I use Oracle 18C pl sql script.
I would like to make https requests.
So, i begin with http requests and it works. But, with https requests, i have an error : "Certificate validation failure".
I will explain below how I proceed in order to reach "https://www.ibm.com" for example.
I create a wallet using this powershell script :
Get-ChildItem -Path Z:\Documents\dev\plsql_http_request\wallets -Include *.* -File -Recurse | foreach { $_.Delete()}
orapki wallet create -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000 -auto_login
orapki wallet add -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000 -trusted_cert -cert 'Z:\Documents\dev\plsql_http_request\certificates\ibm-1-root.pem'
orapki wallet add -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000 -trusted_cert -cert 'Z:\Documents\dev\plsql_http_request\certificates\ibm-2-intermediate.pem'
orapki wallet add -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000 -trusted_cert -cert 'Z:\Documents\dev\plsql_http_request\certificates\ibm-3-user.pem'
orapki wallet display -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000
Certificates are in PEM base64 format.
I have this output from this command orapki wallet display -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000 :
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=www.ibm.com,O=International Business Machines Corporation,L=Armonk,ST=NEW YORK,C=US
Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Subject: CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
Then, I modify rights of the wallet file : file permissions
Then, i execute this pl/sql script :
set serveroutput on size 30000;
declare
v_req utl_http.req;
v_res utl_http.resp;
v_buffer varchar2(4000);
begin
UTL_HTTP.set_detailed_excp_support ( TRUE );
utl_http.set_wallet('file:Z:\Documents\dev\plsql_http_request\wallets\','iciC29000');
v_req := utl_http.begin_request('https://www.ibm.com');
v_res := utl_http.get_response(v_req);
utl_http.read_text(v_res, v_buffer, NULL);
utl_http.end_response(v_res);
dbms_output.put_line(v_res.status_code);
dbms_output.put_line(v_res.reason_phrase);
dbms_output.put_line(v_buffer);
end;
And now, i'm stucked with these errors :
Error report -
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1148
ORA-06512: at line 15
29024. 00000 - "Certificate validation failure"
*Cause: The certificate sent by the other side could not be validated. This may occur if
the certificate has expired, has been revoked, or is invalid for another reason.
*Action: Check the certificate to determine whether it is valid. Obtain a new certificate,
alert the sender that the certificate has failed, or resend.
Thanks a lot for your help.
Related
I have been struggling with this for quite a while now, and I can't get it to work.
Here is the setup:
I have a nginx webserver serving a django app at mywebapp.k8s.dal1.mycompany.io
It has the SPNEGO plugin compiled in and I have the following endpoint in my config:
location /ad-login {
uwsgi_pass django;
include /usr/lib/mycompany/lib/wsgi/uwsgi_params;
auth_gss on;
auth_gss_realm BURNERDEV1.DAL1.MYCOMPANY.IO;
auth_gss_service_name HTTP/mywebapp.k8s.dal1.mycompany.io;
auth_gss_allow_basic_fallback off;
}
My AD Domain controller is at burnerdev1.dal1.mycompany.io and I have the following users configured:
rep_movsd
portal
I run the following commands on the DC server in an Admin prompt:
ktpass -out krb5.keytab -mapUser portal#BURNERDEV1.DAL1.MYCOMPANY.IO +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO
setspn -A HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO portal
C:\Users\myself\Documents\keytab>ktpass -out krb5.keytab -mapUser portal#BURNERDEV1.DAL1.MYCOMPANY.IO +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO
Targeting domain controller: dal1devdc1.burnerdev1.dal1.mycompany.io
Using legacy password setting method
Failed to set property 'servicePrincipalName' to 'HTTP/mywebapp.k8s.dal1.mycompany.io' on Dn 'CN=portal,CN=Users,DC=burnerdev1,DC=dal1,
DC=mycompany,DC=io': 0x13.
WARNING: Unable to set SPN mapping data.
If portal already has an SPN mapping installed for HTTP/mywebapp.k8s.dal1.mycompany.io, this is no cause for concern.
Building salt with principalname HTTP/mywebapp.k8s.dal1.mycompany.io and domain BURNERDEV1.DAL1.MYCOMPANY.IO (encryption type 18)...
Hashing password with salt "BURNERDEV1.DAL1.MYCOMPANY.IOHTTPmywebapp.k8s.dal1.mycompany.io".
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 110 HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) k
eylength 32 (0x632d9ca3356374e9de490ec2f7718f9fb652b20da40bd212a808db4c46a72bc5)
C:\Users\myself\Documents\keytab>setspn -A HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO portal
Checking domain DC=burnerdev1,DC=dal1,DC=mycompany,DC=io
Registering ServicePrincipalNames for CN=portal,CN=Users,DC=burnerdev1,DC=dal1,DC=mycompany,DC=io
HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO
Updated object
C:\Users\myself\Documents\keytab>
Now in the "Active Directory Users and Computers" section, I rightclicked the user and selected "Properties"
Then on the "Delegation" tab I set "Trust this user for delegation to any service (Kerberos only)"
Next I copy the krb5.keytab file to my webserver and restart the nginx container
On the Windows workstation which is part of the domain, I log on as rep_movsd - when I run klist:
C:\Users\rep_movsd>klist
Current LogonId is 0:0x208d7
Cached Tickets: (2)
#0> Client: rep_movsd # BURNERDEV1.DAL1.MYCOMPANY.IO
Server: krbtgt/BURNERDEV1.DAL1.MYCOMPANY.IO # BURNERDEV1.DAL1.MYCOMPANY.IO
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 7/16/2020 2:05:51 (local)
End Time: 7/16/2020 12:05:51 (local)
Renew Time: 7/23/2020 2:05:51 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: rep_movsd # BURNERDEV1.DAL1.MYCOMPANY.IO
Server: HTTP/mywebapp.k8s.dal1.mycompany.io # BURNERDEV1.DAL1.MYCOMPANY.IO
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 7/16/2020 2:06:01 (local)
End Time: 7/16/2020 12:05:51 (local)
Renew Time: 7/23/2020 2:05:51 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
I setup Firefox to do SPENGO authentication
Then I hit mywebapp.k8s.dal1.mycompany.io/ad-login and I get a 403 Forbidden error
The nginx server debug log shows:
[debug] 16#16: *195 Client sent a reasonable Negotiate header
[debug] 16#16: *195 GSSAPI authorizing
[debug] 16#16: *195 Use keytab /etc/krb5.keytab
[debug] 16#16: *195 Using service principal: HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO
[debug] 16#16: *195 my_gss_name HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO
[debug] 16#16: *195 gss_accept_sec_context() failed: Cannot decrypt ticket for HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO using keytab key for HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO:
[debug] 16#16: *195 GSSAPI failed
[debug] 16#16: *195 http finalize request: 403, "/ad-login?" a:1, c:1
[debug] 16#16: *195 http special response: 403, "/ad-login?"
[debug] 16#16: *195 http set discard body
[debug] 16#16: *195 charset: "" > "utf-8"
[debug] 16#16: *195 HTTP/1.1 403 Forbidden
BTW while messing around earlier - I found that if I had set a fixed password for the "portal" user with ktpass and logged in as that account on the workstation, the login would succeed.
I was under the mistaken impression that I'd need to create a new keytab for every user and combine all of them.
Any help is greatly appreciated - I read so many conflicting docs its only confused me further and I've been losing sleep over this.
Thanks in advance!
I've read your problem statement carefully, and I think if you follow the steps I wrote below the issue will be solved.
On the DC server where you are creating the keytab, (1) UAC must be temporarily disabled. (2) The user creating the keytab must be a member of the Domain Admins group.
Ensure the SPN is not a duplicate, then remove the SPN from the Active Directory user account portal. This must be done before creating a new keytab using the same SPN against the same account. The below command is a one-liner, word-wrapping makes it look like two lines.
setspn -d HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO portal
Re-create the keytab again exactly as you did before.
You do not need to run the command setspn -A HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO portal because SPN was already set on the Active Directory user account by the ktpass command in step 3.
Replace the old keytab with the new keytab.
Restart the nginx webserver service.
Clear browser cache AND clear Kerberos case (klist purge).
Try it again.
You must do all these steps including the final step 7. Do not skip any.
You service account is named portal. A hash of this password is stored in both Active Directory and the keytab. Same hash is in both locations. The keytab on the nginix server is utilized to decrypt the inbound Kerberos service tickets to determine who the user is attempting to access the web app. More specifically, the GSS authentication does all the work, it uses the keytab to un-scramble the encrypted service tickets. The user rep_movsd does not have the service account credentials. It is part of the Active Directory domain, and when accessing the nginix web server, it gets it's own Kerberos service ticket and its identity is proven to the web server by simply being in possession of a service ticket that is decrypted by the keytab. If it wasn't part of the BURNERDEV1.DAL1.MYCOMPANY.IO domain, or had an expired password, or was a disabled account, it would not be able to get a service ticket and thus not prove its identity and fail authentication.
If you have time, please see my TechNet Wiki article on keytab creation and the logic behind it to help you better understand this complex subject.
I migrated API manager to 2.1.0 version and i receive the following error.I used the same certificate which i used for identity server and its supposed to work.How can I find out what is causing this issue?Which file can i check?
[2018-05-08 04:46:50,601] WARN - FileSystemPreferences Could not lock System prefs. Unix error code 1.
[2018-05-08 04:46:50,601] WARN - FileSystemPreferences Couldn't flush system prefs: java.util.prefs.BackingStoreException: Couldn't get file lock.
[2018-05-08 04:47:04,287] INFO - PermissionUpdater Permission cache updated for tenant -1234
[2018-05-08 04:47:09,272] ERROR - BinaryDataReceiver Error while reading from the socket.
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
I am using custom jks called mycert.jks... I am replacing the wso2carbon.jks with mycert.jks in all the places where keystore name is used... May be there is some place which i shouldnt change or i should change?
Received fatal alert: certificate_unknown This should be be due to API Manager server couldn't verify the received certificate. (while calling the Identity Server maybe). If the received certificate is not CA signed, APIM server is unable to verify it without having their certificate in the client-truststore already.
As mentioned, you've replaced wso2carbon.jks with mycert.jks. Please make sure you've done the following as well.
Extract/import the public certificate from the new private key and add/export it in to the API Manager server's client-truststore.jks. keytool -export -alias certalias -keystore newkeystore.jks -file <public key name>.pem keytool -import -alias certalias -file <public key name>.pem -keystore client-truststore.jks -storepass wso2carbon
You have to set the same password for key store and key it self.
If the problem still persists add the SSL debug logs following this. These logs will expose more information on where and what exactly the issue is.
I am trying to use plink(Putty link) to connect to test servers using a batch file so as to avoid any user prompts and executing shell scripts. But it is pausing by showing a user interactive prompt after logging in with username and password provided which I don't want.
Please provide any suggestion for why this is happening or if I need to change any settings in the configuration to make this work.
Below is the log for the same. I am expecting it to execute a shell script after this step before which it gets stopped and plink puts me in an interactive shell
D:\>plink -v -ssh xxx#xxx.xxx.xxx.xx.com –pw XXXXX
Looking up host "xxx#xxx.xxx.xxx.xx.com"
Connecting to xxx.xx.xxx.xx port 22
Server version: SSH-2.0-OpenSSH_5.1
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.63
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 1024 a5:c3:96:57:53:7c:72:06:8d:86:09:76:27:3e:18:8d
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "xxx".
Attempting keyboard-interactive authentication
Access granted
Opening session as main channel
Opened main channel
Allocated pty (ospeed 38400bps, ispeed 38400bps)
Started a shell/command
Last login: Wed Mar 5 09:56:41 2014 from 10.34.39.22
←[?1034hxxxxavu2:←]2;xxx#xxxxavu2~ >
When using SSH, upon first connection you are required to verify a service host key in order to make a connection.
Through plink, the command line will generate a prompt, asking the user to "accept service host key? (y/n)".
Step 1: Fix the "Keyboard Interactive Authentication prompts from server"
Follow the URL instruction and Deselect the "Attempt keyboard Interactive auth (SSH-2) in your putty.
https://support.linuxacademy.com/hc/en-us/articles/360027730172-How-Can-I-Copy-and-Paste-into-Putty-on-Windows
Step 2: Below is the commands will fix the "verify a service host key" for every Linux server first SSH connection using plink.
echo yes| C:\PuTTY\plink.exe user-name#10.148.147.41 -pw *************** date
Step 3: Now you can immediately ran your next scripts like "server uptime checks" or "monitoring agent restart" using plink with -batch option (disable all interactive prompts)
C:\PuTTY\plink.exe -batch user-name#10.148.147.41 -pw *************** -m C:\uptime_linux.sh
C:\PuTTY\plink.exe -batch user-name#10.148.147.41 -pw *************** -m C:\monitoring-agent-check_linux.sh
Above mentioned information's 100% will help you to automate the linux tasks using plink utility.
It's giving you an interactive shell because you are not actually giving it a command to execute after connecting. Enclose your command in quotes, eg:
D:\>plink -v user#xxx.xxx.xxx.xxx -pw XXXXX "df -h"
Hi I am trying to load web page in webView pannel in JAVAFX.
I am able to load the web page whose certification is valid like google,yahoo. But unable to load invalid certification Sites.
Please suggest how can I add certification to my Web Site.
Thanks.
This is because the certificate cannot be found in default java certificates store.
Try to create java truststore with the root certificate from the "invalid certification sites". Command similar to this:
keytool -importcert -trustcacerts -alias somealias -file certificate.crt -deststorepass somePassword -destkeystore truststore.jks
Then start your java program with VM options:
-Djavax.net.ssl.trustStore="pathto\truststore.jks" -Djavax.net.ssl.trustStorePassword="somePassword" -Djavax.net.debug=all
Additional option -Djavax.net.debug=all allows you to debug the ssl handshake and see potential errors with certificates.
Welcome.
There is centos 5.5, oracle 11g release 1, Oracle Application Server 10g Release 3 (10.1.3.2.0) for Linux x86.
creating a wallet by owm and openssl ... finally getting ready to use wallet.
more interested with what settings to change in the configuration OHS to make it work?
changing the way in ssl.conf in place of default set the path to the next folder, where lies the wallet
start opmnctl - does not work in the logs I see error
[Thu Dec 09 16:22:45 2010] [error] Server virt11gr1: 443: can't open an encrypted
wallet file: / opt/app/oracle/product/11.1.0/ohs/ohs/conf/ssl.wlt/mywallet when opm
n is usingPlease enable it as SSO wallet
in opmn.xml also found a string of wallet prescribe the path there - will not start ... (
guys, tell me where I am wrong?
If we use through ORAPKI, then :
# Create root wallet (for example, CA wallet)
./orapki wallet create -wallet ./root -auto_login_only
# Add a self-signed certificate (CA certificate) to the root wallet
./orapki wallet add -wallet ./root -dn 'CN=your-host.com,C=IN' -keysize 1024 -self_signed -validity 3650 -auto_login_only
# Export self-signed certificate from the wallet
./orapki wallet export -wallet ./root -dn 'CN=your-host.com,C=IN' -cert ./root/b64certificate.txt
# Create a user wallet (for example, a customer wallet)
./orapki wallet create -wallet ./user -auto_login_only
# Add a certificate request
./orapki wallet add -wallet ./user -dn 'CN=your-host.com,C=IN' -keysize 1024 -auto_login_only
# Export the certificate request
./orapki wallet export -wallet ./user -dn 'CN=your-host.com,C=IN' -request ./user/creq.txt
# Create a certificate (issued by CA)
./orapki cert create -wallet ./root -request ./user/creq.txt -cert ./user/cert.txt -validity 3650
# Add a trusted certificate (CA certificate) to the wallet
./orapki wallet add -wallet ./user -trusted_cert -cert ./root/b64certificate.txt -auto_login_only
# Add a user certificate
./orapki wallet add -wallet ./user -user_cert -cert ./user/cert.txt -auto_login_only
# Display contents of wallet
./orapki wallet display -wallet ./root
open your wallet via OWM and set the checkbox Auto Login