Thursday, November 7, 2024

One-way TLS ODB Client/Server With CA-signed Certificates In OS Truststore

In recent months, I've helped many customers understand there options for centralizing Oracle Database authentication.  One of those options requires Transport Layer Security (TLS) connection between the database client and database server in order to securely pass an access token to the database server.  When customers want to evaluate this solution, one of their challenges is how to setup TLS between the database and server for a proof of concept or internal validation.  There are three approaches that customers can take for setting up TLS between client and server:

1. Self-signed private certs with wallets - For demonstrations and proofs of concept
2. Self-signed private certs with host trust store - Next step toward production
3. Publicly signed certs - For production

The focus of this blog post is on the third of the three.

Here's the streamlined workflow that I use for setting up one-way TLS between Oracle Database client and server where the client wallet is distributed to Oracle Database clients. This comes from the Oracle Database security guide at https://docs.oracle.com/en/database/oracle/oracle-database/23/dbseg/configuring-transport-layer-security-encryption.html#GUID-03F216A2-76E0-47C9-9751-6F2D39BD75A1

As a side note, if you are not familiar with the WALLET_ROOT database parameter, please familiarize yourself with it at https://docs.oracle.com/en/database/oracle/oracle-database/23/refrn/WALLET_ROOT.html because it plays a large role in several security configuration options of the Oracle database including configuring TLS.

When specifying the SSL_CIPHER_SUITES in the database listener.ora and client tnsnames.ora, you will want to select the strongest cipher suites from the desired SSL_Version (1.3 or 1.2) that you want to support that all of the database clients support.  In this example, we will use version 1.2 and cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

The full list of supported SSL_VERSION and SSL_CIPHER_SUITES values per database version are available here:



Step 1: Generate, sign and load database server certificate by public certificate authority

1.1 Setup the database server environment variables and make wallet directory

ssh opc@hrdb.example.com
export ORACLE_BASE="/u01/app/oracle/19c"
export ORACLE_HOME="$ORACLE_BASE/dbhome_1"
export WALLET_ROOT="$ORACLE_BASE/wallet_root"
PATH=$ORACLE_HOME/bin:$PATH
mkdir -p $WALLET_ROOT/tls

1.2 Create autologin wallet 

orapki wallet create -wallet $WALLET_ROOT/tls -pwd Oracle123 -auto_login


1.3 Download and load the trusted root certificate chain (sf_bundle-g2-g1.crt) from the certificate authority and load into the wallet 

orapki wallet add -wallet $WALLET_ROOT/tls -pwd Oracle123 -trusted_cert -cert $WALLET_ROOT/sf_bundle-g2-g1.crt


1.4 Create a private key for the database server using the fully qualified hostname for the distinguished name (DN). 

orapki wallet add -wallet $WALLET_ROOT/tls -pwd Oracle123 -keysize 2048 -dn CN=hrdb.example.com


1.5 Export a certificate request to be signed by the certificate authority 

orapki wallet export -wallet $WALLET_ROOT/tls -pwd Oracle123 -dn CN=hrdb.dbauthdemo.com -request hrdb.csr


1.6 Sign the certificate through the certificate authority and download the signed certificate


1.7 Load the signed certificate (31e303219bbcf898.crt) into the wallet

orapki wallet add -wallet $WALLET_ROOT/tls -pwd Oracle123 -user_cert -cert 31e303219bbcf898.crt


1.8 Show the contents of the wallet

orapki wallet display -complete  -wallet $WALLET_ROOT/tls -pwd Oracle123


Step 2: Create client wallet for 19c database clients that don't support WALLET_LOCATION=SYSTEM

2.1 Create client wallet
The purpose of the client wallet is to create a wallet that has the signing certificate authority's certificate (or certificate chain).

mkdir -p $WALLET_ROOT/client_wallet/tls
orapki wallet create -wallet $WALLET_ROOT/client_wallet/tls -pwd Oracle123 -auto_login
orapki wallet add -wallet $WALLET_ROOT/client_wallet/tls -pwd Oracle123 -trusted_cert -cert $WALLET_ROOT/sf_bundle-g2-g1.crt


2.1 Copy client wallet to 19c database client hosts

rsync -Have ssh $WALLET_ROOT/client_wallet/tls/. opc@clientdb:/u01/app/oracle/tls 



Step 3: Configure 19c database server

3.1 Setup the database server environment variables on the hrdb host.

export ORACLE_BASE="/u01/app/oracle/19c"
export ORACLE_HOME="$ORACLE_BASE/dbhome_1"
export ORACLE_SID="hrdb"
export TNS_ADMIN="$ORACLE_HOME/network/admin"

PATH=$ORACLE_HOME/bin:$PATH


3.2 Configure sqlnet.ora

cat $ORACLE_HOME/network/admin/sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
SSL_CIPHER_SUITES = (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)


3.3 Configure listener.ora

cat $ORACLE_HOME/network/admin/listener.ora
SSL_CLIENT_AUTHENTICATION = FALSE

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = hrdb.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = hrdb.example.com)(PORT = 2484))
      (SECURITY=(WALLET_LOCATION=/u01/app/oracle/19c/wallet_root/tls))
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle/19c

3.4 Set the wallet_root parameter and restart the database and listener

sqlplus / as sysdba
SQL> alter system set wallet_root='/u01/app/oracle/19c/wallet_root' scope=spfile;
SQL> shutdown immediate;
SQL> quit;
lsnrctl stop
lsnrctl stop
sqlplus / as sysdba
SQL> startup;
SQL> 
alter pluggable database all open;
SQL> alter system register;
SQL> quit;

3.5 Configure host firewall of database server to allow inboud (a.k.a. ingress) connections to non-secure port (1521) and secure port (2848)

sudo firewall-cmd --permanent --zone=public --add-port=1521/tcp
sudo firewall-cmd --permanent --zone=public --add-port=2484/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-all


Step 4: Configure 19c database client

Instructions for downloading 19c database client at https://www.braddiggs.com/2024/11/setup-production-oracle-19c-database.html

4.1 Setup the database client environment variables

export ORACLE_BASE="/u01/app/oracle/19c"
export ORACLE_HOME="$ORACLE_BASE/client"
export LD_LIBRARY_PATH="$ORACLE_HOME/lib"
PATH=$ORACLE_HOME/bin:$PATH


4.2 Extract the 19c database client

mkdir -p $ORACLE_HOME
cd 
$ORACLE_HOME
unzip -qo /u01/bits/
V982065-01.zip


4.3 Add database configurations to tnsnames.ora setting the WALLET_LOCATION to SYSTEM to use the operating system trust store, which includes all major public certificate authorities.  Note that the HOST value should be the fully qualified hostname of the database server.

cat $ORACLE_HOME/network/admin/tnsnames.ora
HRDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = hrdb.example.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = hrdb)
    )
  )

HRDB_SSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = hrdb.example.com)(PORT = 2484))
    (SECURITY=(WALLET_LOCATION=SYSTEM))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = hrdb)
    )
  )

pdb1 =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCP)(HOST=hrdb.example.com)(PORT=1521))
    (CONNECT_DATA=
      (SERVER = DEDICATED)
      (SERVICE_NAME=pdb1)
    )
  )

pdb1_ssl =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCPS)(HOST=hrdb.example.com)(PORT=2484))
    (SECURITY=(WALLET_LOCATION=SYSTEM))
    (CONNECT_DATA=
      (SERVER=dedicated)
      (SERVICE_NAME=pdb1)
    )
  )


4.4 Configure sqlnet.ora

cat $ORACLE_HOME/network/admin/sqlnet.ora
WALLET_LOCATION=
  (SOURCE=  
    (METHOD=file)    
    (METHOD_DATA=    
      (DIRECTORY=/u01/app/oracle/tls)
    )
  )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
SSL_CIPHER_SUITES=(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)


Step 5: Test 19c client connections to the database

5.1 Setup the database client environment variables

export ORACLE_BASE="/u01/app/oracle/19c"
export ORACLE_HOME="$ORACLE_BASE/client"
export LD_LIBRARY_PATH="$ORACLE_HOME/lib"
PATH=$ORACLE_HOME/bin:$PATH


5.2 Test to the container database (CDB) hrdb_ssl

sqlplus system/Oracle123@hrdb_ssl


5.3 Test to the pluggable database (PDB) pdb1_ssl

sqlplus system/Oracle123@pdb1_ssl


Step 6: Configure 23ai database client

Instructions for downloading 23ai database client at https://www.braddiggs.com/2024/11/setup-production-oracle-23ai-database.html

6.1 Setup the database client environment variables

export ORACLE_BASE="/u01/app/oracle/23ai"
export ORACLE_HOME="$ORACLE_BASE/client"
export LD_LIBRARY_PATH="$ORACLE_HOME/lib"
PATH=$ORACLE_HOME/bin:$PATH


6.2 Extract the 23ai database client

mkdir -p $ORACLE_HOME
cd 
$ORACLE_HOME
unzip -qo /u01/bits/
V1044258-01.zip


6.3 Add database configurations to tnsnames.ora setting the WALLET_LOCATION to SYSTEM

cat $ORACLE_HOME/network/admin/tnsnames.ora
HRDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = hrdb.example.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = hrdb)
    )
  )

HRDB_SSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = hrdb.example.com)(PORT = 2484))
    (SECURITY=(WALLET_LOCATION=SYSTEM))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = hrdb)
    )
  )

pdb1 =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCP)(HOST=hrdb.example.com)(PORT=1521))
    (CONNECT_DATA=
      (SERVER = DEDICATED)
      (SERVICE_NAME=pdb1)
    )
  )

pdb1_ssl =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCPS)(HOST=hrdb.example.com)(PORT=2484))
    (SECURITY=(WALLET_LOCATION=SYSTEM))
    (CONNECT_DATA=
      (SERVER=dedicated)
      (SERVICE_NAME=pdb1)
    )
  )


6.4 Configure sqlnet.ora

cat $ORACLE_HOME/network/admin/sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
SSL_CIPHER_SUITES = (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)


Step 7: Test 23ai client connections to the database

Instructions for downloading 23ai database client at https://www.braddiggs.com/2024/11/setup-production-oracle-23ai-database.html

7.1 Setup the database client environment variables

export ORACLE_BASE="/u01/app/oracle/23ai"
export ORACLE_HOME="$ORACLE_BASE/client"
export LD_LIBRARY_PATH="$ORACLE_HOME/lib"
PATH=$ORACLE_HOME/bin:$PATH


7.2 Test to the container database (CDB) hrdb_ssl

sqlplus system/Oracle123@hrdb_ssl


7.3 Test to the pluggable database (PDB) pdb1_ssl

sqlplus system/Oracle123@pdb1_ssl


For troubleshooting, see my blog post on Troubleshooting Oracle One-way TLS Connection Errors.





No comments: