Monday, January 09, 2017
Setting up Transport Layer Security/Secure Sockets Layer for Managed ODP.NET
[I was chatting with ODP.NET product manager, Alex Keh, and he let me know about some known issues that developers currently face when using managed ODP.NET with Transport Layer Security/Secure Sockets Layer (TLS/SSL) wallets. I asked him for more details and he wrote up the step by step walkthrough you see below. If you have questions about the steps provided below, please post to the ODP.NET OTN forum for assistance. -CS]
Setting up managed ODP.NET Transport Layer Security/Secure Sockets Layer (TLS/SSL) wallets correctly can be tricky for those who don't do it on a regular basis. Managed ODP.NET relies on the Windows security stack for its TLS/SSL handshake, and current versions of Microsoft Windows reject certificates signed with the MD5 hash algorithm. Many existing Oracle wallets contain MD5-signed certificates, because MD5 was the default signing algorithm in the Oracle Public Key Infrastructure (orapki) utility in release 12.1 and earlier.
When you set up TLS/SSL and encounter an "ORA-0052: Failure during SSL handshake" error with error code 0x80004005, a first inner exception of "A SSPI-call failed" and a second inner exception of "A token sent to the function is invalid", it is very likely that the Microsoft Security Support Provider Interface (SSPI) rejected your Oracle wallet during the handshake, typically because a certificate in it was signed with MD5. You can resolve this error by regenerating the wallet with a SHA-2 algorithm (SHA-256, SHA-384 or SHA-512) instead. We'll describe how shortly.
If the second inner exception instead reads "The credentials supplied to the package were not recognized", the user certificate was probably generated without a certificate authority (CA), that is, as a self-signed certificate rather than one issued by a CA. You can resolve this error by using orapki to create a CA (root) certificate and then regenerating your user wallet and certificate so that the user certificate is issued by that CA. The steps below cover this as well.
Orapki refers to orapki.exe. This utility is part of full Oracle Client (Administrator) installations; it is not included with Oracle Instant Client. The utility is only needed to set up the wallet; it does not need to be deployed alongside the wallet.
The steps below regenerate your Oracle wallets using orapki. Any orapki version that accepts the -sign_alg option can be used with these instructions. Replace yourpassword with your own wallet password, and replace the CN values with your own names: yourroot identifies the CA, and clientshostname and servershostname should be the client and server host names. The example commands use -keysize 1024; for production wallets use -keysize 2048 or larger, since 1024-bit RSA keys are no longer considered adequate.
1. Create the root wallet, for example, a CA wallet. This wallet will hold the CA's private key, so keep it off the client and server machines; only the CA certificate exported in step 3 is distributed.
orapki wallet create -wallet ./root -pwd yourpassword
2. Add a self-signed certificate (CA certificate) to the root wallet.
orapki wallet add -wallet ./root -dn 'CN=yourroot' -keysize 1024 -self_signed -validity 3650 -pwd yourpassword -sign_alg sha512
3. Export the self-signed certificate from the wallet.
orapki wallet export -wallet ./root -dn 'CN=yourroot' -cert ./root/b64certificate.txt -pwd yourpassword
4. Create a user wallet, for example, a client wallet. The -auto_login option also creates the cwallet.sso file, which lets the application open the wallet without supplying the password.
orapki wallet create -wallet ./user -pwd yourpassword -auto_login
5. Generate a key pair and certificate request in the user wallet.
orapki wallet add -wallet ./user -dn 'CN=clientshostname' -keysize 1024 -pwd yourpassword -sign_alg sha512
6. Export the certificate request.
orapki wallet export -wallet ./user -dn 'CN=clientshostname' -request ./user/creq.txt -pwd yourpassword
7. Sign the request with the root wallet to create a user certificate issued by the CA.
orapki cert create -wallet ./root -request ./user/creq.txt -cert ./user/cert.txt -validity 3650 -pwd yourpassword -sign_alg sha512
8. Add a trusted certificate (CA certificate) to the wallet. This example assumes the same CA for both the client and server wallets.
orapki wallet add -wallet ./user -trusted_cert -cert ./root/b64certificate.txt -pwd yourpassword
9. Import the CA-issued certificate into the user wallet as its user certificate. The issuing CA's certificate must already be present as a trusted certificate, which is why step 8 comes first.
orapki wallet add -wallet ./user -user_cert -cert ./user/cert.txt -pwd yourpassword -sign_alg sha512
10. Display contents of user wallet.
orapki wallet display -wallet ./user -pwd yourpassword
11. Create a server wallet. As with the user wallet, -auto_login lets the listener and database open the wallet without a password.
orapki wallet create -wallet ./server -pwd yourpassword -auto_login
12. Generate a key pair and certificate request in the server wallet.
orapki wallet add -wallet ./server -dn 'CN=servershostname' -keysize 1024 -pwd yourpassword -sign_alg sha512
13. Export the certificate request.
orapki wallet export -wallet ./server -dn 'CN=servershostname' -request ./server/creq.txt -pwd yourpassword
14. Sign the request with the root wallet to create a server certificate issued by the CA.
orapki cert create -wallet ./root -request ./server/creq.txt -cert ./server/cert.txt -validity 3650 -pwd yourpassword -sign_alg sha512
15. Add a trusted certificate (CA certificate) to the server wallet. This example assumes the same CA for both the client and server wallets.
orapki wallet add -wallet ./server -trusted_cert -cert ./root/b64certificate.txt -pwd yourpassword
16. Import the CA-issued server certificate into the server wallet as its user certificate (the trusted CA certificate from step 15 must already be present).
orapki wallet add -wallet ./server -user_cert -cert ./server/cert.txt -pwd yourpassword -sign_alg sha512
17. Display contents of server wallet.
orapki wallet display -wallet ./server -pwd yourpassword
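Once the three wallets have been built, it is worth confirming that the exported certificates actually have the properties the handshake needs before copying the wallets into place. The script below is an added example for this post, not part of the original walkthrough or of Oracle's tooling: it reads the Base64 certificate files written by the export steps (./root/b64certificate.txt, ./user/cert.txt and ./server/cert.txt) and reports the signature algorithm and whether the certificate is self-signed, flagging the two faults described at the top of the post, an MD5-signed certificate and a user or server certificate that was never issued by the CA. It uses only the Python standard library, so it runs on the client machine without orapki or OpenSSL. The function and file names, the role=path command-line convention and the make_sample_certificate helper are my own; the sample certificates that helper builds carry dummy keys and signatures and exist only so the checker can be exercised without a wallet.

```python
# Added example, not from the original post or from Oracle's tooling: reads the
# Base64 certificates that "orapki wallet export -cert" writes and flags an
# MD5-signed certificate (SSPI rejects it) or a user/server certificate that is
# self-signed instead of issued by the CA wallet. Standard library only.
import base64
import re
import sys

SIG_ALGS = {  # signatureAlgorithm OIDs for the orapki -sign_alg choices
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                     # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                     # long form: n length octets follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def _children(buf, start, end):
    """Yield the TLVs contained in a constructed value (SEQUENCE, SET, [0])."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                   # base-128 arcs, high bit set on all but the last octet
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def pem_to_der(text):
    """Strip PEM armour and whitespace from an orapki export and return DER bytes."""
    return base64.b64decode("".join(re.sub(r"-----[^-]*-----", "", text).split()))

def inspect_certificate(pem_text):
    """Return (signature algorithm name, True if issuer equals subject)."""
    der = pem_to_der(pem_text)
    _, cs, ce = _tlv(der, 0)                        # Certificate ::= SEQUENCE
    tbs, sig_alg, _signature = list(_children(der, cs, ce))
    fields = list(_children(der, tbs[1], tbs[2]))   # TBSCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0            # skip optional [0] version
    issuer, subject = fields[i + 2], fields[i + 4]  # serial, sigalg, issuer, validity, subject
    oid = next(_children(der, sig_alg[1], sig_alg[2]))
    alg = SIG_ALGS.get(_decode_oid(der[oid[1]:oid[2]]), "unknown")
    self_signed = der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]]
    return alg, self_signed

def check_wallet_certificate(pem_text, role):
    """role is 'ca' (self-signed is expected) or 'user'/'server' (must be CA-issued)."""
    alg, self_signed = inspect_certificate(pem_text)
    problems = []
    if alg == "md5WithRSAEncryption":
        problems.append("MD5-signed: Windows SSPI rejects it; regenerate with -sign_alg sha256 or stronger")
    if role != "ca" and self_signed:
        problems.append("self-signed %s certificate: issue it from the CA wallet with 'orapki cert create'" % role)
    return {"algorithm": alg, "self_signed": self_signed, "problems": problems}

# Constructed test data (hypothetical): a structurally valid but unsigned
# certificate with a dummy key, so the checker can be exercised without a wallet.
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))

def make_sample_certificate(subject_cn, issuer_cn, sig_oid):
    def name(cn):  # Name ::= SEQUENCE OF SET OF (type 2.5.4.3 = CN, UTF8String value)
        return _der(0x30, _der(0x31, _der(0x30, _encode_oid("2.5.4.3") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"170109000000Z") + _der(0x17, b"270109000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + validity + name(subject_cn) + _der(0x30, alg + _der(0x03, b"\x00")))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

if __name__ == "__main__":  # usage: python check_wallet_certs.py ca=./root/b64certificate.txt user=./user/cert.txt
    for spec in sys.argv[1:]:
        role, path = spec.split("=", 1)
        print(spec, check_wallet_certificate(open(path).read(), role))
```

Run it as `python check_wallet_certs.py ca=./root/b64certificate.txt user=./user/cert.txt server=./server/cert.txt`; an empty problems list for every file means the certificates have the properties the two SSPI errors above complain about. It checks only those fields, not the cryptographic validity of the chain, and it reports SHA-1 by name without flagging it, so you can still see at a glance whether a wallet was built with -sign_alg sha1 rather than a SHA-2 option.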