While I was helping a customer with their Oracle Database TLS configuration, they realized that they didn't have a trust store for their database clients. I shared that there is an easy way to create the client trust store in all of the necessary formats with openssl. Here's how to do that for the Oracle wallet, Java JKS and PKCS12 trust store formats.
Note in all of the following examples, you will want to use your own password. For these examples, I've used Oracle123.
Get Cert Chain
The first thing to do is capture the certificate chain into a PEM file; there are a few ways to get it, depending on your setup.
OpenSSL Method
The easiest way to do this is via the openssl command with:
timeout 5 openssl s_client -connect <db_host>:2484 -showcerts > ~/cert-chain.pem
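That file holds the whole handshake transcript around the PEM blocks, and a server may send several certificates, so it is worth knowing which one you are about to trust (normally the CA, not the server's own certificate). The script below is an added example, not part of the original post: it splits the transcript into one PEM file per certificate and lists each entry's subject and issuer; the embedded transcript is constructed sample input whose PEM bodies are placeholders, not real certificates.

```sh
#!/bin/sh
# Added example, not the author's code: inspect ~/cert-chain.pem as written by
# s_client -showcerts. The sample transcript is constructed; PEM bodies are placeholders.
# split_chain <transcript> <outdir>: one PEM file per certificate in chain order
# (cert-0.pem = server cert, cert-1.pem = its issuer, ...); prints the count.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    BEGIN { n = 0 }
    /^-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; n++; inblock = 1 }
    inblock { print > out }
    /^-----END CERTIFICATE-----/ { inblock = 0; close(out) }
    END { print n }
  ' "$1"
}
# chain_summary <transcript>: one line per entry, from the " 0 s:" / "   i:" lines.
# A self-signed entry is a root CA; the root (or issuing CA), not the depth-0
# server cert, is normally what belongs in a trust store.
chain_summary() {
  awk '
    /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
    /^ *i:/ { sub(/^ *i:/, ""); iss = $0
              printf "%s subject=%s issuer=%s self-signed=%s\n", depth, subj, iss, (subj == iss ? "yes" : "no") }
  ' "$1"
}
# Constructed -showcerts transcript: a leaf issued by a self-signed root.
sample_transcript() {
  cat <<'EOF'
Certificate chain
 0 s:CN = db.example.com
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgTEVBRiBCT0RZ
-----END CERTIFICATE-----
 1 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgUk9PVCBCT0RZ
-----END CERTIFICATE-----
---
Server certificate
EOF
}
# Run on the file given as $1 (e.g. ~/cert-chain.pem), else on the sample.
transcript=${1:-}
[ -n "$transcript" ] || { transcript=$(mktemp); sample_transcript > "$transcript"; }
echo "certificates found: $(split_chain "$transcript" "$transcript.parts")"
chain_summary "$transcript"
```

Once you know which split file is the CA, compare its fingerprint (openssl x509 -noout -fingerprint -sha256 -in cert-1.pem) with the wallet on the server before feeding it to orapki or keytool.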
Standalone Oracle Database Method
For a standalone Oracle database, you can use orapki to export the certificate.
Set up the environment variables with:
export ORACLE_BASE="/u01/app/oracle/19c"
export ORACLE_HOME="$ORACLE_BASE/dbhome_1"
export WALLET_ROOT="$ORACLE_BASE/wallet_root"
PATH=$ORACLE_HOME/bin:$PATH
Look up the CN= value of the CA certificate chain (or, if self-signed, the certificate subject) with:
orapki wallet display -nologo -wallet $WALLET_ROOT/rootca_wallet/tls -complete
Export the certificate, substituting the CN= value from the previous command for <cnvalue>:
orapki wallet export -wallet $WALLET_ROOT/rootca_wallet/tls -pwd Oracle123 -dn <cnvalue> -cert ~/cert-chain.pem
Exadata Method
For Oracle Exadata systems, you can look up the current certificate CN value via the orapki command with:
sudo su - grid -c "orapki wallet display -nologo -wallet /var/opt/oracle/dbaas_acfs/grid/tcps_wallets -complete"
Then, use the orapki command to export the certificate to a file, using the CN= value of the certificate returned by the previous command as the input (<cnvalue>) to the following command:
sudo su - grid -c "orapki wallet export -nologo -wallet /var/opt/oracle/dbaas_acfs/grid/tcps_wallets -dn CN=<cnvalue> -cert ~/cert-chain.crt"
Then, you can view the contents of the certificate file as the grid user with:
sudo cat ~grid/cert-chain.crt
Client Wallet
For Oracle database clients using the Oracle Call Interface (OCI) and JDBC-thick drivers, you will need an Oracle wallet containing the certificate chain. Here's how to create the client wallet with Oracle's orapki command:
mkdir clientwallet
cd clientwallet
orapki wallet create -wallet . -pwd Oracle123 -auto_login
orapki wallet add -wallet . -pwd Oracle123 -trusted_cert -cert ~/cert-chain.pem
Display the contents of the Oracle wallet with:
orapki wallet display -wallet . -complete
Java Key Store (JKS) Trust Store
JDBC-thin clients need either a JKS or PKCS12 trust store. Here is how to create the JKS trust store from the certificate:
keytool -importcert -storepass Oracle123 -keystore clientstore.jks -alias root-ca-chain -file ~/cert-chain.pem -noprompt
Display the contents of the JKS trust store:
keytool -list -keystore clientstore.jks -storetype JKS -storepass Oracle123 -v
PKCS12 Trust Store
JDBC-thin clients can use a PKCS12 trust store instead of JKS. Here is how to create the PKCS12 trust store from the certificate:
keytool -importcert -storepass Oracle123 -storetype PKCS12 -keystore clientstore.p12 -alias root-ca-chain -file ~/cert-chain.pem -noprompt
Display the contents of the PKCS12 trust store:
keytool -list -storetype PKCS12 -keystore clientstore.p12 -storepass Oracle123 -v
I hope this was helpful and informative.
Blessings!