Oracle Cloud Infrastructure Documentation

Create a Self-Signed Certificate for a Target Database with Client Authentication Enabled

This example shows you how to create a self-signed certificate for a target database with client authentication enabled. You can upload the certificate during target database registration when you configure a TLS connection. This information applies to DB systems only. Using self-signed certificates is fine for testing purposes. However, for production systems, Oracle recommends that you use certificates signed by a trusted or internal certificate authority (CA).

Part 1: Create a Server Wallet and Certificate

Make sure that SSL/TLS encryption is enabled on your target database before you complete this part.

To create a server wallet and certificate:
  1. Create an auto-login wallet.
    mkdir -p <wallet path>
    orapki wallet create -wallet "<wallet path>" -pwd <wallet password> -auto_login

    For example:

    orapki wallet create -wallet "/u01/app/oracle/myserverwallet" -pwd welcome_1 -auto_login
  2. Create a self-signed certificate and load it into the wallet.
    orapki wallet add -wallet "<wallet path>" -pwd <wallet password> -dn "CN=`hostname`" -keysize 1024 -self_signed -validity 3650

    For example:

    orapki wallet add -wallet "/u01/app/oracle/myserverwallet" -pwd welcome_1 -dn "CN=CloudST2.debdev19.oraclecloud.internal" -keysize 1024 -self_signed -validity 3650
  3. Check the contents of the wallet. Notice that the self-signed certificate is both a user certificate and trusted certificate.
    orapki wallet display -wallet "<wallet path>" -pwd <wallet password>

    For example:

    orapki wallet display -wallet "/u01/app/oracle/myserverwallet" -pwd welcome_1
     
    ... 
    Requested Certificates:
    User Certificates:
    Subject:        CN=CloudST2.debdev19.oraclecloud.internal
    Trusted Certificates:
    Subject:        CN=CloudST2.debdev19.oraclecloud.internal
  4. Export the certificate so that you can load it into the client wallet later.
    orapki wallet export -wallet "<wallet path>" -pwd <wallet password> -dn "CN=`hostname`" -cert <certificate file name>.crt

    For example:

    orapki wallet export -wallet "/u01/app/oracle/myserverwallet" -pwd welcome_1 -dn "CN=CloudST2.debdev19.oraclecloud.internal" -cert CloudST2-certificate.crt 
  5. Check that the certificate has been exported as expected.
    cat <certificate file name>.crt

    For example:

    cat CloudST2-certificate.crt
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
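A check on the exported server certificate before it is loaded into the client wallet in Part 3, added here as an example and not part of the Oracle documentation. It uses only the Python standard library, takes the PEM file printed in step 5 as its sample input (copied from that output), and the function names, the expected CN and the 2048-bit minimum key size are assumptions of this check, not orapki defaults.

```python
import base64
from datetime import datetime, timezone

# Sample input: the server certificate exported in Part 1, step 5 (copied from the cat output).
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIB0TCCAToCAQAwDQYJKoZIhvcNAQEEBQAwMTEvMC0GA1UEAxMmQ2xvdWRTVDIuZGViZGV2MTku
b3JhY2xlY2xvdWQuaW50ZXJuYWwwHhcNMTYwNTExMTEyMDI2WhcNMjYwNTA5MTEyMDI2WjAxMS8w
LQYDVQQDEyZDbG91ZFNUMi5kZWJkZXYxOS5vcmFjbGVjbG91ZC5pbnRlcm5hbDCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAr6fhuQly2t3i8gugLVzgP2kFGVXVOzqbggEIC+Qazb15JuKs0ntk
En9ERGvA0fxHkAkCtIPjCzQD5WYRU9C8AQQOWe7UFHae7PsQX8jsmEtecpr5Wkq3818+26qU3Jyi
XxxK/rRydwBO526G5Tn5XPsovaw/PYJxF/fIKMG7fzMCAwEAATANBgkqhkiG9w0BAQQFAAOBgQCu
fBYJj4wQYriZIfjij4eac/jnO85EifF3L3DU8qCHJxOxRgK97GJzD73TiY20xpzQjWKougX73YKV
Tp9yusAx/T/qXbpAD9JKyHlKj16wPeeMcS06pmDDXtJ2CYqOUwMIk53cK7mLaAHCbYGGM6btqP4VKYIjP48GrsQ5MOqd0w==
-----END CERTIFICATE-----"""
def _children(body):  # split a constructed DER body into (tag, value) pairs
    items, off = [], 0
    while off < len(body):
        tag, ln, off = body[off], body[off + 1], off + 2
        if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes
            ln, off = int.from_bytes(body[off:off + (ln & 0x7F)], "big"), off + (ln & 0x7F)
        items.append((tag, body[off:off + ln]))
        off += ln
    return items

def _common_name(name):  # CN in an X.501 Name: SEQUENCE OF SET OF SEQUENCE {oid, value}
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            if oid == b"\x55\x04\x03":  # id-at-commonName, OID 2.5.4.3
                return value.decode()

def inspect_cert(pem):  # assumes an RSA key, which is what orapki -keysize produces
    der = base64.b64decode("".join(pem.strip().splitlines()[1:-1]))
    tbs = _children(_children(der)[0][1])[0][1]  # Certificate -> tbsCertificate
    fields = [v for t, v in _children(tbs) if t != 0xA0]  # without the optional [0] version
    issuer, validity, subject, spki = fields[2:6]  # fields 0-1 are serialNumber, signature
    not_before, not_after = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ" if t == 0x17
                             else "%Y%m%d%H%M%SZ") for t, v in _children(validity)]
    modulus = _children(_children(_children(spki)[1][1][1:])[0][1])[0][1]  # BIT STRING -> n
    return {"subject_cn": _common_name(subject), "issuer_cn": _common_name(issuer),
            "self_signed": issuer == subject, "validity_days": (not_after - not_before).days,
            "not_after": not_after, "key_bits": int.from_bytes(modulus, "big").bit_length()}

def check_cert(pem, expected_cn, min_bits=2048, now=None):  # problems to fix before trusting
    c, now = inspect_cert(pem), now or datetime.now(timezone.utc).replace(tzinfo=None)
    rules = [(c["subject_cn"] == expected_cn, f"CN {c['subject_cn']!r} != host {expected_cn!r}"),
             (c["self_signed"], f"issuer {c['issuer_cn']!r} differs from subject"),
             (c["key_bits"] >= min_bits, f"RSA key is {c['key_bits']} bits, below {min_bits}"),
             (now < c["not_after"], f"expired on {c['not_after']:%Y-%m-%d}")]
    return [msg for ok, msg in rules if not ok]
```

The same check applies to the client certificate exported in Part 2 by passing that PEM and the client computer name; on the page's 1024-bit certificate it reports the key size as the one finding.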

Part 2: Create a Client Wallet and Certificate

To create a client wallet and certificate:
  1. Create another auto-login wallet.
    c:\>mkdir <client wallet path>
    c:\>orapki wallet create -wallet "<client wallet path>" -pwd <wallet password> -auto_login

    For example:

    C:\Work\CloudWallet>orapki wallet create -wallet "C:\work\myclientwallet" -pwd welcome_1 -auto_login
  2. Create a self-signed certificate and load it into the wallet.
    C:\>orapki wallet add -wallet "<client wallet path>" -pwd <wallet password> -dn "CN=<client computer name>" -keysize 1024 -self_signed -validity 3650

    For example:

    C:\work\myclientwallet>orapki wallet add -wallet "C:\work\myclientwallet" -pwd welcome_1 -dn "CN=gbr30139.example.com" -keysize 1024 -self_signed -validity 3650
  3. Check the contents of the wallet. Notice that the self-signed certificate is both a user certificate and trusted certificate.
    orapki wallet display -wallet "<client wallet path>" -pwd <wallet password>

    For example:

    C:\work\myclientwallet>orapki wallet display -wallet "C:\work\myclientwallet" -pwd welcome_1
    
    ...
    Requested Certificates:
    User Certificates:
    Subject:        CN=gbr30139.example.com
    Trusted Certificates:
    Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
    Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        CN=gbr30139.example.com
  4. Export the certificate so that you can load it into the server later.
    orapki wallet export -wallet "<client wallet path>" -pwd <wallet password> -dn "CN=<client computer name>" -cert <client computer name>-certificate.crt

    For example:

    C:\work\myclientwallet>orapki wallet export -wallet "C:\work\myclientwallet" -pwd welcome_1 -dn "CN=gbr30139.example.com" -cert gbr30139-certificate.crt
  5. Check the certificate.
    more <client computer name>-certificate.crt

    For example:

    C:\work\myclientwallet>more gbr30139-certificate.crt
    
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Part 3: Exchange Client and Server Certificates

Each side of the connection needs to trust the other. Therefore, you must load the server certificate as a trusted certificate into the client wallet, and load the client certificate into the server wallet.

To exchange client and server certificates:
  1. Load the server certificate into the client wallet.
    orapki wallet add -wallet "<client wallet path>" -pwd <wallet password> -trusted_cert -cert <server certificate path>

    For example:

    C:\work\myclientwallet>orapki wallet add -wallet "C:\work\myclientwallet" -pwd welcome_1 -trusted_cert -cert C:\work\myclientwallet\CloudST2-certificate.crt
  2. Check the contents of the client wallet. Notice that the server certificate is now included in the list of trusted certificates.
    orapki wallet display -wallet "<client wallet path>" -pwd <wallet password>

    For example:

    C:\work\myclientwallet>orapki wallet display -wallet "C:\work\myclientwallet" -pwd welcome_1
    
    ...
    Requested Certificates:
    User Certificates:
    Subject:        CN=gbr30139.example.com
    Trusted Certificates:
    Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        CN=gbr30139.example.com
    Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
    Subject:        CN=CloudST2.debdev19.oraclecloud.internal
    Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    
  3. Load the client certificate into the server wallet.
    orapki wallet add -wallet "<server wallet path>" -pwd <wallet password> -trusted_cert -cert <client certificate file>

    For example:

    orapki wallet add -wallet "/u01/app/oracle/myserverwallet" -pwd welcome_1 -trusted_cert -cert gbr30139-certificate.crt
  4. Check the contents of the server wallet. Notice that the client certificate is now included in the list of trusted certificates.
    orapki wallet display -wallet "<server wallet path>" -pwd <wallet password>

    For example:

    orapki wallet display -wallet "/u01/app/oracle/myserverwallet" -pwd welcome_1
    
    ...
    Requested Certificates:
    User Certificates:
    Subject:        CN=CloudST2.debdev19.oraclecloud.internal
    Trusted Certificates:
    Subject:        CN=CloudST2.debdev19.oraclecloud.internal
    Subject:        CN=gbr30139.example.com
    

Part 4: Configure the Server Network

To configure the server network:
  1. On the database server, add the following entries to the $ORACLE_HOME/network/admin/sqlnet.ora file.
    WALLET_LOCATION =
       (SOURCE =
         (METHOD = FILE)
         (METHOD_DATA =
           (DIRECTORY = /u01/app/oracle/myserverwallet)
         )
       )
    
    SSL_CLIENT_AUTHENTICATION = TRUE
  2. Configure the listener to accept SSL/TLS encrypted connections. In the $ORACLE_HOME/network/admin/listener.ora file, add the wallet information and add a TCPS entry.

    For example:

    SSL_CLIENT_AUTHENTICATION=TRUE
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /u01/app/oracle/myserverwallet)
        )
      )
    
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = server1.localdomain)(PORT = 1521))
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
          (ADDRESS = (PROTOCOL = TCPS)(HOST = server1.localdomain)(PORT = 1522))
        )
      )
  3. Restart the listener.
    $ lsnrctl stop
    $ lsnrctl start