In my previous post I discussed the first steps in the configuration of an Oracle database for user authentication using a smart card, such as the DoD Common Access Card (CAC). Along with some general considerations for setting up SSL/TLS authentication, I went over the construction of the database server’s Oracle Wallet. In this post I will continue with the server configuration – specifically the sqlnet.ora and listener.ora files.
Configure the Server sqlnet.ora File
If your configuration is for a basic database server (i.e. not RAC), then your server sqlnet.ora file will be located in the $ORACLE_HOME\network\admin directory. If your configuration includes Oracle RAC or Oracle Restart using Grid Infrastructure, a second sqlnet.ora file will be located in the $GRID_HOME\network\admin directory. In this case, both files must be modified to include the same AUTHENTICATION_SERVICES, WALLET_LOCATION, and SSL parameters.
The server sqlnet.ora file should contain the following entries. VALID_NODE checking may have to be disabled.
SQLNET.AUTHENTICATION_SERVICES = (BEQ,TCPS)

# Timeout parameters may need to be adjusted for individual
# servers
SQLNET.INBOUND_CONNECT_TIMEOUT = 180
SQLNET.EXPIRE_TIME = 1

# Parameters for native Oracle encryption (if used by non-SSL
# clients) must be set to "accepted" or "rejected". A setting of
# "required" will cause SSL connections to fail because Oracle
# does not allow double encryption.
SQLNET.ENCRYPTION_SERVER = accepted
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, 3DES168)
SQLNET.CRYPTO_CHECKSUM_SERVER = accepted
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1, MD5)

SSL_VERSION=1.0

# Use this parameter to specify the location of the Oracle wallet
# which contains server and client certificates and credentials
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = wallet_path)
    )
  )

# Use this parameter to specify the location of the Oracle wallet
# which contains encryption keys for Transparent Data Encryption.
# This should be a separate wallet from the credential/certificate
# wallet.
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = encryption_wallet_path)
    )
  )
Configure the Server listener.ora File
In this configuration, the listener must listen for both TCP and TCPS protocols, which must use separate ports. The default port for TCP services is 1521. The standard port recommended by Oracle for TCPS services is 2484. Depending on individual server and system configurations, this may require the addition or alteration of firewall exceptions for incoming connections.
Configure the Server listener.ora File for the Database Home
If your configuration is for a basic database server installation (i.e. not Oracle RAC or Oracle Restart), your server listener.ora file will be located in the [ORACLE_HOME]\network\admin directory.
- It is safer to shut down the listener first, before making any changes to the file.
$> lsnrctl stop
- In this configuration, the listener.ora file should contain the following entries. It is important that the TCP address comes before the TCPS address.
(ADDRESS = (PROTOCOL = TCP)(HOST = host_name)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = host_name)(PORT = 2484))

WALLET_LOCATION =
  (SOURCE=
    (METHOD=FILE)
    (METHOD_DATA=
      (DIRECTORY=wallet_location)
    )
  )

SSL_VERSION=1.0
- Once the configuration has been changed, restart the listener and check the status.
$> lsnrctl start
$> lsnrctl status

LSNRCTL for Linux: Version 184.108.40.206.0 - Production on 18-JAN-2018 11:35:05
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 220.127.116.11.0 - Production
Start Date                01-JAN-2018 00:00:00
Uptime                    1 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   oracle_home/network/admin/listener.ora
Listener Log File         oracle_home/diag/tnslsnr/.../log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=xx.xx.xx.xx)(PORT=2484)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=xx.xx.xx.xx)(PORT=1521)))
Configure the Server listener.ora File for Grid Infrastructure
If your configuration is for Oracle RAC or Oracle Restart using Grid Infrastructure, your server listener.ora file will be located in the [GRID_HOME]\network\admin directory, and the steps for configuring TCPS services are slightly different.
- It is safer to shut down the listeners first, before making any changes to the file.
$> srvctl stop listener
$> srvctl stop scan_listener
- The listener.ora file should contain the following entries.
WALLET_LOCATION =
  (SOURCE=
    (METHOD=FILE)
    (METHOD_DATA=
      (DIRECTORY=wallet_location)
    )
  )

SSL_VERSION=1.0
- Use srvctl to add the TCPS services to each listener.
$> srvctl modify listener -p "TCP:1521/TCPS:2484"
$> srvctl modify scan_listener -p "TCP:1521/TCPS:2484"
- Restart each listener and check the status.
$> srvctl start listener
$> srvctl start scan_listener

$> srvctl config listener
Name: LISTENER
Network: 1, Owner: grid
Home: <CRS home>
End points: TCP:1521/TCPS:2484

$> srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:2484
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521/TCPS:2484
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521/TCPS:2484

$> lsnrctl status listener
…
$> lsnrctl status listener_scan1
…
It may be necessary to restart each database, as well.
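As an added check (example code written for this walkthrough, not part of the original post and not an Oracle tool), the Python script below audits a sqlnet.ora and listener.ora pair, plus the end points reported by srvctl config, against the rules from the sqlnet.ora, listener.ora and Grid Infrastructure sections above: TCPS in AUTHENTICATION_SERVICES, native encryption not set to "required", separate TDE and certificate wallets, the TCP address listed before the TCPS address, and TCPS present in the Grid listener end points. The file contents and srvctl output embedded in it are constructed samples that deliberately contain those mistakes; the wallet paths are placeholders.

```python
import re

# Constructed samples (not from the post) with the mistakes the post warns about.
SQLNET_ORA = """\
SQLNET.AUTHENTICATION_SERVICES = (BEQ,TCPS)
SQLNET.ENCRYPTION_SERVER = required
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/wallet)))
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/wallet)))
"""
LISTENER_ORA = """\
(ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost)(PORT = 2484))
(ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
WALLET_LOCATION = (SOURCE= (METHOD=FILE) (METHOD_DATA= (DIRECTORY=/u01/wallet)))
"""
SRVCTL_CONFIG = "Name: LISTENER\nNetwork: 1, Owner: grid\nEnd points: TCP:1521\n"

def _strip(text):
    """Drop '#' comments so commented-out settings are not mistaken for live ones."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def _scalar(text, name):
    """Lower-cased value of a simple NAME = value line, or None if absent."""
    m = re.search(r"(?im)^\s*" + re.escape(name) + r"\s*=\s*([^\s(]+)", text)
    return m.group(1).lower() if m else None

def _wallet_dir(text, name):
    """DIRECTORY inside a (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=...))) block."""
    m = re.search(r"\b" + name + r"\s*=.*?\(\s*DIRECTORY\s*=\s*([^)\s]+)", text, re.I | re.S)
    return m.group(1) if m else None

def audit(sqlnet, listener, srvctl_output=None):
    """Return findings; an empty list means the files follow the rules in the post."""
    s, l, findings = _strip(sqlnet), _strip(listener), []
    auth = re.search(r"(?i)AUTHENTICATION_SERVICES\s*=\s*\(([^)]*)\)", s)
    if not auth or "TCPS" not in auth.group(1).upper():
        findings.append("sqlnet: AUTHENTICATION_SERVICES must include TCPS")
    for p in ("SQLNET.ENCRYPTION_SERVER", "SQLNET.CRYPTO_CHECKSUM_SERVER"):
        if _scalar(s, p) == "required":  # Oracle does not allow double encryption
            findings.append(f"sqlnet: {p}=required will make SSL connections fail")
    if _wallet_dir(s, "WALLET_LOCATION") == _wallet_dir(s, "ENCRYPTION_WALLET_LOCATION"):
        findings.append("sqlnet: TDE wallet must be separate from the certificate wallet")
    tcp = re.search(r"\(PROTOCOL\s*=\s*TCP\s*\)", l, re.I)
    tcps = re.search(r"\(PROTOCOL\s*=\s*TCPS\s*\)", l, re.I)
    if not (tcp and tcps) or tcp.start() > tcps.start():
        findings.append("listener: TCP ADDRESS must come before the TCPS ADDRESS")
    if _wallet_dir(l, "WALLET_LOCATION") is None or _scalar(l, "SSL_VERSION") is None:
        findings.append("listener: WALLET_LOCATION and SSL_VERSION must both be set")
    # Grid Infrastructure adds TCPS with srvctl, so check the end points it reports
    if srvctl_output is not None and not re.search(r"\bTCPS:\d+", srvctl_output):
        findings.append("grid: listener end points lack TCPS (srvctl modify listener -p)")
    return findings
```

The script only reads configuration text; after fixing anything it flags, confirm with lsnrctl status that the tcps endpoint is actually listening on port 2484.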
This completes the initial configuration steps for the server. In my next post I will look at configuration of the Windows client.