I am trying to connect to an Amazon RDS instance via the Oracle.ManagedDataAccess NuGet package using an SSL certificate.
I can connect successfully via SQL*Plus using a wallet generated with orapki. The wallet was generated by following the AWS instructions.
I want to do the same via Oracle.ManagedDataAccess in C# and I am trying to use the same wallet.
My C# looks like this:
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Oracle.ManagedDataAccess.Client;

namespace OracleDataAccess
{
    class Program
    {
        static void Main(string[] args)
        {
            // TCPS descriptor with the server certificate DN pinned via SSL_SERVER_CERT_DN
            var connectionString = @"USER ID=***;PASSWORD=***;DATA SOURCE=(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = ***) (PORT = 2484)))(CONNECT_DATA = (SID = ***)) (SECURITY = (SSL_SERVER_CERT_DN = C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=***)))";
            using (var connection = new OracleConnection(connectionString))
            {
                connection.Open(); // the OracleException is thrown here
            }
        }
    }
}
```
My app.config has the location to my wallet:
```xml
<oracle.manageddataaccess.client>
  <version number="*">
    <settings>
      <setting name="WALLET_LOCATION" value="(SOURCE=(METHOD =FILE)(METHOD_DATA=(DIRECTORY=C:\ssl_wallet))) "/>
    </settings>
  </version>
</oracle.manageddataaccess.client>
```
I get an OracleException on Open():
Oracle.ManagedDataAccess.Client.OracleException: 'Network Transport: SSL failure in parsing wallet location'
With an inner exception:
TCPS: Invalid SSL Wallet (Magic)
It definitely finds and can access the wallet file because if you change the location to something invalid you get a different inner exception e.g.:
DirectoryNotFoundException: Could not find a part of the path 'C:\ssl_wallet2\cwallet.sso'.
I can't find anything obvious to suggest why that wallet should be invalid as it has been used by SQL*Plus to connect to the same server successfully.
"Invalid SSL Wallet (Magic)" doesn't yield anything relevant that I can find. Is there anything that I am missing in this approach?
Edit:
Your stacktrace may contain:
```text
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
at OracleInternal.Network.TcpsTransportAdapter.Negotiate(ConnectionOption conOption)
at OracleInternal.Network.OracleCommunication.DoConnect(String tnsDescriptor)
at OracleInternal.Network.OracleCommunication.Connect(String tnsDescriptor, Boolean doNAHandshake, String IName, ConnectionOption CO)
at OracleInternal.ServiceObjects.OracleConnectionImpl.Connect(ConnectionString cs, Boolean bOpenEndUserSession, OracleConnection connRefForCriteria, String instanceName)
System.ArgumentException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Array may not be empty or null. Parameter name: rawData
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
at OracleInternal.Network.TcpsTransportAdapter.Negotiate(ConnectionOption conOption
```
Turns out that the wallet file generated by orapki isn't appropriate here.
The solution is to use the Windows Certificate Store instead to hold the RDS Certificate Authority.
In this case you download the PKCS7 file for RDS from AWS and import it into your Trusted Root Certification Authorities in Windows.
Then you change your app.config to set your wallet location to be the Microsoft Certificate Store like this:
```xml
<oracle.manageddataaccess.client>
  <version number="*">
    <settings>
      <setting name="WALLET_LOCATION" value="(SOURCE=(METHOD =MCS)) "/>
    </settings>
  </version>
</oracle.manageddataaccess.client>
```
And then everything works as expected.
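The import step from the answer done in C# with a thumbprint check, as an added example that is not code from the question, Oracle or AWS: it loads the RDS PKCS#7 bundle from an assumed path, admits a certificate to the CurrentUser Trusted Root store only if its thumbprint matches an expected value you take from the AWS documentation (a placeholder here), and reports what is now trusted. The driver then validates the server chain against that store when app.config points WALLET_LOCATION at MCS as shown above.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

namespace OracleDataAccess
{
    static class RdsTrustStore
    {
        // Expected SHA-1 thumbprints of the RDS CA certificates, copied from the AWS
        // documentation at import time. Placeholder value: replace before use.
        static readonly HashSet<string> ExpectedThumbprints =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "<RDS-CA-THUMBPRINT-FROM-AWS-DOCS>" // placeholder, not a real thumbprint
            };

        // Imports the CA certificates from the PKCS#7 bundle (assumed path) into the
        // current user's Trusted Root store, skipping anything whose thumbprint is not
        // expected, so a tampered bundle never becomes a trust anchor. Returns the
        // thumbprints that are present in the store afterwards.
        public static List<string> ImportRdsCaBundle(string p7bPath)
        {
            var bundle = new X509Certificate2Collection();
            bundle.Import(p7bPath); // .p7b (PKCS#7) files are accepted by Import(string)
            var trusted = new List<string>();
            using (var root = new X509Store(StoreName.Root, StoreLocation.CurrentUser))
            {
                root.Open(OpenFlags.ReadWrite);
                foreach (var cert in bundle)
                {
                    if (!ExpectedThumbprints.Contains(cert.Thumbprint))
                    {
                        Console.WriteLine($"Skipping unexpected certificate {cert.Thumbprint} ({cert.Subject})");
                        continue;
                    }
                    // validOnly: false so an already-imported but expired copy is still detected
                    var found = root.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
                    if (found.Count == 0)
                        root.Add(cert);
                    trusted.Add(cert.Thumbprint);
                }
            }
            return trusted;
        }

        static void Main()
        {
            var trusted = ImportRdsCaBundle(@"C:\rds-ca-bundle.p7b"); // assumed download location
            Console.WriteLine($"Trusted RDS CA certificates in CurrentUser\\Root: {trusted.Count}");
        }
    }
}
```

Importing into CurrentUser rather than LocalMachine limits the new trust anchor to the account running the client, and SSL_SERVER_CERT_DN in the connection string still has to match the server certificate's subject.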
Source: https://stackoverflow.com/questions/52220070/oracle-manageddataaccess-to-aws-rds-db-tcps-invalid-ssl-wallet-magic