I try to reach a WebService provide by a secured site with a TLS 1.2 certificate encrypted that i exported and add in a wallet.
First i try to reach the site with the package UTL_HTTP.request on a 11.2.0.1.0 ORACLE Database but i have the ORA-28857 SSL error unknown message.
I try the same on a 12.1.0.1.0 ORACLE Database but i have the ORA-29024 message.
So, i searched on the web and find everything and nothing about the subject.....
Here is what i did:
First: I exported the certificate from Internet Explorer with the PKCS #7 (.p7b) format (Chains included)
then, i create a wallet with the orapki utility
orapki wallet create -wallet e:\wallet -pwd <pwd>
then i add my certificate
orapki wallet add -wallet e:\wallet -trusted_cert -cert e:\certificats\<cert file> -pwd <pwd>
and i try to reach the secured site
SELECT UTL_HTTP.REQUEST('https://<secured site>.com',null,'file:E:\wallet','<pwd>')
FROM dual;
and i have the message:
ORA-29273: échec de demande HTTP ORA-06512: à "SYS.UTL_HTTP",
ligne 1722 ORA-28857: Erreur SSL inconnue ORA-06512: à ligne 1
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
I tried to create ACLs:
BEGIN
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
acl => 'utl_http.xml',
description => 'Test ACL',
principal => '<user>',
is_grant => TRUE,
privilege => 'connect',
start_date => null,
end_date => null
);
END;
/
BEGIN
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
acl => 'utl_http.xml',
principal => '<user>',
is_grant => TRUE,
privilege => 'use-client-certificates',
start_date => null,
end_date => null);
END;
/
BEGIN
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
acl => 'utl_http.xml',
host => '<secured site>',
lower_port => 1,
upper_port => 9999);
END;
/
BEGIN
DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL(
acl => 'utl_http.xml',
wallet_path => 'file:E:\wallet');
END;
/
(I m not sure about usefulness of all but I'm ready to do everything to make that work ^^)
and i try to reach the secured site
SELECT UTL_HTTP.REQUEST('https://<secured site>.com',null,'file:E:\wallet','<pwd>')
FROM dual;
and i have the message:
Rapport d’erreur : ORA-29273: échec de demande HTTP ORA-06512: à
"SYS.UTL_HTTP", ligne 1130 ORA-29024: Echec de validation de
certificat ORA-06512: à ligne 10
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
i read that Oracle 11 have problems withe TLS 1.2 encrypted certificate so i tried with an Oracle 12 (Same ways to create Wallet and ACL)
I have the message:
Rapport d’erreur : ORA-29273: échec de demande HTTP ORA-06512: à
"SYS.UTL_HTTP", ligne 1130 ORA-29024: Echec de validation de
certificat ORA-06512: à ligne 10
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
Hope I was clear in my explanations
I try to know what to do to reach a secure site by a certificate based on the certificate
Thank you for your much needed support
Best regards
May be I am too late, but I caught same issues and found some answers.
Oracle Database earlier than 11.2.0.3 does not support SHA2 SSL-standard, for example we cannot connect google from 11.2.0.1.
When use 12c - try to remove end certificate of chain from wallet. (I found this answer here: Using utl_http & wallets on 12c: certificate validation failure )
An Oracle wallet is in PKCS12 format. You can't use a PKCS7 formatted certificate inside an Oracle wallet. You want to use the "Base-64 encoded X.509 (.CER)" option instead. You must also get each certificate in the chain for the certificate of the site to which you want to connect. Those will be loaded into the Trusted Certificates section of the wallet.
There are good detailed instructions at this page:
UTL_HTTP and SSL(HTTPS) Using Oracle Wallets
Related
I build a Flask Python REST app on a Oracle Cloud compute instance. The REST Call works from my client just fine. (I added Ingress Rule for 0.0.0.0/0).
My plan is to have the Comupute Instance only accesible from my ATP Database and call the REST Service from PL/SQL. When I try to call the Webservice, I get the following error:
DECLARE
l_clob CLOB;
BEGIN
l_clob := apex_web_service.make_rest_request(
p_url => 'https://130.zz.yy.xx:5000/test',
--p_url=> 'https://httpbin.org/get',
p_http_method => 'GET'
);
END;
Error report -
ORA-29273: HTTP request failed
ORA-06512: at "APEX_220100.WWV_FLOW_WEB_SERVICES", line 1182
ORA-06512: at "APEX_220100.WWV_FLOW_WEB_SERVICES", line 782
ORA-01031: insufficient privileges
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1209
ORA-06512: at "APEX_220100.WWV_FLOW_WEB_SERVICES", line 756
ORA-06512: at "APEX_220100.WWV_FLOW_WEB_SERVICES", line 1023
ORA-06512: at "APEX_220100.WWV_FLOW_WEB_SERVICES", line 1371
ORA-06512: at "APEX_220100.WWV_FLOW_WEBSERVICES_API", line 568
ORA-06512: at line 5
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
Normal REST Calls work just fine. What could be the problem?
The ATP can not access the compute instance because of some network settings?
ATP is not happy with the SSL settings or some other nasty HTTPS stuff?
The restrictions of calling REST APIs from APEX on autonomous database are outlined here:
https://docs.oracle.com/en/cloud/paas/atp-cloud/atpgs/autonomous-apex-web-services.html
So ...
must be a public endpoint, and the SSL certificate must be provided by a public CA.
For HTTPS, only the default port (443) is allowed; other ports raise the error message you're seeing.
configuring a proxy server in APEX is not supported on ADB; you then also
get the "Insufficient Privileges" error.
I am trying to use UTL_HTTP package to send requests to a remote web server.
It works well using normal HTTP but when I try to use HTTPS, I always get ORA-29024.
What I did so far:
Create a wallet: mkdir /oracle/admin/mydb/my_wallet orapki wallet create -wallet /oracle/admin/valdb/my_walled -pwd mypwd -auto_login
Used Chrome to browse to the https website and downloaded the certificate to a p7b file
Stored the p7b file on the database machine in /tmp/mycert.p7b
Imported the certificate into the wallet: orapki wallet add -wallet /oracle/admin/mydeb/my_wallet/ -trusted_cert cert "/tmp/mycert.p7b" -pwd mypwd
Checked the wallet status: orapki wallet display -wallet /oracle/admin/mydb/my_wallet =>
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=*.remote.server.com
Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Subject: CN=R3,O=Let's Encrypt,C=US
Tried to send a request:
EXEC UTL_HTTP.set_wallet('file:/oracle/admin/mydb/my_wallet', 'mypwd');
select UTL_HTTP.REQUEST('https://mes.customer.remove.server.com',NULL,'file:/oracle/admin/mydb/my_wallet','mypwd') from dual;
But unfortunately the return was:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1530
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1470
ORA-06512: at line 1
Any idea what else I could try?
Can it be caused because the certificate is a wildcard (*) certificate?
I have the same exact error, and yes it's because it is a wildcard certificate. What I did on 19c was to delete only the wildcard certificate from the wallet, but let all the others from the certification path and it worked. However the same behaviour doesn't apply on 12.2.0 . Tell me it it worked for you too on 19c.
When I execute the following statement that involves a UTL_HTTP.REQUEST call, I get ORA-29024: Certificate validation failure:
SELECT UTL_HTTP.REQUEST('https://www.google.com') from DUAL;
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1620
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1560
ORA-06512: at line 1
According to the Autonomous Database doc, UTL_HTTP is among the supported PL/SQL packages. Why is this query not working?
This error is a result of not completing the prerequisite steps for UTL_HTTP in Autonomous Database. As mentioned in the example from the doc, before calling the UTL_HTTP.REQUEST() procedure, we need to first create an Access Control List (ACL) for the host via the DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE() and set the wallet location via UTL_HTTP.SET_WALLET():
-- Create an Access Control List for the host
BEGIN
DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
host => 'www.google.com',
ace => xs$ace_type(privilege_list => xs$name_list('http'),
principal_name => 'ADMIN',
principal_type => xs_acl.ptype_db));
END;
/
PL/SQL procedure successfully completed.
-- Set Oracle Wallet location (no arguments needed)
BEGIN
UTL_HTTP.SET_WALLET('');
END;
/
PL/SQL procedure successfully completed.
SELECT UTL_HTTP.REQUEST('https://www.google.com') from DUAL;
utl_http.request('https://www.google.com')
-------------------------------------------------------------------------------------
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"> ...
Disclaimer: I’m a Product Manager at Oracle.
When I am running this, i am getting error:
begin
UTL_MAIL.SEND(SENDER =>'admin#dbaclass.com',
RECIPIENTS=> 'support#dbaclass.com',
SUBJECT=> 'MAIL FROM dbaclasss SENDER',
MESSAGE => 'Welcome to dbaclass'
);
end;
Error:
Error report -
ORA-29278: SMTP transient error: 421 Service not available
ORA-06512: at "SYS.UTL_MAIL", line 654
ORA-06512: at "SYS.UTL_MAIL", line 671
ORA-06512: at line 2
29278. 00000 - "SMTP transient error: %s"
I checked the telnet command to check the stmp.gmail.com its working fine.
but when i tried this from oracle it is giving the above error.
Can someone please help me.
That will not work out of the box.
If your server is not ssl/tls you need at least set (maybe create local smtp first for test) and set acl:
ALTER SYSTEM SET smtp_out_server = 'mailserver.domain.com'
If server is secure (and gmail is) and you have no local smtp server to work with. You need to do more to set secure connection.
Look at this to get idea for start(you need walled or own secure ssl/tls implementation):
Give credentials to UTL_MAIL.SEND to bypass ORA-29278
Probably at this too:
http://oracle.ninja/sending-secure-e-mails-out-of-the-database-ssltls-utl_smtp-openssl-acl-wallet/
I'm trying to send email using oracle 11g as below.
begin
utl_mail.send(
sender => 'user#xxx.com',
recipients => 'user#gmail.com',
message => 'Hello World'
);
but i got below error.
ORA-29279: SMTP permanent error: 530 5.5.1 http://support.google.com/mail/bin/answer.py?answer=14257 ph1sm17301835pbb.45
ORA-06512: at "SYS.UTL_MAIL", line 654
ORA-06512: at "SYS.UTL_MAIL", line 671
ORA-06512: at line 2
29279. 00000 - "SMTP permanent error: %s"
*Cause: A SMTP permanent error occurred.
*Action: Correct the error and retry the SMTP operation.
how could i solve this ?
According to the GMail documentation, you need SMTP/Auth to send E-Mails via GMail.
Unfortunately, utl_mail doesn't support this - you'll have to use utl_smtp.
See Oracle Forums for an example.