Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

ORA-28868: certificate chain check failed

Posted on 2004-10-06
11
Medium Priority
?
2,846 Views
Last Modified: 2010-10-05
Trying to SQLPLUS through SSL results in one of two errors:

1.  ORA-28868: certificate chain check failed
2.  ORA-28862: SSL connection failed

Facts:

a.  This is a 9.2.0.5 database.
b.  The error is happening both in 9.2 and 8.1.7 clients.
c.  TNSPING is successful.
d.  LISTENER log shows connection made (even though SQLPLUS errors out).
e.  Certificates installed successfully (seem to be) and obtained today from http://www.thawte.com
f.  Wallets installed successfully (NOT using any directories with spaces).
g.  We've cruised METALINK and found this is happening with many people, but no one has reported any real solution.

Has anyone encountered a similar error, or does anyone have any thoughts?
0
Comment
Question by:dsacker
  • 5
  • 4
11 Comments
 
LVL 23

Accepted Solution

by:
seazodiac earned 400 total points
ID: 12245078
This is from metalink:
I think it's mentioned some places to kick around (esp. item 2 and 3, you did not import certificate as trusted certificate or signatures are not verified)

Cause:      The check of the certificate list presented by the remote process        
failed. This could be caused by a number of problems including:
1.  the expiration of one of the certificates;
2. a certificate  authority in a certificate was not recognized as a trust point;
3.  the signature in a certificate could not be verified.  


Action:      Make sure that: 1. all of the certificates installed in your        
wallet are current; 2. all of the necessary certificates are        
loaded into your wallet; 3. all of the certificates have valid        
signatures.
0
 
LVL 20

Author Comment

by:dsacker
ID: 12248614
Indeed, all of the necessary certificates are loaded. There are two of us working in tandem on this, and we both got our certificates yesterday from Thawte. They are all logged and all have valid signatures.

In fact, this very METALINK set of suggestions were one of the first items we ruled out early yesterday.

Objectivity would mean we probably should still rule out that those certificates obtained from THAWTE may be the culprit, even though they passed completely through Wallet Manager and Net Manager on the client side. On the server side we used Wallet Manager and manually edited the .ora files.

However, in thinking out loud, on the server side I will make copies of the .ora files and will use Net Manager there just to see if it produces any differences. However, we went through the METALINK pages that show the direct results from Net Manager, and indeed we are able to TNSPING, but not TCPS connect via SQLPLUS.

So, a few questions:

1.  Where did you get your certificates from?
2.  Did you rely solely on Net Manager on the server side to set up your .ora files, or did you add the SSL particulars yourself?
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12248657
we got it from verisign.

we copy and paste certificate into the server config file...
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 20

Author Comment

by:dsacker
ID: 12248705
That's exactly where THAWTE grabs it as well. And we pasted it similarly. I know that because when the signature was presented on the webpage, I viewed the source. It presents it in a frame which when opened directly shows that it comes from verisign.

If you have an opportunity, please look at www.thawte.com, grab a temporary certificate, and see if anything raises a red flag about the process, the signature, etc.
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12248757
This is no small task, I think you should file an TAR with OSS.
0
 
LVL 20

Author Comment

by:dsacker
ID: 12249068
You're gonna like this one. Our company brought in an Oracle OID expert, who spent two weeks and left us with a mess. He opened a TAR, and got no resolution from Oracle, so he soft-closed it.

We've achieved the same results in 2 days of head-banging that he achieved in two weeks. In fact, we got a little farther.

You're right. This is no small task. And as of this posting, Oracle has no rabbit in their hat for a product that is sold to work. :)

Question:

1.  Are you successfully using SSL for your OID/LDAP environment?
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12249215
yep...
but not my work, it's set up before I even came...
0
 
LVL 20

Author Comment

by:dsacker
ID: 12258198
We also have OID already set up, but 9.0.1.2 ... and not SSL.

What version is your OID?
0
 
LVL 20

Author Comment

by:dsacker
ID: 12463691
Please award all 100 points to seazodiac for the discussion, resulting in the advice to open a TAR with OSS (in hopes of finding a solution there).

Thank you.
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Working with Network Access Control Lists in Oracle 11g (part 1) Part 2: http://www.e-e.com/A_9074.html So, you upgraded to a shiny new 11g database and all of a sudden every program that used UTL_MAIL, UTL_SMTP, UTL_TCP, UTL_HTTP or any oth…
From implementing a password expiration date, to datatype conversions and file export options, these are some useful settings I've found in Jasper Server.
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
This video explains what a user managed backup is and shows how to take one, providing a couple of simple example scripts.

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question