Question

I am trying to configure an Oracle 12 instance to allow (and later force) SSL-encrypted connections (only encryption, no authentication).

I did as described in SSL With Oracle JDBC Thin Driver:

Changed in listener.ora from

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = myhost)(PORT = 1521))
    )
  )

to

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = myhost)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = myhost)(PORT = 2484))
    )
  )

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/tmp/oracle_wallet_tmp)))
SSL_CLIENT_AUTHENTICATION=FALSE

and also added the last two lines to sqlnet.ora.

I then created the wallet with

orapki wallet create -wallet /tmp/oracle_wallet_tmp  -pwd test1234

and restarted the listener with

lsnrctl stop
lsnrctl start

The unencrypted session still works fine. But when trying to connect via JDBC over an encrypted connection I get

Exception in thread "main" java.sql.SQLRecoverableException: I/O error: Received fatal alert: handshake_failure
  at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:682)
  at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:711)
  at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:385)
  at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:30)
  at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:558)
  at java.sql.DriverManager.getConnection(DriverManager.java:571)
  at java.sql.DriverManager.getConnection(DriverManager.java:187)
  at orassl.Orassl.<init>(Orassl.java:23)
  at orassl.Orassl.main(Orassl.java:38)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
  at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
  at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
  at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
  at oracle.net.ns.Packet.send(Packet.java:419)
  at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:241)
  at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:151)
  at oracle.net.ns.NSProtocol.connect(NSProtocol.java:263)
  at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1360)
  at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:486)
  ... 8 more

The listener log file listener/alert/log.xml only tells me

<msg time='2014-03-04T14:03:19.906+01:00' org_id='oracle' comp_id='tnslsnr'
 type='UNKNOWN' level='16' host_id='myhost'
 host_addr='hostip'>
 <txt>04-MAR-2014 14:03:19 * &lt;unknown connect data&gt; * 12561
 </txt>
</msg>
<msg time='2014-03-04T14:03:19.907+01:00' org_id='oracle' comp_id='tnslsnr'
 type='UNKNOWN' level='16' host_id='myhost'
 host_addr='hostip'>
 <txt>TNS-12561: TNS:unknown error
 </txt>
</msg>
<msg time='2014-03-04T14:03:19.933+01:00' org_id='oracle' comp_id='tnslsnr'
 type='UNKNOWN' level='16' host_id='myhost'
 host_addr='hostip'>
 <txt>04-MAR-2014 14:03:19 * &lt;unknown connect data&gt; * 12561
 </txt>
</msg>
<msg time='2014-03-04T14:03:19.933+01:00' org_id='oracle' comp_id='tnslsnr'
 type='UNKNOWN' level='16' host_id='myhost'
 host_addr='hostip'>
 <txt>TNS-12561: TNS:unknown error
 </txt>
</msg>

The client connects with the following:

final Properties props = new Properties();
// Anonymous DH suites: no server certificate is expected, only encryption
props.setProperty("oracle.net.ssl_cipher_suites", "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA)");
props.setProperty("user", "dbuser");
props.setProperty("password", "dbpass");
final Connection c = DriverManager.getConnection("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=hostip)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=mysid)))", props);

What am I still doing wrong?

No correct solution

OTHER TIPS

Two important points I found while getting SSL working (JDBC with SQL Developer, the sqlplus command):

  • The whitepaper's comment regarding the anonymous DH ciphers isn't valid for 12c anymore; you should be OK with the standard ciphers – in my case, commenting out SSL_CIPHER_SUITES in the server's sqlnet.ora and listener.ora did the trick.

  • In the database you have to explicitly set the local_listener parameter to a value that supports SSL. For simplicity you can copy your LISTENER config from listener.ora to $ORACLE_HOME/network/admin/tnsnames.ora and then set your local_listener to that value, e.g. alter system set local_listener='LISTENER';

  • The 256-bit AES ciphers don't work out of the box with Java – you have to install the Java Cryptography Extension (JCE).

If you have access to Metalink, Note 762286.1, "End To End Examples of using SSL With Oracle's JDBC THIN Driver (Doc ID 762286.1)" might help.

One more hint: as the XML tends to be a bit hard to read, you can examine the plain-text log file under the trace subdirectory, e.g. /u01/app/diag/tnslsnr/$HOST/listener/trace/listener.log.
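A client that does what the tips above amount to, written here as an added example and not taken from the question or the answer: it leaves the driver on its default, certificate-based cipher suites instead of the anonymous DH suites from the question, trusts the server certificate through a client-side JKS truststore, pins the expected server DN, and then asks the database which protocol it sees for the session. The host, port, service name, truststore path and password, and the server DN are placeholder assumptions; the truststore is assumed to contain the server certificate exported from the listener's wallet (for example with `orapki wallet export`).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Added example (not from the original post): connect to the listener's TCPS
 * endpoint with the JDBC thin driver, validate the server certificate against
 * a client truststore, and confirm the session really runs over TLS.
 */
public class TcpsCheck {

    // Placeholder assumptions; replace with your own values.
    static final String HOST = "hostip";
    static final int PORT = 2484;
    static final String SERVICE = "mysid";
    static final String TRUSTSTORE = "/path/to/truststore.jks";  // holds the server cert exported from the wallet
    static final String TRUSTSTORE_PASSWORD = "changeit";
    static final String SERVER_DN = "CN=myhost,O=Example";        // DN the server certificate was issued to

    /** TCPS connect descriptor, same shape as in the question. */
    static String url() {
        return "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=" + HOST + ")(PORT=" + PORT + "))"
             + "(CONNECT_DATA=(SERVICE_NAME=" + SERVICE + ")))";
    }

    /** Connection properties: no cipher-suite override, server cert verified and DN-matched. */
    static Properties props(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        // Trust only what is in the truststore. Without anonymous DH suites the
        // server must present a certificate from its wallet, so an empty wallet
        // (as created by "orapki wallet create" alone) will still fail the handshake.
        p.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
        p.setProperty("javax.net.ssl.trustStoreType", "JKS");
        p.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);
        // Encryption alone does not stop an active attacker: require the server
        // certificate's DN to match the one we expect.
        p.setProperty("oracle.net.ssl_server_dn_match", "true");
        p.setProperty("oracle.net.ssl_server_cert_dn", SERVER_DN);
        return p;
    }

    /** Protocol the database sees for this session: "tcps" under TLS, "tcp" otherwise. */
    static String networkProtocol(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM dual")) {
            rs.next();
            return rs.getString(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(url(), props("dbuser", "dbpass"))) {
            String proto = networkProtocol(c);
            if (!"tcps".equalsIgnoreCase(proto)) {
                throw new IllegalStateException("expected a TLS session, got protocol " + proto);
            }
            System.out.println("connected over " + proto);
        }
    }
}
```

If the handshake still fails, the query never runs and the driver throws as in the question's stack trace; if the connection was silently routed to the plain TCP port, the protocol check fails instead. That second check is the one to keep once the listener is meant to force TLS rather than merely allow it.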

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow