Oracle SSL authentication wallet no longer working
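I am running tests that connect to a locally installed Oracle database using an SSL Oracle wallet.
About two weeks ago I was able to create wallets and authenticate with them successfully, but this no longer seems to work. This is how I create the wallets.
Create the server wallet and export its certificate: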
orapki wallet create -wallet "C:/app/TestWallet/Server" -pwd Welcome1 -auto_login
orapki wallet add -wallet "C:/app/TestWallet/Server" -pwd Welcome1 -dn "CN=MyHostName.Domain.com" -keysize 1024 -self_signed -validity 3650 -sign_alg sha256
orapki wallet export -wallet "C:/app/TestWallet/Server" -pwd Welcome1 -dn "CN=MyHostName.Domain.com" -cert C:/app/TestWallet/MyHostName-certificate.crt
Create the client wallet and export its certificate:
orapki wallet create -wallet "C:/app/TestWallet/Client" -pwd Welcome1 -auto_login
orapki wallet add -wallet "C:/app/TestWallet/Client" -pwd Welcome1 -dn "CN=DBUserName" -keysize 1024 -self_signed -validity 3650 -sign_alg sha256
orapki wallet export -wallet "C:/app/TestWallet/Client" -pwd Welcome1 -dn "CN=DBUserName" -cert C:/app/TestWallet/DBUserName-certificate.crt
Exchange the certificates:
orapki wallet add -wallet "C:/app/TestWallet/Client" -pwd Welcome1 -trusted_cert -cert C:/app/TestWallet/MyHostName-certificate.crt
orapki wallet add -wallet "C:/app/TestWallet/Server" -pwd Welcome1 -trusted_cert -cert C:/app/TestWallet/DBUserName-certificate.crt
Wallet display (server):
orapki wallet display -wallet "C:/app/TestWallet/Server" -pwd Welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=MyHostName.Domain.com
Trusted Certificates:
Subject: CN=DBUserName
Subject: CN=MyHostName.Domain.com
Wallet display (client):
orapki wallet display -wallet "C:/app/TestWallet/Client" -pwd Welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=DBUserName
Trusted Certificates:
Subject: CN=DBUserName
Subject: CN=MyHostName.Domain.com
Server sqlnet.ora
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\TestWallet\Server)
    )
  )
Client sqlnet.ora
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\TestWallet\Client)
    )
  )
I am testing with the OCCI Instant Client.
Environment *env = Environment::createEnvironment();
Connection *conn = env->createConnection(m_username.c_str(), m_password.c_str(), m_dbConnectionString.c_str());
// Note: username and password are not supplied to the above function.
The code above throws the following exception:
ORA-29024: Certificate validation failure
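Two weeks ago I could create wallets and connect without problems, but this no longer seems to work.
If I set the wallet path in sqlnet.ora to the old wallet path from 2 weeks ago, I can connect without problems.
I am sure the wallet path is correct. LSNRCTL also confirms that the wallet path is right: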
LSNRCTL> status
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=MyHostName.Domain.com)(PORT=5500))(Security=(my_wallet_directory=C:\app\TestWallet\Server))
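What could I be missing? How can I get wallet SSL authentication to work?
Edit:
If I change the wallet in the sqlnet.ora file to the path of the old wallet created 2 weeks ago, it still works. The problem only occurs with newly created wallets.
OK, it looks like I just missed one setting in the server's listener.ora.
This time I created the wallets in a different location from my earlier tests.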
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\TestWallet\Server)
    )
  )
After changing this, run the following:
LSNRCTL> stop
LSNRCTL> start
Wait a while for it to update. It is now up and running.
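The answer traces the failure to the WALLET_LOCATION entry in the server's listener.ora after the wallets were created in a new directory. The check below is an added example, not part of the original post: it extracts the wallet directory from sqlnet.ora and listener.ora text and compares them under Windows path rules. The function names and the stale path C:\app\OldWallet\Server are constructed for illustration.

```python
import re
from ntpath import normcase, normpath  # Windows path rules on any OS

def wallet_directory(text):
    """Return WALLET_LOCATION's DIRECTORY from an Oracle Net parameter
    file (sqlnet.ora or listener.ora), or None if it is not set."""
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))  # drop comments
    m = re.search(r"^\s*WALLET_LOCATION\s*=", body, re.I | re.M)
    if not m:
        return None
    depth, start = 0, None
    for i in range(m.end(), len(body)):  # walk the balanced (...) value
        if body[i] == "(":
            start = i if depth == 0 else start
            depth += 1
        elif body[i] == ")":
            depth -= 1
            if depth == 0:
                break
    else:
        return None  # unbalanced parentheses: treat as not configured
    # Simplification: assumes the directory itself contains no ")".
    d = re.search(r"\(\s*DIRECTORY\s*=\s*([^)]*?)\s*\)", body[start:i + 1], re.I)
    return d.group(1).strip('"') if d else None

def same_wallet(sqlnet_text, listener_text):
    """True only if both files name the same wallet directory."""
    a, b = wallet_directory(sqlnet_text), wallet_directory(listener_text)
    if a is None or b is None:
        return False
    return normcase(normpath(a)) == normcase(normpath(b))

# Constructed samples: SQLNET matches the page; the stale path is made up.
SQLNET = r"""SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = C:\app\TestWallet\Server)))"""
LISTENER_STALE = r"""WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = C:\app\OldWallet\Server)))"""
LISTENER_FIXED = r"""# updated to the new wallet
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
  (METHOD_DATA = (DIRECTORY = c:/app/testwallet/server/)))"""

if __name__ == "__main__":
    for name, text in (("stale", LISTENER_STALE), ("fixed", LISTENER_FIXED)):
        print(name, wallet_directory(text), same_wallet(SQLNET, text))
```

A file with no WALLET_LOCATION entry is reported as a mismatch rather than silently passing, since a missing listener.ora entry is the condition the answer describes.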