I'm running a test to connect to a locally installed Oracle DB using SSL with an Oracle wallet.
I was able to create the wallets and use them for authentication successfully around two weeks ago, but this no longer seems to be working. Here is how I created the wallets.
Create Server wallet and export certificate:
orapki wallet create -wallet "C:/app/TestWallet/Server" -pwd Welcome1 -auto_login
orapki wallet add -wallet "C:/app/TestWallet/Server" -pwd Welcome1 -dn "CN=MyHostName.Domain.com" -keysize 1024 -self_signed -validity 3650 -sign_alg sha256
orapki wallet export -wallet "C:/app/TestWallet/Server" -pwd Welcome1 -dn "CN=MyHostName.Domain.com" -cert C:/app/TestWallet/MyHostName-certificate.crt
Create Client wallet and export certificate:
orapki wallet create -wallet "C:/app/TestWallet/Client" -pwd Welcome1 -auto_login
orapki wallet add -wallet "C:/app/TestWallet/Client" -pwd Welcome1 -dn "CN=DBUserName" -keysize 1024 -self_signed -validity 3650 -sign_alg sha256
orapki wallet export -wallet "C:/app/TestWallet/Client" -pwd Welcome1 -dn "CN=DBUserName" -cert C:/app/TestWallet/DBUserName-certificate.crt
Exchange Certificate:
orapki wallet add -wallet "C:/app/TestWallet/Client" -pwd Welcome1 -trusted_cert -cert C:/app/TestWallet/MyHostName-certificate.crt
orapki wallet add -wallet "C:/app/TestWallet/Server" -pwd Welcome1 -trusted_cert -cert C:/app/TestWallet/DBUserName-certificate.crt
Wallet display (Server):
orapki wallet display -wallet "C:/app/TestWallet/Server" -pwd Welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=MyHostName.Domain.com
Trusted Certificates:
Subject: CN=DBUserName
Subject: CN=MyHostName.Domain.com
Wallet display (Client):
orapki wallet display -wallet "C:/app/TestWallet/Client" -pwd Welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=DBUserName
Trusted Certificates:
Subject: CN=DBUserName
Subject: CN=MyHostName.Domain.com
Server sqlnet.ora
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = C:\app\TestWallet\Server)
)
)
Client sqlnet.ora
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = C:\app\TestWallet\Client)
)
)
I'm testing using OCCI Instant Client.
Environment *env = Environment::createEnvironment();
Connection *conn = env->createConnection(m_username.c_str(), m_password.c_str(), m_dbConnectionString.c_str());
// Note: the username and password are not actually supplied to the call above.
The code above throws an exception as below:
ORA-29024: Certificate validation failure
I was able to create a wallet and connect normally 2 weeks ago, but this no longer seems to be working.
If I set the wallet path in sqlnet.ora to use the old one from 2 weeks ago, I'm able to connect fine.
I'm sure that wallet path is correct. LSNRCTL also confirmed that the wallet path is right:
LSNRCTL> status
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=MyHostName.Domain.com)(PORT=5500))(Security=(my_wallet_directory=C:\app\TestWallet\Server))
What might I have missed? How do I make wallet SSL authentication work?
EDIT:
If, in the sqlnet.ora file, I change the wallet path to use the old wallet that I created 2 weeks ago, it still works. The problem occurs only for the newly created wallet.
Ok, it seems I just missed one more setting in the server's listener.ora.
This time I was creating the wallet in a different location than in the previous test.
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = C:\app\TestWallet\Server)
)
)
Changing this, followed by:
LSNRCTL> stop
LSNRCTL> start
Wait some time for it to update. Now it's up and running.
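The root cause in the post is that the listener (listener.ora) and the database/client side (sqlnet.ora) each load their own WALLET_LOCATION, so a wallet moved to a new directory in sqlnet.ora alone leaves the TCPS listener presenting the old wallet's certificate, which the new client wallet does not trust (ORA-29024). The following is an added example, not code from the original post or from Oracle: a small Python check that extracts the WALLET_LOCATION directory from both files and reports a mismatch or a missing setting before you bounce the listener. The sample sqlnet.ora mirrors the server settings shown in the post; both listener.ora variants (one still pointing at a hypothetical C:\app\OldWallet\Server, one pointing at the same directory as sqlnet.ora) are constructed for the example, and Windows path semantics (case-insensitive, / and \ equivalent) are assumed for the comparison.

```python
import os
import re
from pathlib import PureWindowsPath

# Constructed sample configs for this example (not files from the original post's machine).
SERVER_SQLNET_ORA = r"""
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\TestWallet\Server)
    )
  )
"""

# Hypothetical leftover listener.ora: still loads the wallet from an older test directory.
LISTENER_ORA_STALE = r"""
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = MyHostName.Domain.com)(PORT = 5500))
    )
  )
# old wallet directory from an earlier test (assumed for the example)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\OldWallet\Server)
    )
  )
"""

# Same listener.ora after the fix; forward slashes on purpose to exercise path normalisation.
LISTENER_ORA_FIXED = LISTENER_ORA_STALE.replace(r"C:\app\OldWallet\Server", "C:/app/TestWallet/Server")


def _balanced_block(text, start):
    """Return text[start:...] covering the parenthesised block that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    raise ValueError("unbalanced parentheses in Oracle Net parameter file")


def wallet_directory(config_text):
    """Return the DIRECTORY value of the WALLET_LOCATION parameter, or None if it is not set."""
    # Drop '#' comment lines so a commented-out WALLET_LOCATION is not picked up.
    text = "\n".join(l for l in config_text.splitlines() if not l.lstrip().startswith("#"))
    m = re.search(r"^[ \t]*WALLET_LOCATION[ \t]*=\s*", text, re.IGNORECASE | re.MULTILINE)
    if not m or m.end() >= len(text) or text[m.end()] != "(":
        return None
    block = _balanced_block(text, m.end())
    d = re.search(r"\(\s*DIRECTORY\s*=\s*([^()]*?)\s*\)", block, re.IGNORECASE)
    return d.group(1).strip() if d else None


def normalize_path(p):
    """Canonical form for comparing Windows paths: backslashes, no trailing separator, lower case."""
    return str(PureWindowsPath(p)).rstrip("\\").lower()


def check_wallet_config(sqlnet_text, listener_text):
    """Return a list of findings; an empty list means sqlnet.ora and listener.ora agree."""
    findings = []
    sql_dir = wallet_directory(sqlnet_text)
    lsn_dir = wallet_directory(listener_text)
    if sql_dir is None:
        findings.append("sqlnet.ora: WALLET_LOCATION is not set")
    if lsn_dir is None:
        findings.append("listener.ora: WALLET_LOCATION is not set; the TCPS listener will not use the new wallet")
    if sql_dir and lsn_dir and normalize_path(sql_dir) != normalize_path(lsn_dir):
        findings.append("wallet directory mismatch: sqlnet.ora=%s listener.ora=%s" % (sql_dir, lsn_dir))
    if not re.search(r"^[ \t]*SSL_CLIENT_AUTHENTICATION[ \t]*=[ \t]*TRUE", sqlnet_text, re.IGNORECASE | re.MULTILINE):
        findings.append("sqlnet.ora: SSL_CLIENT_AUTHENTICATION is not TRUE")
    return findings


def wallet_files_present(directory):
    """True if the directory holds an auto-login wallet (cwallet.sso) as created with orapki -auto_login."""
    return os.path.isfile(os.path.join(directory, "cwallet.sso"))


if __name__ == "__main__":
    for name, listener in (("stale", LISTENER_ORA_STALE), ("fixed", LISTENER_ORA_FIXED)):
        print(name, check_wallet_config(SERVER_SQLNET_ORA, listener) or "OK")
```

Run it against the real files (read them into the two strings) before `LSNRCTL> stop` / `LSNRCTL> start`; the `wallet_files_present` check is separate because it needs the wallet directory on disk and only confirms that an auto-login wallet is there, not that its certificates are the ones the client trusts.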