2. Advisor Webcast PDF, Recording and Community Thread
Recording will be available within 48 hours at Advisor Webcast PDF & Recording: Oracle Support Document 2877140.2 - Troubleshooting issues with TCPS Configuration/Communication on Database [Video]
https://support.oracle.com/rs?type=doc&id=2877140.2
Use Community link for Q&A - https://community.oracle.com/mosc/discussion/xxxx
For upcoming Oracle Database Advisor Webcasts & recordings, see Doc ID 1456176.2
Copyright 2022, Oracle and/or affiliates. All rights reserved
4. Global Customer Support, Database Security
July 14, 2022
SRINIVASA R
Troubleshooting issues with TCPS Configuration/Communication on
Database
Oracle Support Advisor Webcast
6. The following is intended to outline our general product direction. It is intended for information purposes
only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code,
or functionality, and should not be relied upon in making purchasing decisions. The development, release,
timing, and pricing of any features or functionality described for Oracle’s products may change and
remains at the sole discretion of Oracle Corporation.
Safe harbor statement
8. Topics
1. Basics of Transport Layer Security Configuration
2. Validating TCPS Configuration on Database
3. Validating the SSL wallets and certificates on Server and Client
4. Troubleshooting SSL Handshake failures between DBServer and Client
5. ORA Errors related to SSL adapter
9. 1 Basics of Transport Layer Security Configuration
Troubleshooting issues with TCPS
10. 1. What is SSL/TLS?
SSL/TLS creates an encrypted connection between server and client, allowing private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery. To enable SSL on a website, you will need to get an SSL Certificate that identifies you and install it on the server.
2. Why do I need SSL?
If you are transmitting sensitive information on a web site, such as credentials or personal information, you need to secure it with SSL encryption. It is possible for every piece of data to be seen by others unless it is secured by an SSL certificate.
3. SSL Certificate
SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details.
User/Server Certificate: An SSL Certificate issued to a specific server/host is termed a Server Certificate/User Certificate/Identity Certificate.
Intermediate Certificate: Intermediate certificates are used as a stand-in for our root certificate.
Root Certificate: It is a public key certificate that identifies the Root Certificate Authority.
4. Certificate authority (CA)
A certificate authority is an entity which issues digital certificates to organizations or people after validating them. Certification authorities have to keep detailed records of what has been issued and the information used to issue it, and are audited regularly to make sure that they are following defined procedures.
1. Basics of Transport Layer Security Configuration
11. 5. Wallet
A wallet is a repository of security certificates and credentials. Oracle Database and OHS store certificates in wallets.
We can create password-protected wallets (ewallet.p12) and the corresponding auto-login wallet (cwallet.sso).
6. Signature Algorithm
The algorithm used to create the signature. The signature is used to verify that the certificate came from the issuer.
It is used to sign the certificates. Signature strength is directly related to the key size: the larger the key, the stronger the signature.
7. Cipher
In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure.
A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol.
8. SSL Handshake
The client and server establish which algorithms to use.
The server sends its certificate to the client and the client verifies that the server's certificate was signed by a trusted CA.
If client authentication is required, the client sends its own certificate to the server and the server verifies that the client's certificate was signed by a trusted CA.
The client and server exchange key information using public key cryptography. Based on this information, each generates a session key.
12. TLS provides authentication, data encryption, and data integrity.
The TLS protocol is the foundation of a public key infrastructure (PKI).
For authentication, TLS uses digital certificates that comply with the
X.509v3 standard and a public and private key pair.
Oracle Database TLS can be used to secure communications between
any client and any server. You can configure TLS to provide
authentication for the server only, the client only, or both client and
server.
Basics of Transport Layer Security Configuration
13. 1. Create the SSL Wallet (ewallet.p12 and cwallet.sso)
$orapki wallet create -wallet <wallet_location> -auto_login
2. Raise Certificate Signing Request (CSR)
orapki wallet add -wallet <wallet_location> -dn <user_dn> -keysize 512|1024|2048|4096 -pwd <wallet_password>
Eg:
orapki wallet add -wallet <wallet_location> -dn CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN -keysize 512|1024|2048|4096 -pwd <wallet_password>
3. Submit CSR to Certificate Authority (CA) to get signed SSL certificates in Base64 format
orapki wallet export -wallet <wallet_location> -dn <certificate_request_dn> -request <certificate_request_filename> -pwd <wallet password>
Eg:
orapki wallet export -wallet <wallet_location> -dn CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN -request csr.txt -pwd <wallet password>
4. Import trusted and user certificates to wallet
orapki wallet add -wallet <wallet_location> -trusted_cert -cert <root_certificate_location> -pwd <wallet_password>
orapki wallet add -wallet <wallet_location> -trusted_cert -cert <intermediate_certificate_location> -pwd <wallet_password>
orapki wallet add -wallet <wallet_location> -user_cert -cert <user_certificate_location> -pwd <wallet_password>
Review of SSL wallet creation and importing certificates to it
14. 5. Review the wallet created for DB server
$orapki wallet display -wallet /refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets
Requested Certificates:
User Certificates:
Subject: CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
Trusted Certificates:
Subject: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
6. Similarly, create a wallet on the Client and import the DB trusted certificates to the Client wallet
7. After the creation of wallets, SSL/TLS is enabled on DB
Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)
15. Validating TCPS Configuration on Database
Troubleshooting issues with TCPS
16. <DB HOME>/bin>lsnrctl status <listener name>
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname.domainname)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 19.0.0.0.0 - Production
Start Date 30-JUN-2022 15:01:08
Uptime 3 days 21 hr. 10 min. 27 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/network/admin/listener.ora
Listener Log File /refresh/home/app/19.8.0.0/oracle/diag/tnslsnr/hostname/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hostname.domainname)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=hostname.domainname)(PORT=1523)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=hostname.domainname)(PORT=5510))(Security=(my_wallet_directory=/refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets))(Presentation=HTTP)(Session=RAW))
Services Summary...
Service "orcl19800.domainname" has 1 instance(s).
Instance "orcl19800", status READY, has 1 handler(s) for this service...
Service "orcl19800XDB.domainname" has 1 instance(s).
Instance "orcl19800", status READY, has 1 handler(s) for this service...
The command completed successfully
1.Status of listener
18. 3.sqlnet.ora on the server
---------
wallet_location =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=/refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets)
)
)
#Set the below parameter to TRUE, for users to be authenticated by Database with SSL certificates,
SSL_CLIENT_AUTHENTICATION=FALSE
#This parameter is recommended to force the use of TLS latest version 1.2
SSL_VERSION=1.2
#Set this parameter ON so that SSL_SERVER_CERT_DN in tnsnames.ora is effective
#SSL_SERVER_DN_MATCH=ON
19. 4.DB Client files will have Wallet and TCPS connection descriptors
sqlnet.ora on the Client
-----------
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
#Specify the wallet location with wallet_location parameter
wallet_location =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=/u01/db/db12/12.2.0/srinivasa/wallets)
))
#Set the below parameter to TRUE, for users to be authenticated by Database with SSL certificates,
SSL_CLIENT_AUTHENTICATION=FALSE
#This parameter is recommended to force the use of TLS latest version 1.2
SSL_VERSION=1.2
tnsnames.ora
--------
orcl19800_SSL =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = hostname.domainname)(PORT = 1523))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl19800.domainname)
))
20. 5.Connection to Database over TCPS
$sqlplus srini/<password>@orcl19800_ssl
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Jul 4 16:23:05 2022
Version 19.8.0.0.0
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.8.0.0.0
SQL> show user
USER is "SRINI"
SQL> select sys_context('USERENV','NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcps
21. Validating the SSL wallets and certificates on Server and Client
Troubleshooting issues with TCPS
22. The contents in the wallet can be dumped using the command below.
1.Wallet on DB Server
$export ORACLE_HOME=<DB HOME>
$orapki wallet display -wallet /refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets
Requested Certificates:
User Certificates:
Subject: CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
Trusted Certificates:
Subject: CN=ClientCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
Subject: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
2.Wallet on Client
$export ORACLE_HOME=<CLIENT HOME>
$orapki wallet display -wallet /u01/db/db12/12.2.0/srinivasa/wallets
Requested Certificates:
User Certificates:
Subject: CN=client.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
Trusted Certificates:
Subject: CN=ClientCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
Subject: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
3.Validating the SSL Wallets on Server and Client
23. Troubleshooting SSL Handshake failures between DBServer and Client
Troubleshooting issues with TCPS
24. I. Verify if the listener is accessible through SSL port
1.Check the listener hostname/IP and TCPS port set from the status of listener
$lsnrctl status <listener name>
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=hostname.domainname)(PORT=1523)))
2.Check the DB Service name is listed under Services
Services Summary...
Service "orcl19800.domainname" has 1 instance(s).
Instance "orcl19800", status READY, has 1 handler(s) for this service...
Follow the checklist below when connection to DB fails over SSL connection
25. 2.Run the command below to verify if the listener is able to load the certificates.
The command needs to return the certificates.
$ openssl s_client -connect dbserver.domainname:1523
CONNECTED(00000003)
depth=1 C = IN, ST = KAR, L = BLR, O = ORACLE, OU = DBSEC, CN = DBServerCA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=IN/ST=Karnataka/L=BLR-OTP/O=ORACLE/OU=DBSEC/CN=dbserver.domainname
i:/C=IN/ST=KAR/L=BLR/O=ORACLE/OU=DBSEC/CN=DBServerCA
1 s:/C=IN/ST=KAR/L=BLR/O=ORACLE/OU=DBSEC/CN=DBServerCA
i:/C=IN/ST=KAR/L=BLR/O=ORACLE/OU=DBSEC/CN=DBServerCA
Server certificate
-----BEGIN CERTIFICATE-----
3. If the output returns an error as below, then the wallets were not loaded during listener startup.
$ openssl s_client -connect dbserver.domainname:1523
CONNECTED(00000003)
140404937381776:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1657277758
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
27. 1.Check WALLET_LOCATION specified in listener.ora and validate it is correct
wallet_location =(SOURCE=(METHOD=File)(METHOD_DATA=(DIRECTORY=/refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets)))
2.Check the DB User has read permissions on the wallet files
3.Dump the contents of the wallet and ensure it contains the user certificate and trusted certificates
$orapki wallet display -wallet /refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets
Requested Certificates:
User Certificates:
Subject: CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
Trusted Certificates:
Subject: CN=ClientCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
Subject: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
4.Dump the certificates and ensure they are valid
$orapki cert display -cert user.txt
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
Subject: CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
Issuer: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
Valid Until: Tue Jul 04 14:14:51 GMT 2023
Solution:
28. II.Check tnsping works on TCPS port from server and client
For a successful connection:
$ tnsping "(ADDRESS=(PROTOCOL=tcps)(HOST=dbserver.domainname)(PORT=1523))"
TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 06-JUL-2022 21:37:53
Copyright (c) 1997, 2020, Oracle. All rights reserved.
Attempting to contact
(ADDRESS=(PROTOCOL=tcps)(HOST=dbserver.domainname)(PORT=1523))
OK (190 msec)
In case of failure:
$ tnsping "(ADDRESS=(PROTOCOL=tcps)(HOST=dbserver.domainname)(PORT=1523))"
TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 06-JUL-2022 21:37:53
Copyright (c) 1997, 2020, Oracle. All rights reserved.
Attempting to contact
(ADDRESS=(PROTOCOL=tcps)(HOST=dbserver.domainname)(PORT=1523))
TNS-12560: TNS:protocol adapter error
29. 1.Check wallet_location in sqlnet.ora on Client/server and if wallets exist in it
wallet_location =(SOURCE=(METHOD=File)(METHOD_DATA=(DIRECTORY=/refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets)))
2.Check the server/client wallet and ensure the trusted certificates of DB are imported to it
$orapki wallet display -wallet /u01/db/db12/12.2.0/srinivasa/wallets
Requested Certificates:
User Certificates:
Subject: CN=client.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
Trusted Certificates:
Subject: CN=ClientCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
Subject: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
3.If SSL_CLIENT_AUTHENTICATION=TRUE , then ensure the trusted certificates of Client are imported to DB Wallets
$orapki wallet display -wallet /refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets
Requested Certificates:
User Certificates:
Subject: CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
Trusted Certificates:
Subject: CN=ClientCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
Subject: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
4.SSL_VERSION set on the server needs to be supported by the client (1.2, 1.1, 1)
Update SSL_VERSION in the client sqlnet.ora with the same value as on the server
SSL_VERSION=1.2
Solution:
30. III.Check connection to DB
sqlplus username/password@orcl19800_ssl
ERROR:
ORA-28865: SSL connection closed
Solution:
1.Check the sqlnet.ora in DB HOME for the wallet location and ensure the wallets are same as set in listener.ora
2.If SSL_CLIENT_AUTHENTICATION=TRUE , then ensure the trusted certificates of Client are imported to DB Wallets
$orapki wallet display -wallet /refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets
Requested Certificates:
User Certificates:
Subject: CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
Trusted Certificates:
Subject: CN=ClientCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
Subject: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
3.SSL_VERSION set on the server needs to be supported by the client (1.2, 1.1, 1)
Update SSL_VERSION in the client sqlnet.ora with the same value as on the server.
SSL_VERSION=1.2
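The Solution items above (same wallet in listener.ora and sqlnet.ora, readable wallet files, matching SSL_VERSION on server and client) can be checked statically before enabling tracing. The script below is an added example, not Oracle tooling: the function names and the sample files it writes to a temporary directory are constructed for illustration, and it assumes wallet paths without spaces.

```shell
#!/bin/sh
# Added example (not Oracle-supplied): static checks behind the Solution lists.
# All function names are hypothetical; only the .ora files are read.

# Value of a one-line NAME=value parameter. Names are case-insensitive and
# lines starting with '#' are comments. Prints nothing when absent.
ora_param() {            # usage: ora_param FILE NAME
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0; gsub(/[ \t\r]/, "", line)
            eq = index(line, "=")
            if (eq > 1 && toupper(substr(line, 1, eq - 1)) == toupper(want)) {
                print substr(line, eq + 1); exit
            }
        }' "$1"
}

# DIRECTORY inside the (possibly multi-line) WALLET_LOCATION entry.
ora_wallet_dir() {       # usage: ora_wallet_dir FILE
    awk '
        /^[ \t]*#/ { next }
        { gsub(/[ \t\r]/, ""); buf = buf $0 }
        END {
            start = index(toupper(buf), "WALLET_LOCATION=")
            if (start == 0) exit
            rest = substr(buf, start)
            d = index(toupper(rest), "(DIRECTORY=")
            if (d == 0) exit
            rest = substr(rest, d + 11)          # 11 = length of "(DIRECTORY="
            print substr(rest, 1, index(rest, ")") - 1)
        }' "$1"
}

# Prints one line per finding, or PASS. Returns non-zero on any FAIL.
check_tcps_files() {     # usage: check_tcps_files LISTENER_ORA SERVER_SQLNET CLIENT_SQLNET
    l_dir=$(ora_wallet_dir "$1"); s_dir=$(ora_wallet_dir "$2")
    s_ver=$(ora_param "$2" SSL_VERSION); c_ver=$(ora_param "$3" SSL_VERSION)
    s_auth=$(ora_param "$2" SSL_CLIENT_AUTHENTICATION)
    rc=0
    if [ -z "$l_dir" ]; then
        echo "FAIL listener.ora has no WALLET_LOCATION"; rc=1
    elif [ "$l_dir" != "$s_dir" ]; then
        echo "FAIL wallet differs: listener.ora=$l_dir sqlnet.ora=$s_dir"; rc=1
    fi
    # The listener opens the auto-login wallet, so it must be readable by this user.
    if [ -n "$l_dir" ] && [ ! -r "$l_dir/cwallet.sso" ]; then
        echo "FAIL cannot read $l_dir/cwallet.sso as $(id -un)"; rc=1
    fi
    if [ "$s_ver" != "$c_ver" ]; then
        echo "FAIL SSL_VERSION server=${s_ver:-unset} client=${c_ver:-unset}"; rc=1
    fi
    case "$s_auth" in
        [Tt][Rr][Uu][Ee])
            echo "NOTE client authentication is on: client CA must be trusted in $s_dir" ;;
    esac
    [ "$rc" -eq 0 ] && echo "PASS"
    return "$rc"
}

# Constructed sample files modelled on the slides (paths are temporary placeholders).
make_sample() {          # usage: make_sample DIR CLIENT_SSL_VERSION
    mkdir -p "$1/wallets" && : > "$1/wallets/cwallet.sso"
    cat > "$1/listener.ora" <<EOF
WALLET_LOCATION =
  (SOURCE=
    (METHOD=File)
    (METHOD_DATA=
      (DIRECTORY=$1/wallets)))
EOF
    cat > "$1/sqlnet.server.ora" <<EOF
wallet_location =
 (SOURCE=(METHOD=File)(METHOD_DATA=(DIRECTORY=$1/wallets)))
#SSL_SERVER_DN_MATCH=ON
SSL_CLIENT_AUTHENTICATION=FALSE
SSL_VERSION=1.2
EOF
    printf 'SSL_CLIENT_AUTHENTICATION=FALSE\nSSL_VERSION = %s\n' "$2" \
        > "$1/sqlnet.client.ora"
}

# Demo: a client left on 1.1 against a server pinned to 1.2.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" 1.1
check_tcps_files "$demo_dir/listener.ora" "$demo_dir/sqlnet.server.ora" \
    "$demo_dir/sqlnet.client.ora" || true
rm -rf "$demo_dir"
```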
31. Enable sqlnet tracing to identify and troubleshoot the errors from the
SSL layer using:
Note 395525.1 How to Enable Oracle SQL*Net Client , Server , Listener ,
Kerberos and External procedure Tracing from Net Manager
More debug details will be covered in next Webcast:
Troubleshooting Tcps/SSL through Wireshark
Troubleshooting SSL Handshake failures between DBServer and Client
32. ORA Errors that may occur while you use the Oracle Database SSL adapter
Troubleshooting issues with TCPS
33. 1.TNS:protocol adapter error (ORA-12560)
Ensure listener is accessible through SSL port and tnsping works correctly
2.ORA-29024:Certificate Validation Failure
-Check the client wallet and ensure the trusted certificates of DB are imported to it
-Check that server certificate is not imported as a trusted certificate
3.ORA-29143/29106: Wallet open failed with error 29143/29106
-For versions less than 12.1.0.2.201020, apply Patch 23184013
-If cwallet.sso is created with auto_login_local, it can be used only by the user who created it.
4.ORA-28860: Fatal SSL error
-There is a mismatch between SSL Protocol version or cipher suite between Client and Server.
5.ORA-28864: SSL connection closed gracefully
-The certificates have been signed using MD5 hashing algorithm and after the database upgrade to 12.2 the handshake uses the TLS1.2 protocol.
6.Additional and new errors if any will be updated in MOS document below
How To Investigate And Troubleshoot SSL/TLS Issues on the Database And Client SQL*Net Layer (Doc ID 2238096.1)
5.ORA Errors that may occur while you use the Oracle Database SSL adapter.
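The `openssl s_client` check, the client wallet check and the ORA-29024 hints above can be combined into one triage step. The script below is an added example, not Oracle code: its function names are hypothetical and its sample texts are constructed from the outputs shown on the slides. It compares DNs as exact strings and checks only the immediate issuer of the server certificate.

```shell
#!/bin/sh
# Added example, not Oracle code. Correlates `openssl s_client` output with
# the client's `orapki wallet display` output. Function names are hypothetical.

# Convert an openssl DN ("/C=IN/.../CN=x" or "C = IN, ..., CN = x") to orapki
# order ("CN=x,...,C=IN"). Values containing "/" or "," are not handled.
to_orapki_dn() {
    printf '%s\n' "$1" | awk '{
        if (substr($0, 1, 1) == "/") {
            n = split(substr($0, 2), rdn, "/")
        } else {
            gsub(/ *= */, "="); n = split($0, rdn, / *, */)
        }
        out = rdn[n]
        for (i = n - 1; i >= 1; i--) out = out "," rdn[i]
        print out
    }'
}

# Subject (s) or issuer (i) of certificate 0 in the "Certificate chain" section.
chain_field() {          # usage: chain_field S_CLIENT_TEXT s|i
    printf '%s\n' "$1" | awk -v f="$2" '
        /^[ \t]*0 s:/ { leaf = 1 }
        /^[ \t]*1 s:/ { leaf = 0 }
        leaf {
            line = $0; sub(/^[ \t]*/, "", line); sub(/^[0-9]+ /, "", line)
            if (substr(line, 1, 2) == f ":") { print substr(line, 3); exit }
        }'
}

# Subjects listed under "Trusted Certificates:" in `orapki wallet display` output.
wallet_trusted() {       # usage: wallet_trusted WALLET_DISPLAY_TEXT
    printf '%s\n' "$1" | awk '
        /^[ \t]*Trusted Certificates:/ { t = 1; next }
        /^[ \t]*(Requested|User) Certificates:/ { t = 0; next }
        t && sub(/^[ \t]*Subject:[ \t]*/, "") { print }'
}

# Prints one verdict and returns non-zero unless it is OK.
diagnose_tcps() {        # usage: diagnose_tcps S_CLIENT_TEXT CLIENT_WALLET_DISPLAY_TEXT
    case "$1" in
        *"no peer certificate available"*)
            # Listener presented nothing: check WALLET_LOCATION, permissions, contents.
            echo "NO_SERVER_CERT"; return 1 ;;
    esac
    subject=$(to_orapki_dn "$(chain_field "$1" s)")
    issuer=$(to_orapki_dn "$(chain_field "$1" i)")
    trusted=$(wallet_trusted "$2")
    if [ -z "$subject" ] || [ -z "$issuer" ]; then
        echo "NO_CHAIN_PARSED"; return 1
    fi
    # Slide 33: the server certificate must not be imported as a trusted certificate.
    if printf '%s\n' "$trusted" | grep -Fxq -- "$subject"; then
        echo "SERVER_CERT_IMPORTED_AS_TRUSTED"; return 1
    fi
    # ORA-29024 path: the CA that signed the server certificate is missing.
    if ! printf '%s\n' "$trusted" | grep -Fxq -- "$issuer"; then
        echo "ISSUER_NOT_TRUSTED $issuer"; return 1
    fi
    echo "OK"
}

# Constructed samples, shortened from the outputs shown on the slides.
S_CLIENT_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=IN/ST=Karnataka/L=BLR-OTP/O=ORACLE/OU=DBSEC/CN=dbserver.domainname
   i:/C=IN/ST=KAR/L=BLR/O=ORACLE/OU=DBSEC/CN=DBServerCA
 1 s:/C=IN/ST=KAR/L=BLR/O=ORACLE/OU=DBSEC/CN=DBServerCA
   i:/C=IN/ST=KAR/L=BLR/O=ORACLE/OU=DBSEC/CN=DBServerCA
---'
S_CLIENT_FAIL='CONNECTED(00000003)
no peer certificate available
New, (NONE), Cipher is (NONE)'
CLIENT_WALLET='Requested Certificates:
User Certificates:
Subject: CN=client.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
Trusted Certificates:
Subject: CN=ClientCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
Subject: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN'

diagnose_tcps "$S_CLIENT_OK" "$CLIENT_WALLET"
diagnose_tcps "$S_CLIENT_FAIL" "$CLIENT_WALLET" || true
```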
34. Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)
Step by Step Guide: How to Configure SSL/TLS on ORACLE RAC (with
SCAN) (Doc ID 1448841.1)
SSL Troubleshooting Guide (Doc ID 166492.1)
Note 395525.1 How to Enable Oracle SQL*Net Client , Server , Listener ,
Kerberos and External procedure Tracing from Net Manager
Document Reference:
35. Locating Current Schedule & Archived Recordings
Oracle Support Advisor Webcast Program
Access Advisor Webcasts information for all Oracle
products from Doc ID 740966.2 or directly access
upcoming and prior webcasts for Oracle Database
from Doc ID 1456176.2
Under Prior Webcast Recordings tab access
recordings and webcast slides (.pdf)
Recording available within 48 hours at: Oracle
Document 2877140.2 - Troubleshooting issues with
TCPS Configuration/Communication on Database
[Video]
https://support.oracle.com/rs?type=doc&id=28771
Use Community link to ask webcast related
questions
https://community.oracle.com/mosc/discussion/4521454
Register for any Oracle Support Advisor Webcast or
replay any session from previous month from:
https://go.oracle.com/oraclesupportadvisorwebcast
Copyright 2022, Oracle and/or affiliates. All rights reserved
36. Q & A
To ask a question use Chat
Your question will be read aloud in the order
received
Questions can also be asked after the
session within in My Oracle Support
Communities, thread:
https://community.oracle.com/mosc/discussion/4521454
Copyright 2022, Oracle and/or affiliates. All rights reserved
Mandatory Slide
Start with this slide 15 mins before the session.
Mandatory Slide
Share this one 10 minutes before the session.
Update the KM document/ community links and Product details along with the Webinar ID and the participant phone numbers to match your webcast.
Mandatory Slide
Instructions for the HOST:
Share this one 5 minutes before the session.
Change the picture on the right using Snip & sketch(or equivalent tool) and order the current schedule by date with the earliest session at the top.
If you have many sessions planned only show the ones coming up in the next Month.
Make sure the picture is readable when showing in full slide mode
[Sample text for the host to use in chat 5 mins prior to the call][Please add the title, conference ID and teleconference details for your AW]
[***** NO need to talk to this slide *****]
Welcome to the Oracle Support Advisor Webcast – <Title of the Webcast>!
We will begin at the scheduled time and you do not need to dial in on the phone.
The webcast can be heard through your computer speakers or an attached headset.
Questions can be asked via Chat and will be read out loud during the Q&A session.
If for some reason you do need to dial in via phone, use teleconference details below:
Webinar ID: ### ### ###
US toll dial in: 1 ### ### ###
<2nd Country> toll dial in: +1 ### ### ### International numbers available: https://oracle.zoom.us/u/aeCpOlt6dD
[If you see people join late, at any pause (say after slide 7), The following welcome should be placed in the chat box again for awareness again (without the line-” We will begin at the scheduled time and you do not need to dial in on the phone.“), since any late attendees will not see the prior message]
Welcome to the Oracle Support Advisor Webcast – <Title of the Webcast>!
The webcast can be heard through your computer speakers or an attached headset.
Questions can be asked via Chat and will be read out loud during the Q&A session.
If for some reason you do need to dial in via phone, use teleconference details below:
Webinar ID: ### ### ###
US toll dial in: 1 ### ### ###
<2nd Country> toll dial in: +1 ### ### ### International numbers available: https://oracle.zoom.us/u/aeCpOlt6dD
Mandatory Slide
[NEXT SLIDE]
[HOST formally hands it over to presenter by saying: Now, let’s get stated with our presentation. [Presenter], if you’re ready, I’ll turn the webcast over to you and you can begin.
PRESENTER starts speaking
Instructions for the Host :
This is not a DUPLICATE slide, it’s here and it’s got it’s purpose.
This is the slide to transtion from Host to Presenter
[Repeated from slide 3 - The following welcome should be placed in the chat box again for awareness again (without the line-” We will begin at the scheduled time and you do not need to dial in on the phone.“), since any late attendees will not see the prior message]
Welcome to the Oracle Support Advisor Webcast – <Title of the Webcast>!
The webcast can be heard through your computer speakers or an attached headset.
Questions can be asked via Chat and will be read out loud during the Q&A session.
If for some reason you do need to dial in via phone, use teleconference details below:
Webinar ID: ### ### ###
US toll dial in: 1 ### ### ###
<2nd Country> toll dial in: +1 ### ### ### International numbers available: https://oracle.zoom.us/u/aeCpOlt6dD
Mandatory Slide
[Note for hosts – replace the correct social media links for your product line and remove the social media content not applicable to your product line]
HOST SPEAKS: [Please see below for shorter version , if needed]
******************************************************
Before we begin our session today, this slide provides a quick overview of some of the Proactive programs available such as Oracle Support Essentials, MOS How To Video Series, Advisor Webcasts like this one, Oracle Support Accreditation and the Get Proactive Portfolio. Select from above options to meet your ongoing learning needs.
Lastly, Stay Informed. Leverage our social channels like My Oracle Support Community, blogs, twitter and facebook.
[Note for host -Remove any that are not applicable for your product line]
You can also explore all our latest proactive tools and resources available to you to continually evolve and help you throughout your customer journey using Oracle applications and technology, from the 432.1 KM document and access the Get Proactive info graphic from Oracle.com.
[Links for the host to use in chat]Proactive Portfolio - Doc 432.1Oracle Support Essentials - Doc 553747.1MOS How To Video Series - Doc 603505.2
Advisor Webcast Program - Doc 749066.1
Oracle Support Accreditation - Doc 1583898.2
Our social channels :
My Oracle Support Community https://community.oracle.com/community/support/
Blogs - <Blog link>
Twitter - <Twitter Link>
Facebook - <Facebook Link>
Link to Proactive Infographic on Oracle.com: http://ora.cl/5Dy8
*******************************************************************************************************************************************************
[Note for HOSTS: LONG VERSION]
This slide provides a quick overview of some of the Proactive programs for Training, Tools and Social Channels, including the Get Proactive Portfolio, Oracle Support Essentials, My Oracle Support (MOS) How To Video Series, Oracle Support Product Advisor Webcasts, and Oracle Support Accreditation.
<CLICK>
The Proactive Portfolio Doc ID 432.1) is the main location to get started on proactive tools and resources. Some “Get Proactive” capabilities are only available for certain products, simply select your product to get started.
The Oracle Support Essentials Series is recommended for new and existing customers to learn the basics about the latest My Oracle Support and Cloud Support portal functionality, understand support processes, best practices and how to leverage available proactive support resources and tools. If you miss a webcast, they are recorded and repeated.
The My Oracle Support How-to Videos are designed as short (3-10 minutes), step-by-step instructional videos on support portal features. The how-to videos are arranged by the environment (cloud or on-premises), experience level (beginner or advanced), task, and role. Leverage these videos to learn basic skills, or refresh your knowledge, like how to search for answers in the knowledge base, how to access communities, how to log a service request (SR), and more.
The Oracle Support Advisor Webcast program offers product-based sessions, delivered by Oracle Support experts. Hear from specialists about Oracle services, products, and technologies. Gain insight into support tools and best practices to proactively avoid business problems and optimize your use of Oracle products and cloud services. Engage in Q&A to receive answers to your specific questions. These webcasts are for both new and existing customers. Live sessions are recorded for on-demand viewing. To get started, use the dropdown menu to select a “product”.
The Oracle Support Accreditation Series offers self-paced, guided learning paths with targeted resources and exams to validate your skills. Each accreditation provides easy-to-consume modules designed to grow your skills, increase expertise, save time and drive efficiency by implementing learnings. There are two levels of learning:
Level 1 portals and services learning paths show you how to leverage available features, tools, and resources, and offer you time-saving best practices that you can utilize to gain efficiency and optimize your support interactions.
Level 2 product-based learning paths build on the foundational knowledge from Level 1 by highlighting best practices, product-based diagnostics, and proactive support tools to increase your expertise. The content is designed around common questions, typical troubleshooting scenarios, and 'must-have' support tools.
Lastly, Stay Informed. Leverage our social channels like My Oracle Support Community. Increase your productivity with access to hundreds of on-line support communities that cover topics on a wide range of technologies and applications backed by Oracle support experts. You can access the latest product and support information, and exchange knowledge with industry peers on real-world best practices, tips and tricks.
[Links for the host to use in chat]
Proactive Portfolio - Doc 432.1
Oracle Support Essentials - Doc 553747.1
MOS How To Video Series - Doc 603505.2
Advisor Webcast Program - Doc 749066.1
Oracle Support Accreditation - Doc 1583898.2
Our social channels:
My Oracle Support Community https://community.oracle.com/community/support/
Blogs - <Blog link>
Twitter - <Twitter Link>
Facebook - <Facebook Link>
Link to Proactive Infographic on Oracle.com: http://ora.cl/5Dy8
Mandatory Slide
[Instructions for the host – Start recording again before you begin the safe harbor slide]
HOST SPEAKS:
What you see on the screen now is a reminder that this Advisor Webcast is intended for information purposes only. Any features or functionality described for Oracle’s products remain at the sole discretion of Oracle.
[NEXT SLIDE]
Instructions for the Host:
This is a Safe Harbor Front slide, one of two Safe Harbor Statement slides included in this template.
One of the Safe Harbor slides must be used if your presentation covers material affected by Oracle’s Revenue Recognition Policy.
To learn more about this policy, e-mail: Revrec-americasiebc_us@oracle.com
For internal communication, Safe Harbor Statements are not required. However, there is an applicable disclaimer (Exhibit E) that should be used, found in the Oracle Revenue Recognition Policy for Future Product Communications. Copy and paste this link into a web browser, to find out more information.
http://my.oracle.com/site/fin/gfo/GlobalProcesses/cnt452504.pdf
For all external communications such as press releases, roadmaps, and PowerPoint presentations, Safe Harbor Statements are required. You can refer to the link mentioned above to find out additional information/disclaimers required depending on your audience.
Mandatory Slide
[NEXT SLIDE]
[HOST formally hands it over to presenter by saying: Now, let’s get started with our presentation. [Presenter], if you’re ready, I’ll turn the webcast over to you and you can begin.]
PRESENTER starts speaking
Instructions for the Host :
This is not a DUPLICATE slide; it is here for a purpose.
This is the slide to transition from Host to Presenter.
[Repeated from slide 3 - The following welcome should be placed in the chat box again for awareness (without the line “We will begin at the scheduled time and you do not need to dial in on the phone.”), since any late attendees will not see the prior message]
Welcome to the Oracle Support Advisor Webcast – <Title of the Webcast>!
The webcast can be heard through your computer speakers or an attached headset.
Questions can be asked via Chat and will be read out loud during the Q&A session.
If for some reason you do need to dial in via phone, use teleconference details below:
Webinar ID: ### ### ###
US toll dial in: 1 ### ### ###
<2nd Country> toll dial in: +1 ### ### ###
International numbers available: https://oracle.zoom.us/u/aeCpOlt6dD
Mandatory Slide
Instructions for Host and Presenter to build the slides:
Use this slide to start with the first topic. When building just make a copy of this slide and update the topics.
Use Key words only and avoid LONG phrases. The Topics should only be 1 short line.
Complete the Topics list with an overview of the Items that will be covered during the Session. This information is similar to what Topics list was in the Advisor Webcast Proposal.
What will you talk about today? Use Key words only and avoid long phrases. Topics should only be one line each. This information is similar to the topic list given in your Advisor Webcast Proposal. Some sample agendas follow:
Sample from EBS:
Overview Of Commitments
Define Commitment Transaction Types
How To Create Commitments
Create And Apply Invoices, Receipts And Credits
Known Issues & Useful Queries
Note: The Objectives slide has been removed to keep the template simple, but prepare to start your agenda with what you would like customers to walk away with after attending this session. Why should someone attend this session and what will they gain from it? Basically, “What’s In It For ME” from a customer perspective? What knowledge would you like customers to walk away with after attending this session? Objectives should flow naturally in response to questions such as: What will they understand, become familiar with, learn, or be able to do after the webcast that they couldn’t before?
Mandatory Slide
HOST SPEAKS:
[Thank the presenter] Thanks to _________________________ for __________ presentation.
We’re going to open the Q&A in just a moment. Please use the Chat panel to ask any questions.
While we pause to collect your questions, I’d like to share some information on locating Advisor webcasts and how you can access the recording from today’s session.
The Advisor Webcast primary document, Doc ID 740966.1, is your starting place to find out all about Oracle’s Advisor Webcast Program for all Oracle Products.
You can also directly access the <product name> Advisor Webcast Program document Doc ID <doc ID> where you will be able to see upcoming, most popular and prior webcast recordings. Please note that the design and user interface of the Advisor Webcast index documents have slightly changed, although the tabs remain the same. For today’s webcast session and a list of all prior webcast recordings, go to the Prior Webcasts Recordings tab and then click on the Recording link.
A PDF file with the webcast session slides can also be downloaded from here.
If you have any follow up questions on today’s webcast use the Community link. The Q&A from today’s webcast will be posted to this thread as well as responses to questions that we may not get to during the webcast.
Recording for this webcast will be available within 48 hours.
I would also like to mention that you can visit the Oracle Support Advisor Webcast landing page, where you can find a listing of all upcoming Advisor Webcasts across product lines and register for any webcast that may interest you. This page also provides a listing of all webcast replay links from the past month on the In Case You Missed It tab. I have posted the link to the landing page in chat for your reference.
[NEXT SLIDE]
[Instructions for the host – replace screen shot with the most recent screen shot from your product line. Please ensure that the screen shot does not extend out of the slide or on the Oracle Logo ]
[Reference - Sample text for hosts to use chat panel – Do not say text below out loud]
[To access the recording and the PDF from today’s webcast, open <your product area> AW document <Doc ID Link> and click on the Prior Webcasts tab.
Or access the recording and PDF directly from within the MOS document <Doc ID Link>. The recording will be made available within 48 hours.
For questions from today’s session and to continue the discussion, use https://community.oracle.com/thread/<threadID>
Register for a webcast or review recordings from the last 30 - 60 days from the Oracle Product Support Advisor Webcast landing page: https://go.oracle.com/oraclesupportadvisorwebcasts]
Mandatory Slide
[Instructions to the Hosts – Remember to not read out customer name from chat during Q&A. If you have audio questions and need to call out to a customer to ask their question, use customer first name only. If the customer introduces themselves with their full name and/or company name during Q&A (audio), make a note to edit and delete before posting the recording.]
HOST SPEAKS:
Now we’re going to open it up for questions.
To ask a question, please use the Chat panel.
[Instructions to the Hosts]
Check to see if there are any raised hands on chat, requesting to ask an audio question. If yes, you can select Allow to Talk and Unmute the attendee, so they can ask a question. If you need to call to the attendee, please use first name only.
Once questions are exhausted or time is up, the host will formally wrap up the call. As the host begins the call wrap up, advance to the Thank You slide and wait until the host closes the webcast.
Mandatory Slide
Stay on this slide until the host closes out the webcast.
WRAP UP -> HOST SPEAKS:
Thanks to _________________________ for __________ presentation and _________________________ for joining during the Q&A.
We hope you found the webcast valuable. I will keep the chat open for a couple more minutes. Please take a moment to share your feedback and let us know what topics you’d like to see covered in future webcasts.
Thank you to each of you for taking time out of your day to join us today.
This concludes our webcast today. Enjoy the remainder of your day!
HOST WILL END THE CONFERENCE - Stay on this slide until the host closes out the webcast.