Search

Total Pageviews

Categories

Linux (8) Windows (5) Container (4) Development (4) Database (3) Docker (3) Mac OS (3) QuickStart (3) Ubuntu (3) AWS (1) Fedora (1) FreeBSD (1) Git (1) Java (1) MyBatis (1) Oracle Linux (1) Spring Boot (1) Unix (1) VMware (1) Virtualization (1) kdevtmpfsi (1) kinsing (1)

Featured Post

Your container's CPU usage is more than 100%, "kdevtmpfsi" the cryptomining malware is running | So how to resolve

How to resolve when "kdevtmpfsi" the crypto-mining malware is running and taking all CPU load of your server (container). One d...

Showing posts with label Container. Show all posts
Showing posts with label Container. Show all posts

Wednesday, May 6, 2020

Your container's CPU usage is more than 100%, "kdevtmpfsi" the cryptomining malware is running | So how to resolve

How to resolve when "kdevtmpfsi" the crypto-mining malware is running and taking all CPU load of your server (container).


One day your server (container) running with CPU load so high, more than 100% then you check the processes with "top" command and short by CPU load with shortcut keys "Shift + p", it looks like below:


So, I'm sorry your server is infected the crypto-mining malware that named "kdevtmpfsi", similar "kdevtmpfs" a system Linux process.

I will list some links about the malware, the cause, and it's propagating mechanism end of this post.

Now I go to the detail steps to resolve this issue in my server,  I'm using Amazon Linux 2 AMI.

Step 1: As you can see in the image above, the process is running by the root user, so I need to check the root's cronjob.


As you can see, this cronjob will download script unk.sh from the hacker's server 195.3.146.118 and execute it in your server. So you need to remove the cronjob by the following command.

sudo crontab -u root -r

You should re-check to make sure the cronjob is already removed.

Step 2: Find path to 2 scripts "kdevtmpfsi" and "kinsing" with commands:

sudo find / -name kdevtmpfsi
sudo find / -name kinsing

You will get the results like the paths: "/tmp/kdevtmpfsi" and "/var/tmp/kinsing", so please remove all access permissions to the files.

sudo chmod 000 /tmp/kdevtmpfsi
sudo chmod 000 /var/tmp/kinsing

Note: remove access permissions to the files, not remove the files because they can self-propagate again via "kinsing" daemon.

Step 3: Kill process "kdevtmpfsi" first, you can check the process id from the "top" command above.

sudo kill -9 14867

Step 4: Now check with "top" command you can see process "kinsing" is running, its trying to re-initialize "kdevtmpfsi" process, check it's process id or with command "sudo netstat -lnp | grep kinsing" then kill it.

sudo kill -9 32222

Note: if you not yet kill process "kdevtmpfsi" you can not see process "kinsing".

Step 5: Come back with "top" command and make sure the both processes are not running anymore. If they still running, so kill again with order: "kdevtmpfsi" first, then "kinsing" second, and wait for moments about 5 - 10 minutes to make sure they have not come back. Ok, now you can delete for both scripts "/tmp/kdevtmpfsi" and "/var/tmp/kinsing".

sudo rm -rf  /tmp/kdevtmpfsi
sudo rm -rf /var/tmp/kinsing

Ok, with these steps I already resolve the issue with "kdevtmpfsi" the cryptomining malware running in my server, Amazon Linux 2 AMI. Hope that these steps helpful for you.

Here are links about malware "kdevtmpfsi": the cause, and it's propagating mechanism:




Posted by at 2 comments:
Labels: , , , , ,

Sunday, November 24, 2019

QuickStart: The fastest and easiest way to run an Local SMTP Server for testing or development.

Run Local SMTP Server on your development environment.

Your code needs to run the test cases with send email from SMTP server but you have no SMTP Mail Server on your local and you get the error below:


> :bootRun
org.springframework.mail.MailSendException: Mail server connection failed; nested exception is com.sun.mail.util.MailConnectException: Couldn't connect to host, port: localhost, 25; timeout -1;
  nested exception is:
        java.net.ConnectException: Connection refused (Connection refused). Failed messages: com.sun.mail.util.MailConnectException: Couldn't connect to host, port: localhost, 25; timeout -1;
  nested exception is:
        java.net.ConnectException: Connection refused (Connection refused)
        at org.springframework.mail.javamail.JavaMailSenderImpl.doSend(JavaMailSenderImpl.java:448)
        at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:361)
        at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:356)


Option 1: Via Docker

- Install Docker If you not yet.
- Register a Docker ID https://hub.docker.com/ if you don't have.
- Login Docker Hub.
- Skip this step if Docker already installed on your Mac/PC and you already logged in Docker Hub.







Pull and run djfarrelly/maildev Image from Docker Hub.

- Search for "djfarrelly/maildev" in Docker Hub and Checkout the document for more details.



- Run the command below to starting a Local SMTP Mail Server Instance as a Docker container named "MailDev" and mapping port 25(SMTP) and 80(Web) from the container to port 25 and 1080 on your Docker host (your PC/Mac). This will take you a few minutes to download the image and Starting the container.

docker run -d -it --name MailDev -p 1080:80 -p 25:25  djfarrelly/maildev




- Now re-run your test cases again:

2019-11-23 23:26:43.499 DEBUG 7573 --- [sbrgprjs-task-1] me.koacervate.aop.logging.LoggingAspect  : Enter: me.koacervate.service.MailService.sendCreationEmail() with argument[s] = [User{login='koacervate', firstName='Khue', lastName='Duke', email='koacervate@googlemail.com', imageUrl='null', activated='true', langKey='en', activationKey='null'}]
2019-11-23 23:26:43.500 DEBUG 7573 --- [sbrgprjs-task-1] me.koacervate.service.MailService        : Sending creation email to 'koacervate@googlemail.com'
2019-11-23 23:26:43.526 DEBUG 7573 --- [sbrgprjs-task-1] me.koacervate.service.MailService        : Send email[multipart 'false' and html 'true'] to 'koacervate@googlemail.com' with subject 'jsbrgprjs account activation' and content=<!DOCTYPE html>
<html lang="en">
    <head>
        <title>jsbrgprjs account activation</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <link rel="shortcut icon" href="http://127.0.0.1:8080/favicon.ico" />
    </head>
    <body>
        <p>Dear koacervate</p>
        <p>Your jsbrgprjs account has been created, please click on the URL below to access it:</p>
        <p>
            <a href="http://127.0.0.1:8080/account/reset/finish?key=RCTVtLkilrCdawcCDYKf">http://127.0.0.1:8080/account/reset/finish?key=RCTVtLkilrCdawcCDYKf</a>
        </p>
        <p>
            <span>Regards,</span>
            <br/>
            <em>jsbrgprjs Team.</em>
        </p>
    </body>
</html>

2019-11-23 23:26:44.073 DEBUG 7573 --- [sbrgprjs-task-1] me.koacervate.service.MailService        : Sent email to User 'koacervate@googlemail.com'

2019-11-23 23:26:44.073 DEBUG 7573 --- [sbrgprjs-task-1] me.koacervate.aop.logging.LoggingAspect  : Exit: me.koacervate.service.MailService.sendCreationEmail() with result = null

- You can see the sent email in Web UI http://localhost:1080/#/email/JevGMzCd


Option 2: Via install maildev node package as below:

$ npm install -g maildev
$ maildev
with options as below:

Usage

maildev [options]

  -h, --help                      output usage information
  -V, --version                   output the version number
  -s, --smtp <port>               SMTP port to catch emails [1025]
  -w, --web <port>                Port to run the Web GUI [1080]
  --ip <ip address>               IP Address to bind SMTP service to
  --outgoing-host <host>          SMTP host for outgoing emails
  --outgoing-port <port>          SMTP port for outgoing emails
  --outgoing-user <user>          SMTP user for outgoing emails
  --outgoing-pass <password>      SMTP password for outgoing emails
  --outgoing-secure               Use SMTP SSL for outgoing emails
  --auto-relay [email]            Use auto-relay mode. Optional relay email address
  --auto-relay-rules <file>       Filter rules for auto relay mode
  --incoming-user <user>          SMTP user for incoming emails
  --incoming-pass <pass>          SMTP password for incoming emails
  --web-ip <ip address>           IP Address to bind HTTP service to, defaults to --ip
  --web-user <user>               HTTP user for GUI
  --web-pass <password>           HTTP password for GUI
  --base-pathname <path>          base path for URLs
  --disable-web                   Disable the use of the web interface. Useful for unit testing
  --hide-extensions <extensions>  Comma separated list of SMTP extensions to NOT advertise
                                  (STARTTLS, SMTPUTF8, PIPELINING, 8BITMIME)
  -o, --open                      Open the Web GUI after startup
  -v, --verbose
  --silent
Please refer to documents at https://hub.docker.com/r/djfarrelly/maildev/ for more details.

Option 3: Integrate via API or SMTP with https://sendgrid.com/

You can register a free account for testing and choose to integrate via API or SMTP then follow the instructions in the website you will have all necessary information to send emails with your code.

  mail:
    host: smtp.sendgrid.net
    port: 465
    username: apikey
    password: SG.t2L6qpv3TjmvgcasoksVbg.DRsZrTwq3LmApU1uaQ6mjv-koafl0NaSzogCW6X9***
    properties:
      mail:
        smtp:
          auth: true
          starttls:
            enable: true


References:
- https://docs.docker.com
https://hub.docker.com/r/djfarrelly/maildev/
https://github.com/maildev/maildev

QuickStart: The fastest and easiest way to run an Instance of Oracle Database on Mac OS.
Posted by at No comments:
Labels: , , , , ,

Wednesday, July 31, 2019

QuickStart: How to connect to Oracle Database through TCPS (TCP/IP with SSL and TLS / Certificates) connection instead of TCP from Mac host to Oracle Database container.

Connect from your Mac to an Oracle Database container through TCPS (TCP/IP with SSL and TLS / Certificates) connection instead of TCP.

QuickStart: The fastest and easiest way to run an Instance of Oracle Database on Mac OS

In my previous post, I got some questions about how to connect to Oracle Database container through TCPS instead of TCP? So please follow the below steps for the questions:

In the previous post, we already have a docker container of Oracle Database Enterprise Edition Image running on our Mac, if you are not yet, please read the previous post first.

1) Download Oracle Instance Client for Mac includes Basic Package and SQL*Plus Package.

You should need a free Oracle account to download these package:

instantclient-basic-macos.x64-18.1.0.0.0.zip

instantclient-sqlplus-macos.x64-18.1.0.0.0.zip

Extract to one folder in your Mac.
After download and extract to a folder it should look like below:

Dos-Mac:instantclient_18_1 koacervate$ ll
total 480744
-rw-r--r--@ 1 koacervate  staff 1354 Feb 3 00:42 BASIC_README
-rw-rw-rw-@ 1 koacervate  staff 1358 Feb 3 00:42 SQLPLUS_README
-rwxr-xr-x@ 1 koacervate  staff 9888 Feb 3 00:42 adrci
drwxr-xr-x  7 koacervate  staff 224 Jul 30 23:28 client_wallet
drwxr-xr-x  7 koacervate  staff 224 Jul 27 23:23 client_wallet_backup
drwxr-xr-x  6 koacervate  staff 192 Jul 27 21:17 client_wallet_bk
-rwxr-xr-x@ 1 koacervate  staff 40448 Feb 3 00:42 genezi
-r-xr-xr-x@ 1 koacervate  staff 342 Apr 24 2015 glogin.sql
lrwxr-xr-x@ 1 koacervate  staff 20 Jul 24 21:36 libclntsh.dylib -> libclntsh.dylib.18.1
-r-xr-xr-x@ 1 koacervate  staff 94966232 Oct 30 2018 libclntsh.dylib.18.1
-r-xr-xr-x@ 1 koacervate  staff 4786360 Oct 30 2018 libclntshcore.dylib.18.1
-r-xr-xr-x@ 1 koacervate  staff 8554544 Oct 14 2018 libnnz18.dylib
lrwxr-xr-x@ 1 koacervate  staff 18 Jul 24 21:36 libocci.dylib -> libocci.dylib.18.1
-r-xr-xr-x@ 1 koacervate  staff 1593632 Oct 30 2018 libocci.dylib.18.1
-rwxr-xr-x@ 1 koacervate  staff 126944172 Feb 3 00:41 libociei.dylib
-r-xr-xr-x@ 1 koacervate  staff 151980 Oct 29 2018 libocijdbc18.dylib
-r-xr-xr-x@ 1 koacervate  staff 247244 Oct 8 2018 libons.dylib
-r-xr-xr-x@ 1 koacervate  staff 100492 Oct 30 2018 liboramysql18.dylib
-rwxrwxrwx@ 1 koacervate  staff 1277332 Feb 3 00:40 libsqlplus.dylib
-r-xr-xr-x@ 1 koacervate  staff 1655772 Oct 30 2018 libsqlplusic.dylib
drwxr-xr-x  3 koacervate  staff 96 Jul 27 22:02 log
drwxr-xr-x@ 5 koacervate  staff 160 Jul 30 23:34 network
-r-xr-xr-x@ 1 koacervate  staff 4161484 Dec 6 2017 ojdbc8.jar
drwxr-xr-x  7 koacervate  staff 224 Jul 27 23:22 server_wallet
-rwxr-xr-x@ 1 koacervate  staff 8528 Feb 3 00:42 sqlplus
-r-xr-xr-x@ 1 koacervate  staff 1366460 Dec 6 2017 ucp.jar
-rwxr-xr-x@ 1 koacervate  staff 150080 Feb 3 00:42 uidrvci

-rw-r--r--@ 1 koacervate  staff 74263 Feb 7 2018 xstreams.jar

2) Generate wallets (certificates) for both client-side (your Mac host) and server-side (your Oracle Database container).

You need to access to your Oracle Database container and use "orapki" tool generate wallets:

Dos-Mac:~ koacervate$ docker exec -it oracle-db /bin/bash
[oracle@0ef8c79a8c4b /]$

Create a folder to store server and create a new auto-login wallet for server-side:


[oracle@0ef8c79a8c4b /]$ mkdir -p /u01/app/oracle/product/12.2.0/dbhome_1/server_wallet
[oracle@0ef8c79a8c4b /]$ orapki wallet create -wallet /u01/app/oracle/product/12.2.0/dbhome_1/server_wallet -auto_login -pwd WalletPassword1
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[oracle@0ef8c79a8c4b /]$ orapki wallet add -wallet /u01/app/oracle/product/12.2.0/dbhome_1/server_wallet -dn "CN=`hostname`" -keysize 1024 -self_signed -validity 3650 -sign_alg sha256 -pwd WalletPassword1
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[oracle@0ef8c79a8c4b /]$ orapki wallet display -wallet /u01/app/oracle/product/12.2.0/dbhome_1/server_wallet
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=0ef8c79a8c4b
Trusted Certificates: 
Subject:        CN=0ef8c79a8c4b
[oracle@0ef8c79a8c4b /]$ orapki wallet export -wallet /u01/app/oracle/product/12.2.0/dbhome_1/server_wallet -dn "CN=`hostname`" -cert /u01/app/oracle/product/12.2.0/dbhome_1/server_wallet/`hostname`_server.cert
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[oracle@0ef8c79a8c4b /]$ ll /u01/app/oracle/product/12.2.0/dbhome_1/server_wallet
total 12
-rw------- 1 oracle oinstall  643 Jul 30 15:39 0ef8c79a8c4b_server.cert
-rw------- 1 oracle oinstall 2477 Jul 30 15:36 cwallet.sso
-rw------- 1 oracle oinstall    0 Jul 30 15:34 cwallet.sso.lck
-rw------- 1 oracle oinstall 2432 Jul 30 15:36 ewallet.p12
-rw------- 1 oracle oinstall    0 Jul 30 15:34 ewallet.p12.lck


Create a folder to store and create a new auto-login wallet for client-side:

[oracle@0ef8c79a8c4b /]$ mkdir /u01/app/oracle/product/12.2.0/dbhome_1/client_wallet
[oracle@0ef8c79a8c4b /]$ orapki wallet create -wallet /u01/app/oracle/product/12.2.0/dbhome_1/client_wallet -auto_login -pwd WalletPassword1
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[oracle@0ef8c79a8c4b /]$ orapki wallet add -wallet /u01/app/oracle/product/12.2.0/dbhome_1/client_wallet -dn "CN=koacervate" -keysize 1024 -self_signed -validity 3650 -sign_alg sha256 -pwd WalletPassword1
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[oracle@0ef8c79a8c4b /]$ orapki wallet display -wallet /u01/app/oracle/product/12.2.0/dbhome_1/client_wallet
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=koacervate
Trusted Certificates: 
Subject:        CN=koacervate
[oracle@0ef8c79a8c4b /]$ orapki wallet export -wallet /u01/app/oracle/product/12.2.0/dbhome_1/client_wallet -dn "CN=koacervate" -cert /u01/app/oracle/product/12.2.0/dbhome_1/client_wallet/koacervate_client.cert
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[oracle@0ef8c79a8c4b /]$ ll /u01/app/oracle/product/12.2.0/dbhome_1/client_wallet
total 12
-rw------- 1 oracle oinstall 2461 Jul 30 16:13 cwallet.sso
-rw------- 1 oracle oinstall    0 Jul 30 16:12 cwallet.sso.lck
-rw------- 1 oracle oinstall 2416 Jul 30 16:13 ewallet.p12
-rw------- 1 oracle oinstall    0 Jul 30 16:12 ewallet.p12.lck
-rw------- 1 oracle oinstall  634 Jul 30 16:15 koacervate_client.cert


Exchange the certificates between client and server-side:

orapki wallet add -wallet /u01/app/oracle/product/12.2.0/dbhome_1/client_wallet -trusted_cert -cert /u01/app/oracle/product/12.2.0/dbhome_1/server_wallet/0ef8c79a8c4b_server.cert -sign_alg sha256 -pwd WalletPassword1
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

[oracle@0ef8c79a8c4b /]$ orapki wallet add -wallet /u01/app/oracle/product/12.2.0/dbhome_1/server_wallet -trusted_cert -cert /u01/app/oracle/product/12.2.0/dbhome_1/client_wallet/koacervate_client.cert -sign_alg sha256 -pwd WalletPassword1
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


Show the certificates after exchange to verify:

[oracle@0ef8c79a8c4b /]$ orapki wallet display -wallet /u01/app/oracle/product/12.2.0/dbhome_1/client_wallet
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=koacervate
Trusted Certificates: 
Subject:        CN=0ef8c79a8c4b
Subject:        CN=koacervate

[oracle@0ef8c79a8c4b /]$ orapki wallet display -wallet /u01/app/oracle/product/12.2.0/dbhome_1/server_wallet
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=0ef8c79a8c4b
Trusted Certificates: 
Subject:        CN=0ef8c79a8c4b
Subject:        CN=koacervate


3) Configure listener.ora, sqlnet.ora, tnsnames.ora in Oracle Database container (server-side). 

Note: In the previous post, we mapped only port 1521/1521 from Oracle Database container to Mac host. But in this post, I want to support both TCP/1521 and TCPS/1525 so I added port 1525/1525 to "ExposedPorts" and "NetworkSettings", I will cover this in another post. And if you want to support both TCP/1521 and TCPS/1525 you can try with a new Oracle Database container with this command:

Dos-Mac:instantclient_18_1 koacervate$ docker run -d -it --name oracle-db -p 1521:1521/tcp -p 1525:1525/tcp -p 5500:5500/tcp  store/oracle/database-enterprise:12.2.0.1

0ef8c79a8c4b30fca3dda74cec5bd91cf03e01518be8d43a4bc241cdd1fbbc41


The original of those files in the container look like as below:

[oracle@0ef8c79a8c4b /]$ cat /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB_backup/listener.ora
LISTENER =   (DESCRIPTION_LIST =     (DESCRIPTION =       (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))       (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))     )   ) 
DIAG_ADR_ENABLED = off
SSL_VERSION = 1.0
[oracle@0ef8c79a8c4b /]$ cat /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB_backup/sqlnet.ora  
NAME.DIRECTORY_PATH= {TNSNAMES, EZCONNECT, HOSTNAME}
SQLNET.EXPIRE_TIME = 10
SSL_VERSION = 1.0
[oracle@0ef8c79a8c4b /]$ cat /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB_backup/tnsnames.ora 
ORCLCDB =   (DESCRIPTION =     (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))     (CONNECT_DATA =       (SERVER = DEDICATED)       (SERVICE_NAME = ORCLCDB.localdomain)     )   ) 
ORCLPDB1 =   (DESCRIPTION =     (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))     (CONNECT_DATA =       (SERVER = DEDICATED)       (SERVICE_NAME = ORCLPDB1.localdomain)     )   ) 

[oracle@0ef8c79a8c4b /]$

and will be modified as below:

[oracle@0ef8c79a8c4b /]$ cat /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/listener.ora
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/12.2.0/dbhome_1/server_wallet)))
LISTENER =
 (DESCRIPTION_LIST =
  (DESCRIPTION =
   (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
  )
  (DESCRIPTION =
   (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 1525))
  )
  (DESCRIPTION =
   (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
  )
 )
ADR_BASE_LISTENER = /u01/app/oracle/product/12.2.0/dbhome_1/log
DIAG_ADR_ENABLED = off
SSL_VERSION = 1.0
[oracle@0ef8c79a8c4b /]$ cat /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/sqlnet.ora  
SQLNET.AUTHENTICATION_SERVICES = (NTS)
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/12.2.0/dbhome_1/server_wallet)))
SSL_CLIENT_AUTHENTICATION=TRUE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SECURE_REGISTER_LISTENER = (IPC)
NAME.DIRECTORY_PATH= {TNSNAMES, EZCONNECT, HOSTNAME}
SQLNET.EXPIRE_TIME = 10
SSL_VERSION = 1.0
[oracle@0ef8c79a8c4b /]$ cat /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/tnsnames.ora 
ORCLCDB =   (DESCRIPTION =     (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))     (CONNECT_DATA =       (SERVER = DEDICATED)       (SERVICE_NAME = ORCLCDB.localdomain)     )   ) 
ORCLCDB_SSL =
 (DESCRIPTION =
  (ADDRESS_LIST =
   (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 1525))
 )
 (CONNECT_DATA =
  (SERVICE_NAME = ORCLCDB.localdomain)))
ORCLPDB1 =   (DESCRIPTION =     (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))     (CONNECT_DATA =       (SERVER = DEDICATED)       (SERVICE_NAME = ORCLPDB1.localdomain)     )   ) 



Now we need to restart lsnrctl service to load the changed above.

[oracle@0ef8c79a8c4b /]$ lsnrctl stop

LSNRCTL for Linux: Version 12.2.0.1.0 - Production on 30-JUL-2019 17:02:56

Copyright (c) 1991, 2016, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=0.0.0.0)(PORT=1521)))
The command completed successfully
[oracle@0ef8c79a8c4b /]$ lsnrctl start

LSNRCTL for Linux: Version 12.2.0.1.0 - Production on 30-JUL-2019 17:03:02

Copyright (c) 1991, 2016, Oracle.  All rights reserved.

Starting /u01/app/oracle/product/12.2.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.2.0.1.0 - Production
System parameter file is /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/listener.ora
Log messages written to /u01/app/oracle/product/12.2.0/dbhome_1/log/diag/tnslsnr/0ef8c79a8c4b/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=0.0.0.0)(PORT=1525)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=0.0.0.0)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 12.2.0.1.0 - Production
Start Date                30-JUL-2019 17:03:02
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/listener.ora
Listener Log File         /u01/app/oracle/product/12.2.0/dbhome_1/log/diag/tnslsnr/0ef8c79a8c4b/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=0.0.0.0)(PORT=1525)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services

The command completed successfully

 It's time to verify it works or not from server-side before we continue with client-side.

[oracle@0ef8c79a8c4b /]$ tnsping ORCLCDB_SSL

TNS Ping Utility for Linux: Version 12.2.0.1.0 - Production on 30-JUL-2019 15:57:35

Copyright (c) 1997, 2016, Oracle.  All rights reserved.

Used parameter files:
/u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/sqlnet.ora


Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 1525))) (CONNECT_DATA = (SERVICE_NAME = ORCLCDB.localdomain)))

OK (70 msec)

Nice, we have done in server-side, now we exit the container and move client_wallet (certificates) and sqlnet.ora, tnsnames.ora to your Mac host.

[oracle@0ef8c79a8c4b /]$ exit
exit
Dos-Mac:instantclient_18_1 koacervate$
docker cp Oracle-DB:/u01/app/oracle/product/12.2.0/dbhome_1/client_wallet /Users/koacervate/TOOL/instantclient_18_1/
Dos-Mac:instantclient_18_1 koacervate$ docker cp oracle-db:/u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/sqlnet.ora /Users/koacervate/TOOL/instantclient_18_1/network/admin/

Dos-Mac:instantclient_18_1 koacervate$ docker cp oracle-db:/u01/app/oracle/product/12.2.0/dbhome_1/admin/ORCLCDB/tnsnames.ora /Users/koacervate/TOOL/instantclient_18_1/network/admin/

And we will modify sqlnet.ora, tnsnames.ora for client-side as below:

Dos-Mac:instantclient_18_1 koacervate$ cat /Users/koacervate/TOOL/instantclient_18_1/network/admin/sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES = (NTS)
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/Users/koacervate/TOOL/instantclient_18_1/client_wallet)))
SSL_CLIENT_AUTHENTICATION=TRUE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SECURE_REGISTER_LISTENER = (IPC)
NAME.DIRECTORY_PATH= {TNSNAMES, EZCONNECT, HOSTNAME}
SQLNET.EXPIRE_TIME = 10
SSL_VERSION = 1.0
Dos-Mac:instantclient_18_1 koacervate$ cat /Users/koacervate/TOOL/instantclient_18_1/network/admin/tnsnames.ora
ORCLCDB =   (DESCRIPTION =     (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))     (CONNECT_DATA =       (SERVER = DEDICATED)       (SERVICE_NAME = ORCLCDB.localdomain     )   ) 
ORCLCDB_SSL =
 (DESCRIPTION =
  (ADDRESS_LIST =
   (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost)(PORT = 1525))
 )
 (CONNECT_DATA =
  (SERVICE_NAME = ORCLCDB.localdomain)))
ORCLPDB1 =   (DESCRIPTION =     (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))     (CONNECT_DATA =       (SERVER = DEDICATED)       (SERVICE_NAME = ORCLPDB1.localdomain)     )   ) 

Dos-Mac:instantclient_18_1 koacervate$

Ok, its time to verify overall of the processes above.

with SQL*Plus:

Dos-Mac:instantclient_18_1 koacervate$ ./sqlplus system/Oradoc_db1@ORCLCDB_SSL

SQL*Plus: Release 18.0.0.0.0 Production on Wed Jul 31 01:53:19 2019
Version 18.1.0.0.0

Copyright (c) 1982, 2018, Oracle.  All rights reserved.

Last Successful login time: Wed Jul 31 2019 01:49:47 +07:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL>

with SQL Developer ...

Error Notes:
ERROR: ORA-12154: TNS:could not resolve the connect identifier specified -> if you are incorrect HOST or SERVICE_NAME in tnsnames.ora.
ERROR: ORA-28860: Fatal SSL error -> if you missing: SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA).
ERROR: ORA-28864: SSL connection closed gracefully -> if you missing: "-sign_alg sha256".

References:
https://database.edorex.ch/blog/database-connection-with-a-certificate/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/how-to-setting-up-encrypted-communications-channels-in-oracle-database/
- https://oracle-base.com/articles/misc/configure-tcpip-with-ssl-and-tls-for-database-connections
https://rbikblog.wordpress.com/2018/02/21/tcps-listener-configuration-for-oracle-database-12c/

QuickStart: The fastest and easiest way to run an Instance of Oracle Database on Mac OS

Posted by at 1 comment:
Labels: , , , , ,
Subscribe to: Posts (Atom)