Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx

ATTENTION – AUDIO Options
Advisor Webcast PDF, Recording and
Community Thread:
 Recording will be available within 48 hours at Advisor
Webcast PDF & Recording: Oracle Support
Document 2877140.2 - Troubleshooting issues with
TCPS Configuration/Communication on Database
[Video]
https://support.oracle.com/rs?type=doc&id=287714
0.2
 Use Community link for Q&A -
https://community.oracle.com/mosc/discussion/xxxx
 For upcoming Oracle Database Advisor Webcasts &
recordings, see Doc ID 1456176.2
Option 1: Voice Streaming – Computer Audio
 No need to dial in on a telephone, the
Advisor Webcast can be heard through your
computer speakers or an attached headset.
 Questions can be asked via Chat box
Option 2: Teleconference (Dial In)
 Questions can be asked over phone or in the Chat box
 Requires telephone to dial in
 Details
 Webinar ID: 944 9650 5115
 US toll dial in: +1 669 900 6833
 US toll dial in: +1 346 248 7799
International numbers available:
https://oracle.zoom.us/u/a87POGYP
Oracle Support Advisor Webcast will start at the scheduled time
Copyright 2022, Oracle and/or affiliates. All rights reserved

 Check out Doc ID 740966.2 for all
Webcasts.
 Select your product Oracle Database
 Register for the session of your interest.
 For upcoming Oracle Database Advisor
Webcasts & archived recordings, see Doc
ID 1456176.2
Upcoming Advisor Webcast Schedule
Oracle Support Advisor Webcast will begin at the scheduled time
Register for any Oracle Support Advisor Webcast
from:
https://go.oracle.com/oraclesupportadvisorwebca
sts

Global Customer Support, Database Security
July 14, 2022
SRINIVASA R
Troubleshooting issues with TCPS Configuration/Communication on
Database
Oracle Support Advisor Webcast

Proactive Resources for Tools, Training and Social Channels
Get
ProactivePortfolio
Doc ID 432.1
Learning is ongoing. Select and use learning options to meet your needs.
Self-paced
Live, interactive
Deep-dive instruction
(steps)
Get Proactive
Social Channels
Stay informed via:
My Oracle Support Community here
Blogs here
Examples: EBS / Database
Twitter here
Examples: EBS / Database
Oracle
Support Essentials
Doc ID 553747.2
My Oracle
Support
How To Videos Doc
ID 603505.2
Product
Advisor
Webcasts
Doc ID 740966.1
Oracle
Support
Accreditations
Doc ID 1583898.2
OracleSupport Training andResources Doc ID 1959163.2
High-level (concepts)
Session playback

The following is intended to outline our general product direction. It is intended for information purposes
only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code,
or functionality, and should not be relied upon in making purchasing decisions. The development, release,
timing, and pricing of any features or functionality described for Oracle’s products may change and
remains at the sole discretion of Oracle Corporation.
Safe harbor statement

5
4
3
2
1
ORA Errors related to SSL adapter
Troubleshooting SSL Handshake failures between DBServer and Client
Validating the SSL wallets and certificates on Server and Client
Validating TCPS Configuration on Database
Basics of Transport Layer Security Configuration
Topics

1 Basics of Transport Layer Security Configuration
Troubleshooting issues withTCPS

1.What isSSL/TLS?
SSL/TLS creates an encrypted connection between server and client servers allowing for private information to be transmitted without the problems of eavesdropping, data
problems of eavesdropping, data tampering, or message forgery.To enable SSL on a website, you will need to get an SSL Certificate that identifies you and install it on the server.
you and install it on the server.
2.Whydo I needSSL?
If you are transmitting sensitive information on a web site, such as credentials or personal information, you need to secure it with SSL encryption. It is possible for
encryption. It is possible for every piece of data to be seen by others unless it is secured by an SSL certificate.
3.SSLCertificate
SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details.
User/ServerCertificate :SSL Certificate issued to a specific server/host is termed as ServerCertificate/User certificate/Identity Certificate.
Certificate.
IntermediateCertificate : Intermediate certificates are used as a stand-in for our root certificate.
Root Certificate: It is public key certificate that identifies the Root CertificateAuthority
4.Certificate authority (CA)
A certificate authority is an entity which issues digital certificates to organizations or people after validating them. Certification authorities have to keep detailed
authorities have to keep detailed records of what has been issued and the information used to issue it, and are audited regularly to make sure that they are following defined
they are following defined procedures
1.Basics of Transport Layer Security Configuration

5.Wallet
A wallet is also a repository of security certificates and credentials.Oracle Database and OHS store certificates in wallets.
We can create password-protected wallets(ewallet.p12) and corresponding autologin wallet(cwallet.sso)
6.SignatureAlgorithm
The algorithm used to create the signature.Signature is to verify that it came from the issuer.
It is used to sign the certificates.Signature strength is directly related to the key size, the larger the key the stronger the signature.
signature.
7.Cipher
In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a
that can be followed as a procedure
A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to
algorithms used to negotiate the security settings for a network connection using theTransport Layer Security (TLS) / Secure Sockets Layer (SSL)
Sockets Layer (SSL) network protocol.
8.SSL Handshake
The client and server establish which algorithms to use.
The server sends its certificate to the client and the client verifies that the server's certificate was signed by a trusted CA.
If client authentication is required, the client sends its own certificate to the server and the server verifies that the client's certificate was signed by a
certificate was signed by a trustedCA.
The client and server exchange key information using public key cryptography. Based on this information, each generates a session key
session key

 TLS provides authentication, data encryption, and data integrity.
 The TLS protocol is the foundation of a public key infrastructure (PKI).
For authentication, TLS uses digital certificates that comply with the
X.509v3 standard and a public and private key pair.
 Oracle Database TLS can be used to secure communications between
any client and any server. You can configure TLS to provide
authentication for the server only, the client only, or both client and
server.

1. Create the SSL Wallet(ewallet.p12 and cwallet.sso)
$orapki wallet create -wallet <wallet_location> -auto_login
2. Raise Certificate Signing Request(CSR)
orapki wallet add -wallet <wallet_location> -dn <user_dn> -keysize 512|1024|2048|4096 -pwd <wallet_password>
Eg:
orapki wallet add -wallet <wallet_location> -dn CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN -keysize
512|1024|2048|4096 -pwd <wallet_password>
3. Submit CSR to Certificate Authority(CA) to get signed SSL certificates in Base64 format
orapki wallet export -wallet <wallet_location> -dn <certificate_request_dn> -request <certificate_request_filename> -pwd <wallet password>
Eg:
orapki wallet export -wallet <wallet_location> -dn CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN -request
csr.txt -pwd <wallet password>
4.I mport trusted and user certificates to wallet
orapki wallet add -wallet <wallet_location> -trusted_cert -cert <root_certificate_location> -pwd <wallet_password>
orapki wallet add -wallet <wallet_location> -trusted_cert -cert <intermediate_certificate_location> -pwd <wallet_password>
orapki wallet add -wallet <wallet_location> -user_cert -cert <user_certificate_location> -pwd <wallet_password>
Review of SSL wallet creation and importing certificates to it

5. Review the wallet created for DB server
$orapki wallet display -wallet /refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets
Requested Certificates:
User Certificates:
Subject: CN=dbserver.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
Trusted Certificates:
Subject: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
6. Similarly Create a wallet on Client and import the DB trusted certificates to the Client wallet
7. After the creation of wallets,SSL/TLS is enabled on DB
Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)

1

<DB HOME>/bin>lsnrctl status <listener name>
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname.domainname)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 19.0.0.0.0 - Production
Start Date 30-JUN-2022 15:01:08
Uptime 3 days 21 hr. 10 min. 27 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/network/admin/listener.ora
Listener Log File /refresh/home/app/19.8.0.0/oracle/diag/tnslsnr/hostname/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hostname.domainname)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=hostname.domainname)(PORT=1523)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=hostname.domainname)(PORT=5510))(Security=(my_wallet_directory=/refresh/home/app/19.8.0.0/oracle/product/19.8.0
.0/dbhome6/srinivasa/wallets))(Presentation=HTTP)(Session=RAW))
Services Summary...
Service "orcl19800.domainname" has 1 instance(s).
Instance "orcl19800", status READY, has 1 handler(s) for this service...
Service "orcl19800XDB.domainname" has 1 instance(s).
The command completed successfully
1.Status of listener

2. DB Configuration files should have TCPS connection descriptors
listener.ora
-------
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS_LIST=
(ADDRESS = (PROTOCOL = TCP)(HOST = hostname.domainname)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = hostname.domainname)(PORT = 1523))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
)
)
)
wallet_location =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=/refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets)
)
)
SSL_CLIENT_AUTHENTICATION=FALSE
SSL_VERSION=1.2

3.sqlnet.ora on the server
---------
wallet_location =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=/refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets)
)
)
#Set the below parameter to TRUE, for users to be authenticated by Database with SSL certificates,
#This parameter is recommended to force the use of TLS latest version 1.2
SSL_VERSION=1.2
#Set this parameter ON so that SSL_SERVER_CERT_DN in tnsnames.ora is effective
#SSL_SERVER_DN_MATCH=ON

4.DB Client files will have Wallet and TCPS connection descriptors
sqlnet.ora on the Client
-----------
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
#Specify the wallet location with wallet_location parameter
wallet_location =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=/u01/db/db12/12.2.0/srinivasa/wallets)
))
#Set the below parameter to TRUE, for users to be authenticated by Database with SSL certificates,
#This parameter is recommended to force the use of TLS latest version 1.2
SSL_VERSION=1.2
tnsnames.ora
--------
orcl19800_SSL =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = hostname.domainname)(PORT = 1523))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl19800.domainname)
))

5.Connection to Database over TCPS
$sqlplus srini/<password>@orcl19800_ssl
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Jul 4 16:23:05 2022
Version 19.8.0.0.0
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.8.0.0.0
SQL> show user
USER is "SRINI“
SQL> select sys_context('USERENV','NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcps

1

The contents in the wallet can be dumped using the command below.
1.Wallet on DB Server
$export ORACLE_HOME=<DB HOME>
User Certificates:
Subject: CN=ClientCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
2.Wallet on Client
$export ORACLE_HOME=<CLIENT HOME>
$orapki wallet display -wallet /u01/db/db12/12.2.0/srinivasa/wallets
User Certificates:
Subject: CN=client.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
3.Validating the SSL Wallets on Server and Client

1

I. Verify if the listener is accessible through SSL port
1.Check the listener hostname/IP and TCPS port set from the status of
listener
$lsnrctl status <listener name>
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=hostname.domain
name)(PORT=1523)))
2.Check the DB Service name is listed under Services Services Summary...
Service "orcl19800.domainname" has 1 instance(s).
Follow the checklist below when connection to DB fails over SSL connection

2.Run the command below to verify if the listener is able to load the certificates.
The command need to return the certificates
$ openssl s_client -connect dbserver.domainname:1523
CONNECTED(00000003)
depth=1 C = IN, ST = KAR, L = BLR, O = ORACLE, OU = DBSEC, CN = DBServerCA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=IN/ST=Karnataka/L=BLR-OTP/O=ORACLE/OU=DBSEC/CN=dbserver.domainname
i:/C=IN/ST=KAR/L=BLR/O=ORACLE/OU=DBSEC/CN=DBServerCA
1 s:/C=IN/ST=KAR/L=BLR/O=ORACLE/OU=DBSEC/CN=DBServerCA
i:/C=IN/ST=KAR/L=BLR/O=ORACLE/OU=DBSEC/CN=DBServerCA
Server certificate
-----BEGIN CERTIFICATE-----
MIIDQzCCAisCAhI2MA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAYTAklOMQwwCgYD
VQQIDANLQVIxDDAKBgNVBAcMA0JMUjEPMA0GA1UECgwGT1JBQ0xFMQ4wDAYDVQQL
DAVEQlNFQzEQMA4GA1UEAwwHU1JJQ0VSVDAeFw0yMjA3MDQxNDE0NTFaFw0yMzA3
MDQxNDE0NTFaMHIxCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExEDAO
BgNVBAcTB0JMUi1PVFAxDzANBgNVBAoTBk9SQUNMRTEOMAwGA1UECxMFREJTRUMx
HDAaBgNVBAMTE2Ric2VydmVyLmRvbWFpbm5hbWUwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCCwQJxda+4cClkZjxvdVS+G2Zo4eBsTRSrQWkikKjwySEY
DUhAr7piw3eA0AvCNYYjEnLT93+oK7FprVQz77Gg0KROBdUU/xgd173zGUyfaG8w
aOjuh6BlmU08lE2RqGph7cGiQWvx0XHyaiVaviZNxpY0qP8uL5eEnyYQ0Dd5efrU
5BF5QyCtwR0F0MmpeVvQ3qvvmiYuJfqHDqXnVrsxNIEr114HMlHnEunnk7lUSfoD
vX3ojCz3FjqT0OCeD3+Xwgf6HfaV4i6klyJnoQS19vBWo6LcfMUFVxl8W7QLcE5x
GyPeJgBLDu04euvFYngRwWT8Ozuur2ySpstzTXhLAgMBAAEwDQYJKoZIhvcNAQEL
BQADggEBAJSOJhS9A+8W/TnrMFmDU6BH1qI4XDNKJgiC6R3E4oG4GPVHL4U3is0Y

3. If the output return error as below , then wallets are not loaded during listener startup.
$ openssl s_client -connect dbserver.domainname:1523
CONNECTED(00000003)
140404937381776:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1657277758
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

1.Check WALLET_LOCATION specified in listener.ora and validate it is correct
wallet_location =(SOURCE=(METHOD=File)(METHOD_DATA=(DIRECTORY=/refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets)))
2.Check the DB User has read permissions on the wallet files
3.Dump the contents of wallet and ensure it contain user certificate and trusted certificates
User Certificates:
4.Dump the certificates and ensure it is valid
$orapki cert display -cert user.txt
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
Issuer: CN=DBServerCA,OU=DBSEC,O=ORACLE,L=BLR,ST=KAR,C=IN
Valid Until: Tue Jul 04 14:14:51 GMT 2023
Solution:

II.Check tnsping works on TCPS port from server and client
For a successful connection:
$ tnsping "(ADDRESS=(PROTOCOL=tcps)(HOST=dbserver.domainname)(PORT=1523))"
TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 06-JUL-2022 21:37:53
Copyright (c) 1997, 2020, Oracle. All rights reserved.
Attempting to contact
(ADDRESS=(PROTOCOL=tcps)(HOST=dbserver.domainname)(PORT=1523))
OK (190 msec)
In case of failure:
$ tnsping "(ADDRESS=(PROTOCOL=tcps)(HOST=dbserver.domainname)(PORT=1523))"
TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 06-JUL-2022 21:37:53
Copyright (c) 1997, 2020, Oracle. All rights reserved.
Attempting to contact
(ADDRESS=(PROTOCOL=tcps)(HOST=dbserver.domainname)(PORT=1523))
TNS-12560: TNS:protocol adapter error

1.Check wallet_location in sqlnet.ora on Client/server and if wallets exist in it
wallet_location =(SOURCE=(METHOD=File)(METHOD_DATA=(DIRECTORY=/refresh/home/app/19.8.0.0/oracle/product/19.8.0.0/dbhome6/srinivasa/wallets)))
2.Check the server/client wallet and ensure the trusted certificates of DB are imported to it
$orapki wallet display -wallet /u01/db/db12/12.2.0/srinivasa/wallets
User Certificates:
Subject: CN=client.domainname,OU=DBSEC,O=ORACLE,L=BLR-OTP,ST=Karnataka,C=IN
3.If SSL_CLIENT_AUTHENTICATION=TRUE , then ensure the trusted certificates of Client are imported to DB Wallets
User Certificates:
4.SSL_VERSION set in server need to be supported by client(1.2, 1.1 , 1)
Update SSL_VERSION in client sqlnet.ora with the same value as in Server
SSL_VERSION=1.2
Solution:

III.Check connection to DB
sqlplus username/password@orcl19800_ssl
ERROR:
ORA-28865: SSL connection closed
Solution:
1.Check the sqlnet.ora in DB HOME for the wallet location and ensure the wallets are same as set in listener.ora
2.If SSL_CLIENT_AUTHENTICATION=TRUE , then ensure the trusted certificates of Client are imported to DB Wallets
User Certificates:
3.SSL_VERSION set in server need to be supported by client(1.2, 1.1 , 1)
Update SSL_VERSION in client sqlnet.ora with the same value as in Server .SSL_VERSION=1.2

Enable sqlnet tracing to identify and troubleshoot the errors from the
SSL layer using:
Note 395525.1 How to Enable Oracle SQL*Net Client , Server , Listener ,
Kerberos and External procedure Tracing from Net Manager
More debug details will be covered in next Webcast:
Troubleshooting Tcps/SSL through Wireshark

1
ORA Errors that may occur while you use the Oracle Database SSL adapter

1.TNS:protocol adapter error (ORA-12560)
Ensure listener is accessible through SSL port and tnsping works correctly
2.ORA-29024:Certificate Validation Failure
-Check the client wallet and ensure the trusted certificates of DB are imported to it
-Check that server certificate is not imported as a trusted certificate
3.ORA-29143/29106: Wallet open failed with error 29143/29106
-For versions less than 12.1.0.2.201020, apply Patch 23184013
-If cwallet.sso is created with auto_login_local and it can be used only by the user who created it.
4.ORA-28860: Fatal SSL error
-There is a mismatch between SSL Protocol version or cipher suite between Client and Server.
5.ORA-28864: SSL connection closed gracefully
-The certificates have been signed using MD5 hashing algorithm and after the database upgrade to 12.2 the handshake uses the TLS1.2 protocol.
6.Additional and new errors if any will be updated in MOS document below
How To Investigate And Troubleshoot SSL/TLS Issues on the Database And Client SQL*Net Layer (Doc ID 2238096.1)
5.ORA Errors that may occur while you use the Oracle Database SSL adapter.

Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)
Step by Step Guide: How to Configure SSL/TLS on ORACLE RAC (with
SCAN) (Doc ID 1448841.1)
SSL Troubleshooting Guide (Doc ID 166492.1)
Note 395525.1 How to Enable Oracle SQL*Net Client , Server , Listener ,
Kerberos and External procedure Tracing from Net Manager
Document Reference:

Locating Current Schedule & Archived Recordings
Oracle Support Advisor Webcast Program
 Access Advisor Webcasts information for all Oracle
products from Doc ID 740966.2 or directly access
upcoming and prior webcasts for Oracle Database
from Doc ID 1456176.2
 Under Prior Webcast Recordings tab access
recordings and webcast slides (.pdf)
 Recording available within 48 hours at: Oracle
Document 2877140.2 - Troubleshooting issues with
TCPS Configuration/Communication on Database
[Video]
https://support.oracle.com/rs?type=doc&id=28771
 Use Community link to ask webcast related
questions
https://community.oracle.com/mosc/discussion/4521454
 Register for any Oracle Support Advisor Webcast or
replay any session from previous month from:
https://go.oracle.com/oraclesupportadvisorwebcast

Q & A
 To ask a question use Chat
 Your question will be read aloud in the order
received
 Questions can also be asked after the
session within in My Oracle Support
Communities, thread:
https://community.oracle.com/mosc/discussion/4521454

Thank you
SrinivasaR
GlobalCustomer Support, Database Security

Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx

Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx

Recommended

Recommended

More Related Content

Similar to Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx

Similar to Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx (20)

Recently uploaded

Recently uploaded (20)

Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx

Editor's Notes