1 Configure Secure Transport Layer Security for SilverWhere and Oracle Database Connection

Reference Documents

For details on how to configure and use the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, see the official Oracle Advanced Security documentation.

For Oracle 12c database: https://docs.oracle.com/en/database/oracle/oracle-database/12.2/dbseg/configuring-secure-sockets-layer-authentication.html#GUID-6AD89576-526F-4D6B-A539-ADF4B840819F

For Oracle 19c database: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/configuring-secure-sockets-layer-authentication.html

Difference between Secure Sockets Layer and Transport Layer Security

Transport Layer Security (TLS) is an incremental version of Secure Sockets Layer (SSL) version 3.0. Although SSL was primarily developed by Netscape Communications Corporation, the Internet Engineering Task Force (IETF) took over the development and renamed it Transport Layer Security (TLS).

Recommended TLS Version for SilverWhere

TLS 1.2 and above is the recommended protocol for SilverWhere.

Prerequisites

The minimum Oracle Database Server version is Oracle Database Enterprise Edition 12c Release or later.

On the application machine, the Oracle Database 12c 32-bit ODAC or later and the 12c Client or later are required.

The Oracle public key infrastructure (PKI), which provides Oracle Wallet and Oracle Wallet Manager (OWM), is required. The OraclePKI command-line utility (orapki) is used to create the keys and certificates; it is located in the $ORACLE_HOME/bin folder.

Using TLS for SilverWhere Clients and Oracle Database Connection

Transport Layer Security (TLS) can be used in a multi-tenant environment for SilverWhere applications. If you want to use TLS in a multi-tenant environment for a SilverWhere application, you must ensure that the database is able to use its own wallet with its own certificates for TLS authentication.

TLS works with the core Oracle Database features such as encryption and data access controls. By using Oracle Database SSL functionality to secure communications between clients and servers, you can:
  • use TLS to encrypt the connection between clients and servers, and

  • authenticate any client or server, to any Oracle database server that is configured to communicate over TLS

Enabling TLS 1.2 for SilverWhere Clients and Oracle Database Connection

You must configure TLS 1.2 on the Oracle Database Server first, and then the SilverWhere Clients.

  • Configure TLS 1.2 on the Oracle Database Server.
    • Configure the Oracle wallet and use TCP/IP with SSL on the server. See Step 1, Step 3, and Step 4.

  • Configure TLS 1.2 on the SilverWhere Clients.
    • When configuring SSL on the client, configure the server DNS to use TCP/IP with SSL on the client. See Step 2 and Step 5.

  • Log in to the Database Instance.
    • After you have completed the configuration, you are ready to log in to the database.

Step 1: Configure Oracle Wallet for Server (Database) Side

Open a command prompt window as a normal user.

Create a directory on the server machine to store the server wallet; this location is referred to as <SERVER_WALLET>. Run the commands below from the C:\Oracle folder.

>mkdir wallets
>cd wallets
>mkdir db
>cd db

Based on the sample above, the value for <SERVER_WALLET> is “C:\Oracle\wallets\db”.

Create a wallet for the Oracle Database server. Create an empty wallet with auto login enabled:

> orapki wallet create -wallet "<SERVER_WALLET>" -pwd <password> -auto_login

Example: orapki wallet create -wallet "C:\Oracle\wallets\db" -pwd <password> -auto_login

Add a self-signed certificate in the wallet (a new pair of private/public keys is created):

> orapki wallet add -wallet "<SERVER_WALLET>" -pwd <password> -dn "CN=<server_machine_name>" -keysize 2048 -self_signed -validity <No. of Days>

Example:

orapki wallet add -wallet "C:\Oracle\wallets\db" -pwd <password> -dn "CN=server1" -keysize 2048 -self_signed -validity 365

Check the contents of the wallet. Notice the self-signed certificate is both a user and trusted certificate.

> orapki wallet display -wallet "<SERVER_WALLET>" -pwd <password>

Export the certificate so it can be loaded into the client wallet later.

> orapki wallet export -wallet "<SERVER_WALLET>" -pwd <password> -dn "CN=<server_machine_name>" -cert <SERVER_WALLET>\<server-certificate-name>.crt

Example:

orapki wallet export -wallet "C:\Oracle\wallets\db" -pwd <password> -dn "CN=server1" -cert C:\Oracle\wallets\db\server-cert-db.crt

Check that the certificate file has been exported to the directory above.

Step 2: Configure Oracle Wallet for Client (Application) Side

You must create a client wallet on every SilverWhere Client machine: repeat the steps below on each of the database client machines.

Open a command prompt window as a normal user.

Create a directory on the client machine to store the client wallet. Let’s call it <CLIENT_WALLET>. Create it under the “C:\Oracle” folder.

>mkdir wallets
>cd wallets
>mkdir user
>cd user

Based on the sample above, the value for <CLIENT_WALLET> is C:\Oracle\wallets\user

Create a wallet for the Oracle client. Create an empty wallet with auto login enabled:

> orapki wallet create -wallet "<CLIENT_WALLET>" -pwd <password> -auto_login

Add a self-signed certificate in the wallet (a new pair of private/public keys is created):

> orapki wallet add -wallet "<CLIENT_WALLET>" -pwd <password> -dn "CN=<client_machine_name>" -keysize 2048 -self_signed -validity <No. of Days>

Note:

Ensure each client certificate has a unique name or use the client machine name as the certificate name.

Check the contents of the wallet. Note that the self-signed certificate is both a user and a trusted certificate.

> orapki wallet display -wallet "<CLIENT_WALLET>" -pwd <password>

Export the certificate, so it can be loaded into the server wallet later.

> orapki wallet export -wallet "<CLIENT_WALLET>" -pwd <password> -dn "CN=<client_machine_name>" -cert <CLIENT_WALLET>\<client-certificate-name>.crt

Check that the certificate file has been exported to the directory above.

Step 3: Exchange Certificates Between the Clients and the Server

These instructions exchange the server and client public-key certificates. The steps must be repeated on each of the database client machines.

Copy <server-certificate-name>.crt from the server machine to the client machine <CLIENT_WALLET> folder.

Copy <client-certificate-name>.crt from the client machine to the server machine <SERVER_WALLET> folder.

Load the server certificate into the client wallet.

> orapki wallet add -wallet "<CLIENT_WALLET>" -pwd <password> -trusted_cert -cert <CLIENT_WALLET>\<server-certificate-name>.crt

Check the contents of the client wallet. Note that the server certificate is now included in the list of trusted certificates.

> orapki wallet display -wallet "<CLIENT_WALLET>" -pwd <password>

Load the client certificate into the server wallet.

> orapki wallet add -wallet "<SERVER_WALLET>" -pwd <password> -trusted_cert -cert <SERVER_WALLET>\<client-certificate-name>.crt

Check the contents of the server wallet. Note that the client certificate is now included in the list of trusted certificates.

Step 4: Configure the Oracle Database to Listen for TCPS Connection

Configure the listener.ora and sqlnet.ora files on the Database Server using the following steps.

Figure 1-1 Net Manager (this figure shows the Net Manager screen)

To configure the listener.ora file,

  1. Launch the Net Manager Tool.

  2. Expand the Listeners container under Local, and select the Listener.

  3. Click Add Address and select TCP/IP with SSL as the protocol.

  4. Enter the hostname and port as shown in the screen shot below.

    Figure 1-2 Listener, Address Tab (this figure shows the Listener Address tab and buttons)

  5. Click File, and then Save Network Configuration to save the setting. Below is an example of the listener.ora file:

    ...
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
        )
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = example.com)(PORT = <PORT NO>))
        )
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = example.com)(PORT = <PORT NO>))
        )
      )
    ...

To configure the sqlnet.ora file using Oracle Net Manager:

  1. Click Profile, and then select Network Security from the drop-down list.

  2. Select the SSL tab, and then the Server option.

  3. Enter the values as shown below:

    • Configuration Method: File System

    • Wallet Directory: <SERVER_WALLET>

    • Configure SSL for: Server

    • Revocation Check: None

    • Require Client Authentication: FALSE

    Figure 1-3 Net Manager, Network Security (this figure shows the Net Manager Network Security screen)

  4. Click File, and then Save Network Configuration to save. At this point, exit the Oracle Net Manager tool and ensure all changes are saved.

    Since the Oracle Net Manager does not allow certain values to be changed, open <ORACLE_HOME>/network/admin/sqlnet.ora and make sure the following properties are set as follows:

    SSL_VERSION = 1.2
    SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_GCM_SHA256)
    

In <ORACLE_HOME>/dbs/init.ora make sure the following property is set to_use_fips_mode=FALSE

Restart the Database Service and the listener so that all the above changes take effect. Restart the corresponding Database Service from Windows Services (Administrative Tools, Services). The listener can be restarted from Windows Services or from the command line as shown below:
  • Open the command prompt using Run as Administrator and run the following commands:

    > lsnrctl stop
    > lsnrctl start
After completing the steps, re-open the Net Manager. Below are samples of the sqlnet.ora and listener.ora files:

<ORACLE_HOME>/network/admin/sqlnet.ora

...
SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = C:/Oracle/wallets/db))
  )
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_GCM_SHA256)
...

<ORACLE_HOME>/network/admin/listener.ora

...
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = C:/Oracle/wallets/db))
  )
...

To configure the tnsnames.ora file:

  1. Click Service Naming in Net Manager.

  2. Click Edit, and then Create to create a new service. Complete the Net Service Name Wizard as described below:

    • Net Service Name: <Service Name>
    • Select: “TCP/IP with SSL (Secure Internet Protocol)”

    • Host Name: <Host Name>

    • Port Number: <Port Number>

    • (Oracle8i or later) Service Name: <Service Name>

    • Connection Type: Default database

    Test the connection on page 5 of the wizard.

    Figure 1-4 Net Manager Service Name (this figure shows the Net Manager Service Name screen)

    Here is the sample tnsnames.ora file:

    ...
    <DB_TNS_NAME> =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = <DB_Address>)(PORT = <DB_Port>))
        )
        (CONNECT_DATA = (SERVICE_NAME = <DB_Name>))
      )
    ...

  3. Click File, and then Save Network Configuration to save.

  4. Click File, and then click Exit. All server configurations have been completed.

Step 5: Configure the Oracle Client to Connect with TCPS Connection

Perform the following configuration on the machine running the SilverWhere application.

  1. Follow the steps in Step 4 for configuring the client sqlnet.ora file. This file is located in the <ORACLE_HOME>/network/admin folder. File contents are similar to the example below.

    ...
    SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,NTS)
    SSL_CLIENT_AUTHENTICATION = FALSE
    SSL_VERSION = 1.2
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA = (DIRECTORY = C:/Oracle/wallets/user))
      )
    SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_GCM_SHA256)
    ...

  2. Follow the steps in Step 4 for configuring the tnsnames.ora file on the client (application) machine. This file is located in the <ORACLE_HOME>/network/admin folder. Below are the sample file contents:

    <DB_TNS_NAME> =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = <DB_Address>)(PORT = <DB_Port>))
        )
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = <DB_Name>)
        )
      )

  3. Connect to the Database using SQL*Plus client with SSL.

  4. Launch the SQL*Plus session from the command line by entering the credentials and connect string as <username>/<password>@ssl_connectstring.
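
As an added example (not part of this guide or of the SilverWhere product), the following Python audit parses the three Oracle Net files configured in Steps 4 and 5 and reports any setting that deviates from what those steps expect: a TCPS listener address, SSL_VERSION = 1.2, a wallet directory, a restricted cipher-suite list, and a TCPS-only TNS entry. The sample file contents, host name, port, service name and TNS alias are constructed placeholders.

```python
import re

# Tokens of an Oracle Net parameter file: parens, '=' and bare words (commas are skipped).
_TOK = re.compile(r"\(|\)|=|[^\s()=,]+")

def parse_net(text):
    """Flatten an Oracle Net file into [(path, value)]; value is a str or, for (A,B,C), a list."""
    toks, out, pos = _TOK.findall(re.sub(r"#.*", "", text)), [], 0
    def entry(path):                               # parse one 'NAME = value' at toks[pos]
        nonlocal pos
        path, pos = path + (toks[pos],), pos + 2   # skip NAME and '='
        if toks[pos] != "(":                       # scalar, e.g. SSL_VERSION = 1.2
            out.append((path, toks[pos]))
            pos += 1
        elif toks[pos + 2:pos + 3] != ["="]:       # bare list, e.g. (BEQ,TCPS,NTS)
            end = toks.index(")", pos)
            out.append((path, toks[pos + 1:end]))
            pos = end + 1
        else:
            while pos < len(toks) and toks[pos] == "(":   # nested (NAME = value) groups
                pos += 1
                entry(path)
                pos += 1                           # consume the group's closing ')'
    while pos < len(toks):
        entry(())
    return out
def values(tree, top, leaf):                       # values under entry `top` named `leaf`
    return [v for p, v in tree if p[0] == top and p[-1] == leaf]

def audit(listener_ora, sqlnet_ora, tnsnames_ora, alias):
    """Findings against the TLS 1.2 settings this guide expects (empty list = compliant)."""
    lsn, net, tns = (parse_net(t) for t in (listener_ora, sqlnet_ora, tnsnames_ora))
    checks = [
        ("listener.ora: no TCPS address", "TCPS" in values(lsn, "LISTENER", "PROTOCOL")),
        ("sqlnet.ora: SSL_VERSION is not 1.2", values(net, "SSL_VERSION", "SSL_VERSION") == ["1.2"]),
        ("sqlnet.ora: WALLET_LOCATION has no DIRECTORY", bool(values(net, "WALLET_LOCATION", "DIRECTORY"))),
        ("sqlnet.ora: SSL_CIPHER_SUITES not set", bool(values(net, "SSL_CIPHER_SUITES", "SSL_CIPHER_SUITES"))),
        (f"tnsnames.ora: {alias} is not TCPS-only", set(values(tns, alias, "PROTOCOL")) == {"TCPS"}),
    ]
    return [msg for msg, ok in checks if not ok]

# Constructed samples mirroring the guide's files; host, port, service name and alias are placeholders.
SQLNET_OK = """SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,NTS)
SSL_VERSION = 1.2
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = C:/Oracle/wallets/db)))
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_GCM_SHA256)"""
LISTENER_OK = """LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.test)(PORT = 2484))))"""
TNS_OK = """SILVERWHERE_TLS = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)
  (HOST = db.example.test)(PORT = 2484))) (CONNECT_DATA = (SERVICE_NAME = orclpdb)))"""
```

Running audit() on the real files under <ORACLE_HOME>/network/admin before restarting the listener catches a TNS entry that was left on plain TCP or an SSL_VERSION that Net Manager did not write.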

Note:

To enable the IIS Server connection to the database, the wallet folder on the IIS server must grant IIS_IUSR permission to access the wallet. For further details, see Oracle Database Security Guide, section “Configuring Secure Sockets Layer Authentication”, located at: https://docs.oracle.com/database/121/DBSEG/asossl.htm#DBSEG9665

Disabling TLS 1.0 and TLS 1.1, and Disallowing Cipher Suites in TLS 1.2

In order to disable TLS 1.0 and 1.1, follow the instructions below.

Note:

We strongly recommend backing up your current registry before making any changes. This can be done by clicking File, then Export, and then saving the backup at a safe location.

  1. Open the Registry Editor by typing regedit in the search box on the taskbar and selecting it.

  2. In the left panel, browse to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

  3. Expand the TLS 1.0 and TLS 1.1 folders and verify whether the Client and Server registry keys are present:

    • If the keys are not present, follow the steps below to create them:

      1. Right click TLS 1.0, then choose New and select Key from the list

      2. Name the new key Client

      3. Repeat steps 1-2 and name the key Server

      4. Repeat steps 1-3 for TLS 1.1

    • If the keys are present, follow the steps below to disable the protocols:

      1. Expand TLS 1.0 and right-click Client, then choose New and select DWORD (32-bit) Value from the list

      2. Name the new value Enabled

      3. Right-click the newly created value and click Modify

      4. Verify that the Value data is 0 and the Base is set to Hexadecimal

      5. Repeat steps 1-4 for Server

      6. Repeat steps 1-5 for TLS 1.1

  4. Close the Registry Editor and restart your computer

Disable cipher suites in TLS 1.2

To disable cipher suites in TLS 1.2, follow the instructions below:

  1. Open Windows PowerShell with administrator privileges

  2. Disable the following cipher suites (IANA names, categories D1 and U1) by running the following commands:

    • Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"

    • Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"

    • Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_GCM_SHA384"

    • Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA256"

    • Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA"

    • Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"

    • Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"

    • Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_GCM_SHA256"

    • Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA256"

    • Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA"

    • Disable-TlsCipherSuite -Name "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

  3. Close PowerShell and restart your computer