Thursday, February 16, 2006

Security, yup! No really!

I hardly dare to start again....
I began by checking the configuration and re-testing the things that used to work; you never know, these days, with these gremlins.
And sure enough:

D:\>tnsping o1003
TNS Ping Utility for 32-bit Windows: Version 10.1.0.4.0 - Production on 16-FEB-2006 15:36:29
Copyright (c) 1997, 2003, Oracle. All rights reserved.

Used parameter files:
D:\oracle\ora92\network\ADMIN\sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.1.199)(PORT = 2484))) (CONNECT_DATA = (SERVICE_NAME = o10gR1))
( SECURITY = (SSL_SERVER_CERT_DN = cn=o10gR1,cn=OracleContext,dc=cs,dc=nl)))
TNS-12560: TNS:protocol adapter error

So, what is wrong here? That used to work!
The same goes for the next test, which also used to work:

D:\>sqlplus system@o10ssl
SQL*Plus: Release 10.1.0.4.0 - Production on Thu Feb 16 15:35:44 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.

Enter password:
ERROR:
ORA-28759: failure to open file

Okay - I know that one: the wallet is not set for autologin. Fired up the wallet manager and enabled autologin; the error is now more like what I expected:


ORA-29003: SSL transport detected mismatched server certificate.

Okay - I know that one, too: change SSL_SERVER_DN_MATCH in SQLNET.ORA from YES to NO, and you're done! And in fact, I already hinted that this would be a problem. Be aware of what that setting does: with NO, the client still requires a server certificate that chains to a trusted certificate in its wallet, but it no longer checks whose certificate that is, so any server holding a certificate from the same CA would be accepted.
So, I am going to continue this without the server authentication (which, as you can see, works! Or rather, fails, and thus proves to work).
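For reference, this is what the client side looks like in both states, as an added example and not the author's actual files. The wallet directory and the corrected server DN are assumptions: the tnsnames entry above expects cn=o10gR1,cn=OracleContext,dc=cs,dc=nl, and the post does not show what the server certificate's subject actually is, so that value is left as a placeholder.

```text
# sqlnet.ora (client) -- added example, not the post's own file

# Use SSL (TCPS) as an authentication service, so that "connect /" can map
# the client certificate DN to a database user.
SQLNET.AUTHENTICATION_SERVICES = (TCPS)

# Wallet with the client certificate, its private key and the trusted CA.
# Directory is an assumption. The autologin file (cwallet.sso) must exist
# here, otherwise the client fails with ORA-28759.
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
            (METHOD_DATA = (DIRECTORY = D:\oracle\wallets\client)))

# Workaround used in the post: stop checking whose certificate the server
# presents. Any server with a certificate issued by a CA in the wallet is
# then accepted, so this removes server authentication.
# SSL_SERVER_DN_MATCH = NO

# Preferred: keep the check and fix the expected DN in tnsnames.ora instead.
SSL_SERVER_DN_MATCH = YES


# tnsnames.ora (client)
# SSL_SERVER_CERT_DN must be exactly the subject DN of the certificate the
# listener presents. Read it on the server with
#   orapki wallet display -wallet <server wallet directory>
# and paste it here; the DN below is a placeholder for that value.
o1003 =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.1.199)(PORT = 2484)))
    (CONNECT_DATA = (SERVICE_NAME = o10gR1))
    (SECURITY = (SSL_SERVER_CERT_DN = "<subject DN of the server certificate>")))
```

With SSL_SERVER_DN_MATCH = YES and the correct DN, the ORA-29003 above goes away for the right reason: the client is now talking to the server it expected, rather than to anything the CA ever signed.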
Let's create a demo user on the server:

[oracle10@csdb01 admin]$ sqlplus system/manager
SQL*Plus: Release 10.1.0.4.0 - Production on Thu Feb 16 16:43:10 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> create user certdemo identified externally as 'CN=frankbo, O=CarrotSoft, C=NL';
User created.

SQL> grant create session to certdemo;
Grant succeeded.

SQL>


Okay, let's see if I can login from my (Windows) client:

D:\>sqlplus /nolog
SQL*Plus: Release 10.1.0.4.0 - Production on Thu Feb 16 15:56:39 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.

SQL> connect / @o1003
ERROR:
ORA-01017: invalid username/password; logon denied

Hmmmm. This seems to be a mismatch between globally and externally identified users: the IDENTIFIED EXTERNALLY AS 'DN' syntax I used is the 10g Release 2 form, and this server is 10.1.0.4. Thanks to Fabrizio, who hinted at that here.

So, let's redo this on the server, with the certificate DN mapped via IDENTIFIED GLOBALLY:

SQL> drop user certdemo cascade;
User dropped.

SQL> create user certdemo identified globally as 'CN=frankbo, O=CarrotSoft, C=NL';
User created.

SQL> grant create session to certdemo;
Grant succeeded.


And try the client again:

SQL> connect /@o1003
Connected.
SQL> show user
USER is "CERTDEMO"
SQL>
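Two checks I would add at this point, as an added example rather than part of the original session: on the server, confirm that the certificate DN is really stored against the user and that the user has no password of its own; and from the certificate session itself, confirm that it came in over TCPS and was authenticated by SSL rather than by a password. The expected values in the comments are what I would expect from this setup, not output taken from the post.

```sql
-- Added example, not part of the original post.

-- 1. As a DBA on the server: is the certificate DN recorded for the user,
--    and is the account password-less? For a user created with
--    IDENTIFIED GLOBALLY AS '...', EXTERNAL_NAME holds the DN (it has to
--    match the client certificate's subject exactly) and PASSWORD shows
--    'GLOBAL' instead of a password hash.
SELECT username, password, external_name
  FROM dba_users
 WHERE username = 'CERTDEMO';

-- 2. From the session opened with "connect /@o1003": how did we get in?
--    NETWORK_PROTOCOL should be 'tcps' (not 'tcp'),
--    AUTHENTICATION_METHOD should be 'SSL' (not 'PASSWORD'),
--    AUTHENTICATED_IDENTITY should be the certificate DN.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS usr,
       SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL')       AS protocol,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS auth_method,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS auth_identity
  FROM dual;
```

If the second query reports 'tcp' or 'PASSWORD', the alias or the sqlnet.ora being picked up is not the one you think it is (the tnsping output earlier in this post shows which parameter file is actually used), and the "Connected." line proves much less than it appears to.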


So, finally, I'm able to say: finally!
