I'm looking for guidance on the steps to configure an Oracle 12c database to use SSL with JKS. I found a tutorial which was very clear on the steps; however, it ended up being for Oracle wallets, which my client side does not support.
This is simply a test environment, so to keep it simple I'm trying to just use self-signed certs. I was able to create a keystore and export a certificate using these commands.
keytool -genkey -alias oraclekeystore -keyalg RSA -keypass xxx -storepass xxx -keystore KeyStore.jks -keysize 2048 -validity 1461
keytool -export -keystore KeyStore.jks -alias oraclekeystore -file client.cer
And I would use a command similar to the one below to import on the client side, with the exception that the keystore may already exist, but this is the command I found to do the import:
sudo keytool -import -trustcacerts -keystore "/usr/lib/jvm/java-8-openjdk-i386/jre/lib/security/cacerts" -storepass xxx -noprompt -alias oraclekeystore -file "client.cer"
Now the next part, how to configure the database to accept connections using TLS with this keystore/cert, is where I'm stuck. I see that when using a wallet we would add some configs to the sqlnet.ora file:
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
And set the listener up by stopping the listener, updating listener.ora and starting it again.
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ol7-121.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = ol7-121.localdomain)(PORT = 2484))
    )
  )
ADR_BASE_LISTENER = /u01/app/oracle
However, I'm unsure how to do this using a JKS and self-signed cert without Oracle wallets. Does anyone have experience with this or have set up this scenario? Or any resources which may help to configure the server in this scenario?
Thank you!
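Added example (not part of the original post or of the tutorial it quotes): a Python check over the sqlnet.ora and listener.ora settings shown in the question, reporting the 3DES suite listed in SSL_CIPHER_SUITES and the plain TCP endpoint that stays open next to the TCPS one. The token list and function names are assumptions of this example, and the sample text is constructed from the question.

```python
import re

# Constructed samples reproducing the settings quoted in the question.
SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
"""
LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ol7-121.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = ol7-121.localdomain)(PORT = 2484))))
"""

# Assumption: name fragments marking legacy ciphers, no encryption or no authentication.
WEAK_TOKENS = ("3DES", "_DES_", "RC4", "NULL", "MD5", "ANON", "EXPORT")

def strip_comments(text):
    return re.sub(r"#.*", "", text)

def weak_cipher_suites(sqlnet_text):
    """Return the suites in SSL_CIPHER_SUITES whose name contains a weak token."""
    m = re.search(r"SSL_CIPHER_SUITES\s*=\s*\(([^)]*)\)", strip_comments(sqlnet_text), re.I)
    suites = [s.strip() for s in m.group(1).split(",")] if m else []
    return [s for s in suites if any(t in s.upper() for t in WEAK_TOKENS)]

def listener_endpoints(listener_text):
    """Return (protocol, port) for every network ADDRESS in listener.ora."""
    pat = (r"\(\s*PROTOCOL\s*=\s*(\w+)\s*\)\s*\(\s*HOST\s*=\s*[^()]+\)"
           r"\s*\(\s*PORT\s*=\s*(\d+)\s*\)")
    found = re.findall(pat, strip_comments(listener_text), re.I)
    return [(proto.upper(), int(port)) for proto, port in found]

def audit(sqlnet_text, listener_text):
    findings = [f"weak cipher suite enabled: {s}" for s in weak_cipher_suites(sqlnet_text)]
    endpoints = listener_endpoints(listener_text)
    if not any(proto == "TCPS" for proto, _ in endpoints):
        findings.append("no TCPS endpoint configured")
    findings += [f"TCP endpoint on port {port} accepts connections without TLS"
                 for proto, port in endpoints if proto == "TCP"]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SQLNET_ORA, LISTENER_ORA)))
```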
I have an Oracle instance on an AWS EC2 instance. When I run this in the AWS Linux terminal, it is successful.
ubuntu@ip-xxx-xx-xx-xxx:~$ sqlplus user101/pass101@ip-xxx-xx-xx-xxx:1521/XE
However, when I run the same arguments when connecting through cx_Oracle I get a:
"ORA-12154: TNS:could not resolve the connect identifier specified" error
I know some common problems are with the tnsnames.ora file. I've placed that below.
XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ip-172-xx-xx-xx)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
At the moment the full Easy Connect syntax is being interpreted as a TNS entry.
According to the Connect() documentation, you can use your current code if you specify that you are passing the user argument:
If the user parameter is passed and the password and dsn parameters are not passed, the user parameter is assumed to be a connect string in the format user/password@dsn, the same format accepted by Oracle applications such as SQL*Plus.
So this should work:
connection = cx_Oracle.connect(user="user101/pass101@ip-172-xx-xx-xx:1521/XE")
According to the Oracle connection handling documentation, you could also split that out:
connection = cx_Oracle.connect(
    user="user101",
    password="pass101",
    dsn="ip-172-xx-xx-xx:1521/XE",
    encoding="UTF-8"
)
Or if you want to use tnsnames.ora then just give that alias as the DSN value:
connection = cx_Oracle.connect(
    user="user101",
    password="pass101",
    dsn="XE",
    encoding="UTF-8"
)
I am trying to connect to a database using TNS, and I am able to connect successfully using an alias:
sqlplus user/password@UHKGLXXX
However, when I connect to the same database using the service name, I get the below error:
sqlplus user/password@pl0676o.hk.bbc:2006/UHKGLXXX.hk.bbc
ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
Can someone please help me out with this?
Below is the TNSNAMES entry:
UHKGLXXX =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = pl0676o.hk.bbc)(PORT = 2006))
    )
    (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = UHKGLXXX.hk.bbc)
    )
  )
LISTENER_UHKGLXXX = (ADDRESS = (PROTOCOL = TCP)(HOST = pl0676o.hk.bbc)(PORT = 2006))
Have a look at your sqlnet.ora file.
Maybe it contains:
NAMES.DIRECTORY_PATH = (TNSNAMES)
This only allows for TNSNAMES alias use.
Change this to:
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
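Added example (not from any of the posts above, and not Oracle's own resolver): a Python model of how NAMES.DIRECTORY_PATH decides whether a connect identifier is looked up as a tnsnames.ora alias or parsed as Easy Connect, with LookupError standing in for ORA-12154. It ignores NAMES.DEFAULT_DOMAIN and LDAP lookups; the function names are hypothetical and the tnsnames.ora text is constructed from the entry quoted above.

```python
import re

# Constructed sample, modelled on the tnsnames.ora entry quoted in the thread.
TNSNAMES = """
# comment lines are ignored
UHKGLXXX =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = pl0676o.hk.bbc)(PORT = 2006)))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = UHKGLXXX.hk.bbc)))
"""

def directory_path(sqlnet_text):
    """Naming methods from NAMES.DIRECTORY_PATH, in order (commented lines skipped)."""
    m = re.search(r"^\s*NAMES\.DIRECTORY_PATH\s*=\s*\(([^)]*)\)", sqlnet_text, re.I | re.M)
    # Assumption: use Oracle's documented default when the parameter is unset.
    raw = m.group(1) if m else "TNSNAMES, LDAP, EZCONNECT"
    return [x.strip().upper() for x in raw.split(",") if x.strip()]

def parse_tnsnames(text):
    """Map ALIAS -> descriptor by balancing parentheses after each 'alias ='."""
    text, entries, pos = re.sub(r"#.*", "", text), {}, 0
    head = re.compile(r"\s*([\w.\-]+)\s*=\s*(?=\()")
    while (m := head.match(text, pos)):
        depth, i = 0, m.end()
        while i < len(text):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
            if depth == 0:
                break
        entries[m.group(1).upper()] = text[m.end():i]
        pos = i
    return entries

def field(desc, key):
    m = re.search(rf"\(\s*{key}\s*=\s*([^()\s]+)\s*\)", desc, re.I)
    return m.group(1) if m else None

def resolve(identifier, tnsnames_text, sqlnet_text):
    """Try each configured naming method in order; LookupError models ORA-12154."""
    for method in directory_path(sqlnet_text):
        if method == "TNSNAMES":
            desc = parse_tnsnames(tnsnames_text).get(identifier.upper())
            if desc:
                port = field(desc, "PORT")
                return ("TNSNAMES", field(desc, "HOST"),
                        int(port) if port else None, field(desc, "SERVICE_NAME"))
        elif method == "EZCONNECT":  # [//]host[:port][/service_name]
            m = re.fullmatch(r"(?://)?([^/:\s]+)(?::(\d+))?(?:/([^/\s]+))?", identifier)
            if m:
                return ("EZCONNECT", m.group(1), int(m.group(2) or 1521), m.group(3))
    raise LookupError("ORA-12154: could not resolve the connect identifier specified")
```

With only TNSNAMES in the path, the host:port/service string is treated as an alias name and fails to resolve; with EZCONNECT added, the same string resolves to a host, port and service name without any tnsnames.ora entry.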
I have an Oracle 12.2.01 installed on Windows 2008 server. Whenever I try to connect a batch file using sqlplus sys/password@master as sysdba @E:/script.sql I get
ORA-12545:Connect failed because target host or object does not exist.
I can ping, tnsping and connect through sqlplus using the exact same syntax.
If I remove the "@master" the script will work. I need to figure out why because some of our scripts will need to use "@master" at customer locations.
Listener file:
# listener.ora Network Configuration File: C:\oracle\product\12.2.0\dbhome_1\NETWORK\ADMIN\listener.ora
# Generated by Oracle configuration tools.
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = MASTER)
      (ORACLE_HOME = C:\oracle\product\12.2.0\dbhome_1)
      (SID_NAME = MASTER)
    )
  )
LISTENER =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = WIN-VFT0F2BL0T6)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.10.82)(PORT = 1521))
    )
  )
ADR_BASE_LISTENER = C:\oracle\product\12.2.0\dbhome_1\log
SQLNET file:
# sqlnet.ora Network Configuration File: c:\oracle\product\12.2.0\dbhome_1\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
# SQLNET.AUTHENTICATION_SERVICES= (NONE)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.ALLOWED_LOGON_VERSION_SERVER=8
tnsnames file:
# tnsnames.ora Network Configuration File: C:\oracle\product\12.2.0\dbhome_1\network\admin\tnsnames.ora
# Generated by Oracle configuration tools.
MASTER =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.10.82)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = MASTER)
    )
  )
I have Oracle Enterprise Edition and Oracle Forms installed on my computer. When I connect to my database from sqlplus and SQL Developer, it connects without errors, but when I try to connect from Oracle Forms, it gives me this error:
ORA-12154:could not resolve the connect identifier specified
I have looked online and I read somewhere that it might be because I have more than one Oracle client installed on my computer, and sqlplus uses the right file while Oracle Forms uses the one that is not right. I think that is my case, because I have two tnsnames.ora files:
In here:
C:\oracle\product\10.2.0\db_1\NETWORK\ADMIN\tnsnames.ora
and in here:
C:\oracle\product\10.2.0\NETWORK\ADMIN\SAMPLE
Here is the content of the first tnsnames.ora file:
# tnsnames.ora Network Configuration File: C:\oracle\product\10.2.0\db_1\network\admin\tnsnames.ora
# Generated by Oracle configuration tools.
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = BOUHDID.Home)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORCL)
    )
  )
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
If it's the case, how can I fix this?
You could just set the TNS_ADMIN environment variable.
This always points to the tnsnames.ora directory. And all Oracle products look at this variable.
So you just have to set TNS_ADMIN to:
C:\oracle\product\10.2.0\db_1\NETWORK\ADMIN
I solved my problem by doing these steps:
Uninstalled Oracle Forms and Reports.
Uninstalled the Oracle database with the Universal Installer.
Deleted all the registries and services associated with Oracle.
Reinstalled the Oracle database.
Reinstalled Oracle Forms & Reports.
Copied from my tnsnames.ora file located in
C:\oracle\product\10.2.0\db_1\NETWORK\ADMIN to the tnsnames.ora file located in C:\orant\NET80\ADMIN
this part:
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = BOUHDID)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )
And it worked like a charm.
Depending on your Oracle_Home variable config, please check if the TNS entry is present in the domains folder created while installing Oracle Forms & Reports.
Example: C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\config\fmwconfig\tnsnames.ora
How can I connect to a pluggable database directly?
I'm trying this.
sqlplus scott/tiger@pdborcl;
But I'm getting ORA-12154: TNS:could not resolve the connect identifier specified
After that I tried to add localhost.
sqlplus scott/tiger@localhost/pdborcl;
Then I got
ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
But when I connected as System, then I can easily connect using:
sqlplus scott/tiger@pdborcl;
Please help me, I really want to get rid of the System login again and again.
#TNSNAMES.ora File
# tnsnames.ora Network Configuration File: C:\app\OracleHome\product\12.1.0\dbhome_1\network\admin\tnsnames.ora
# Generated by Oracle configuration tools.
LISTENER_ORCL =
  (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (CONNECT_DATA =
      (SID = CLRExtProc)
      (PRESENTATION = RO)
    )
  )
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )
PDBORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = pdborcl)
    )
  )
SQLNET
# sqlnet.ora Network Configuration File: C:\app\OracleHome\product\12.1.0\dbhome_1\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
tnsping pdborcl
You basically need a couple of items to be in place before a direct connection to a pluggable database can be established.
Ensure the pluggable database is started and open, that there is a tnsnames.ora entry for the PDB, and that the listener has picked up the tnsnames entry for the PDB after you added it; reload the listener configuration if it is already running.
If you have issues connecting to the pdb using different users, check for permission differences between them.