Solved

ORA-28868: certificate chain check failed

Posted on 2004-10-06
11
2,763 Views
Last Modified: 2010-10-05
Trying to SQLPLUS through SSL results in one of two errors:

1.  ORA-28868: certificate chain check failed
2.  ORA-28862: SSL connection failed

Facts:

a.  This is a 9.2.0.5 database.
b.  The error is happening both in 9.2 and 8.1.7 clients.
c.  TNSPING is successful.
d.  LISTENER log shows connection made (even though SQLPLUS errors out).
e.  Certificates installed successfully (seem to be) and obtained today from http://www.thawte.com
f.  Wallets installed successfully (NOT using any directories with spaces).
g.  We've cruised METALINK and found this is happening with many people, but no one has reported any real solution.

Has anyone encountered a similar error, or does anyone have any thoughts?
0
Comment
Question by:dsacker
  • 5
  • 4
11 Comments
 
LVL 23

Accepted Solution

by:
seazodiac earned 100 total points
ID: 12245078
This is from metalink:
I think it's mentioned some places to kick around (esp. item 2 and 3, you did not import certificate as trusted certificate or signatures are not verified)

Cause:      The check of the certificate list presented by the remote process        
failed. This could be caused by a number of problems including:
1.  the expiration of one of the certificates;
2. a certificate  authority in a certificate was not recognized as a trust point;
3.  the signature in a certificate could not be verified.  


Action:      Make sure that: 1. all of the certificates installed in your        
wallet are current; 2. all of the necessary certificates are        
loaded into your wallet; 3. all of the certificates have valid        
signatures.
0
 
LVL 20

Author Comment

by:dsacker
ID: 12248614
Indeed, all of the necessary certificates are loaded. There are two of us working in tandem on this, and we both got our certificates yesterday from Thawte. They are all logged and all have valid signatures.

In fact, this very METALINK set of suggestions were one of the first items we ruled out early yesterday.

Objectivity would mean we probably should still rule out that those certificates obtained from THAWTE may be the culprit, even though they passed completely through Wallet Manager and Net Manager on the client side. On the server side we used Wallet Manager and manually edited the .ora files.

However, in thinking out loud, on the server side I will make copies of the .ora files and will use Net Manager there just to see if it produces any differences. However, we went through the METALINK pages that show the direct results from Net Manager, and indeed we are able to TNSPING, but not TCPS connect via SQLPLUS.

So, a few questions:

1.  Where did you get your certificates from?
2.  Did you rely solely on Net Manager on the server side to set up your .ora files, or did you add the SSL particulars yourself?
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12248657
we got it from verisign.

we copy and paste certificate into the server config file...
0
 
LVL 20

Author Comment

by:dsacker
ID: 12248705
That's exactly where THAWTE grabs it as well. And we pasted it similarly. I know that because when the signature was presented on the webpage, I viewed the source. It presents it in a frame which when opened directly shows that it comes from verisign.

If you have an opportunity, please look at www.thawte.com, grab a temporary certificate, and see if anything raises a red flag about the process, the signature, etc.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 23

Expert Comment

by:seazodiac
ID: 12248757
This is no small task, I think you should file an TAR with OSS.
0
 
LVL 20

Author Comment

by:dsacker
ID: 12249068
You're gonna like this one. Our company brought in an Oracle OID expert, who spent two weeks and left us with a mess. He opened a TAR, and got no resolution from Oracle, so he soft-closed it.

We've achieved the same results in 2 days of head-banging that he achieved in two weeks. In fact, we got a little farther.

You're right. This is no small task. And as of this posting, Oracle has no rabbit in their hat for a product that is sold to work. :)

Question:

1.  Are you successfully using SSL for your OID/LDAP environment?
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12249215
yep...
but not my work, it's set up before I even came...
0
 
LVL 20

Author Comment

by:dsacker
ID: 12258198
We also have OID already set up, but 9.0.1.2 ... and not SSL.

What version is your OID?
0
 
LVL 20

Author Comment

by:dsacker
ID: 12463691
Please award all 100 points to seazodiac for the discussion, resulting in the advice to open a TAR with OSS (in hopes of finding a solution there).

Thank you.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Truncate is a DDL Command where as Delete is a DML Command. Both will delete data from table, but what is the difference between these below statements truncate table <table_name> ?? delete from <table_name> ?? The first command cannot be …
This post first appeared at Oracleinaction  (http://oracleinaction.com/undo-and-redo-in-oracle/)by Anju Garg (Myself). I  will demonstrate that undo for DML’s is stored both in undo tablespace and online redo logs. Then, we will analyze the reaso…
This video shows information on the Oracle Data Dictionary, starting with the Oracle documentation, explaining the different types of Data Dictionary views available by group and permissions as well as giving examples on how to retrieve data from th…
This video shows how to configure and send email from and Oracle database using both UTL_SMTP and UTL_MAIL, as well as comparing UTL_SMTP to a manual SMTP conversation with a mail server.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now