
By Geetanjali Mehra

About Me

• Over 7 years of IT Industry Experience
• Currently working with Paytm as Senior Database Administrator
• 9i/10g/11g Oracle Certified Administrator Professional
• Oracle 11g Security Certified Implementation Specialist
• Blog: http://oracle.linuxmantra.com
• @geetanjalidba
• E-mail: mailtogeetanjali@gmail.com
Agenda

• What is SSL/TLS and its importance
• What do you require to integrate SSL with Oracle Database 11g
• Steps to configure SSL with Oracle Database 11g
• Using SSL in Oracle
What is SSL?

• SSL/TLS is a protocol used for securing network connections.
• It uses PKI to provide authentication, encryption, and data integrity.
SSL Handshake

• The server sends its certificate to the client. This step verifies the identity of the server.
• The client generates a session key and sends it to the server using public key cryptography.
• All subsequent communication between the client and the server is encrypted and decrypted using this session key.
Why to integrate Oracle with SSL

• Only the server authenticates itself to the client
• Both client and server authenticate themselves to each other
• Neither the client nor the server authenticates itself to the other, thus using the SSL encryption feature by itself
What is required?
• Oracle Advanced Security on the client.
• Oracle Advanced Security on the Server.
• To configure SSL, use Oracle Network Manager
Steps to configure SSL

1. Configure SSL on the server.
2. Configure SSL on the client.
3. Use SSL.
Step 1: Configure SSL on the Server

• Wallet creation on the server.
• Create certificate request.
• Send certificate request to the CA.
• Import certificate to the wallet.
• Use netmgr to specify the location of the wallet and configure SSL.
• Configure various network-related files.
Step 2: Configure SSL on the Client

• Wallet creation on the client.
• Create certificate request.
• Send certificate request to the CA.
• Import certificate to the wallet.
• Use netmgr to specify the location of the wallet and configure SSL.
• Configure various network-related files.
Step 3: Using SSL

1. Create the user to be authenticated using the SSL certificate.
2. Log on to the database as the newly created user.
Demonstration
• The same machine will be used for both client and server.
• Database name: db1.oracle.local, running on RHEL 5.4.
• Machine name: host1.oracle.local.
• Database version: 11.2.0.1.0.
• Tools used: orapki
• Client-side configuration files: $ORACLE_HOME/network/user
• Server-side configuration files: $ORACLE_HOME/network/admin

Demonstration
• Create the necessary directories:
for any wallet:
mkdir $ORACLE_HOME/owm/wallets
for the wallet with the self-signed root certificate:
mkdir $ORACLE_HOME/owm/wallets/root
for the database wallet:
mkdir $ORACLE_HOME/owm/wallets/db
for the user wallet:
mkdir $ORACLE_HOME/owm/wallets/user
Demonstration
• Create a wallet that will contain a self-signed root certificate, used to sign the database and user certificates

$ orapki wallet create -wallet $ORACLE_HOME/owm/wallets/root
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter password:

Add self-signed certificate
orapki wallet add -wallet $ORACLE_HOME/owm/wallets/root -dn 'CN=root' -keysize 2048 -self_signed -validity 365
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Export root certificate
orapki wallet export -wallet $ORACLE_HOME/owm/wallets/root -dn 'CN=root' -cert $ORACLE_HOME/owm/wallets/root/root.cer
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:


Demonstration
• Create database wallet

Create auto-login (and password) database wallet


orapki wallet create -wallet $ORACLE_HOME/owm/wallets/db -auto_login
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter password:
Import root certificate into database wallet
orapki wallet add -wallet $ORACLE_HOME/owm/wallets/db -trusted_cert -cert $ORACLE_HOME/owm/wallets/root/root.cer -pwd Welcome1
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Create certificate request for database
orapki wallet add -wallet $ORACLE_HOME/owm/wallets/db -dn 'CN=orcl,DC=oracle,DC=local' -keysize 1024 -pwd Welcome1
Demonstration
Create database wallet continued:
Export certificate request for signing
orapki wallet export -wallet $ORACLE_HOME/owm/wallets/db -dn 'CN=orcl,DC=oracle,DC=local' -request $ORACLE_HOME/owm/wallets/db/dbcert.req
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Sign request with root private key
orapki cert create -wallet $ORACLE_HOME/owm/wallets/root -request $ORACLE_HOME/owm/wallets/db/dbcert.req -cert $ORACLE_HOME/owm/wallets/db/dbcert.cer -validity 365
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:


• cat $ORACLE_HOME/owm/wallets/db/dbcert.cer
cat $ORACLE_HOME/owm/wallets/db/dbcert.req
Demonstration

Create database wallet continued:

• Import database certificate into database wallet
orapki wallet add -wallet $ORACLE_HOME/owm/wallets/db -user_cert -cert $ORACLE_HOME/owm/wallets/db/dbcert.cer -pwd Welcome1
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
• Create user wallet (repeat for each user)
Create auto-login (and password) user wallet
orapki wallet create -wallet $ORACLE_HOME/owm/wallets/user -auto_login
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter password:

Import root certificate into user wallet
orapki wallet add -wallet $ORACLE_HOME/owm/wallets/user -trusted_cert -cert $ORACLE_HOME/owm/wallets/root/root.cer -pwd Welcome1
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Create certificate request for user
orapki wallet add -wallet $ORACLE_HOME/owm/wallets/user -dn 'CN=ssluser,DC=oracle,DC=local' -keysize 1024 -pwd Welcome1
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Demonstration
Export certificate request for signing
orapki wallet export -wallet $ORACLE_HOME/owm/wallets/user -dn 'CN=ssluser,DC=oracle,DC=local' -request $ORACLE_HOME/owm/wallets/user/usercert.req
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Sign request with root private key
orapki cert create -wallet $ORACLE_HOME/owm/wallets/root -request $ORACLE_HOME/owm/wallets/user/usercert.req -cert $ORACLE_HOME/owm/wallets/user/usercert.cer -validity 365
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Import user certificate into user wallet
orapki wallet add -wallet $ORACLE_HOME/owm/wallets/user -user_cert -cert $ORACLE_HOME/owm/wallets/user/usercert.cer -pwd Welcome1
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Demonstration

• Configure netmgr for server side


Demonstration

• Sqlnet.ora file:
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/11.2.0/db_1/owm/wallets/db)
    )
  )
ADR_BASE = /u01/app/oracle

• Listener.ora:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = ORCL.ORACLE.LOCAL)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1)
      (SID_NAME = orcl)
    )
  )
SSL_CLIENT_AUTHENTICATION = true
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/11.2.0/db_1/owm/wallets/db)
    )
  )
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = host1.oracle.local)(PORT = 2484))
  )
ADR_BASE_LISTENER = /u01/app/oracle
• Configure netmgr for client side

• Sqlnet.ora:
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_SERVER_DN_MATCH = YES
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/11.2.0/db_1/owm/wallets/user)
    )
  )
ADR_BASE = /u01/app/oracle

• Tnsnames.ora:
ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = host1.oracle.local)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = ORCL.oracle.local)
    )
  )

• Restart the listener
$ lsnrctl stop
$ lsnrctl start
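As an added example (not part of the slides), a small Python audit that parses the Oracle Net syntax shared by sqlnet.ora, listener.ora and tnsnames.ora above and flags settings a reviewer would question: an address that is not TCPS (a plaintext fallback), SSL_VERSION = 3.0 (SSLv3, since deprecated), client certificate authentication switched off, and a client sqlnet.ora that does not verify the server DN. The embedded tnsnames.ora is constructed: the slides' TCPS address plus a TCP fallback address, so that the audit has something to report.

```python
# Added example (not from the slides): parse Oracle Net files and flag weak SSL settings.
import re
_TOKEN = re.compile(r"\s*(\(|\)|=|[^\s()=]+)")        # "(", ")", "=" or a bare word

def parse_net(text):
    """'KEY = value' / 'KEY = (KEY = ...)(KEY = ...)' -> nested dicts; a key
    repeated at one level (e.g. several ADDRESS entries) becomes a list."""
    toks, pos = _TOKEN.findall(re.sub(r"#.*", "", text)), 0
    def pairs(nested):                  # nested items are each wrapped in ( )
        nonlocal pos
        node = {}
        while pos < len(toks) and (toks[pos] == "(" or not nested):
            pos += nested                               # skip "(" (bool adds 1)
            key, pos = toks[pos].upper(), pos + 2       # skip key and "="
            if toks[pos] == "(":
                val = pairs(True)
            else:
                val, pos = toks[pos], pos + 1
            if nested:
                if toks[pos] != ")":
                    raise ValueError("unbalanced parentheses near " + key)
                pos += 1                                # skip ")"
            node[key] = (val if key not in node else
                         [*node[key], val] if isinstance(node[key], list) else [node[key], val])
        return node
    return pairs(False)

def find_all(node, key):
    """Yield every value stored under `key` anywhere in a parsed tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from ([v] if k == key else find_all(v, key))
    elif isinstance(node, list):
        for item in node:
            yield from find_all(item, key)

def audit(name, text, client=False):
    """Findings for one Oracle Net file; pass client=True for a client sqlnet.ora."""
    cfg = parse_net(text)
    get = lambda k, default="": str(cfg.get(k, default)).upper()
    checks = [
        (get("SSL_VERSION") == "3.0", "SSL_VERSION=3.0 selects SSLv3 (deprecated, RFC 7568)"),
        (get("SSL_CLIENT_AUTHENTICATION", "TRUE") != "TRUE", "client certificate authentication is off"),
        (client and get("SSL_SERVER_DN_MATCH", "NO") != "YES", "server DN is not verified"),
    ] + [(str(p).upper() != "TCPS", f"address uses PROTOCOL={p}, not TCPS")
         for p in find_all(cfg, "PROTOCOL")]
    return [f"{name}: {msg}" for bad, msg in checks if bad]
# Constructed tnsnames.ora: the slides' TCPS address plus a plaintext TCP fallback.
TNSNAMES = """ORCL = (DESCRIPTION = (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = host1.oracle.local)(PORT = 2484))
  (ADDRESS = (PROTOCOL = TCP)(HOST = host1.oracle.local)(PORT = 1521)))
  (CONNECT_DATA = (SERVICE_NAME = ORCL.oracle.local)))"""
```

Running `audit("tnsnames.ora", TNSNAMES)` reports the TCP address; the same call on the slides' files, with `client=True` for the client sqlnet.ora, reports only the SSL_VERSION setting.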

• Create a database user


SQL> create user ssluser identified externally as 'cn=ssluser,dc=oracle,dc=local';

SQL> grant create session to ssluser;


• Logon into database

$sqlplus /@orcl
SQL*Plus: Release 11.2.0.1.0 Production on Tue Apr 23 23:14:15 2013
Copyright (c) 1982, 2009, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 – Production
With the Partitioning, OLAP, Data Mining and Real Application Testing
options
Questions?

Thanks for listening