Oracle Cloud Infrastructure Documentation

Create a Self-Signed Certificate for a DB System with Client Authentication Disabled

This example shows you how to create a self-signed certificate for a DB system with client authentication disabled. You can upload the certificate during target database registration when you configure a TLS connection.

To create a self-signed certificate for a DB system with client authentication disabled:
  1. Ensure that the location to the orapki utility is added to your path. The examples in this procedure use this utility.
  2. On your server, create a location for your wallet and change to the wallet directory.
    mkdir /mywallets
    cd /mywallets
  3. Create a wallet in the current directory.
    orapki wallet create -wallet ./ -pwd password -auto_login 
  4. View the contents of the wallet.
    orapki wallet display -wallet . -pwd password

    Notice that there are no certificates in the wallet yet.

  5. Create a self-signed (root) certificate and add it to the wallet.
    orapki wallet add -wallet . -dn "CN=rootca" -keysize 2048 -self_signed -validity 3650 -sign_alg sha256 -pwd password

    The certificate is added to the wallet for the user with the specified distinguished name (CN=rootca).

    The certificate contains a key pair (private key and public key).

    -keysize is the size of the private key.

    -validity 3650 specifies the number of days, starting from the current date, that the certificate is valid.

    -self_signed means that the certificate is signed with its own private key, so no external certification authority (CA) needs to sign it.

    -sign_alg sha256 is the signing algorithm.

  6. View the contents of the wallet and verify that you have a User Certificate and a Trusted Certificate:
    orapki wallet display -wallet . -pwd password

    Under User Certificates, you should now have CN=rootca.

    Under Trusted Certificates, you should now have CN=rootca.

    The User Certificate and the Trusted Certificate are the same certificate: because it is self-signed, it is its own issuer and therefore appears in both lists.

  7. Export the self-signed certificate from the wallet:
    orapki wallet export -wallet . -dn "CN=rootca" -cert root1.crt -pwd password

    root1.crt is the name of the exported file.

  8. Configure the wallet on the target database by doing the following:
    1. Copy the self-signed certificate to the wallet folder on your target database.
    2. In the listener.ora file on the target database, add a line SSL_CLIENT_AUTHENTICATION = FALSE, enable the port for TCPS (for example, 1553), and define the wallet. Use the following code example as a guideline.
      # listener configuration file
      
      CONNECT_TIMEOUT_LISTENER = 0
      SSL_CLIENT_AUTHENTICATION = FALSE
      LISTENER = (ADDRESS_LIST =
      	(ADDRESS=(PROTOCOL=ipc)(KEY=19c))
      	(ADDRESS=(PROTOCOL=tcp)(HOST=ipaddress)(PORT=1552))
      	(ADDRESS=(PROTOCOL=tcps)(HOST=ipaddress)(PORT=1553))
      )
      WALLET_LOCATION =
        (SOURCE =
          (METHOD = FILE)
          (METHOD_DATA =
            (DIRECTORY = /home/oracle/wallet)
          )
        )
    3. In the sqlnet.ora file on the target database, add a line SSL_CLIENT_AUTHENTICATION = FALSE and add the wallet location. Use the following code example as a guideline.
      # sqlnet configuration file for clients
      
      automatic_ipc = off
      SQLNET.AUTHENTICATION_SERVICES = (beq, none)
      SSL_CLIENT_AUTHENTICATION = FALSE
      names.preferred_servers = (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=19c_ns))(CONNECT_DATA=(RPC=ON)))
      
      namesctl.noconfirm = true
      WALLET_LOCATION=
      	(SOURCE=(METHOD=FILE)(METHOD_DATA=
      	  (DIRECTORY=/home/oracle/mywallets)))
    4. From a command window, restart the listener on the target database (stop it, then start it again so that it picks up the new configuration).
      lsnrctl stop
      lsnrctl start
  9. When you register the target database in Oracle Data Safe, make sure to do the following:
    • Select the connection type TLS.
    • Set the port number according to the port number you set in the listener.ora file. In this example, the port number is 1553.
    • For the server distinguished name, enter the name you used when you created the self-signed certificate in the wallet. In this example, the name is CN=rootca.
    • For the wallet or certificate type, select PEM Certificate and select the self-signed certificate that you exported from the wallet. In this example, the file is root1.crt.
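
Before registering the target database, it is worth checking that the two Oracle Net files actually say what the procedure above requires: SSL_CLIENT_AUTHENTICATION = FALSE in both, a TCPS endpoint on the port you will enter in Data Safe, and both files pointing at the same wallet directory. The following is an added example, not Oracle's code and not part of this page's procedure: a small parser for the parenthesized listener.ora / sqlnet.ora syntax plus a check function that reports those three conditions. The two sample files are constructed here to mirror the snippets above (so they name different wallet directories, /home/oracle/wallet and /home/oracle/mywallets, which the check reports); the parameter names it looks for are the ones that appear in the procedure.

```python
import re

# Constructed sample files mirroring the listener.ora / sqlnet.ora snippets in the procedure above.
LISTENER_ORA = """\
# listener configuration file
CONNECT_TIMEOUT_LISTENER = 0
SSL_CLIENT_AUTHENTICATION = FALSE
LISTENER = (ADDRESS_LIST =
    (ADDRESS=(PROTOCOL=ipc)(KEY=19c))
    (ADDRESS=(PROTOCOL=tcp)(HOST=ipaddress)(PORT=1552))
    (ADDRESS=(PROTOCOL=tcps)(HOST=ipaddress)(PORT=1553))
)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/wallet)
    )
  )
"""

SQLNET_ORA = """\
# sqlnet configuration file for clients
automatic_ipc = off
SQLNET.AUTHENTICATION_SERVICES = (beq, none)
SSL_CLIENT_AUTHENTICATION = FALSE
names.preferred_servers = (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=19c_ns))(CONNECT_DATA=(RPC=ON)))
namesctl.noconfirm = true
WALLET_LOCATION=
    (SOURCE=(METHOD=FILE)(METHOD_DATA=
      (DIRECTORY=/home/oracle/mywallets)))
"""

_KEY_RE = re.compile(r"\s*([A-Za-z_][\w.]*)\s*=\s*")


def _skip_ws(body, pos):
    while pos < len(body) and body[pos].isspace():
        pos += 1
    return pos


def _parse_groups(body, pos):
    """Parse adjacent '(KEY = VALUE)' groups; returns (list of (key, value) pairs, new pos)."""
    groups = []
    while True:
        pos = _skip_ws(body, pos)
        if pos >= len(body) or body[pos] != "(":
            return groups, pos
        m = _KEY_RE.match(body, pos + 1)
        if not m:
            raise ValueError(f"expected KEY= after '(' at offset {pos}")
        key, pos = m.group(1).upper(), _skip_ws(body, m.end())
        if pos < len(body) and body[pos] == "(":
            value, pos = _parse_groups(body, pos)          # nested group(s)
        else:
            close = body.find(")", pos)
            if close < 0:
                raise ValueError("unbalanced parenthesis")
            value, pos = body[pos:close].strip(), close     # scalar up to ')'
        pos = _skip_ws(body, pos)
        if pos >= len(body) or body[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        groups.append((key, value))
        pos += 1


def parse_net_file(text):
    """Parse a listener.ora / sqlnet.ora file into {PARAM: value}. Values are strings,
    lists (for '(a, b)') or nested lists of (key, value) pairs for (KEY=VALUE) trees."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    params, pos = {}, 0
    while pos < len(body):
        m = _KEY_RE.match(body, pos)
        if not m:
            pos += 1                       # tolerate stray characters / blank lines
            continue
        name, pos = m.group(1).upper(), _skip_ws(body, m.end())
        if pos < len(body) and body[pos] == "(":
            close = body.find(")", pos)
            if "=" in body[pos:close]:     # (KEY=VALUE) structure
                value, pos = _parse_groups(body, pos)
            else:                          # plain list such as (beq, none)
                value, pos = [v.strip() for v in body[pos + 1:close].split(",")], close + 1
        else:
            end = body.find("\n", pos)
            end = len(body) if end < 0 else end
            value, pos = body[pos:end].strip(), end
        params[name] = value
    return params


def _find_all(node, key):
    """Yield every value stored under `key` anywhere inside a parsed group tree."""
    if isinstance(node, list):
        for item in node:
            if isinstance(item, tuple):
                if item[0] == key:
                    yield item[1]
                yield from _find_all(item[1], key)


def check_tls_config(listener_ora, sqlnet_ora, expected_port):
    """Pre-registration check for the client-authentication-disabled setup.
    Returns (findings, details); an empty findings list means nothing looked wrong."""
    files = (("listener", parse_net_file(listener_ora)), ("sqlnet", parse_net_file(sqlnet_ora)))
    findings = []
    for fname, p in files:
        if str(p.get("SSL_CLIENT_AUTHENTICATION", "")).upper() != "FALSE":
            findings.append(f"{fname}: SSL_CLIENT_AUTHENTICATION is not FALSE")
    listener = files[0][1]
    tcps_ports = [int(dict(a)["PORT"]) for a in _find_all(listener.get("LISTENER", []), "ADDRESS")
                  if dict(a).get("PROTOCOL", "").lower() == "tcps"]
    if expected_port not in tcps_ports:
        findings.append(f"listener: no TCPS endpoint on port {expected_port} (found {tcps_ports})")
    wallets = {fname: next(_find_all(p.get("WALLET_LOCATION", []), "DIRECTORY"), None)
               for fname, p in files}
    if None in wallets.values() or len(set(wallets.values())) != 1:
        findings.append(f"wallet directory missing or differs between files: {wallets}")
    details = {"tcps_ports": tcps_ports, **{f"{k}_wallet": v for k, v in wallets.items()}}
    return findings, details


if __name__ == "__main__":
    for line in check_tls_config(LISTENER_ORA, SQLNET_ORA, 1553)[0] or ["no findings"]:
        print(line)
```

Run it against your real files by reading them from disk and passing the port you intend to enter at registration; a finding about the wallet directory means one of the two files points somewhere other than where you copied the exported certificate in step 8.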