Prerequisites to Using an LDAP-Based Security Store

8-8 Oracle Fusion Middleware Application Security Guide

■ Configuring SSL on a Client

For additional and detailed information about SSL-related topics, see the following documents:

■ SSL with Oracle JDBC Thin Driver, at http://www.oracle.com/technology/tech/java/sqlj_jdbc/pdf/wp-oracle-jdbc_thin_ssl_2007.pdf

■ Oracle Database JDBC Developer's Guide

8.3.3.1 Configuring SSL on an Oracle DB Server

To configure SSL on an Oracle DB server, start Oracle Wallet Manager on the host where the DB server is running and, using this tool, proceed as follows:

1. Create a wallet.

2. Obtain a trusted certificate from a Certificate Authority (CA) and import it into the wallet created.

3. Create a certificate request for the DB server.

4. Send the certificate request to the CA and obtain a signed certificate from the CA.

5. Import the signed certificate into the wallet; this certificate is the DB server's certificate.

6. Check the box Auto Login under the menu Wallet to ensure that the DB server picks up the wallet.

7. Save the wallet.

On the host where the DB server is running, start Oracle Net Manager and using this tool proceed as follows:

1. Navigate to Oracle Net Configuration > Local > Profile, then select Oracle Advanced Security, and then click the tab SSL.

2. In that tab, set Wallet Directory to the wallet saved in step 7 above, and check Configure SSL for Server. For two-way SSL, also check the box Require Client Authentication.

3. Set the listener as follows:

   1. Navigate to Oracle Net Configuration > Local > Listeners > LISTENER.

   2. Add an address; the recommended port number is 2484.

   3. Set its protocol to TCP/IP with SSL.

4. Optionally, to create a TNS service to connect to the DB with SSL on the host, proceed as follows:

   1. Navigate to Oracle Net Configuration > Local > Service Naming.

   2. Create a new service.

   3. Set its protocol to TCP/IP with SSL.

   4. Set its port number to the port number entered for the listener.

5. Save the network configuration, and restart the DB listener.

At this point, the DB server should support SSL on the specified port.

8.3.3.1.1 Configuration Samples

The following snippets illustrate portions of the files sqlnet.ora, listener.ora, and tnsnames.ora, all located in ORACLE_HOME/network/admin, after the above procedures are completed. Note that both samples set SSL_CLIENT_AUTHENTICATION = FALSE, which corresponds to one-way SSL; if Require Client Authentication was checked for two-way SSL, this parameter must be TRUE in both sqlnet.ora and listener.ora.

sqlnet.ora

  SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
  SSL_CLIENT_AUTHENTICATION = FALSE
  WALLET_LOCATION =
    (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA =
        (DIRECTORY = /myHome/owm/wallets/myWallets)
      )
    )

listener.ora

  SSL_CLIENT_AUTHENTICATION = FALSE
  WALLET_LOCATION =
    (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA =
        (DIRECTORY = /myHome/owm/wallets/myWallets)
      )
    )
  LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      )
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = myHost.com)(PORT = 1521))
      )
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = myHost.com)(PORT = 2484))
      )
    )

tnsnames.ora

  ORCLSSL =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = myHost.com)(PORT = 2484))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = myService.com)
      )
    )
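The listener.ora file is what decides which endpoints actually speak SSL, so it is worth checking mechanically once Net Manager has written it. The following Python script is an added example, not code from this guide or from Oracle: it implements a small recursive-descent parser for the parenthesised Oracle Net parameter syntax (the subset shown above: NAME = atom, NAME = (A, B) lists, and nested (KEY = value) groups; quoted strings and IFILE directives are not handled) and then audits the listener configuration for the points this section turns on: whether a TCPS endpoint exists, whether a plaintext TCP endpoint is still exposed beside it, which wallet directories are referenced, and whether SSL_CLIENT_AUTHENTICATION matches the intended one-way or two-way mode. The names NetParser, audit_listener and the two_way_ssl flag are this example's own, not Oracle settings; the sample input is a constructed copy of the listener.ora fragment above, written on fewer lines.

```python
import re
from typing import Any, List, Optional, Tuple

# Tokens are '(' ')' '=' ',' or a bare atom; '#...' comments and whitespace are dropped.
_TOK = re.compile(r"#[^\n]*|([()=,])|([^\s()=,#]+)")

def tokenize(text: str) -> List[str]:
    return [m.group(1) or m.group(2) for m in _TOK.finditer(text) if m.group(1) or m.group(2)]

class NetParser:
    """Recursive descent over NAME = value; a value is an atom, a (A, B) list of atoms,
    or one or more (KEY = value) groups, which parse to a list of (key, value) pairs."""

    def __init__(self, text: str):
        self.toks, self.i = tokenize(text), 0

    def peek(self, k: int = 0) -> Optional[str]:
        return self.toks[self.i + k] if self.i + k < len(self.toks) else None

    def take(self, expected: Optional[str] = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r} at token {self.i}")
        self.i += 1
        return tok

    def parse_file(self) -> List[Tuple[str, Any]]:
        params = []
        while self.peek() is not None:
            params.append(self.parse_param())
        return params

    def parse_param(self) -> Tuple[str, Any]:
        name = self.take().upper()
        self.take("=")
        return name, self.parse_value()

    def parse_value(self) -> Any:
        if self.peek() != "(":                  # bare atom: FALSE, FILE, a path, a port
            return self.take()
        pairs = []
        while self.peek() == "(":               # sibling groups: (PROTOCOL = TCPS)(PORT = 2484)
            self.take("(")
            if self.peek(1) != "=":             # (BEQ, TCPS): a comma-separated atom list
                items = []
                while self.peek() != ")":       # take() raises on premature end of input
                    items.append(self.take())
                self.take(")")
                return [t for t in items if t != ","]
            pairs.append(self.parse_param())
            self.take(")")
        return pairs

def lookup(pairs: Any, key: str) -> Any:
    """First value bound to key at this nesting level, else None."""
    if isinstance(pairs, list):
        for item in pairs:
            if isinstance(item, tuple) and item[0] == key:
                return item[1]
    return None

def find_all(node: Any, key: str):
    """Every value bound to key anywhere below node, in document order."""
    if isinstance(node, list):
        for item in node:
            if isinstance(item, tuple):
                if item[0] == key:
                    yield item[1]
                yield from find_all(item[1], key)

def audit_listener(listener_ora: str, two_way_ssl: bool) -> dict:
    """Endpoints, wallet and client-auth state of a listener.ora, plus findings."""
    tree = NetParser(listener_ora).parse_file()
    endpoints = [((lookup(a, "PROTOCOL") or "").upper(), lookup(a, "HOST"), lookup(a, "PORT"))
                 for a in find_all(tree, "ADDRESS")]
    client_auth = (lookup(tree, "SSL_CLIENT_AUTHENTICATION") or "FALSE").upper() == "TRUE"
    wallets = list(find_all(tree, "DIRECTORY"))
    findings = []
    if not any(p == "TCPS" for p, _, _ in endpoints):
        findings.append("no TCPS endpoint: the listener does not accept SSL connections")
    for p, host, port in endpoints:
        if p == "TCP":
            findings.append(f"plaintext TCP endpoint still exposed on {host}:{port}")
    if two_way_ssl and not client_auth:     # two_way_ssl is this example's own flag
        findings.append("two-way SSL intended but SSL_CLIENT_AUTHENTICATION is not TRUE")
    return {"endpoints": endpoints, "client_auth": client_auth, "wallets": wallets, "findings": findings}

# Constructed input: the listener.ora fragment from this section, on fewer lines.
SAMPLE_LISTENER_ORA = """
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /myHome/owm/wallets/myWallets)))
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = myHost.com)(PORT = 1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = myHost.com)(PORT = 2484))))
"""
REPORT = audit_listener(SAMPLE_LISTENER_ORA, two_way_ssl=True)   # inspect REPORT["findings"]
```

Run against the sample with two_way_ssl=True, the audit reports two findings: the plain TCP address on port 1521 is still listening, so nothing forces clients onto port 2484 unless that address is removed from the listener or blocked by a firewall; and SSL_CLIENT_AUTHENTICATION is FALSE, which is correct for one-way SSL but not for the two-way configuration that Require Client Authentication selects.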

8.3.3.2 Configuring SSL on a Client

This section explains how to connect a client to a DB server over SSL in the following sections:

■ Connecting to a DB Server with sqlplus or JDBC OCI Driver

■ Connecting to a DB Server with JDBC Thin Driver

8.3.3.2.1 Connecting to a DB Server with sqlplus or JDBC OCI Driver

This task involves specifying a trusted certificate for one-way SSL and a client certificate for two-way SSL.