Using utl_http & wallets on 12c: certificate validation failure - oracle

Hope someone can spot what I'm doing wrong as I'm going bald from this.
I have used utl_http & wallets to call https on 11gR1 without much trouble, but our new 12c installation is causing me a lot of grief.
I have tried importing the trusted certificate using both oracle wallet manager, and command line, without any success.
I know that oracle can be picky as to caching the wallet, so I have tried multiple new sessions without any luck.
I have downloaded the three necessary certificates for *.presstogo.com, Geotrust SSL CA & Geotrust Global CA.
The command-line version of my building the wallet is as follows:
orapki wallet create -wallet /oracle/product/12.0.1/owm/wallets/test1237 -pwd test=1237 -auto_login
orapki wallet add -wallet /oracle/product/12.0.1/owm/wallets/test1237 -trusted_cert -cert "*.presstogo.com" -pwd test=1237
orapki wallet add -wallet /oracle/product/12.0.1/owm/wallets/test1237 -trusted_cert -cert "GeoTrust SSL CA" -pwd test=1237
orapki wallet add -wallet /oracle/product/12.0.1/owm/wallets/test1237 -trusted_cert -cert "Geotrust Global CA" -pwd test=1237
orapki wallet display -wallet /oracle/product/12.0.1/owm/wallets/test1237
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: CN=GeoTrust SSL CA,O=GeoTrust\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
Subject: CN=*.presstogo.com,OU=IT,O=Press to go AS,L=Oslo,ST=Norway,C=NO,SERIAL_NUM=SJYpOHrRdCDHE8KZ6dRFGMJthOjs7-v3
OK, let's test this. Log in to sqlplus and run the following:
declare
  lo_req  utl_http.req;
  lo_resp utl_http.resp;
begin
  utl_http.set_detailed_excp_support ( true );
  utl_http.set_wallet ( 'file:/oracle/product/12.0.1/owm/wallets/test1237', 'test=1237');
  lo_req := utl_http.begin_request ( 'https://production.presstogo.com/mars/hello' );
  lo_resp := utl_http.get_response ( lo_req );
  -- A successful request would have the status code "200".
  dbms_output.put_line ( lo_resp.status_code );
  utl_http.end_response ( lo_resp );
exception
  when others then
    utl_http.end_response ( lo_resp );
    raise;
end;
/
DECLARE
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-29024: Certificate validation failure
ORA-06512: at line 6
For the record, it is worth noting that the following does work:
declare
lo_req utl_http.req;
lo_resp utl_http.resp;
begin
utl_http.set_wallet ( 'file:/oracle/product/12.0.1/owm/wallets/test1237', 'test=1237');
lo_req := utl_http.begin_request ( 'https://www.google.be' );
lo_resp := utl_http.get_response ( lo_req );
dbms_output.put_line ( lo_resp.status_code );
utl_http.end_response ( lo_resp );
end;
/
Help me Obi-Wan, you're my only hope.

Answering my own question for the benefit of others.
According to Oracle Support only the certificate chain should be imported, not the end site certificate.
In the example I used above, only import the following certificates into the wallet:
Geotrust SSL CA & Geotrust Global CA
Do not import the *.presstogo.com certificate
To quote Oracle support:
The reason that the select is failing in 12c is that 12c does not want
to see the user cert in the wallet as a trusted cert.
This was apparently not an issue in previous versions but removing
that cert from the wallet fixed the issue here.
This contradicts all information I have found online regarding the use of utl_http to connect to Https sites, and confused the hell out of me.
Hopefully this will help others in my situation.
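A check for the situation the answer describes, added here as example code (it is not from the question or from Oracle): it parses the `orapki wallet display` output shown above (embedded as a constructed sample) and reports every entry in the Trusted Certificates section whose CN names the target host. On 12c that end-entity certificate is the one to remove from the wallet, leaving only the CA chain.

```python
import re
from typing import List

# Constructed sample: the "orapki wallet display" output from the question,
# reduced to the three Trusted Certificates that matter for the check.
SAMPLE_DISPLAY = """Oracle PKI Tool : Version 12.1.0.1
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=GeoTrust SSL CA,O=GeoTrust\\, Inc.,C=US
Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
Subject: CN=*.presstogo.com,OU=IT,O=Press to go AS,L=Oslo,ST=Norway,C=NO
"""

def trusted_subjects(display_output: str) -> List[str]:
    """Return the Subject values listed under 'Trusted Certificates:'."""
    subjects, in_trusted = [], False
    for line in display_output.splitlines():
        line = line.strip()
        if line.endswith("Certificates:"):          # section header
            in_trusted = line.startswith("Trusted")
        elif in_trusted and line.startswith("Subject:"):
            subjects.append(line[len("Subject:"):].strip())
    return subjects

def subject_cn(subject: str) -> str:
    """Extract the CN; orapki escapes commas inside values as '\\,'."""
    for part in re.split(r"(?<!\\),", subject):
        if part.startswith("CN="):
            return part[3:]
    return ""

def cn_matches_host(cn: str, host: str) -> bool:
    """Match like a TLS client: exact name, or a leading '*' covering exactly one
    label ('*.presstogo.com' covers production.presstogo.com, not presstogo.com)."""
    cn, host = cn.lower(), host.lower()
    if cn == host:
        return True
    if cn.startswith("*."):
        suffix = cn[1:]                              # ".presstogo.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return False

def leaf_certs_in_trusted_store(display_output: str, host: str) -> List[str]:
    """Trusted-store entries whose CN names the target host: the end-entity
    certificate that 12c refuses as a trust anchor and that should be removed."""
    return [s for s in trusted_subjects(display_output)
            if cn_matches_host(subject_cn(s), host)]

print(leaf_certs_in_trusted_store(SAMPLE_DISPLAY, "production.presstogo.com"))
```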

Related

Oracle 19c - ORA-29024 (Certificate validation failure)

I am trying to use UTL_HTTP package to send requests to a remote web server.
It works well using normal HTTP but when I try to use HTTPS, I always get ORA-29024.
What I did so far:
Create a wallet:
mkdir /oracle/admin/mydb/my_wallet
orapki wallet create -wallet /oracle/admin/mydb/my_wallet -pwd mypwd -auto_login
Used Chrome to browse to the https website and downloaded the certificate to a p7b file
Stored the p7b file on the database machine in /tmp/mycert.p7b
Imported the certificate into the wallet: orapki wallet add -wallet /oracle/admin/mydb/my_wallet/ -trusted_cert -cert "/tmp/mycert.p7b" -pwd mypwd
Checked the wallet status: orapki wallet display -wallet /oracle/admin/mydb/my_wallet =>
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=*.remote.server.com
Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Subject: CN=R3,O=Let's Encrypt,C=US
Tried to send a request:
EXEC UTL_HTTP.set_wallet('file:/oracle/admin/mydb/my_wallet', 'mypwd');
select UTL_HTTP.REQUEST('https://mes.customer.remove.server.com',NULL,'file:/oracle/admin/mydb/my_wallet','mypwd') from dual;
But unfortunately the return was:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1530
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1470
ORA-06512: at line 1
Any idea what else I could try?
Can it be caused because the certificate is a wildcard (*) certificate?
I have the same exact error, and yes, it's because it is a wildcard certificate. What I did on 19c was to delete only the wildcard certificate from the wallet, but leave all the others from the certification path, and it worked. However, the same behaviour doesn't apply on 12.2.0. Tell me if it worked for you too on 19c.

ORA-29024: Certificate validation failure When Using UTL_HTTP.REQUEST in Autonomous Database

When I execute the following statement that involves a UTL_HTTP.REQUEST call, I get ORA-29024: Certificate validation failure:
SELECT UTL_HTTP.REQUEST('https://www.google.com') from DUAL;
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1620
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1560
ORA-06512: at line 1
According to the Autonomous Database doc, UTL_HTTP is among the supported PL/SQL packages. Why is this query not working?
This error is a result of not completing the prerequisite steps for UTL_HTTP in Autonomous Database. As mentioned in the example from the doc, before calling the UTL_HTTP.REQUEST() procedure, we need to first create an Access Control List (ACL) for the host via the DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE() and set the wallet location via UTL_HTTP.SET_WALLET():
-- Create an Access Control List for the host
BEGIN
DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
host => 'www.google.com',
ace => xs$ace_type(privilege_list => xs$name_list('http'),
principal_name => 'ADMIN',
principal_type => xs_acl.ptype_db));
END;
/
PL/SQL procedure successfully completed.
-- Set Oracle Wallet location (no arguments needed)
BEGIN
UTL_HTTP.SET_WALLET('');
END;
/
PL/SQL procedure successfully completed.
SELECT UTL_HTTP.REQUEST('https://www.google.com') from DUAL;
utl_http.request('https://www.google.com')
-------------------------------------------------------------------------------------
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"> ...
Disclaimer: I’m a Product Manager at Oracle.

SMTP error while I am trying to run the sending email program in oracle pl/sql

When I am running this, I am getting an error:
begin
UTL_MAIL.SEND(SENDER =>'admin#dbaclass.com',
RECIPIENTS=> 'support#dbaclass.com',
SUBJECT=> 'MAIL FROM dbaclasss SENDER',
MESSAGE => 'Welcome to dbaclass'
);
end;
Error:
Error report -
ORA-29278: SMTP transient error: 421 Service not available
ORA-06512: at "SYS.UTL_MAIL", line 654
ORA-06512: at "SYS.UTL_MAIL", line 671
ORA-06512: at line 2
29278. 00000 - "SMTP transient error: %s"
I checked with the telnet command that smtp.gmail.com is working fine,
but when I tried this from Oracle it gives the above error.
Can someone please help me?
That will not work out of the box.
If your server is not SSL/TLS, you need at least to set this (maybe create a local SMTP server first for testing) and set an ACL:
ALTER SYSTEM SET smtp_out_server = 'mailserver.domain.com';
If the server is secure (and Gmail is) and you have no local SMTP server to work with, you need to do more to set up a secure connection.
Look at this to get an idea for a start (you need a wallet or your own secure SSL/TLS implementation):
Give credentials to UTL_MAIL.SEND to bypass ORA-29278
Probably at this too:
http://oracle.ninja/sending-secure-e-mails-out-of-the-database-ssltls-utl_smtp-openssl-acl-wallet/

ORACLE, UTL_HTTP and SSL

I am trying to reach a web service provided by a secured site with a TLS 1.2 certificate that I exported and added to a wallet.
First I tried to reach the site with the UTL_HTTP.request package on an 11.2.0.1.0 Oracle Database, but I got the ORA-28857 "SSL error unknown" message.
I tried the same on a 12.1.0.1.0 Oracle Database, but I got the ORA-29024 message.
So I searched the web and found everything and nothing about the subject...
Here is what i did:
First: I exported the certificate from Internet Explorer with the PKCS #7 (.p7b) format (Chains included)
Then I created a wallet with the orapki utility:
orapki wallet create -wallet e:\wallet -pwd <pwd>
Then I added my certificate:
orapki wallet add -wallet e:\wallet -trusted_cert -cert e:\certificats\<cert file> -pwd <pwd>
And I tried to reach the secured site:
SELECT UTL_HTTP.REQUEST('https://<secured site>.com',null,'file:E:\wallet','<pwd>')
FROM dual;
And I got the message:
ORA-29273: échec de demande HTTP ORA-06512: à "SYS.UTL_HTTP",
ligne 1722 ORA-28857: Erreur SSL inconnue ORA-06512: à ligne 1
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
I tried to create ACLs:
BEGIN
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
acl => 'utl_http.xml',
description => 'Test ACL',
principal => '<user>',
is_grant => TRUE,
privilege => 'connect',
start_date => null,
end_date => null
);
END;
/
BEGIN
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
acl => 'utl_http.xml',
principal => '<user>',
is_grant => TRUE,
privilege => 'use-client-certificates',
start_date => null,
end_date => null);
END;
/
BEGIN
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
acl => 'utl_http.xml',
host => '<secured site>',
lower_port => 1,
upper_port => 9999);
END;
/
BEGIN
DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL(
acl => 'utl_http.xml',
wallet_path => 'file:E:\wallet');
END;
/
(I'm not sure about the usefulness of all of them, but I'm ready to do everything to make that work ^^)
And I tried to reach the secured site:
SELECT UTL_HTTP.REQUEST('https://<secured site>.com',null,'file:E:\wallet','<pwd>')
FROM dual;
And I got the message:
Rapport d’erreur : ORA-29273: échec de demande HTTP ORA-06512: à
"SYS.UTL_HTTP", ligne 1130 ORA-29024: Echec de validation de
certificat ORA-06512: à ligne 10
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
I read that Oracle 11 has problems with TLS 1.2 certificates, so I tried with Oracle 12 (same way to create the wallet and ACL).
I got the message:
Rapport d’erreur : ORA-29273: échec de demande HTTP ORA-06512: à
"SYS.UTL_HTTP", ligne 1130 ORA-29024: Echec de validation de
certificat ORA-06512: à ligne 10
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
Hope I was clear in my explanations.
I am trying to find out what to do to reach a secure site based on its certificate.
Thank you for your much needed support
Best regards
Maybe I am too late, but I ran into the same issues and found some answers.
Oracle Database earlier than 11.2.0.3 does not support the SHA-2 SSL standard; for example, we cannot connect to Google from 11.2.0.1.
When using 12c, try to remove the end certificate of the chain from the wallet. (I found this answer here: Using utl_http & wallets on 12c: certificate validation failure)
An Oracle wallet is in PKCS12 format. You can't use a PKCS7 formatted certificate inside an Oracle wallet. You want to use the "Base-64 encoded X.509 (.CER)" option instead. You must also get each certificate in the chain for the certificate of the site to which you want to connect. Those will be loaded into the Trusted Certificates section of the wallet.
There are good detailed instructions at this page:
UTL_HTTP and SSL(HTTPS) Using Oracle Wallets

APNS certificate expiry date error with MobileFirst Platform 7.0

When deploying an APNS certificate in a .wlapp file in MFP 7.0, I'm seeing a null-pointer exception when it validates the end-date, even though it has one. ( openssl pkcs12 -in apns-certificate-sandbox.p12 | openssl x509 -noout -enddate returns a valid date in the future).
It seems others have made this work, so I'm guessing it must be something I am doing wrong...has anyone else resolved similar issues with valid Apple Push Notification Service certs failing to be deployed on MFP
Relevant lines from the log:
947: com.ibm.worklight.admin.services.ApplicationService E FWLSE3000E: A server error was detected.
948: com.ibm.worklight.admin.common.util.exceptions.ValidationException: FWLSE3119E: APNS certificate validation failed. See additional messages for details.
949: at com.ibm.worklight.admin.util.PushEnvironmentUtil.validateApnsConfiguration(PushEnvironmentUtil.java:232)
950: at com.ibm.worklight.admin.util.PushEnvironmentUtil.validatePushConfiguration(PushEnvironmentUtil.java:220)
[ ... lots more trace here .. ]
1030: Caused by: java.lang.NullPointerException
1031: at java.io.ByteArrayInputStream.<init>(ByteArrayInputStream.java:117)
1032: at com.ibm.worklight.admin.util.PushEnvironmentUtil.getCertificateExpiryDate(PushEnvironmentUtil.java:362)
1033: at com.ibm.worklight.admin.util.PushEnvironmentUtil.validateApnsConfiguration(PushEnvironmentUtil.java:230)
The initial hurdle was that the .wlapp file was not being built, so no APNS certificate was in the file (it is just in .zip format with a meta directory that should hold the .p12 file). The underlying issue was that the <pushSender> tag's password field in application-descriptor.xml wasn't exactly right: it was following the example from "Push Notifications in iOS applications" at https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-0/notifications/push-notifications-native-ios-applications/ :
<pushSender password="apns-certificate-p12 password"/>
when it really should just have the password:
<pushSender password="password"/>
with the file named either apns-certificate-sandbox.p12 or apns-certificate-production.p12 depending on which server is to be used.
Double dumbass on me for not checking the official docs at http://www-01.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.dev.doc/devref/c_the_application_descriptor.html , which has it described correctly.
Moral: "When in doubt, RTFM"
