SlideShare a Scribd company logo

SSL certificates in the Oracle Database without surprises

Nelson Calero
Nelson Calero

Presentation delivered on UKOUG conference in December 2019. Abstract: Nowadays database installations are required to use secure connections to communicate with clients, from connecting to the database listener to interact with external services (for example to send emails from the database). Also since a couple of years ago, it has been required to use stronger protocols like TLS 1.2 (SHA2 algorithm), which requires extra configuration in older database releases. This presentation shows how SSL certificates work from a DBA perspective, which tools are available and examples of configuring and troubleshooting their usage from the Oracle database. It also explores the implications and how to implement TLS 1.2 and common errors found in real life usage.

1 of 51
Download to read offline
SSL certificates in the Oracle Database without surprises UKOUG – December 2018 Nelson Calero
Today’s topics • Security basis • Use cases in the Oracle Database 1. SSL for database connections 2. Email from PL/SQL 3. Oracle Enterprise Manager • Management • Troubleshooting 2 © 2018 Pythian Intended audience: DBAs and Developers
• Database Consultant at Pythian since 2014 • Working with Oracle tools and Linux environments since 1996 • DBA Oracle (2001) & MySQL (2005) • Co-founder and President of the Oracle user Group of Uruguay (2009) • LAOUC Director of events (2013) • Computer Engineer (1998) • Oracle ACE (2014), Oracle ACE Director (2017) • Oracle Certified Professional 10g/11g/12c, OCE, Cloud DB & Infra • Amazon Solutions Architect – Associate (2016) • Google Cloud Architect (2017), Google Cloud Data Engineer (2017) • Oracle University Instructor (2011) • Blogger and speaker: Oracle Open World, Collaborate, OTN Tour, Regional conferences About me 3 © 2018 Pythian http://www.linkedin.com/in/ncalero @ncalerouy
3 Membership Tiers • Oracle ACE Director • Oracle ACE • Oracle ACE Associate bit.ly/OracleACEProgram 500+ Technical Experts Helping Peers Globally Connect: Nominate yourself or someone you know: acenomination.oracle.com @oracleace Facebook.com/oracleaces oracle-ace_ww@oracle.com
Security Basis • SSL • Public/private keys • PKI • Certificates • CA • Publicly trusted CA 7 © 2018 Pythian • Signatures • Certificate chain • Certificate hierarchy • Wallets • Handshake • Protocols in Oracle versions
Basis – Secure Sockets Layer • SSL is the standard security technology for establishing an encrypted link between a server and a client • Provides network-level authentication, data encryption, and data integrity, ensuring that all data passed between them remain private and integral • Examples: – webserver and browser – mail server and mail client • Based on Public Key Cryptography using Public Key Infrastructure (PKI) 8 © 2018 Pythian
SSL with the Oracle database • Since 10gR2 SSL/TLS are no longer part of the Advanced Security Option • Since 12c SSL/TLS is available in Oracle Standard Edition • Enabled by default in Oracle Cloud Database services 9 © 2018 Pythian
Basis – SSL History • SSL - Secure Socket Layers Protocol – Developed by Netscape • TLS - Transport Layer Security Protocol – new version of SSL, based on SSL 3.0 – SSL 2.0 and 3.0 deprecated in 2011 and 2015 • SSL and TLS protocols do not interoperate • SSL Certificates do not depend on protocol • Several algorithms to use in signing stages 10 © 2018 Pythian Protocol Year SSL 1.0 No SSL 2.0 1995 SSL 3.0 1996 TLS 1.0 1999 TLS 1.1 2006 TLS 1.2 2008 TLS 1.3 2018
Basis – SSL History • SSL - Secure Socket Layers Protocol – Developed by Netscape • TLS - Transport Layer Security Protocol – new version of SSL, based on SSL 3.0 – SSL 2.0 and 3.0 deprecated in 2011 and 2015 • SSL and TLS protocols do not interoperate • SSL Certificates do not depend on protocol • Several algorithms to use in signing stages 11 © 2018 Pythian Protocol Year Oracle SSL 1.0 No SSL 2.0 1995 SSL 3.0 1996 TLS 1.0 1999 11.1 (2007) TLS 1.1 2006 TLS 1.2 2008 12.1 (2013) TLS 1.3 2018
Basis – Public and private key encryption • Also known as asymmetric encryption • Requires more computational power than symmetric encryption • Vulnerabilities: – Brute force: reduced by using larger keys – Man in the middle: resolved using signatures and Certificate Authorities (CA) 12 © 2018 Pythian Sender Receiver Private key Public key Message Encrypted Message Message Encrypted Message Sender Public key
Basis – Public Key Infrastructure (PKI) • Framework using public and privates key, certificates and method for key distribution • SSL/TLS uses a key-exchange algorithm to allow symmetric keys (hybrid cryptosystem), less computationally intensive than using asymmetric keys • Components: – Certificate Authority (CA): a trusted third party that certifies the identity of entities, such as users, databases, administrators, clients, and servers. – Certificates: created when an entity's public key is signed by a trusted certificate authority (CA). – Wallet: a container that stores authentication and signing credentials, including private keys, certificates, and trusted certificates SSL – Certificates revocation lists: validity of CA signed certificates 13 © 2018 Pythian
Basis – Certificates • Used for authentication • Follows X.509 specification • Associates public key with an organization’s details (AKA DN): – A domain name, server name or hostname – An organizational identity (i.e. company name) and location • It also includes – CA name, the CA signature, and the certificate effective dates – Digital signature (explained later) • They can be self-signed - for use in test environments 14 © 2018 Pythian
Basis – Certificate Authority (CA) • A third party trusted by both of the communicating parties (e.g. Verisign) • Validates, identities and issue/revoke certificates • The CA uses its private key to encrypt a message • The CA public key is well known and does not have to be authenticated each time it is accessed (browsers, wallets, etc.) • Organization can use in-house CA (e.g. MS Certificate services) 15 © 2018 Pythian
Basis – Signature • One-way hash of the data (certificate) encrypted with signer’s private key – it cannot be reversed • Receiver validates the integrity of the data: – Receiver gets the data and signature – Data is decrypted using sender’s public key – Signature is decrypted using sender’s public key – New signature is created using same algorithm – Both new and received signature should match if data was not tampered 16 © 2018 Pythian
Basis – Publicly Trusted CAs • A trusted third party (TTP) used as CA for the certificates • Commercial – Verisign, Digicert, GoDaddy • Web browsers includes by default public keys of TTPs CA • De-facto standard for websites, as certificates from non trusted CAs are reported by default as dangerous 17 © 2018 Pythian
Basis – Certificate hierarchy and chain 18 https://docs.oracle.com/cd/E19424-01/820-4811/gdzen/index.html
Basis – Wallet • A file storing authentication and signing credentials, including private keys, certificates, and trusted certificates SSL needs. • Oracle server and client using SSL needs a wallet file – configured in sqlnet.ora, listener.ora, optional in tnsnames.ora (instead of sqlnet) – Must be auto-login • Managed with Oracle Wallet Manager and orapki tool • Creation process for an SSL wallet: – Generate a public-private pair – Create a certificate request – Submit the certificate request to the CA – Import the signed server certificate into the wallet – Install the wallet into the server – Distribute server certificate to clients (exchange w/client) 19 © 2018 Pythian
Basis – SSL handshake in Oracle 1) The client and server establish which cipher suites to use. This includes which encryption algorithms are used for data transfers. 2) The server sends its certificate to the client, and the client verifies that the server's certificate was signed by a trusted CA. This step verifies the identity of the server. 3) Similarly, if client authentication is required, the client sends its own certificate to the server, and the server verifies that the client's certificate was signed by a trusted CA. 4) The client and server exchange key information using public key cryptography. Based on this information, each generates a session key. All subsequent communications between the client and the server is encrypted and decrypted by using this session key and the negotiated cipher suite. 20 © 2018 Pythian
Basis – SSL handshake in Oracle Authentication: • On a client, the user initiates an Oracle Net connection to the server by using SSL • SSL performs the handshake between the client and the server • If the handshake is successful, then the server verifies that the user has the appropriate authorization to access the database Possible configurations: - Only the server authenticates itself to the client - Both client and server authenticate themselves to each other - Neither the client nor the server authenticates itself to the other, thus using the SSL encryption feature by itself 21 © 2018 Pythian
Basis – handshake changes in TLS v1.3 22 https://blog.cloudflare.com/introducing-tls-1-3/
Basis – Protocols in Oracle versions Default TLS version included with Oracle releases: – Oracle 11.1 - TLS 1.0 – Oracle 12.1 - TLS 1.2 PSUs include update/new algorithms, using MES SDK: – 11.2.0.4.0 - BSAFE 6.3.2.2 and Certicom SSL plus 3.0 supported SSLv3 (SHA2) – 12.1.0.2.0 - MESv405 supported TLSv1.2, FIPS 140-2 (MESv405 is deprecated). – 12.2.0.2.0 - MESv415 supported TLSv1.2, FIPS 140-2 (validated). – 18c – MES416 – 19c – MES4161 NOTE: no more one-off or overlay patches needed for MES (Doc ID 2274242.1) 11g Standard Edition: TCPS adapter needs to be enabled in oracle binaries before MES bundle patch is applied using Note 1457854.1 23 © 2018 Pythian
Today’s topics • Security basis • Use cases in the Oracle Database 1. SSL for database connections 2. Email from PL/SQL 3. Oracle Enterprise Manager • Management • Troubleshooting 24 © 2018 Pythian
Case 1: SSL for database connections 1. Create a wallet – using signed CA in this example a. Create a certificate request b. Submit the certificate request to the CA c. Import the signed server certificate 2. Configure server sqlnet.ora / listener.ora a. Add wallet directory to both b. Optionally, restrict cipher algorithms and protocol versions, client authentication c. Add TCPS listener endpoint 3. Add new TCPS listener to LOCAL_LISTENER parameter 4. Restart listener 5. Distribute wallet to clients 6. Configure wallet directory in client sqlnet.ora / tnsnames.ora Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1) 25 © 2018 Pythian
Case 1: 1 - Create a wallet 26 © 2018 Pythian orapki wallet create -wallet . -auto_login -pwd $MYPASSchmod 775 ewallet.p12 cwallet.sso orapki wallet display -wallet . orapki wallet remove -trusted_cert_all -wallet . -pwd $MYPASS
Case 1: 1 - Create a wallet 27 © 2018 Pythian orapki wallet create -wallet . -auto_login -pwd $MYPASSchmod 775 ewallet.p12 cwallet.sso orapki wallet display -wallet . orapki wallet remove -trusted_cert_all -wallet . -pwd $MYPASS [oracle@myserver wallet2018]$ ls -lrt total 0 [oracle@myserver wallet2018]$ orapki wallet create -wallet . -auto_login -pwd xxx Oracle PKI Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. [oracle@myserver wallet2018]$ orapki wallet display -wallet . Oracle PKI Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Trusted Certificates: Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Case 1: 1 - Create a wallet Note: self signed certificates can be used instead of step a), skipping b) a. Create a certificate request 28 © 2018 Pythian orapki wallet add -wallet . -dn "CN=myserver.domain,O=Acme,L=New York,ST=New York,C=US" -keysize 2048 -pwd $MYPASS orapki wallet export -wallet . -dn "CN=myserver.domain,O=Acme,L=New York,ST=New York,C=US" -request ./myserver.req -pwd $MYPASS Known issue: orapki uses MD5 algorithm for requests (cannot be changed). Above won’t work if we want SHA2 signed request (validated by CAs nowadays). Use openssl instead: openssl pkcs12 -in ewallet.p12 -nodes -out mywallet.pem openssl req -new -key mywallet.pem -sha256 -out mywallet-sha2.csr
Case 1: 1 - Create a wallet b. Submit the certificate request to the CA if we don’t use external CA (for testing), a Self-Signed Certificate can be created. c. Import the signed server certificate We can see the cipher algorithm used to sign the certificate received: 29 © 2018 Pythian $ openssl x509 -in mysignedcert.cer –text Certificate: Data: Version: 3 (0x2) Serial Number: 96:c2:92:71:11:1e:70:c1:5e:5e:62:a3:fe:44:f9:c3 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, CN=InCommon RSA Server CA orapki cert create -wallet $ORACLE_BASE/wallet_CA -request ./myserver.req -cert ./usercert.txt -sign_alg sha256 -validity 3650
Case 1: 1 - Create a wallet (cont.) Break up Intermediates/root certificate into the constituent components, based on -BEGIN CERTIFICATE- / -END CERTIFICATE- tags, creating one file per each certificate Then, import them into the wallet: We can validate the wallet contains now our certificates: NOTE: if imported into a different server than used to generate the request: PKI-04006: No matching private key in the wallet 30 © 2018 Pythian orapki wallet add -wallet . -trusted_cert -cert mycert1.cer -pwd xxx orapki wallet add -wallet . -trusted_cert -cert mycert2.cer -pwd xxx orapki wallet add -wallet . -trusted_cert -cert mycert3.cer -pwd xxx orapki wallet display -wallet .
Case 1: 2 - Configure server • Configure server sqlnet.ora / listener.ora – Add wallet directory to both – Optionally, restrict cipher algorithms and protocol versions, client authentication – Add TCPS listener endpoint NOTE for RAC: - SSL configuration needs to be on SCAN listeners and local listeners - Wallet should be available in all nodes 31 © 2018 Pythian WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet) ) )
Case 1: 2 – Add TCPS listener endpoints 32 © 2018 Pythian [oracle@myserver ~]$ crsctl stat res -p |grep ENDPOINTS ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 [oracle@myserver ~]$ srvctl modify listener -p "TCP:1521/TCPS:2484" [oracle@myserver ~]$ srvctl modify scan_listener -p "TCP:1521/TCPS:2484" [oracle@myserver ~]$ crsctl stat res -p |grep -B20 ENDPOINTS | grep -e ENDPOINTS -e "^NAME=" NAME=ora.LISTENER.lsnr ENDPOINTS=TCP:1521 TCPS:2484 NAME=ora.LISTENER_SCAN1.lsnr ENDPOINTS=TCP:1521 TCPS:2484 NAME=ora.LISTENER_SCAN2.lsnr ENDPOINTS=TCP:1521 TCPS:2484 NAME=ora.LISTENER_SCAN3.lsnr ENDPOINTS=TCP:1521 TCPS:2484 NAME=ora.MGMTLSNR ENDPOINTS=TCP:1521
Case 1: 3 – Adjust LOCAL_LISTENER • New TCPS listener should be added to the list of listeners in the LOCAL_LISTENER database parameter – Static registration can be used for single instances instead 33 © 2018 Pythian ALTER SYSTEM SET LOCAL_LISTENER='(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)...) (ADDRESS=(PROTOCOL=TCPS)...)))' scope=both;
Case 1: Final steps and tests • 4 - Restart listeners Do it by node to minimize downtime (add -n node parameter) Optionally restart database to confirm all changes done to configuration files are good • 5 - Distribute wallet to clients – Clients could use their own certificates to add extra security. Server and Client certificates should be included in each wallet for that (export/import of each certificate) • 6 - Configure wallet directory in client sqlnet.ora / tnsnames.ora tnsnames.ora entry overwrites sqlnet.ora configuration: 34 © 2018 Pythian $ srvctl stop scan_listener ; srvctl start scan_listener ; srvctl status scan_listener $ srvctl stop listener ; srvctl start listener ; srvctl status listener orclSSL = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = orcl-scan)(PORT = 2484)) (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl) ) (SECURITY=(MY_WALLET_DIRECTORY=C:OracleClientwallet)) )
Case 1: Extra considerations Wallets for PDBs • Each PDB use its own wallet with its own certificates for TLS authentication • Shared sqlnet.ora, place PDB wallet in a subdirectory of the wallet directory where the name of the subdirectory is the GUID of the PDB that uses the wallet • DBA_PDBS data dictionary view has existing PDBs and their GUIDs – example: $ORACLE_HOME/admin/db_unique_name/wallet/PDB_GUID https://docs.oracle.com/en/database/oracle/oracle-database/18/dbseg/configuring-secure-sockets-layer-authentication.html Configuration using JDBC https://blogs.oracle.com/dev2dev/ssl-connection-to-oracle-db-using-jdbc,-tlsv12,-jks-or-oracle-wallets 35 © 2018 Pythian
Case 2: utl_smtp PL/SQL • Requirements: – SSL for utl_smtp available since Oracle 11.2.0.2 – Credentials to authenticate with mail server • Steps: – Get the SSL certificates used by email server – Import those SSL certificates into an Oracle Wallet – Create ACL to allow traffic for the user/port (MOS note 1209644.1) – Call utl_smtp using sample code from MOS note 1323140.1 • Example using Amazon Simple Email Service (SES): https://blog.pythian.com/oracle-and-amazon-simple-email-service/ • Issues when mail server certificates are changed (it will!) 36 © 2018 Pythian
Case 2: utl_smtp PL/SQL Get the SSL certificates used by email server 37 © 2018 Pythian openssl s_client -showcerts -connect smtp.gmail.com:993 CONNECTED(00000003) depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign verify return:1 depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3 verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = imap.gmail.com verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3 -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3 i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign -----BEGIN CERTIFICATE-----
Case 3: Oracle Enterprise Manager It has • TLS protocol used by its components (OMS, Agent, WLS, OPMN, OHS) • Ciphers used by SSL certificates on those ports • Key strength of those certificates All changes with versions: • 12c: use MOS note 1602983.1 to enable usage of TLSv1.0 Protocol • 13.1: EM Oracle Management Service is configured to use TLS v1.0, v1.1 and v1.2 protocols out-of-the-box – It can be changed to restrict OMS to use specific protocols like TLS v1.1 or TLS v1.2. Details in MOS note 2212006.1 • 13.2: TLS v1.2 is default • 13.3: OMS has java version 1.7.0_171 out-of-the-box 38 © 2018 Pythian
Case 3: OEM fun – possible changes OEM 12c: uses 10.3.6 WLS. Demo cert. has 512 bit keystrength signed with MD5withRSA OEM 13c: uses 12.1.3 WLS. Demo cert. has 2048 bit keystrength signed with SHA256withRSA We can make changes following steps from below notes: • How to Check and Increase the Key Strength of Certificates Used in Enterprise Manager Grid Control (Doc ID 1476567.1) - EM 12c: How to Disable Weak SSLCipherSuites Used by Enterprise Manager 12c Cloud Control (Doc ID 1477287.1) - New SSL Protocol and Cipher Options for Oracle Fusion Middleware's OPMN/ONS Component (Doc ID 1905314.1) - Regenerating OEM 12c SSL certificates with Higher Keystrength and Signature Algorithm (Doc ID 1611578.1) - WebLogic Server - Migrating a 1024-bit key certficate (CSR) to a 2048-bit key (Doc ID 949316.1) - EM 13c, 12c: How to Configure Enterprise Manager's Weblogic Server (WLS) for Secure Socket Layer Certificates (Doc ID 2220788.1) 39 © 2018 Pythian
Today’s topics • Security basis • Use cases in the Oracle Database 1. SSL for database connections 2. Email from PL/SQL 3. Oracle Enterprise Manager • Management • Troubleshooting 40 © 2018 Pythian
Management • Certificates – Create, sign and distribute – Renew (before expiration date) – Re-generate with different cipher suite (e.g.: SHA2) – Wallets: create, import certificates, distribute to clients • SQL*Net configuration – Change cipher suites (SHA1, SHA2, etc.) – Restrict protocol versions to use • Oracle homes – Patch server/clients to incorporate newer protocol versions and cipher algorithms 41 © 2018 Pythian
Enforcing particular protocols/ciphers Why? • To comply with security policies • If using older Database versions that have weak protocols enabled Example: Enforcing TLS 1.2 (disabling 1.0/1.1) 1) sqlnet.ora (GI and DB home) 42 © 2018 Pythian SSL_VERSION=1.2 SSL_CIPHER_SUITES = ((SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_EC DSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_ECDSA_WI TH_AES_256_GCM_SHA384,SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384))
Enforcing particular protocols/ciphers (cont.) 2) Restart listeners (SCAN too if using RAC) 43 © 2018 Pythian $ lsnrctl stop listener ; lsnrctl start listener ; lsnrctl status ... Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=172.15.232.29)(PORT=2484))) Services Summary... 3) Test connectivity Easy way is to configure a client enforcing one of the non-accepted protocols or ciphers, or using a certificate with a non accepted signing algorithm. $ sqlplus test/test@ORCLCSSL ... SQL> select sys_context('userenv','network_protocol') from dual; SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') -------------------------------------------------------------------------------- tcps
Troubleshooting - Steps 1) Use tnsping to test the connection to the database TNS entry over TCPS 2) Verify the listener.ora and sqlnet.ora files on the database server 3) Verify the permissions of the wallet files 4) Check the SSL_VERSION is supported by Oracle binaries 5) Enable sqlnet tracing for the listener and sqlplus connections 6) Capture traffic with tcpdump and check handshake 7) Is using utl_http service, get a trace for the event 10937 8) Verify patches installed (look for latest MES in PSU since July 2018) 44 © 2018 Pythian
Confirm protocols accepted So far we have enabled SSL in the listener to use all available TLS protocols and signing algorithms for our installed version. To check that: 45 © 2018 Pythian [oracle@myhost ~]$ openssl s_client -host server-vip -port 2484 CONNECTED(00000003) depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root … SSL handshake has read 5942 bytes and written 573 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: … --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024 bit … SSL-Session: Protocol : TLSv1 Cipher : RC4-SHA
Confirm protocols accepted 46 © 2018 Pythian We can inspect the traffic: - Enabling SQL*Net trace – no details about protocol used in handsake - Use tcpdump and wireshark to confirm protocols and ciphers [root@myserver ~]# tcpdump -nnvvXSs0 -i eth1 host myhost.mydomain -w /tmp/tcpdump.out tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes Perform activity from client and stop capture: SQL> select * from dual; [root@myserver ~]# ^C 926 packets captured 926 packets received by filter 0 packets dropped by kernel Open the generated file using wireshark. - Mark the port used for SSL (Analyze -> Decode As -> Transport)
Wireshark 47 © 2018 Pythian
SSL Troubleshooting Guide (Doc ID 166492.1) • ORA-12560: TNS:protocol adapter error • ORA-28862: SSL connection failed – 28759, 00000, "Failed to open file" – 28859, 00000, "SSL negotiation failure" – ntzCreateConnection: failed with error 549 • ORA-29024:Certificate Validation Failure • ORA-29143: Message 29143 not found • ORA-29106: Can not import PKCS # 12 wallet • ORA-28860: Fatal SSL error • ORA-29263: HTTP protocol error • ORA-28868: certificate chain check failed • ORA-28750: unknown error 48 © 2018 Pythian • ORA-28865: SSL connection closed • ORA-01004: Default username feature not supported; log denied • ORA-28864: SSL connection closed gracefully • ORA-01017: invalid username/password; logon denied • alert.log: "SSL Client: Server DN doesn't contain expected SID name" • ORA-29113: Cannot access attributes from a PKCS #12 key bag. • ORA-29002: SSL transport detected invalid or obsolete server certificate • ORA-29003: SSL transport detected mismatched server certificate • ORA-28857: Unknown SSL Error
Common errors found • PKI-04006: No matching private key in the wallet – Caused when imported certs into a server that did not generated the request – Repeat the same procedure in the server that generated the request worked without errors • ORA-29024: Certificate validation failure – Expired certificate – Wallet not in the path (sqlnet.ora, listener.ora), privileges • ORA-28864: ssl connection closed gracefully – Client installation, firewall • ORA-28865: SSL connection closed – No matching protocol or cipher suite on server/client configuration 49 © 2018 Pythian
THANK YOU Questions? 50 calero@pythian.com @ncalerouy http://www.linkedin.com/in/ncalero © 2017 Pythian
References - documentation • Oracle Database Security Guide 18c – Configuring SSL authentication https://docs.oracle.com/en/database/oracle/oracle-database/18/dbseg/configuring-secure-sockets-layer- authentication.html#GUID-6AD89576-526F-4D6B-A539-ADF4B840819F • Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1) • TLS 1.2 in Oracle Database and MES415 (Doc ID 2274242.1) • How To Investigate And Troubleshoot SSL/TLS Issues on the Database And Client SQL*Net Layer (Doc ID 2238096.1) 51 © 2018 Pythian

Recommended

Oracle GoldenGate 18c - REST API Examples
Oracle GoldenGate 18c - REST API ExamplesOracle GoldenGate 18c - REST API Examples
Oracle GoldenGate 18c - REST API Examples
Bobby Curtis
 
Working with Terraform on Azure
Working with Terraform on AzureWorking with Terraform on Azure
Working with Terraform on Azure
tombuildsstuff
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
Yuechuan (Mike) Chen
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
Migration From Oracle to PostgreSQL
Migration From Oracle to PostgreSQLMigration From Oracle to PostgreSQL
Migration From Oracle to PostgreSQL
PGConf APAC
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to Vault
Knoldus Inc.
 
Cloud Monitoring tool Grafana
Cloud Monitoring tool Grafana Cloud Monitoring tool Grafana
Cloud Monitoring tool Grafana
Dhrubaji Mandal ♛
 
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the CloudOracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Markus Michalewicz
 

Recommended

Oracle GoldenGate 18c - REST API Examples
Oracle GoldenGate 18c - REST API ExamplesOracle GoldenGate 18c - REST API Examples
Oracle GoldenGate 18c - REST API Examples
Bobby Curtis
 
Working with Terraform on Azure
Working with Terraform on AzureWorking with Terraform on Azure
Working with Terraform on Azure
tombuildsstuff
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
Yuechuan (Mike) Chen
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
Migration From Oracle to PostgreSQL
Migration From Oracle to PostgreSQLMigration From Oracle to PostgreSQL
Migration From Oracle to PostgreSQL
PGConf APAC
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to Vault
Knoldus Inc.
 
Cloud Monitoring tool Grafana
Cloud Monitoring tool Grafana Cloud Monitoring tool Grafana
Cloud Monitoring tool Grafana
Dhrubaji Mandal ♛
 
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the CloudOracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Markus Michalewicz
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with Prometheus
Shiao-An Yuan
 
Prometheus Overview
Prometheus OverviewPrometheus Overview
Prometheus Overview
Brian Brazil
 
Infrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusInfrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using Prometheus
Marco Pas
 
Server monitoring using grafana and prometheus
Server monitoring using grafana and prometheusServer monitoring using grafana and prometheus
Server monitoring using grafana and prometheus
Celine George
 
Best Practices of Infrastructure as Code with Terraform
Best Practices of Infrastructure as Code with TerraformBest Practices of Infrastructure as Code with Terraform
Best Practices of Infrastructure as Code with Terraform
DevOps.com
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
Kangaroot
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and Grafana
Arvind Kumar G.S
 
MySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group ReplicationMySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group Replication
Frederic Descamps
 
Graylog
GraylogGraylog
Graylog
Diwakar Upadhyay
 
AZ-204T00A-PowerPoint_00.pptx
AZ-204T00A-PowerPoint_00.pptxAZ-204T00A-PowerPoint_00.pptx
AZ-204T00A-PowerPoint_00.pptx
JavierMadrigal29
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
Alex Schoof
 
Oracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAsOracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAs
Gokhan Atil
 
Terraform on Azure
Terraform on AzureTerraform on Azure
Terraform on Azure
Mithun Shanbhag
 
OpenTelemetry Introduction
OpenTelemetry Introduction OpenTelemetry Introduction
OpenTelemetry Introduction
DimitrisFinas1
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
Zabbix Performance Tuning
Zabbix Performance TuningZabbix Performance Tuning
Zabbix Performance Tuning
Ricardo Santos
 
Grafana introduction
Grafana introductionGrafana introduction
Grafana introduction
Rico Chen
 
Migration to Oracle Multitenant
Migration to Oracle MultitenantMigration to Oracle Multitenant
Migration to Oracle Multitenant
Jitendra Singh
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsAzure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
WinWire Technologies Inc
 
Introduction to Prometheus
Introduction to PrometheusIntroduction to Prometheus
Introduction to Prometheus
Julien Pivotto
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
Maarten Smeets
 
Secure socket later
Secure socket laterSecure socket later
Secure socket laterMuhammad Ahmad Nazar
 

More Related Content

What's hot

Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with Prometheus
Shiao-An Yuan
 
Prometheus Overview
Prometheus OverviewPrometheus Overview
Prometheus Overview
Brian Brazil
 
Infrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusInfrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using Prometheus
Marco Pas
 
Server monitoring using grafana and prometheus
Server monitoring using grafana and prometheusServer monitoring using grafana and prometheus
Server monitoring using grafana and prometheus
Celine George
 
Best Practices of Infrastructure as Code with Terraform
Best Practices of Infrastructure as Code with TerraformBest Practices of Infrastructure as Code with Terraform
Best Practices of Infrastructure as Code with Terraform
DevOps.com
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
Kangaroot
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and Grafana
Arvind Kumar G.S
 
MySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group ReplicationMySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group Replication
Frederic Descamps
 
Graylog
GraylogGraylog
Graylog
Diwakar Upadhyay
 
AZ-204T00A-PowerPoint_00.pptx
AZ-204T00A-PowerPoint_00.pptxAZ-204T00A-PowerPoint_00.pptx
AZ-204T00A-PowerPoint_00.pptx
JavierMadrigal29
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
Alex Schoof
 
Oracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAsOracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAs
Gokhan Atil
 
Terraform on Azure
Terraform on AzureTerraform on Azure
Terraform on Azure
Mithun Shanbhag
 
OpenTelemetry Introduction
OpenTelemetry Introduction OpenTelemetry Introduction
OpenTelemetry Introduction
DimitrisFinas1
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
Zabbix Performance Tuning
Zabbix Performance TuningZabbix Performance Tuning
Zabbix Performance Tuning
Ricardo Santos
 
Grafana introduction
Grafana introductionGrafana introduction
Grafana introduction
Rico Chen
 
Migration to Oracle Multitenant
Migration to Oracle MultitenantMigration to Oracle Multitenant
Migration to Oracle Multitenant
Jitendra Singh
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsAzure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
WinWire Technologies Inc
 
Introduction to Prometheus
Introduction to PrometheusIntroduction to Prometheus
Introduction to Prometheus
Julien Pivotto
 

What's hot (20)

Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with Prometheus
 
Prometheus Overview
Prometheus OverviewPrometheus Overview
Prometheus Overview
 
Infrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusInfrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using Prometheus
 
Server monitoring using grafana and prometheus
Server monitoring using grafana and prometheusServer monitoring using grafana and prometheus
Server monitoring using grafana and prometheus
 
Best Practices of Infrastructure as Code with Terraform
Best Practices of Infrastructure as Code with TerraformBest Practices of Infrastructure as Code with Terraform
Best Practices of Infrastructure as Code with Terraform
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and Grafana
 
MySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group ReplicationMySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group Replication
 
Graylog
GraylogGraylog
Graylog
 
AZ-204T00A-PowerPoint_00.pptx
AZ-204T00A-PowerPoint_00.pptxAZ-204T00A-PowerPoint_00.pptx
AZ-204T00A-PowerPoint_00.pptx
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
 
Oracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAsOracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAs
 
Terraform on Azure
Terraform on AzureTerraform on Azure
Terraform on Azure
 
OpenTelemetry Introduction
OpenTelemetry Introduction OpenTelemetry Introduction
OpenTelemetry Introduction
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
Zabbix Performance Tuning
Zabbix Performance TuningZabbix Performance Tuning
Zabbix Performance Tuning
 
Grafana introduction
Grafana introductionGrafana introduction
Grafana introduction
 
Migration to Oracle Multitenant
Migration to Oracle MultitenantMigration to Oracle Multitenant
Migration to Oracle Multitenant
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsAzure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
 
Introduction to Prometheus
Introduction to PrometheusIntroduction to Prometheus
Introduction to Prometheus
 

Similar to SSL certificates in the Oracle Database without surprises

All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
Maarten Smeets
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measures
Maarten Smeets
 
BSET_Lecture_Crypto and SSL_Overview_FINAL
BSET_Lecture_Crypto and SSL_Overview_FINALBSET_Lecture_Crypto and SSL_Overview_FINAL
BSET_Lecture_Crypto and SSL_Overview_FINALGlenn Haley
 
Null talk
Null talkNull talk
Null talk
Agam Jain
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
DigiCert, Inc.
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
Cisco Canada
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
DATA SECURITY SOLUTIONS
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4limsh
 
June OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification ManagerJune OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification Manager
Howard Greenberg
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
Taswar Bhatti
 
Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3
Alexandra N. Martinez
 
Vital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQLVital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQL
Lesa Cote
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfSECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
NiharikaDubey17
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
Brian A. McHenry
 
Let's Encrypt + DANE
Let's Encrypt + DANELet's Encrypt + DANE
Let's Encrypt + DANE
Deploy360 Programme (Internet Society)
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
SSL247®
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
Jackio Kwok
 

Similar to SSL certificates in the Oracle Database without surprises (20)

All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
 
Secure socket later
Secure socket laterSecure socket later
Secure socket later
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measures
 
BSET_Lecture_Crypto and SSL_Overview_FINAL
BSET_Lecture_Crypto and SSL_Overview_FINALBSET_Lecture_Crypto and SSL_Overview_FINAL
BSET_Lecture_Crypto and SSL_Overview_FINAL
 
Null talk
Null talkNull talk
Null talk
 
Unit08
Unit08Unit08
Unit08
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
 
June OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification ManagerJune OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification Manager
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3
 
Vital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQLVital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQL
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfSECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
Let's Encrypt + DANE
Let's Encrypt + DANELet's Encrypt + DANE
Let's Encrypt + DANE
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
 

More from Nelson Calero

Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023
Nelson Calero
 
Terraform Tips and Tricks - LAOUC 2022
Terraform Tips and Tricks - LAOUC 2022Terraform Tips and Tricks - LAOUC 2022
Terraform Tips and Tricks - LAOUC 2022
Nelson Calero
 
Oracle on kubernetes 101 - Dec/2021
Oracle on kubernetes 101 - Dec/2021Oracle on kubernetes 101 - Dec/2021
Oracle on kubernetes 101 - Dec/2021
Nelson Calero
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Nelson Calero
 
Oracle Exadata Cloud Services guide from practical experience - OOW19
Oracle Exadata Cloud Services guide from practical experience - OOW19Oracle Exadata Cloud Services guide from practical experience - OOW19
Oracle Exadata Cloud Services guide from practical experience - OOW19
Nelson Calero
 
Automate your oracle cloud infrastructure operations v2.0 - OOW19
Automate your oracle cloud infrastructure operations v2.0 - OOW19Automate your oracle cloud infrastructure operations v2.0 - OOW19
Automate your oracle cloud infrastructure operations v2.0 - OOW19
Nelson Calero
 
Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0
Nelson Calero
 
Practical guide to Oracle Virtual environments
Practical guide to Oracle Virtual environmentsPractical guide to Oracle Virtual environments
Practical guide to Oracle Virtual environments
Nelson Calero
 
Automate your Oracle Cloud Infrastructure operation
Automate your Oracle Cloud Infrastructure operationAutomate your Oracle Cloud Infrastructure operation
Automate your Oracle Cloud Infrastructure operation
Nelson Calero
 
Welcome to databases in the Cloud
Welcome to databases in the CloudWelcome to databases in the Cloud
Welcome to databases in the Cloud
Nelson Calero
 
Redefining tables online without surprises
Redefining tables online without surprisesRedefining tables online without surprises
Redefining tables online without surprises
Nelson Calero
 
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in OracleProtect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Nelson Calero
 
Evolution of Performance Management: Oracle 12c adaptive optimizations - ukou...
Evolution of Performance Management: Oracle 12c adaptive optimizations - ukou...Evolution of Performance Management: Oracle 12c adaptive optimizations - ukou...
Evolution of Performance Management: Oracle 12c adaptive optimizations - ukou...
Nelson Calero
 
Oracle Exadata Maintenance tasks 101 - OTN Tour 2015
Oracle Exadata Maintenance tasks 101 - OTN Tour 2015Oracle Exadata Maintenance tasks 101 - OTN Tour 2015
Oracle Exadata Maintenance tasks 101 - OTN Tour 2015
Nelson Calero
 
My Experience Using Oracle SQL Plan Baselines 11g/12c
My Experience Using Oracle SQL Plan Baselines 11g/12cMy Experience Using Oracle SQL Plan Baselines 11g/12c
My Experience Using Oracle SQL Plan Baselines 11g/12c
Nelson Calero
 
Oracle RAC sin sorpresas - v2014
Oracle RAC sin sorpresas - v2014Oracle RAC sin sorpresas - v2014
Oracle RAC sin sorpresas - v2014
Nelson Calero
 
Alta disponibilidad con Pacemaker
Alta disponibilidad con PacemakerAlta disponibilidad con Pacemaker
Alta disponibilidad con Pacemaker
Nelson Calero
 
AROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQL
AROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQLAROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQL
AROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQL
Nelson Calero
 
MariaDB y FOSS en infraestructura de salud y estándares
MariaDB y FOSS en infraestructura de salud y estándaresMariaDB y FOSS en infraestructura de salud y estándares
MariaDB y FOSS en infraestructura de salud y estándares
Nelson Calero
 
UYOUG 2012 - Oracle RAC 11gR2 - New features
UYOUG 2012 - Oracle RAC 11gR2 - New featuresUYOUG 2012 - Oracle RAC 11gR2 - New features
UYOUG 2012 - Oracle RAC 11gR2 - New features
Nelson Calero
 

More from Nelson Calero (20)

Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023Database automation guide - Oracle Community Tour LATAM 2023
Database automation guide - Oracle Community Tour LATAM 2023
 
Terraform Tips and Tricks - LAOUC 2022
Terraform Tips and Tricks - LAOUC 2022Terraform Tips and Tricks - LAOUC 2022
Terraform Tips and Tricks - LAOUC 2022
 
Oracle on kubernetes 101 - Dec/2021
Oracle on kubernetes 101 - Dec/2021Oracle on kubernetes 101 - Dec/2021
Oracle on kubernetes 101 - Dec/2021
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
 
Oracle Exadata Cloud Services guide from practical experience - OOW19
Oracle Exadata Cloud Services guide from practical experience - OOW19Oracle Exadata Cloud Services guide from practical experience - OOW19
Oracle Exadata Cloud Services guide from practical experience - OOW19
 
Automate your oracle cloud infrastructure operations v2.0 - OOW19
Automate your oracle cloud infrastructure operations v2.0 - OOW19Automate your oracle cloud infrastructure operations v2.0 - OOW19
Automate your oracle cloud infrastructure operations v2.0 - OOW19
 
Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0
 
Practical guide to Oracle Virtual environments
Practical guide to Oracle Virtual environmentsPractical guide to Oracle Virtual environments
Practical guide to Oracle Virtual environments
 
Automate your Oracle Cloud Infrastructure operation
Automate your Oracle Cloud Infrastructure operationAutomate your Oracle Cloud Infrastructure operation
Automate your Oracle Cloud Infrastructure operation
 
Welcome to databases in the Cloud
Welcome to databases in the CloudWelcome to databases in the Cloud
Welcome to databases in the Cloud
 
Redefining tables online without surprises
Redefining tables online without surprisesRedefining tables online without surprises
Redefining tables online without surprises
 
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in OracleProtect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
 
Evolution of Performance Management: Oracle 12c adaptive optimizations - ukou...
Evolution of Performance Management: Oracle 12c adaptive optimizations - ukou...Evolution of Performance Management: Oracle 12c adaptive optimizations - ukou...
Evolution of Performance Management: Oracle 12c adaptive optimizations - ukou...
 
Oracle Exadata Maintenance tasks 101 - OTN Tour 2015
Oracle Exadata Maintenance tasks 101 - OTN Tour 2015Oracle Exadata Maintenance tasks 101 - OTN Tour 2015
Oracle Exadata Maintenance tasks 101 - OTN Tour 2015
 
My Experience Using Oracle SQL Plan Baselines 11g/12c
My Experience Using Oracle SQL Plan Baselines 11g/12cMy Experience Using Oracle SQL Plan Baselines 11g/12c
My Experience Using Oracle SQL Plan Baselines 11g/12c
 
Oracle RAC sin sorpresas - v2014
Oracle RAC sin sorpresas - v2014Oracle RAC sin sorpresas - v2014
Oracle RAC sin sorpresas - v2014
 
Alta disponibilidad con Pacemaker
Alta disponibilidad con PacemakerAlta disponibilidad con Pacemaker
Alta disponibilidad con Pacemaker
 
AROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQL
AROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQLAROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQL
AROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQL
 
MariaDB y FOSS en infraestructura de salud y estándares
MariaDB y FOSS en infraestructura de salud y estándaresMariaDB y FOSS en infraestructura de salud y estándares
MariaDB y FOSS en infraestructura de salud y estándares
 
UYOUG 2012 - Oracle RAC 11gR2 - New features
UYOUG 2012 - Oracle RAC 11gR2 - New featuresUYOUG 2012 - Oracle RAC 11gR2 - New features
UYOUG 2012 - Oracle RAC 11gR2 - New features
 

Recently uploaded

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 

Recently uploaded (20)

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 

SSL certificates in the Oracle Database without surprises

  • 1. SSL certificates in the Oracle Database without surprises UKOUG – December 2018 Nelson Calero
  • 2. Today’s topics • Security basis • Use cases in the Oracle Database 1. SSL for database connections 2. Email from PL/SQL 3. Oracle Enterprise Manager • Management • Troubleshooting 2 © 2018 Pythian Intended audience: DBAs and Developers
  • 3. • Database Consultant at Pythian since 2014 • Working with Oracle tools and Linux environments since 1996 • DBA Oracle (2001) & MySQL (2005) • Co-founder and President of the Oracle user Group of Uruguay (2009) • LAOUC Director of events (2013) • Computer Engineer (1998) • Oracle ACE (2014), Oracle ACE Director (2017) • Oracle Certified Professional 10g/11g/12c, OCE, Cloud DB & Infra • Amazon Solutions Architect – Associate (2016) • Google Cloud Architect (2017), Google Cloud Data Engineer (2017) • Oracle University Instructor (2011) • Blogger and speaker: Oracle Open World, Collaborate, OTN Tour, Regional conferences About me 3 © 2018 Pythian http://www.linkedin.com/in/ncalero @ncalerouy
  • 4.
  • 5.
  • 6. 3 Membership Tiers • Oracle ACE Director • Oracle ACE • Oracle ACE Associate bit.ly/OracleACEProgram 500+ Technical Experts Helping Peers Globally Connect: Nominate yourself or someone you know: acenomination.oracle.com @oracleace Facebook.com/oracleaces oracle-ace_ww@oracle.com
  • 7. Security Basis • SSL • Public/private keys • PKI • Certificates • CA • Publicly trusted CA 7 © 2018 Pythian • Signatures • Certificate chain • Certificate hierarchy • Wallets • Handshake • Protocols in Oracle versions
  • 8. Basis – Secure Sockets Layer • SSL is the standard security technology for establishing an encrypted link between a server and a client • Provides network-level authentication, data encryption, and data integrity, ensuring that all data passed between them remain private and integral • Examples: – webserver and browser – mail server and mail client • Based on Public Key Cryptography using Public Key Infrastructure (PKI) 8 © 2018 Pythian
  • 9. SSL with the Oracle database • Since 10gR2 SSL/TLS are no longer part of the Advanced Security Option • Since 12c SSL/TLS is available in Oracle Standard Edition • Enabled by default in Oracle Cloud Database services 9 © 2018 Pythian
  • 10. Basis – SSL History • SSL - Secure Socket Layers Protocol – Developed by Netscape • TLS - Transport Layer Security Protocol – new version of SSL, based on SSL 3.0 – SSL 2.0 and 3.0 deprecated in 2011 and 2015 • SSL and TLS protocols do not interoperate • SSL Certificates do not depend on protocol • Several algorithms to use in signing stages 10 © 2018 Pythian Protocol Year SSL 1.0 No SSL 2.0 1995 SSL 3.0 1996 TLS 1.0 1999 TLS 1.1 2006 TLS 1.2 2008 TLS 1.3 2018
  • 11. Basis – SSL History • SSL - Secure Socket Layers Protocol – Developed by Netscape • TLS - Transport Layer Security Protocol – new version of SSL, based on SSL 3.0 – SSL 2.0 and 3.0 deprecated in 2011 and 2015 • SSL and TLS protocols do not interoperate • SSL Certificates do not depend on protocol • Several algorithms to use in signing stages 11 © 2018 Pythian Protocol Year Oracle SSL 1.0 No SSL 2.0 1995 SSL 3.0 1996 TLS 1.0 1999 11.1 (2007) TLS 1.1 2006 TLS 1.2 2008 12.1 (2013) TLS 1.3 2018
  • 12. Basis – Public and private key encryption • Also known as asymmetric encryption • Requires more computational power than symmetric encryption • Vulnerabilities: – Brute force: reduced by using larger keys – Man in the middle: resolved using signatures and Certificate Authorities (CA) 12 © 2018 Pythian Sender Receiver Private key Public key Message Encrypted Message Message Encrypted Message Sender Public key
  • 13. Basis – Public Key Infrastructure (PKI) • Framework using public and privates key, certificates and method for key distribution • SSL/TLS uses a key-exchange algorithm to allow symmetric keys (hybrid cryptosystem), less computationally intensive than using asymmetric keys • Components: – Certificate Authority (CA): a trusted third party that certifies the identity of entities, such as users, databases, administrators, clients, and servers. – Certificates: created when an entity's public key is signed by a trusted certificate authority (CA). – Wallet: a container that stores authentication and signing credentials, including private keys, certificates, and trusted certificates SSL – Certificates revocation lists: validity of CA signed certificates 13 © 2018 Pythian
  • 14. Basis – Certificates • Used for authentication • Follows X.509 specification • Associates public key with an organization’s details (AKA DN): – A domain name, server name or hostname – An organizational identity (i.e. company name) and location • It also includes – CA name, the CA signature, and the certificate effective dates – Digital signature (explained later) • They can be self-signed - for use in test environments 14 © 2018 Pythian
  • 15. Basis – Certificate Authority (CA) • A third party trusted by both of the communicating parties (e.g. Verisign) • Validates, identities and issue/revoke certificates • The CA uses its private key to encrypt a message • The CA public key is well known and does not have to be authenticated each time it is accessed (browsers, wallets, etc.) • Organization can use in-house CA (e.g. MS Certificate services) 15 © 2018 Pythian
  • 16. Basis – Signature • One-way hash of the data (certificate) encrypted with signer’s private key – it cannot be reversed • Receiver validates the integrity of the data: – Receiver gets the data and signature – Data is decrypted using sender’s public key – Signature is decrypted using sender’s public key – New signature is created using same algorithm – Both new and received signature should match if data was not tampered 16 © 2018 Pythian
  • 17. Basis – Publicly Trusted CAs • A trusted third party (TTP) used as CA for the certificates • Commercial – Verisign, Digicert, GoDaddy • Web browsers includes by default public keys of TTPs CA • De-facto standard for websites, as certificates from non trusted CAs are reported by default as dangerous 17 © 2018 Pythian
  • 18. Basis – Certificate hierarchy and chain 18 https://docs.oracle.com/cd/E19424-01/820-4811/gdzen/index.html
  • 19. Basis – Wallet • A file storing authentication and signing credentials, including private keys, certificates, and trusted certificates SSL needs. • Oracle server and client using SSL needs a wallet file – configured in sqlnet.ora, listener.ora, optional in tnsnames.ora (instead of sqlnet) – Must be auto-login • Managed with Oracle Wallet Manager and orapki tool • Creation process for an SSL wallet: – Generate a public-private pair – Create a certificate request – Submit the certificate request to the CA – Import the signed server certificate into the wallet – Install the wallet into the server – Distribute server certificate to clients (exchange w/client) 19 © 2018 Pythian
  • 20. Basis – SSL handshake in Oracle 1) The client and server establish which cipher suites to use. This includes which encryption algorithms are used for data transfers. 2) The server sends its certificate to the client, and the client verifies that the server's certificate was signed by a trusted CA. This step verifies the identity of the server. 3) Similarly, if client authentication is required, the client sends its own certificate to the server, and the server verifies that the client's certificate was signed by a trusted CA. 4) The client and server exchange key information using public key cryptography. Based on this information, each generates a session key. All subsequent communications between the client and the server is encrypted and decrypted by using this session key and the negotiated cipher suite. 20 © 2018 Pythian
  • 21. Basis – SSL handshake in Oracle Authentication: • On a client, the user initiates an Oracle Net connection to the server by using SSL • SSL performs the handshake between the client and the server • If the handshake is successful, then the server verifies that the user has the appropriate authorization to access the database Possible configurations: - Only the server authenticates itself to the client - Both client and server authenticate themselves to each other - Neither the client nor the server authenticates itself to the other, thus using the SSL encryption feature by itself 21 © 2018 Pythian
  • 22. Basis – handshake changes in TLS v1.3 22 https://blog.cloudflare.com/introducing-tls-1-3/
  • 23. Basis – Protocols in Oracle versions Default TLS version included with Oracle releases: – Oracle 11.1 - TLS 1.0 – Oracle 12.1 - TLS 1.2 PSUs include update/new algorithms, using MES SDK: – 11.2.0.4.0 - BSAFE 6.3.2.2 and Certicom SSL plus 3.0 supported SSLv3 (SHA2) – 12.1.0.2.0 - MESv405 supported TLSv1.2, FIPS 140-2 (MESv405 is deprecated). – 12.2.0.2.0 - MESv415 supported TLSv1.2, FIPS 140-2 (validated). – 18c – MES416 – 19c – MES4161 NOTE: no more one-off or overlay patches needed for MES (Doc ID 2274242.1) 11g Standard Edition: TCPS adapter needs to be enabled in oracle binaries before MES bundle patch is applied using Note 1457854.1 23 © 2018 Pythian
  • 24. Today’s topics • Security basis • Use cases in the Oracle Database 1. SSL for database connections 2. Email from PL/SQL 3. Oracle Enterprise Manager • Management • Troubleshooting 24 © 2018 Pythian
  • 25. Case 1: SSL for database connections 1. Create a wallet – using signed CA in this example a. Create a certificate request b. Submit the certificate request to the CA c. Import the signed server certificate 2. Configure server sqlnet.ora / listener.ora a. Add wallet directory to both b. Optionally, restrict cipher algorithms and protocol versions, client authentication c. Add TCPS listener endpoint 3. Add new TCPS listener to LOCAL_LISTENER parameter 4. Restart listener 5. Distribute wallet to clients 6. Configure wallet directory in client sqlnet.ora / tnsnames.ora Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1) 25 © 2018 Pythian
  • 26. Case 1: 1 - Create a wallet 26 © 2018 Pythian orapki wallet create -wallet . -auto_login -pwd $MYPASSchmod 775 ewallet.p12 cwallet.sso orapki wallet display -wallet . orapki wallet remove -trusted_cert_all -wallet . -pwd $MYPASS
  • 27. Case 1: 1 - Create a wallet 27 © 2018 Pythian orapki wallet create -wallet . -auto_login -pwd $MYPASSchmod 775 ewallet.p12 cwallet.sso orapki wallet display -wallet . orapki wallet remove -trusted_cert_all -wallet . -pwd $MYPASS [oracle@myserver wallet2018]$ ls -lrt total 0 [oracle@myserver wallet2018]$ orapki wallet create -wallet . -auto_login -pwd xxx Oracle PKI Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. [oracle@myserver wallet2018]$ orapki wallet display -wallet . Oracle PKI Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Trusted Certificates: Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
  • 28. Case 1: 1 - Create a wallet Note: self signed certificates can be used instead of step a), skipping b) a. Create a certificate request 28 © 2018 Pythian orapki wallet add -wallet . -dn "CN=myserver.domain,O=Acme,L=New York,ST=New York,C=US" -keysize 2048 -pwd $MYPASS orapki wallet export -wallet . -dn "CN=myserver.domain,O=Acme,L=New York,ST=New York,C=US" -request ./myserver.req -pwd $MYPASS Known issue: orapki uses MD5 algorithm for requests (cannot be changed). Above won’t work if we want SHA2 signed request (validated by CAs nowadays). Use openssl instead: openssl pkcs12 -in ewallet.p12 -nodes -out mywallet.pem openssl req -new -key mywallet.pem -sha256 -out mywallet-sha2.csr
  • 29. Case 1: 1 - Create a wallet b. Submit the certificate request to the CA if we don’t use external CA (for testing), a Self-Signed Certificate can be created. c. Import the signed server certificate We can see the cipher algorithm used to sign the certificate received: 29 © 2018 Pythian $ openssl x509 -in mysignedcert.cer –text Certificate: Data: Version: 3 (0x2) Serial Number: 96:c2:92:71:11:1e:70:c1:5e:5e:62:a3:fe:44:f9:c3 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, CN=InCommon RSA Server CA orapki cert create -wallet $ORACLE_BASE/wallet_CA -request ./myserver.req -cert ./usercert.txt -sign_alg sha256 -validity 3650
  • 30. Case 1: 1 - Create a wallet (cont.) Break up Intermediates/root certificate into the constituent components, based on -BEGIN CERTIFICATE- / -END CERTIFICATE- tags, creating one file per each certificate Then, import them into the wallet: We can validate the wallet contains now our certificates: NOTE: if imported into a different server than used to generate the request: PKI-04006: No matching private key in the wallet 30 © 2018 Pythian orapki wallet add -wallet . -trusted_cert -cert mycert1.cer -pwd xxx orapki wallet add -wallet . -trusted_cert -cert mycert2.cer -pwd xxx orapki wallet add -wallet . -trusted_cert -cert mycert3.cer -pwd xxx orapki wallet display -wallet .
  • 31. Case 1: 2 - Configure server • Configure server sqlnet.ora / listener.ora – Add wallet directory to both – Optionally, restrict cipher algorithms and protocol versions, client authentication – Add TCPS listener endpoint NOTE for RAC: - SSL configuration needs to be on SCAN listeners and local listeners - Wallet should be available in all nodes 31 © 2018 Pythian WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet) ) )
  • 32. Case 1: 2 – Add TCPS listener endpoints 32 © 2018 Pythian [oracle@myserver ~]$ crsctl stat res -p |grep ENDPOINTS ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 [oracle@myserver ~]$ srvctl modify listener -p "TCP:1521/TCPS:2484" [oracle@myserver ~]$ srvctl modify scan_listener -p "TCP:1521/TCPS:2484" [oracle@myserver ~]$ crsctl stat res -p |grep -B20 ENDPOINTS | grep -e ENDPOINTS -e "^NAME=" NAME=ora.LISTENER.lsnr ENDPOINTS=TCP:1521 TCPS:2484 NAME=ora.LISTENER_SCAN1.lsnr ENDPOINTS=TCP:1521 TCPS:2484 NAME=ora.LISTENER_SCAN2.lsnr ENDPOINTS=TCP:1521 TCPS:2484 NAME=ora.LISTENER_SCAN3.lsnr ENDPOINTS=TCP:1521 TCPS:2484 NAME=ora.MGMTLSNR ENDPOINTS=TCP:1521
  • 33. Case 1: 3 – Adjust LOCAL_LISTENER • New TCPS listener should be added to the list of listeners in the LOCAL_LISTENER database parameter – Static registration can be used for single instances instead 33 © 2018 Pythian ALTER SYSTEM SET LOCAL_LISTENER='(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)...) (ADDRESS=(PROTOCOL=TCPS)...)))' scope=both;
  • 34. Case 1: Final steps and tests • 4 - Restart listeners Do it by node to minimize downtime (add -n node parameter) Optionally restart database to confirm all changes done to configuration files are good • 5 - Distribute wallet to clients – Clients could use their own certificates to add extra security. Server and Client certificates should be included in each wallet for that (export/import of each certificate) • 6 - Configure wallet directory in client sqlnet.ora / tnsnames.ora tnsnames.ora entry overwrites sqlnet.ora configuration: 34 © 2018 Pythian $ srvctl stop scan_listener ; srvctl start scan_listener ; srvctl status scan_listener $ srvctl stop listener ; srvctl start listener ; srvctl status listener orclSSL = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = orcl-scan)(PORT = 2484)) (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl) ) (SECURITY=(MY_WALLET_DIRECTORY=C:OracleClientwallet)) )
  • 35. Case 1: Extra considerations Wallets for PDBs • Each PDB use its own wallet with its own certificates for TLS authentication • Shared sqlnet.ora, place PDB wallet in a subdirectory of the wallet directory where the name of the subdirectory is the GUID of the PDB that uses the wallet • DBA_PDBS data dictionary view has existing PDBs and their GUIDs – example: $ORACLE_HOME/admin/db_unique_name/wallet/PDB_GUID https://docs.oracle.com/en/database/oracle/oracle-database/18/dbseg/configuring-secure-sockets-layer-authentication.html Configuration using JDBC https://blogs.oracle.com/dev2dev/ssl-connection-to-oracle-db-using-jdbc,-tlsv12,-jks-or-oracle-wallets 35 © 2018 Pythian
  • 36. Case 2: utl_smtp PL/SQL • Requirements: – SSL for utl_smtp available since Oracle 11.2.0.2 – Credentials to authenticate with mail server • Steps: – Get the SSL certificates used by email server – Import those SSL certificates into an Oracle Wallet – Create ACL to allow traffic for the user/port (MOS note 1209644.1) – Call utl_smtp using sample code from MOS note 1323140.1 • Example using Amazon Simple Email Service (SES): https://blog.pythian.com/oracle-and-amazon-simple-email-service/ • Issues when mail server certificates are changed (it will!) 36 © 2018 Pythian
  • 37. Case 2: utl_smtp PL/SQL Get the SSL certificates used by email server 37 © 2018 Pythian openssl s_client -showcerts -connect smtp.gmail.com:993 CONNECTED(00000003) depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign verify return:1 depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3 verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = imap.gmail.com verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3 -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3 i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign -----BEGIN CERTIFICATE-----
  • 38. Case 3: Oracle Enterprise Manager It has • TLS protocol used by its components (OMS, Agent, WLS, OPMN, OHS) • Ciphers used by SSL certificates on those ports • Key strength of those certificates All changes with versions: • 12c: use MOS note 1602983.1 to enable usage of TLSv1.0 Protocol • 13.1: EM Oracle Management Service is configured to use TLS v1.0, v1.1 and v1.2 protocols out-of-the-box – It can be changed to restrict OMS to use specific protocols like TLS v1.1 or TLS v1.2. Details in MOS note 2212006.1 • 13.2: TLS v1.2 is default • 13.3: OMS has java version 1.7.0_171 out-of-the-box 38 © 2018 Pythian
  • 39. Case 3: OEM fun – possible changes OEM 12c: uses 10.3.6 WLS. Demo cert. has 512 bit keystrength signed with MD5withRSA OEM 13c: uses 12.1.3 WLS. Demo cert. has 2048 bit keystrength signed with SHA256withRSA We can make changes following steps from below notes: • How to Check and Increase the Key Strength of Certificates Used in Enterprise Manager Grid Control (Doc ID 1476567.1) - EM 12c: How to Disable Weak SSLCipherSuites Used by Enterprise Manager 12c Cloud Control (Doc ID 1477287.1) - New SSL Protocol and Cipher Options for Oracle Fusion Middleware's OPMN/ONS Component (Doc ID 1905314.1) - Regenerating OEM 12c SSL certificates with Higher Keystrength and Signature Algorithm (Doc ID 1611578.1) - WebLogic Server - Migrating a 1024-bit key certficate (CSR) to a 2048-bit key (Doc ID 949316.1) - EM 13c, 12c: How to Configure Enterprise Manager's Weblogic Server (WLS) for Secure Socket Layer Certificates (Doc ID 2220788.1) 39 © 2018 Pythian
  • 40. Today’s topics • Security basis • Use cases in the Oracle Database 1. SSL for database connections 2. Email from PL/SQL 3. Oracle Enterprise Manager • Management • Troubleshooting 40 © 2018 Pythian
  • 41. Management • Certificates – Create, sign and distribute – Renew (before expiration date) – Re-generate with different cipher suite (e.g.: SHA2) – Wallets: create, import certificates, distribute to clients • SQL*Net configuration – Change cipher suites (SHA1, SHA2, etc.) – Restrict protocol versions to use • Oracle homes – Patch server/clients to incorporate newer protocol versions and cipher algorithms 41 © 2018 Pythian
  • 42. Enforcing particular protocols/ciphers Why? • To comply with security policies • If using older Database versions that have weak protocols enabled Example: Enforcing TLS 1.2 (disabling 1.0/1.1) 1) sqlnet.ora (GI and DB home) 42 © 2018 Pythian SSL_VERSION=1.2 SSL_CIPHER_SUITES = ((SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_EC DSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_ECDSA_WI TH_AES_256_GCM_SHA384,SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384))
  • 43. Enforcing particular protocols/ciphers (cont.) 2) Restart listeners (SCAN too if using RAC) 43 © 2018 Pythian $ lsnrctl stop listener ; lsnrctl start listener ; lsnrctl status ... Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=172.15.232.29)(PORT=2484))) Services Summary... 3) Test connectivity Easy way is to configure a client enforcing one of the non-accepted protocols or ciphers, or using a certificate with a non accepted signing algorithm. $ sqlplus test/test@ORCLCSSL ... SQL> select sys_context('userenv','network_protocol') from dual; SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') -------------------------------------------------------------------------------- tcps
  • 44. Troubleshooting - Steps 1) Use tnsping to test the connection to the database TNS entry over TCPS 2) Verify the listener.ora and sqlnet.ora files on the database server 3) Verify the permissions of the wallet files 4) Check the SSL_VERSION is supported by Oracle binaries 5) Enable sqlnet tracing for the listener and sqlplus connections 6) Capture traffic with tcpdump and check handshake 7) Is using utl_http service, get a trace for the event 10937 8) Verify patches installed (look for latest MES in PSU since July 2018) 44 © 2018 Pythian
  • 45. Confirm protocols accepted So far we have enabled SSL in the listener to use all available TLS protocols and signing algorithms for our installed version. To check that: 45 © 2018 Pythian [oracle@myhost ~]$ openssl s_client -host server-vip -port 2484 CONNECTED(00000003) depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root … SSL handshake has read 5942 bytes and written 573 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: … --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024 bit … SSL-Session: Protocol : TLSv1 Cipher : RC4-SHA
  • 46. Confirm protocols accepted 46 © 2018 Pythian We can inspect the traffic: - Enabling SQL*Net trace – no details about protocol used in handsake - Use tcpdump and wireshark to confirm protocols and ciphers [root@myserver ~]# tcpdump -nnvvXSs0 -i eth1 host myhost.mydomain -w /tmp/tcpdump.out tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes Perform activity from client and stop capture: SQL> select * from dual; [root@myserver ~]# ^C 926 packets captured 926 packets received by filter 0 packets dropped by kernel Open the generated file using wireshark. - Mark the port used for SSL (Analyze -> Decode As -> Transport)
  • 48. SSL Troubleshooting Guide (Doc ID 166492.1) • ORA-12560: TNS:protocol adapter error • ORA-28862: SSL connection failed – 28759, 00000, "Failed to open file" – 28859, 00000, "SSL negotiation failure" – ntzCreateConnection: failed with error 549 • ORA-29024:Certificate Validation Failure • ORA-29143: Message 29143 not found • ORA-29106: Can not import PKCS # 12 wallet • ORA-28860: Fatal SSL error • ORA-29263: HTTP protocol error • ORA-28868: certificate chain check failed • ORA-28750: unknown error 48 © 2018 Pythian • ORA-28865: SSL connection closed • ORA-01004: Default username feature not supported; log denied • ORA-28864: SSL connection closed gracefully • ORA-01017: invalid username/password; logon denied • alert.log: "SSL Client: Server DN doesn't contain expected SID name" • ORA-29113: Cannot access attributes from a PKCS #12 key bag. • ORA-29002: SSL transport detected invalid or obsolete server certificate • ORA-29003: SSL transport detected mismatched server certificate • ORA-28857: Unknown SSL Error
  • 49. Common errors found • PKI-04006: No matching private key in the wallet – Caused when imported certs into a server that did not generated the request – Repeat the same procedure in the server that generated the request worked without errors • ORA-29024: Certificate validation failure – Expired certificate – Wallet not in the path (sqlnet.ora, listener.ora), privileges • ORA-28864: ssl connection closed gracefully – Client installation, firewall • ORA-28865: SSL connection closed – No matching protocol or cipher suite on server/client configuration 49 © 2018 Pythian
  • 51. References - documentation • Oracle Database Security Guide 18c – Configuring SSL authentication https://docs.oracle.com/en/database/oracle/oracle-database/18/dbseg/configuring-secure-sockets-layer- authentication.html#GUID-6AD89576-526F-4D6B-A539-ADF4B840819F • Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1) • TLS 1.2 in Oracle Database and MES415 (Doc ID 2274242.1) • How To Investigate And Troubleshoot SSL/TLS Issues on the Database And Client SQL*Net Layer (Doc ID 2238096.1) 51 © 2018 Pythian