8.1.2 Using SSL

Oracle Advanced Security supports authentication by using digital certificates over SSL in addition to the native encryption and data integrity capabilities of these protocols. By using Oracle Advanced Security SSL functionality to secure communications between clients and servers, you can:

- Use SSL to encrypt the connection between clients and servers.
- Authenticate any client or server, such as Oracle Application Server 10g, to any Oracle database server that is configured to communicate over SSL.

You can use SSL features by themselves or in combination with other authentication methods supported by Oracle Advanced Security. For example, you can use the encryption provided by SSL in combination with the authentication provided by Kerberos. SSL supports any of the following authentication modes:

- Only the server authenticates itself to the client.
- Both client and server authenticate themselves to each other.
- Neither the client nor the server authenticates itself to the other, thus using the SSL encryption feature by itself.

8.1.3 How SSL Works in an Oracle Environment: The SSL Handshake

When a network connection over SSL is initiated, the client and server perform an SSL handshake that includes the following steps:

- The client and server establish which cipher suite to use. This includes which encryption algorithms are used for data transfers.
- The server sends its certificate to the client, and the client verifies that the server's certificate was signed by a trusted CA. This step verifies the identity of the server.
- Similarly, if client authentication is required, the client sends its own certificate to the server, and the server verifies that the client's certificate was signed by a trusted CA.
- The client and server exchange key information using public key cryptography. Based on this information, each generates a set of session keys. All subsequent communications between the client and the server are encrypted and decrypted by using this set of session keys and the negotiated cipher suite.

The authentication process consists of the following steps:

- On a client, the user initiates an Oracle Net connection to the server by using SSL.
- SSL performs the handshake between the client and the server.
- If the handshake is successful, the server verifies that the user has the appropriate authorization to access the database.
8.2 Public Key Infrastructure in an Oracle Environment

A public key infrastructure (PKI) is a substrate of network components that provide a security underpinning, based on trust assertions, for an entire organization. A PKI exists so that disparate network entities can access its security services, which use public-key cryptography on an as-needed basis. Oracle provides a complete PKI that is based on RSA Security, Inc., Public-Key Cryptography Standards, and which interoperates with Oracle servers and clients.

8.2.1 About Public Key Cryptography

Traditional private-key or symmetric-key cryptography requires a single, secret key that is shared by two or more parties to a secure communication. This key is used to both encrypt and decrypt secure messages sent between the parties, requiring prior, secure distribution of the key to each party. The problem with this method is that it is difficult to securely transmit and store the key.

Public-key cryptography provides a solution to this problem by employing public-private key pairs and a secure method for key distribution. The freely available public key is used to encrypt messages that can only be decrypted by the holder of the associated private key. The private key is securely stored, together with other security credentials, in an encrypted container called a wallet.

Public-key algorithms can guarantee the secrecy of a message, but they do not necessarily guarantee secure communications because they do not verify the identities of the communicating parties. To establish secure communications, it is important to verify that the public key used to encrypt a message does in fact belong to the target recipient. Otherwise, a third party can potentially eavesdrop on the communication and intercept public key requests, substituting its own public key for a legitimate key (the man-in-the-middle attack). In order to avoid such an attack, it is necessary to verify the owner of the public key, a process called authentication.

Authentication can be accomplished through a certificate authority (CA), which is a third party that is trusted by both of the communicating parties. The CA issues public key certificates that contain an entity's name, public key, and certain other security credentials. Such credentials typically include the CA name, the CA signature, and the certificate effective dates (From Date, To Date). The CA uses its private key to encrypt a message, while the public key is used to decrypt it, thus verifying that the message was encrypted by the CA. The CA public key is well known and does not have to be authenticated each time it is accessed. Such CA public keys are stored in wallets.
8.2.2.1 Certificate Authority

A certificate authority (CA) is a trusted third party that certifies the identity of entities, such as users, databases, administrators, clients, and servers. When an entity requests certification, the CA verifies its identity and grants a certificate, which is signed with the CA's private key. Different CAs may have different identification requirements when issuing certificates. Some CAs may verify a requester's identity with a driver's license, some may verify identity with the requester's fingerprints, while others may require that requesters have their certificate request form notarized. The CA publishes its own certificate, which includes its public key.

Each network entity has a list of trusted CA certificates. Before communicating, network entities exchange certificates and check that each other's certificate is signed by one of the CAs on their respective trusted CA certificate lists. Network entities can obtain their certificates from the same or different CAs.

By default, Oracle Advanced Security automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet. Oracle Application Server Certificate Authority, part of Oracle Identity Management Infrastructure, is a new Oracle PKI component available in Oracle Application Server 10g (9.0.4).

8.2.2.2 Certificates

A certificate is created when an entity's public key is signed by a trusted certificate authority (CA). A certificate ensures that an entity's identification information is correct and that the public key actually belongs to that entity. A certificate contains the entity's name, public key, and an expiration date, as well as a serial number and other information. It can also contain information about the privileges associated with the certificate. When a network entity receives a certificate, it verifies that it is a trusted certificate, that is, one that has been issued and signed by a trusted certificate authority. A certificate remains valid until it expires or until it is revoked.

8.2.2.3 Certificate Revocation Lists

Typically, when a CA signs a certificate binding a public key pair to a user identity, the certificate is valid for a specified period of time. However, certain events, such as user name changes or compromised private keys, can render a certificate invalid before the validity period expires. When this happens, the CA revokes the certificate and adds its serial number to a Certificate Revocation List (CRL). CAs periodically publish CRLs to alert the user population when it is no longer acceptable to use a particular public key to verify its associated user identity.

When servers or clients receive user certificates in an Oracle environment, they can validate the certificate by checking its expiration date, signature, and revocation status. Certificate revocation status is checked by validating it against published CRLs. If certificate revocation status checking is turned on, then the server searches for the appropriate CRL depending on how this feature has been configured. The server searches for CRLs in the following locations:

- Local file system
- Oracle Internet Directory
- A location specified in the CRL Distribution Point (CRL DP) X.509, version 3, certificate extension when the certificate is issued

8.2.2.4 Wallets

A wallet is a container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL.
In an Oracle environment, every entity that communicates over SSL must have a wallet containing an X.509 version 3 certificate, private key, and list of trusted certificates, with the exception of Diffie-Hellman anonymous cipher suites. Security administrators use Oracle Wallet Manager to manage security credentials on the server. Wallet owners use it to manage security credentials on clients. Specifically, you use Oracle Wallet Manager to do the following:

- Generate a public-private key pair and create a certificate request.
- Store a user certificate that matches with the private key.
- Configure trusted certificates.

8.2.2.5 Hardware Security Modules

Oracle Advanced Security uses these devices for the following functions:

- Store cryptographic information, such as private keys.
- Perform cryptographic operations to offload RSA operations from the server, freeing the CPU to respond to other transactions.

Cryptographic information can be stored on two types of hardware devices:

- (Server-side) Hardware boxes where keys are stored in the box, but managed by using tokens.
- (Client-side) Smart card readers, which support storing private keys on tokens.

An Oracle environment supports hardware devices using APIs that conform to the RSA Security, Inc., Public-Key Cryptography Standards (PKCS) #11 specification.

Figure 8-1 SSL in Relation to Other Authentication Methods

In this example, SSL is used to establish the initial handshake (server authentication), and an alternative authentication method is used to authenticate the client.

- The client seeks to connect to the Oracle database server.
- SSL performs a handshake during which the server authenticates itself to the client and both the client and server establish which cipher suite to use.
- Once the SSL handshake is successfully completed, the user seeks access to the database.
- The Oracle database server authenticates the user with the authentication server using a non-SSL authentication method such as Kerberos or RADIUS.
- Upon validation by the authentication server, the Oracle database server grants access and authorization to the user, and then the user can access the database securely by using SSL.
8.4 SSL and Firewalls

Oracle Advanced Security supports two types of firewalls:

- Application proxy-based firewalls, such as Network Associates Gauntlet, or Axent Raptor.
- Stateful packet inspection firewalls, such as Check Point Firewall-1, or Cisco PIX Firewall.

When you enable SSL, stateful inspection firewalls behave like application proxy firewalls because they do not decrypt encrypted packets. Firewalls do not inspect encrypted traffic. When a firewall encounters data addressed to an SSL port on an intranet server, it checks the target IP address against its access rules and lets the SSL packet pass through to permitted SSL ports, rejecting all others.

With the Oracle Net Firewall Proxy kit, a product offered by some firewall vendors, firewall applications can provide specific support for database network traffic. If the proxy kit is implemented in the firewall, then the following processing takes place:

- The Net Proxy (a component of the Oracle Net Firewall Proxy kit) determines where to route its traffic.
- The database listener requires access to a wallet in order to participate in the SSL handshake. The listener inspects the SSL packet and identifies the target database, returning the port on which the target database listens to the client. This port must be designated as an SSL port.
- The client communicates on this server-designated port in all subsequent connections.

The number of ports that are open in the firewall increases as a function of the number of database connections requested for different databases. This approach prohibits the database server from using randomly chosen SSL ports, because the SSL ports on the firewall must match those chosen by the database.

8.6.2.2 Step 2: Specify the Database Wallet Location on the Server

Use Oracle Net Manager to specify the required configuration parameters for the server:

- Navigate to the Oracle Advanced Security profile. The Oracle Advanced Security SSL window is displayed.
- Click the SSL tab and select Configure SSL for: Server.
- In the Wallet Directory box, enter the directory in which the Oracle wallet is located or click Browse to find it by searching the file system.

Note that if you are configuring the database-to-directory SSL connection for Enterprise User Security, then Database Configuration Assistant automatically creates a database wallet while registering the database with the directory. You must use that wallet to store the database PKI credentials for SSL-authenticated Enterprise User Security.
8.6.2.3 Step 3: Set the SSL Cipher Suites on the Server (Optional)

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth. When you install Oracle Advanced Security, the supported SSL cipher suites are set for you by default and negotiated in the order they are listed. You can override the default order by setting the SSL_CIPHER_SUITES parameter. For example, if you use Oracle Net Manager to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.

You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:

- Compatibility. Server and client must be configured to use compatible cipher suites for a successful connection.
- Cipher priority and strength. Prioritize cipher suites starting with the strongest and moving to the weakest to ensure the highest level of security possible.
- The level of security you want to use. For example, triple-DES encryption is stronger than DES.
- The impact on performance. For example, triple-DES encryption is slower than DES.

Notes regarding Diffie-Hellman anonymous authentication:

- If you set the server to employ this cipher suite, then you must also set the same cipher suite on the client. Otherwise, the connection fails.
- If you use a cipher suite employing Diffie-Hellman anonymous, then you must set the SSL_CLIENT_AUTHENTICATION parameter to FALSE.
- There is a known bug in which an OCI client requires a wallet even when using a cipher suite with DH_anon, which does not authenticate the client.

The SSL cipher suites supported in the current release of Oracle Advanced Security are set by default when you install Oracle Advanced Security. Each cipher suite specifies the authentication, encryption, and data integrity types it uses.

8.6.2.4 Step 4: Set the Required SSL Version on the Server (Optional)

You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the systems with which the server communicates. You can require these systems to use any valid version. The default setting for this parameter in sqlnet.ora is undetermined, which is set by selecting Any from the list in the SSL tab of the Oracle Advanced Security window.
To set the SSL version for the server:

- In the Require SSL Version list, the default is Any. Accept this default or select the SSL version you want to use.
- Select File, Save Network Configuration. If you chose Any, then the sqlnet.ora file is updated with the following entry: SSL_VERSION=UNDETERMINED.

8.6.2.5 Step 5: Set SSL Client Authentication on the Server (Optional)

The SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file controls whether the client is authenticated using SSL. The default value is TRUE. You must set this parameter to FALSE if you are using a cipher suite that contains Diffie-Hellman anonymous authentication (DH_anon). Also, you can set this parameter to FALSE for the client to authenticate itself to the server by using any of the non-SSL authentication methods supported by Oracle Advanced Security, such as Kerberos or RADIUS.

8.6.2.6 Step 6: Set SSL as an Authentication Service on the Server (Optional)

The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service. Set this parameter if you want to use SSL authentication in conjunction with another authentication method supported by Oracle Advanced Security. For example, use this parameter if you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using Kerberos.

To set the SQLNET.AUTHENTICATION_SERVICES parameter on the server, add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example, if you want to use SSL authentication in conjunction with RADIUS authentication, set this parameter as follows:

SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius)

If you do not want to use SSL authentication in conjunction with another authentication method, then do not set this parameter.

8.6.3.2 Step 2: Configure Oracle Net Service Name to Include Server DNs and Use TCP/IP with SSL on the Client

You must specify the server's distinguished name (DN) and TCPS as the protocol in the client network configuration files to enable server DN matching and TCP/IP with SSL connections. Server DN matching prevents the database server from faking its identity to the client during connections by matching the server's global database name against the DN from the server certificate. You must manually edit the client network configuration files, tnsnames.ora and listener.ora, to specify the server's DN and the TCP/IP with SSL protocol. The tnsnames.ora file can be located on the client or in the LDAP directory. If it is located on the client, then it typically resides in the same directory as the listener.ora file. Depending on the operating system, these files reside in the following directory locations:

- (UNIX) $ORACLE_HOME/network/admin/
- (Windows) ORACLE_BASE\ORACLE_HOME\network\admin

To edit the tnsnames.ora and listener.ora files, use the following steps:

- In the client tnsnames.ora file, add the SSL_SERVER_CERT_DN parameter and specify the database server's DN as follows:

  (SECURITY=
    (SSL_SERVER_CERT_DN='cn=finance,cn=OracleContext,c=us,o=acme'))

  The client uses this information to obtain the list of DNs it expects for each of the servers, enforcing the server's DN to match its service name. Alternatively, the administrator can ensure that the common name (CN) portion of the server's DN matches the service name.
- In the client tnsnames.ora file, enter tcps as the PROTOCOL in the ADDRESS parameter. This specifies that the client will use TCP/IP with SSL to connect to the database that is identified in the SERVICE_NAME parameter.
- In the listener.ora file, enter tcps as the PROTOCOL in the ADDRESS parameter.

Note: The following alert is displayed when you select No for the server X.509 name match option: "Security Alert: Not enforcing the server X.509 name match allows a server to potentially fake its identity." Oracle recommends selecting YES for this option so that connections are refused when there is a mismatch.

Select File, Save Network Configuration. The sqlnet.ora file on the client is updated with the following entries:

SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION = (SOURCE = (METHOD = File) (METHOD_DATA = (DIRECTORY = wallet_location)))
SSL_SERVER_DN_MATCH = (ON/OFF)
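As an added, constructed example (not taken from the Oracle documentation), here is a matching client tnsnames.ora entry and server listener.ora for the Finance database above, combining the three steps: the TCPS protocol on both sides, the server DN the client will enforce, and the wallet the listener needs for the handshake. The host name, port and wallet directory are placeholders; the DN is the one used in the text.

```text
# Client: tnsnames.ora (constructed example; host and port are placeholders)
FINANCE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = tcps)(HOST = finance-db.example.invalid)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = finance))
    (SECURITY = (SSL_SERVER_CERT_DN = 'cn=finance,cn=OracleContext,c=us,o=acme'))
  )

# Server: listener.ora (constructed example; wallet directory is a placeholder)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = tcps)(HOST = finance-db.example.invalid)(PORT = 2484))
    )
  )
WALLET_LOCATION = (SOURCE = (METHOD = File)(METHOD_DATA = (DIRECTORY = /placeholder/wallet)))
```

With SSL_SERVER_DN_MATCH set to ON in the client's sqlnet.ora, the connection is refused unless the DN in the certificate the listener presents equals the SSL_SERVER_CERT_DN value above.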
8.6.3.4 Step 4: Set the Client SSL Cipher Suites (Optional)

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth. When you install Oracle Advanced Security, the supported SSL cipher suites are set for you by default, in the order they are tried when two entities are negotiating a connection. You can override the default by setting the SSL_CIPHER_SUITES parameter. For example, if you use Oracle Net Manager to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.

You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:

- The level of security you want to use. For example, triple-DES encryption is stronger than DES.
- The impact on performance. For example, triple-DES encryption is slower than DES. SSL hardware accelerators can be used with Oracle Advanced Security.
- Administrative requirements. The cipher suites selected for a client must be compatible with those required by the server. For example, in the case of an Oracle Call Interface (OCI) user, the server requires the client to authenticate itself. You cannot, in this case, use a cipher suite employing Diffie-Hellman anonymous authentication, which disallows the exchange of certificates.

You typically prioritize cipher suites starting with the strongest and moving to the weakest. The SSL cipher suites supported in the current release of Oracle Advanced Security are set by default when you install Oracle Advanced Security. Each cipher suite specifies the authentication, encryption, and data integrity types it uses.

8.6.3.5 Step 5: Set the Required SSL Version on the Client (Optional)

You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the systems with which the client communicates. You can require these systems to use any valid version. The default setting for this parameter in sqlnet.ora is undetermined, which is set by selecting Any from the list in the SSL tab of the Oracle Advanced Security window. When Any is selected, TLS 1.0 is tried first, then SSL 3.0, and then SSL 2.0, in that order. Ensure that the client SSL version is compatible with the version the server uses.

To set the required SSL version for the client:

- In the Require SSL Version list, the default setting is Any.
- Accept this default or select the SSL version you want to configure.
- Select File, Save Network Configuration. The sqlnet.ora file is updated. If you selected Any, then it is updated with the following entry: SSL_VERSION=UNDETERMINED.

8.6.3.6 Step 6: Set SSL as an Authentication Service on the Client (Optional)

The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service. Typically, the sqlnet.ora file is located in the same directory as the other network configuration files. Depending on the platform, the sqlnet.ora file is in the following directory location:

- (UNIX) $ORACLE_HOME/network/admin
- (Windows) ORACLE_BASE\ORACLE_HOME\network\admin

Set the SQLNET.AUTHENTICATION_SERVICES parameter if you want to use SSL authentication in conjunction with another authentication method supported by Oracle Advanced Security. For example, use this parameter if you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using RADIUS.

To set the client SQLNET.AUTHENTICATION_SERVICES parameter, add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example, if you want to use SSL authentication in conjunction with RADIUS authentication, set this parameter as follows:

SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius)

If you do not want to use SSL authentication in conjunction with another authentication method, then do not set this parameter.

Action: Check the following:

- Ensure that the correct wallet location is specified in the sqlnet.ora file so the system can find the wallet.
- Use Oracle Net Manager to ensure that cipher suites are set correctly in the sqlnet.ora file.
  Sometimes this error occurs because the sqlnet.ora file has been manually edited and the cipher suite names are misspelled. Ensure that case-sensitive string matching is used with cipher suite names.
- Use Oracle Net Manager to ensure that the SSL versions on both the client and the server match or are compatible. Sometimes this error occurs because the SSL versions specified on the server and client do not match. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.
- For more diagnostic information, enable Oracle Net tracing on the peer.

Action: Check the following:

- Use Oracle Net Manager to ensure that the SSL versions on both the client and the server match, or are compatible. Sometimes this error occurs because the SSL versions specified on the server and client do not match. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail.
- If you are using a Diffie-Hellman anonymous cipher suite and the SSL_CLIENT_AUTHENTICATION parameter is set to true in the server's listener.ora file, then the client does not pass its certificate to the server. When the server does not receive the client's certificate, it (the server) cannot authenticate the client, so the connection is closed. To resolve this, use another cipher suite, or set this listener.ora parameter to false.
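The rules in the cipher suite, SSL version, client authentication and server DN matching steps above, together with the troubleshooting actions just listed, can be checked mechanically before a connection is attempted. The following Go program is an added example written for this page, not Oracle code: it parses sqlnet.ora parameter syntax and reports the weak or inconsistent settings (unpinned SSL_VERSION, DN matching off, misspelled or case-mismatched cipher suite names, suites not ordered strongest first, weak or anonymous suites, and the DH_anon/SSL_CLIENT_AUTHENTICATION conflict). The cipher suite allow-list is a constructed subset to be extended from your release's table, both sample files are constructed, and the wallet path is a placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseNetFile reads sqlnet.ora-style "NAME = value" entries into a map keyed by
// upper-cased name. A value may continue over following lines until its
// parentheses balance; nested values stay as raw text; '#' starts a comment.
func ParseNetFile(text string) map[string]string {
	params := map[string]string{}
	var buf strings.Builder
	depth := 0
	for _, line := range strings.Split(text, "\n") {
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		buf.WriteString(line + " ")
		depth += strings.Count(line, "(") - strings.Count(line, ")")
		if depth > 0 {
			continue // value not closed yet
		}
		if key, val, ok := strings.Cut(buf.String(), "="); ok {
			params[strings.ToUpper(strings.TrimSpace(key))] = strings.TrimSpace(val)
		}
		buf.Reset()
		depth = 0
	}
	return params
}

// knownSuites is a constructed subset of Oracle Advanced Security cipher suite
// names (assumed here; extend it from the table for your release). Higher is
// stronger; 0 marks anonymous, export-grade or single-DES suites.
var knownSuites = map[string]int{
	"SSL_RSA_WITH_AES_256_CBC_SHA":      5,
	"SSL_RSA_WITH_AES_128_CBC_SHA":      4,
	"SSL_RSA_WITH_3DES_EDE_CBC_SHA":     3,
	"SSL_RSA_WITH_RC4_128_SHA":          2,
	"SSL_RSA_WITH_DES_CBC_SHA":          1,
	"SSL_DH_anon_WITH_3DES_EDE_CBC_SHA": 0, // DH_anon: no server authentication
	"SSL_RSA_EXPORT_WITH_RC4_40_MD5":    0,
}

// LintSQLNet applies the configuration and troubleshooting rules from the text
// above to a parsed client sqlnet.ora and returns one finding per problem.
func LintSQLNet(p map[string]string) []string {
	var f []string
	if _, ok := p["WALLET_LOCATION"]; !ok {
		f = append(f, "WALLET_LOCATION missing: the wallet cannot be found")
	}
	switch strings.ToUpper(p["SSL_VERSION"]) {
	case "", "UNDETERMINED", "ANY":
		f = append(f, "SSL_VERSION not pinned: Any falls back to SSL 3.0 and SSL 2.0")
	}
	if strings.ToUpper(p["SSL_SERVER_DN_MATCH"]) != "ON" {
		f = append(f, "SSL_SERVER_DN_MATCH off: a server could fake its identity")
	}
	prev, anon := 99, false
	for _, s := range strings.Split(strings.Trim(p["SSL_CIPHER_SUITES"], "() "), ",") {
		s = strings.TrimSpace(s)
		rank, ok := knownSuites[s] // exact, case-sensitive name match
		switch {
		case s == "":
			continue
		case !ok:
			f = append(f, "unrecognised cipher suite (names are case-sensitive): "+s)
			continue
		case rank == 0:
			f = append(f, "weak or anonymous cipher suite enabled: "+s)
		case rank > prev:
			f = append(f, "cipher suites not ordered strongest first at: "+s)
		}
		anon, prev = anon || strings.Contains(s, "DH_anon"), rank
	}
	if anon && strings.ToUpper(p["SSL_CLIENT_AUTHENTICATION"]) != "FALSE" {
		f = append(f, "DH_anon suite with SSL_CLIENT_AUTHENTICATION not FALSE: handshake fails")
	}
	return f
}

// weakSQLNet and hardenedSQLNet are constructed client sqlnet.ora files.
const weakSQLNet = `
SSL_VERSION = UNDETERMINED
SSL_SERVER_DN_MATCH = OFF
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA,
                     ssl_rsa_with_rc4_128_sha, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)
`
const hardenedSQLNet = `
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /placeholder/wallet)))  # assumed path
SSL_VERSION = 3.1
SSL_SERVER_DN_MATCH = ON
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
`

func main() {
	fmt.Println("weak config findings:", LintSQLNet(ParseNetFile(weakSQLNet)))
	fmt.Println("hardened config findings:", LintSQLNet(ParseNetFile(hardenedSQLNet)))
}
```

The weak file produces seven findings, including the lower-case suite name that Oracle Net would not match and the DH_anon suite paired with client authentication left at its default of TRUE; the hardened file produces none. SSL_VERSION 3.1 is TLS 1.0 in Oracle Net's numbering, the newest version the text lists.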
- Enable Oracle Net tracing and check the trace output for network errors.

Action: Check the following:

- Check the certificate to determine whether it is valid. If necessary, get a new certificate, inform the sender that her certificate has failed, or resend.
- Check to ensure that the server's wallet has the appropriate trust points to validate the client's certificate. If it does not, then use Oracle Wallet Manager to import the appropriate trust point into the wallet.
- Ensure that the certificate has not been revoked and that certificate revocation list (CRL) checking is turned on.
8.8 Certificate Validation with Certificate Revocation Lists

The process of determining whether a given certificate can be used in a given context is referred to as certificate validation. Certificate validation includes determining that:

- A trusted certificate authority (CA) has digitally signed the certificate.
- The certificate's digital signature corresponds to the independently calculated hash value of the certificate itself and the certificate signer's (CA's) public key.
- The certificate has not expired.
- The certificate has not been revoked.

The SSL network layer automatically performs the first three validation checks, but you must configure certificate revocation list (CRL) checking to ensure that certificates have not been revoked. CRLs are signed data structures that contain a list of revoked certificates. They are usually issued and signed by the same entity who issued the original certificate.

8.8.2 How CRL Checking Works

Certificate revocation status is checked against CRLs, which are located in file system directories, Oracle Internet Directory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate. Typically, CRL definitions are valid for a few days. If you store your CRLs on the local file system or in the directory, then you must update them regularly. If you use CRL DPs, then CRLs are downloaded each time a certificate is used, so there is no need to regularly refresh the CRLs.

The server searches for CRLs in the following locations in the order listed. When the system finds a CRL that matches the certificate CA's DN, it stops searching.

- Local file system. The system checks the sqlnet.ora file for the SSL_CRL_FILE parameter first, followed by the SSL_CRL_PATH parameter. If these two parameters are not specified, then the system checks the wallet location for any CRLs. Note: If you store CRLs on your local file system, then you must use the orapki utility to periodically update them.
- Oracle Internet Directory. If the server cannot locate the CRL on the local file system and directory connection information has been configured in an ldap.ora file, then the server searches in the directory. It searches the CRL subtree by using the CA's distinguished name (DN) and the DN of the CRL subtree. The server must have a properly configured ldap.ora file to search for CRLs in the directory. It cannot use the Domain Name System (DNS) discovery feature of Oracle Internet Directory. Also note that if you store CRLs in the directory, then you must use the orapki utility to periodically update them.
- CRL DP. If the CA specifies a location in the CRL DP X.509, version 3, certificate extension when the certificate is issued, then the appropriate CRL that contains revocation information for that certificate is downloaded. Currently, Oracle Advanced Security supports downloading CRLs over HTTP and LDAP.

Figure 8-7 Oracle Advanced Security SSL Window with Certificate Revocation Checking Selected

The following steps describe how to configure certificate validation with certificate revocation lists:
1. Select one of the following options from the Revocation Check list (refer to, ):

   REQUIRED: Requires certificate revocation status checking. The SSL connection is rejected if a certificate is revoked or no CRL is found. SSL connections are accepted only if it can be verified that the certificate has not been revoked.

   REQUESTED: Performs certificate revocation status checking if a CRL is available. The SSL connection is rejected if a certificate is revoked. SSL connections are accepted if no CRL is found or if the certificate has not been revoked.

   Note: For performance reasons, only user certificates are checked for revocation.

2. (Optional) If CRLs are stored on your local file system, then set one or both of the following fields that specify where they are stored. These fields are available only when Revocation Check is set to REQUIRED or REQUESTED.

   Certificate Revocation Lists Path: Enter the path to the directory where CRLs are stored, or click Browse to find it by searching the file system. Specifying this path sets the SSL_CRL_PATH parameter in the sqlnet.ora file. If a path is not specified for this parameter, then the default is the wallet directory. Both DER-encoded (binary format) and PEM-encoded (BASE64) CRLs are supported.

   Certificate Revocation Lists File: Enter the path to a comprehensive CRL file (where PEM-encoded (BASE64) CRLs are concatenated in order of preference in one file), or click Browse to find it by searching the file system. Specifying this file sets the SSL_CRL_FILE parameter in the sqlnet.ora file. If this parameter is set, then the file must be present in the specified location, or else the application will error out during startup.

   If you want to store CRLs in a local file system directory by setting the Certificate Revocation Lists Path, then you must use the orapki utility to rename them so the system can locate them.

3. (Optional) If CRLs are fetched from Oracle Internet Directory, then directory server and port information must be specified in an ldap.ora file. When configuring your ldap.ora file, you should specify only a non-SSL port for the directory. CRL download is done as part of the SSL protocol, and making an SSL connection within an SSL connection is not supported. Oracle Advanced Security CRL functionality will not work if the Oracle Internet Directory non-SSL port is disabled.

4. Select File, Save Network Configuration. The sqlnet.ora file is updated.

To disable certificate revocation status checking:

1. Select NONE from the Revocation Check list.
2. Select File, Save Network Configuration. The sqlnet.ora file is updated with the following entry:

   SSL_CERT_REVOCATION=NONE

8.8.4.2 Renaming CRLs with a Hash Value for Certificate Validation

When the system validates a certificate, it must locate the CRL issued by the CA that created the certificate. The system locates the appropriate CRL by matching the issuer name in the certificate with the issuer name in the CRL.
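The lookup order, the REQUIRED/REQUESTED/NONE semantics and the issuer-name match described above, modelled as an added Python example (not Oracle's code). Parameter names are as on the page; the wallet path, CRL paths, DNs, serial numbers and the rule that a CRL past its nextUpdate counts as "no CRL found" are assumptions.

```python
# Added example, not Oracle's code: models the sqlnet.ora revocation settings,
# the CRL lookup order and the issuer-name match. All values are constructed.
import re
from datetime import datetime, timezone

WALLET_DIR = "/u01/app/oracle/wallet"        # assumed wallet location
# Constructed sqlnet.ora fragment as written by Oracle Net Manager.
SQLNET_ORA = """
SSL_CERT_REVOCATION = REQUESTED
SSL_CRL_PATH = /u01/app/oracle/crls
"""

def parse_sqlnet(text):
    """Read simple KEY = VALUE lines (real sqlnet.ora syntax is richer)."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*=\s*(\S+)", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def crl_search_order(params, ldap_ora_present=False):
    """Locations the server consults, in the order it tries them."""
    order = []
    if "SSL_CRL_FILE" in params:
        order.append(("file", params["SSL_CRL_FILE"]))
    order.append(("path", params.get("SSL_CRL_PATH", WALLET_DIR)))
    if ldap_ora_present:            # needs ldap.ora; DNS discovery is unsupported
        order.append(("ldap", "CRL subtree in Oracle Internet Directory"))
    order.append(("crldp", "URL from the certificate's CRL DP extension"))
    return order

def revocation_decision(mode, crls_by_issuer, issuer, serial, now):
    """Apply REQUIRED / REQUESTED / NONE to the CRL matching the issuer DN.
    Assumption: a CRL past its nextUpdate is treated as 'no CRL found'."""
    mode = mode.upper()
    if mode == "NONE":
        return True, "revocation checking disabled"
    crl = crls_by_issuer.get(issuer)
    if crl is None or crl["next_update"] < now:
        if mode == "REQUIRED":
            return False, "no current CRL for issuer; connection rejected"
        return True, "no current CRL; accepted because mode is REQUESTED"
    if serial in crl["revoked"]:
        return False, "certificate is listed in CRL"
    return True, "certificate not revoked"

# Constructed CRL store keyed by issuer DN; the CRL is valid until 12 Jan 2024.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
STALE = datetime(2024, 1, 20, tzinfo=timezone.utc)    # after nextUpdate
CRLS = {"CN=root,C=us": {"next_update": datetime(2024, 1, 12, tzinfo=timezone.utc),
                         "revoked": {0x1A2B}}}
```

In this model a stale CRL under REQUESTED lets a revoked certificate through, which is why CRLs stored on the file system or in the directory must be refreshed regularly.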
When you specify a CRL storage location for the Certificate Revocation Lists Path field in Oracle Net Manager, which sets the SSL_CRL_PATH parameter in the sqlnet.ora file, use the orapki utility to rename CRLs with a hash value that represents the issuer's name. Creating the hash value enables the server to load the CRLs. On UNIX operating systems, orapki creates a symbolic link to the CRL. On Windows operating systems, it creates a copy of the CRL file. In either case, the symbolic link or the copy created by orapki is named with a hash value of the issuer's name. Then, when the system validates a certificate, the same hash function is used to calculate the link (or copy) name so the appropriate CRL can be loaded.

Depending on the operating system, enter one of the following commands to rename CRLs stored in the file system.

To rename CRLs stored in UNIX file systems:

   orapki crl hash -crl crlfilename -wallet walletlocation -symlink crldirectory -summary

To rename CRLs stored in Windows file systems:

   orapki crl hash -crl crlfilename -wallet walletlocation -copy crldirectory -summary

where crlfilename is the name of the CRL file, walletlocation is the location of a wallet that contains the certificate of the CA that issued the CRL, and crldirectory is the directory where the CRL is located. Using -wallet and -summary is optional. Specifying -wallet causes the tool to verify the validity of the CRL against the CA's certificate prior to renaming the CRL. Specifying the -summary option causes the tool to display the CRL issuer's name.

8.8.4.3 Uploading CRLs to Oracle Internet Directory

Publishing CRLs in the directory enables CRL validation throughout your enterprise, eliminating the need for individual applications to configure their own CRLs. All applications can use the CRLs stored in the directory, where they can be centrally managed, greatly reducing the administrative overhead of CRL management and use.

The user who uploads CRLs to the directory by using orapki must be a member of the directory group CRLAdmins (cn=CRLAdmins,cn=groups,%sOracleContextDN%). This is a privileged operation because these CRLs are accessible to the entire enterprise. Contact your directory administrator to be added to this administrative directory group.

To upload CRLs to the directory, enter the following at the command line:

   orapki crl upload -crl crllocation -ldap hostname:sslport -user username -wallet walletlocation -summary

where crllocation is the file name or URL where the CRL is located, hostname and sslport (SSL port with no authentication) are for the system on which your directory is installed, username is the directory user who has permission to add CRLs to the CRL subtree, and walletlocation is the location of a wallet that contains the certificate of the CA that issued the CRL. Using -wallet and -summary is optional. Specifying -wallet causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory. Specifying the -summary option causes the tool to print the CRL issuer's name and the LDAP entry where the CRL is stored in the directory.

The following example illustrates uploading a CRL with the orapki utility:

   orapki crl upload -crl /home/user1/wallet/crldir/crl.txt -ldap host1.oracle.com:3533 -user cn=orcladmin

8.8.4.4 Listing CRLs Stored in Oracle Internet Directory

You can display a list of all CRLs stored in the directory with orapki, which is useful for browsing to locate a particular CRL to view or download to your local computer. This command displays the CA that issued the CRL (Issuer) and its location (DN) in the CRL subtree of your directory. To list CRLs in Oracle Internet Directory, enter the following at the command line:

   orapki crl list -ldap hostname:sslport

where hostname and sslport are for the system on which your directory is installed. Note that this is the directory SSL port with no authentication, as described in the preceding section.

8.8.4.6 Deleting CRLs from Oracle Internet Directory

The user who deletes CRLs from the directory by using orapki must be a member of the directory group CRLAdmins. Refer to for information about this directory administrative group. To delete CRLs from the directory, enter the following at the command line:

   orapki crl delete -issuer issuername -ldap host:sslport -user username -summary

where issuername is the name of the CA that issued the CRL, hostname and sslport are for the system on which your directory is installed, and username is the directory user who has permission to delete CRLs from the CRL subtree. This must be a directory SSL port with no authentication. Refer to, for more information about this port. Using the -summary option causes the tool to print the CRL LDAP entry that was deleted. For example, the following orapki command:

   orapki crl delete -issuer 'CN=root,C=us' -ldap machine1:3500 -user cn=orcladmin -summary

produces the following output, which lists the location of the deleted CRL in the directory:

   Deleted CRL at cn=root cd45860c.rN,cn=CRLValidation,cn=Validation,cn=PKI,cn=Products,cn=OracleContext

8.8.5 Troubleshooting Certificate Validation

To determine whether certificates are being validated against CRLs, you can enable Oracle Net tracing.
When a revoked certificate is validated by using CRLs, you will see the following entries in the Oracle Net trace file, without error messages logged between entry and exit:

   nzcrlVCSVerifyCRLSignature: entry
   nzcrlVCSVerifyCRLSignature: exit
   nzcrlVCDVerifyCRLDate: entry
   nzcrlVCDVerifyCRLDate: exit
   nzcrlCCSCheckCertStatus: entry
   nzcrlCCSCheckCertStatus: Certificate is listed in CRL
   nzcrlCCSCheckCertStatus: exit

Action: Ensure that your certificate authority publishes the CRL to the URL that is specified in the certificate's CRL DP extension. Manually download the CRL. Then, depending on whether you want to store it on your local file system or in Oracle Internet Directory, perform the following steps.

If you want to store the CRL on your local file system:

1. Use Oracle Net Manager to specify the path to the CRL directory or file. Refer to.
2. Use the orapki utility to configure the CRL for system use. Refer to.

If you want to store the CRL in Oracle Internet Directory:

1. Use Oracle Net Configuration Assistant to create and configure an ldap.ora file with directory connection information.
2. Use the orapki utility to upload the CRL to the directory.

8.9.1 General Guidelines for Using Hardware Security Modules with Oracle Advanced Security

The following general guidelines apply if you are using a hardware security module with Oracle Advanced Security:

- Contact your hardware device vendor to obtain the necessary hardware, software, and PKCS #11 libraries.
- Install the hardware, software, and libraries where appropriate for the hardware security module you are using.
- Test your hardware security module installation to ensure that it is operating correctly. Refer to your device documentation for instructions.
- Create a wallet of the type PKCS11 by using Oracle Wallet Manager and specify the absolute path to the PKCS #11 library (including the library name) if you wish to store the private key in the token. Oracle PKCS11 wallets contain information that points to the token for private key access.

You can use the wallet containing PKCS #11 information just as you would use any Oracle wallet, except that the private keys are stored on the hardware device and the cryptographic operations are performed on the device as well.

8.9.2 Configuring Your System to Use nCipher Hardware Security Modules

Hardware security modules made by nCipher Corporation are certified to operate with Oracle Advanced Security. These modules provide a secure way to store keys and off-load cryptographic processing. Primarily, these devices provide the following benefits:

- Off-load cryptographic processing, which frees your server to respond to other requests.
- Secure private key storage on the device.
- Allow key administration through the use of smart cards.

8.9.2.2 About Installing an nCipher Hardware Security Module

To use the secure accelerator, you must provide the absolute path to the directory that contains the nCipher PKCS #11 library (including the library name) when you create the wallet by using Oracle Wallet Manager. This enables the library to be loaded at runtime. Typically, the nCipher card is installed at the following locations:

- /opt/nfast for UNIX
- C:\nfast for Windows

The nCipher PKCS #11 library is located at the following location for typical installations:

- /opt/nfast/toolkits/pkcs11/libcknfast.so for UNIX 32-bit
- /opt/nfast/toolkits/pkcs11/libcknfast-64.so for UNIX 64-bit
- C:\nfast\toolkits\pkcs11\cknfast.dll for Windows

8.9.3.2 About Installing a SafeNET Hardware Security Module

To use the secure accelerator, you must provide the absolute path to the directory that contains the SafeNET PKCS #11 library (including the library name) when you create the wallet using Oracle Wallet Manager. This enables the library to be loaded at runtime. Typically, the SafeNET Luna SA client is installed at the following location:

- /usr/lunasa for UNIX
- C:\Program Files\LunaSA for Windows

The SafeNET Luna SA PKCS #11 library is located at the following location for typical installations:

- /usr/lunasa/lib/libCryptoki2.so for UNIX
- C:\Program Files\LunaSA\cryptoki2.dll for Windows

8.9.4 Troubleshooting Using Hardware Security Modules

To detect whether the module is being used, you can turn on Oracle Net tracing. If the wallet contains PKCS #11 information and the private key on the module is being used, then you will see the following entries in the Oracle Net trace file, without error messages logged between entry and exit:

   nzpkcs11Init: entry
   nzpkcs11CPChangeProviders: entry
   nzpkcs11CPChangeProviders: exit
   nzpkcs11GPKGetPrivateKey: entry
   nzpkcs11GPKGetPrivateKey: exit
   nzpkcs11Init: exit
   nzpkcs11Decrypt: entry
   nzpkcs11Decrypt: exit
   nzpkcs11Sign: entry
   nzpkcs11Sign: exit
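An added Python example (not Oracle's code) that scans an Oracle Net trace excerpt for the entry/exit patterns shown in 8.8.5 for CRL checking and here for PKCS #11 use, flagging any function that logged an error between entry and exit. The trace excerpt is constructed from the function names on the page; the PKCS #11 error line is invented to show a failed lookup.

```python
# Added example, not Oracle's code: checks an Oracle Net trace excerpt for
# clean entry/exit pairs and for errors logged between them.
import re

# Constructed trace excerpt: function names as on the page, timestamps
# omitted; the "error" line is invented to show a failed private-key lookup.
TRACE = """\
nzcrlVCSVerifyCRLSignature: entry
nzcrlVCSVerifyCRLSignature: exit
nzcrlVCDVerifyCRLDate: entry
nzcrlVCDVerifyCRLDate: exit
nzcrlCCSCheckCertStatus: entry
nzcrlCCSCheckCertStatus: Certificate is listed in CRL
nzcrlCCSCheckCertStatus: exit
nzpkcs11Init: entry
nzpkcs11CPChangeProviders: entry
nzpkcs11CPChangeProviders: exit
nzpkcs11GPKGetPrivateKey: entry
nzpkcs11GPKGetPrivateKey: error: private key not found on token
nzpkcs11GPKGetPrivateKey: exit
nzpkcs11Init: exit
"""
LINE_RE = re.compile(r"^\s*(nz\w+):\s*(.*?)\s*$")
CRL_FUNCS = ("nzcrlVCSVerifyCRLSignature", "nzcrlVCDVerifyCRLDate",
             "nzcrlCCSCheckCertStatus")
HSM_FUNCS = ("nzpkcs11Init", "nzpkcs11GPKGetPrivateKey")

def analyze_trace(text):
    """Map each traced function to 'ok', 'error' or 'no exit', and report
    whether a certificate was found in a CRL."""
    status, open_funcs, revoked = {}, {}, False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        func, msg = m.groups()
        if msg == "entry":
            open_funcs[func] = "ok"
        elif msg == "exit":
            status[func] = open_funcs.pop(func, "exit without entry")
        elif "Certificate is listed in CRL" in msg:
            revoked = True
        elif "error" in msg.lower():
            for f in open_funcs:        # error falls inside every open pair
                open_funcs[f] = "error"
    status.update((f, "no exit") for f in open_funcs)
    return status, revoked

def checks_clean(status, funcs):
    """True only if every listed function has a clean entry/exit pair."""
    return all(status.get(f) == "ok" for f in funcs)
```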