ssl enabled oci connection - unknown cipher suite 157 - ssl

I am trying to make an SSL-based OCI connection to an SSL-enabled Oracle 11g database using the OBIEE BI server and Admin tool. The wallet and all required configurations are in place. However, the connection establishment fails, and in the sqlnet trace file I get the following error:
(12184) [25-OCT-2015 12:45:21:521] ntzcsgtab: INTERNAL ERROR - unknown cipher suite 157.
(12184) [25-OCT-2015 12:45:21:521] ntzcsgtab: failed with error 543
(12184) [25-OCT-2015 12:45:21:521] ntzcsgtab: exit
(12184) [25-OCT-2015 12:45:21:521] ntzini: Could not initialize Cipher Suite table.
(12184) [25-OCT-2015 12:45:21:521] ntzini: failed with error 543
I am not specifying any particular cipher suite in sqlnet.ora either in client or database, and using the default ones.
Next I tried to create a JDBC connection using the OCI driver (using Oracle Instant Client) and the same wallet, in a simple Java client program. I was able to successfully establish the SSL-enabled connection.
So it seems like Oracle client inside OBIEE might be missing some feature to handle SSL based connection. Any idea how to fix this?
Thanks in advance

Related

Configuring ODBC 32bit on Windows11 is failing

Trying to configure the ODBC driver on Windows is returning the following message
[Simba][DriverSupport] (1120) SSL verification failed because the server host name specified for the connection does not match the ‘CN’ entry in the ‘Subject’ field or any of the ‘DNS Name’ entries of the ‘Subject Alternative Name’ field in the server certificate.
Using the default cacerts.pem file
What step am I missing?

Cannot access localhost:8443/ejbca

I'm new to ejbca and I have to install it on a virtual machine for a job.
Ubuntu 20.04
ejbca_7_4_3_2
wildfly-18.0.0.Final
mariadb-server version: 10.3.32-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
openjdk version "1.8.0_312"
Apache Ant(TM) version 1.10.7 compiled on October 24 2019
After a few tries (and a lot of virtual machines cloned and deleted), I finally got the "build successfully" message with the commands ant runinstall and ant deploy-keystore.
But when I try to use the URL https://localhost:8443/ejbca/ (the certificate SuperAdmin.p12 is installed), my browser (Firefox 96.0 64-bit) gives the message
An error occurred during a connection to localhost:8443. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
I have these errors in my log file; the first one is related to ant -q clean deployear
and the last one appears every time I try to access the URL https://localhost:8443/ejbca/
ERROR [org.jboss.as.jsf] (MSC service thread 1-1) WFLYJSF0002: Could not load JSF managed bean class: org.ejbca.ui.web.admin.peerconnector.PeerConnectorMBean
ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
at sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:461)
at sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:296)
at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
at sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1020)
at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:727)
at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:693)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1072)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.lang.Thread.run(Thread.java:748)
ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception
Sounds like a TLS configuration issue. You will find the TLS configuration you did when configuring WildFly in the commands you ran like:
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",trust-manager=httpsTM,need-client-auth=true)'
The result is somewhere in standalone.xml in WildFly, and you can modify it directly in WildFly. For example, if you have EC keys in the server certificate while using the above RSA algorithm selection.
In server.log you should also see when WildFly starts up if there are any errors in parsing the values, or keystores.
Make sure that your server and client certificates have keys and algorithms that match the TLS algorithm settings, otherwise WildFly will remove those algorithms.

Are SSL and Kerberos compatible to each other on Hive Server?

My Hive server is SSL as well as Kerberos enabled. But when I try to connect to hiveserver2 via beeline using the following command:
!connect jdbc:hive2://hostnameOfServer:10000/hive;ssl=true;sslTrustStore=keystorePath;trustStorePassword=passwordfor keystore;principal=Kerberos hive principal database username database password org.apache.hive.jdbc.HiveDriver
I get the following error:
Error: Could not open client transport with JDBC Uri: jdbc:hive2://hostnameOfServer:10000/hive;ssl=true;sslTrustStore=keystorePath;trustStorePassword=passwordfor keystore;principal=Kerberos hive principal database username database password org.apache.hive.jdbc.HiveDriver: Invalid status 21 (state=08S01,code=0)
Also I tried using the following command on beeline:
jdbc:hive2://hostnameOfServer:10000/hive;principal=Kerberos hive principal?transportMode=https;httpPath=cliservice;auth=kerberos;sasl.qop=auth
But got the same error.
Are SSL and Kerberos compatible with each other?
Yes, they are compatible from version Hive-2.0.0. Check the JIRA task below for more information:
https://issues.apache.org/jira/browse/HIVE-14019

WebSphereMQ with HermesJMS

I use WebSphereMQ v7.1 and HermesJMS v1.14 SoapUI.
I set up everything to connect these apps without SSL and they work fine.
The problem is when I try to connect with SSL. I set the parameters below:
SSLCipherSuite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
channel, hostName, port, queueManager,
transportType: 1
and in hermes.bat I added trustStore and keystore.
In WMQ I have set TRIPLE_DES_SHA_US on the channel. On this page -> http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/ja34740_.htm
I see that I matched CipherSpec and CipherSuite correctly.
What is wrong?
UPDATE
Below is the error from Hermes:
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'channel1'. [3=channel1]
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4322)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.receiveTSH(RemoteConnection.java:2902)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.initSess(RemoteConnection.java:1440)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect(RemoteConnection.java:1115)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection(RemoteConnectionPool.java:350)
at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1599)
On this page -> http://www-01.ibm.com/support/docview.wss?uid=swg21614686 I find that the solution for this problem is:
Ensure that there is a cipher suite set on the client matching the
cipher spec on the queue manager's server connection channel.
but as I mentioned earlier, I matched CipherSpec and CipherSuite correctly.
Are you using an Oracle JRE/JDK? I had the same issue and wrote about it here: http://www.capitalware.com/rl_blog/?p=3074
The simplest solution is to use IBM's JRE/JDK.

SSL jdbc connection fails with Diffie-Hellman (DH_ANON) cipher suites

I am trying to create an SSL-enabled connection to the Oracle database 11g (Release 11.2.0.1.0) using JDBC. I just want to use SSL for encryption only and not authentication, which is why I am using the Diffie-Hellman anonymous cipher suites, but it is failing.
I totally understand that anonymous cipher suites are not advisable and inherently insecure against man-in-the-middle attacks, and probably I will not use them in production. But I would still like to find out what is wrong with my implementation that is preventing the SSL connection. Following is an excerpt of the code:
package oracle.bi.modeling;

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

public class Test {
    public static void main(String[] args) {
        createConnection();
    }

    static void createConnection() {
        // Thin-driver URL: "@" introduces the full connect descriptor (the original had a "#" typo); tcps = TLS listener.
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<IP>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=<service_name>)) )";
        Properties props = new Properties();
        props.setProperty("user", "hr");
        props.setProperty("password", "hr");
        // Anonymous DH suites: encryption only, no server or client authentication.
        props.setProperty("oracle.net.ssl_cipher_suites", "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA)");
        // Commented out since a Diffie-Hellman anonymous cipher suite should not require a trust store or key store,
        // but the connection works only if these two lines are uncommented.
        //props.setProperty("javax.net.ssl.trustStore", "/truststore/cwallet.sso");
        //props.setProperty("javax.net.ssl.trustStoreType", "SSO");
        Connection conn = null;
        try {
            //Security.insertProviderAt(new oracle.security.pki.OraclePKIProvider(), 3);
            Class.forName("oracle.jdbc.OracleDriver");
            conn = DriverManager.getConnection(url, props);
            System.out.println("conn " + conn);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
In sqlnet.ora I added the following to make sure the client is not authenticated and that client and server use the same cipher suite:
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES=(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)
However when I run the code I get the following error:
java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:419)
at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:538)
at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:228)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:521)
at java.sql.DriverManager.getConnection(DriverManager.java:582)
at java.sql.DriverManager.getConnection(DriverManager.java:154)
at oracle.bi.modeling.Test.createConnection(Test.java:50)
at oracle.bi.modeling.Test.main(Test.java:18)
Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:375)
at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:422)
at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:686)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:246)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1056)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:308)
... 8 more
Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:327)
at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:110)
at oracle.net.nt.ConnOption.connect(ConnOption.java:130)
at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:353)
... 13 more
Caused by: oracle.net.ns.NetException: Unable to initialize the trust store.
at oracle.net.nt.CustomSSLSocketFactory.getTrustManagerArray(CustomSSLSocketFactory.java:415)
at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:311)
... 16 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at oracle.net.nt.CustomSSLSocketFactory.getTrustManagerArray(CustomSSLSocketFactory.java:406)
... 17 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
... 20 more
If I do specify the trust store, then the connection works fine when I uncomment the following lines:
props.setProperty("javax.net.ssl.trustStore", "/truststore/cwallet.sso");
props.setProperty("javax.net.ssl.trustStoreType", "SSO");
But a Diffie-Hellman cipher suite should not require a truststore or keystore. So what am I doing wrong?
I do see the following in one of the Oracle docs:
http://docs.oracle.com/cd/B28359_01/network.111/b28530/asossl.htm#i1009717
"There is a known bug in which an OCI client requires a wallet even when using a cipher suite with DH_ANON, which does not authenticate the client."
However, I am not using the OCI client. Instead I am using JDBC (ojdbc6.jar). Does the same exist even in JDBC? If so, what is the workaround to use a Diffie-Hellman cipher suite?
Thanks
Joyjit
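As an added example (not code from any of the posts above, nor from WildFly, EJBCA or Oracle), the following Python encodes the cipher-suite rules behind two of the failures on this page: the WildFly answer's point that RSA suites are dropped when the server certificate holds an EC key, which ends in "no cipher suites in common", and this question's DH_anon suites, which a scan of an SSL_CIPHER_SUITES value flags as encryption without any server authentication. All function names are assumptions of mine.

```python
# Added example (not code from any post or product above): cipher-suite checks
# for the two failures on this page. Helper names are my own; the suite-name
# grammar is the JSSE/Oracle one (TLS_/SSL_ <kx>_<auth>_WITH_...).
import re

# TLS 1.3 names (TLS_AES_*, TLS_CHACHA20_*) have no auth part and work with
# any certificate key type.
_SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?:(?:ECDHE|DHE|ECDH|DH)_)?(RSA|ECDSA|anon)_WITH_")
_TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")

def suite_auth(suite):
    """'RSA', 'EC' or 'anon' for a TLS 1.2-style suite, None for TLS 1.3."""
    suite = suite.strip()
    if suite.startswith(_TLS13_PREFIXES):
        return None
    m = _SUITE_RE.match(suite)
    if m is None:
        raise ValueError("unrecognised cipher suite name: " + suite)
    return {"RSA": "RSA", "ECDSA": "EC", "anon": "anon"}[m.group(1)]

def parse_suite_list(value):
    """Split 'a,b' or the sqlnet.ora form '(a, b)' into suite names."""
    return [s.strip() for s in value.strip().strip("()").split(",") if s.strip()]

def usable_suites(cipher_suite_filter, server_key_algorithm):
    """Suites of a WildFly cipher-suite-filter the server can really offer
    with a certificate whose key is 'RSA' or 'EC'; the rest are dropped,
    which is how an RSA-only filter plus an EC certificate ends in no
    overlap."""
    return [s for s in parse_suite_list(cipher_suite_filter)
            if suite_auth(s) in (None, server_key_algorithm)]

def server_choice(cipher_suite_filter, server_key_algorithm, client_offer):
    """First usable server suite the client also offers, or the message
    WildFly logs when nothing overlaps."""
    for suite in usable_suites(cipher_suite_filter, server_key_algorithm):
        if suite in client_offer:
            return suite
    return "no cipher suites in common"

def unauthenticated_suites(sqlnet_value):
    """Suites in an SSL_CIPHER_SUITES value that authenticate no one: the
    session is encrypted but a man-in-the-middle cannot be detected."""
    return [s for s in parse_suite_list(sqlnet_value) if suite_auth(s) == "anon"]
```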