By Geetanjali Mehra - AIOUG Configuratio…

About Me

• Over 7 years of IT Industry Experience

• Currently working with Paytm as Senior Database Administrator

• 9i/10g/11g Oracle Certified Administrator Professional

• Oracle 11g Security Certified Implementation Specialist

• Blog: http://oracle.linuxmantra.com

• @geetanjalidba

• E-mail: [email protected]

Agenda

• What is SSL/TLS and its importance

• What do you require to integrate SSL with Oracle Database 11g

• Steps to configure SSL with Oracle Database 11g

• Using SSL in Oracle

What is SSL?

• SSL/TLS is a protocol used for securing network connections.

• Uses PKI to provide authentication, encryption, and data integrity.

SSL Handshake

• The server sends its certificate to the client. This step verifies the identity of the server.

• The client generates a session key and sends it to the server using public key cryptography.

• All subsequent communication between the client and the server is encrypted and decrypted using this session key.

Why integrate Oracle with SSL

SSL can be used in one of three modes:

• Only the server authenticates itself to the client.

• Both the client and the server authenticate themselves to each other.

• Neither the client nor the server authenticates itself to the other, so only the SSL encryption feature is used.

What is required?

• Oracle Advanced Security on the client.

• Oracle Advanced Security on the Server.

• To configure SSL, use Oracle Network Manager

Steps to configure SSL

1. Configure SSL on the Server.

2. Configure SSL on the client.

3. Use SSL.

Step 1: Configure SSL on the Server

• Wallet creation on the server.

• Create certificate request

• Send certificate request to the CA

• Import certificate to the wallet.

• Use netmgr to specify the wallet location and configure SSL.

• Configure various network-related files.

Step 2: Configure SSL on the Client

• Wallet creation on the client

• Create certificate request

• Send certificate request to the CA.

• Import certificate to the wallet.

• Use netmgr to specify the wallet location and configure SSL.

• Configure various network-related files.

Step 3: Using SSL

1. Create a user that is authenticated using an SSL certificate.

2. Log on to the database as the newly created user.

Demonstration

• The same machine is used for both the client and the server.

• Database name is db1.oracle.local running on RHEL 5.4.

• Machine name is host1.oracle.local.

• Database version 11.2.0.1.0.

• Tools used: orapki

• Client-side configuration files: $ORACLE_HOME/network/user

• Server-side configuration files: $ORACLE_HOME/network/admin

Demonstration

• Create necessary directories:

for any wallet:
  mkdir $ORACLE_HOME/owm/wallets

for wallet with self-signed root certificate:
  mkdir $ORACLE_HOME/owm/wallets/root

for database wallet:
  mkdir $ORACLE_HOME/owm/wallets/db

for user wallet:
  mkdir $ORACLE_HOME/owm/wallets/user

Demonstration

• Create a wallet that will contain a root certificate (self-signed) to sign the database and user certificates:

  $ orapki wallet create -wallet $ORACLE_HOME/owm/wallets/root
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
  Enter password:

Add self-signed certificate:

  orapki wallet add -wallet $ORACLE_HOME/owm/wallets/root -dn 'CN=root' -keysize 2048 -self_signed -validity 365
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
  Enter wallet password:

Export root certificate:

  orapki wallet export -wallet $ORACLE_HOME/owm/wallets/root -dn 'CN=root' -cert $ORACLE_HOME/owm/wallets/root/root.cer
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
  Enter wallet password:

Demonstration

• Create database wallet

Create auto-login (and password) database wallet:

  orapki wallet create -wallet $ORACLE_HOME/owm/wallets/db -auto_login
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
  Enter password:

Import root certificate into database wallet:

  orapki wallet add -wallet $ORACLE_HOME/owm/wallets/db -trusted_cert -cert $ORACLE_HOME/owm/wallets/root/root.cer -pwd Welcome1
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Create certificate request for database:

  orapki wallet add -wallet $ORACLE_HOME/owm/wallets/db -dn 'CN=orcl,DC=oracle,DC=local' -keysize 1024 -pwd Welcome1

Demonstration

Create database wallet continued:

Export certificate request for signing:

  orapki wallet export -wallet $ORACLE_HOME/owm/wallets/db -dn 'CN=orcl,DC=oracle,DC=local' -request $ORACLE_HOME/owm/wallets/db/dbcert.req
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Sign request with root private key:

  orapki cert create -wallet $ORACLE_HOME/owm/wallets/root -request $ORACLE_HOME/owm/wallets/db/dbcert.req -cert $ORACLE_HOME/owm/wallets/db/dbcert.cer -validity 365
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
  Enter wallet password:

• cat $ORACLE_HOME/owm/wallets/db/dbcert.cer

• cat $ORACLE_HOME/owm/wallets/db/dbcert.req

Demonstration

Create database wallet continued:

• Import database certificate into database wallet

orapki wallet add -wallet $ORACLE_HOME/owm/wallets/db -user_cert -cert $ORACLE_HOME/owm/wallets/db/dbcert.cer -pwd Welcome1

Oracle PKI Tool : Version 11.2.0.1.0 - Production

Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

• Create user wallet (must be done for each user)

Create auto-login (and password) user wallet:

  orapki wallet create -wallet $ORACLE_HOME/owm/wallets/user -auto_login
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
  Enter password:

Import root certificate into user wallet:

  orapki wallet add -wallet $ORACLE_HOME/owm/wallets/user -trusted_cert -cert $ORACLE_HOME/owm/wallets/root/root.cer -pwd Welcome1
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Create certificate request for user:

  orapki wallet add -wallet $ORACLE_HOME/owm/wallets/user -dn 'CN=ssluser,DC=oracle,DC=local' -keysize 1024 -pwd Welcome1
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Demonstration

Export certificate request for signing:

  orapki wallet export -wallet $ORACLE_HOME/owm/wallets/user -dn 'CN=ssluser,DC=oracle,DC=local' -request $ORACLE_HOME/owm/wallets/user/usercert.req
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Sign request with root private key:

  orapki cert create -wallet $ORACLE_HOME/owm/wallets/root -request $ORACLE_HOME/owm/wallets/user/usercert.req -cert $ORACLE_HOME/owm/wallets/user/usercert.cer -validity 365
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
  Enter wallet password:

Import user certificate into user wallet:

  orapki wallet add -wallet $ORACLE_HOME/owm/wallets/user -user_cert -cert $ORACLE_HOME/owm/wallets/user/usercert.cer -pwd Welcome1
  Oracle PKI Tool : Version 11.2.0.1.0 - Production
  Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Demonstration

• Configure netmgr for server side

Demonstration

• Sqlnet.ora file:

  SSL_VERSION = 3.0
  SSL_CLIENT_AUTHENTICATION = TRUE
  WALLET_LOCATION =
    (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA =
        (DIRECTORY = /u01/app/oracle/product/11.2.0/db_1/owm/wallets/db)
      )
    )
  ADR_BASE = /u01/app/oracle

• Listener.ora

  SID_LIST_LISTENER =
    (SID_LIST =
      (SID_DESC =
        (GLOBAL_DBNAME = ORCL.ORACLE.LOCAL)
        (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1)
        (SID_NAME = orcl)
      )
    )
  SSL_CLIENT_AUTHENTICATION = true
  WALLET_LOCATION =
    (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA =
        (DIRECTORY = /u01/app/oracle/product/11.2.0/db_1/owm/wallets/db)
      )
    )
  LISTENER =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = host1.oracle.local)(PORT = 2484))
    )
  ADR_BASE_LISTENER = /u01/app/oracle

• Configure netmgr for client side

• Sqlnet.ora

  SSL_VERSION = 3.0
  SSL_CLIENT_AUTHENTICATION = TRUE
  SSL_SERVER_DN_MATCH = YES
  WALLET_LOCATION =
    (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA =
        (DIRECTORY = /u01/app/oracle/product/11.2.0/db_1/owm/wallets/user)
      )
    )
  ADR_BASE = /u01/app/oracle

• Tnsnames.ora

  ORCL =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = host1.oracle.local)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL.oracle.local)
      )
    )
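Added example, not from the deck: a parser for the parenthesised NAME = value syntax that sqlnet.ora, listener.ora and tnsnames.ora share, run over the server sqlnet.ora shown above (embedded as a constructed string), followed by the checks a reviewer would apply to the SSL parameters before trusting the setup. The finding texts are this example's own; the SSL_VERSION semantics (3.0 selects SSL 3.0, 0 accepts any version) follow Oracle's parameter documentation.

```python
import re
# Constructed sample: the deck's server-side sqlnet.ora, embedded so the checks run offline.
SQLNET_ORA = """
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /u01/app/oracle/product/11.2.0/db_1/owm/wallets/db)))
ADR_BASE = /u01/app/oracle
"""
_TOKEN = re.compile(r"\(|\)|=|[^\s()=#]+")

def parse_nv(text):
    """Parse Oracle's parenthesised NAME = value syntax into nested dicts (repeated key -> list)."""
    tokens = _TOKEN.findall(re.sub(r"#[^\n]*", "", text))  # strip # comments
    pos = 0

    def pair(out):                   # consume one KEY = value into out
        nonlocal pos
        key = tokens[pos].upper()
        pos += 1
        if pos + 1 >= len(tokens) or tokens[pos] != "=":
            raise ValueError("expected '= value' after %s" % key)
        pos += 1
        if tokens[pos] == "(":       # value is one or more (KEY = value) groups
            val = {}
            while pos < len(tokens) and tokens[pos] == "(":
                pos += 1
                pair(val)
                if pos >= len(tokens) or tokens[pos] != ")":
                    raise ValueError("unbalanced parentheses inside %s" % key)
                pos += 1
        else:
            val = tokens[pos]
            pos += 1
        old = out.get(key)
        out[key] = val if old is None else (old if isinstance(old, list) else [old]) + [val]

    result = {}
    while pos < len(tokens):
        pair(result)
    return result

def check_ssl(cfg):
    """Checks a defender would run on a parsed sqlnet.ora; returns a list of findings."""
    findings = []
    if cfg.get("SSL_VERSION", "0") in ("0", "3.0"):   # 3.0 selects SSL 3.0; 0 means any version
        findings.append("SSL_VERSION permits SSL 3.0; pin a TLS version instead")
    if str(cfg.get("SSL_CLIENT_AUTHENTICATION", "")).upper() != "TRUE":
        findings.append("SSL_CLIENT_AUTHENTICATION is not TRUE: no certificate-based client auth")
    return findings
```

The same parser reads the listener.ora and tnsnames.ora listings, so the TCPS protocol, port and WALLET_LOCATION directory can be checked from the parsed dicts as well.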

• Restart the listener

$lsnrctl stop

$lsnrctl start

• Create a database user

SQL> create user ssluser identified externally as 'cn=ssluser,dc=oracle,dc=local';

SQL> grant create session to ssluser;

• Log on to the database

  $sqlplus /@orcl

  SQL*Plus: Release 11.2.0.1.0 Production on Tue Apr 23 23:14:15 2013
  Copyright (c) 1982, 2009, Oracle. All rights reserved.

  Connected to:
  Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
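The CREATE USER above only works when the IDENTIFIED EXTERNALLY AS string names the same subject that the user certificate was issued for (the orapki -dn value). As an added example, not part of the deck, a small DN parser that compares the two strings the way a reviewer would before running the statement; the case-insensitive comparison of values is an assumption of this example, not a documented Oracle rule.

```python
# Constructed sample values taken from the deck: the subject given to orapki and the
# string used in CREATE USER ... IDENTIFIED EXTERNALLY AS.
CERT_DN = "CN=ssluser,DC=oracle,DC=local"
SQL_DN = "cn=ssluser,dc=oracle,dc=local"

def parse_dn(dn):
    """Split an RFC 4514 string DN into [(TYPE, value), ...]. A backslash escapes the
    next character, so 'O=Acme\\, Inc' stays one RDN. Types are upper-cased, values
    stripped of surrounding whitespace; multi-valued RDNs ('+') are not handled."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):     # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    parts = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        attr_type, value = rdn.split("=", 1)
        parts.append((attr_type.strip().upper(), value.strip()))
    return parts

def dn_matches(cert_dn, sql_dn):
    """True when both strings name the same subject: same RDNs in the same order,
    attribute types case-insensitive, values compared case-insensitively (assumption
    of this example; the database's own comparison is authoritative)."""
    norm = lambda dn: [(t, v.lower()) for t, v in parse_dn(dn)]
    return norm(cert_dn) == norm(sql_dn)

def cn_of(dn):
    """Return the CN value, the natural choice for the database user name."""
    for attr_type, value in parse_dn(dn):
        if attr_type == "CN":
            return value
    raise ValueError("DN has no CN: %r" % dn)
```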

Questions?

Thanks for listening