Configuring Secure Socket Layer (SSL) Encryption
SSL communication is configured in Oracle by creating two wallets (one for the server, one for the client) that store the private keys and certificates, and by modifying the sqlnet.ora, tnsnames.ora and listener.ora configuration files. Oracle keeps the "SSL" name for its parameters; the protocol actually negotiated is TLS.
The wallets can be created with the orapki command-line utility or with the Oracle Wallet Manager GUI tool; this section uses the GUI.

- Start the Oracle Wallet Manager.
- Create a new wallet with the Standard wallet type.
- Click Yes to create a new certificate request.
- Set the Common Name to the Fully Qualified Domain Name (FQDN) that clients will put in the connect string; the client-side SSL_SERVER_DN_MATCH check compares the two.
- Right-click the certificate request and choose Export Certificate Request…, then have your CA issue a Web Server certificate from this request.
- Install the generated .p7b file, which contains the root certificate and the database server certificate (the issued certificate is shown in the screenshot).
- Select the Wallet.
- Check the Auto Login option and save the wallet in the <Oracle Home>\ServerWallet folder. An auto-login wallet (cwallet.sso) makes the private key usable without a password prompt, so restrict the folder's NTFS permissions to the Oracle service account and administrators.
- Start the Net Manager.
- Configure SSL encryption to use the new wallet and save the network configuration.
The sqlnet.ora configuration is shown below. Two settings deserve attention before this goes into production: SSL_VERSION = 0 means "any version", so TLS 1.0 and 1.1 can be negotiated (set SSL_VERSION = 1.2 to pin the protocol), and the cipher-suite list includes SSL_RSA_WITH_3DES_EDE_CBC_SHA and the CBC/SHA-1 suites (keep only the AES-GCM suites). SSL_CLIENT_AUTHENTICATION = FALSE means the server does not request a client certificate.
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
SSL_VERSION = 0
#TRACE_LEVEL_CLIENT = SUPPORT
SSL_CLIENT_AUTHENTICATION = FALSE
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256, AES192, AES128, 3DES168)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\Administrator\virtual\product\12.2.0\dbhome_1\ServerWallet)
    )
  )
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
ADR_BASE = C:\app\Administrator\virtual\product\12.2.0\dbhome_1\log
- Update the tnsnames.ora file and add a new net service name (connect alias) CMSDBSSL that uses the TCPS protocol on port 2484; the database service name stays CMSDB:
CMSDB =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = CMS50F)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = CMSDB)
    )
  )
CMSDBSSL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = CMS50F)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = CMSDB)
    )
  )
LISTENER_CMSDB =
  (ADDRESS = (PROTOCOL = TCP)(HOST = CMS50F)(PORT = 1521))
  (ADDRESS = (PROTOCOL = TCPS)(HOST = CMS50F)(PORT = 2484))
- Update the listener.ora file and add the wallet location and the new TCPS listening endpoint:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = CMSDB)
      (SID_NAME = CMSDB)
    )
  )
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\Administrator\virtual\product\12.2.0\dbhome_1\ServerWallet)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = CMS50F)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = CMS50F)(PORT = 2484))
    )
  )
ADR_BASE_LISTENER = C:\app\Administrator\virtual\product\12.2.0\dbhome_1\log
#TRACE_LEVEL_LISTENER = ADMIN
- Update the firewall and open the new port 2484 for inbound TCP, restricted to the ActivID CMS host where the firewall supports source filtering.
- Stop and start the listener service so that it loads the new listener.ora and the wallet.
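The server-side procedure above, done with orapki instead of Oracle Wallet Manager and followed by the firewall rule, the listener restart and a check that a session over CMSDBSSL really negotiates TLS. This is an added example, not code from the ActivID CMS documentation. Assumptions that are not on the page: the Oracle Home path (copied from the page's examples), the FQDN of host CMS50F, the service account that runs Oracle, the names of the Base-64 certificate files exported from the CA, the CMS host address and the database account used for the check.

```powershell
# Added example (not from the ActivID CMS documentation): server wallet with
# orapki, firewall rule, listener restart and a TLS session check.
$OracleHome     = 'C:\app\Administrator\virtual\product\12.2.0\dbhome_1'   # from the page
$Wallet         = Join-Path $OracleHome 'ServerWallet'
$Fqdn           = 'cms50f.example.com'      # assumed FQDN; must equal the HOST clients connect to
$ServiceAccount = 'NT AUTHORITY\SYSTEM'     # assumed; use the Oracle Home User chosen at install
$CmsHost        = '10.0.0.20'               # assumed address of the ActivID CMS server
$WalletPwd      = Read-Host -Prompt 'Wallet password'   # orapki takes it in clear; never hard-code it

# 1. Auto-login wallet: cwallet.sso lets the listener open the wallet without a
#    prompt, which is why the folder is locked down in step 4.
& orapki wallet create -wallet $Wallet -auto_login -pwd $WalletPwd

# 2. Key pair plus certificate request. The CN is the FQDN that clients use;
#    SSL_SERVER_DN_MATCH on the client compares the two.
& orapki wallet add    -wallet $Wallet -dn "CN=$Fqdn" -keysize 2048 -sign_alg sha256 -pwd $WalletPwd
& orapki wallet export -wallet $Wallet -dn "CN=$Fqdn" -request "$Wallet\$Fqdn.csr" -pwd $WalletPwd

# 3. Have the CA issue a Web Server certificate from the .csr (out of band) and
#    export the root and the server certificate as Base-64 .cer files (assumed
#    names). Import the trust chain first, then the server certificate.
& orapki wallet add -wallet $Wallet -trusted_cert -cert "$Wallet\root.cer"  -pwd $WalletPwd
& orapki wallet add -wallet $Wallet -user_cert    -cert "$Wallet\$Fqdn.cer" -pwd $WalletPwd
& orapki wallet display -wallet $Wallet -pwd $WalletPwd   # lists the user cert and the trusted root

# 4. Only the service account and Administrators may read the wallet files.
icacls $Wallet /inheritance:r /grant "${ServiceAccount}:(OI)(CI)F" `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# 5. Firewall: inbound 2484/tcp, but only from the CMS host.
New-NetFirewallRule -DisplayName 'Oracle TCPS 2484 from CMS' -Direction Inbound -Protocol TCP `
    -LocalPort 2484 -RemoteAddress $CmsHost -Action Allow | Out-Null

# 6. Restart the listener so it reads the new listener.ora and wallet, then
#    confirm the TCPS endpoint is listed.
& lsnrctl stop
& lsnrctl start
& lsnrctl status | Select-String 'PROTOCOL=tcps'

# 7. Prove the session is on TLS: NETWORK_PROTOCOL is 'tcps' over CMSDBSSL and
#    'tcp' over the plaintext CMSDB alias. The credentials appear on the sqlplus
#    command line, so use a low-privilege account created for this check.
$DbUser = Read-Host -Prompt 'Database user for the check'
$DbPwd  = Read-Host -Prompt 'Password'
$check  = "SET HEADING OFF`nSELECT sys_context('USERENV','NETWORK_PROTOCOL') FROM dual;`nEXIT"
$proto  = (($check | & sqlplus -S "$DbUser/$DbPwd@CMSDBSSL") -join ' ').Trim()
if ($proto -ne 'tcps') { throw "Expected a TLS session over CMSDBSSL, got '$proto'" }
"CMSDBSSL session protocol: $proto"
```

Run it from an elevated PowerShell in the Oracle Home's bin directory (or with that directory on PATH so orapki, lsnrctl and sqlplus resolve). The same orapki sequence builds the ClientWallet on the CMS machine; only the certificate template and the wallet folder change.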

On the ActivID CMS machine, execute the same steps as for the database server, but issue an SSL certificate for client authentication (use, for example, the "CMS Logon for Smartcard Admin" template on the CMS 2012 CA). Note that with SSL_CLIENT_AUTHENTICATION = FALSE on the database server, the listener never requests this certificate; the client wallet is still required because it holds the trusted root certificate used to validate the server certificate.
- Save the wallet in the <Oracle Home>\ClientWallet folder.
- Start Net Manager and configure the SSL configuration to use this wallet.
The sqlnet.ora on the client is shown below. The same caveats as on the server apply to SSL_VERSION = 0 and to the 3DES and CBC/SHA-1 cipher suites. In addition, set SSL_SERVER_DN_MATCH = YES on the client so that the Common Name of the server certificate must match the host name in the connect descriptor; without it, any server certificate issued by the trusted CA is accepted.
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
SSL_VERSION = 0
#TRACE_LEVEL_CLIENT = ADMIN
#TRACE_LEVEL_SERVER = ADMIN
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\client\Administrator\product\12.2.0\client_64\ClientWallet)
    )
  )
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
ADR_BASE = C:\app\client\Administrator\product\12.2.0\client_64\log
- Update the tnsnames.ora file and add a new net service name (connect alias) CMSDBSSL that uses the TCPS protocol on port 2484 (the host name is the database host name):
CMSDB =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = cms50F)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = cmsdb)
    )
  )
CMSDBSSL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = cms50F)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = cmsdb)
    )
  )
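An audit of the TLS settings in the two sqlnet.ora files shown on this page (the server file earlier and the client file just above), as an added example that is not part of the ActivID CMS documentation. It flags SSL_VERSION = 0, the 3DES and CBC/SHA-1 suites, SSL_CLIENT_AUTHENTICATION = FALSE and a missing SSL_SERVER_DN_MATCH, and prints the hardened values; the network\admin paths are assumptions derived from the Oracle Home paths on the page.

```powershell
# Added example (not from the ActivID CMS documentation): audit a sqlnet.ora
# for the weak TLS settings discussed on this page. -Client enables the
# client-only SSL_SERVER_DN_MATCH check.
function Test-SqlnetTls {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Client
    )
    $text     = Get-Content -Path $Path -Raw
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # SSL_VERSION = 0 (or no SSL_VERSION) means "any version": TLS 1.0 and 1.1
    # stay negotiable. Pin 1.2.
    if ($text -match '(?im)^\s*SSL_VERSION\s*=\s*([^\s#]+)') {
        if ($Matches[1] -ne '1.2') {
            $findings.Add("SSL_VERSION = $($Matches[1]) allows any protocol version; set SSL_VERSION = 1.2")
        }
    } else {
        $findings.Add('SSL_VERSION is not set (defaults to any version); set SSL_VERSION = 1.2')
    }

    # Cipher suites: 3DES has a 64-bit block (Sweet32); *_CBC_SHA suites pair
    # CBC with SHA-1 HMAC. Keep the AES-GCM suites only.
    if ($text -match '(?is)SSL_CIPHER_SUITES\s*=\s*\(([^)]*)\)') {
        $suites = ($Matches[1] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($suite in $suites) {
            if     ($suite -match '3DES')       { $findings.Add("$suite uses 3DES; remove it") }
            elseif ($suite -match '_CBC_SHA$')  { $findings.Add("$suite uses CBC with SHA-1; remove it") }
            elseif ($suite -notmatch '_GCM_')   { $findings.Add("$suite is not an AEAD (GCM) suite; prefer the GCM suites") }
        }
    } else {
        $findings.Add('SSL_CIPHER_SUITES is not set; Oracle offers its default list, so pin the suites explicitly')
    }

    # FALSE on the server means the listener never asks for a client certificate,
    # so the CMS client certificate is never verified. Report it so the choice is explicit.
    if ($text -match '(?im)^\s*SSL_CLIENT_AUTHENTICATION\s*=\s*FALSE') {
        $findings.Add('SSL_CLIENT_AUTHENTICATION = FALSE: client certificates are not requested or verified')
    }

    # Client only: without DN matching, any server certificate from the trusted CA
    # is accepted regardless of host name.
    if ($Client -and $text -notmatch '(?im)^\s*SSL_SERVER_DN_MATCH\s*=\s*YES') {
        $findings.Add('SSL_SERVER_DN_MATCH is not YES: server certificate CN is not checked against the host name')
    }
    return ,$findings
}

# Hardened values that answer the findings. The suite names are the GCM suites
# already used on this page; Oracle keeps the SSL_ prefix for its parameters.
$Hardened = @'
SSL_VERSION = 1.2
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_GCM_SHA256)
SSL_SERVER_DN_MATCH = YES        # client sqlnet.ora only
'@

# Assumed locations of the two files from this page.
$targets = @(
    @{ Path = 'C:\app\Administrator\virtual\product\12.2.0\dbhome_1\network\admin\sqlnet.ora'; Client = $false },
    @{ Path = 'C:\app\client\Administrator\product\12.2.0\client_64\network\admin\sqlnet.ora';  Client = $true  }
)
foreach ($t in $targets) {
    if (-not (Test-Path $t.Path)) { continue }
    "== $($t.Path)"
    Test-SqlnetTls -Path $t.Path -Client:$t.Client | ForEach-Object { "  - $_" }
}
"== Recommended settings`n$Hardened"
```

Run on the page's server file, the function reports SSL_VERSION = 0, the 3DES suite, the two CBC/SHA-1 suites and SSL_CLIENT_AUTHENTICATION = FALSE; on the client file it adds the missing SSL_SERVER_DN_MATCH. Apply the recommended lines, restart the listener, and re-run the audit until the only remaining finding is the SSL_CLIENT_AUTHENTICATION choice you made deliberately.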