
I configure mutual authentication via SSL between a client (Windows 7) and a server (Windows Server 2008 R2). I create a wallet via Oracle Wallet Manager (OWM) both on the client and the server, then I create certificate requests for the client and server in OWM, as shown in the image below.

[Image: Certificate request via OWM]

I create a CA certificate in OpenSSL as follows:

openssl> genrsa -out root.key 2048 
openssl> req -x509 -new -key root.key -days 1000 -out root.crt

Then I create a certificate request:

openssl> genrsa -out serv.key 2048
openssl> req -new -key serv.key -out serv.csr

Then I copy the contents of the certificate request from OWM into the *.csr file that was created via OpenSSL, create a certificate from this file and sign it with the CA certificate:

openssl> x509 -req -in serv.csr -CA root.crt -CAkey root.key -CAcreateserial -out serv.crt -days 500

Similarly, I create a client certificate and sign it with the CA certificate. Next, I import the CA certificate into OWM via "Import Trusted Certificate" on both the client and the server, and the client or server certificate via "Import User Certificate" on the client or server machine respectively. Then I save the wallets and set the "Auto Login" flag.

Next I create a connection via Net Manager -> Local -> Profile -> Oracle Advanced Security -> SSL on both the client and the server. listener.ora on the server now contains this:

SSL_CLIENT_AUTHENTICATION = TRUE

WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = C:\OraWallet) ) )

LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = WIN-QV6N8G35RD5.localdomain)(PORT = 1521)) ) (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = WIN-QV6N8G35RD5.localdomain)(PORT = 2484)) ) )

Then I add a new "TCP/IP with SSL" connection on the client and test it, but an error appears on the client:

ORA-28864: SSL connection closed gracefully

I made a trace on the server and there are 2 errors:

TNS-12560:TNS: protocol adapter error

TNS-00540:SSL protocol adapter failure

Well, now I don't know how to fix them.

asked Oct 26, 2017 at 22:32
  • Did you check whether your listener was restarted and is listening on port 2484? Does your listener log show anything useful? You should enable tracing in your client's sqlnet.ora to troubleshoot the issue. Commented Oct 27, 2017 at 8:44
  • Another issue: Does the database user have permissions to read the wallet? Commented Oct 27, 2017 at 8:55
  • @jmk, I set "Full access" for Everyone on the ewallet.p12 files both on the client and the server. "Started with pid=1384 Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=WIN-QV6N8G35RD5)(PORT=1521))) Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=WIN-QV6N8G35RD5)(PORT=2484))) Listener completed notification to CRS on start" - from listener.log on the server, and no errors in the file. Commented Oct 27, 2017 at 21:33
  • Are you on a RAC system with scan listeners as the notification to CRS suggests? Commented Oct 27, 2017 at 21:38
  • No, it's Oracle Database 11g Enterprise Edition 11.2.0.1.0 Commented Oct 27, 2017 at 22:13

1 Answer

The problem was solved by using orapki for creating the wallets and certificates for the client and server. This manual helped me to solve the problem.

answered Nov 17, 2017 at 13:53
