{"id":43,"date":"2012-06-21T12:47:00","date_gmt":"2012-06-21T10:47:00","guid":{"rendered":""},"modified":"2015-11-19T13:41:31","modified_gmt":"2015-11-19T12:41:31","slug":"using-ssl-client-certificates-for-authentication-in-utl_http","status":"publish","type":"post","link":"https:\/\/ilmarkerm.eu\/blog\/2012\/06\/using-ssl-client-certificates-for-authentication-in-utl_http\/","title":{"rendered":"Using SSL client certificates for authentication in UTL_HTTP"},"content":{"rendered":"<p>Starting from 11.2 it is possible to use SSL client certificates to authenticate yourself to a remote web service. I did not find much information on it using Google or the documentation, which is why I&#8217;m writing this post.<\/p>\n<p>Please refer to <a href=\"http:\/\/www.oracle-base.com\/articles\/misc\/utl_http-and-ssl.php\">this post by Tim Hall<\/a> to get started on connecting to an HTTPS service using UTL_HTTP; all of this is needed before continuing with SSL client certificate authentication.<\/p>\n<p>The first thing you need to do is generate a user certificate request inside the Oracle Wallet, have it signed by a CA and load the returned certificate back into the Wallet. 
I&#8217;m not going into very detailed steps here, but basically (using Oracle Wallet Manager, OWM):<\/p>\n<ol>\n<li>Open the wallet you created using Tim Hall&#8217;s post mentioned previously.<\/li>\n<li>Go to Operations > Add Certificate Request<\/li>\n<li>Fill in all the needed fields<\/li>\n<li>After the certificate request has been created, go to Operations > Export Certificate Request<\/li>\n<li>Send the request to a Certification Authority (one that the remote service trusts) for signing and wait for the reply (in the form of a signed certificate)<\/li>\n<li>Import the signed certificate into the wallet &#8211; go to Operations > Import User Certificate<\/li>\n<\/ol>\n<p>If you are using 11g OWM\/ORAPKI and, when importing the user certificate into the wallet, OWM displays an error or ORAPKI corrupts your wallet, you can just use the OWM\/ORAPKI programs from a 10gR2 database client. This is due to Bug 9395937: UNABLE TO IMPORT USER CERTIFICATE IN OWM 11.1, WORKS IN 10.2.<\/p>\n<p>The next thing is to add ACL privileges inside the database. The <a href=\"http:\/\/docs.oracle.com\/cd\/E11882_01\/appdev.112\/e25788\/u_http.htm#CEGDJBGI\">UTL_HTTP documentation<\/a> requires the use-client-certificates ACL privilege. For how to do that I&#8217;ll again refer to Tim Hall&#8217;s post <a href=\"http:\/\/www.oracle-base.com\/articles\/11g\/fine-grained-access-to-network-services-11gr1.php\">Fine-Grained Access to Network Services in Oracle Database 11g Release 1<\/a>. 
In the example below I already have the ACL all_access.xml and I&#8217;m granting the connect and use-client-certificates privileges to the CLTEST schema.<\/p>\n<pre>\nSQL> exec DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE('all_access.xml','CLTEST', true, 'connect');\n\nPL\/SQL procedure successfully completed.\n\nSQL> exec DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE('all_access.xml','CLTEST', true, 'use-client-certificates');\n\nPL\/SQL procedure successfully completed.\n<\/pre>\n<p>Now the step that is not mentioned in the UTL_HTTP documentation and that got me stuck for weeks until I opened an SR with Oracle Support. The network ACL also needs privileges on the Wallet file, assigned using <b>DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL<\/b>.<\/p>\n<pre>\nSQL> exec DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL('all_access.xml','file:\/path\/to\/oracle\/wallet');\n\nPL\/SQL procedure successfully completed.\n<\/pre>\n<p>After the privileges have been assigned, you can use UTL_HTTP to query the remote web service like you do with a normal HTTPS connection. If the remote web service requests that the client authenticate using a certificate, UTL_HTTP handles it automatically in the background and uses the user certificate located in the wallet. For example:<\/p>\n<pre>\nSQL> SELECT utl_http.request('https:\/\/secure.service.com\/status', '', 'file:\/\/path\/to\/oracle\/wallet', 'WalletPassword') FROM dual;\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Starting from 11.2 it is possible to use SSL client certificates to authenticate yourself to a remote web service. I did not find much information on it using Google or the documentation, which is why I&#8217;m writing this post. 
Please refer to this post by Tim Hall to get started on connecting to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[4,13],"class_list":["post-43","post","type-post","status-publish","format-standard","hentry","category-blog-entry","tag-oracle","tag-plsql"],"_links":{"self":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/43","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/comments?post=43"}],"version-history":[{"count":2,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/43\/revisions"}],"predecessor-version":[{"id":174,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/43\/revisions\/174"}],"wp:attachment":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/media?parent=43"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/categories?post=43"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/tags?post=43"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}