Enable SSL Connection on Oracle Database 11.2.0.2 Standard Edition [message #683952] Mon, 08 March 2021 05:11
fuksas2000@yahoo.it
Messages: 3
Registered: March 2021
Junior Member
In my environment, Oracle Database Standard Edition 11.2.0.2 installed on Windows Server 2008R2 64 bit, I cannot set SSL for encryption only.

I've added in listener.ora:
LISTENER = (ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484)))
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path)))
SSL_CLIENT_AUTHENTICATION=FALSE

and in sqlnet.ora:
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path)))
SSL_CLIENT_AUTHENTICATION=FALSE

I reboot the listener and I try to connect using a JDBC string in SQL Developer:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=172.27.2.63)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=T3CONFS3)))
but I receive the following error:
Status : Failure -Test failed: IO Error: Inbound closed before receiving peer's close_notify: possible truncation attack?, connect lapse 2 ms., Authentication lapse 0 ms.

In the listener log.xml I have:

<msg time='2021-03-08T11:26:48.000+00:00' org_id='oracle' comp_id='tnslsnr'
type='UNKNOWN' level='16' host_id='S3'
host_addr='fe80::39b0:60e4:ff3d:e26d%26'>
<txt>TNS-12560: TNS:protocol adapter error
TNS-00540: SSL protocol adapter failure

Can someone help me?
Thanks
Re: Enable SSL Connection on Oracle Database 11.2.0.2 Standard Edition [message #683953 is a reply to message #683952] Mon, 08 March 2021 10:20
John Watson
Messages: 8595
Registered: January 2010
Location: Global Village
Senior Member
Welcome to the forum.
Please read the OraFAQ Forum Guide and How to use [code] tags and make your code easier to read.

Your directory path looks like something one would use on Unix, rather than Windows. Is it correct?

Can you post the output of
lsnrctl status
be sure to enclose it within [/code] and [code] tags

[Updated on: Mon, 08 March 2021 10:21]


Re: Enable SSL Connection on Oracle Database 11.2.0.2 Standard Edition [message #683957 is a reply to message #683953] Tue, 09 March 2021 01:22
fuksas2000@yahoo.it
Messages: 3
Registered: March 2021
Junior Member
Sorry,
my environment is Windows and my listener.ora and sqlnet.ora are:


# listener.ora Network Configuration File: C:\app\Administrator\product\11.2.0\dbhome_1\NETWORK\ADMIN\listener.ora
# Generated by Oracle configuration tools.

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = C:\app\Administrator\product\11.2.0\dbhome_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:C:\app\Administrator\product\11.2.0\dbhome_1\bin\oraclr11.dll")
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\Administrator\product\11.2.0\dbhome_1\BIN\owm\wallets\Administrator)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.27.2.64)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.27.2.64)(PORT = 2484))
    )
  )

ADR_BASE_LISTENER = C:\app\Administrator


# sqlnet.ora Network Configuration File: C:\app\Administrator\product\11.2.0\dbhome_1\NETWORK\ADMIN\sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to 
# install "Software Only", this file wont exist and without the native 
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)

SSL_VERSION = 0

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\Administrator\product\11.2.0\dbhome_1\BIN\owm\wallets\Administrator)
    )
  )

SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)

ADR_BASE = C:\app\Administrator\product\11.2.0\dbhome_1\log

the output of lsnrctl status is:


C:\Users\Administrator>lsnrctl status

LSNRCTL for 64-bit Windows: Version 11.2.0.2.0 - Production on 09-MAR-2021 08:02:21

Copyright (c) 1991, 2010, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for 64-bit Windows: Version 11.2.0.2.0 - Production
Start Date                08-MAR-2021 16:43:11
Uptime                    0 days 15 hr. 19 min. 12 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   C:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Listener Log File         C:\app\Administrator\diag\tnslsnr\Sito4\listener\alert\log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.27.2.64)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=172.27.2.64)(PORT=2484)))
Services Summary...
Service "CLRExtProc" has 1 instance(s).
  Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "T3CONFS4XDB" has 1 instance(s).
  Instance "t3confs4", status READY, has 1 handler(s) for this service...
Service "t3confs4" has 1 instance(s).
  Instance "t3confs4", status READY, has 1 handler(s) for this service...
The command completed successfully

C:\Users\Administrator>

I've created a wallet only on the server and generated an SSO certificate only on the server.
Then I try to connect from the client with my Java app using the string:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=172.27.2.64)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=T3CONFS4)))
and I have the following error:


trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1615277692 bytes = { 119, 53, 142, 57, 164, 164, 91, 168, 176, 6, 181, 229, 9, 226, 213, 174, 52, 44, 90, 134, 17, 185, 12, 212, 187, 122, 169, 155 }
Session ID:  {}
Cipher Suites: [SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
***
[write] MD5 and SHA1 hashes:  len = 54
0000: 01 00 00 32 03 01 60 47   2E 7C 77 35 8E 39 A4 A4  ...2..`G..w5.9..
0010: 5B A8 B0 06 B5 E5 09 E2   D5 AE 34 2C 5A 86 11 B9  [.........4,Z...
0020: 0C D4 BB 7A A9 9B 00 00   04 00 1B 00 1A 01 00 00  ...z............
0030: 05 FF 01 00 01 00                                  ......
AWT-EventQueue-0, WRITE: TLSv1 Handshake, length = 54
[Raw write]: length = 59
0000: 16 03 01 00 36 01 00 00   32 03 01 60 47 2E 7C 77  ....6...2..`G..w
0010: 35 8E 39 A4 A4 5B A8 B0   06 B5 E5 09 E2 D5 AE 34  5.9..[.........4
0020: 2C 5A 86 11 B9 0C D4 BB   7A A9 9B 00 00 04 00 1B  ,Z......z.......
0030: 00 1A 01 00 00 05 FF 01   00 01 00                 ...........
AWT-EventQueue-0, received EOFException: error
AWT-EventQueue-0, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
AWT-EventQueue-0, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
AWT-EventQueue-0, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 28                               ......(
AWT-EventQueue-0, called closeSocket()
AWT-EventQueue-0, called close()
AWT-EventQueue-0, called closeInternal(true)

The listener trace gives me this error:

TNS-12560: TNS:protocol adapter error
 TNS-00540: SSL protocol adapter failure
Can you help me?
Does Database 11.2.0.2 Standard Edition have support for SSL?

Thanks



[Updated on: Tue, 09 March 2021 01:25]
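
The ClientHello in the trace above can be decoded to confirm exactly what the client put on the wire. This is an added example, not part of the original posts: it parses the "[Raw write]: length = 59" dump and reports the protocol version and the cipher suites offered. The function names and the partial suite table are assumptions of this example.

```python
import struct

# Bytes copied from the "[Raw write]: length = 59" dump in the trace above.
RAW_WRITE = """\
0000: 16 03 01 00 36 01 00 00   32 03 01 60 47 2E 7C 77  ....6...2..`G..w
0010: 35 8E 39 A4 A4 5B A8 B0   06 B5 E5 09 E2 D5 AE 34  5.9..[.........4
0020: 2C 5A 86 11 B9 0C D4 BB   7A A9 9B 00 00 04 00 1B  ,Z......z.......
0030: 00 1A 01 00 00 05 FF 01   00 01 00                 ...........
"""
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# IANA code points, shown with the SSL_ prefix used on this page (partial table).
SUITES = {0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA", 0x0018: "SSL_DH_anon_WITH_RC4_128_MD5",
          0x001A: "SSL_DH_anon_WITH_DES_CBC_SHA", 0x001B: "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
          0x002F: "SSL_RSA_WITH_AES_128_CBC_SHA"}
ANON = set(range(0x0017, 0x001C))   # DH_anon suites: no certificate, no server authentication

def dump_to_bytes(dump):
    """Turn JSSE debug hex-dump lines into bytes, ignoring offset and ASCII columns."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.partition(":")[2].split()[:16]:
            if len(tok) != 2:
                break               # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def parse_client_hello(rec):
    """Parse one TLS record holding a ClientHello; return versions and suite codes."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", rec, 0)
    if ctype != 0x16 or rec[5] != 0x01 or rec_len != len(rec) - 5:
        raise ValueError("not a single complete ClientHello record")
    (hello_ver,) = struct.unpack_from("!H", rec, 9)
    pos = 11 + 32                   # record(5) + handshake header(4) + version(2), then random
    pos += 1 + rec[pos]             # session_id length byte and body
    (cs_len,) = struct.unpack_from("!H", rec, pos)
    suites = [struct.unpack_from("!H", rec, pos + 2 + i)[0] for i in range(0, cs_len, 2)]
    return {"record_version": rec_ver, "hello_version": hello_ver, "suites": suites}

def assess(hello):
    """Name the offered suites and flag a hello that offers only anonymous key exchange."""
    codes = hello["suites"]
    return {"version": VERSIONS.get(hello["hello_version"], "unknown"),
            "offered": [SUITES.get(c, "0x%04X" % c) for c in codes],
            "anonymous_only": bool(codes) and all(c in ANON for c in codes)}

if __name__ == "__main__":
    print(assess(parse_client_hello(dump_to_bytes(RAW_WRITE))))
```

The decoded hello offers only the two DH_anon suites, matching the "Cipher Suites:" line of the trace. With anonymous suites the server presents no certificate, so the channel is encrypted but the client cannot authenticate the server.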


Re: Enable SSL Connection on Oracle Database 11.2.0.2 Standard Edition [message #683958 is a reply to message #683957] Tue, 09 March 2021 03:20
John Watson
Messages: 8595
Registered: January 2010
Location: Global Village
Senior Member
You could start by simplifying everything. Remove all the SSL_% parameters, and use SQL*Plus (not Java). If that works, great! If it doesn't, you should get much better error messages, and can then enable SQL*Net tracing for both client and server.

As for whether SSL works with SE2, if I remember correctly (I could be wrong) it was only ever a licensing thing: any sort of encryption required EE licences until 12.x, when that restriction was removed for all editions and releases.
Re: Enable SSL Connection on Oracle Database 11.2.0.2 Standard Edition [message #683961 is a reply to message #683958] Wed, 10 March 2021 02:42
fuksas2000@yahoo.it
Messages: 3
Registered: March 2021
Junior Member
Thanks for your answer.
But I don't understand whether I need to create a wallet and SSO certificate on both the server and the client, or whether I need a certificate only on the server.
Does someone have a step-by-step guide to connect a Java application to an Oracle DB using SSL and the JDBC thin client?
Thanks

[Updated on: Wed, 10 March 2021 02:45]
