SlideShare a Scribd company logo

OTN tour 2015 Experience in implementing SSL between oracle db and oracle clients

Andrejs Vorobjovs
Andrejs Vorobjovs

The TCP buffer size was too small for the SSL handshake. Increasing the TCP send/receive buffer sizes on the listeners resolved the issue.

1 of 39
Download to read offline
Experience in implementing SSL between Oracle DB and Oracle Clients
Agenda ● Project overview ● SSL session (1 way/2 ways) ● Certificate Authorities & Certificates ● 3 Different Oracle Listeners configurations (insecure/secure/ssl) ● SSL & Oracle Clients setup (tns configuration parameters) ● Issues faced & troubleshooting tools ● Conclusion ● Q & A
RAC Cluster Project overview SSL Listener SEC Listener SCAN Listeners Developers & End users / tools directly connecting to DB Main application technology stack OBIEE, WLS, Forms, Reports Integrations Other DBs, Essbase, Ora Net Clients SSL Listener SEC Listener SSL Listener SEC Listener
How does SSL/TLS work? How does SSL/TLS work? from http://security.stackexchange.com/ => here How does SSL work? What is an SSL handshake? from http://www.symantec.com/ => here Transport Layer Security from https://en.wikipedia.org/ => here
SSL session overview (1 way) ServerInitial request (to https://domainname.com) Hello .... SSLv2, SSLv3, TLSv1, .... ciphers, hash function ● Server Certificate ● Server Private Key Server Certificate (signed by Certificate Authority) Public Key + Domain Name (subject) + Org name ....● List of Trusted CA certificates Establish trust ... Agree on the symmetric encryption key ... premaster secret master secret & generate session keys Use session key and agreed encryption cipher to send data ...
SSL session overview (2 way) Server ● Server Certificate ● Server Private Key● List of Trusted CA certificates Establish trust ... Agree on the symmetric encryption key ... master secret & generate session keys Use session key and agreed encryption cipher to send data ... premaster secret ● Client Certificate ● Client Private Key ● List of Trusted CA certificates
● There are 3 options to obtain an SSL certificate a. Generate your own self-signed certificate (from https://www.linux.com here) b. Request certificate from your organisation CA c. Request certificate from public CA ■ VeriSign ■ GeoTrust ■ ... https://en.wikipedia.org/wiki/Certificate_authority ● In A & B you or your organisation controls hashing and encryption protocols ● However no clients will recognize certificate by default ● In option C you will need to make sure your client versions supports protocols dictated by external CA a. Recent example => Many CAs announced that they will not support SHA-1 forcing SHA256/SHA-2 implementation Certificate Authorities & Certificates
● Intermediate certificate authorities ○ https://en.wikipedia.org/wiki/Intermediate_certificate_authorities Certificate Authorities & Certificates
● Certificate Authorities & Certificates
● Certificate Authorities & Certificates
● Certificate Authorities & Certificates
Oracle
Listener Config
3 Different Oracle Listeners configurations ● Default Listener (insecure) ○ Username/password are encrypted ● Secure Listener ○ Use encryption the same way as SSL Listener ○ No authentication phase (SSL handshake) ● SSL Listener ○ Use encryption ○ Could be configured with 1 way or 2 ways authentication
Default Listener (insecure) listener.ora LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL=TCP)(HOST = db_host)(PORT = 1521)) (ADDRESS = (PROTOCOL=IPC)(KEY = REGLSNR_LISTENER)) )
Secure Listener listener.ora LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL=TCP)(HOST = db_host)(PORT = 1522)) (ADDRESS = (PROTOCOL=IPC)(KEY = REGLSNR_LISTENER)) ) sqlnet.ora sqlnet.crypto_checksum_server = REQUIRED sqlnet.encryption_server = REQUIRED sqlnet.crypto_checksum_types_server = (SHA1) sqlnet.encryption_types_server = (AES256)
listener.ora LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL=TCPS)(HOST = db_host)(PORT = 1523)) (ADDRESS = (PROTOCOL=IPC)(KEY = REGLSNR_LISTENER)) ) WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/SSL/certs) ) ) SSL_CLIENT_AUTHENTICATION = FALSE SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA) SSL Listener
oracle@host > openssl s_client -connect db_host:1523 CONNECTED(00000003) depth=0 CN = PROD ... verify return:1 Certificate chain 0 s:/CN=PROD i:/CN=PROD --- Server certificate -----BEGIN CERTIFICATE----- MIIBkDCB+gIBADANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZFQlNMTlAwHhcN MTQwNzAyMDQzNTI4WhcNNDExMTE2MDUzNTI4WjARMQ8wDQYDVQQDEwZFQlNMTlAw gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJGbN1hxmtFKx1SpUU8JPvRyjMzW ... -----END CERTIFICATE----- subject=/CN=PROD issuer=/CN=PROD --- Acceptable client certificate CA names /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA /C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- SSL handshake has read 1269 bytes and written 210 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA ... SSL & Oracle Clients setup
SSL & Oracle Clients setup ... --- SSL handshake has read 1269 bytes and written 210 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: Session-ID-ctx: Master-Key: 68E402B5CD161618522350EE... Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1447632207 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- oracle@host >
Client Config
== TCP ========================================================================== tnsnames.ora PROD = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = prod-db-scan.corp.myorg.lv)(PORT = 1523)) ) (CONNECT_DATA = (SERVICE_NAME = PROD_ETL01) ) ) == TCPS ========================================================================= tnsnames.ora PROD_SSL = (DESCRIPTION = (SECURITY=(SSL_SERVER_CERT_DN="CN=prod-db.corp.myorg.lv,O=MyOrg Inc,L=Riga,C=Latvia")) (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = prod-db-scan.corp.myorg.lv)(PORT = 7048)) ) (CONNECT_DATA = (SERVICE_NAME = PROD_ETL01) ) ) SSL & Oracle Clients setup (OCI)
== TCPS ========================================================================== sqlnet.ora SSL_SERVER_DN_MATCH = yes SSL_CLIENT_AUTHENTICATION = FALSE SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA) WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/SSL/cert) ) ) SSL & Oracle Clients setup (OCI)
● java … -Doracle.net.ssl_server_dn_match=true … ● jdbc:oracle:thin:@ (DESCRIPTION =( SECURITY=(SSL_SERVER_CERT_DN="CN=prod-db.corp.myorg.lv,O=MyOrg Inc,L=Riga,C=Latvia")) (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = prod-db-scan.corp.myorg.lv)(PORT = 7048) ))(CONNECT_DATA = (SERVICE_NAME = PROD_ETL01))) ● Java has it own certificate store SSL & Oracle Clients setup (JDBC)
Certificates Config
SSL & Oracle Clients setup (OCI) Using the orapki Utility to Manage PKI Elements https://docs.oracle.com/database/121/DBSEG/asoappf.htm#DBSEG610
$ ls -l /u01/app/oracle/SSL/cert/* total 16 -rw-r--r--@ 1 yvel 5000 1365 Aug 21 2014 cwallet.sso -rw-r--r--@ 1 yvel 5000 1288 Aug 21 2014 ewallet.p12 oracle@host:/home/oracle> orapki wallet display -wallet /u01/app/oracle/SSL/cert ; date Oracle PKI Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=PROD Trusted Certificates: Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Wed Sep 9 16:27:36 PDT 2015 oracle@kpfp2:/home/oracle> orapki wallet create -wallet $WALLET -auto_login -pwd $v_pwd orapki wallet remove -wallet $WALLET -trusted_cert_all -pwd $v_pwd orapki wallet display -wallet $WALLET -pwd $v_pwd orapki wallet jks_to_pkcs12 -wallet $WALLET -keystore /full/path/to/certificate.jks -jkspwd <pwd> orapki wallet add -wallet $WALLET -trusted_cert -cert GIAG2.crt -pwd $v_pwd SSL & Oracle Clients setup (OCI)
SSL & Oracle Clients setup (OCI) $ openssl pkcs12 -info -in /u01/app/oracle/SSL/cert/ewallet.p12 Enter Import Password: MAC Iteration 1024 MAC verified OK PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024 Certificate bag Bag Attributes localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04 subject=/C=US/O=MyOrg Inc/CN=MyOrg Internet Authority G2 issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA -----BEGIN CERTIFICATE----- MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE ... PKCS 12 => https://en.wikipedia.org/wiki/PKCS_12 It defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate.
● JDBC Clients ○ Have it own default certificate store with preloaded trusted CA list $ v_java_cert=/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security/cacerts $ keytool -list -keystore $v_java_cert -storepass changeit Keystore type: JKS Keystore provider: SUN Your keystore contains 93 entries digicertassuredidrootca, Apr 16, 2008, trustedCertEntry, Certificate fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43 comodorsaca, May 12, 2015, trustedCertEntry, Certificate fingerprint (SHA1): AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4 thawtepremiumserverca, May 26, 2015, trustedCertEntry, Certificate fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66 ... $ keytool -exportcert -alias digicertassuredidrootca -keystore $v_java_cert -storepass changeit - file test.crt -rfc $ keytool -printcert -file test.crt Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US Serial number: ce7e0e517d846fe8fe560fc1bf03039 Valid from: Thu Nov 09 16:00:00 PST 2006 until: Sun Nov 09 16:00:00 PST 2031 Certificate fingerprints: MD5: 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72 SSL & Oracle Clients setup (JBDC)
SSL & Oracle Clients setup (JDBC) ● A JRE client must be updated with the JCE to enable TLS_RSA_WITH_AES_256_CBC_SHA cipher. ○ Download appropriate JCE archive with 2 jar files ○ Copy the jar files to $JAVA_HOME/jre/lib/security/ directory ● The JCE could be obtained from the URL below depending on a JRE version ○ 1.6 JCE ○ 1.7 JCE ○ 1.8 JCE
Issues faced
RAC Cluster Variety of clients and versions to cover ... SSL Listener SEC Listener SCAN Listeners Developers & End users using tools directly connecting to DB Main application technology stack OBIEE, WLS, Forms, Reports Integrations Other DBs, Essbase, Ora Net Clients SSL Listener SEC Listener SSL Listener SEC Listener 1. 2.3.
Some components used old Oracle Clients ● Essbase ○ Blend in 11.1.0.7 Oracle Client ○ Challenging to update ● OBIEE ○ Presentation layer use 11.1.0.7 Oracle Client
SSL Listener & TCP Buffer Problem definition Initial: ● DB Instances doesn't register DB Services with a remote SCAN listeners, after a new certificate has been added to server wallet Current: ● All SSL connections from one node hangs connecting to any SSL enabled listeners that runs on a remote node if a listener is able to send data out quickly enough
SSL Listener & TCP Buffer SSL Listener works if …. a) strace-ing the listener process b) turning debug logging up to a high level in the listener c) Running the listener on a non-bonded interface d) Having the listener increase its send buffer size from 16k (default) to 32k or 64k on the socket d1) We can also do this at the OS level via `echo "4096 32768 4194304" > /proc/sys/net/ipv4/tcp_wmem'
SSL Listener & TCP Buffer Normal / Expected processing sPORT:sIP - cIP:cPORT TCP socketTCP socket buffer Process owner of the socket O_NONBLOCK W3 W2 W1 DATA Data writes O_NONBLOCK sPORT:sIP - cIP:cPORTProcess owner of the socket DATA Kernel waits a bit for more data and sends it out Buffer is full. Kernel sends EAGAIN back 5k 1k 3k 3k W3b 2k W3bEAGAIN sPORT:sIP - cIP:cPORTProcess owner of the socket The process code handles error and keep sending the rest of the data until successful 3k W3b 3k Kernel refuses writes until buffer is free
Oracle Listener - fails to process EAGAIN TCP socketTCP socket buffer O_NONBLOCK Data writes O_NONBLOCK sPORT:sIP - cIP:cPORTSSL Listener DATA Buffer is full. Kernel sends EAGAIN back 3k W3b 2k W3bEAGAIN sPORT:sIP - cIP:cPORTSSL Listener Listener never re-sends the W3b part Kernel ready to process writes after some time Oracle Listener ssl handshake function fails to process EAGAIN errors sPORT:sIP - cIP:cPORTSSL Listener DATA Buffer is full. Kernel sends EAGAIN back 2k W3b 3k W3b The W3b part is dropped Where is client's response? W3b The W3b part is dropped SSL Listener & TCP Buffer
Conclusions
RAC Cluster Variety of clients and versions to cover ... SSL Listener SEC Listener SCAN Listeners Developers & End users using tools directly connecting to DB Main application technology stack OBIEE, WLS, Forms, Reports Integrations Other DBs, Essbase, Ora Net Clients SSL Listener SEC Listener SSL Listener SEC Listener
Q & A

Recommended

SSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesSSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprises
Nelson Calero
 
Automate your oracle cloud infrastructure operations v2.0 - OOW19
Automate your oracle cloud infrastructure operations v2.0 - OOW19Automate your oracle cloud infrastructure operations v2.0 - OOW19
Automate your oracle cloud infrastructure operations v2.0 - OOW19
Nelson Calero
 
Automate your Oracle Cloud Infrastructure operation
Automate your Oracle Cloud Infrastructure operationAutomate your Oracle Cloud Infrastructure operation
Automate your Oracle Cloud Infrastructure operation
Nelson Calero
 
Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0
Nelson Calero
 
Cloud and OpenStack
Cloud and OpenStackCloud and OpenStack
Cloud and OpenStack
Seyed Ehsan Beheshtian
 
2020 - GUOB Tech Day / Groundbreakers LAD Tour - How to Create an AutoScale C...
2020 - GUOB Tech Day / Groundbreakers LAD Tour - How to Create an AutoScale C...2020 - GUOB Tech Day / Groundbreakers LAD Tour - How to Create an AutoScale C...
2020 - GUOB Tech Day / Groundbreakers LAD Tour - How to Create an AutoScale C...
Marcus Vinicius Miguel Pedro
 
Openstack Architecture
Openstack ArchitectureOpenstack Architecture
Openstack Architecture
SrbIT
 
Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Krunal Jain
 

Recommended

SSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesSSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprises
Nelson Calero
 
Automate your oracle cloud infrastructure operations v2.0 - OOW19
Automate your oracle cloud infrastructure operations v2.0 - OOW19Automate your oracle cloud infrastructure operations v2.0 - OOW19
Automate your oracle cloud infrastructure operations v2.0 - OOW19
Nelson Calero
 
Automate your Oracle Cloud Infrastructure operation
Automate your Oracle Cloud Infrastructure operationAutomate your Oracle Cloud Infrastructure operation
Automate your Oracle Cloud Infrastructure operation
Nelson Calero
 
Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0
Nelson Calero
 
Cloud and OpenStack
Cloud and OpenStackCloud and OpenStack
Cloud and OpenStack
Seyed Ehsan Beheshtian
 
2020 - GUOB Tech Day / Groundbreakers LAD Tour - How to Create an AutoScale C...
2020 - GUOB Tech Day / Groundbreakers LAD Tour - How to Create an AutoScale C...2020 - GUOB Tech Day / Groundbreakers LAD Tour - How to Create an AutoScale C...
2020 - GUOB Tech Day / Groundbreakers LAD Tour - How to Create an AutoScale C...
Marcus Vinicius Miguel Pedro
 
Openstack Architecture
Openstack ArchitectureOpenstack Architecture
Openstack Architecture
SrbIT
 
Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Krunal Jain
 
Mirantis OpenStack 5.0 Overview
Mirantis OpenStack 5.0 OverviewMirantis OpenStack 5.0 Overview
Mirantis OpenStack 5.0 Overview
Mirantis
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
Simon Haslam
 
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer BangladeshOpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
Mobarak Hossain
 
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...
DevDay.org
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
Mirantis
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalPro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-final
Michel Schildmeijer
 
Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architecture
Toni Ramirez
 
Open stack architecture overview-meetup-6-6_2013
Open stack architecture overview-meetup-6-6_2013Open stack architecture overview-meetup-6-6_2013
Open stack architecture overview-meetup-6-6_2013Mirantis
 
Open stack
Open stackOpen stack
Open stackLuan Cestari
 
CIS 2015- Building IAM for OpenStack- Steve Martinelli
CIS 2015- Building IAM for OpenStack- Steve MartinelliCIS 2015- Building IAM for OpenStack- Steve Martinelli
CIS 2015- Building IAM for OpenStack- Steve Martinelli
CloudIDSummit
 
Openstack training material
Openstack training materialOpenstack training material
Openstack training material
chenvi123
 
Apache Knox - Hadoop Security Swiss Army Knife
Apache Knox - Hadoop Security Swiss Army KnifeApache Knox - Hadoop Security Swiss Army Knife
Apache Knox - Hadoop Security Swiss Army Knife
DataWorks Summit
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)Keith Tobin
 
Getting started with OpenStack
Getting started with OpenStackGetting started with OpenStack
Getting started with OpenStack
Knoldus Inc.
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseKeith Tobin
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administrationAshish Sharma
 
Openstackoverview-DEC2013
Openstackoverview-DEC2013Openstackoverview-DEC2013
Openstackoverview-DEC2013
Michael Lessard
 
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Stephen Gordon
 
Secure Keystone Deployment
Secure Keystone DeploymentSecure Keystone Deployment
Secure Keystone Deployment
Priti Desai
 
Oracle db subprograms
Oracle db subprogramsOracle db subprograms
Oracle db subprogramsSimon Huang
 
Oracle Berkeley Db 11g R2
Oracle Berkeley Db 11g R2Oracle Berkeley Db 11g R2
Oracle Berkeley Db 11g R2
Prem Kumar
 

More Related Content

What's hot

Mirantis OpenStack 5.0 Overview
Mirantis OpenStack 5.0 OverviewMirantis OpenStack 5.0 Overview
Mirantis OpenStack 5.0 Overview
Mirantis
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
Simon Haslam
 
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer BangladeshOpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
Mobarak Hossain
 
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...
DevDay.org
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
Mirantis
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalPro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-final
Michel Schildmeijer
 
Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architecture
Toni Ramirez
 
Open stack architecture overview-meetup-6-6_2013
Open stack architecture overview-meetup-6-6_2013Open stack architecture overview-meetup-6-6_2013
Open stack architecture overview-meetup-6-6_2013Mirantis
 
CIS 2015- Building IAM for OpenStack- Steve Martinelli
CIS 2015- Building IAM for OpenStack- Steve MartinelliCIS 2015- Building IAM for OpenStack- Steve Martinelli
CIS 2015- Building IAM for OpenStack- Steve Martinelli
CloudIDSummit
 
Openstack training material
Openstack training materialOpenstack training material
Openstack training material
chenvi123
 
Apache Knox - Hadoop Security Swiss Army Knife
Apache Knox - Hadoop Security Swiss Army KnifeApache Knox - Hadoop Security Swiss Army Knife
Apache Knox - Hadoop Security Swiss Army Knife
DataWorks Summit
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)Keith Tobin
 
Getting started with OpenStack
Getting started with OpenStackGetting started with OpenStack
Getting started with OpenStack
Knoldus Inc.
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseKeith Tobin
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administrationAshish Sharma
 
Openstackoverview-DEC2013
Openstackoverview-DEC2013Openstackoverview-DEC2013
Openstackoverview-DEC2013
Michael Lessard
 
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Stephen Gordon
 
Secure Keystone Deployment
Secure Keystone DeploymentSecure Keystone Deployment
Secure Keystone Deployment
Priti Desai
 

What's hot (20)

Mirantis OpenStack 5.0 Overview
Mirantis OpenStack 5.0 OverviewMirantis OpenStack 5.0 Overview
Mirantis OpenStack 5.0 Overview
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
 
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer BangladeshOpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
 
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head...
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalPro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-final
 
Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architecture
 
Open stack architecture overview-meetup-6-6_2013
Open stack architecture overview-meetup-6-6_2013Open stack architecture overview-meetup-6-6_2013
Open stack architecture overview-meetup-6-6_2013
 
Open stack
Open stackOpen stack
Open stack
 
CIS 2015- Building IAM for OpenStack- Steve Martinelli
CIS 2015- Building IAM for OpenStack- Steve MartinelliCIS 2015- Building IAM for OpenStack- Steve Martinelli
CIS 2015- Building IAM for OpenStack- Steve Martinelli
 
Openstack training material
Openstack training materialOpenstack training material
Openstack training material
 
Apache Knox - Hadoop Security Swiss Army Knife
Apache Knox - Hadoop Security Swiss Army KnifeApache Knox - Hadoop Security Swiss Army Knife
Apache Knox - Hadoop Security Swiss Army Knife
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
 
Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)
 
Getting started with OpenStack
Getting started with OpenStackGetting started with OpenStack
Getting started with OpenStack
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administration
 
Openstackoverview-DEC2013
Openstackoverview-DEC2013Openstackoverview-DEC2013
Openstackoverview-DEC2013
 
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
 
Secure Keystone Deployment
Secure Keystone DeploymentSecure Keystone Deployment
Secure Keystone Deployment
 

Viewers also liked

Oracle db subprograms
Oracle db subprogramsOracle db subprograms
Oracle db subprogramsSimon Huang
 
Oracle Berkeley Db 11g R2
Oracle Berkeley Db 11g R2Oracle Berkeley Db 11g R2
Oracle Berkeley Db 11g R2
Prem Kumar
 
Konsolidace Oracle DB na systémech s procesory M7
Konsolidace Oracle DB na systémech s procesory M7Konsolidace Oracle DB na systémech s procesory M7
Konsolidace Oracle DB na systémech s procesory M7
MarketingArrowECS_CZ
 
Auditing security of Oracle DB (Karel Miko)
Auditing security of Oracle DB (Karel Miko)Auditing security of Oracle DB (Karel Miko)
Auditing security of Oracle DB (Karel Miko)DCIT, a.s.
 
Oracle DB 12c SQL Tuning
Oracle DB 12c SQL TuningOracle DB 12c SQL Tuning
Oracle DB 12c SQL Tuning
OPITZ CONSULTING Deutschland
 
Oracle SQL Performance Tuning and Optimization v26 chapter 1
Oracle SQL Performance Tuning and Optimization v26 chapter 1Oracle SQL Performance Tuning and Optimization v26 chapter 1
Oracle SQL Performance Tuning and Optimization v26 chapter 1Kevin Meade
 
Oracle db performance tuning
Oracle db performance tuningOracle db performance tuning
Oracle db performance tuningSimon Huang
 

Viewers also liked (7)

Oracle db subprograms
Oracle db subprogramsOracle db subprograms
Oracle db subprograms
 
Oracle Berkeley Db 11g R2
Oracle Berkeley Db 11g R2Oracle Berkeley Db 11g R2
Oracle Berkeley Db 11g R2
 
Konsolidace Oracle DB na systémech s procesory M7
Konsolidace Oracle DB na systémech s procesory M7Konsolidace Oracle DB na systémech s procesory M7
Konsolidace Oracle DB na systémech s procesory M7
 
Auditing security of Oracle DB (Karel Miko)
Auditing security of Oracle DB (Karel Miko)Auditing security of Oracle DB (Karel Miko)
Auditing security of Oracle DB (Karel Miko)
 
Oracle DB 12c SQL Tuning
Oracle DB 12c SQL TuningOracle DB 12c SQL Tuning
Oracle DB 12c SQL Tuning
 
Oracle SQL Performance Tuning and Optimization v26 chapter 1
Oracle SQL Performance Tuning and Optimization v26 chapter 1Oracle SQL Performance Tuning and Optimization v26 chapter 1
Oracle SQL Performance Tuning and Optimization v26 chapter 1
 
Oracle db performance tuning
Oracle db performance tuningOracle db performance tuning
Oracle db performance tuning
 

Similar to OTN tour 2015 Experience in implementing SSL between oracle db and oracle clients

Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
ssuser865ecd
 
Lets Encrypt!
Lets Encrypt!Lets Encrypt!
Lets Encrypt!
Joerg Henning
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
Angel Borroy López
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
confluent
 
Java security
Java securityJava security
Java security
Bart Blommaerts
 
WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL Configuration
Simon Haslam
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
OWASP EEE
 
Open-VPN Server
Open-VPN ServerOpen-VPN Server
Open-VPN Server
Manish Kc
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
promediakw
 
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
Adel Karimi
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
SSL Certificates and Operations
SSL Certificates and OperationsSSL Certificates and Operations
SSL Certificates and Operations
Nisheed KM
 
OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101
Steve Martinelli
 
Let's Encrypt!
Let's Encrypt!Let's Encrypt!
Let's Encrypt!
Drew Fustini
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 
TLS and Certificates
TLS and CertificatesTLS and Certificates
TLS and Certificates
Karri Huhtanen
 
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
ScyllaDB
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek
 

Similar to OTN tour 2015 Experience in implementing SSL between oracle db and oracle clients (20)

Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
 
Lets Encrypt!
Lets Encrypt!Lets Encrypt!
Lets Encrypt!
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
 
Java security
Java securityJava security
Java security
 
WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL Configuration
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
Open-VPN Server
Open-VPN ServerOpen-VPN Server
Open-VPN Server
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
 
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
SSL Certificates and Operations
SSL Certificates and OperationsSSL Certificates and Operations
SSL Certificates and Operations
 
OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101
 
Let's Encrypt!
Let's Encrypt!Let's Encrypt!
Let's Encrypt!
 
Tech t18
Tech t18Tech t18
Tech t18
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
TLS and Certificates
TLS and CertificatesTLS and Certificates
TLS and Certificates
 
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 

More from Andrejs Vorobjovs

Peteris Arajs - Where is my data
Peteris Arajs - Where is my dataPeteris Arajs - Where is my data
Peteris Arajs - Where is my data
Andrejs Vorobjovs
 
Maksims Greckis - Trace File Analyzer
Maksims Greckis - Trace File Analyzer Maksims Greckis - Trace File Analyzer
Maksims Greckis - Trace File Analyzer
Andrejs Vorobjovs
 
Aleksejs Nemirovskis - Manage your data using oracle BDA
Aleksejs Nemirovskis - Manage your data using oracle BDAAleksejs Nemirovskis - Manage your data using oracle BDA
Aleksejs Nemirovskis - Manage your data using oracle BDA
Andrejs Vorobjovs
 
LVOUG meetup #18
LVOUG meetup #18LVOUG meetup #18
LVOUG meetup #18
Andrejs Vorobjovs
 
LVOUG meetup #17
LVOUG meetup #17LVOUG meetup #17
LVOUG meetup #17
Andrejs Vorobjovs
 
My two cents about Mysql backup
My two cents about Mysql backupMy two cents about Mysql backup
My two cents about Mysql backup
Andrejs Vorobjovs
 
LVOUG meetup #16
LVOUG meetup #16LVOUG meetup #16
LVOUG meetup #16
Andrejs Vorobjovs
 
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories. Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
Andrejs Vorobjovs
 
Top 15 MySQL parameters
Top 15 MySQL parameters Top 15 MySQL parameters
Top 15 MySQL parameters
Andrejs Vorobjovs
 
Riga Dev Day vestule
Riga Dev Day vestuleRiga Dev Day vestule
Riga Dev Day vestule
Andrejs Vorobjovs
 
Rdd2016 featured talks
Rdd2016 featured talksRdd2016 featured talks
Rdd2016 featured talks
Andrejs Vorobjovs
 
Rdd2016 flyer
Rdd2016 flyerRdd2016 flyer
Rdd2016 flyer
Andrejs Vorobjovs
 
meetup #15
meetup #15meetup #15
meetup #15
Andrejs Vorobjovs
 
OTN tour 2015 press release in Russian
OTN tour 2015 press release in RussianOTN tour 2015 press release in Russian
OTN tour 2015 press release in Russian
Andrejs Vorobjovs
 
OTN tour 2015, 100miles
OTN tour 2015, 100milesOTN tour 2015, 100miles
OTN tour 2015, 100miles
Andrejs Vorobjovs
 
OTN tour 2015 benchmarking oracle io performance with Orion by Alex Gorbachev
OTN tour 2015 benchmarking oracle io performance with Orion by Alex GorbachevOTN tour 2015 benchmarking oracle io performance with Orion by Alex Gorbachev
OTN tour 2015 benchmarking oracle io performance with Orion by Alex Gorbachev
Andrejs Vorobjovs
 
OTN tour 2015 Oracle Enterprise Manager 12c – Proof of Concept
OTN tour 2015 Oracle Enterprise Manager 12c – Proof of ConceptOTN tour 2015 Oracle Enterprise Manager 12c – Proof of Concept
OTN tour 2015 Oracle Enterprise Manager 12c – Proof of Concept
Andrejs Vorobjovs
 
OTN tour Oracle db Cloud by Alex Gorbachev
OTN tour Oracle db Cloud by Alex GorbachevOTN tour Oracle db Cloud by Alex Gorbachev
OTN tour Oracle db Cloud by Alex Gorbachev
Andrejs Vorobjovs
 
OTN tour 2015 AWR data mining
OTN tour 2015 AWR data miningOTN tour 2015 AWR data mining
OTN tour 2015 AWR data mining
Andrejs Vorobjovs
 
OTN tour 2015 opening speech
OTN tour 2015 opening speechOTN tour 2015 opening speech
OTN tour 2015 opening speech
Andrejs Vorobjovs
 

More from Andrejs Vorobjovs (20)

Peteris Arajs - Where is my data
Peteris Arajs - Where is my dataPeteris Arajs - Where is my data
Peteris Arajs - Where is my data
 
Maksims Greckis - Trace File Analyzer
Maksims Greckis - Trace File Analyzer Maksims Greckis - Trace File Analyzer
Maksims Greckis - Trace File Analyzer
 
Aleksejs Nemirovskis - Manage your data using oracle BDA
Aleksejs Nemirovskis - Manage your data using oracle BDAAleksejs Nemirovskis - Manage your data using oracle BDA
Aleksejs Nemirovskis - Manage your data using oracle BDA
 
LVOUG meetup #18
LVOUG meetup #18LVOUG meetup #18
LVOUG meetup #18
 
LVOUG meetup #17
LVOUG meetup #17LVOUG meetup #17
LVOUG meetup #17
 
My two cents about Mysql backup
My two cents about Mysql backupMy two cents about Mysql backup
My two cents about Mysql backup
 
LVOUG meetup #16
LVOUG meetup #16LVOUG meetup #16
LVOUG meetup #16
 
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories. Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
Middleware upgrade to Oracle Fusion Middleware(FMW) 12c.Real Case stories.
 
Top 15 MySQL parameters
Top 15 MySQL parameters Top 15 MySQL parameters
Top 15 MySQL parameters
 
Riga Dev Day vestule
Riga Dev Day vestuleRiga Dev Day vestule
Riga Dev Day vestule
 
Rdd2016 featured talks
Rdd2016 featured talksRdd2016 featured talks
Rdd2016 featured talks
 
Rdd2016 flyer
Rdd2016 flyerRdd2016 flyer
Rdd2016 flyer
 
meetup #15
meetup #15meetup #15
meetup #15
 
OTN tour 2015 press release in Russian
OTN tour 2015 press release in RussianOTN tour 2015 press release in Russian
OTN tour 2015 press release in Russian
 
OTN tour 2015, 100miles
OTN tour 2015, 100milesOTN tour 2015, 100miles
OTN tour 2015, 100miles
 
OTN tour 2015 benchmarking oracle io performance with Orion by Alex Gorbachev
OTN tour 2015 benchmarking oracle io performance with Orion by Alex GorbachevOTN tour 2015 benchmarking oracle io performance with Orion by Alex Gorbachev
OTN tour 2015 benchmarking oracle io performance with Orion by Alex Gorbachev
 
OTN tour 2015 Oracle Enterprise Manager 12c – Proof of Concept
OTN tour 2015 Oracle Enterprise Manager 12c – Proof of ConceptOTN tour 2015 Oracle Enterprise Manager 12c – Proof of Concept
OTN tour 2015 Oracle Enterprise Manager 12c – Proof of Concept
 
OTN tour Oracle db Cloud by Alex Gorbachev
OTN tour Oracle db Cloud by Alex GorbachevOTN tour Oracle db Cloud by Alex Gorbachev
OTN tour Oracle db Cloud by Alex Gorbachev
 
OTN tour 2015 AWR data mining
OTN tour 2015 AWR data miningOTN tour 2015 AWR data mining
OTN tour 2015 AWR data mining
 
OTN tour 2015 opening speech
OTN tour 2015 opening speechOTN tour 2015 opening speech
OTN tour 2015 opening speech
 

Recently uploaded

Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
chanes7
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
SACHIN R KONDAGURI
 
S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
tarandeep35
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
Thiyagu K
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Atul Kumar Singh
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
Nguyen Thanh Tu Collection
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
Vivekanand Anglo Vedic Academy
 
Group Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana BuscigliopptxGroup Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana Buscigliopptx
ArianaBusciglio
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
thanhdowork
 
Marketing internship report file for MBA
Marketing internship report file for MBAMarketing internship report file for MBA
Marketing internship report file for MBA
gb193092
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
Celine George
 
Chapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdfChapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdf
Kartik Tiwari
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
TechSoup
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
Levi Shapiro
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
Wasim Ak
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
JosvitaDsouza2
 

Recently uploaded (20)

Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
 
S1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptxS1-Introduction-Biopesticides in ICM.pptx
S1-Introduction-Biopesticides in ICM.pptx
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
Group Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana BuscigliopptxGroup Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana Buscigliopptx
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
 
Marketing internship report file for MBA
Marketing internship report file for MBAMarketing internship report file for MBA
Marketing internship report file for MBA
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
 
Chapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdfChapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdf
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
 

OTN tour 2015 Experience in implementing SSL between oracle db and oracle clients

  • 1. Experience in implementing SSL between Oracle DB and Oracle Clients
  • 2. Agenda ● Project overview ● SSL session (1 way/2 ways) ● Certificate Authorities & Certificates ● 3 Different Oracle Listeners configurations (insecure/secure/ssl) ● SSL & Oracle Clients setup (tns configuration parameters) ● Issues faced & troubleshooting tools ● Conclusion ● Q & A
  • 3. RAC Cluster Project overview SSL Listener SEC Listener SCAN Listeners Developers & End users / tools directly connecting to DB Main application technology stack OBIEE, WLS, Forms, Reports Integrations Other DBs, Essbase, Ora Net Clients SSL Listener SEC Listener SSL Listener SEC Listener
  • 4. How does SSL/TLS work? How does SSL/TLS work? from http://security.stackexchange.com/ => here How does SSL work? What is an SSL handshake? from http://www.symantec.com/ => here Transport Layer Security from https://en.wikipedia.org/ => here
  • 5. SSL session overview (1 way) ServerInitial request (to https://domainname.com) Hello .... SSLv2, SSLv3, TLSv1, .... ciphers, hash function ● Server Certificate ● Server Private Key Server Certificate (signed by Certificate Authority) Public Key + Domain Name (subject) + Org name ....● List of Trusted CA certificates Establish trust ... Agree on the symmetric encryption key ... premaster secret master secret & generate session keys Use session key and agreed encryption cipher to send data ...
  • 6. SSL session overview (2 way) Server ● Server Certificate ● Server Private Key● List of Trusted CA certificates Establish trust ... Agree on the symmetric encryption key ... master secret & generate session keys Use session key and agreed encryption cipher to send data ... premaster secret ● Client Certificate ● Client Private Key ● List of Trusted CA certificates
  • 7. ● There are 3 options to obtain an SSL certificate a. Generate your own self-signed certificate (from https://www.linux.com here) b. Request certificate from your organisation CA c. Request certificate from public CA ■ VeriSign ■ GeoTrust ■ ... https://en.wikipedia.org/wiki/Certificate_authority ● In A & B you or your organisation controls hashing and encryption protocols ● However no clients will recognize certificate by default ● In option C you will need to make sure your client versions supports protocols dictated by external CA a. Recent example => Many CAs announced that they will not support SHA-1 forcing SHA256/SHA-2 implementation Certificate Authorities & Certificates
  • 8. ● Intermediate certificate authorities ○ https://en.wikipedia.org/wiki/Intermediate_certificate_authorities Certificate Authorities & Certificates
  • 14. 3 Different Oracle Listeners configurations ● Default Listener (insecure) ○ Username/password are encrypted ● Secure Listener ○ Use encryption the same way as SSL Listener ○ No authentication phase (SSL handshake) ● SSL Listener ○ Use encryption ○ Could be configured with 1 way or 2 ways authentication
  • 15. Default Listener (insecure) listener.ora LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL=TCP)(HOST = db_host)(PORT = 1521)) (ADDRESS = (PROTOCOL=IPC)(KEY = REGLSNR_LISTENER)) )
  • 16. Secure Listener listener.ora LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL=TCP)(HOST = db_host)(PORT = 1522)) (ADDRESS = (PROTOCOL=IPC)(KEY = REGLSNR_LISTENER)) ) sqlnet.ora sqlnet.crypto_checksum_server = REQUIRED sqlnet.encryption_server = REQUIRED sqlnet.crypto_checksum_types_server = (SHA1) sqlnet.encryption_types_server = (AES256)
  • 17. listener.ora LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL=TCPS)(HOST = db_host)(PORT = 1523)) (ADDRESS = (PROTOCOL=IPC)(KEY = REGLSNR_LISTENER)) ) WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/SSL/certs) ) ) SSL_CLIENT_AUTHENTICATION = FALSE SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA) SSL Listener
  • 18. oracle@host > openssl s_client -connect db_host:1523 CONNECTED(00000003) depth=0 CN = PROD ... verify return:1 Certificate chain 0 s:/CN=PROD i:/CN=PROD --- Server certificate -----BEGIN CERTIFICATE----- MIIBkDCB+gIBADANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZFQlNMTlAwHhcN MTQwNzAyMDQzNTI4WhcNNDExMTE2MDUzNTI4WjARMQ8wDQYDVQQDEwZFQlNMTlAw gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJGbN1hxmtFKx1SpUU8JPvRyjMzW ... -----END CERTIFICATE----- subject=/CN=PROD issuer=/CN=PROD --- Acceptable client certificate CA names /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA /C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- SSL handshake has read 1269 bytes and written 210 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA ... SSL & Oracle Clients setup
  • 19. SSL & Oracle Clients setup ... --- SSL handshake has read 1269 bytes and written 210 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: Session-ID-ctx: Master-Key: 68E402B5CD161618522350EE... Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1447632207 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- oracle@host >
  • 21. == TCP ========================================================================== tnsnames.ora PROD = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = prod-db-scan.corp.myorg.lv)(PORT = 1523)) ) (CONNECT_DATA = (SERVICE_NAME = PROD_ETL01) ) ) == TCPS ========================================================================= tnsnames.ora PROD_SSL = (DESCRIPTION = (SECURITY=(SSL_SERVER_CERT_DN="CN=prod-db.corp.myorg.lv,O=MyOrg Inc,L=Riga,C=Latvia")) (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = prod-db-scan.corp.myorg.lv)(PORT = 7048)) ) (CONNECT_DATA = (SERVICE_NAME = PROD_ETL01) ) ) SSL & Oracle Clients setup (OCI)
  • 22. == TCPS ========================================================================== sqlnet.ora SSL_SERVER_DN_MATCH = yes SSL_CLIENT_AUTHENTICATION = FALSE SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA) WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/SSL/cert) ) ) SSL & Oracle Clients setup (OCI)
  • 23. ● java … -Doracle.net.ssl_server_dn_match=true … ● jdbc:oracle:thin:@ (DESCRIPTION =( SECURITY=(SSL_SERVER_CERT_DN="CN=prod-db.corp.myorg.lv,O=MyOrg Inc,L=Riga,C=Latvia")) (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = prod-db-scan.corp.myorg.lv)(PORT = 7048) ))(CONNECT_DATA = (SERVICE_NAME = PROD_ETL01))) ● Java has it own certificate store SSL & Oracle Clients setup (JDBC)
  • 25. SSL & Oracle Clients setup (OCI) Using the orapki Utility to Manage PKI Elements https://docs.oracle.com/database/121/DBSEG/asoappf.htm#DBSEG610
  • 26. $ ls -l /u01/app/oracle/SSL/cert/* total 16 -rw-r--r--@ 1 yvel 5000 1365 Aug 21 2014 cwallet.sso -rw-r--r--@ 1 yvel 5000 1288 Aug 21 2014 ewallet.p12 oracle@host:/home/oracle> orapki wallet display -wallet /u01/app/oracle/SSL/cert ; date Oracle PKI Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=PROD Trusted Certificates: Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Wed Sep 9 16:27:36 PDT 2015 oracle@kpfp2:/home/oracle> orapki wallet create -wallet $WALLET -auto_login -pwd $v_pwd orapki wallet remove -wallet $WALLET -trusted_cert_all -pwd $v_pwd orapki wallet display -wallet $WALLET -pwd $v_pwd orapki wallet jks_to_pkcs12 -wallet $WALLET -keystore /full/path/to/certificate.jks -jkspwd <pwd> orapki wallet add -wallet $WALLET -trusted_cert -cert GIAG2.crt -pwd $v_pwd SSL & Oracle Clients setup (OCI)
  • 27. SSL & Oracle Clients setup (OCI) $ openssl pkcs12 -info -in /u01/app/oracle/SSL/cert/ewallet.p12 Enter Import Password: MAC Iteration 1024 MAC verified OK PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024 Certificate bag Bag Attributes localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04 subject=/C=US/O=MyOrg Inc/CN=MyOrg Internet Authority G2 issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA -----BEGIN CERTIFICATE----- MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE ... PKCS 12 => https://en.wikipedia.org/wiki/PKCS_12 It defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate.
  • 28. ● JDBC Clients ○ Have it own default certificate store with preloaded trusted CA list $ v_java_cert=/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security/cacerts $ keytool -list -keystore $v_java_cert -storepass changeit Keystore type: JKS Keystore provider: SUN Your keystore contains 93 entries digicertassuredidrootca, Apr 16, 2008, trustedCertEntry, Certificate fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43 comodorsaca, May 12, 2015, trustedCertEntry, Certificate fingerprint (SHA1): AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4 thawtepremiumserverca, May 26, 2015, trustedCertEntry, Certificate fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66 ... $ keytool -exportcert -alias digicertassuredidrootca -keystore $v_java_cert -storepass changeit - file test.crt -rfc $ keytool -printcert -file test.crt Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US Serial number: ce7e0e517d846fe8fe560fc1bf03039 Valid from: Thu Nov 09 16:00:00 PST 2006 until: Sun Nov 09 16:00:00 PST 2031 Certificate fingerprints: MD5: 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72 SSL & Oracle Clients setup (JBDC)
  • 29. SSL & Oracle Clients setup (JDBC) ● A JRE client must be updated with the JCE to enable TLS_RSA_WITH_AES_256_CBC_SHA cipher. ○ Download appropriate JCE archive with 2 jar files ○ Copy the jar files to $JAVA_HOME/jre/lib/security/ directory ● The JCE could be obtained from the URL below depending on a JRE version ○ 1.6 JCE ○ 1.7 JCE ○ 1.8 JCE
  • 31. RAC Cluster Variety of clients and versions to cover ... SSL Listener SEC Listener SCAN Listeners Developers & End users using tools directly connecting to DB Main application technology stack OBIEE, WLS, Forms, Reports Integrations Other DBs, Essbase, Ora Net Clients SSL Listener SEC Listener SSL Listener SEC Listener 1. 2.3.
  • 32. Some components used old Oracle Clients ● Essbase ○ Blend in 11.1.0.7 Oracle Client ○ Challenging to update ● OBIEE ○ Presentation layer use 11.1.0.7 Oracle Client
  • 33. SSL Listener & TCP Buffer Problem definition Initial: ● DB Instances doesn't register DB Services with a remote SCAN listeners, after a new certificate has been added to server wallet Current: ● All SSL connections from one node hangs connecting to any SSL enabled listeners that runs on a remote node if a listener is able to send data out quickly enough
  • 34. SSL Listener & TCP Buffer SSL Listener works if …. a) strace-ing the listener process b) turning debug logging up to a high level in the listener c) Running the listener on a non-bonded interface d) Having the listener increase its send buffer size from 16k (default) to 32k or 64k on the socket d1) We can also do this at the OS level via `echo "4096 32768 4194304" > /proc/sys/net/ipv4/tcp_wmem'
  • 35. SSL Listener & TCP Buffer Normal / Expected processing sPORT:sIP - cIP:cPORT TCP socketTCP socket buffer Process owner of the socket O_NONBLOCK W3 W2 W1 DATA Data writes O_NONBLOCK sPORT:sIP - cIP:cPORTProcess owner of the socket DATA Kernel waits a bit for more data and sends it out Buffer is full. Kernel sends EAGAIN back 5k 1k 3k 3k W3b 2k W3bEAGAIN sPORT:sIP - cIP:cPORTProcess owner of the socket The process code handles error and keep sending the rest of the data until successful 3k W3b 3k Kernel refuses writes until buffer is free
  • 36. Oracle Listener - fails to process EAGAIN TCP socketTCP socket buffer O_NONBLOCK Data writes O_NONBLOCK sPORT:sIP - cIP:cPORTSSL Listener DATA Buffer is full. Kernel sends EAGAIN back 3k W3b 2k W3bEAGAIN sPORT:sIP - cIP:cPORTSSL Listener Listener never re-sends the W3b part Kernel ready to process writes after some time Oracle Listener ssl handshake function fails to process EAGAIN errors sPORT:sIP - cIP:cPORTSSL Listener DATA Buffer is full. Kernel sends EAGAIN back 2k W3b 3k W3b The W3b part is dropped Where is client's response? W3b The W3b part is dropped SSL Listener & TCP Buffer
  • 38. RAC Cluster Variety of clients and versions to cover ... SSL Listener SEC Listener SCAN Listeners Developers & End users using tools directly connecting to DB Main application technology stack OBIEE, WLS, Forms, Reports Integrations Other DBs, Essbase, Ora Net Clients SSL Listener SEC Listener SSL Listener SEC Listener
  • 39. Q & A