SSL and Oracle HTTP Server (OHS) - Oracle 11g

Welcome.
The setup is CentOS 5.5, Oracle 11g Release 1 and Oracle Application Server 10g Release 3 (10.1.3.2.0) for Linux x86.
I created a wallet with OWM and openssl ... and finally got the wallet ready to use.
What I am more interested in is which settings to change in the OHS configuration to make it work.
I changed ssl.conf: in place of the default I set the path to the folder where the wallet lies.
Starting with opmnctl does not work; in the logs I see this error:
[Thu Dec 09 16:22:45 2010] [error] Server virt11gr1: 443: can't open an encrypted wallet file: /opt/app/oracle/product/11.1.0/ohs/ohs/conf/ssl.wlt/mywallet when opmn is using. Please enable it as SSO wallet
In opmn.xml I also found a wallet string and set the path there - it still will not start ... (
Guys, tell me where I am wrong?

If you use orapki instead, then:
# Create root wallet (for example, CA wallet)
./orapki wallet create -wallet ./root -auto_login_only
# Add a self-signed certificate (CA certificate) to the root wallet
./orapki wallet add -wallet ./root -dn 'CN=your-host.com,C=IN' -keysize 1024 -self_signed -validity 3650 -auto_login_only
# Export self-signed certificate from the wallet
./orapki wallet export -wallet ./root -dn 'CN=your-host.com,C=IN' -cert ./root/b64certificate.txt
# Create a user wallet (for example, a customer wallet)
./orapki wallet create -wallet ./user -auto_login_only
# Add a certificate request
./orapki wallet add -wallet ./user -dn 'CN=your-host.com,C=IN' -keysize 1024 -auto_login_only
# Export the certificate request
./orapki wallet export -wallet ./user -dn 'CN=your-host.com,C=IN' -request ./user/creq.txt
# Create a certificate (issued by CA)
./orapki cert create -wallet ./root -request ./user/creq.txt -cert ./user/cert.txt -validity 3650
# Add a trusted certificate (CA certificate) to the wallet
./orapki wallet add -wallet ./user -trusted_cert -cert ./root/b64certificate.txt -auto_login_only
# Add a user certificate
./orapki wallet add -wallet ./user -user_cert -cert ./user/cert.txt -auto_login_only
# Display contents of wallet
./orapki wallet display -wallet ./root

Open your wallet via OWM and set the Auto Login checkbox.

Related

https request in Oracle 18c : "ORA-29024: Certificate validation failure"

I use an Oracle 18c PL/SQL script.
I would like to make HTTPS requests.
So I began with HTTP requests, and that works. But with HTTPS requests I get an error: "Certificate validation failure".
I will explain below how I proceed in order to reach "https://www.ibm.com", for example.
I create a wallet using this PowerShell script:
Get-ChildItem -Path Z:\Documents\dev\plsql_http_request\wallets -Include *.* -File -Recurse | foreach { $_.Delete()}
orapki wallet create -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000 -auto_login
orapki wallet add -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000 -trusted_cert -cert 'Z:\Documents\dev\plsql_http_request\certificates\ibm-1-root.pem'
orapki wallet add -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000 -trusted_cert -cert 'Z:\Documents\dev\plsql_http_request\certificates\ibm-2-intermediate.pem'
orapki wallet add -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000 -trusted_cert -cert 'Z:\Documents\dev\plsql_http_request\certificates\ibm-3-user.pem'
orapki wallet display -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000
The certificates are in PEM base64 format.
I get this output from the command orapki wallet display -wallet Z:\Documents\dev\plsql_http_request\wallets -pwd iciC29000 :
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=www.ibm.com,O=International Business Machines Corporation,L=Armonk,ST=NEW YORK,C=US
Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Subject: CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
Then I modify the rights of the wallet file (file permissions).
Then I execute this PL/SQL script:
set serveroutput on size 30000;
declare
  v_req    utl_http.req;
  v_res    utl_http.resp;
  v_buffer varchar2(4000);
begin
  utl_http.set_detailed_excp_support(TRUE);
  utl_http.set_wallet('file:Z:\Documents\dev\plsql_http_request\wallets\', 'iciC29000');
  v_req := utl_http.begin_request('https://www.ibm.com');
  v_res := utl_http.get_response(v_req);
  utl_http.read_text(v_res, v_buffer, NULL);
  utl_http.end_response(v_res);
  dbms_output.put_line(v_res.status_code);
  dbms_output.put_line(v_res.reason_phrase);
  dbms_output.put_line(v_buffer);
end;
/
And now I'm stuck with these errors:
Error report -
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1148
ORA-06512: at line 15
29024. 00000 - "Certificate validation failure"
*Cause: The certificate sent by the other side could not be validated. This may occur if
the certificate has expired, has been revoked, or is invalid for another reason.
*Action: Check the certificate to determine whether it is valid. Obtain a new certificate,
alert the sender that the certificate has failed, or resend.
Thanks a lot for your help.

Adding a certificate to the cell truststore through Unix

I have executed the Unix commands below to add a certificate to the node truststore on WebSphere 7.0.
Can you please help me with how I can add the certificate to the cell truststore?
I executed the below commands:
was70nd -profile cert_add (key | trust) [-n ]
[-pwd ] -signer -alias -f
Thanks in advance
You can add the certificate through the WAS Admin Console. Go to the following location:
Menu --> Security --> SSL certificate and key management --> click on Key stores and certificates --> click on the desired truststore --> click on the Signer certificates.
From here you can import your certificate into the WebSphere truststore.

How do I install a CA bundle on Laravel Forge?

I've got an application that's getting SSL warnings on Chrome for Android and it turns out I need to add my CA Bundle from RapidSSL. I don't see a way to do this using Laravel Forge. How can I accomplish this?
My nginx config was auto-generated by Laravel Forge and looks like this:
# FORGE SSL (DO NOT REMOVE!)
ssl on;
ssl_certificate /etc/nginx/ssl/mydomain.com/1646/server.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.com/1646/server.key;
Status before: untrusted page
I had the same issue with a Comodo certificate from https://cheapsslsecurity.com/. At first I installed only the domain-specific certificate via the Laravel Forge web interface (www_timtimer_at.crt), which resulted in an untrusted page.
Stumbling upon the answer of #Citizen and the post Nginx not serving intermediate certificate helped me to fix it. See that post also for debugging instructions.
How to fix the problem
SSL status
Use openssl s_client -connect www.timtimer.at:443 to check the certificate chain. (As I am using Windows, I just used the git bash to run this command.) It should be a real chain like the following (s=subject, i=issuer). So you always have a subject with an issuer. This issuer should be the next subject, which is issued by another authority, and so on. The last subject is its own issuer.
At first my certificate chain looked like the following:
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.timtimer.at
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
The Verify return code was: 21 (unable to verify the first certificate).
Solution
Check your server configuration file (I am using Laravel Forge with nginx, so my file would be /etc/nginx/sites-available/default) to get the location of the certificate you are using. Look out for the following section:
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/default/2658/server.crt;
ssl_certificate_key /etc/nginx/ssl/default/2658/server.key;
So in my case the certificate is stored in /etc/nginx/ssl/default/2658/server.crt. Now edit this file and make sure you put all the needed certificates in there. I added the content of the certificates from the zip-file in the following order:
www_timtimer_at.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
AddTrustExternalCARoot.crt
The file should look like the following:
-----BEGIN CERTIFICATE-----
... (www_timtimer_at.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (COMODORSAAddTrustCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (COMODORSADomainValidationSecureServerCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (AddTrustExternalCARoot.crt)
-----END CERTIFICATE-----
After a /etc/init.d/nginx restart everything looked good.
I received the following certificate chain after executing openssl s_client -connect www.timtimer.at:443:
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.timtimer.at
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
The Verify return code was: 19 (self signed certificate in certificate chain).
Ok, so I solved this problem by doing the following:
Download the RapidSSL CA bundle:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1549
Paste it below my certificate in a text file.
https://www.digicert.com/ssl-support/pem-ssl-creation.htm
Pasted the three certs as one into Laravel Forge when it asks for my certificate.
And it worked!

How can I load a web page with an invalid certificate using JavaFX?

Hi, I am trying to load a web page in a WebView panel in JavaFX.
I am able to load web pages whose certificates are valid, like Google or Yahoo, but I am unable to load sites with invalid certificates.
Please suggest how I can add the certificate for my web site.
Thanks.
This is because the certificate cannot be found in the default Java certificate store.
Try to create a Java truststore with the root certificate from the "invalid certification sites". The command is similar to this:
keytool -importcert -trustcacerts -alias somealias -file certificate.crt -deststorepass somePassword -destkeystore truststore.jks
Then start your Java program with these VM options:
-Djavax.net.ssl.trustStore="pathto\truststore.jks" -Djavax.net.ssl.trustStorePassword="somePassword" -Djavax.net.debug=all
The additional option -Djavax.net.debug=all lets you debug the SSL handshake and see potential errors with certificates.

Authenticate user via Client Signed SSL Certificate in ASP.NET application

I want to add extra security to a site and generate self-signed client certificates for my users.
I set IIS to require client certificates, created a self-signed certificate for the server and followed a few articles explaining how to create the client certificate via makecert and pvk2pfx (all of them using the following method):
makecert -r -n "CN=My Personal CA" -pe -sv MyPersonalCA.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -cy authority MyPersonalCA.cer
makecert -iv MyPersonalCA.pvk -ic MyPersonalCA.cer -n "CN=John Doe" -pe -sv JohnDoe.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -sky exchange JohnDoe.cer -eku 1.3.6.1.5.5.7.3.2
pvk2pfx -pvk JohnDoe.pvk -spc JohnDoe.cer -pfx JohnDoe.pfx -po PASSWORD
I installed MyPersonalCA in Trusted Root Certification Authorities and JohnDoe.pfx in the appropriate certificate store.
However when I open my site I am getting:
HTTP Error 403.7 - Forbidden
What am I missing? Why isn't the browser sending the client certificate?
There are the following conditions under which the browser will let you pick a certificate:
The certificate has to be generated with "client authentication" option
1.3.6.1.5.5.7.3.2 - id_kp_clientAuth
The certificate that signs your certificate has to be installed in the trusted root certification authorities on the server (not on the client!)
The certificate itself has to be installed in browser's certificate store (a system store for ie and chrome, an internal store in firefox)
Note that this is still not enough for authentication: you also need a custom authentication module, or you must configure mappings between certificates and users manually at the server.
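Two of the answers above check certificate properties by hand: the Laravel Forge answer orders the served bundle leaf, intermediate(s), root and reads the s:/i: pairs from openssl s_client to confirm each issuer is the next subject, and the ASP.NET answer requires the client certificate to carry EKU 1.3.6.1.5.5.7.3.2. The script below is an added example, not code from any of the posts, that automates both checks with a minimal standard-library X.509 DER walker: check_chain() reports any certificate in a PEM bundle that is not followed by its issuer and a last certificate that is not self-signed, and has_client_auth() reports whether an EKU extension listing id-kp-clientAuth is present. The certificates it runs on are constructed, unsigned test structures produced by build_cert() with made-up names (www.example.com, Example Intermediate CA, John Doe); the parser compares Names byte-for-byte and does not verify signatures, validity dates or trust.

```python
# Added example, not code from any post above. Standard-library-only X.509 DER walker:
# checks leaf -> intermediate(s) -> self-signed root ordering of a PEM bundle, and the
# id-kp-clientAuth EKU on a client certificate. All certificates used here are constructed.
import base64
import re

OID_CN, OID_EKU, OID_CLIENT_AUTH = "2.5.4.3", "2.5.29.37", "1.3.6.1.5.5.7.3.2"

def der_read(buf, pos=0):
    """One DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """List of (tag, contents) for the TLVs packed inside a constructed value."""
    pos, out = 0, []
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out

def der_write(tag, contents):
    """Encode one TLV (only needed to build the constructed test certificates)."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def oid_decode(b):
    parts, v = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts, v = parts + [str(v)], 0
    return ".".join(parts)

def oid_encode(s):
    nums = [int(x) for x in s.split(".")]
    out = bytes([nums[0] * 40 + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        while (n := n >> 7):
            chunk.append((n & 0x7F) | 0x80)
        out += bytes(reversed(chunk))
    return out

def parse_cert(der):
    """Issuer and subject as raw DER Names (compared byte-for-byte) plus the EKU OIDs."""
    _, cert, _ = der_read(der)  # Certificate ::= SEQUENCE {tbsCertificate, sigAlg, signature}
    tbs = der_children(der_children(cert)[0][1])
    if tbs[0][0] == 0xA0:  # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # now: serial, signature alg, issuer, validity, subject, spki, then optional [1]/[2]/[3]
    issuer, subject, ekus = tbs[2][1], tbs[4][1], []
    for tag, val in tbs[6:]:
        if tag == 0xA3:  # [3] EXPLICIT Extensions ::= SEQUENCE OF Extension
            for _, ext in der_children(der_read(val)[1]):
                items = der_children(ext)  # extnID, [critical], extnValue OCTET STRING
                if oid_decode(items[0][1]) == OID_EKU:
                    ekus = [oid_decode(v) for _, v in der_children(der_read(items[-1][1])[1])]
    return {"issuer": issuer, "subject": subject, "eku": ekus}

def load_pem(bundle):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", bundle, re.S)
    return [parse_cert(base64.b64decode(b)) for b in blocks]

def check_chain(bundle):
    """Findings for a leaf-first PEM bundle; an empty list means the order is right."""
    certs, problems = load_pem(bundle), []
    if not certs:
        return ["no certificates found"]
    for i, c in enumerate(certs[:-1]):
        if c["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"cert {i} is not followed by its issuer")
    if certs[-1]["issuer"] != certs[-1]["subject"]:
        problems.append("last cert is not a self-signed root")
    return problems

def has_client_auth(pem):
    return OID_CLIENT_AUTH in load_pem(pem)[0]["eku"]  # no EKU at all counts as False here

def build_cert(subject_cn, issuer_cn, ekus=()):
    """Constructed, UNSIGNED v3 certificate with a dummy key: test data, not a real cert."""
    def name(cn):  # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue
        return der_write(0x30, der_write(0x31, der_write(0x30, der_write(0x06, oid_encode(OID_CN)) + der_write(0x0C, cn.encode()))))
    alg = der_write(0x30, der_write(0x06, oid_encode("1.2.840.113549.1.1.11")) + der_write(0x05, b""))
    tbs = (der_write(0xA0, der_write(0x02, b"\x02")) + der_write(0x02, b"\x01") + alg + name(issuer_cn)
           + der_write(0x30, der_write(0x17, b"200101000000Z") + der_write(0x17, b"300101000000Z"))
           + name(subject_cn) + der_write(0x30, alg + der_write(0x03, b"\x00")))
    if ekus:
        eku = der_write(0x30, b"".join(der_write(0x06, oid_encode(o)) for o in ekus))
        ext = der_write(0x30, der_write(0x06, oid_encode(OID_EKU)) + der_write(0x04, eku))
        tbs += der_write(0xA3, der_write(0x30, ext))
    cert = der_write(0x30, der_write(0x30, tbs) + alg + der_write(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"

# Constructed demo chain in the order a server should send it: leaf, intermediate, root.
LEAF = build_cert("www.example.com", "Example Intermediate CA", ("1.3.6.1.5.5.7.3.1",))
INTER = build_cert("Example Intermediate CA", "Example Root CA")
ROOT = build_cert("Example Root CA", "Example Root CA")
CLIENT = build_cert("John Doe", "My Personal CA", (OID_CLIENT_AUTH,))
```

Run check_chain(open("server.crt").read()) on the nginx bundle: an empty list is the leaf-to-root order the answer ends up with; a leaf on its own yields "last cert is not a self-signed root", which is the situation s_client reported as verify error 21, and a misordered bundle is flagged at the first certificate whose issuer does not follow it. The walker only checks structure, so pair it with openssl verify for signatures, dates and trust. Note also that serving the root itself is optional: clients must already hold it in their trust store, and s_client only prints error 19 (self signed certificate in certificate chain) when it is sent but not found locally.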
