Using OAS SSL network encryption for securing data in motion

Oracle also lets you use SSL-based encrypted transmission between clients and servers. In this recipe we will introduce Oracle wallets. As its name suggests, an Oracle wallet is a container that can hold certificates, keys, and passwords. These are used primarily for network security operations and in implementing transparent data encryption, a subject that we will cover in Chapter 3, Securing Data at Rest.

Getting ready

In this recipe we will use nodeorcl1 and nodeorcl5.

How to do it...

In this recipe we will introduce Oracle wallets created and managed with the orapki utility.

  1. As the root user, create the directories for the wallets on the nodeorcl1 and nodeorcl5 hosts and assign them to the oracle user (on nodeorcl1) and the oraclient user (on nodeorcl5):

    [root@nodeorcl1 ~]# mkdir -p /security/wallets/ssl
    [root@nodeorcl1 ~]# chown -R oracle:oinstall /security/wallets/ssl
    
    [root@nodeorcl5 ~]# mkdir -p /security/wallets/ssl
    [root@nodeorcl5 ~]# chown oraclient:oinstall /security/wallets/ssl
    
  2. Connected as the oracle user on nodeorcl1 and as the oraclient user on nodeorcl5, create an auto-login wallet in the /security/wallets/ssl directory on each host as follows:

    [oracle@nodeorcl1 ssl]$ orapki wallet create -wallet /security/wallets/ssl -pwd rio71^klPO -auto_login
    Oracle PKI Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
    [oracle@nodeorcl1 ssl]$ 
     
    [oraclient@nodeorcl5 ~]$ orapki wallet create -wallet /security/wallets/ssl -pwd Tio70/1?klPO -auto_login
    Oracle PKI Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
    [oraclient@nodeorcl5 ~]$
    
  3. Generate a certificate and self-sign the wallet on nodeorcl1 as follows:

    [oracle@nodeorcl1 ssl]$ orapki wallet add -wallet /security/wallets/ssl -dn "CN=PacktPub_S" -keysize 2048 -self_signed -validity 1300 -pwd rio71^klPO
    Oracle PKI Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
    [oracle@nodeorcl1 ssl]$ 
    
  4. Next, generate a certificate and self-sign the wallet on nodeorcl5 as follows:

    [oraclient@nodeorcl5 ~]$ orapki wallet add -wallet /security/wallets/ssl -dn "CN=PacktPub_C" -keysize 2048 -self_signed -validity 1300 -pwd Tio70/1?klPO
    Oracle PKI Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
    [oraclient@nodeorcl5 ~]$
    
  5. Next, export the self-signed certificate on nodeorcl1 to nodeorcl1_server_ca.cert file as follows:

    [oracle@nodeorcl1 ssl]$ orapki wallet export -wallet /security/wallets/ssl -dn "CN=PacktPub_S" -cert /security/wallets/ssl/nodeorcl1_server_ca.cert
    Oracle PKI Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
  6. Export the self-signed certificate on nodeorcl5 to nodeorcl5_client_ca.cert as follows:

    [oraclient@nodeorcl5 ~]$ orapki wallet export -wallet /security/wallets/ssl -dn "CN=PacktPub_C" -cert /security/wallets/ssl/nodeorcl5_client_ca.cert
    Oracle PKI Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
  7. Copy the certificate file nodeorcl1_server_ca.cert to nodeorcl5 in the same directory:

    [oracle@nodeorcl1 ssl]$ scp nodeorcl1_server_ca.cert oraclient@nodeorcl5:/security/wallets/ssl
    oraclient@nodeorcl5's password: 
    nodeorcl1_server_ca.cert    100%  965     0.9KB/s   00:00
    [oracle@nodeorcl1 ssl]$ 
    
  8. Copy the certificate file nodeorcl5_client_ca.cert to nodeorcl1 in the same directory:

    [oraclient@nodeorcl5 ~]$ scp /security/wallets/ssl/nodeorcl5_client_ca.cert oracle@nodeorcl1:/security/wallets/ssl
    oracle@nodeorcl1's password:
    nodeorcl5_client_ca.cert    100%  965     0.9KB/s   00:00
    [oraclient@nodeorcl5 ~]$
    
  9. Next, import the client root certificate into the server wallet as follows:

    [oracle@nodeorcl1 ssl]$ orapki wallet add -wallet /security/wallets/ssl  -trusted_cert -cert /security/wallets/ssl/nodeorcl5_client_ca.cert -pwd rio71^klPO
    Oracle PKI Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
    [oracle@nodeorcl1 ssl]$
    
  10. Next, we want to check that the client root certificate was imported into the server wallet. Display the server wallet's properties as follows:

    [oracle@nodeorcl1 ssl]$ orapki wallet display -wallet /security/wallets/ssl
    Oracle PKI Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
    Requested Certificates: 
    User Certificates:
    Subject:        CN=PacktPub_S
    Trusted Certificates: 
    Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
    Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
    Subject:        CN=PacktPub_C
    Subject:        CN=PacktPub_S
    Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    [oracle@nodeorcl1 ssl]$ 
    
  11. Similarly import the server root certificate into the client wallet as follows:

    [oraclient@nodeorcl5 ~]$ orapki wallet add -wallet /security/wallets/ssl  -trusted_cert -cert /security/wallets/ssl/nodeorcl1_server_ca.cert -pwd Tio70/1?klPO
    Oracle PKI Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
    [oraclient@nodeorcl5 ~]$ 
    
  12. Check that the server root certificate was imported into the client wallet. Display the client wallet's properties as follows:

    [oraclient@nodeorcl5 ~]$ orapki wallet display -wallet /security/wallets/ssl
    Oracle PKI Tool : Version 11.2.0.3.0 - Production
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    
    Requested Certificates:
    User Certificates:
    Subject:        CN=PacktPub_C
    Trusted Certificates:
    Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
    Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
    Subject:        CN=PacktPub_C
    Subject:        CN=PacktPub_S
    Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    [oraclient@nodeorcl5 ~]$
    
  13. On the server side, configure the listener to accept SSL connections as follows:

    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = nodeorcl1)(PORT = 1521))
        )
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
        )
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = nodeorcl1)(PORT = 28900))
        )
      )
    
  14. Bounce the listener:

    [oracle@nodeorcl1 ~]$ lsnrctl stop; lsnrctl start
    LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 14-AUG-2012 19:36:19
    
  15. To specify the wallet location, add the following lines in $ORACLE_HOME/network/admin/sqlnet.ora on the server and on the client:

    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /security/wallets/ssl)
        )
      )
    
  16. Next, configure the cipher suites by adding the following line to $ORACLE_HOME/network/admin/sqlnet.ora on the server and on the client:

    SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
    
  17. On the client, create a network service HACKDB_SSL as follows:

    HACKDB_SSL =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = nodeorcl1)(PORT = 28900))
        )
        (CONNECT_DATA =
          (SERVICE_NAME = HACKDB)
        )
      )
    
  18. If native network encryption is configured between the client and the server, turn it off by setting SQLNET.ENCRYPTION_SERVER to rejected in sqlnet.ora on the server side. Otherwise you will get the ORA-12696: Double Encryption Turned On, login disallowed error.

    SQLNET.ENCRYPTION_SERVER = rejected
    
  19. Finally, test the connection:

    [oraclient@nodeorcl5 ~]$ sqlplus system@HACKDB_SSL
    
    SQL*Plus: Release 11.2.0.3.0 Production on Sun Aug 19 16:51:42 2012
    
    Copyright (c) 1982, 2011, Oracle.  All rights reserved.
    
    Enter password:
    
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
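The following script is an added example (not part of the book's recipe) that checks the server-side files produced by steps 13 to 18 for the settings this recipe depends on: a TCPS listener address, a WALLET_LOCATION pointing at the wallet directory, an explicit SSL_CIPHER_SUITES list, and SQLNET.ENCRYPTION_SERVER set to rejected so that ORA-12696 does not occur. The sqlnet.ora and listener.ora contents it creates are constructed samples; the file paths and wallet directory are parameters.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check the SSL settings from
# steps 13-18. Sample sqlnet.ora / listener.ora contents are constructed.

# check_ssl_config SQLNET_ORA LISTENER_ORA WALLET_DIR
# Prints one line per finding and returns the number of findings (0 = pass).
check_ssl_config() {
    sqlnet=$1; listener=$2; wallet=$3; findings=0
    # Step 13: the listener must expose a TCPS endpoint.
    grep -q 'PROTOCOL *= *TCPS' "$listener" || {
        echo "listener.ora: no TCPS address configured"; findings=$((findings+1)); }
    # Step 15: WALLET_LOCATION must reference the wallet directory.
    grep -q "DIRECTORY *= *$wallet" "$sqlnet" || {
        echo "sqlnet.ora: WALLET_LOCATION does not point at $wallet"; findings=$((findings+1)); }
    # Step 16: cipher suites must be pinned explicitly.
    grep -q '^ *SSL_CIPHER_SUITES *=' "$sqlnet" || {
        echo "sqlnet.ora: SSL_CIPHER_SUITES not set"; findings=$((findings+1)); }
    # Step 18: native encryption must be rejected, otherwise ORA-12696.
    grep -qi '^ *SQLNET\.ENCRYPTION_SERVER *= *rejected' "$sqlnet" || {
        echo "sqlnet.ora: SQLNET.ENCRYPTION_SERVER is not 'rejected' (ORA-12696 risk)"; findings=$((findings+1)); }
    return $findings
}

# Constructed sample files: one listener.ora, a correct sqlnet.ora, and a
# sqlnet.ora that still has native encryption on and no cipher suite list.
WORK=$(mktemp -d)
LISTENER_ORA=$WORK/listener.ora
GOOD_SQLNET=$WORK/sqlnet_good.ora
BAD_SQLNET=$WORK/sqlnet_bad.ora
cat >"$LISTENER_ORA" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = nodeorcl1)(PORT = 1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = nodeorcl1)(PORT = 28900)))
  )
EOF
cat >"$GOOD_SQLNET" <<'EOF'
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /security/wallets/ssl)))
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SQLNET.ENCRYPTION_SERVER = rejected
EOF
cat >"$BAD_SQLNET" <<'EOF'
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /security/wallets/ssl)))
SQLNET.ENCRYPTION_SERVER = required
EOF

check_ssl_config "$GOOD_SQLNET" "$LISTENER_ORA" /security/wallets/ssl && echo "good config: OK"
check_ssl_config "$BAD_SQLNET" "$LISTENER_ORA" /security/wallets/ssl || echo "bad config: $? finding(s)"
```

Run it against the real $ORACLE_HOME/network/admin files by passing their paths to check_ssl_config instead of the constructed samples.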

How it works...

Self-signed certificates fit well inside an organization. If you want to expose SSL externally on the Internet, then you must use certificates signed by a Certificate Authority (CA).

SSL relies on a public key exchange performed during the handshake. Briefly, the steps performed during the handshake are as follows:

  • The client and the server negotiate which cipher suite to use.

  • The server sends its certificate, and the client verifies its authenticity (signed by a Certificate Authority or self-signed). If client authentication is required, then the client sends its own certificate, and the server verifies its authenticity.

  • The client and the server exchange keys using public key cryptography, and each generates a session key that is used subsequently for data encryption with the cipher suite negotiated in the first step.

There's more...

Use SSL when other network encryption is not possible. SSL is considerably slower than OAS encryption using symmetric keys and than IPSEC, which is covered in the next recipe.