
After deleting one of certificates, connection failed.

Discussion in 'Security, Backup and Recovery' started by 13478, Jul 8, 2016.

    Hello,
    History of action:

    1. We configured a one-way authenticated (the server is authenticated by the client) connection to the database using TCPS (certificate CN=myteam).
    2. A few weeks later, we added another certificate (CN=hello.world.com).
    3. As requested, we wanted to remove the certificate CN=myteam from the wallet. After removing it, when we try to connect to the database, we get the error:
    ORA-29024: Certificate validation failure


    Below is the way we configured one-way authentication
    --server side sqlnet.ora
    SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
    SSL_VERSION = 1.2
    SSL_CLIENT_AUTHENTICATION = FALSE
    WALLET_LOCATION =
    (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
    (DIRECTORY = E:\app\oracle\owm\wallets)
    )
    )


    SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_GCM_SHA384)




    --client side sqlnet.ora
    SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)

    SSL_VERSION = 1.2

    SSL_CLIENT_AUTHENTICATION = TRUE

    WALLET_LOCATION =
    (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
    (DIRECTORY = C:\app\oracle\wallet)
    )
    )


    SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_GCM_SHA384)

    ADR_BASE = C:\app\client\tom


    NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT)




    ---below is the way we set it up

    1) On the server side, create the server wallet and certificate, and export the server certificate


    --create the initial wallet,
    orapki wallet create -wallet E:\app\oracle\owm\wallets -auto_login -pwd Welcome1


    --create a self-signed certificate. This generates both a user certificate and the CA root certificate that signs it

    orapki wallet add -wallet E:\app\oracle\owm\wallets -dn "CN=myteam" -keysize 512 -self_signed -validity 365 -pwd Welcome1

    --export the CA root certificate

    orapki wallet export -wallet E:\app\oracle\owm\wallets -dn "CN=myteam" -cert server_ca.cert


    2) go to the client side

    orapki wallet create -wallet C:\app\oracle\wallet -auto_login -pwd Welcome2

    --FTP the server's certificate to the client machine and add it to the client wallet,

    orapki wallet add -wallet C:\app\oracle\wallet -trusted_cert -cert server_ca.cert -pwd Welcome2

    --to check that the server cert is loaded

    orapki wallet display -wallet "C:\app\oracle\wallet" -pwd Welcome2

    ---test connection, works


    (a few weeks later, we added a new certificate CN=hello.world.com as requested)

    server side

    --move the old certificate to a bk folder,

    --create a new self-signed certificate. This generates both a user certificate and the CA root certificate that signs it

    orapki wallet add -wallet E:\app\oracle\owm\wallets -dn "CN=hello.world.com" -keysize 512 -self_signed -validity 365 -pwd Welcome1

    --export the CA root certificate

    orapki wallet export -wallet E:\app\oracle\owm\wallets -dn "CN=hello.world.com" -cert server_ca.cert



    client side:

    --copy the new server_ca.cert to the client and add it to the client wallet

    orapki wallet add -wallet C:\app\oracle\wallet -trusted_cert -cert server_ca.cert -pwd Welcome2

    cc: if you get "PKI-04003: The trusted certificate is already present in the wallet.", you need to remove it first

    orapki wallet remove -trusted_cert_all -wallet "C:\app\oracle\wallet" -pwd Welcome2



    --add again
    orapki wallet add -wallet C:\app\oracle\wallet -trusted_cert -cert server_ca.cert -pwd Welcome2


    --to check that the server cert is loaded

    orapki wallet display -wallet "C:\app\oracle\wallet" -pwd Welcome2

    Requested Certificates:

    User Certificates:

    Trusted Certificates:

    Subject: CN=hello.world.com
    Subject: CN=myteam

    --test the connection from the client side, works


    OK, now we want to remove CN=myteam from the wallet.

    --now, these are the two certificates in the wallet on my laptop (client side)

    C:\Users\tom>orapki wallet display -wallet "C:\app\oracle\wallet" -pwd Welcome2
    Oracle PKI Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

    Requested Certificates:
    User Certificates:
    Trusted Certificates:
    Subject: CN=hello.world.com
    Subject: CN=myteam



    ---I want to remove CN=myteam

    C:\Users\tom>orapki wallet remove -dn CN=myteam -trusted_cert -wallet "C:\app\oracle\wallet" -pwd Welcome2





    --check
    C:\Users\tom>orapki wallet display -wallet "C:\app\oracle\wallet" -pwd Welcome2
    Oracle PKI Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

    Requested Certificates:
    User Certificates:
    Trusted Certificates:
    Subject: CN=hello.world.com




    --go to the server side

    --check

    E:\app\oracle\product\12.1.0\dbhome_1\ldap\admin>orapki wallet display -wallet "E:\app\oracle\owm\wallets" -pwd Welcome1
    Oracle PKI Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

    Requested Certificates:
    User Certificates:
    Subject: CN=myteam
    Subject: CN=hello.world.com
    Trusted Certificates:
    Subject: CN=myteam
    Subject: CN=hello.world.com



    --remove CN=myteam
    ---remove the user certificate first
    E:\app\oracle\product\12.1.0\dbhome_1\ldap\admin>orapki wallet remove -dn CN=myteam -user_cert -wallet "E:\app\oracle\owm\wallets" -pwd Welcome1
    Oracle PKI Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.


    --then remove the trusted certificate

    E:\app\oracle\product\12.1.0\dbhome_1\ldap\admin>orapki wallet remove -dn CN=myteam -trusted_cert -wallet "E:\app\oracle\owm\wallets" -pwd Welcome1
    Oracle PKI Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.



    --check

    E:\app\oracle\product\12.1.0\dbhome_1\ldap\admin>orapki wallet display -wallet "E:\app\oracle\owm\wallets" -pwd Welcome1
    Oracle PKI Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

    Requested Certificates:
    Subject: CN=myteam
    User Certificates:
    Subject: CN=hello.world.com
    Trusted Certificates:
    Subject: CN=hello.world.com



    --test the connection from the client side,

    C:\Users\tom>sqlplus scott/tiger@TLS74_TLS

    SQL*Plus: Release 12.1.0.2.0 Production on Tue Jul 5 15:09:33 2016

    Copyright (c) 1982, 2014, Oracle. All rights reserved.

    ERROR:
    ORA-29024: Certificate validation failure


    Could you let me know what the problem is, and how to troubleshoot this?

    Thank you very much.
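The check a practitioner would run on the wallet listings in the post above, as an added example (this is not code from the original post, and it does not diagnose the thread's ORA-29024 itself). It parses the plain-text output of `orapki wallet display`, then asks whether the client wallet can validate whatever certificate the server presents. The listings embedded in the script are constructed from the thread's final server and client output; the DN that the server "presents" is an assumption passed in by the caller (whether the running listener still presents the removed CN=myteam certificate is a hypothesis to test, not something the thread confirms). The chain model assumes self-signed certificates, as in the thread, where the trust anchor the client needs is the server certificate's own DN.

```python
"""Added example (not from the original post): cross-check Oracle wallet
listings for a one-way (server-authenticated) TCPS setup.

Parses `orapki wallet display` output and checks whether the client wallet
can validate the certificate the server presents. The listings below are
constructed from the thread's own output; the presented DN is an assumption
supplied by the caller.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Wallet:
    requested: List[str] = field(default_factory=list)  # pending cert requests (key pairs)
    user: List[str] = field(default_factory=list)       # certificates with a private key
    trusted: List[str] = field(default_factory=list)    # trust anchors


def parse_wallet_display(text: str) -> Wallet:
    """Parse `orapki wallet display` output into its three certificate lists.

    Only "Subject: <DN>" lines under a known section header are collected;
    the version banner and copyright lines are ignored.
    """
    wallet = Wallet()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Requested Certificates:":
            current = wallet.requested
        elif line == "User Certificates:":
            current = wallet.user
        elif line == "Trusted Certificates:":
            current = wallet.trusted
        elif line.startswith("Subject:") and current is not None:
            current.append(line[len("Subject:"):].strip())
    return wallet


def check_tcps_trust(server: Wallet, client: Wallet,
                     presented_dn: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a server-authenticated TCPS handshake.

    Model: the server presents the user certificate `presented_dn`. All
    certificates in the thread were made with `orapki ... -self_signed`, so
    the anchor the client needs is that same DN (assumption: a CA-issued
    certificate would instead need its issuer's DN in the client wallet).
    """
    errors, warnings = [], []
    if presented_dn not in server.user:
        errors.append(f"server wallet has no user certificate {presented_dn}; "
                      "check which certificate the running listener actually presents")
    if presented_dn not in client.trusted:
        errors.append(f"client wallet does not trust {presented_dn}: "
                      "certificate validation (ORA-29024) will fail")
    for dn in server.user:
        if dn not in server.trusted:  # a self-signed cert is its own chain
            errors.append(f"server user certificate {dn} has no matching trusted "
                          "certificate, so its chain cannot be built")
    for dn in server.requested:
        warnings.append(f"server wallet still holds a certificate request (key pair) "
                        f"for {dn}; it is not removed by deleting the user certificate")
    return errors, warnings


# Listings constructed from the thread's final `orapki wallet display` output.
SERVER_AFTER = """\
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject: CN=myteam
User Certificates:
Subject: CN=hello.world.com
Trusted Certificates:
Subject: CN=hello.world.com
"""

CLIENT_AFTER = """\
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=hello.world.com
"""


def audit(presented_dn: str) -> Tuple[List[str], List[str]]:
    """Run the check against the thread's final wallet state."""
    return check_tcps_trust(parse_wallet_display(SERVER_AFTER),
                            parse_wallet_display(CLIENT_AFTER), presented_dn)


if __name__ == "__main__":
    # Two hypothetical scenarios: the server presents the new certificate,
    # or (e.g. a listener started before the wallet changed) still the old one.
    for dn in ("CN=hello.world.com", "CN=myteam"):
        errors, warnings = audit(dn)
        print(f"server presents {dn}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for msg in errors + warnings:
            print("  -", msg)
```

Feed it the real listings by pasting the `orapki wallet display` output of each side into the two constants. If the new certificate passes the check but the connection still fails, the next thing to establish is which certificate the server actually presents during the handshake, rather than what its wallet file now contains. Two caveats that apply regardless of the outcome: the `-keysize 512` used in the thread is far below the 2048-bit minimum expected of RSA keys today, and the leftover request the script flags can be cleaned up with `orapki wallet remove -dn "CN=myteam" -cert_req` once it is no longer needed.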