SSL with Oracle
Ok, so we all know there’s The Oracle Way and The Wrong Way (at least according to Oracle DBAs who aren’t me). Well, today I had to renew the SSL cert for an iAS installation. This isn’t something that would make me think twice – I’ve been dealing with SSL setups since 1996, or thereabouts, and iAS is just the 1.3 branch of Apache with a couple of directives overridden. So nothing to worry about.
Ah. Except it doesn’t use an SSL key or certificate in any way you’d consider normal. Instead, it uses a wallet. Stored on the server. Managed from a Java GUI. On a headless machine which doesn’t have a graphics board and lives 400 miles from me (hence headless).
So, I guess the preferred practice is to copy the wallet locally and work with it there, but that’s just plain silly – I have no desire to clutter up my machine with 4 gig of Oracle client crap when I have SQLplus on the server. So – two ssh tunnels and a bit of X forwarding later and I have Oracle Wallet Manager running on my MacBook.
There’s the expired certificate – I’ll export it to the filesystem to get a backup of it. Ok, now I’ll export the CSR and just use it to request a new cert. Off to the vendor, hand over a couple of hundred quid and BINGO! Nice shiny new certificate.
Right – I’ll remove the old one…done. Import the new one. Invalid. Hmmm. Does a double check. Import as Trusted Cert (just for elimination). Works fine. Hrm – is it self signing? No idea. I’ll just reload the old cert for now while I work it out. Read in the old cert and……what? It’s turned into a new one? Is there some kind of autosigning happening somewhere?
I am Jack’s sense of complete bewilderment.