Scribd Logo
Загрузить

Добро пожаловать в Scribd!

  • TLS SSL Configuration in Oracle

    Загружено:

    Kumar Gummula
    138 просмотров31 страница
    TLS_SSL_Configuration_in_Oracle

    Авторское право

    © © All Rights Reserved

    Доступные форматы

    PDF, TXT или читайте онлайн в Scribd

    Этот документ был вам полезен?

    Это неприемлемый материал?

    Пожаловаться на этот документ
    TLS_SSL_Configuration_in_Oracle

    Авторское право:

    © All Rights Reserved
    Скачайте в формате PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    138 просмотров31 страница

    TLS SSL Configuration in Oracle

    Загружено:

    Kumar Gummula
    TLS_SSL_Configuration_in_Oracle

    Авторское право:

    © All Rights Reserved
    Скачайте в формате PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    из 31

    By Geetanjali Mehra

    About Me

    • Over 7 years of IT Industry Experience


    • Currently working with Paytm as Senior
    Database Administrator
    • 9i/10g/11g Oracle Certified Administrator
    Professional
    • Oracle 11g Security Certified Implementation
    Specialist
    • Blog: http://oracle.linuxmantra.com
    • @geetanjalidba
    • E-mail: mailtogeetanjali@gmail.com
    Agenda

    • What is SSL/TLS and its importance


    • What do you require to integrate SSL with
    Oracle Database 11g
    • Steps to configure SSL with Oracle Database
    11g
    • Using SSL in Oracle
    What is SSL?

    • SSL/TLS , a protocol , used for securing network


    connections.
    • Uses PKI to provide authentication, encryption,
    and data integrity.
    SSL Handshake

    • The server sends its certificate to the client.


    This step verifies the identity of the server.
    • The client generates a session key and sends
    this key to the second party using public key
    cryptography
    • All subsequent communications between the
    client and the server is encrypted and
    decrypted by using this session key.
    Why to integrate Oracle with SSL

    • Only the server authenticates itself to the


    client
    • Both client and server authenticate themselves
    to each other
    • Neither the client nor the server authenticates
    itself to the other, thus using the SSL
    encryption feature by itself
    What is required?
    • Oracle Advanced Security on the client.
    • Oracle Advanced Security on the Server.
    • To configure SSL, use Oracle Network Manager
    Steps to configure SSL

    1. Configure SSL on the Server.


    2. Configure SSL on the client.
    3. Using SSL
    Step 1: Configure SSL on the Server

    • Wallet creation on the server.


    • Create certificate request
    • Send certificate request to the CA
    • Import certificate to the wallet.
    • Use netmgr to specify the location of wallet
    and configuring SSL.
    • Configure various network-related files.
    Step 2: Configure SSL on the Client

    • Wallet creation on the client


    • Create certificate request
    • Send certificate request to the CA.
    • Import certificate to the wallet.
    • Use netmgr to specify the location of wallet
    and configuring SSL.
    • Configure various network-related files.
    Step 3: Using SSL

    1. Creation of user to be authenticated using SSL


    certificate
    2. Logon to the database using newly created
    user.
    Demonstration
    • Same machine will be used for client as well as for server.

    • Database name is db1.oracle.local running on RHEL 5.4.

    • Machine name is host1.oracle.local.

    • Database version 11.2.0.1.0.

    • Tools used: orapki

    • client side configuration files : $ORACLE_HOME/network/user

    • server side configuration files: $ORACLE_HOME/network/admin


    Demonstration
    • Create necessary directories:
    for any wallet
    mkdir $ORACLE_HOME/owm/wallets
    for wallet with self-signed root certificate
    mkdir $ORACLE_HOME/owm/wallets/root

    for database wallet


    mkdir $ORACLE_HOME/owm/wallets/db
    for user wallet
    mkdir $ORACLE_HOME/owm/wallets/user
    Demonstration
    • Create wallet that will contain a root certificate (self-signed ) to sign database and users certificates

    $ orapki wallet create -wallet $ORACLE_HOME/owm/wallets/root


    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

    Enter password:
    Add self-signed certificate
    orapki wallet add -wallet $ORACLE_HOME/owm/wallets/root -dn 'CN=root' -keysize 2048 -self_signed -
    validity 365
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

    Enter wallet password:


    Export root certificate
    orapki wallet export -wallet $ORACLE_HOME/owm/wallets/root -dn 'CN=root' -cert
    $ORACLE_HOME/owm/wallets/root/root.cer
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

    Enter wallet password:


    Demonstration
    • Create database wallet

    Create auto-login (and password) database wallet


    orapki wallet create -wallet $ORACLE_HOME/owm/wallets/db -auto_login
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

    Enter password:
    Import root certificate into database wallet
    orapki wallet add -wallet $ORACLE_HOME/owm/wallets/db -trusted_cert -cert
    $ORACLE_HOME/owm/wallets/root/root.cer -pwd Welcome1
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

    Create certificate request for database


    orapki wallet add -wallet $ORACLE_HOME/owm/wallets/db -dn
    'CN=orcl,DC=oracle,DC=local' -keysize 1024 -pwd Welcome1
    Demonstration
    Create database wallet continued:
    Export certificate request for signing
    orapki wallet export -wallet $ORACLE_HOME/owm/wallets/db -dn
    'CN=orcl,DC=oracle,DC=local' -request $ORACLE_HOME/owm/wallets/db/dbcert.req
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved

    Sign request with root private key


    orapki cert create -wallet $ORACLE_HOME/owm/wallets/root -request
    $ORACLE_HOME/owm/wallets/db/dbcert.req -cert
    $ORACLE_HOME/owm/wallets/db/dbcert.cer -validity 365
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

    Enter wallet password:


    • cat $ORACLE_HOME/owm/wallets/db/dbcert.cer
    -----BEGIN CERTIFICATE-----
    MIICPDCCASQCAQAwDQYJKoZIhvcNAQEEBQAwDzENMAsGA1UEAxMEcm9vdDAeFw0xNTAyMTIwNjQy
    NDZaFw0xNjAyMTIwNjQyNDZaMD0xFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEWMBQGCgmSJomT8ixk
    ARkWBm9yYWNsZTEMMAoGA1UEAxMDZGIxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCo1jwB
    lBPHsdSXFJPeUEzpyiPXPlA+OUwA3nS3HzFrx/Iu0c8ZYXmAymfZlxtTAmsfRmWqlqHEZfqO16GY
    rpFEnr8C5hAI++CjHmxS1d1JWB0OiWzKKCEt0jvT/XAL8+wgwX/SS9ysa9cxy8wpV/U8xLZpVSII
    XwydCY3qvZeVawIDAQABMA0GCSqGSIb3DQEBBAUAA4IBAQBSceM9GbjElG/BCencL2s4dNtwZh/n
    6XizvrOpCtTmMhr44Tx51Qc10DXeQcWysMXWvtB2EsCBQjbG/lPLLthr0IpwGRRRUtrKcMUd38yI
    5Ns41EjAmXmPhXA0eXKT9Ykw4jgydOg8HVHR55PWZh8sPSMHGWbUQzpgQkYC3895A9ksn3jCD6Jt
    qv5+LdzUTMHdhzZ0jzvPklz83lNlggXQEKQ3+1V5ePuBihpeJhLV7rQF3MMdj4nP/M1Jx1hOENFn
    lkpAgszbLZmWTZptnSZ8DhOV+OfOmqCXtqH1iL4awAjf6FysjXr0zTdp7UBC18fWPoHtjxCX/YPQ
    erbtWEhG

    -----END CERTIFICATE-
    cat $ORACLE_HOME/owm/wallets/db/dbcert.req
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBfDCB5gIBADA9MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZvcmFj
    bGUxDDAKBgNVBAMTA2RiMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqNY8AZQTx7HUlxST
    3lBM6coj1z5QPjlMAN50tx8xa8fyLtHPGWF5gMpn2ZcbUwJrH0ZlqpahxGX6jtehmK6RRJ6/AuYQ
    CPvgox5sUtXdSVgdDolsyighLdI70/1wC/PsIMF/0kvcrGvXMcvMKVf1PMS2aVUiCF8MnQmN6r2X
    lWsCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBACnIa6jIYfO3QLDBAGTJzKAxiNp8PUS/LgznDqq1
    ceJ3tYKszHJoouKaY2cz8fOT8opizYk4yTtxVkg3mPS0L5SwwXUQIarnELDBjku1m68wg7VJBAuy
    I6UZkezbU0Hvhqm93YFXrcQS/VJnt+tZILzFyX9BMU2IhGxSfWlVaEek
    -----END NEW CERTIFICATE REQUEST-----
    Demonstration

    Create database wallet continued:

    • Import database certificate into database wallet


    orapki wallet add -wallet
    $ORACLE_HOME/owm/wallets/db -user_cert -cert
    $ORACLE_HOME/owm/wallets/db/dbcert.cer -pwd
    Welcome1
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates.
    All rights reserved.
    • Create user wallet (have to do for each user)
    Create auto-login (and password) user wallet
    orapki wallet create -wallet $ORACLE_HOME/owm/wallets/user -auto_login
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

    Enter password:

    Import root certificate into user wallet


    orapki wallet add -wallet $ORACLE_HOME/owm/wallets/user -trusted_cert -cert
    $ORACLE_HOME/owm/wallets/root/root.cer -pwd Welcome1
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

    Create certificate request for user


    orapki wallet add -wallet $ORACLE_HOME/owm/wallets/user -dn
    'CN=ssluser,DC=oracle,DC=local' -keysize 1024 -pwd Welcome1
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
    Demonstration
    Export certificate request for signing
    orapki wallet export -wallet $ORACLE_HOME/owm/wallets/user -dn
    'CN=ssluser,DC=oracle,DC=local' -request
    $ORACLE_HOME/owm/wallets/user/usercert.req
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
    Sign request with root private key
    orapki cert create -wallet $ORACLE_HOME/owm/wallets/root -request
    $ORACLE_HOME/owm/wallets/user/usercert.req -cert
    $ORACLE_HOME/owm/wallets/user/usercert.cer -validity 365
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

    Enter wallet password:


    Import user certificate into user wallet
    orapki wallet add -wallet $ORACLE_HOME/owm/wallets/user -user_cert -cert
    $ORACLE_HOME/owm/wallets/user/usercert.cer -pwd Welcome1
    Oracle PKI Tool : Version 11.2.0.1.0 - Production
    Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved
    Demonstration

    • Configure netmgr for server side


    Demonstration

    • Sqlnet.ora file:
    SSL_VERSION = 3.0
    SSL_CLIENT_AUTHENTICATION = TRUE
    WALLET_LOCATION =
    (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
    (DIRECTORY =
    /u01/app/oracle/product/11.2.0/db_1/owm/wallets/db)
    )
    )
    ADR_BASE = /u01/app/oracle
    • Listener.ora
    SID_LIST_LISTENER =
    (SID_LIST =
    (SID_DESC =
    (GLOBAL_DBNAME = ORCL.ORACLE.LOCAL)
    (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1)
    (SID_NAME = orcl)
    )
    )
    SSL_CLIENT_AUTHENTICATION = true
    WALLET_LOCATION =
    (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
    (DIRECTORY = /u01/app/oracle/product/11.2.0/db_1/owm/wallets/db)
    )
    )
    LISTENER =
    (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = host1.oracle.local)(PORT = 2484))
    )
    ADR_BASE_LISTENER = /u01/app/oracle
    • Configure netmgr for client side
    • Sqlnet.ora

    SSL_VERSION = 3.0
    SSL_CLIENT_AUTHENTICATION =TRUE
    SSL_SERVER_DN_MATCH = YES
    WALLET_LOCATION =
    (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
    (DIRECTORY =
    /u01/app/oracle/product/11.2.0/db_1/owm/wallets/user)
    )
    )
    ADR_BASE = /u01/app/oracle
    • Tnsnames.ora
    ORCL =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCPS)(HOST =
    host1.oracle.local)(PORT = 2484))
    )
    (CONNECT_DATA =
    (SERVICE_NAME = ORCL.oracle.local)
    )
    )
    • Restart the listener
    $lsnrctl stop
    $lsnrctl start

    • Create a database user


    SQL>create user ssluser identified externally as
    ‘cn=ssluser,dc=oracle,dc=local’;

    SQL> grant create session to ssluser;


    • Logon into database

    $sqlplus /@orcl
    SQL*Plus: Release 11.2.0.1.0 Production on Tue Apr 23 23:14:15 2013
    Copyright (c) 1982, 2009, Oracle. All rights reserved.
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 – Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing
    options
    Questions?

    Thanks for listening

    Вам также может понравиться