Using utl_http & wallets on 12c: certificate validation failure
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must do so under the same CC BY-SA license, cite the original address, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/19380116/
Asked by Tony Reed
Hope someone can spot what I'm doing wrong as I'm going bald from this.
I have used utl_http & wallets to call https on 11gR1 without much trouble, but our new 12c installation is causing me a lot of grief.
I have tried importing the trusted certificate using both oracle wallet manager, and command line, without any success. I know that oracle can be picky as to caching the wallet, so I have tried multiple new sessions without any luck.
I have downloaded the three necessary certificates for *.presstogo.com, Geotrust SSL CA & Geotrust Global CA.
The command-line version of my building the wallet is as follows:
orapki wallet create -wallet /oracle/product/12.0.1/owm/wallets/test1237 -pwd test=1237 -auto_login
orapki wallet add -wallet /oracle/product/12.0.1/owm/wallets/test1237 -trusted_cert -cert "*.presstogo.com" -pwd test=1237
orapki wallet add -wallet /oracle/product/12.0.1/owm/wallets/test1237 -trusted_cert -cert "GeoTrust SSL CA" -pwd test=1237
orapki wallet add -wallet /oracle/product/12.0.1/owm/wallets/test1237 -trusted_cert -cert "Geotrust Global CA" -pwd test=1237
orapki wallet display -wallet /oracle/product/12.0.1/owm/wallets/test1237
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: CN=GeoTrust SSL CA,O=GeoTrust\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
Subject: CN=*.presstogo.com,OU=IT,O=Press to go AS,L=Oslo,ST=Norway,C=NO,SERIAL_NUM=SJYpOHrRdCDHE8KZ6dRFGMJthOjs7-v3
Ok, let's test this. Log in to sqlplus and run the following:
declare
lo_req utl_http.req;
lo_resp utl_http.resp;
begin
utl_http.set_detailed_excp_support ( true );
utl_http.set_wallet ( 'file:/oracle/product/12.0.1/owm/wallets/test1237', 'test=1237');
lo_req := utl_http.begin_request ( 'https://production.presstogo.com/mars/hello' );
lo_resp := utl_http.get_response ( lo_req );
-- A successful request would have the status code "200".
dbms_output.put_line ( lo_resp.status_code );
utl_http.end_response ( lo_resp );
exception
when others then
utl_http.end_response ( lo_resp );
raise;
end;
/
DECLARE
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-29024: Certificate validation failure
ORA-06512: at line 6
For the record, It is worth noting that the following does work:
declare
lo_req utl_http.req;
lo_resp utl_http.resp;
begin
utl_http.set_wallet ( 'file:/oracle/product/12.0.1/owm/wallets/test1237', 'test=1237');
lo_req := utl_http.begin_request ( 'https://www.google.be' );
lo_resp := utl_http.get_response ( lo_req );
dbms_output.put_line ( lo_resp.status_code );
utl_http.end_response ( lo_resp );
end;
/
Help me Obi-Wan, you're my only hope.
Answered by Tony Reed
Answering my own question for the benefit of others.
According to Oracle Support only the certificate chain should be imported, not the end site certificate. In the example I used above, only import the following certificates into the wallet:
Geotrust SSL CA
& Geotrust Global CA
Do not import the *.presstogo.com certificate.
To quote Oracle support:
The reason that the select is failing in 12c is that 12c does not want to see the user cert in the wallet as a trusted cert.
This was apparently not an issue in previous versions but removing that cert from the wallet fixed the issue here.
This contradicts all information I have found online regarding the use of utl_http to connect to Https sites, and confused the hell out of me.
Hopefully this will help others in my situation.
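The fix in the answer is a wallet-building rule: import the CA chain, leave the end-entity (server) certificate out. The script below is an added example, not code from the question, the answer or Oracle; it splits a PEM bundle (a saved chain, or the raw output of "openssl s_client -showcerts") into single certificates, classifies each one as CA or end-entity, and prints the orapki commands that import only the chain into the wallet path used in the question. It assumes openssl is on PATH; the Example Root CA, Example Issuing CA and www.example.test names in make_test_chain are constructed test data, not real certificates, and orapki itself is only printed, not executed, because it lives on the database host.

```shell
#!/bin/sh
# Added example (not from the original post): keep only the CA chain of a PEM
# bundle and emit the orapki commands that import it, so the end-entity
# certificate never lands in the wallet as a "trusted" certificate.
# Assumptions: openssl on PATH; WALLET/WALLET_PWD are the values from the
# question; make_test_chain builds constructed test certificates.
set -e

WALLET=/oracle/product/12.0.1/owm/wallets/test1237
WALLET_PWD='test=1237'

# split_bundle BUNDLE OUTDIR: one file per certificate, cert-1.pem, cert-2.pem, ...
# Lines outside BEGIN/END CERTIFICATE (e.g. s_client chatter) are dropped.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
  ' "$1"
}

# cert_role FILE: prints "ca" or "leaf". A certificate belongs in the wallet
# when it asserts basicConstraints CA:TRUE or is self-signed (a root CA that
# predates basicConstraints); anything else is an end-entity certificate.
cert_role() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo ca
  elif [ "$subj" = "$iss" ]; then
    echo ca
  else
    echo leaf
  fi
}

# chain_only BUNDLE OUTDIR: splits BUNDLE into OUTDIR and prints the paths of
# the CA certificates only, one per line; the server certificate is skipped.
chain_only() {
  split_bundle "$1" "$2"
  for f in "$2"/cert-*.pem; do
    if [ "$(cert_role "$f")" = ca ]; then echo "$f"; fi
  done
}

# orapki_import_commands BUNDLE OUTDIR WALLET PWD: prints the orapki commands
# that create the wallet and add only the chain as trusted certificates.
orapki_import_commands() {
  echo "orapki wallet create -wallet $3 -pwd $4 -auto_login"
  chain_only "$1" "$2" | while read -r f; do
    echo "orapki wallet add -wallet $3 -trusted_cert -cert $f -pwd $4"
  done
}

# make_test_chain OUTDIR: constructed test data. Builds root CA -> issuing CA
# -> server certificate and writes them server-first to OUTDIR/bundle.pem,
# the order a TLS server sends them and s_client prints them.
make_test_chain() {
  d=$1
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root CA' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" > "$d/bundle.pem"
}

# Demonstration on the constructed chain: two "orapki wallet add" lines are
# printed (issuing CA and root), and www.example.test is left out.
work=$(mktemp -d)
make_test_chain "$work"
orapki_import_commands "$work/bundle.pem" "$work/chain" "$WALLET" "$WALLET_PWD"
rm -rf "$work"
```

To use it against a real site, save the output of "openssl s_client -showcerts -connect host:443 </dev/null" to a file and pass that file as BUNDLE; the splitter ignores the non-PEM lines. After running the printed orapki commands, "orapki wallet display -wallet ..." should list only CA subjects under Trusted Certificates; if the server's own CN (here *.presstogo.com) appears there, the wallet still contains the certificate that 12c rejects.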