Dec 07

Setting up SSL ACL in 12cR2

Before the database can connect to a website over HTTPS you need to set up an Oracle wallet holding the certificates it will use to validate the server. Start by going to the website you are going to be connecting to; in this case I am just using my own site. I am also using Safari on OS X; the steps differ slightly depending on operating system and browser.

After clicking the padlock icon and then Show Certificate, we are presented with the certificate chain. The root certificate is trusted by the browser and is used to validate the intermediate certificate, which belongs to the certificate authority, in this case Let's Encrypt. The Let's Encrypt intermediate in turn signs the certificate for my site. When Oracle tries to connect to balddba.com it will need the intermediate and the root certificates in its wallet to validate the server we are connecting to; the site's own certificate is presented by the server during the TLS handshake and does not have to be imported.

When I download the certificates we need to convert them to base-64 (PEM) encoding so that we can handle them like text files and import them with orapki.

Convert the certificates to base-64

On the database server, create a folder to hold the wallet, readable only by the Oracle software owner, since the wallet is a credential store. Since I am doing this on Oracle Cloud, I only have one database SID, and the database is not RAC, I am not worrying about putting the wallet into a dynamic location. If you want to have a wallet per SID, you can use the $QNAME variable in the sqlnet.ora.

Modify the sqlnet.ora so that WALLET_LOCATION points to the new wallet directory

Create a new auto-login wallet using orapki

Add the root and intermediate certificates to the wallet

Then validate that the certificates are in the wallet
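The wallet steps above, as a shell script added here (it is not the original post's command sequence): it converts the downloaded root and intermediate certificates to PEM, creates an auto-login wallet with orapki, adds both as trusted certificates, checks the `orapki wallet display` output for the expected subjects, and prints the sqlnet.ora stanza. The wallet directory, wallet password and the certificate subject names are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's commands. Builds an Oracle auto-login
# wallet holding the root and intermediate CA certificates so that UTL_HTTP can
# validate an HTTPS server. WALLET_DIR, WALLET_PWD and ROOT_SUBJECT are assumed
# values for illustration; override them in the environment.

WALLET_DIR="${WALLET_DIR:-/u01/app/oracle/wallet}"   # assumed location
WALLET_PWD="${WALLET_PWD:-ChangeMe_12345}"           # assumed; orapki needs one even for auto-login
ROOT_SUBJECT="${ROOT_SUBJECT:-CN=Example Root CA}"   # assumed subject to look for

# sqlnet.ora fragment pointing WALLET_LOCATION at the wallet directory.
sqlnet_wallet_stanza() {  # usage: sqlnet_wallet_stanza /path/to/wallet
    printf 'WALLET_LOCATION =\n  (SOURCE =\n    (METHOD = FILE)\n    (METHOD_DATA =\n      (DIRECTORY = %s)\n    )\n  )\n' "$1"
}

# Normalise a downloaded certificate to PEM (base-64). Browsers often export DER.
to_pem() {  # usage: to_pem input output
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        cp "$1" "$2"
    else
        openssl x509 -inform der -in "$1" -outform pem -out "$2"
    fi
}

# Create the auto-login wallet and load each CA certificate as a trusted cert.
build_wallet() {  # usage: build_wallet dir password cert.pem...
    dir=$1; pw=$2; shift 2
    mkdir -p "$dir"
    chmod 700 "$dir"   # the wallet is a credential store: owner-only
    orapki wallet create -wallet "$dir" -pwd "$pw" -auto_login
    for cert in "$@"; do
        orapki wallet add -wallet "$dir" -pwd "$pw" -trusted_cert -cert "$cert"
    done
}

# Read `orapki wallet display` output on stdin and return 0 if one of the
# "Subject:" lines contains the wanted substring, 1 otherwise.
wallet_has_subject() {  # usage: orapki wallet display -wallet DIR | wallet_has_subject 'CN=...'
    awk -v want="$1" '/^Subject:/ && index($0, want) > 0 { found = 1 } END { exit found ? 0 : 1 }'
}

# Full procedure, only when certificate files are given on the command line:
#   sh wallet.sh root.crt intermediate.crt
if [ "$#" -gt 0 ]; then
    i=0; pems=""
    for f in "$@"; do
        i=$((i + 1))
        to_pem "$f" "/tmp/ca_$i.pem"
        pems="$pems /tmp/ca_$i.pem"      # deliberately unquoted below: one path per word
    done
    build_wallet "$WALLET_DIR" "$WALLET_PWD" $pems
    if orapki wallet display -wallet "$WALLET_DIR" -pwd "$WALLET_PWD" | wallet_has_subject "$ROOT_SUBJECT"; then
        echo "root CA present in wallet"
    else
        echo "root CA missing from wallet" >&2; exit 1
    fi
    sqlnet_wallet_stanza "$WALLET_DIR"   # append to $ORACLE_HOME/network/admin/sqlnet.ora
fi
```

Run it once with the two downloaded certificate files as arguments; the sqlnet.ora fragment it prints at the end is what the next step pastes into the file. The subject check is the scripted equivalent of eyeballing the `orapki wallet display` listing.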

Now that the wallet is set up with our certificates, we move to the database side.

I am starting off by creating myself a new user, so that I am starting from scratch and not using DBA privileges.

Give the user access to connect and to use the UTL_HTTP package

We create a new ACL for the host, and another for the wallet

Now we can test the connection

There is something I think should be pointed out: there is a change from 12.1 to 12.2. utl_http.request takes a new argument called https_host.

I was getting the following error

There is now another parameter that needs to be set: https_host has to match the common name in the server's certificate.

Here is my certificate

So after adding the argument I am able to get to the page.
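The database-side steps (new user, grants, host and wallet ACLs, and the 12.2 request call with https_host), as an added shell wrapper around SQL*Plus that is not from the original post. The user name, password, wallet path, host and the SYSDBA connection are placeholders; the setup SQL runs as SYSDBA and the request runs as the new user.

```shell
#!/bin/sh
# Added example, not the original post's code. Emits and (optionally) runs the
# SQL for a least-privilege UTL_HTTP user with host and wallet ACLs, then calls
# UTL_HTTP.REQUEST the 12.2 way, with https_host. APP_USER, APP_PWD,
# TARGET_HOST and WALLET_PATH are assumed placeholder values.

APP_USER="${APP_USER:-httpuser}"
APP_PWD="${APP_PWD:-ChangeMe_12345}"
TARGET_HOST="${TARGET_HOST:-balddba.com}"
WALLET_PATH="${WALLET_PATH:-file:/u01/app/oracle/wallet}"

# Host part of an https URL (scheme, path, query and port stripped). This is
# the value https_host must carry, since it is matched against the CN in the
# certificate the server presents.
https_host_from_url() {  # usage: https_host_from_url 'https://host[:port]/path'
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/?].*$##' -e 's#:[0-9]*$##'
}

# Setup SQL, run as SYSDBA: a user with only CREATE SESSION and EXECUTE on
# UTL_HTTP, an ACE for port 443 on the target host, and an ACE on the wallet.
acl_setup_sql() {  # usage: acl_setup_sql user password host wallet_path
    cat <<EOF
CREATE USER $1 IDENTIFIED BY "$2";
GRANT CREATE SESSION TO $1;
GRANT EXECUTE ON UTL_HTTP TO $1;
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => '$3',
    lower_port => 443,
    upper_port => 443,
    ace        => XS\$ACE_TYPE(privilege_list => XS\$NAME_LIST('http'),
                              principal_name => UPPER('$1'),
                              principal_type => XS_ACL.PTYPE_DB));
  DBMS_NETWORK_ACL_ADMIN.APPEND_WALLET_ACE(
    wallet_path => '$4',
    ace         => XS\$ACE_TYPE(privilege_list => XS\$NAME_LIST('use_client_certificates', 'use_passwords'),
                               principal_name => UPPER('$1'),
                               principal_type => XS_ACL.PTYPE_DB));
END;
/
EOF
}

# The test call, run as the new user. On 12.1 the same call worked without
# https_host; on 12.2 it has to be passed and has to match the certificate CN.
# The wallet is auto-login, so no wallet_password is needed.
request_sql() {  # usage: request_sql url wallet_path
    h=$(https_host_from_url "$1")
    cat <<EOF
SET SERVEROUTPUT ON
DECLARE
  page VARCHAR2(2000);   -- UTL_HTTP.REQUEST returns at most the first 2000 bytes
BEGIN
  page := UTL_HTTP.REQUEST(url         => '$1',
                           wallet_path => '$2',
                           https_host  => '$h');
  DBMS_OUTPUT.PUT_LINE(SUBSTR(page, 1, 200));
END;
/
EOF
}

# Run end to end only when a URL is given and sqlplus is on the PATH:
#   sh acl.sh https://balddba.com/
if [ "$#" -gt 0 ] && command -v sqlplus >/dev/null 2>&1; then
    acl_setup_sql "$APP_USER" "$APP_PWD" "$TARGET_HOST" "$WALLET_PATH" | sqlplus -s / as sysdba
    request_sql "$1" "$WALLET_PATH" | sqlplus -s "$APP_USER/$APP_PWD"
fi
```

The host ACE is pinned to port 443 and the user gets nothing beyond CREATE SESSION and EXECUTE on UTL_HTTP, so a compromised application account can only reach the one host it was granted. If the request still fails after the wallet and ACLs are in place, compare the value passed as https_host with the CN shown in the certificate before touching anything else.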
