Before you use a secure Oracle connection with Oracle database authentication or Kerberos authentication to connect to an SSL-enabled Oracle database, the organization administrator needs to perform the following prerequisite tasks:
1. Create a truststore certificate.
2. Create a keystore certificate. This is required only when client authentication is enabled in the Oracle database.
Adding the server certificate to the truststore
Add the server certificate to the client's truststore to establish a secure Oracle connection.
Use the following keytool command to add the server certificate to the client's truststore:
keytool -import -trustcacerts -alias ca -file <server certificate with path> -keystore <name of truststore to be generated with extension> -storepass <password for truststore> -storetype <store type>
For example, consider that you have a server certificate oratls_server.cert in the location C:\SSL\oracle.
1. Run the following command to create the truststore truststore.jks with the truststore password “password”:
Create a keystore certificate when client authentication is enabled on the Oracle server. The keystore certificate must contain all the client certificates that are required to establish the Oracle connection.
Perform the following steps to create a keystore certificate:
1. Download and install the Oracle client from the Oracle website.
2. Run the following command to create an Oracle wallet:
orapki wallet create -wallet <Path where wallet is to be created> -auto_login -pwd <wallet password>
3. Run the following command to create a self-signed client certificate and add it to the Oracle wallet:
orapki wallet add -wallet <Path where wallet is to be created> -dn "CN=<common name>, OU=<organization unit>, O=<organization>, L=<locality>, ST=<state>, C=<country>" -keysize <key size in bits> -self_signed -validity <number of days> -pwd <wallet password>
The command creates the PKCS12 certificate at the specified location.
Take the values of CN=<common name>, OU=<organization unit>, O=<organization>, L=<locality>, ST=<state>, C=<country>, -keysize <key size in bits>, -self_signed -validity <number of days>, and -pwd <wallet password> from the server certificate.
4. Run the following orapki command to export the self-signed client certificate:
orapki wallet export -wallet <wallet path> -dn "CN=<common name>, OU=<organization unit>, O=<organization>, L=<locality>, ST=<state>, C=<country>" -cert <Name of the exported certificate with path>
The -dn option uniquely identifies the client certificate, because the server wallet contains multiple installed client certificates.
5. Install the self-signed client certificate in the server Oracle wallet.
Note: Client authentication fails if you do not add the self-signed client certificate to the Oracle wallet of the server database.
6. Add the server certificate as a trusted certificate to the Oracle wallet.
Run the following command to add the server certificate:
orapki wallet add -wallet <wallet path> -trusted_cert -cert <Name of the server certificate with path> -pwd <wallet password>
Note: You must use the same wallet password for all orapki commands.
Example Tasks
Perform the following tasks to create a keystore certificate:
a. Run the following command to create an Oracle wallet:
You can now use the keystore C:\app\client\ksuwalka\product\12.1.0\client_1\owm\wallet\ewallet.p12 with keystore password oracle4u.
Kerberos authentication
You can use Kerberos authentication to connect to Oracle databases by placing the required configuration files on the Secure Agent machine. You can also use Kerberos authentication to connect to SSL-enabled Oracle databases.
When you configure Kerberos authentication to connect to Oracle, consider the following guidelines:
• You can't use the Hosted Agent or serverless runtime environment.
• Ensure that the Secure Agent and the database server that you use are registered in the KDC server.
• You can't add more than one KDC to a krb5.conf file.
• You can't generate a credential cache file for more than one Kerberos principal user.
Configuring Kerberos authentication
Before you use Kerberos authentication to connect to Oracle on Linux or Windows, the organization administrator needs to perform the prerequisite tasks.
1. To configure the Java Authentication and Authorization Service (JAAS) configuration file, perform the following tasks:
a. Create a JAAS configuration file on the Secure Agent machine.
b. Add the following entries to the JAAS configuration file:
[realms]
<REALM NAME> = {
  kdc = <Location where KDC is installed>
  admin_server = <Location where KDC is installed>
}
[domain_realm]
<domain name or host name> = <Domain name or host name of Kerberos>
<domain name or host name> = <Domain name or host name of Kerberos>
3. Set the following environment variables on the Secure Agent machine.
5. To generate the credential cache file on the Secure Agent machine and use Kerberos authentication to connect to Oracle, perform the following tasks:
a. On the Secure Agent machine, run the following command and specify the Oracle user name and realm name:
kinit <user name>@<realm_name>
b. When prompted, enter the password for the Kerberos principal user.
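The realm and domain_realm entries in the procedure above follow the krb5.conf layout, and the guidelines earlier on this page restrict that file to a single KDC. The following is an added example, not part of the original documentation or of the Secure Agent: a small Python parser for that layout that checks the documented constraints (one KDC in the file, every domain_realm mapping and the default_realm pointing at a realm defined under [realms]). The realm and host names in the sample are constructed placeholders.

```python
import re

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM

[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value}}.

    A "NAME = { ... }" block (as used under [realms]) becomes a dict whose
    values are lists, because a key such as kdc may repeat inside a block.
    """
    sections = {}
    current = None          # dict for the current [section]
    block = None            # (name, dict) while inside "NAME = { ... }"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            block = None
            continue
        if current is None:
            raise ValueError(f"entry outside any section: {raw!r}")
        if block is not None:
            if line == "}":
                block = None
                continue
            key, _, value = line.partition("=")
            block[1].setdefault(key.strip(), []).append(value.strip())
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = (key, {})
            current[key] = block[1]
        else:
            current[key] = value
    if block is not None:
        raise ValueError(f"unterminated block {block[0]!r}")
    return sections


def check_krb5_conf(conf):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    realms = conf.get("realms", {})
    if not realms:
        problems.append("no [realms] section")
    kdc_total = 0
    for name, entries in realms.items():
        kdcs = entries.get("kdc", []) if isinstance(entries, dict) else []
        kdc_total += len(kdcs)
        if not kdcs:
            problems.append(f"realm {name} defines no kdc")
    if kdc_total > 1:
        problems.append(f"{kdc_total} KDCs defined; only one per krb5.conf is supported")
    for host, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"domain_realm {host} -> {realm}: realm not defined in [realms]")
    default = conf.get("libdefaults", {}).get("default_realm")
    if default and default not in realms:
        problems.append(f"default_realm {default} is not defined in [realms]")
    return problems


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(parsed["realms"])
    print(check_krb5_conf(parsed) or "krb5.conf passes the guideline checks")
```

Run the script against the file you placed on the Secure Agent machine (read it and pass the text to parse_krb5_conf) before restarting the agent; a second kdc line or a domain_realm entry pointing at an undefined realm is reported instead of surfacing later as a failed kinit or connection test.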
Setting environment variables
To use Kerberos authentication to connect to Oracle, you need to set the required environment variables on the Secure Agent machine.
Set the following environment variables:
• setenv KRB5CCNAME <Absolute path and file name of the credentials cache file>
• setenv KRB5_CONFIG <Absolute path of the Kerberos configuration file>\krb5.conf
• setenv JAASCONFIG <Absolute path of the JAAS config file>\<File name>.conf
After you set the environment variables, you need to restart the Secure Agent.
Alternatively, you can add the environment variables when you create an Oracle connection.
To add the environment variables when you configure a connection and use Kerberos authentication, you need to add the KRB5_CONFIG, KRB5CCNAME, and JAASCONFIG properties in the Metadata Advanced Connection Properties field in an Oracle connection.
For example, add the properties in the following format:
KRB5_CONFIG=<Absolute path of the Kerberos configuration file>\krb5.conf;KRB5CCNAME=<Absolute path of the credential cache file>/<File name>;JAASCONFIG=<Absolute path of the JAAS config file>\<File name>.conf
Note: Ensure that you separate each key-value pair with a semicolon.
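The following is an added example, not part of the original documentation or of the connector, showing how to build and check that semicolon-separated property string in Python so that a missing separator or a missing key is caught before the connection is saved. The paths are constructed placeholders, and the checks that go beyond the documented format (that KRB5_CONFIG names krb5.conf itself, that JAASCONFIG ends in .conf, and the optional file-existence check) are this example's own assumptions.

```python
import os

# The three properties the Oracle connection expects for Kerberos.
REQUIRED_KEYS = ("KRB5_CONFIG", "KRB5CCNAME", "JAASCONFIG")

# Constructed placeholder paths, not from a real Secure Agent.
SAMPLE_PROPS = {
    "KRB5_CONFIG": "/constructed/agent/krb5/krb5.conf",
    "KRB5CCNAME": "/constructed/agent/krb5/krb5cc_agent",
    "JAASCONFIG": "/constructed/agent/krb5/jaas.conf",
}


def build_properties(props):
    """Render the KEY=VALUE;KEY=VALUE string the connection field expects."""
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        raise ValueError(f"missing properties: {', '.join(missing)}")
    for key, value in props.items():
        # A ';' or '=' inside a value would be mis-split by the field parser.
        if ";" in value or "=" in value:
            raise ValueError(f"{key}: value may not contain ';' or '='")
    return ";".join(f"{k}={props[k]}" for k in REQUIRED_KEYS)


def parse_properties(text):
    """Split KEY=VALUE pairs on ';'; reject pairs without a key or '='."""
    result = {}
    for pair in (p.strip() for p in text.split(";")):
        if not pair:
            continue                      # tolerate a trailing ';'
        key, sep, value = pair.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed pair {pair!r}")
        result[key.strip()] = value.strip()
    return result


def validate_properties(text, check_files=False):
    """Return a list of problems with the property string (empty = OK)."""
    try:
        props = parse_properties(text)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in props]
    for key, value in props.items():
        # A value that contains another KEY= means two pairs ran together.
        for other in REQUIRED_KEYS:
            if other != key and f"{other}=" in value:
                problems.append(f"{key}: value runs into {other}=..., missing ';' separator")
    cfg = props.get("KRB5_CONFIG")
    # Normalise Windows separators so basename works on any host.
    if cfg and os.path.basename(cfg.replace("\\", "/")) != "krb5.conf":
        problems.append("KRB5_CONFIG must name the krb5.conf file itself")
    jaas = props.get("JAASCONFIG")
    if jaas and not jaas.lower().endswith(".conf"):
        problems.append("JAASCONFIG should name a .conf file")
    if check_files:
        for key in REQUIRED_KEYS:
            path = props.get(key)
            if path and not os.path.isfile(path):
                problems.append(f"{key}: file not found: {path}")
    return problems


if __name__ == "__main__":
    text = build_properties(SAMPLE_PROPS)
    print(text)
    print(validate_properties(text) or "property string is well formed")
    # Drop one separator to show how the error is reported.
    print(validate_properties(text.replace(";KRB5CCNAME", "KRB5CCNAME")))
```

Pass check_files=True when running on the Secure Agent machine itself, where the paths in the string are expected to resolve; on any other host leave it off and rely on the format checks alone.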