The database listener can be configured to listen on an SSL-enabled port. With Oracle Wallet Manager and certificates (either self-signed by your own certificate authority or provided by an external CA such as Verisign) this can provide more secure client to database connections.
First off, you would launch the Wallet Manager application (owm is the binary)
Click on the Wallet menu and go to New wallet. You will be presented with a password box – specify the password you want to protect your wallet.
You will then be prompted to create a new certificate request. You can either do this or click No and go through that process later. Below is the new CSR screen:
Once this certificate has been created, export the certificate (select the CSR, go to the Operations menu and click Export Certificate Request). This is then sent to the Certificate Authority for signing.
Once that’s done, you will get back the signed certificate as well as the Certificate Authority’s own certificate to import (Operations menu, Import Trusted Certificate for the CA cert, Import User Certificate for the signed cert). These certificates should also be provided to your applications team.
With all this in place, you need to configure the TNS files.
listener.ora configuration
SID_LIST_LISTENER =(SID_LIST =(SID_DESC =(GLOBAL_DBNAME = database.domain.com)(ORACLE_HOME = /opt/oracle/product/10.2.0)(SID_NAME = service_name)))LISTENER =(DESCRIPTION_LIST =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = host.domain.com)(PORT = 1521)))(DESCRIPTION =(ADDRESS = (PROTOCOL = TCPS)(HOST = host.domain.com)(PORT = 2521))))WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/opt/oracle/product/10.2.0/wallet)))SSL_CLIENT_AUTHENTICATION=FALSE
sqlnet.ora configuration
SQLNET.AUTHENTICATION_SERVICES = (BEQ,TCPS)WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/opt/oracle/product/10.2.0/wallet)))SSL_CLIENT_AUTHENTICATION = FALSE
tnsnames.ora entry
DB_ALIAS.DOMAIN =(DESCRIPTION =(ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCPS)(HOST = host.domain.com)(PORT = 2521)))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = service_name))(SECURITY = (SSL_SERVER_CERT_DN="CN=host.com,OU=IT,O=Organisation,L=city,ST=State,C=Country")))
You can use SSL to authenticate user connections as well but this is not something we have done in this environment. The SSL security here is just to authenticate the database itself to the middle tiers.
Cheers,
Ian
