Configuring Transport Layer Security for Client Authentication and Encryption Using Microsoft Certificate Store

To perform this configuration with Microsoft Certificate Store (MCS), you use the orapki command-line tool to generate certificates and manipulate the Oracle wallets.

About Configuring Transport Layer Security for Client Authentication and Encryption Using Microsoft Certificate Store

This type of configuration is the foundation of the Common Access Cards and PIV cards authentication.

As long as the software libraries that are delivered with the Common Access Cards and PIV cards are capable of transparently loading the necessary certificates into the Microsoft Certificate Store, then the Transport Layer Security (TLS) authentication that you configure will be transparently performed.

It is important to note that all the signing certificates of the user certificate that is loaded to the PIV card must be manually loaded into the server’s wallet as part of the TLS configuration at the server level.

Step 1: Create and Configure the Server Wallet

You must use orapki to create a server wallet and the server’s self-signed certificate.

  1. Log in to the Oracle Database server.

  2. Create a directory for the server wallet.

    For example:

    mkdir /home/oracle/wallet_tls/server
  3. Go to this directory.

    cd /home/oracle/wallet_tls/server
  4. Create the server wallet.

    orapki wallet create -wallet . -auto_login -pwd password
  5. Check the directory.

    For example:

    ls -la

    Output similar to the following appears:

    total 16
    drwxr-xr-x. 2 oracle oinstall 4096 Oct 28 07:18 .
    drwxr-xr-x. 6 oracle oinstall 4096 Oct 28 07:17 ..
    
    -rw-------. 1 oracle oinstall 120 Oct 28 07:18 cwallet.sso
    
    -rw-rw-rw-. 1 oracle oinstall 0 Oct 28 07:18 cwallet.sso.lck
    
    -rw-------. 1 oracle oinstall 75 Oct 28 07:18 ewallet.p12
    
    -rw-rw-rw-. 1 oracle oinstall 0 Oct 28 07:18 ewallet.p12.lck
  6. Create the server’s self-signed certificate.

    orapki wallet add -wallet . -dn "cn=server" -self_signed -keysize 2048 -sign_alg sha256 -validity 365 -pwd password

Step 2: Create and Configure the Client Wallet

You must use orapki to create a client wallet and a certificate request.

  1. Log in to the Oracle Database client.

  2. Create a directory for the client wallet.

    For example:

    mkdir /home/oracle/wallet_tls/client
  3. Go to this directory.

    cd /home/oracle/wallet_tls/client
  4. Create the client wallet.

    orapki wallet create -wallet . -auto_login -pwd password
  5. Create a request for a user certificate and export the request.

    orapki wallet add -wallet . -dn "cn=client" -keysize 2048 -sign_alg sha256 -pwd password
    orapki wallet export -wallet . -dn "cn=client" -request req.txt -pwd password
  6. Copy the certificate request from the client directory to the server directory.

    For example:

    cp req.txt ../server/
    cd ../server/
  7. Sign the certificate of the client and also export server’s CA certificate.

    For example:

    orapki cert create -wallet . -request req.txt -cert sign.txt -validity 1000 -pwd password
    orapki wallet export -wallet . -dn "cn=server" -cert server.txt
    cp server.txt ../client
    cp sign.txt ../client
    orapki wallet add -wallet . -trusted_cert -cert server.txt -pwd password
    orapki wallet add -wallet . -user_cert -cert sign.txt -pwd password
    cp sign.txt server.txt ../client/
    cd ../client

Step 3: Create an External User in the Oracle Database

You must create an external user to be used with the client and server connection.

  1. As a user who can create users and grant them privileges, log in to the PDB that will use this external user account.

  2. Create the external user.

    For example:

    CREATE USER tlsuser IDENTIFIED EXTERNALLY AS 'cn=client';
  3. Grant this account the CONNECT privilege.

    GRANT CONNECT TO tlsuser;

Step 4: Configure the Server listener.ora File

Next, you must check and then restart the server listener.ora file.

  1. Log in to the Oracle Database server.

  2. Check the server listener.ora file to ensure that it is correctly configured.

    For example:

    cat /u01/app/oracle/product/release/dbhome_1/network/admin/listener.or

    Output similar to the following appears:

    LISTENERBOS =
         (DESCRIPTION_LIST =
           (DESCRIPTION =
             (ADDRESS = (PROTOCOL = TCP)(HOST = domain.com)(PORT = 1529))
            )
           (DESCRIPTION =
             (ADDRESS = (PROTOCOL = TCPS)(HOST = domain.com)(PORT = 1530))
             )
           )
    WALLET_LOCATION =
          (SOURCE =
            (METHOD = File)
              (METHOD_DATA =
               (DIRECTORY = /home/oracle/wallet_tls/server))
  3. Restart the listener and check if the database is registered to this listener.

    su - oracle
    ./lsnrctl start

    Output similar to the following appears:

    Listener Parameter File /u01/app/oracle/product/release/dbhome_1/network/admin/listener.ora
    Listener Log File /u01/app/oracle/diag/tnslsnr/service/instance/alert/log.xml
    Listening Endpoints Summary...
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=domain.com)(PORT=1523)))
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=domain.com)(PORT=1525)))
      Services Summary...
       Service "service" has 1 instance(s).
        Instance "instance", status READY, has 1 handler(s) for this service...
       Service "serviceDB" has 1 instance(s).
        Instance "instance", status READY, has 1 handler(s) for this service...
     The command completed successful

Step 5: Configure the Server sqlnet.ora File

You must ensure that the sqlnet.ora file points to the server wallet that you created earlier.

  1. Log in to the Oracle Database server.

  2. Check the sqlnet.ora file to ensure that it points to the server wallet.

    For example:

    NAMES.DIRECTORY_PATH=(TNSNAMES)
    SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS)
    SSL_CLIENT_AUTHENTICATION = TRUE
    WALLET_LOCATION =
     (SOURCE =
      (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /home/oracle/wallet_tls/server)
        )
    )

Step 6: Import the Client Wallet into the Microsoft Certificate Store

You must use the Microsoft Management Console (MMC) to perform this import operation.

  1. Start the MMC (mmc.exe).

  2. Select File, then add/remove snap-in.

  3. Select Certificates, then Add.

  4. Select My user account, then Finish, and then OK.

  5. Go to the Console Root, then Certificates Current User, then Personal, then Certificates.

  6. Right-click All Tasks, then select Import, then Next, then Browse.

  7. Select the certificate file that contains the certificate needed for the connection (for example, ewallet.p12).

  8. Select Open, then Next.

  9. Enter the wallet password.

  10. Select the Mark this as exportable checkbox.

  11. Select the Include all extended properties checkbox.

  12. Select Place all certificates in the following store: Personal.

  13. Select Next, then Finish.

  14. Ensure that the client’s certificate was added to the MY store, by going to Console Root, and then selecting Certificates Current User, then Personal, then Certificates.

  15. Ensure that the CA certificates were added to the ROOT store by going to Console Root, and then selecting Certificates Current User, then Trusted Root Certification Authorities, then Certificates.

Step 7: Configure the Client sqlnet.ora File

You must configure the client sqlnet.ora file to use Microsoft Certificate Store for the client wallet.

  1. Log in to the Oracle Database client.

  2. Check the client side sqlnet.ora file.

    For example:

    WALLET_LOCATION = (SOURCE = (METHOD=MCS))

Step 8: Configure the Oracle Database

In the Oracle database, configure the OS_AUTHENT_PRE and REMOTE_OS_AUTH parameters.

  1. Set the OS_AUTHENT_PRE and REMOTE_OS_AUTH parameters.

    ALTER SYSTEM SET REMOTE_OS_AUTHENT=FALSE SCOPE=SPFILE;
    ALTER SYSTEM SET OS_AUTHENT_PREFIX='' SCOPE=SPFILE;
  2. Restart the database instance.

Step 9: Test the Client and Server Connection

After you complete the Microsoft Certificate Store configuration, you should test the and server connection.

  1. To verify that the MCS is used for the TLS connection, enable the client trace by adding the following lines in the client’s sqlnet.ora file.

    trace_level_client=16
    trace_directory_client=trace_directory
    DIAG_ADR_ENABLED=OFF
  2. Make a connection to the server using SQL*Plus and then ensure that the certificates are loaded successfully from MCS.

    nztwOpenWallet: [enter]
    nztwOpenWallet: WRL mcs:, type = 24
    nztwOpenWallet: Loading the EXTKS provider for MCS type wallet
    nztwOpenWallet: [exit] OK