Thursday 2 March 2017

example: utl_http and SSL/TLS on 12c #2

Simple wallet creation

In the previous example UTL_HTTP and TLS on 12c we created a wallet. Here is the short sequence for creating the wallet.

# sequence to generate wallet
#
# tested with a single (1) chain certificate; 
# the process is equal where multiple chains certificates are involved: add all the chains
#

# define the server we like to use
myserverCN=www.oracle.com
myWalletLocation=$ORACLE_HOME/wallet/$myserverCN
myWalletPassword=Welcome1

# fetch server cer
openssl s_client -connect $myserverCN:443 -showcerts </dev/null &> /tmp/request

# extract chain cer
beginCer=$( grep -n 'BEGIN CERTIFICATE' /tmp/request |tail -1|awk -F: '{print $1}' )
endCer=$( grep -n 'END CERTIFICATE' /tmp/request |tail -1|awk -F: '{print $1}' )
cerLength=$[ $endCer - $beginCer + 1 ]
head -$endCer /tmp/request |tail -$cerLength > /tmp/chain.cer

# resolve root cer
rootIssuer=$( head -1 /tmp/request |awk -F'CN = ' '{print "CN="$2}' )
# our stored root certs
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs -text -noout|grep 'Issuer:' > /tmp/issuers.out
# our root cer is in the bundle the Xth certificate
nthIssuerInBundle=$( grep -n "$rootIssuer" /tmp/issuers.out | awk -F: '{print $1}' )
beginCer=$( grep -n  'BEGIN CERTIFICATE' /etc/pki/tls/certs/ca-bundle.crt | head -$nthIssuerInBundle |tail -1|awk -F: '{print $1}' )
endCer=$( grep -n  'END CERTIFICATE' /etc/pki/tls/certs/ca-bundle.crt | head -$nthIssuerInBundle |tail -1 |awk -F: '{print $1}' )
cerLength=$[ $endCer - $beginCer + 1 ]
head -$endCer /etc/pki/tls/certs/ca-bundle.crt |tail -$cerLength > /tmp/root.cer

# create the wallet
orapki wallet create -wallet $myWalletLocation -auto_login -pwd $myWalletPassword
# add the chain
orapki wallet add -wallet $myWalletLocation -trusted_cert -cert /tmp/chain.cer -pwd $myWalletPassword
# add the root
orapki wallet add -wallet $myWalletLocation -trusted_cert -cert /tmp/root.cer -pwd $myWalletPassword
# display the resulting wallet contents
orapki wallet display -wallet $myWalletLocation -pwd Welcome1
Posted by at No comments:

Tuesday 28 February 2017

example: utl_http and SSL/TLS on 12c #1

UTL_HTTP and TLS

We are not using SSL, but as name we keep using it. Obviously we use the newer version TLS. However, older versions of Oracle (up to 11.2.0.4) may not support TLSv1.2:

SQL> select utl_http.request('https://www.oracle.com',null,'file:/u01/app/oracle/product/12/db/wallet','Welcome1') 
   from dual;

ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1720
ORA-28860: Fatal SSL error
ORA-06512: at line 1

Example


So we go through the basics, which is not straightforward on 12c, because of several security restrictions.

# prep our user
SQL> create user test identified by Welcome1;

User created.

SQL> grant connect,resource to test;

Grant succeeded.

begin
  dbms_network_acl_admin.create_acl (
    acl         => 'utl_http.xml',
    description => 'HTTP Access',
    principal   => 'TEST',
    is_grant    => TRUE,
    privilege   => 'connect',
    start_date  => null,
    end_date    => null);
 
  dbms_network_acl_admin.add_privilege (
    acl        => 'utl_http.xml',
    principal  => 'TEST',
    is_grant   => TRUE,
    privilege  => 'resolve',
    start_date => null,
    end_date   => null
  );
 
  dbms_network_acl_admin.assign_acl (
    acl        => 'utl_http.xml',
    host       => 'www.oracle.com',
    lower_port => 443,
    upper_port => 443
  );
end;
/

Examine the certificate chain:
openssl s_client -connect www.oracle.com:443 -showcerts \
   </dev/null &> /tmp/request
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify return:1
depth=0 C = US, ST = California, L = Redwood Shores, O = Oracle Corporation, OU = Content Management Services IT, CN = www.oracle.com
verify return:1
CONNECTED(00000003)
---

We need all certificates in the chain to trust the site identified as "CN = www.oracle.com";
We need the Certificate Authority certificate (#2) "CN = GeoTrust Global CA" and we need the Chain certificate (#1) "CN = GeoTrust SSL CA - G3".

At this point, we see in the openssl request, only the site certificate and the chain certificate are returned. The root certificate is assumed to be installed at the client site. On CentOS, that is installed in /etc/pki/tls/certs/ca-bundle.crt

In order to obtain the root certificate, we can extract one with a browser and transfer that to the server, or try to extract the certificate from the bundle on our server. We do the latter.

We start first with the chain certificate from the request; it contained 2 certificates; the chain and the server's certificate. We need only the first:
grep -n 'BEGIN CERTIFICATE' /tmp/request |tail -1
70:-----BEGIN CERTIFICATE-----
grep -n 'END CERTIFICATE' /tmp/request |tail -1
95:-----END CERTIFICATE-----

We copy the lines between 70 and 95 to the chain certificate:
head -95 /tmp/request |tail -26 > /tmp/chain.cer

We review the CA bundle on our server to contain a GeoTrust certificate:
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt \
 | openssl pkcs7 -print_certs -text -noout|grep 'CN=GeoTrust Global CA'
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2
        Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2

So we need to identy the correct certificate in the bundle. We do so by observing all issuers:
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt \
  | openssl pkcs7 -print_certs -text -noout|grep 'Issuer:' > /tmp/issuers.out
# Count the root certificates by issuers and double check that against the bundle. They should match:
cat /tmp/issuers.out |wc -l
167
grep 'BEGIN CERTIFICATE' /etc/pki/tls/certs/ca-bundle.crt| wc -l
167

Check, so we need find what certificate is 'CN=GeoTrust Global CA'
grep -n 'CN=GeoTrust Global CA' /tmp/issuers.out 
80:        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA

The 80th certificate we need to extract from the bundle:
grep -n  'BEGIN CERTIFICATE' /etc/pki/tls/certs/ca-bundle.crt \
|head -80|tail -1
1913:-----BEGIN CERTIFICATE-----
grep -n  'END CERTIFICATE' /etc/pki/tls/certs/ca-bundle.crt \
|head -80|tail -1
1932:-----END CERTIFICATE-----

That is the line numbers we need to extract between:
head -1932 /etc/pki/tls/certs/ca-bundle.crt | tail -20 > /tmp/root.cer

With the two certificates, we can construct our wallet;

echo $ORACLE_HOME
/u01/app/oracle/product/12/db
myWalletDir=$ORACLE_HOME/mywallet
mkdir $ORACLE_HOME/mywallet
# create the wallet
orapki wallet create -wallet $myWalletDir \
-auto_login -pwd Welcome1
# add the certificates
orapki wallet add -wallet $myWalletDir \
-trusted_cert -cert /tmp/root.cer -pwd Welcome1
orapki wallet add -wallet $myWalletDir \
-trusted_cert -cert /tmp/chain.cer -pwd Welcome1
# display the resulting wallet contents
orapki wallet display -wallet $myWalletDir -pwd Welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Trusted Certificates: 
Subject:        CN=GeoTrust SSL CA - G3,O=GeoTrust Inc.,C=US
Subject:        CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US

ls $myWalletDir
cwallet.sso  cwallet.sso.lck  ewallet.p12  ewallet.p12.lck
echo $myWalletDir
/u01/app/oracle/product/12/db/mywallet

Now we can query. We use the wallet in format file:/path/to/myWalletDir, and the password of the wallet:

sqlplus test/Welcome1

select utl_http.request('https://www.oracle.com',null,
  'file:/u01/app/oracle/product/12/db/mywallet','Welcome1') from dual;

UTL_HTTP.REQUEST('HTTPS://WWW.ORACLE.COM',NULL,'FILE:/U01/APP/ORACLE/PRODUCT/12/
--------------------------------------------------------------------------------

<!DOCTYPE html>

<html lang="en-US" class="no-js">

And some housecleaning when we are done:

sqlplus / as sysdba

begin
  DBMS_NETWORK_ACL_ADMIN.DROP_ACL (
    acl         => 'utl_http.xml');
end;
/

drop user test;
Posted by at No comments:

Tuesday 10 January 2017

NetNewsWire 4 mac restore

Restoring is easy, a fresh install may proof challenging.

If you didn't create an export (OPML) then you may have to reimport the subscriptions from the preferences out of your timemachine backup.

In NetNewsWire 3, restore the application preferences within ~/Library/Application Support:
~/Library/Application Support/NetNewsWire/

In NetNewsWire 4, this changed. The preferences are now under ~/Library/Containers:
~/Library/Containers/com.blackpixel.netnewswire/

Procedure is the same:
  • Quit the application
  • In finder go to the folder (Menu > Go > Go to folder) and type ~/Library press enter an browse to the correct folder
  • Activate Time Machine
  • Restore
  • Confirm to overwrite the existing folder
Posted by at No comments:
Subscribe to: Posts (Atom)

Thursday 2 March 2017

example: utl_http and SSL/TLS on 12c #2

Simple wallet creation

In the previous example UTL_HTTP and TLS on 12c we created a wallet. Here is the short sequence for creating the wallet.

# sequence to generate wallet
#
# tested with a single (1) chain certificate; 
# the process is equal where multiple chains certificates are involved: add all the chains
#

# define the server we like to use
myserverCN=www.oracle.com
myWalletLocation=$ORACLE_HOME/wallet/$myserverCN
myWalletPassword=Welcome1

# fetch server cer
openssl s_client -connect $myserverCN:443 -showcerts </dev/null &> /tmp/request

# extract chain cer
beginCer=$( grep -n 'BEGIN CERTIFICATE' /tmp/request |tail -1|awk -F: '{print $1}' )
endCer=$( grep -n 'END CERTIFICATE' /tmp/request |tail -1|awk -F: '{print $1}' )
cerLength=$[ $endCer - $beginCer + 1 ]
head -$endCer /tmp/request |tail -$cerLength > /tmp/chain.cer

# resolve root cer
rootIssuer=$( head -1 /tmp/request |awk -F'CN = ' '{print "CN="$2}' )
# our stored root certs
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs -text -noout|grep 'Issuer:' > /tmp/issuers.out
# our root cer is in the bundle the Xth certificate
nthIssuerInBundle=$( grep -n "$rootIssuer" /tmp/issuers.out | awk -F: '{print $1}' )
beginCer=$( grep -n  'BEGIN CERTIFICATE' /etc/pki/tls/certs/ca-bundle.crt | head -$nthIssuerInBundle |tail -1|awk -F: '{print $1}' )
endCer=$( grep -n  'END CERTIFICATE' /etc/pki/tls/certs/ca-bundle.crt | head -$nthIssuerInBundle |tail -1 |awk -F: '{print $1}' )
cerLength=$[ $endCer - $beginCer + 1 ]
head -$endCer /etc/pki/tls/certs/ca-bundle.crt |tail -$cerLength > /tmp/root.cer

# create the wallet
orapki wallet create -wallet $myWalletLocation -auto_login -pwd $myWalletPassword
# add the chain
orapki wallet add -wallet $myWalletLocation -trusted_cert -cert /tmp/chain.cer -pwd $myWalletPassword
# add the root
orapki wallet add -wallet $myWalletLocation -trusted_cert -cert /tmp/root.cer -pwd $myWalletPassword
# display the resulting wallet contents
orapki wallet display -wallet $myWalletLocation -pwd Welcome1
Posted by at No comments:

Tuesday 28 February 2017

example: utl_http and SSL/TLS on 12c #1

UTL_HTTP and TLS

We are not using SSL, but as name we keep using it. Obviously we use the newer version TLS. However, older versions of Oracle (up to 11.2.0.4) may not support TLSv1.2:

SQL> select utl_http.request('https://www.oracle.com',null,'file:/u01/app/oracle/product/12/db/wallet','Welcome1') 
   from dual;

ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1720
ORA-28860: Fatal SSL error
ORA-06512: at line 1

Example


So we go through the basics, which is not straightforward on 12c, because of several security restrictions.

# prep our user
SQL> create user test identified by Welcome1;

User created.

SQL> grant connect,resource to test;

Grant succeeded.

begin
  dbms_network_acl_admin.create_acl (
    acl         => 'utl_http.xml',
    description => 'HTTP Access',
    principal   => 'TEST',
    is_grant    => TRUE,
    privilege   => 'connect',
    start_date  => null,
    end_date    => null);
 
  dbms_network_acl_admin.add_privilege (
    acl        => 'utl_http.xml',
    principal  => 'TEST',
    is_grant   => TRUE,
    privilege  => 'resolve',
    start_date => null,
    end_date   => null
  );
 
  dbms_network_acl_admin.assign_acl (
    acl        => 'utl_http.xml',
    host       => 'www.oracle.com',
    lower_port => 443,
    upper_port => 443
  );
end;
/

Examine the certificate chain:
openssl s_client -connect www.oracle.com:443 -showcerts \
   </dev/null &> /tmp/request
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify return:1
depth=0 C = US, ST = California, L = Redwood Shores, O = Oracle Corporation, OU = Content Management Services IT, CN = www.oracle.com
verify return:1
CONNECTED(00000003)
---

We need all certificates in the chain to trust the site identified as "CN = www.oracle.com";
We need the Certificate Authority certificate (#2) "CN = GeoTrust Global CA" and we need the Chain certificate (#1) "CN = GeoTrust SSL CA - G3".

At this point, we see in the openssl request, only the site certificate and the chain certificate are returned. The root certificate is assumed to be installed at the client site. On CentOS, that is installed in /etc/pki/tls/certs/ca-bundle.crt

In order to obtain the root certificate, we can extract one with a browser and transfer that to the server, or try to extract the certificate from the bundle on our server. We do the latter.

We start first with the chain certificate from the request; it contained 2 certificates; the chain and the server's certificate. We need only the first:
grep -n 'BEGIN CERTIFICATE' /tmp/request |tail -1
70:-----BEGIN CERTIFICATE-----
grep -n 'END CERTIFICATE' /tmp/request |tail -1
95:-----END CERTIFICATE-----

We copy the lines between 70 and 95 to the chain certificate:
head -95 /tmp/request |tail -26 > /tmp/chain.cer

We review the CA bundle on our server to contain a GeoTrust certificate:
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt \
 | openssl pkcs7 -print_certs -text -noout|grep 'CN=GeoTrust Global CA'
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2
        Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2

So we need to identy the correct certificate in the bundle. We do so by observing all issuers:
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt \
  | openssl pkcs7 -print_certs -text -noout|grep 'Issuer:' > /tmp/issuers.out
# Count the root certificates by issuers and double check that against the bundle. They should match:
cat /tmp/issuers.out |wc -l
167
grep 'BEGIN CERTIFICATE' /etc/pki/tls/certs/ca-bundle.crt| wc -l
167

Check, so we need find what certificate is 'CN=GeoTrust Global CA'
grep -n 'CN=GeoTrust Global CA' /tmp/issuers.out 
80:        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA

The 80th certificate we need to extract from the bundle:
grep -n  'BEGIN CERTIFICATE' /etc/pki/tls/certs/ca-bundle.crt \
|head -80|tail -1
1913:-----BEGIN CERTIFICATE-----
grep -n  'END CERTIFICATE' /etc/pki/tls/certs/ca-bundle.crt \
|head -80|tail -1
1932:-----END CERTIFICATE-----

That is the line numbers we need to extract between:
head -1932 /etc/pki/tls/certs/ca-bundle.crt | tail -20 > /tmp/root.cer

With the two certificates, we can construct our wallet;

echo $ORACLE_HOME
/u01/app/oracle/product/12/db
myWalletDir=$ORACLE_HOME/mywallet
mkdir $ORACLE_HOME/mywallet
# create the wallet
orapki wallet create -wallet $myWalletDir \
-auto_login -pwd Welcome1
# add the certificates
orapki wallet add -wallet $myWalletDir \
-trusted_cert -cert /tmp/root.cer -pwd Welcome1
orapki wallet add -wallet $myWalletDir \
-trusted_cert -cert /tmp/chain.cer -pwd Welcome1
# display the resulting wallet contents
orapki wallet display -wallet $myWalletDir -pwd Welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Trusted Certificates: 
Subject:        CN=GeoTrust SSL CA - G3,O=GeoTrust Inc.,C=US
Subject:        CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US

ls $myWalletDir
cwallet.sso  cwallet.sso.lck  ewallet.p12  ewallet.p12.lck
echo $myWalletDir
/u01/app/oracle/product/12/db/mywallet

Now we can query. We use the wallet in format file:/path/to/myWalletDir, and the password of the wallet:

sqlplus test/Welcome1

select utl_http.request('https://www.oracle.com',null,
  'file:/u01/app/oracle/product/12/db/mywallet','Welcome1') from dual;

UTL_HTTP.REQUEST('HTTPS://WWW.ORACLE.COM',NULL,'FILE:/U01/APP/ORACLE/PRODUCT/12/
--------------------------------------------------------------------------------

<!DOCTYPE html>

<html lang="en-US" class="no-js">

And some housecleaning when we are done:

sqlplus / as sysdba

begin
  DBMS_NETWORK_ACL_ADMIN.DROP_ACL (
    acl         => 'utl_http.xml');
end;
/

drop user test;
Posted by at No comments:

Tuesday 10 January 2017

NetNewsWire 4 mac restore

Restoring is easy, a fresh install may proof challenging.

If you didn't create an export (OPML) then you may have to reimport the subscriptions from the preferences out of your timemachine backup.

In NetNewsWire 3, restore the application preferences within ~/Library/Application Support:
~/Library/Application Support/NetNewsWire/

In NetNewsWire 4, this changed. The preferences are now under ~/Library/Containers:
~/Library/Containers/com.blackpixel.netnewswire/

Procedure is the same:
  • Quit the application
  • In finder go to the folder (Menu > Go > Go to folder) and type ~/Library press enter an browse to the correct folder
  • Activate Time Machine
  • Restore
  • Confirm to overwrite the existing folder
Posted by at No comments:
Subscribe to: Posts (Atom)