Configuring the Oracle database server
Use Oracle tools, such as the Oracle Wallet Manager and the orapki command, to configure both the truststore and the keystore on the Oracle database server.
About this task
For test purposes, you can use the following commands to set up a self-signed certificate authority, truststore, and keystore:
cd c:\temp
mkdir authority
mkdir server
mkdir client
Self-signed certificate authority
orapki wallet create -wallet ./authority -pwd=ThePwd12
orapki wallet add -wallet ./authority -dn "CN=authority, C=US" -keysize 2048 -self_signed -validity 3650 -pwd=ThePwd12
orapki wallet export -wallet ./authority -dn "CN=authority, C=US" -cert ./authority/CA.cer -pwd=ThePwd12
Use the CA.cer file in the authority directory as the trusted certificate when you issue the keytool command to import a CA certificate into the Dispatcher truststore.
Stores for Server Authentication
orapki wallet create -wallet ./server -auto_login -pwd=ThePwd12
orapki wallet add -wallet ./server -dn "CN=server, C=US" -keysize 2048 -pwd=ThePwd12
orapki wallet export -wallet ./server -dn "CN=server, C=US" -request ./server/creq.cer -pwd=ThePwd12
orapki cert create -wallet ./authority -request ./server/creq.cer -cert ./server/signed.cer -validity 3650 -pwd=ThePwd12
orapki wallet add -wallet ./server -trusted_cert -cert ./authority/CA.cer -pwd=ThePwd12
orapki wallet add -wallet ./server -user_cert -cert ./server/signed.cer -pwd=ThePwd12
Stores for Client Authentication
orapki wallet create -wallet ./client -auto_login -pwd=ThePwd12
orapki wallet add -wallet ./client -dn "CN=client, C=US" -keysize 2048 -pwd=ThePwd12
orapki wallet export -wallet ./client -dn "CN=client, C=US" -request ./client/creq.cer -pwd=ThePwd12
orapki cert create -wallet ./authority -request ./client/creq.cer -cert ./client/signed.cer -validity 3650 -pwd=ThePwd12
orapki wallet add -wallet ./client -trusted_cert -cert ./authority/CA.cer -pwd=ThePwd12
orapki wallet add -wallet ./client -user_cert -cert ./client/signed.cer -pwd=ThePwd12
Oracle Network Configuration
Configure the following two files on the Oracle database server to enable SSL:
- listener.ora
- sqlnet.ora
These files are in the network\admin directory of the Oracle home directory. You can use Oracle Net Manager or a text editor to edit these files.
listener.ora
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = myDir)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = myHost)(PORT = nonSSLPort))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = myHost)(PORT = sslPort))
    )
  )
sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES= (TCPS, NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = myDir)
    )
  )
where:
- myDir: The directory location of the truststore on the Oracle Database Server. For example, C:\temp\server.
- myHost: The server host name.
- nonSSLPort: The non-SSL communication port (TCP protocol). For example, 1521.
- sslPort: The SSL communication port (TCPS protocol). For example, 2484.
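As an added check, not part of the original documentation or of Oracle's own tooling, the following Python parses the parenthesised listener.ora and sqlnet.ora syntax shown above and reports what the two files actually enable: which listener ports use TCPS, the wallet directory, the SSL_VERSION value, whether client authentication is on, and whether TCPS is listed as an authentication service. The sample file contents are constructed to mirror the page; the host name, ports and wallet directory are placeholders, and the parser is a minimal one written for the constructs on this page.

```python
import re
# Constructed samples in the page's format; host name, ports and wallet directory are placeholders.
LISTENER_ORA = r"""LISTENER = (DESCRIPTION_LIST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example)(PORT = 2484))))"""
SQLNET_ORA = r"""SQLNET.AUTHENTICATION_SERVICES= (TCPS, NTS)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = C:\temp\server)))"""
TOKEN = re.compile(r"\(|\)|=|[^\s()=]+")  # parentheses, '=', and bare words

def _add(d, name, value):  # a repeated name (e.g. two DESCRIPTION groups) collects into a list
    prev = d.get(name)
    d[name] = value if prev is None else (prev if isinstance(prev, list) else [prev]) + [value]

def _value(tok, pos):  # parse a bare word, a list such as (TCPS, NTS), or consecutive (NAME = ...) groups
    if tok[pos] != "(":
        return tok[pos], pos + 1
    if tok[pos + 2] != "=":  # parenthesised list with no '='
        end = tok.index(")", pos)
        return [t for t in (x.strip(",") for x in tok[pos + 1:end]) if t], end + 1
    group = {}
    while pos < len(tok) and tok[pos] == "(":
        name, (val, pos) = tok[pos + 1].upper(), _value(tok, pos + 3)
        if tok[pos] != ")":
            raise ValueError("unbalanced parentheses after " + name)
        _add(group, name, val)
        pos += 1
    return group, pos

def parse_oranet(text):  # Oracle Net parameter file (NAME = value lines, '#' comments) -> nested dicts
    tok = [t for ln in text.splitlines() for t in TOKEN.findall(ln.split("#", 1)[0])]
    params, pos = {}, 0
    while pos < len(tok):
        name, (val, pos) = tok[pos].upper(), _value(tok, pos + 2)  # tok[pos + 1] is the '='
        _add(params, name, val)
    return params

def audit_tls(listener_text, sqlnet_text):
    """Report what the two files actually enable: TCPS ports, wallet dir, SSL_VERSION, client auth."""
    lsnr, net = parse_oranet(listener_text), parse_oranet(sqlnet_text)
    descs = lsnr["LISTENER"]["DESCRIPTION_LIST"]["DESCRIPTION"]
    descs = descs if isinstance(descs, list) else [descs]
    return {
        "tcps_ports": [d["ADDRESS"]["PORT"] for d in descs if d["ADDRESS"]["PROTOCOL"].upper() == "TCPS"],
        "wallet_dir": net["WALLET_LOCATION"]["SOURCE"]["METHOD_DATA"]["DIRECTORY"],
        "ssl_version": net.get("SSL_VERSION"),
        "client_auth": net.get("SSL_CLIENT_AUTHENTICATION", "").upper() == "TRUE",
        "tcps_auth_service": "TCPS" in [s.upper() for s in net.get("SQLNET.AUTHENTICATION_SERVICES", [])],
    }
```

SSL_VERSION is returned as-is so the check can be extended with whatever protocol-version policy applies; the value 3.0 used on this page selects SSLv3, which RFC 7568 deprecated in 2015.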