.


Step 4: Enable the wallet for database access

When the database accesses the wallet it does not provide a password; instead it reads an open instantiation 
of the wallet file, ewallet.p12.  The open wallet file is named cwallet.sso.  To enable the wallet 
for unattended login tick the box next to File->Auto Login.  Save the wallet again.  

REFERENCES
----------

Oracle's primary reference for SSL is the Oracle Advanced Security Administrator's Guide.  This guide 
describes Oracle's SSL solution and configuration in greater detail, see Configuring Secure Sockets Layer 
Authentication.  The guide is available on the documentation CD and at:

http://download-west.oracle.com/docs/cd/B10501_01/network.920/a96573/asossl.htm#1004601

Note 189260.1: An Example on How to Configure TCPS Using a DN Certificate Signed by Thawte
Note 262394.1: A Simple Example of a TCPS Loopback Connection Using OpenSSL

Wednesday, October 29, 2014

Configuring SSL for Client Authentication and Encryption With Self Signed Certificates On Both Ends Using orapki


Applies to:
Advanced Networking Option - Version 10.2.0.5 to 11.2.0.2 [Release 10.2 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 29-Apr-2013
Purpose

The note has been written using Oracle Enterprise Linux 4.0 and 5.0, and Oracle RDBMS versions 10.2.0.5, 11.1.0.7, and 11.2.0.2, although the steps are generic and should apply to all platforms.

In this note the client and server are separate machines to help clarify which configuration is server side and which is client side. This connection authenticates both the server and the client.


One can set up the SSL authentication as described in this note only when testing this authentication method or when the number of users authenticated via SSL is not large. The rationale is that in this note the client signs its own certificate and we import the root certificate of the client into the wallet of the server. As such, for a large number of different users we will end up with too many client root certificates being imported into the wallet of the server.



This note uses the Oracle command line tool orapki to generate self signed certificates and to manipulate the wallets. Some of the steps could be done using Oracle Wallet Manager but this note will focus on using orapki.

Oracle's primary reference for SSL is the Oracle Advanced Security Administrator's Guide. This guide describes Oracle's SSL solution and configuration in greater detail, see Configuring Secure Sockets Layer Authentication. The guide is available on the documentation CD.
Scope

This note is intended for use by Database Administrators.

Details

Configuring the server and client wallets


1) Create and configure the server wallet


All of the steps to create and configure the wallet are done from the UNIX shell (or cmd.exe on Windows).

The first step is optional and is to create a directory to put the wallet in if one does not already exist,


$> mkdir /u01/10.2/server_wallet



Then change directory into this directory,

$> cd /u01/10.2/server_wallet



Next we will use orapki to create the initial wallet,


$> orapki wallet create -wallet /u01/10.2/server_wallet -auto_login -pwd Welcome1



This will have created two new files in the directory,

$> ls -la /u01/10.2/server_wallet

-rw------- 1 oracle dba 7940 Nov 29 08:14 cwallet.sso
-rw------- 1 oracle dba 7912 Nov 29 08:14 ewallet.p12



The next step is to create a self-signed certificate. This will generate both a user certificate and the CA root certificate that is signing it,


$> orapki wallet add -wallet /u01/10.2/server_wallet -dn "CN=server" -keysize 512 -self_signed -validity 365 -pwd Welcome1




If this wallet was opened using Oracle Wallet Manager (owm) it is possible to see these 2 new certificates.

The final step is to export the CA root certificate,


$> orapki wallet export -wallet /u01/10.2/server_wallet -dn "CN=server" -cert server_ca.cert


2) Create and configure the client wallet

All of the steps to create and configure the wallet are done from the UNIX shell (or cmd.exe on Windows).

The first step is optional and is to create a directory to put the wallet in if one does not already exist,


$> mkdir /u01/10.2/client_wallet



Then change directory into this directory,


$> cd /u01/10.2/client_wallet



Next we will use orapki to create the initial wallet,


$> orapki wallet create -wallet /u01/10.2/client_wallet -auto_login -pwd Welcome2



This will have created two new files in the directory,


$> ls -la /u01/10.2/client_wallet

-rw------- 1 adam adam 7940 2006-11-29 09:21 cwallet.sso
-rw------- 1 adam adam 7912 2006-11-29 09:21 ewallet.p12



The next step is to create a self-signed certificate. This will generate both a user certificate and the CA root certificate that is signing it,


$> orapki wallet add -wallet /u01/10.2/client_wallet -dn "CN=adam" -keysize 512 -self_signed -validity 365 -pwd Welcome2


If this wallet was opened using Oracle Wallet Manager (owm) it is possible to see these 2 new certificates.

The next step is to export the CA root certificate,


$> orapki wallet export -wallet /u01/10.2/client_wallet -dn "CN=adam" -cert client_ca.cert


The final step is to import the server's root certificate (server_ca.cert) into the client wallet,
and to import the client's root certificate (client_ca.cert) into the server wallet. It is assumed that the exported files are transferred via ftp or another mechanism between the machines.

So on the client the server's root certificate is imported with,


$> orapki wallet add -wallet /u01/10.2/client_wallet -trusted_cert -cert server_ca.cert -pwd Welcome2


and on the server the client's root certificate is imported with,

$> orapki wallet add -wallet /u01/10.2/server_wallet -trusted_cert -cert client_ca.cert -pwd Welcome1



Configuring sqlnet for TCPS on the server and client


1) Server side Listener Configuration

Configure a TCPS listener address

Use Net Manager to create a new TCPS listener or add a new TCPS address to an existing listener. You will also need to add the wallet location. For example,


LISTENER =
   (DESCRIPTION_LIST =
     (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = ukp12692.uk.oracle.com)(PORT = 1521))
     )
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = TCPS)(HOST = ukp12692.uk.oracle.com)(PORT = 1522))
     )
  )

WALLET_LOCATION =
  (SOURCE=
   (METHOD=File)
    (METHOD_DATA=
     (DIRECTORY=/u01/10.2/server_wallet)))


2) Server side sqlnet.ora Configuration


SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
   (METHOD = FILE)
    (METHOD_DATA =
     (DIRECTORY = /u01/10.2/server_wallet)
    )
   )



3) Client side sqlnet.ora Configuration

In the client sqlnet.ora set TCPS as an authentication method and set the wallet location,


SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = TRUE

WALLET_LOCATION =
  (SOURCE =
   (METHOD = FILE)
   (METHOD_DATA =
   (DIRECTORY = /u01/10.2/client_wallet)
   )
  )
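The following pre-flight check is an added example, not part of the Oracle note. It reads a sqlnet.ora laid out as above (one parameter per line plus the WALLET_LOCATION block) and verifies the settings this configuration depends on on either end: TCPS is listed in SQLNET.AUTHENTICATION_SERVICES, SSL_CLIENT_AUTHENTICATION is TRUE, and the wallet directory holds both ewallet.p12 and cwallet.sso with no group or other permissions. The permission check matters because cwallet.sso is the auto-login wallet created with -auto_login above; it opens without a password, so file permissions are the only thing protecting the private key, which is why the ls output earlier shows -rw-------. The function names and the sample sqlnet.ora built in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not part of the Oracle note): check a sqlnet.ora and the
# wallet directory it points at before attempting a TCPS connection.
# Assumes the single-line parameter and WALLET_LOCATION layout used above;
# the sample sqlnet.ora and wallet files in the demo are constructed.

# Print the value of a simple "NAME = value" parameter from sqlnet.ora $1,
# e.g. sqlnet_param sqlnet.ora SSL_CLIENT_AUTHENTICATION  ->  TRUE
sqlnet_param() {
  grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
    | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Print the DIRECTORY inside WALLET_LOCATION, without surrounding blanks.
wallet_dir() {
  sed -n 's/.*(DIRECTORY[[:space:]]*=[[:space:]]*\([^)]*\)).*/\1/p' "$1" \
    | head -n 1 | sed 's/[[:space:]]*$//'
}

# A wallet directory must hold the password-protected ewallet.p12 and the
# auto-login cwallet.sso, and neither may be readable by group or others:
# cwallet.sso opens with no password, so permissions are its only guard.
check_wallet_dir() {
  wd_rc=0
  for f in ewallet.p12 cwallet.sso; do
    if [ ! -f "$1/$f" ]; then
      echo "missing $1/$f" >&2; wd_rc=1
    elif [ "$(ls -ld "$1/$f" | cut -c5-10)" != "------" ]; then
      echo "$1/$f is readable by group or others" >&2; wd_rc=1
    fi
  done
  return $wd_rc
}

# Check the settings a client-authenticated TCPS session depends on.
check_tcps_sqlnet() {
  rc=0
  case "$(sqlnet_param "$1" SQLNET.AUTHENTICATION_SERVICES)" in
    *TCPS*|*tcps*) ;;
    *) echo "TCPS is not listed in SQLNET.AUTHENTICATION_SERVICES" >&2; rc=1 ;;
  esac
  case "$(sqlnet_param "$1" SSL_CLIENT_AUTHENTICATION)" in
    [Tt][Rr][Uu][Ee]) ;;
    *) echo "SSL_CLIENT_AUTHENTICATION is not TRUE" >&2; rc=1 ;;
  esac
  if [ "$(sqlnet_param "$1" SSL_VERSION)" = "0" ]; then
    echo "note: SSL_VERSION = 0 lets the peers negotiate any supported version" >&2
  fi
  dir=$(wallet_dir "$1")
  if [ -z "$dir" ]; then
    echo "no WALLET_LOCATION DIRECTORY found" >&2; rc=1
  else
    check_wallet_dir "$dir" || rc=1
  fi
  return $rc
}

# Demonstration against a constructed sqlnet.ora and wallet directory.
demo=$(mktemp -d)
mkdir "$demo/client_wallet"
: > "$demo/client_wallet/ewallet.p12"
: > "$demo/client_wallet/cwallet.sso"
chmod 600 "$demo/client_wallet/ewallet.p12" "$demo/client_wallet/cwallet.sso"
cat > "$demo/sqlnet.ora" <<EOF
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
   (METHOD = FILE)
   (METHOD_DATA =
   (DIRECTORY = $demo/client_wallet)
   )
  )
EOF
if check_tcps_sqlnet "$demo/sqlnet.ora"; then
  echo "$demo/sqlnet.ora: OK"
fi
rm -rf "$demo"
```

Run check_tcps_sqlnet once against the server's sqlnet.ora and once against the client's; a failing permission check on cwallet.sso is worth fixing before the first tnsping, since a world-readable auto-login wallet hands the private key to every local account.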




4) Client side tnsnames.ora Configuration


Use Net Manager or Net Configuration Assistant to create a service name using TCPS, e.g.


v10g =
  (DESCRIPTION =
    (ADDRESS_LIST =
     (ADDRESS = (PROTOCOL = TCPS)(HOST = ukp12692.uk.oracle.com)(PORT = 1522))
    )
    (CONNECT_DATA =
     (SERVICE_NAME = v10g)
    )
   )




Configuring the database

1) OS_AUTHENT_PREFIX and REMOTE_OS_AUTHENT

The database parameter OS_AUTHENT_PREFIX must be null and REMOTE_OS_AUTHENT must be FALSE.

For example,


SQL> alter system set remote_os_authent=FALSE scope=spfile;



and


SQL> alter system set os_authent_prefix='' scope=spfile;



The instance will need to be restarted for these changes to take effect.

2) Create the user within the database

The user within the database has to be created specifying the distinguished name (DN) on their certificate. For example,


SQL> create user adam identified externally as 'CN=adam';



The user should have create session granted so they are able to connect,


SQL> grant create session to adam;




Testing it

1) The first test is to confirm the client is able to tnsping the alias for the TCPS listener.

This will confirm that the client wallet is properly accessible by the client. For example,

$> tnsping v10g

TNS Ping Utility for Linux: Version 10.2.0.2.0 - Production on 29-NOV-2006 10:16:32

Copyright (c) 1997, 2005, Oracle. All rights reserved.

Used parameter files:
/u01/10.2/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = 138.3.128.29)(PORT = 1522))) (CONNECT_DATA = (SID = v10g)))
OK (100 msec)



2) The second test is to connect as the TCPS authenticated user. For example,


$> sqlplus /@v10g

SQL*Plus: Release 10.2.0.2.0 - Production on Wed Nov 29 10:17:27 2006

Copyright (c) 1982, 2005, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL>



3) Then it is possible to confirm that the connection is for the correct user we created earlier,


SQL> select user from dual;

USER
------------------------------
ADAM



4) A final confirmation is to verify the network_protocol from the userenv, for example:


SQL> select sys_context('userenv','network_protocol') from dual;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcps



 

How to Create a Wallet with a Self-Signed Certificate and Export the Certificate using ORAPKI


Applies to: Oracle Security Service - Version 10.1.0.5 to 11.2.0.3 [Release 10.1 to 11.2]
Information in this document applies to any platform.

Goal : How to Create a Wallet with a Self-Signed Certificate and Export the Certificate:

Solution

The following steps illustrate creating a wallet, adding a self-signed certificate to it, viewing the wallet and exporting the certificate:
1. Create a wallet
        orapki wallet create -wallet /private/user/orapki_use/root
        The wallet is created in the specified directory ( /private/user/orapki_use/root ).
2. Add a self-signed certificate to the wallet
        orapki wallet add -wallet /private/user/orapki_use/root -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650
        This creates a self-signed certificate with a validity of 3650 days. The distinguished name of the subject is CN=root_test,C=US. The key size for the certificate is 2048 bits.
3. View the contents of the wallet
        orapki wallet display -wallet /private/user/orapki_use/root
4. Export the certificate
        orapki wallet export -wallet /private/user/orapki_use/root -dn 'CN=root_test,C=US' -cert /private/user/orapki_use/root/b64certificate.txt
        This exports the self-signed certificate to file b64certificate.txt. Note that the distinguished name used is the same as in step 2.
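An added example, not part of the Oracle note: after step 4, the exported b64certificate.txt can be audited with openssl to confirm that it is BASE64/PEM, that its subject is the DN passed to orapki wallet add in step 2, that it is self-signed (issuer equals subject), that the key is at least the 2048 bits requested, and that the requested validity is actually present. The demonstration generates a stand-in self-signed certificate with openssl rather than orapki so it runs without an Oracle installation; the function names and file names are constructed, and openssl(1) is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not part of the Oracle note): audit the BASE64 certificate
# written by "orapki wallet export" against what "orapki wallet add" asked for.
# Assumes openssl(1) is on the PATH.  The certificate the demo inspects is
# generated with openssl as a constructed stand-in for the orapki export.

# Subject and issuer DNs in slash form, e.g. /CN=root_test/C=US
cert_subject() {
  openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}
cert_issuer() {
  openssl x509 -noout -issuer -nameopt compat -in "$1" | sed 's/^issuer= *//'
}

# A self-signed certificate is its own issuer.
is_self_signed() {
  [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]
}

# RSA modulus size in bits, parsed from the "(2048 bit)" line of -text output.
cert_key_bits() {
  openssl x509 -noout -text -in "$1" \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# True if the certificate is still valid $2 days from now (uses -checkend).
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Audit exported certificate $1 against the DN given to "orapki wallet add"
# ($2), a minimum key size in bits ($3) and a minimum remaining validity in
# days ($4).  Every failed check is reported; the return code is 1 if any failed.
check_exported_cert() {
  rc=0
  grep -q '^-----BEGIN CERTIFICATE-----' "$1" || { echo "$1 is not BASE64/PEM" >&2; rc=1; }
  [ "$(cert_subject "$1")" = "$2" ] || { echo "subject $(cert_subject "$1") differs from $2" >&2; rc=1; }
  is_self_signed "$1" || { echo "$1 is not self-signed" >&2; rc=1; }
  bits=$(cert_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge "$3" ] || { echo "key size ${bits:-?} is below $3 bits" >&2; rc=1; }
  cert_valid_for_days "$1" "$4" || { echo "certificate expires within $4 days" >&2; rc=1; }
  return $rc
}

# Demonstration (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  # Stand-in for the orapki export: a self-signed certificate with the same DN,
  # key size and validity as step 2, constructed with openssl rather than orapki.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=root_test/C=US" \
    -keyout "$work/key.pem" -out "$work/b64certificate.txt" 2>/dev/null
  # Require 3649 rather than 3650 days: the certificate was issued a moment ago.
  if check_exported_cert "$work/b64certificate.txt" "/CN=root_test/C=US" 2048 3649; then
    echo "b64certificate.txt: subject $(cert_subject "$work/b64certificate.txt"), $(cert_key_bits "$work/b64certificate.txt")-bit key, self-signed: OK"
  fi
  rm -rf "$work"
fi
```

Against a real export, call check_exported_cert with the path of b64certificate.txt, the DN from step 2 written in slash form (/CN=root_test/C=US), 2048 and the number of days you expect to remain; a mismatch in the subject usually means the -dn given to orapki wallet export selected a different certificate from the wallet than the one added in step 2.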