Monday, December 15, 2008

Enabling SSL for Oracle HTTP Server

Enabling SSL for the HTTP server is a relative simple task, and the essential steps are described next.

1) Edit the "opmn.xml" file
(don't forget to make a backup copy). You can edit this file via the OEM or manually (via shell).
Access the Oracle Entreprise Manager (http://your_server:1810) and at the bottom of the page, click the link that reads "Process Management".
In the "opmn.xml" file, change the value for the "HTTP_Server" "start-mode" to "ssl-enabled" and click Apply.

2)Edit the "ssl.conf" file.
This file is accessible via the OEM on the HTTP_Server > Administration > Advanced Server Properties > ssl.conf

Just above the closing tag, enter the following directives:

RewriteEngine on

RewriteOptions inherit

In this same file find the line that reads "#SSLVerifyClient require", and uncomment it (delete the "#").

Finally change the "SSLWallet file" value to $ORACLE_HOME/oca/wallet/ssl and click the Apply button after finishing your edit.

3) Reset the OCA SSL Wallet password.

Run the following command on the linux shell:

$ORACLE_HOME/oca/bin/./ocactl setpasswd -type CASSL

Enter the OCA administrators password.

Enter the new wallet password.

Confirm the new wallet password.

4) Edit the Wallet.

Now that you have the wallet's password open it using the Oracle Wallet Manager and insert as a trusted certificate the CA certificate you created.

5) Import your user certificate to Firefox/IE.
You can now access your website through a secure channel and using user authentication via digital certificate.


Note: this post assumes that you have successfully create a CA certificate and a user certificate signed by the CA. I recommend using OpenSSL. In the next few days I'll post on OpenSSL focusing on this issue. Feedback is more than welcomed!

Sunday, December 7, 2008

FTP and SFTP on the Database...

When designing your application with an Oracle database, you may find more productive to trigger FTP jobs from inside the database itself.

If you rely on simple FTP protocol, you can use two main approaches:
  1. Build a Java procedure to run shell scripts (with a PL/SQL wrapper), like the one available here, and invoke a third party FTP software. This option has the advantage of less code to manage, but of course, you will have to depend on third party software, which depending on your application's context may be an unwanted feature.
  2. Develop a pure PL/SQL package to send and receive files. Using the UTL_TCP and UTL_FILE packages, you can easily implemente a FTP API. Even easier is using an already implemented API, like the one available on Oracle-Base and the XUTL_FTP package. You may find more examples throughout the Oracle Bloggers or on the OTN network.
Now, if your application is evolving, and you now wish to use SFTP directly from the database, the PL/SQL native packages don't allow you to implemente a SFTP API, like the FTP APIs shown above.

First of all, do not confuse SFTP with FTPS. SFTP is based on the SSH protocol, and is called SFTP simply merely to "marketing techniques" by the SSH group. FTPS is the secure version of the original FTP protocol.

In my case I was called to implement a SFTP API for the database. Well, the lack of PL/SQL infrastructure to do so I turned to JAVA! Using the ChannelSFTP class of the JSch package, I easily implemented a simple API to send and receive files via SFTP.
Finally with the .jar deploy I loaded my package to the Oracle database (after loading the JSch jar and the Jzlib jar) and build the PL/SQL wrappers.

The first battery of tests demonstrated: success! SFTP from the database!
In conclusion, Oracle's architecture allows multiple solutions to a problem, and with Java there's always a way out!
If you want the code for the Java SFTP API or/and PL/SQL wrappers fell free to email me.

Using the UTL_DBWS Package

In my previous post, I mentioned the UTL_DBWS package, that provides a ready to use method to consume web services from the database itself, using pure PL/SQL.

Although you only need PL/SQL to consume, the package itself is based on a couple of java classes.

If you’re using a 10.1 or 10.2 database, the PL/SQL code is already installed, but the Java package isn’t! This will cause an error when using the package to establish a connection to the web services, complaying that a particular Java class does not exist

To correct this, get the dbws callout utility. You can download it here.

Then, apply it to the database using the following commands:

loadjava -u user/userpass -r -v -f -s -grant public -noverify -genmissing dbwsa.jar

loadjava -u user/userpass -r -v -f -s -grant public -noverify -genmissing dbwsclient.jar

After this, the PL/SQL package should now function correctly.

Here are a couple of web services to test your code, if do not have any one available:

Consuming Web Services using PL/SQL

For the last couple of days..I’ve been studying how to consume web services within the Oracle database using PL/SQL..

A quick glance at my personal library (Google!)…led me to conclude that there are two major ways to do this:

In my particular case I’m building my own API, solely because I couldn’t consume the desired web service via HTTPS.

I lost a lot of time searching how to consume a web service over HTTPS using the UTL_DBWS package, with little success, and frustrated I decided to go with the first solution.

Using the UTL_HTTP package with a Oracle Wallet, I successfully consumed web service over HTTPS with little effort. This was achieved using the following procedure, before the HTTP request:

utl_http.SET_WALLET(your_wallet_path, your_wallet_pass);

Pretty simple and straight forward…

I’ll post more related code tomorrow from my PC at work..

Meanwhile I started working on FTP and SFTP (not confuse with FTPS) from the database, which I’ll post some examples in the next days!

Any doubts or feedback be sure to comment or send me an e-mail!

Starting....

Hi there…

For the last few months, I’ve working as ORACLE developer and doing some DBA related tasks….

Since I’ve come across some interesting issues…often not exposed on the web as they should…simply not concise enough…or perhaps to serve as reference to future developers…since I have found personal blogs about Oracle to be very useful…

So…I’m gonna start my own blog…to keep as a referrence to myself…and hopefully to help others…