In Part 1 and Part 2 of this series I described the process for configuring the server wallet, sqlnet.ora, and listener.ora files. In this post I will discuss how to configure the client for SSL authentication with a smart card.
At this point it is assumed that an Oracle Client has already been installed. The client must be version 188.8.131.52 or higher; this configuration does not work on lower versions. Ensure that Oracle Clients are patched as patches become available, and test each patch in the Development and Test environments before deploying it to Production.
No client Oracle Wallet is required to use the DoD Common Access Card when the certificate is read from the Microsoft Certificate Store. Hardware and software, such as ActivClient, must be installed so that Windows can read the certificate from the CAC / PIV.
Configure the Client sqlnet.ora File
The client sqlnet.ora file should contain the following entries:
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SQLNET.EXPIRE_TIME=1

# Parameters for native Oracle encryption (if used by non-SSL
# servers) must be set to "accepted" or "rejected". A setting of
# "required" will cause SSL connections to fail because Oracle
# does not allow double encryption.
SQLNET.ENCRYPTION_CLIENT = accepted
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = accepted
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)

# Ensure that the certificate from the server matches the DN in
# tnsnames.ora.
SSL_SERVER_DN_MATCH = TRUE
SSL_VERSION = 1.0
WALLET_LOCATION = (SOURCE=(METHOD=MCS))
Configure the Client tnsnames.ora File
The tnsnames.ora file must contain an entry for the TCPS connection to the database on port 2484. The SECURITY section should include the distinguished name of the server certificate for validation.
[DB_NAME] =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = [HOST_ADDRESS])(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = [SERVICE_NAME])
    )
    (SECURITY =
      (SSL_SERVER_CERT_DN = "CN=[HOST_ADDRESS],OU=USAF,OU=PKI,OU=DoD,O=U.S. Government,C=US")
    )
  )
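To check the two client files against the settings above before troubleshooting a failed smart-card logon, here is an added example in Python (not from the original post): it parses a sqlnet.ora and a tnsnames.ora and reports the mistakes the post warns about (native encryption set to "required" alongside TCPS, SSL_SERVER_DN_MATCH not TRUE, a wallet not backed by the Microsoft Certificate Store, and a TCPS alias that is off port 2484 or whose SSL_SERVER_CERT_DN CN does not match the HOST). The parser, the function names and the constructed sample files with the made-up host db.example.mil are all assumptions of this example.

```python
# Added example (not from the original post): a lint for the client-side
# sqlnet.ora and tnsnames.ora settings described above. Assumptions: one
# parameter per line in sqlnet.ora and the usual parenthesised tnsnames.ora
# syntax; the sample files at the bottom are constructed.


def parse_sqlnet(text):
    """Return {PARAMETER: value} from sqlnet.ora text, dropping '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params


def _parse_tns_value(s, i):
    """Parse a tnsnames.ora value at s[i]: a parenthesised list of (KEY, value)
    children, a quoted string, or a bare token. Returns (value, next index)."""
    while i < len(s) and s[i].isspace():
        i += 1
    if i >= len(s):
        raise ValueError("unexpected end of tnsnames.ora text")
    if s[i] == "(":
        children = []
        while True:
            while i < len(s) and s[i].isspace():
                i += 1
            if i >= len(s) or s[i] != "(":
                break
            eq = s.index("=", i)
            key = s[i + 1:eq].strip().upper()
            value, i = _parse_tns_value(s, eq + 1)
            while s[i].isspace():
                i += 1
            if s[i] != ")":
                raise ValueError(f"expected ')' after {key} at offset {i}")
            i += 1
            children.append((key, value))
        return children, i
    if s[i] == '"':
        end = s.index('"', i + 1)
        return s[i + 1:end], end + 1
    j = i
    while j < len(s) and s[j] not in "()":
        j += 1
    return s[i:j].strip(), j


def parse_tnsnames(text):
    """Return {ALIAS: children} for every alias in tnsnames.ora text."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    aliases, i = {}, 0
    while True:
        eq = text.find("=", i)
        if eq < 0:
            break
        alias = text[i:eq].strip().upper()
        value, i = _parse_tns_value(text, eq + 1)
        aliases[alias] = value
    return aliases


def find_all(children, key):
    """Depth-first collect every value stored under `key` in a parsed tree."""
    found = []
    for k, v in children:
        if k == key:
            found.append(v)
        if isinstance(v, list):
            found.extend(find_all(v, key))
    return found


def parse_dn(dn):
    """Split 'CN=x,OU=y,...' into (ATTR, value) pairs (no escaped commas)."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_client_config(sqlnet_text, tns_text):
    """Return a list of findings; an empty list means the files follow the
    guidance above (TCPS auth, no 'required' native encryption, DN matching
    on, MCS wallet, port 2484, and a certificate DN whose CN is the host)."""
    findings = []
    p = parse_sqlnet(sqlnet_text)
    if "TCPS" not in p.get("SQLNET.AUTHENTICATION_SERVICES", "").upper():
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not include TCPS")
    for key in ("SQLNET.ENCRYPTION_CLIENT", "SQLNET.CRYPTO_CHECKSUM_CLIENT"):
        if p.get(key, "").lower() == "required":
            findings.append(f"{key}=required: Oracle does not allow double "
                            "encryption, so TCPS connections fail")
    if p.get("SSL_SERVER_DN_MATCH", "").upper() != "TRUE":
        findings.append("SSL_SERVER_DN_MATCH is not TRUE: server certificate DN is not checked")
    if "METHOD=MCS" not in p.get("WALLET_LOCATION", "").replace(" ", "").upper():
        findings.append("WALLET_LOCATION does not use the Microsoft Certificate Store (METHOD=MCS)")
    for alias, tree in parse_tnsnames(tns_text).items():
        for addr in find_all(tree, "ADDRESS"):
            a = dict(addr)
            if a.get("PROTOCOL", "").upper() != "TCPS":
                continue
            if a.get("PORT") != "2484":
                findings.append(f"{alias}: TCPS address uses port {a.get('PORT')}, not 2484")
            dns = find_all(tree, "SSL_SERVER_CERT_DN")
            if not dns:
                findings.append(f"{alias}: no SSL_SERVER_CERT_DN, so DN matching has nothing to compare")
                continue
            cn = dict(parse_dn(dns[0])).get("CN")
            if cn != a.get("HOST"):
                findings.append(f"{alias}: certificate CN {cn!r} does not match HOST {a.get('HOST')!r}")
    return findings


# Constructed sample files; the host and service names are made up.
GOOD_SQLNET = """\
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SQLNET.EXPIRE_TIME=1
SQLNET.ENCRYPTION_CLIENT = accepted
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = accepted
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)
SSL_SERVER_DN_MATCH = TRUE
SSL_VERSION = 1.0
WALLET_LOCATION = (SOURCE=(METHOD=MCS))
"""
# Same file with native encryption forced on, which breaks TCPS.
BAD_SQLNET = GOOD_SQLNET.replace("SQLNET.ENCRYPTION_CLIENT = accepted",
                                 "SQLNET.ENCRYPTION_CLIENT = required")
GOOD_TNS = """\
ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.mil)(PORT = 2484))
    )
    (CONNECT_DATA = (SERVICE_NAME = orcl.example.mil))
    (SECURITY =
      (SSL_SERVER_CERT_DN = "CN=db.example.mil,OU=USAF,OU=PKI,OU=DoD,O=U.S. Government,C=US")
    )
  )
"""
# Same alias pointing at a host whose name differs from the certificate CN.
BAD_TNS = GOOD_TNS.replace("(HOST = db.example.mil)", "(HOST = 10.0.0.5)")

if __name__ == "__main__":
    for label, sq, tns in (("good", GOOD_SQLNET, GOOD_TNS), ("bad", BAD_SQLNET, BAD_TNS)):
        print(label, check_client_config(sq, tns) or "OK")
```

The CN-versus-HOST check matters because SSL_SERVER_DN_MATCH = TRUE makes the client reject the connection when the DN presented by the server does not match SSL_SERVER_CERT_DN, so a tnsnames.ora entry copied from another host fails at connect time rather than silently skipping validation.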
Once the client configuration files are set correctly, you are ready to configure the database itself, which will be the subject of part 4.