Tcps cert order #2683

Merged (8 commits), Aug 18, 2023
4 changes: 2 additions & 2 deletions OracleDatabase/SingleInstance/README.md
@@ -230,7 +230,7 @@ There are two ways to enable TCPS connections for the database:
* Use the `-e ENABLE_TCPS=true` option with the `docker run` command. A listener endpoint will be created at the container port 2484 for TCPS.
* With User provided SSL Certificates
* Use the `-e ENABLE_TCPS=true` and `-e TCPS_CERTS_LOCATION=<location of certs in container>` option with the `docker run` command. Also mount a local host directory (containing `cert.crt` and `client.key`) at `TCPS_CERTS_LOCATION` using `-v` option.
* `cert.cert` is a certificate chain in the order of root, followed by intermediate and then client certificate.
* `cert.cert` is a certificate chain in the order of client, followed by intermediate and then root certificate.

2. Enable TCPS after the database is created.

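Review bot: the new wording (client first, then intermediate, then root) matches what the script now does, since it discards everything up to the first `-END CERTIFICATE-` and imports the remainder as trusted, but the file name in these two bullets still disagrees: the mount instruction says `cert.crt` while the chain bullet says `cert.cert`. Make it `cert.crt` throughout, and say explicitly that every certificate after the leaf is treated as a trust anchor, so the file should contain only the issuing chain and nothing else.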
@@ -239,7 +239,7 @@ There are two ways to enable TCPS connections for the database:
docker exec <container name> /opt/oracle/configTcps.sh

* With User provided SSL Certificates
* `cert.cert` is a certificate chain in the order of root, followed by intermediate and then client certificate.
* `cert.cert` is a certificate chain in the order of client, followed by intermediate and then root certificate.
* Copy your `cert.crt` and `client.key` files into the container at `TCPS_CERTS_LOCATION` using the following command

docker cp cert.crt client.key <container name>:<TCPS_CERTS_LOCATION>
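Review bot: the same `cert.cert` versus `cert.crt` mismatch is here; the `docker cp` line right below names `cert.crt`, so a reader following the bullet literally ships a file the script never reads. It would also help to say that a bare leaf certificate without its chain is not enough for this mode, because the script derives the trusted certificate from whatever follows the first certificate in `cert.crt`.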
24 changes: 17 additions & 7 deletions OracleDatabase/SingleInstance/dockerfiles/19.3.0/configTcps.sh
@@ -39,9 +39,12 @@ EOF
# Removing cert from /tmp location
rm /tmp/"$(hostname)"-certificate.crt
else
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${CLIENT_CERT_LOCATON}" <<EOF
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${INTERMEDIATE_CERT_LOCATION}" <<EOF
${WALLET_PWD}
EOF

# removing temp cert file
rm "${INTERMEDIATE_CERT_LOCATION}"
fi

# Generate tnsnames.ora and sqlnet.ora for the consumption by the client
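Review bot: `-cert "${INTERMEDIATE_CERT_LOCATION}"` now points at a file that holds everything after the leaf certificate, that is the intermediate and the root (plus any further certificates the user put in the chain), yet the comment and the variable name speak of a single intermediate. Please confirm whether `orapki wallet add -trusted_cert` reads every PEM block in that file or only the first one; if only the first, the root never reaches `${CLIENT_WALLET_LOC}` and clients end up trusting an intermediate rather than a root. Separately, `rm "${INTERMEDIATE_CERT_LOCATION}"` only runs on this branch, so a failure in the `orapki` call above leaves the extracted chain behind at the fixed path `/tmp/cert_temp.crt`; a `trap ... EXIT` cleanup would cover the error path as well.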
@@ -122,7 +125,6 @@ function disable_tcps() {
rm -rf "$WALLET_LOC" "$CLIENT_WALLET_LOC"
}


###########################################
################## MAIN ###################
###########################################
@@ -150,11 +152,19 @@ if [[ -z "${TCPS_CERTS_LOCATION}" ]]; then
CUSTOM_CERTS=false
else
CUSTOM_CERTS=true
# Client Cert location
CLIENT_CERT_LOCATON="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Client key location
CLIENT_KEY_LOCATON="${TCPS_CERTS_LOCATION}"/client.key # client key
# Client Cert location (from user)
CLIENT_CERT_LOCATION="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Intermediate Cert location (Extracted from user provided chained certificate)
INTERMEDIATE_CERT_LOCATION="/tmp/cert_temp.crt" # certificate file

# Client key location
CLIENT_KEY_LOCATION="${TCPS_CERTS_LOCATION}"/client.key # client key

# Extracting intermediate certificate from user given chain certificate file
# Removing the first occurence of following pattern
sed '{0,/-END CERTIFICATE-/d}' "$CLIENT_CERT_LOCATION" > "$INTERMEDIATE_CERT_LOCATION"
fi

# Disable TCPS control flow
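Review bot: the `0,/re/` address form is a GNU sed extension and the surrounding `{ }` adds nothing, so `sed '0,/-END CERTIFICATE-/d'` is the clearer spelling; the more important gap is what happens when `cert.crt` contains only the leaf: the output file is then empty and the later `orapki wallet add -trusted_cert` call is handed an empty file. Check for a `-----BEGIN CERTIFICATE-----` line in `$INTERMEDIATE_CERT_LOCATION` (or count the blocks in `cert.crt` with `grep -c`) and fail with a clear message, since a chain-less certificate is exactly the mistake the README change is trying to prevent. The fixed name `/tmp/cert_temp.crt` also means a second run, or any other process in the container, can clobber or pre-create the file; `mktemp` gives a private name. Typo in the comment: `occurence` should be `occurrence`.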
@@ -207,7 +217,7 @@ EOF
else
# creating pkcs12 file in case of custom certs
echo "Creating pkcs12 file"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATON}" -inkey "${CLIENT_KEY_LOCATON}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATION}" -inkey "${CLIENT_KEY_LOCATION}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"

# Adding custom pkcs12 file in database server wallet
echo "Importing pkcs12 file in server wallet"
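Review bot: the renamed variables line up with the definitions in the main block, good. Since this line is being touched anyway: `-password pass:"${PKCS12_PWD}"` places the PKCS#12 password in the process argument list, where any user in the container can read it from `ps` or `/proc/<pid>/cmdline` for the lifetime of the `openssl` call; `-passout env:PKCS12_PWD` (with the variable exported) or `-passout file:` avoids that. Note also that with a full chain in `cert.crt`, `openssl pkcs12 -export` includes the additional certificates it finds in the input file in the `.p12`, which is what the wallet import below expects, so nothing further is needed on that side.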
22 changes: 16 additions & 6 deletions OracleDatabase/SingleInstance/dockerfiles/21.3.0/configTcps.sh
@@ -39,9 +39,12 @@ EOF
# Removing cert from /tmp location
rm /tmp/"$(hostname)"-certificate.crt
else
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${CLIENT_CERT_LOCATON}" <<EOF
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${INTERMEDIATE_CERT_LOCATION}" <<EOF
${WALLET_PWD}
EOF

# removing temp cert file
rm "${INTERMEDIATE_CERT_LOCATION}"
fi

# Generate tnsnames.ora and sqlnet.ora for the consumption by the client
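Review bot: this is the same change as in the 19.3.0 copy of the script, and the same question applies: the file behind `${INTERMEDIATE_CERT_LOCATION}` carries the intermediate and the root together, so please confirm that `orapki wallet add -trusted_cert` imports every certificate in it rather than only the first, otherwise the root is missing from the client wallet. The `rm` also runs only on this branch, so the extracted chain is left in `/tmp/cert_temp.crt` if `orapki` fails; a `trap` on `EXIT` would clean up on both paths.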
@@ -122,7 +125,6 @@ function disable_tcps() {
rm -rf "$WALLET_LOC" "$CLIENT_WALLET_LOC"
}


###########################################
################## MAIN ###################
###########################################
@@ -154,11 +156,19 @@ if [[ -z "${TCPS_CERTS_LOCATION}" ]]; then
CUSTOM_CERTS=false
else
CUSTOM_CERTS=true
# Client Cert location
CLIENT_CERT_LOCATON="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Client Cert location (from user)
CLIENT_CERT_LOCATION="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Intermediate Cert location (Extracted from user provided chained certificate)
INTERMEDIATE_CERT_LOCATION="/tmp/cert_temp.crt" # certificate file

# Client key location
CLIENT_KEY_LOCATON="${TCPS_CERTS_LOCATION}"/client.key # client key
CLIENT_KEY_LOCATION="${TCPS_CERTS_LOCATION}"/client.key # client key

# Extracting intermediate certificate from user given chain certificate file
# Removing the first occurence of following pattern
sed '{0,/-END CERTIFICATE-/d}' "$CLIENT_CERT_LOCATION" > "$INTERMEDIATE_CERT_LOCATION"
fi

# Disable TCPS control flow
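Review bot: as in the 19.3.0 copy, a `cert.crt` that holds only the leaf certificate makes this `sed` produce an empty `$INTERMEDIATE_CERT_LOCATION`, and nothing here catches that before `orapki` is called with it; a `grep -q -- '-----BEGIN CERTIFICATE-----'` on the extracted file with an explicit error on failure would surface the mistake. `0,/re/` is GNU-only and the braces are redundant, the fixed `/tmp/cert_temp.crt` name should come from `mktemp`, and `occurence` in the comment is misspelled.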
@@ -211,7 +221,7 @@ EOF
else
# creating pkcs12 file in case of custom certs
echo "Creating pkcs12 file"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATON}" -inkey "${CLIENT_KEY_LOCATON}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATION}" -inkey "${CLIENT_KEY_LOCATION}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"

# Adding custom pkcs12 file in database server wallet
echo "Importing pkcs12 file in server wallet"
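Review bot: rename looks correct. The `-password pass:"${PKCS12_PWD}"` form on this line exposes the PKCS#12 password through the process argument list (`ps`, `/proc/<pid>/cmdline`) while `openssl` runs; `-passout env:PKCS12_PWD` or `-passout file:` keeps it out of there. With the full chain now in `cert.crt`, `openssl pkcs12 -export` also picks up the extra certificates from the input file, so the `.p12` handed to the wallet import carries the chain.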
22 changes: 16 additions & 6 deletions OracleDatabase/SingleInstance/dockerfiles/23.2.0/configTcps.sh
@@ -39,9 +39,12 @@ EOF
# Removing cert from /tmp location
rm /tmp/"$(hostname)"-certificate.crt
else
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${CLIENT_CERT_LOCATON}" <<EOF
orapki wallet add -wallet "${CLIENT_WALLET_LOC}" -trusted_cert -cert "${INTERMEDIATE_CERT_LOCATION}" <<EOF
${WALLET_PWD}
EOF

# removing temp cert file
rm "${INTERMEDIATE_CERT_LOCATION}"
fi

# Generate tnsnames.ora and sqlnet.ora for the consumption by the client
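Review bot: same point as for the 19.3.0 and 21.3.0 copies of this script: `${INTERMEDIATE_CERT_LOCATION}` contains every certificate after the leaf, so whether the root lands in `${CLIENT_WALLET_LOC}` depends on `orapki wallet add -trusted_cert` reading more than the first PEM block; please verify that, and move the `rm` into an `EXIT` trap so a failed `orapki` call does not leave `/tmp/cert_temp.crt` behind.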
@@ -122,7 +125,6 @@ function disable_tcps() {
rm -rf "$WALLET_LOC" "$CLIENT_WALLET_LOC"
}


###########################################
################## MAIN ###################
###########################################
@@ -154,11 +156,19 @@ if [[ -z "${TCPS_CERTS_LOCATION}" ]]; then
CUSTOM_CERTS=false
else
CUSTOM_CERTS=true
# Client Cert location
CLIENT_CERT_LOCATON="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Client Cert location (from user)
CLIENT_CERT_LOCATION="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file

# Intermediate Cert location (Extracted from user provided chained certificate)
INTERMEDIATE_CERT_LOCATION="/tmp/cert_temp.crt" # certificate file

# Client key location
CLIENT_KEY_LOCATON="${TCPS_CERTS_LOCATION}"/client.key # client key
CLIENT_KEY_LOCATION="${TCPS_CERTS_LOCATION}"/client.key # client key

# Extracting intermediate certificate from user given chain certificate file
# Removing the first occurence of following pattern
sed '{0,/-END CERTIFICATE-/d}' "$CLIENT_CERT_LOCATION" > "$INTERMEDIATE_CERT_LOCATION"
fi

# Disable TCPS control flow
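Review bot: same as the other two copies of this script: the `sed` yields an empty extracted file when `cert.crt` has no chain, and that case should be detected and reported before `orapki` is invoked; prefer `sed '0,/-END CERTIFICATE-/d'` (GNU extension, braces redundant), take the temp path from `mktemp` instead of the fixed `/tmp/cert_temp.crt`, and fix `occurence` in the comment.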
@@ -211,7 +221,7 @@ EOF
else
# creating pkcs12 file in case of custom certs
echo "Creating pkcs12 file"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATON}" -inkey "${CLIENT_KEY_LOCATON}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"
openssl pkcs12 -export -in "${CLIENT_CERT_LOCATION}" -inkey "${CLIENT_KEY_LOCATION}" -out /tmp/"$(hostname)"-open.p12 -password pass:"${PKCS12_PWD}"

# Adding custom pkcs12 file in database server wallet
echo "Importing pkcs12 file in server wallet"
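Review bot: rename is consistent. Same remark as for the other copies: `-password pass:"${PKCS12_PWD}"` leaves the password visible in the `openssl` process's argument list; `-passout env:PKCS12_PWD` or `-passout file:` avoids that, and `openssl pkcs12 -export` already bundles the additional certificates it finds in `cert.crt`, so the chain reaches the wallet import without further changes.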