 IT Knowledge oracle

1. Configure TCPS

Generate Self-Signed Certificates

Create a private key for the CA:

openssl genrsa -out ca.key 2048

Create a self-signed CA certificate:

openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt -subj "/CN=MyCA"

Create a private key for the server:

openssl genrsa -out server.key 2048

Create a certificate signing request (CSR) for the server:

openssl req -new -key server.key -out server.csr -subj "/CN=your_host_name"

Sign the server CSR with the CA certificate:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
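
Before the signed certificate goes into the wallet, it is worth checking that it chains to ca.crt, matches server.key and carries the expected CN. The script below is an added example, not part of the original page; check_server_cert and make_demo_chain are hypothetical helper names, and the demo uses a constructed host name, dg01.example.test.

```shell
#!/bin/sh
# check_server_cert CA_CERT SERVER_CERT SERVER_KEY EXPECTED_CN
# Prints one line per failed check; returns 0 only when every check passes.
check_server_cert() {
    ca=$1; crt=$2; key=$3; want_cn=$4; rc=0

    # 1. The server certificate must chain to the CA that clients will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $ca"; rc=1; }

    # 2. The private key must belong to the certificate: compare public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: $key is not the key for $crt"; rc=1; }

    # 3. The subject CN must be the name given as /CN=your_host_name.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] ||
        { echo "FAIL: certificate CN is '$cn', expected '$want_cn'"; rc=1; }

    # 4. -days 365 expires; flag a certificate with under 30 days left.
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: $crt expires within 30 days"; rc=1; }

    return $rc
}

# Constructed sample input: a throwaway CA and server certificate, made in
# directory $1 for host name $2 with the same openssl commands as above.
make_demo_chain() {
    ( cd "$1" &&
      openssl genrsa -out ca.key 2048 &&
      openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 \
          -out ca.crt -subj "/CN=MyCA" &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -key server.key -out server.csr -subj "/CN=$2" &&
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -out server.crt -days 365 -sha256 ) >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_chain "$demo" dg01.example.test
check_server_cert "$demo/ca.crt" "$demo/server.crt" "$demo/server.key" \
    dg01.example.test && echo "server certificate OK"
rm -rf "$demo"
```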
​
​​
Import the Private Key into the Wallet

Bundle the server certificate and private key into a PKCS#12 file (the wallet is created in Step 2 and must exist before the import):

openssl pkcs12 -export -in /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet/server.crt -inkey /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet/server.key -out server.p12 -name "servercert" -passout pass:exportPassword

Import the PKCS#12 file into the Oracle Wallet:

orapki wallet import_pkcs12 -wallet /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet -pkcs12file server.p12 -pwd WalletPassword123 -pkcs12pwd exportPassword

WalletPassword123 and exportPassword are example values. Passwords passed on the command line are recorded in shell history and visible in the process list while the command runs.

Verify the Wallet

orapki wallet display -wallet /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet -pwd WalletPassword123

Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=dg01
Trusted Certificates:
Subject:        CN=MyCA
​

Step 2: Create an Oracle Wallet

Create the wallet directory:

mkdir -p /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet

Generate the Wallet:

orapki wallet create -wallet /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet -pwd WalletPassword123 -auto_login

-auto_login also writes cwallet.sso, which lets the listener open the wallet without the password, so keep the wallet directory readable by the Oracle software owner only.

Add the CA Certificate:

From the certs directory (/u01/app/oracle/product/19.3.0.0/dbhome_1/certs), copy the CA certificate into the wallet directory:

[oracle@dg01 certs]$ cp ca.crt  ../network/admin/wallet/

With the following sequence the key pair is generated inside the wallet, so no server.key file or PKCS#12 import is needed:

# Create the wallet (if not already done)
orapki wallet create -wallet /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet -pwd WalletPassword123 -auto_login

# Generate the CSR within the wallet
orapki wallet add -wallet /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet -dn "CN=your_host_name" -keysize 2048 -pwd WalletPassword123
orapki wallet export -wallet /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet -dn "CN=your_host_name" -request /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet/server.csr -pwd WalletPassword123

# Sign the CSR with the CA certificate
openssl x509 -req -in /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet/server.csr -CA /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet/ca.crt -CAkey ca.key -CAcreateserial -out /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet/server.crt -days 365 -sha256

# Add the CA certificate to the wallet
orapki wallet add -wallet /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet -trusted_cert -cert /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet/ca.crt -pwd WalletPassword123

# Add the signed server certificate to the wallet
orapki wallet add -wallet /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet -user_cert -cert /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet/server.crt -pwd WalletPassword123

# Verify the wallet contents
orapki wallet display -wallet /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet -pwd WalletPassword123

​
Step 3: Configure the Listener

Add the following to listener.ora:

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = your_host_name)(PORT = 2484))
    )
  )

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet)
    )
  )

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256)

Restart the Listener:

lsnrctl stop
lsnrctl start

​

Step 4: Configure SQL*Net on the Server Side

Add the following to sqlnet.ora on the server. SSL_VERSION is 1.2 because the SHA256 cipher suites listed here are defined only for TLS 1.2:

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/19.3.0.0/dbhome_1/network/admin/wallet)
    )
  )

SSL_VERSION = 1.2

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256)

​

Step 5: Configure SQL*Net on the Client Side

Create the client wallet and add the CA certificate to it as a trusted certificate:

mkdir -p /path/to/client/wallet

orapki wallet create -wallet /path/to/client/wallet -pwd ClientWalletPassword123 -auto_login

orapki wallet add -wallet /path/to/client/wallet -trusted_cert -cert ca.crt -pwd ClientWalletPassword123

Edit the sqlnet.ora file on the client side. SSL_VERSION is 1.2 because the SHA256 cipher suites listed here are defined only for TLS 1.2:

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /path/to/client/wallet)
    )
  )

SSL_VERSION = 1.2

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256)

​

​

tnsnames.ora on the client (the port must be the TCPS port the listener opens, 2484 in Step 3):

pridb =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = pridb)(PORT = 2484))
    (CONNECT_DATA =
      (SERVICE_NAME = pridb)
    )
  )
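
A consistency check across the three files configured above, as an added example that is not part of the original page: it flags an SSL_VERSION that cannot use the configured SHA256 suites and a client TCPS port the listener does not open. param, tcps_ports and lint_tcps are hypothetical helper names; the check assumes all three files describe the same server, and the sample files are constructed.

```shell
# Print a single-line "NAME = value" parameter from a file, whitespace removed.
param() { sed -n "s/^[[:space:]]*$1[[:space:]]*=//p" "$2" | tr -d ' \t\r'; }

# Print the port of every (ADDRESS = ...(PROTOCOL = TCPS)...) entry in a file.
tcps_ports() {
    awk '{ gsub(/[ \t\r]/, ""); s = s toupper($0) }
         END { n = split(s, a, /\(ADDRESS=/)
               for (i = 2; i <= n; i++)
                   if (a[i] ~ /\(PROTOCOL=TCPS\)/ && match(a[i], /\(PORT=[0-9]+\)/))
                       print substr(a[i], RSTART + 6, RLENGTH - 7) }' "$1"
}

# lint_tcps SQLNET_ORA LISTENER_ORA TNSNAMES_ORA
# Prints one line per finding; returns 0 only when there are none.
lint_tcps() {
    rc=0
    ver=$(param SSL_VERSION "$1" | tr 'A-Z' 'a-z')
    suites=$(param SSL_CIPHER_SUITES "$1")
    # SHA256/SHA384 suites are defined only for TLS 1.2, so pinning a lower
    # SSL_VERSION leaves the handshake unable to use them.
    case $suites in *SHA256*|*SHA384*)
        case $ver in ''|*1.2*|undetermined) ;;
            *) echo "FAIL: SSL_VERSION=$ver cannot use the TLS 1.2 suites in $suites"; rc=1 ;;
        esac ;;
    esac
    # Each TCPS port a client dials must be a TCPS port the listener opens.
    lports=$(tcps_ports "$2" | tr '\n' ' ')
    for p in $(tcps_ports "$3"); do
        case " $lports" in *" $p "*) ;;
            *) echo "FAIL: client dials TCPS port $p, listener has: $lports"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files: SSL_VERSION pinned below TLS 1.2, and a client
# entry whose port differs from the listener's.
demo=$(mktemp -d)
printf '%s\n' 'SSL_VERSION = 1.0' \
    'SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA256)' > "$demo/sqlnet.ora"
printf '%s\n' 'LISTENER = (DESCRIPTION =' \
    '  (ADDRESS = (PROTOCOL = TCPS)(HOST = your_host_name)(PORT = 2484)))' > "$demo/listener.ora"
printf '%s\n' 'pridb = (DESCRIPTION =' \
    '  (ADDRESS = (PROTOCOL = TCPS)(HOST = pridb)(PORT = 1521))' \
    '  (CONNECT_DATA = (SERVICE_NAME = pridb)))' > "$demo/tnsnames.ora"
lint_tcps "$demo/sqlnet.ora" "$demo/listener.ora" "$demo/tnsnames.ora" ||
    echo "findings above must be fixed before clients can connect"
rm -rf "$demo"
```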

​

​

​

​