You can configure Oracle Database to use Secure Sockets Layer authentication.
Topics:
Netscape Communications Corporation designed Secure Sockets Layer (SSL) to secure network connections.
Transport Layer Security (TLS) is an incremental version of Secure Sockets Layer (SSL) version 3.0.
Although SSL was primarily developed by Netscape Communications Corporation, the Internet Engineering Task Force (IETF) took over development of it, and renamed it Transport Layer Security (TLS).
See Also:
The TLS Protocol Version 1.0 [RFC 2246] at the IETF Web site, which can be found at:
http://www.ietf.org
Note:
To simplify discussion, this chapter uses the term SSL where either SSL or TLS may be appropriate because SSL is the most widely recognized term. However, where distinctions occur between how you use or configure these protocols, this chapter specifies what is appropriate for either SSL or TLS.
Oracle Database uses digital certificates over SSL in addition to the native encryption and data integrity capabilities of these protocols.
By using Oracle Database SSL functionality to secure communications between clients and servers, you can
Use SSL to encrypt the connection between clients and servers
Authenticate any client or server, such as Oracle Application Server 10g, to any Oracle database server that is configured to communicate over SSL
You can use SSL features by themselves or in combination with other authentication methods supported by Oracle Database. For example, you can use the encryption provided by SSL in combination with the authentication provided by Kerberos. SSL supports any of the following authentication modes:
Only the server authenticates itself to the client
Both client and server authenticate themselves to each other
Neither the client nor the server authenticates itself to the other, thus using the SSL encryption feature by itself
See Also:
The SSL Protocol, version 3.0, published by the Internet Engineering Task Force, for a more detailed discussion of SSL
When a network connection over Secure Sockets Layer is initiated, the client and server perform an SSL handshake before performing the authentication.
The handshake process is as follows:
The client and server establish which cipher suites to use. This includes which encryption algorithms are used for data transfers.
The server sends its certificate to the client, and the client verifies that the server's certificate was signed by a trusted CA. This step verifies the identity of the server.
Similarly, if client authentication is required, the client sends its own certificate to the server, and the server verifies that the client's certificate was signed by a trusted CA.
The client and server exchange key information using public key cryptography. Based on this information, each generates a session key. All subsequent communications between the client and the server is encrypted and decrypted by using this session key and the negotiated cipher suite.
The authentication process is as follows:
On a client, the user initiates an Oracle Net connection to the server by using SSL.
SSL performs the handshake between the client and the server.
If the handshake is successful, then the server verifies that the user has the appropriate authorization to access the database.
A public key infrastructure (PKI) is a substrate of network components that provide a security underpinning, based on trust assertions, for an entire organization.
Topics:
Traditional private-key or symmetric-key cryptography requires a single, secret key that is shared by two or more parties to a secure communication.
This key is used to both encrypt and decrypt secure messages sent between the parties, requiring prior, secure distribution of the key to each party. The problem with this method is that it is difficult to securely transmit and store the key.
Public-key cryptography provides a solution to this problem, by employing public and private key pairs and a secure method for key distribution. The freely available public key is used to encrypt messages that can only be decrypted by the holder of the associated private key. The private key is securely stored, together with other security credentials, in an encrypted container called a wallet.
Public-key algorithms can guarantee the secrecy of a message, but they do not necessarily guarantee secure communications because they do not verify the identities of the communicating parties. To establish secure communications, it is important to verify that the public key used to encrypt a message does in fact belong to the target recipient. Otherwise, a third party can potentially eavesdrop on the communication and intercept public key requests, substituting its own public key for a legitimate key (the man-in-the-middle attack).
In order to avoid such an attack, it is necessary to verify the owner of the public key, a process called authentication. Authentication can be accomplished through a certificate authority (CA), which is a third party that is trusted by both of the communicating parties.
The CA issues public key certificates that contain an entity's name, public key, and certain other security credentials. Such credentials typically include the CA name, the CA signature, and the certificate effective dates (From Date, To Date).
The CA uses its private key to encrypt a message, while the public key is used to decrypt it, thus verifying that the message was encrypted by the CA. The CA public key is well known and does not have to be authenticated each time it is accessed. Such CA public keys are stored in wallets.
Public key infrastructure (PKI) components in an Oracle environment include a certificate authority, certificates, certificate revocation lists, and wallets.
Topics:
A certificate authority (CA) is a trusted third party that certifies the identity of entities, such as users, databases, administrators, clients, and servers.
When an entity requests certification, the CA verifies its identity and grants a certificate, which is signed with the CA's private key.
Different CAs may have different identification requirements when issuing certificates. Some CAs may verify a requester's identity with a driver's license, some may verify identity with the requester's fingerprints, while others may require that requesters have their certificate request form notarized.
The CA publishes its own certificate, which includes its public key. Each network entity has a list of trusted CA certificates. Before communicating, network entities exchange certificates and check that each other's certificate is signed by one of the CAs on their respective trusted CA certificate lists.
Network entities can obtain their certificates from the same or different CAs. By default, Oracle Database automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet.
See Also:
A certificate is created when an entity's public key is signed by a trusted certificate authority (CA).
A certificate ensures that an entity's identification information is correct and that the public key actually belongs to that entity.
A certificate contains the entity's name, public key, and an expiration date, as well as a serial number and certificate chain information. It can also contain information about the privileges associated with the certificate.
When a network entity receives a certificate, it verifies that it is a trusted certificate, that is, one that has been issued and signed by a trusted certificate authority. A certificate remains valid until it expires or until it is revoked.
When a CA signs a certificate binding a public key pair to a user identity, the certificate is valid for a specified time.
However, certain events, such as user name changes or compromised private keys, can render a certificate invalid before the validity period expires. When this happens, the CA revokes the certificate and adds its serial number to a Certificate Revocation List (CRL). The CA periodically publishes CRLs to alert the user population when it is no longer acceptable to use a particular public key to verify its associated user identity.
When servers or clients receive user certificates in an Oracle environment, they can validate the certificate by checking its expiration date, signature, and revocation status. Certificate revocation status is checked by validating it against published CRLs. If certificate revocation status checking is turned on, then the server searches for the appropriate CRL depending on how this feature has been configured. The server searches for CRLs in the following locations in this order:
Local file system
Oracle Internet Directory
CRL Distribution Point, a location specified in the CRL Distribution Point (CRL DP) X.509, version 3, certificate extension when the certificate is issued.
Note:
To use CRLs with other Oracle products, refer to the specific product documentation. This implementation of certificate validation with CRLs is only available in the Oracle Database 12c release 1 (12.1) SSL adapter.
See Also:
Certificate Validation with Certificate Revocation Lists for information about configuring and managing this PKI component
A wallet is a container that stores authentication and signing credentials, including private keys, certificates, and trusted certificates SSL needs.
In an Oracle environment, every entity that communicates over SSL must have a wallet containing an X.509 version 3 certificate, private key, and list of trusted certificates, with the exception of Diffie-Hellman.
Security administrators use Oracle Wallet Manager to manage security credentials on the server. Wallet owners use it to manage security credentials on clients. Specifically, you use Oracle Wallet Manager to do the following:
Generate a public-private key pair and create a certificate request
Store a user certificate that matches with the private key
Configure trusted certificates
See Also:
Oracle Database Enterprise User Security Administrator's Guide for information about Oracle Wallet Manager
Oracle Database Enterprise User Security Administrator's Guide for information about creating a new Oracle wallet
Oracle Database Enterprise User Security Administrator's Guide for information about managing trusted certificates in Oracle wallets
The hardware security modules for SSL include devices to handle various functions and hardware devices to store cryptographic information.
Oracle Database uses these devices for the following functions:
Store cryptographic information, such as private keys
Perform cryptographic operations to off load RSA operations from the server, freeing the CPU to respond to other transactions
Cryptographic information can be stored on two types of hardware devices:
(Server-side) Hardware boxes where keys are stored in the box, but managed by using tokens.
(Client-side) Smart card readers, which support storing private keys on tokens.
An Oracle environment supports hardware devices using APIs that conform to the RSA Security, Inc., Public-Key Cryptography Standards (PKCS) #11 specification.
Note:
Currently, SafeNET and nCipher devices are certified with Oracle Database
See Also:
Configuring Your System to Use Hardware Security Modules for details configuration details.
You can configure Oracle Database to use Secure Sockets Layer (SSL) concurrently with database user names and passwords, RADIUS, and Kerberos.
Topics:
How Secure Sockets Layer Works with Other Authentication Methods
See Also:
Data Encryption and Integrity Parameters for information about how to configure SSL with other supported authentication methods, including an example of a sqlnet.ora
file with multiple authentication methods specified.
It is important to understand the architecture of how Oracle Database works with SSL.
Figure 15-4 , which displays the Oracle Database implementation of Secure Sockets Layer architecture, shows that Oracle Databases operates at the session layer on top of SSL and uses TCP/IP at the transport layer.
This separation of functionality lets you employ SSL concurrently with other supported protocols.
See Also:
Oracle Database Net Services Administrator's Guide for information about stack communications in an Oracle networking environment
Secure Sockets Layer can be used with other authentication methods that Oracle Database supports.
Figure 18-1 illustrates a configuration in which Secure Sockets Layer is used in combination with another authentication method.
Figure 18-1 Secure Sockets Layer in Relation to Other Authentication Methods
In this example, Secure Sockets Layer is used to establish the initial handshake (server authentication), and an alternative authentication method is used to authenticate the client. The process is as follows:
The client seeks to connect to the Oracle database server.
Secure Sockets Layer performs a handshake during which the server authenticates itself to the client and both the client and server establish which cipher suite to use.
Once the Secure Sockets Layer handshake is successfully completed, the user seeks access to the database.
The Oracle database server authenticates the user with the authentication server using a non-SSL authentication method such as Kerberos or RADIUS.
Upon validation by the authentication server, the Oracle database server grants access and authorization to the user, and then the user can access the database securely by using SSL.
Oracle Database supports two application proxy-based and stateful packet inspection of firewalls.
These firewalls are as follows:
Application proxy-based firewalls: Examples are Network Associates Gauntlet, or Axent Raptor.
Stateful packet inspection firewalls: Examples are Check Point Firewall-1, or Cisco PIX Firewall.
When you enable SSL, stateful inspection firewalls behave like application proxy firewalls because they do not decrypt encrypted packets.
Firewalls do not inspect encrypted traffic. When a firewall encounters data addressed to an SSL port on an intranet server, it checks the target IP address against its access rules and lets the SSL packet pass through to permitted SSL ports, rejecting all others.
With the Oracle Net Firewall Proxy kit, a product offered by some firewall vendors, firewall applications can provide specific support for database network traffic. If the proxy kit is implemented in the firewall, then the following processing takes place:
The Net Proxy (a component of the Oracle Net Firewall Proxy kit) determines where to route its traffic.
The database listener requires access to a certificate in order to participate in the SSL handshake. The listener inspects the SSL packet and identifies the target database, returning the port on which the target database listens to the client. This port must be designated as an SSL port.
The client communicates on this server-designated port in all subsequent connections.
You should be aware of SSL usage issues, such as communication with other Oracle products and types of supported authentication and encryption methods.
Consider the following issues when using SSL:
SSL use enables secure communication with other Oracle products, such as Oracle Internet Directory.
Because SSL supports both authentication and encryption, the client/server connection is somewhat slower than the standard Oracle Net TCP/IP transport (using native encryption).
Each SSL authentication mode requires configuration settings.
Multi-threaded clients currently cannot use SSL.
Note:
If you configure SSL encryption, you must disable non-SSL encryption. To disable such encryption, refer to Disabling Strong Authentication and Network Encryption.
See Also:
Configuring Your System to Use Hardware Security Modules for information about improving SSL performance with hardware accelerators
You must configure Secure Sockets Layer on the server, and then the client.
Topics:
During installation, Oracle sets defaults on the Oracle database server and the Oracle client for SSL parameters, except the Oracle wallet location.
Before proceeding to the next step, confirm that a wallet has been created and that it has a certificate.
See Also:
Oracle Database Enterprise User Security Administrator's Guide for information about creating a new Oracle walletNext, you are ready to specify a location on the server for the wallet.
Note:
The listener uses the wallet defined in the listener.ora
file. It can use any database wallet. When SSL is configured for a server using Net Manager, the wallet location is entered into the listener.ora
and the sqlnet.ora
files. The listener.ora
file is not relevant to the Oracle client.
To change the listener wallet location so that the listener has its own wallet, you can edit listener.ora
to enter the new location.
Optionally, you can set the Secure Sockets Layer cipher suites.
Topics:
A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities.
During a Secure Sockets Layer handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.
When you install Oracle Database, the Secure Sockets Layer cipher suites listed in Table 18-1 are set for you by default and negotiated in the order they are listed. You can override the default order by setting the SSL_CIPHER_SUITES
parameter.
You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:
Compatibility. Server and client must be configured to use compatible cipher suites for a successful connection.
Cipher priority and strength. Prioritize cipher suites starting with the strongest and moving to the weakest to ensure the highest level of security possible.
The level of security you want to use.
The impact on performance.
Note:
Regarding Diffie-Hellman anonymous authentication:
If you set the server to employ this cipher suite, then you must also set the same cipher suite on the client. Otherwise, the connection fails.
If you use a cipher suite employing Diffie-Hellman anonymous, then you must set the SSL_CLIENT_AUTHENTICATION
parameter to FALSE
. For more information, refer to Step 1E: Set SSL Client Authentication on the Server (Optional).
There is a known bug in which an OCI client requires a wallet even when using a cipher suite with DH_ANON, which does not authenticate the client.
Oracle Database supports a set of cipher suites that are set by default when you install Oracle Database.
Table 18-1 lists the authentication, encryption, and data integrity types each cipher suite uses.
Table 18-1 Secure Sockets Layer Cipher Suites
Cipher Suites | Authentication | Encryption | Data Integrity | TLS Compatibility |
---|---|---|---|---|
|
ECDHE_ECDSA |
AES 128 GCM |
SHA256 (SHA-2) |
TLS 1.2 only |
|
ECDHE_ECDSA |
AES 128 CBC |
SHA-1 |
TLS 1.0 and later |
|
ECDHE_ECDSA |
AES 128 CBC |
SHA256 (SHA-2) |
TLS 1.2 only |
|
ECDHE_ECDSA |
AES 256 CBC |
SHA-1 |
TLS 1.0 and later |
|
ECDHE_ECDSA |
AES 256 CBC |
SHA384 (SHA-2) |
TLS 1.2 only |
|
ECDHE_ECDSA |
AES 256 GCM |
SHA384 (SHA-2) |
TLS 1.2 only |
|
RSA |
AES 128 CBC |
SHA256 (SHA-2) |
TLS 1.2 only |
|
RSA |
AES 128 GCM |
SHA256 (SHA-2) |
TLS 1.2 only |
|
RSA |
AES 128 CBC |
SHA-1 |
TLS 1.0 only |
|
RSA |
AES 256 CBC |
SHA-1 |
TLS 1.0 and later |
|
RSA |
AES 256 CBC |
SHA256 (SHA-2) |
TLS 1.2 only |
|
RSA |
AES 256 GCM |
SHA384 (SHA-2) |
TLS 1.2 only |
Table 18-2 lists cipher suites that you can use, but be aware that they do not the provide authentication of the communicating parties, and hence can be vulnerable to man-in-the-middle attacks. Oracle recommends that you do not use these cipher suites to protect sensitive data. However, they are useful if the communicating parties want to remain anonymous or simply do not want the overhead caused by mutual authentication.
Table 18-2 SSL_DH Secure Sockets Layer Cipher Suites
Cipher Suites | Authentication | Encryption | Data Integrity | TLS Compatibility |
---|---|---|---|---|
|
DH anon |
3DES EDE CBC |
SHA-1 |
TLS 3.0 and later |
The SSL_VERSION
parameter defines the version of SSL that must run on the systems with which the server communicates.
Optionally, you can set the SSL_VERSION
parameter in the sqlnet.ora
or the listener.ora
file.
You can require these systems to use any valid version. The default setting for this parameter in sqlnet.ora
is undetermined
, which is set by selecting Any from the list in the SSL tab of the Network Security window.
Note:
SSL 2.0 is not supported on the server side.
See Also:
Oracle Database Net Services Reference for more information about the SSL_VERSION
parameter
The SSL_CLIENT_AUTHENTICATION
parameter controls whether the client is authenticated using SSL.
You must set this parameter in the sqlnet.ora
file on the server. The default value of SSL_CLIENT_AUTHENTICATION
parameter is TRUE
.
You can set the SSL_CLIENT_AUTHENTICATION
to FALSE
if you are using a cipher suite that contains Diffie-Hellman anonymous authentication (DH_anon
).
Also, you can set this parameter to FALSE
for the client to authenticate itself to the server by using any of the non-SSL authentication methods supported by Oracle Database, such as Kerberos or RADIUS.
Note:
There is a known bug in which an OCI client requires a wallet even when using a cipher suite with DH_ANON, which does not authenticate the client.
To set SSL_CLIENT_AUTHENTICATION
to FALSE
on the server:
The SQLNET.AUTHENTICATION_SERVICES
parameter in the sqlnet.ora
file sets the SSL authentication service.
Set this parameter if you want to use SSL authentication in conjunction with another authentication method supported by Oracle Database. For example, use this parameter if you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using Kerberos.
To set the SQLNET.AUTHENTICATION_SERVICES
parameter on the server, add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora
file by using a text editor. For example, if you want to use SSL authentication in conjunction with RADIUS authentication, set this parameter as follows:
SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius)
If you do not want to use SSL authentication in conjunction with another authentication method, then do not set this parameter.
You can configure a listening endpoint to use TCP/IP with SSL on the server.
Configure the listener in the listener.ora
file. Oracle recommends using port number 2484 for typical Oracle Net clients.
See Also:
Oracle Database Net Services Reference for detailed information about configuring thelistener.ora
fileWhen you configure SSL on the client, you configure the server DNs and use TCP/IP with SSL on the client.
You must confirm that a wallet has been created on the client and that the client has a valid certificate.
Use Oracle Wallet Manager to check that the wallet has been created. See Step 1A: Confirm Wallet Creation on the Server for information about checking a wallet.
Note:
Oracle recommends that you use Oracle Wallet Manager to remove the trusted certificate in your Oracle wallet that is associated with each certificate authority that you do not use.
See Also:
Oracle Database Enterprise User Security Administrator's Guide for general information about wallets
Oracle Database Enterprise User Security Administrator's Guide for information about opening an existing wallet
Oracle Database Enterprise User Security Administrator's Guide for information about creating a new wallet
Next, you are ready to configure the server DNs and user TCP/IP with SSL on the client.
Topics:
You can configure the Oracle Net Service name to include the server DNs and to use TCP/IP with SSL on the client.
To accomplish this, you must specify the server's distinguished name (DN) and TCPS
as the protocol in the client network configuration files to enable server DN matching and TCP/IP with SSL connections. Server DN matching prevents the database server from faking its identity to the client during connections by matching the server's global database name against the DN from the server certificate.
You must manually edit the client network configuration files, tnsnames.ora
and listener.ora
, to specify the server's DN and the TCP/IP with SSL protocol. The tnsnames.ora
file can be located on the client or in the LDAP directory. If it is located on the server, then it typically resides in the same directory as the listener.ora
file. Depending on the operating system, these files reside in the following directory locations:
(UNIX) $ORACLE_HOME
/network/admin/
(Windows) ORACLE_BASE
\
ORACLE_HOME
\network\admin\
You can use Oracle Net Manager to specify the required client SSL configuration.
See Also:
For information about the server match parameters:
For information about using Oracle Net Manager to configure TCP/IP with SSL:
Optionally, you can set the SSL cipher suites. Oracle Database provides default cipher suite settings, which you can change.
Topics:
A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities.
During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.
When you install Oracle Database, the SSL cipher suites listed in Table 18-1 are set for you by default. This table lists them in the order they are tried when two entities are negotiating a connection. You can override the default by setting the SSL_CIPHER_SUITES
parameter. For example, if you use Oracle Net Manager to add the cipher suite SSL_RSA_WITH_RC4_128_SHA
, all other cipher suites in the default setting are ignored.
You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:
The level of security you want to use. For example, triple-DES encryption is stronger than DES.
The impact on performance. For example, triple-DES encryption is slower than DES. Refer to Configuring Your System to Use Hardware Security Modules for information about using SSL hardware accelerators with Oracle Database.
Administrative requirements. The cipher suites selected for a client must be compatible with those required by the server. For example, in the case of an Oracle Call Interface (OCI) user, the server requires the client to authenticate itself. You cannot, in this case, use a cipher suite employing Diffie-Hellman anonymous authentication, which disallows the exchange of certificates.
You typically prioritize cipher suites starting with the strongest and moving to the weakest.
Table 18-1 lists the currently supported Secure Sockets Layer cipher suites. These cipher suites are set by default when you install Oracle Database. The table also lists the authentication, encryption, and data integrity types each cipher suite uses.
Note:
If the SSL_CLIENT_AUTHENTICATION
parameter is set to true
in the sqlnet.ora
file, then disable all cipher suites that use Diffie-Hellman anonymous authentication. Otherwise, the connection fails.
The SSL_VERSION
parameter defines the version of SSL that must run on the systems with which the client communicates.
You must set the SSL_VERSION
parameter in the sqlnet.ora
file. You can require these systems to use any valid version.
The default setting for this parameter in sqlnet.ora
is undetermined
, which is set by selecting Any from the list in the SSL tab of the Network Security window. When Any is selected, TLS 1.0 is tried first, then SSL 3.0, and SSL 2.0 are tried in that order. Ensure that the client SSL version is compatible with the version the server uses.
The SQLNET.AUTHENTICATION_SERVICES
parameter enables SSL authentication in conjunction with another authentication method supported by Oracle Database.
For example, use this parameter if you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using RADIUS.
To set the SQLNET.AUTHENTICATION_SERVICES
parameter, you must edit the sqlnet.ora
file, which is located in the same directory as the other network configuration files.
Depending on the platform, the sqlnet.ora
file is in the following directory location:
(UNIX) $ORACLE_HOME
/network/admin
(Windows) ORACLE_BASE
\
ORACLE_HOME
\network\admin\
You can set the SQLNET.AUTHENTICATION_SERVICES
parameter in the sqlnet.ora
file.
To set the client SQLNET.AUTHENTICATION_SERVICES
parameter, add TCP/IP with SSL (TCPS
) to this parameter in the sqlnet.ora
file by using a text editor.
For example, if you want to use SSL authentication in conjunction with RADIUS authentication, then set this parameter as follows:
SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius)
If you do not want to use SSL authentication in conjunction with another authentication method, then do not set this parameter.
The SQLNET.SSL_EXTENDED_KEY_USAGE
parameter in the sqlnet.ora file specifies which certificate to use in authenticating to the database server
You should set the SQLNET.SSL_EXTENDED_KEY_USAGE
parameter if you have multiple certificates in the security module, but there is only one certificate with extended key usage field of client authentication
, and this certificate is exactly the one you want to use to authenticate to the database.
For example, use this parameter if you have multiple certificates in a smart card, only one of which has an extended key usage field of client authentication
, and you want to use this certificate C
to authenticate to the database. By setting this parameter on a Windows client to client authentication
, the MSCAPI certificate selection box will not appear, and the certificate C
is automatically used for the SSL authentication of the client to the server.
You can set the SQLNET.SSL_EXTENDED_KEY_USAGE
to set the client authentication.
To set the client SQLNET.SSL_EXTENDED_KEY_USAGE
parameter, edit the sqlnet.ora
file to have the following line:
SQLNET.SSL_EXTENDED_KEY_USAGE = "client authentication"
If you do not want to use the certificate filtering, then remove the SQLNET.SSL_EXTENDED_KEY_USAGE
parameter setting from the sqlnet.ora
file.
After you have completed the configuration, you are ready to log in to the database.
Start SQL*Plus and then enter one of the following connection commands:
If you are using SSL authentication for the client (SSL_CLIENT_AUTHENTICATION=true
in the sqlnet.ora
file):
CONNECT/@net_service_name
If you are not using SSL authentication (SSL_CLIENT_AUTHENTICATION=false
in the sqlnet.ora
file):
CONNECT username@net_service_name Enter password: password
See Also:
Certificate Validation with Certificate Revocation Lists for information about configuring the client for certificate validation with certificate revocation lists
Common errors may occur while you use the Oracle Database SSL adapter.
It may be necessary to enable Oracle Net tracing to determine the cause of an error. For information about setting tracing parameters to enable Oracle Net tracing, refer to Oracle Database Net Services Administrator's Guide.
Cause: The system could not open the specified file. Typically, this error occurs because the wallet cannot be found.
Cause: An incorrect password was used to decrypt an encrypted private key. Frequently, this happens because an auto-login wallet is not being used.
Cause: This is a generic error that can occur during SSL handshake negotiation between two processes.
Cause: An error occurred during the negotiation between two processes as part of the SSL protocol. This error can occur when two sides of the connection do not support a common cipher suite.
Cause: This error occurred because the peer closed the connection.
Cause: The SSL connection closed because of an error in the underlying transport layer, or because the peer process quit unexpectedly.
Cause: When the peer presented the certificate chain, it was checked and that check failed. This failure can be caused by a number of problems, including:
One of the certificates in the chain has expired.
A certificate authority for one of the certificates in the chain is not recognized as a trust point.
The signature in one of the certificates cannot be verified.
Cause: Your certificate was not created with the appropriate X.509 version 3 key usage extension.
Cause: The certificate sent by the other side could not be validated. This may occur if the certificate has expired, has been revoked, or is invalid for any other reason.
Cause: A certificate chain cannot be created with the existing trust points for the certificate being installed. Typically, this error is returned when the peer does not give the complete chain and you do not have the appropriate trust points to complete it.
Oracle provides tools that enable you to validate certificates using certificate revocation lists.
Topics:
The process of determining whether a given certificate can be used in a given context is referred to as certificate validation.
Certificate validation includes determining that the following takes place:
A trusted certificate authority (CA) has digitally signed the certificate
The certificate's digital signature corresponds to the independently-calculated hash value of the certificate itself and the certificate signer's (CA's) public key
The certificate has not expired
The certificate has not been revoked
The SSL network layer automatically performs the first three validation checks, but you must configure certificate revocation list (CRL) checking to ensure that certificates have not been revoked. CRLs are signed data structures that contain a list of revoked certificates. They are usually issued and signed by the same entity who issued the original certificate. (See certificate revocation list (CRL).)
You should have CRLs for all of the trust points that you honor.
The trust points are the trusted certificates from a third party identity that is qualified with a level of trust.
Typically, the certificate authorities you trust are called trust points.
Oracle Database checks the certificate revocation status against CRLs.
These CRLs are located in file system directories, Oracle Internet Directory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate.
Typically, CRL definitions are valid for a few days. If you store your CRLs on the local file system or in the directory, then you must update them regularly. If you use a CRL Distribution Point (CRL DP), then CRLs are downloaded each time a certificate is used, so there is no need to regularly refresh the CRLs.
The server searches for CRLs in the following locations in the order listed. When the system finds a CRL that matches the certificate CA's DN, it stops searching.
Local file system
The system checks the sqlnet.ora
file for the SSL_CRL_FILE
parameter first, followed by the SSL_CRL_PATH
parameter. If these two parameters are not specified, then the system checks the wallet location for any CRLs.
Note: if you store CRLs on your local file system, then you must use the orapki
utility to periodically update them. For more information, refer to Renaming CRLs with a Hash Value for Certificate Validation.
Oracle Internet Directory
If the server cannot locate the CRL on the local file system and directory connection information has been configured in an ldap.ora
file, then the server searches in the directory. It searches the CRL subtree by using the CA's distinguished name (DN) and the DN of the CRL subtree.
The server must have a properly configured ldap.ora
file to search for CRLs in the directory. It cannot use the Domain Name System (DNS) discovery feature of Oracle Internet Directory. Also note that if you store CRLs in the directory, then you must use the orapki
utility to periodically update them. For details, refer to Uploading CRLs to Oracle Internet Directory
CRL DP
If the CA specifies a location in the CRL DP X.509, version 3, certificate extension when the certificate is issued, then the appropriate CRL that contains revocation information for that certificate is downloaded. Currently, Oracle Database supports downloading CRLs over LDAP.
Note the following:
For performance reasons, only user certificates are checked.
Oracle recommends that you store CRLs in the directory rather than the local file system.
You can edit the sqlnet.ora
file to configure certificate validation with certificate revocation lists.
Topics:
The SSL_CERT_REVOCATION
parameter must be set to REQUIRED
or REQUESTED
in the sqlnet.ora
file to enable certificate revocation status checking.
The SSL_CERT_REVOCATION
parameter must be set to REQUIRED
or REQUESTED
in the sqlnet.ora
file to enable certificate revocation status checking.
By default this parameter is set to NONE
indicating that certificate revocation status checking is turned off.
Note:
If you want to store CRLs on your local file system or in Oracle Internet Directory, then you must use the command line utility, orapki
, to rename CRLs in your file system or upload them to the directory. See Certificate Revocation List Management for information about using orapki
.
You can enable certificate the revocation status checking for a client or a server.
You can disable certificate revocation status checking.
See Also:
Troubleshooting CRL Certificate Validation for information about resolving certificate validation errors.
Certificate revocation list management entails ensuring that the CRLs are the correct format before you enable certificate revocation checking.
Topics:
Oracle Database provides a command-line utility, orapki
, that you can use to manage certificates.
Before you can enable certificate revocation status checking, you must ensure that the CRLs you receive from the CAs you use are in a form (renamed with a hash value) or in a location (uploaded to the directory) where your computer can use them.
You can also use LDAP command-line tools to manage CRLs in Oracle Internet Directory.
Note:
CRLs must be updated at regular intervals (before they expire) for successful validation. You can automate this task by using orapki
commands in a script
You can display all the orapki
commands that are available for managing CRLs.
To display all the orapki
available CRL management commands and their options, enter the following at the command line:
orapki crl help
Note:
Using the -summary
, -complete
, or -wallet
command options is always optional. A command will still run if these command options are not specified.
When the system validates a certificate, it must locate the CRL issued by the CA who created the certificate.
The system locates the appropriate CRL by matching the issuer name in the certificate with the issuer name in the CRL.
When you specify a CRL storage location for the Certificate Revocation Lists Path field in Oracle Net Manager, which sets the SSL_CRL_PATH
parameter in the sqlnet.ora
file, use the orapki
utility to rename CRLs with a hash value that represents the issuer's name. Creating the hash value enables the server to load the CRLs.
On UNIX operating systems, orapki
creates a symbolic link to the CRL. On Windows operating systems, it creates a copy of the CRL file. In either case, the symbolic link or the copy created by orapki
are named with a hash value of the issuer's name. Then when the system validates a certificate, the same hash function is used to calculate the link (or copy) name so the appropriate CRL can be loaded.
Depending on the operating system, enter one of the following commands to rename CRLs stored in the file system:
To rename CRLs stored in UNIX file systems:
orapki crl hash -crl crl_filename [-wallet wallet_location] -symlink crl_directory [-summary]
To rename CRLs stored in Windows file systems:
orapki crl hash -crl crl_filename [-wallet wallet_location] -copy crl_directory [-summary]
In this specification, crl_filename
is the name of the CRL file, wallet_location
is the location of a wallet that contains the certificate of the CA that issued the CRL, and crl_directory
is the directory where the CRL is located.
Using -wallet
and -summary
are optional. Specifying -wallet
causes the tool to verify the validity of the CRL against the CA's certificate prior to renaming the CRL. Specifying the -summary
option causes the tool to display the CRL issuer's name.
Publishing CRLs in the directory enables CRL validation throughout your enterprise, eliminating the need for individual applications to configure their own CRLs.
All applications can use the CRLs stored in the directory where they can be centrally managed, greatly reducing the administrative overhead of CRL management and use. The user who uploads CRLs to the directory by using orapki
must be a member of the directory group CRLAdmins
(cn=CRLAdmins,cn=groups,%s_OracleContextDN%
). This is a privileged operation because these CRLs are accessible to the entire enterprise. Contact your directory administrator to get added to this administrative directory group.
To upload CRLs to the directory, enter the following at the command line:
orapki crl upload -crl crl_location -ldap hostname:ssl_port -user username [-wallet wallet_location] [-summary]
In this specification, crl_location
is the file name or URL where the CRL is located, hostname
and ssl_port
(SSL port with no authentication) are for the system on which your directory is installed, username
is the directory user who has permission to add CRLs to the CRL subtree, and wallet_location
is the location of a wallet that contains the certificate of the CA that issued the CRL.
Using -wallet
and -summary
are optional. Specifying -wallet
causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory. Specifying the -summary
option causes the tool to print the CRL issuer's name and the LDAP entry where the CRL is stored in the directory.
The following example illustrates uploading a CRL with the orapki
utility:
orapki crl upload -crl /home/user1/wallet/crldir/crl.txt -ldap host1.example.com:3533 -user cn=orcladmin
Note:
The orapki
utility will prompt you for the directory password when you perform this operation.
Ensure that you specify the directory SSL port on which the Diffie-Hellman-based SSL server is running. This is the SSL port that does not perform authentication. Neither the server authentication nor the mutual authentication SSL ports are supported by the orapki
utility.
You can display a list of all CRLs stored in the directory with orapki
, which is useful for browsing to locate a particular CRL to view or download to your local computer.
This command displays the CA who issued the CRL (Issuer) and its location (DN) in the CRL subtree of your directory.
To list CRLs in Oracle Internet Directory, enter the following at the command line:
orapki crl list -ldap hostname:ssl_port
where the hostname
and ssl_port
are for the system on which your directory is installed. Note that this is the directory SSL port with no authentication as described in the preceding section.
Oracle Internet Directory CRLS are available in a summarized format; you also can request a listing of revoked certificates for a CRL.
You can view CRLs stored in Oracle Internet Directory in a summarized format or you can request a complete listing of revoked certificates for a CRL.
A summary listing provides the CRL issuer's name and its validity period. A complete listing provides a list of all revoked certificates contained in the CRL.
To view a summary listing of a CRL in Oracle Internet Directory, enter the following at the command line:
orapki crl display -crl crl_location [-wallet wallet_location] -summary
where crl_location
is the location of the CRL in the directory. It is convenient to paste the CRL location from the list that displays when you use the orapki crl list
command. See Listing CRLs Stored in Oracle Internet Directory.
To view a list of all revoked certificates contained in a specified CRL, which is stored in Oracle Internet Directory, you can enter the following at the command line:
orapki crl display -crl crl_location [-wallet wallet_location] -complete
For example, the following orapki
command:
orapki crl display -crl $T_WORK/pki/wlt_crl/nzcrl.txt -wallet $T_WORK/pki/wlt_crl -complete
produces the following output, which lists the CRL issuer's DN, its publication date, date of its next update, and the revoked certificates it contains:
issuer = CN=root,C=us, thisUpdate = Sun Nov 16 10:56:58 PST 2003, nextUpdate = Mon Sep 30 11:56:58 PDT 2013, revokedCertificates = {(serialNo = 153328337133459399575438325845117876415, revocationDate - Sun Nov 16 10:56:58 PST 2003)} CRL is valid
Using the -wallet
option causes the orapki crl display
command to validate the CRL against the CA's certificate.
Depending on the size of your CRL, choosing the -complete
option may take a long time to display.
You can also use Oracle Directory Manager, a graphical user interface tool that is provided with Oracle Internet Directory, to view CRLs in the directory. CRLs are stored in the following directory location:
cn=CRLValidation,cn=Validation,cn=PKI,cn=Products,cn=OracleContext
The user who deletes CRLs from the directory by using orapki
must be a member of the directory group CRLAdmins
.
Refer to Uploading CRLs to Oracle Internet Directory for information about this directory administrative group.
To delete CRLs from the directory, enter the following at the command line:
orapki crl delete -issuer issuer_name -ldap host:ssl_port -user username [-summary]
In this specification, issuer_name
is the name of the CA who issued the CRL, the hostname
and ssl_port
are for the system on which your directory is installed, and username
is the directory user who has permission to delete CRLs from the CRL subtree. Ensure that this must be a directory SSL port with no authentication. See Uploading CRLs to Oracle Internet Directory for more information about this port.
Using the -summary
option causes the tool to print the CRL LDAP entry that was deleted.
For example, the following orapki
command:
orapki crl delete -issuer "CN=root,C=us" -ldap machine1:3500 -user cn=orcladmin -summary
produces the following output, which lists the location of the deleted CRL in the directory:
Deleted CRL at cn=root cd45860c.rN,cn=CRLValidation,cn=Validation,cn=PKI,cn=Products,cn=OracleContext
To determine whether certificates are being validated against CRLs, you can enable Oracle Net tracing.
When a revoked certificate is validated by using CRLs, then you will see the following entries in the Oracle Net tracing file without error messages logged between entry
and exit
:
nzcrlVCS_VerifyCRLSignature: entry nzcrlVCS_VerifyCRLSignature: exit nzcrlVCD_VerifyCRLDate: entry nzcrlVCD_VerifyCRLDate: exit nzcrlCCS_CheckCertStatus: entry nzcrlCCS_CheckCertStatus: Certificate is listed in CRL nzcrlCCS_CheckCertStatus: exit
Note:
Note that when certificate validation fails, the peer in the SSL handshake sees an ORA-29024: Certificate Validation Failure
. If this message displays, refer to Oracle Net Tracing File Error Messages Associated with Certificate Validation for information about how to resolve the error.
See Also:
Oracle Database Net Services Administrator's Guide for information about setting tracing parameters to enable Oracle Net tracing
Oracle generates trace messages that are relevant to certificate validation.
These trace messages may be logged between the entry
and exit
entries in the Oracle Net tracing file. Oracle SSL looks for CRLs in multiple locations, so there may be multiple errors in the trace.
You can check the following list of possible error messages for information about how to resolve them.
Cause: The CRL signature cannot be verified.
Cause: The current time is later than the time listed in the next update field. You should not see this error if CRL DP is used. The systems searches for the CRL in the following order:
File system
Oracle Internet Directory
CRL DP
The first CRL found in this search may not be the latest.
Cause: The CRL could not be found at the configured locations. This will return error ORA-29024 if the configuration specifies that certificate validation is require.
Cause: Oracle Internet Directory connection information is not set. Note that this is not a fatal error. The search continues with CRL DP.
Cause: The CRL could not be fetched by using the CRL Distribution Point (CRL DP). This happens if the certificate does not have a location specified in its CRL DP extension, or if the URL specified in the CRL DP extension is incorrect.
Oracle Database supports hardware security modules that use APIs that conform to the RSA Security, Inc., PKCS #11 specification.
Typically, these hardware devices are used to securely store and manage private keys in tokens or smart cards, or to accelerate cryptographic processing.
Topics:
Oracle provides a set of guidelines to follow if you are using a hardware security module with Oracle Database.
Contact your hardware device vendor to obtain the necessary hardware, software, and PKCS #11 libraries.
Install the hardware, software, and libraries where appropriate for the hardware security module you are using.
Test your hardware security module installation to ensure that it is operating correctly. Refer to your device documentation for instructions.
Create a wallet of the type PKCS11
by using Oracle Wallet Manager and specify the absolute path to the PKCS #11 library (including the library name) if you wish to store the private key in the token. Oracle PKCS11
wallets contain information that points to the token for private key access.
You can use the wallet containing PKCS #11 information just as you would use any Oracle wallet, except the private keys are stored on the hardware device and the cryptographic operations are performed on the device as well.
See Also:
Oracle Database Enterprise User Security Administrator's Guide for information about creating an Oracle wallet to store hardware security module credentials
You can configure your system to use nCipher hardware security modules for cryptographic processing.
Topics:
Hardware security modules made by nCipher Corporation are certified to operate with Oracle Database.
These modules provide a secure way to store keys and off-load cryptographic processing. Primarily, these devices provide the following benefits:
Off-load cryptographic processing that frees your server to respond to other requests
Secure private key storage on the device
Allow key administration through the use of smart cards
Note:
You must contact your nCipher representative to obtain certified hardware and software to use with Oracle Database.
To use an nCipher hardware security module, you must have a special set of components.
These components are as follows:
nCipher Hardware Security Module
Supporting nCipher PKCS #11 library
The following platform-specific PKCS#11 library is required:
libcknfast.so
library for UNIX 32-Bit
libcknfast-64.so
library for UNIX 64-Bit
cknfast.dll
library for Windows
Note:
You must contact your nCipher representative to have the hardware security module or the secure accelerator installed, and to acquire the necessary library.
These tasks must be performed before you can use an nCipher hardware security module with Oracle Database.
The nCipher hardware security module uses the nCipher PKCS #11 library.
To use the secure accelerator, you must provide the absolute path to the directory that contains the nCipher PKCS #11 library (including the library name) when you create the wallet by using Oracle Wallet Manager. This enables the library to be loaded at runtime.
Typically, the nCipher card is installed at the following locations:
/opt/nfast
for UNIX
C:\nfast
for Windows
The nCipher PKCS #11 library is located at the following location for typical installations:
/opt/nfast/toolkits/pkcs11/libcknfast.so
for UNIX 32-Bit
/opt/nfast/toolkits/pkcs11/libcknfast-64.so
for UNIX 64-Bit
C:\nfast\toolkits\pkcs11\cknfast.dll
for Windows
Note:
Use the 32-bit library version when using the 32-bit release of Oracle Database and use the 64-bit library version when using the 64-bit release of Oracle Database. For example, use the 64-bit nCipher PKCS #11 library for the Oracle Database for Solaris Operating System (SPARC 64-bit).
You can configure your system to use SafeNET hardware security modules for cryptographic processing.
Topics:
Hardware security modules made by SafeNET Incorporated are certified to operate with Oracle Database.
These modules provide a secure way to store keys and off-load cryptographic processing. Primarily, these devices provide the following benefits:
Off-load of cryptographic processing to free your server to respond to more requests
Secure private key storage on the device
Note:
You must contact your SafeNET representative to obtain certified hardware and software to use with Oracle Database.
To use a SafeNET Luna SA hardware security module, you must have a special set of components.
These components are as follows:
SafeNET Luna SA Hardware Security Module
Supporting SafeNET Luna SA PKCS #11 library
The following platform-specific PKCS#11 library is required:
libCryptoki2.so
library for UNIX
cryptoki.dll
library for Windows
Note:
You must contact your SafeNET representative to have the hardware security module or the secure accelerator installed, and to acquire the necessary library.
These tasks must be performed before you can use a SafeNET hardware security module with Oracle Database.
The SafeNET hardware security module uses the SafeNET PKCS #11 library.
To use the secure accelerator, you must provide the absolute path to the directory that contains the SafeNET PKCS #11 library (including the library name) when you create the wallet using Oracle Wallet Manager. This enables the library to be loaded at runtime.
Typically, the SafeNET Luna SA client is installed at the following location:
/usr/lunasa
for UNIX
C:\Program Files\LunaSA
for Windows
The SafeNET Luna SA PKCS #11 library is located at the following location for typical installations:
/usr/lunasa/lib/libCryptoki2.so
for UNIX
C:\Program Files\LunaSA\cryptoki2.dll
for Windows
Oracle provides troubleshooting advice for hardware security modules.
Topics:
To detect whether the module is being used, you can turn on Oracle Net tracing.
If the wallet contains PKCS #11 information and the private key on the module is being used, then you will see the following entries in the Oracle Net tracing file without error messages logged between entry
and exit
:
nzpkcs11_Init: entry nzpkcs11CP_ChangeProviders: entry nzpkcs11CP_ChangeProviders: exit nzpkcs11GPK_GetPrivateKey: entry nzpkcs11GPK_GetPrivateKey: exit nzpkcs11_Init: exit ... nzpkcs11_Decrypt: entry nzpkcs11_Decrypt: exit nzpkcs11_Sign: entry nzpkcs11_Sign: exit
See Also:
Oracle Database Net Services Administrator's Guide for information about setting tracing parameters to enable Oracle Net tracing
Errors that are associated with using PKCS #11 hardware security modules can appear.
Cause: The system cannot locate the PKCS #11 library at the location specified when the wallet was created. This happens only when the library is moved after the wallet is created.
Cause: The smart card that was used to create the wallet is not present in the hardware security module slot.
Cause: This can occur when an incorrect password is specified at wallet creation, or the PKCS #11 device password is changed after the wallet is created and not updated in the wallet by using Oracle Wallet Manager.
See Also:
Oracle Database Enterprise User Security Administrator's Guide about creating an Oracle wallet to store hardware security credentials
Note:
The nCipher log file is in the directory where the module is installed at the following location:
/log/logfile
See Also:
nCipher and SafeNET documentation for more information about troubleshooting nCipher and SafeNET devices