Tcps cert order (#2683)
* Taking reverse order of certs from user

* Taking reverse order of certs from user

* readMe changes

* tcps certs order reversed

* tcps certs order reversed

* tcps certs order reversed

---------

Co-authored-by: Yunus Qureshi <[email protected]>
Co-authored-by: Gerald Venzl <[email protected]>
3 people authored Aug 18, 2023
1 parent 8e59a92 commit f2f3014
Showing 4 changed files with 51 additions and 21 deletions.
4 changes: 2 additions & 2 deletions OracleDatabase/SingleInstance/README.md
@@ -230,7 +230,7 @@ There are two ways to enable TCPS connections for the database:
* Use the `-e ENABLE_TCPS=true` option with the `docker run` command. A listener endpoint will be created at the container port 2484 for TCPS.
* With User provided SSL Certificates
* Use the `-e ENABLE_TCPS=true` and `-e TCPS_CERTS_LOCATION=<location of certs in container>` option with the `docker run` command. Also mount a local host directory (containing `cert.crt` and `client.key`) at `TCPS_CERTS_LOCATION` using `-v` option.
* `cert.cert` is a certificate chain in the order of root, followed by intermediate and then client certificate.
* `cert.cert` is a certificate chain in the order of client, followed by intermediate and then root certificate.

2. Enable TCPS after the database is created.

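Review bot: the bullet still refers to `cert.cert` while the line above it, the `docker cp` instructions and the script itself use `cert.crt`; fix the file name in the bullet. Since the script now uses the first certificate in the file as the one matching `client.key` and imports everything after it as trusted certificates, the bullet should also say that a file holding only the leaf certificate is not sufficient, and that chains prepared for earlier images (root first) have to be reordered.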
@@ -239,7 +239,7 @@ There are two ways to enable TCPS connections for the database:
docker exec <container name> /opt/oracle/configTcps.sh

* With User provided SSL Certificates
* `cert.cert` is a certificate chain in the order of root, followed by intermediate and then client certificate.
* `cert.cert` is a certificate chain in the order of client, followed by intermediate and then root certificate.
* Copy your `cert.crt` and `client.key` files into the container at `TCPS_CERTS_LOCATION` using the following command

docker cp cert.crt client.key <container name>:<TCPS_CERTS_LOCATION>
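Review bot: same `cert.cert` vs `cert.crt` mismatch in this section; the `docker cp cert.crt client.key ...` line two lines below shows the name the script actually expects. Because the sentence silently inverts the required order, a short note that the order changed (and that root-first chains from earlier versions must be reversed) would save users a confusing failure at connection time.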
24 changes: 17 additions & 7 deletions OracleDatabase/SingleInstance/dockerfiles/19.3.0/configTcps.sh
@@ -39,9 +39,12 @@ EOF
# Removing cert from /tmp location
rm /tmp/"$(hostname)"-certificate.crt
else
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${CLIENT_CERT_LOCATON}" <<EOF
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${INTERMEDIATE_CERT_LOCATION}" <<EOF
${WALLET_PWD}
EOF

# removing temp cert file
rm "${INTERMEDIATE_CERT_LOCATION}"
fi

# Generate tnsnames.ora and sqlnet.ora for the consumption by the client
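Review bot: the `rm "${INTERMEDIATE_CERT_LOCATION}"` cleanup only runs on this path, so if `orapki wallet add` fails or the script exits earlier, `/tmp/cert_temp.crt` stays behind; a `trap 'rm -f "${INTERMEDIATE_CERT_LOCATION}"' EXIT` set where the file is created is more robust. The exit status of `orapki wallet add` is also not checked here (the password comes from the heredoc, and the input file may be empty if the user supplied a single certificate), so a failed import of the CA certificates into `${CLIENT_WALLET_LOC}` would only surface when a client tries to connect; check `$?` and abort with a clear message.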
@@ -122,7 +125,6 @@ function disable_tcps() {
rm -rf "$WALLET_LOC" "$CLIENT_WALLET_LOC"
}


###########################################
################## MAIN ###################
###########################################
@@ -150,11 +152,19 @@ if [[ -z "${TCPS_CERTS_LOCATION}" ]]; then
CUSTOM_CERTS=false
else
CUSTOM_CERTS=true
# Client Cert location
CLIENT_CERT_LOCATON="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Client key location
CLIENT_KEY_LOCATON="${TCPS_CERTS_LOCATION}"/client.key # client key
# Client Cert location (from user)
CLIENT_CERT_LOCATION="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Intermediate Cert location (Extracted from user provided chained certificate)
INTERMEDIATE_CERT_LOCATION="/tmp/cert_temp.crt" # certificate file

# Client key location
CLIENT_KEY_LOCATION="${TCPS_CERTS_LOCATION}"/client.key # client key

# Extracting intermediate certificate from user given chain certificate file
# Removing the first occurence of following pattern
sed '{0,/-END CERTIFICATE-/d}' "$CLIENT_CERT_LOCATION" > "$INTERMEDIATE_CERT_LOCATION"
fi

# Disable TCPS control flow
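Review bot: `sed '{0,/-END CERTIFICATE-/d}'` deletes everything up to and including the first END line, so the file called `INTERMEDIATE_CERT_LOCATION` actually holds every certificate after the leaf (intermediates and root), and is empty when `cert.crt` contains only one certificate; name it for what it is (e.g. `CHAIN_CERTS_LOCATION`) and validate the input first, for instance by requiring `grep -c 'BEGIN CERTIFICATE' "$CLIENT_CERT_LOCATION"` to be at least 2 before running sed. The `0,/re/` address is a GNU sed extension, fine on the Oracle Linux base image but worth a comment. `/tmp/cert_temp.crt` is a fixed, predictable name in a shared directory; `mktemp` avoids clobbering and symlink surprises. Minor: "occurence" in the comment should be "occurrence". The typo fix from `LOCATON` to `LOCATION` is good; please confirm no other reference to the old names remains outside the shown hunks, or run the script with `set -u` once to catch any.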
@@ -207,7 +217,7 @@ EOF
else
# creating pkcs12 file in case of custom certs
echo "Creating pkcs12 file"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATON}" -inkey "${CLIENT_KEY_LOCATON}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATION}" -inkey "${CLIENT_KEY_LOCATION}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"

# Adding custom pkcs12 file in database server wallet
echo "Importing pkcs12 file in server wallet"
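Review bot: rename only here, but worth noting in a comment that `openssl pkcs12 -export` picks the certificate in `-in` that matches `-inkey` regardless of its position and packs the remaining ones as CA certificates, so this step accepted both orderings; the new client-first requirement comes entirely from the sed extraction above. Pre-existing but visible in this hunk: `-password pass:"${PKCS12_PWD}"` puts the password on the command line, where it is readable via `ps` or `/proc` inside the container while the command runs; `-password env:PKCS12_PWD` or a file-based `-passout` avoids that.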
22 changes: 16 additions & 6 deletions OracleDatabase/SingleInstance/dockerfiles/21.3.0/configTcps.sh
@@ -39,9 +39,12 @@ EOF
# Removing cert from /tmp location
rm /tmp/"$(hostname)"-certificate.crt
else
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${CLIENT_CERT_LOCATON}" <<EOF
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${INTERMEDIATE_CERT_LOCATION}" <<EOF
${WALLET_PWD}
EOF

# removing temp cert file
rm "${INTERMEDIATE_CERT_LOCATION}"
fi

# Generate tnsnames.ora and sqlnet.ora for the consumption by the client
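Review bot: as in the 19.3.0 copy of this script, the temp file is removed only on this path and the result of `orapki wallet add -trusted_cert` is not checked; a `trap ... EXIT` for `${INTERMEDIATE_CERT_LOCATION}` plus an exit-status check after `orapki` would make a failed CA import fail fast instead of at the first client connection.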
@@ -122,7 +125,6 @@ function disable_tcps() {
rm -rf "$WALLET_LOC" "$CLIENT_WALLET_LOC"
}


###########################################
################## MAIN ###################
###########################################
@@ -154,11 +156,19 @@ if [[ -z "${TCPS_CERTS_LOCATION}" ]]; then
CUSTOM_CERTS=false
else
CUSTOM_CERTS=true
# Client Cert location
CLIENT_CERT_LOCATON="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Client Cert location (from user)
CLIENT_CERT_LOCATION="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Intermediate Cert location (Extracted from user provided chained certificate)
INTERMEDIATE_CERT_LOCATION="/tmp/cert_temp.crt" # certificate file

# Client key location
CLIENT_KEY_LOCATON="${TCPS_CERTS_LOCATION}"/client.key # client key
CLIENT_KEY_LOCATION="${TCPS_CERTS_LOCATION}"/client.key # client key

# Extracting intermediate certificate from user given chain certificate file
# Removing the first occurence of following pattern
sed '{0,/-END CERTIFICATE-/d}' "$CLIENT_CERT_LOCATION" > "$INTERMEDIATE_CERT_LOCATION"
fi

# Disable TCPS control flow
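Review bot: identical block to the 19.3.0 script, with the same points: the sed command strips only the first certificate, so `INTERMEDIATE_CERT_LOCATION` holds the whole remaining chain (or nothing, if the user supplied a single certificate) and should be validated and named accordingly; `/tmp/cert_temp.crt` should come from `mktemp`; "occurence" is misspelled. Since this logic is now duplicated verbatim in three `configTcps.sh` versions, consider moving the chain handling into a shared helper so future fixes land once.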
@@ -211,7 +221,7 @@ EOF
else
# creating pkcs12 file in case of custom certs
echo "Creating pkcs12 file"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATON}" -inkey "${CLIENT_KEY_LOCATON}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATION}" -inkey "${CLIENT_KEY_LOCATION}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"

# Adding custom pkcs12 file in database server wallet
echo "Importing pkcs12 file in server wallet"
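Review bot: rename only; same observation as for 19.3.0: `openssl pkcs12 -export` matches the certificate to `-inkey` by key rather than position, so the order requirement is imposed by the sed extraction, not by this step, and `-password pass:` exposes the password on the process command line (`env:` or a file-based `-passout` is safer).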
22 changes: 16 additions & 6 deletions OracleDatabase/SingleInstance/dockerfiles/23.2.0/configTcps.sh
@@ -39,9 +39,12 @@ EOF
# Removing cert from /tmp location
rm /tmp/"$(hostname)"-certificate.crt
else
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${CLIENT_CERT_LOCATON}" <<EOF
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${INTERMEDIATE_CERT_LOCATION}" <<EOF
${WALLET_PWD}
EOF

# removing temp cert file
rm "${INTERMEDIATE_CERT_LOCATION}"
fi

# Generate tnsnames.ora and sqlnet.ora for the consumption by the client
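Review bot: same as the other two versions of this script: `rm "${INTERMEDIATE_CERT_LOCATION}"` is reached only if everything before it succeeds, and `orapki wallet add` is not checked for failure; add an EXIT trap for the temp file and abort on a non-zero `orapki` status.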
@@ -122,7 +125,6 @@ function disable_tcps() {
rm -rf "$WALLET_LOC" "$CLIENT_WALLET_LOC"
}


###########################################
################## MAIN ###################
###########################################
@@ -154,11 +156,19 @@ if [[ -z "${TCPS_CERTS_LOCATION}" ]]; then
CUSTOM_CERTS=false
else
CUSTOM_CERTS=true
# Client Cert location
CLIENT_CERT_LOCATON="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Client Cert location (from user)
CLIENT_CERT_LOCATION="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Intermediate Cert location (Extracted from user provided chained certificate)
INTERMEDIATE_CERT_LOCATION="/tmp/cert_temp.crt" # certificate file

# Client key location
CLIENT_KEY_LOCATON="${TCPS_CERTS_LOCATION}"/client.key # client key
CLIENT_KEY_LOCATION="${TCPS_CERTS_LOCATION}"/client.key # client key

# Extracting intermediate certificate from user given chain certificate file
# Removing the first occurence of following pattern
sed '{0,/-END CERTIFICATE-/d}' "$CLIENT_CERT_LOCATION" > "$INTERMEDIATE_CERT_LOCATION"
fi

# Disable TCPS control flow
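Review bot: third verbatim copy of the chain-splitting block; the same caveats apply (`sed '{0,/-END CERTIFICATE-/d}'` keeps everything after the leaf, not just the intermediate, and yields an empty file for a single-certificate input; fixed `/tmp/cert_temp.crt` path; "occurence" typo). A quick certificate-count check before the sed and a shared helper across the three versions would address all of them in one place.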
@@ -211,7 +221,7 @@ EOF
else
# creating pkcs12 file in case of custom certs
echo "Creating pkcs12 file"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATON}" -inkey "${CLIENT_KEY_LOCATON}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATION}" -inkey "${CLIENT_KEY_LOCATION}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"

# Adding custom pkcs12 file in database server wallet
echo "Importing pkcs12 file in server wallet"
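Review bot: rename only; as in the other versions, this `openssl pkcs12 -export` call works with either chain order because the leaf is selected by matching `-inkey`, and `-password pass:"${PKCS12_PWD}"` leaves the password visible on the command line while the export runs.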