Tuesday, May 23, 2023

Oracle Database configure TCP/IP with SSL and TLS for Database Connections

11:44 AM Posted by Dilli Raj Maharjan , No comments

    Encryption is the method to convert information into secret codes to protect from the bad guys. The real meaning of the information is hidden and the process of encrypting and decrypting data is called cryptography. The formulas used for cryptography are called encryption algorithms, or ciphers.

    Oracle supports two network encryption: Oracle Native Network Encryption and TCP/IP with SSL and TLS.

    Oracle native network encryption is very simple and needs to change a parameter in sqlnet.ora to enable encryption.  All you need is to configure the server to use network encryption. The advantage of native network encryption over TLS/SSL is easy configuration. However, the downside of this method is that to a certain extent, a man-in-the-middle attack is still possible. If an attacker can get into the network and redirect clients to use a malicious database, clients will not be knowing about this although all the communications will be encrypted.

    In a nutshell, if you want easy configuration, oracle Native network encryption works for you. For maximum security, use TLS/SSL. The only downside of the TLS/SSL is harder to set up and maintain.

Here are the step-by-step guide to setup and maintaining TLS/SSL.

Server hostname: ora19c
Client hostname: oraclient

1. Execute the commands below in the server.

a. Create a directory in the client and server to store the wallet. In my case, I am planning to use /u01/app/oracle/wallet as my wallet directory in both the Oracle database client and the server.
mkdir -p /u01/app/oracle/wallet

b. Create auto login local wallet with the command below. 
orapki wallet create -wallet "/u01/app/oracle/wallet" -pwd myWallet_321 -auto_login_local

c. Create a self-signed certificate with 10 years of validity and load it into the recently created wallet.
orapki wallet add -wallet "/u01/app/oracle/wallet" -pwd myWallet_321 \
  -dn "CN=$(hostname)" -keysize 1024 -self_signed -validity 3650

d. Check wallet contents. You will notice one user certificate and one trusted certificate with CN exactly the same as the server hostname.
orapki wallet display -wallet "/u01/app/oracle/wallet" -pwd myWallet_321

e. Export wallet so that it can be loaded to the client end. Ship the server-$(hostname)-certificate.txt file once the export is completed. 
orapki wallet export -wallet "/u01/app/oracle/wallet" -pwd myWallet_321 \
   -dn "CN=$(hostname)" -cert /tmp/server-$(hostname)-certificate.crt

f. Validate the content of the server-certificate.crt file. The file should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. The output will be something similar to the screenshot below.
cat /tmp/server-$(hostname)-certificate.crt

2. Execute the command below at the client end.

a. Create a directory to store the wallet.
mkdir -p /u01/app/oracle/wallet

b. Create auto login local wallet with the command below. 
orapki wallet create -wallet "/u01/app/oracle/wallet" -pwd myWallet_321 -auto_login_local

c. Create a self-signed certificate with 10 years of validity and load it into the recently created wallet.
orapki wallet add -wallet "/u01/app/oracle/wallet" -pwd myWallet_321 \
-dn "CN=$(hostname)" -keysize 1024 -self_signed -validity 3650

d. Display the contents of the wallet.
orapki wallet display -wallet "/u01/app/oracle/wallet" -pwd myWallet_321

e. Export the wallet so that it can be added to the server as a trusted certificate.
orapki wallet export -wallet "/u01/app/oracle/wallet" -pwd myWallet_321 \
-dn "CN=$(hostname)" -cert /tmp/client-$(hostname)-certificate.crt

f. Check exported file contents.
cat /tmp/client-$(hostname)-certificate.crt

3. Ship server-$(hostname)-certificate.crt to the client host and client-$(hostname)-certificate.crt to the server host. In my case /mnt is the shared directory between both the hosts.

cp /tmp/client-oraclient-certificate.crt /mnt/certs/
cp /tmp/server-ora19c-certificate.crt /mnt/certs/

4. Add client certificate to server wallet as trusted cert in the server host.
orapki wallet add -wallet "/u01/app/oracle/wallet" -pwd myWallet_321 \
-trusted_cert -cert /mnt/certs/client-oraclient-certificate.crt

# Before Adding the trusted cert

# Adding the trusted cert

# After adding the trusted cert.


5. Add server certificate to client wallet as a trusted cert
orapki wallet add -wallet "/u01/app/oracle/wallet" -pwd myWallet_321 \
-trusted_cert -cert /mnt/certs/server-ora19c-certificate.crt

# Before adding the server trusted cert.

# Adding the server trusted cert.

# After adding the server trusted cert.

6. Server sqlnet.ora configuration.
WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u01/app/oracle/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)


7. Client sqlnet.ora configuration.
WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u01/app/oracle/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)


8. Server-side Listener configuration
SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ora19c)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = ora19c)(PORT = 2484))
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle

# Existing listener status

Bounce listener to reflect the change on listener configuration file: listener.ora
lsnrctl stop
lsnrctl start



Validate listener configuration
lsnrctl status


9. Add the following tnsnames in the tnsnames.ora file of client tnsnames configuration
orclpdb1=
  (DESCRIPTION=
    (ADDRESS=
      (PROTOCOL=TCP)
      (HOST=ora19c)
      (PORT=1521)
    )
    (CONNECT_DATA=
      (SERVER=dedicated)
      (SERVICE_NAME=orclpdb1)
    )
  )


orclpdb1_ssl=
  (DESCRIPTION=
    (ADDRESS=
      (PROTOCOL=TCPS)
      (HOST=ora19c)
      (PORT=2484)
    )
    (CONNECT_DATA=
      (SERVER=dedicated)
      (SERVICE_NAME=orclpdb1)
    )
  )

10. Testing connection.

# Tnsping output

Using TCP connection. The network protocol used will be TCP while executing the select statement.
sqlplus test/test123@orclpdb1
set sqlp "_user @ _connect_identifier >"
SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') as network_protocol FROM dual;


Using TCPS connection. The network protocol used will be TCPS while executing the select statement.
sqlplus test/test123@orclpdb1_ssl
set sqlp "_user @ _connect_identifier >"
SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') as network_protocol FROM dual;


0 comments:

Post a Comment