May 11, 2019

The Oracle 12.2 update includes a few security enhancements that may cause existing, working code to suddenly stop working, and you may face ORA errors such as "Certificate Validation Failure" or "Certificate of the remote server does not match".

For this blog post, I want to cover a few important topics:

  • How to create a new wallet:
    • Use the following command to create a new wallet.
    • Make sure the wallet directory you create grants sufficient permissions to your Oracle user.

orapki wallet create -wallet <your_wallet_directory_path> -pwd <your_wallet_pwd> -auto_login

  • How to download the certificate file:
    • Ideally, if you download the root certificate, it should work fine. The following are the steps to download the root certificate for an https://s3.amazonaws.com request.
    • Or, create a new certificate file using the following text. Please make sure you do not leave any extra space or newline character at the end.


  • How to import the certificate file:
    • Use the following command to import the certificate into your wallet.
orapki wallet add -wallet <wallet_directory_path> -trusted_cert -cert <your_certificate_file_path> -pwd <wallet_password>
    • Verify the certificate using the following command.
orapki wallet display -wallet <your_wallet_directory_path>
  • Important changes for Oracle 12.2:
    • p_https_host is a new parameter of the APEX_WEB_SERVICE.MAKE_REST_REQUEST function.
    • Set that parameter to "s3.amazonaws.com" (p_https_host = "s3.amazonaws.com").
  • Still getting the same error? Try the following steps:
    • While testing, always create a new session after any change to the wallet.
    • Add the following line before assigning header variables in your REST request. This first clears the header variables left over from your previous request.
apex_web_service.g_request_headers.delete();
    • If you are on a Linux server, execute the following command from your DB server to make sure that no firewall is blocking the requested URL. If the call is successful, it will print 2-3 certificates. If it fails, it may still print a localhost certificate or other error information.
openssl s_client -showcerts -connect s3.amazonaws.com:443
  • Still getting an error?
    • Remember one thing: your Oracle database never lies and will not malfunction. It may not give you the exact and correct error message, but there must be some issue in configuring the wallet and certificates, or maybe at the network or infrastructure level. So, keep trying.
    • Write to me if I can help you out!
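The pieces above (wallet, cleared headers, and p_https_host) put together in one call, as an added example that is not code from the original post. The bucket and object key in the URL are hypothetical placeholders, and the wallet path and password are the same placeholders used in the orapki commands.

```plsql
SET SERVEROUTPUT ON
DECLARE
  l_response CLOB;
BEGIN
  -- Clear header variables left over from a previous request in this session.
  apex_web_service.g_request_headers.delete();
  apex_web_service.g_request_headers(1).name  := 'Accept';
  apex_web_service.g_request_headers(1).value := 'application/xml';

  l_response := apex_web_service.make_rest_request(
    -- Hypothetical bucket and object key; replace with your own.
    p_url         => 'https://s3.amazonaws.com/<your_bucket>/<your_object_key>',
    p_http_method => 'GET',
    -- Directory that holds the wallet created with orapki, prefixed with "file:".
    p_wallet_path => 'file:<your_wallet_directory_path>',
    p_wallet_pwd  => '<your_wallet_pwd>',
    -- Host name the remote server's certificate is matched against.
    p_https_host  => 's3.amazonaws.com');

  dbms_output.put_line('HTTP status: ' || apex_web_service.g_status_code);
  dbms_output.put_line(dbms_lob.substr(l_response, 2000, 1));
EXCEPTION
  WHEN OTHERS THEN
    -- The top-level ORA error is often generic; the detailed message from
    -- UTL_HTTP usually says whether the failure is a certificate validation
    -- problem or a host name mismatch.
    dbms_output.put_line(sqlerrm);
    dbms_output.put_line(utl_http.get_detailed_sqlerrm);
    RAISE;
END;
/
```

Run it in a new session after every wallet change, as noted in the steps above.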
Hope this helps.
Regards,
Jaydip Bosamiya
jbosamiya@gmail.com