Solved

ORA-28868: certificate chain check failed

Posted on 2004-10-06
Last Modified: 2010-10-05
Trying to SQLPLUS through SSL results in one of two errors:

1.  ORA-28868: certificate chain check failed
2.  ORA-28862: SSL connection failed

Facts:

a.  This is a 9.2.0.5 database.
b.  The error is happening both in 9.2 and 8.1.7 clients.
c.  TNSPING is successful.
d.  LISTENER log shows connection made (even though SQLPLUS errors out).
e.  Certificates installed successfully (seem to be) and obtained today from http://www.thawte.com
f.  Wallets installed successfully (NOT using any directories with spaces).
g.  We've cruised METALINK and found this is happening with many people, but no one has reported any real solution.

Has anyone encountered a similar error, or does anyone have any thoughts?
Question by:dsacker

Accepted Solution

by:
seazodiac earned 100 total points
ID: 12245078
This is from metalink:
I think it mentions some places to kick around (esp. items 2 and 3: you did not import the certificate as a trusted certificate, or signatures are not verified).

Cause: The check of the certificate list presented by the remote process failed. This could be caused by a number of problems including:
1. the expiration of one of the certificates;
2. a certificate authority in a certificate was not recognized as a trust point;
3. the signature in a certificate could not be verified.

Action: Make sure that:
1. all of the certificates installed in your wallet are current;
2. all of the necessary certificates are loaded into your wallet;
3. all of the certificates have valid signatures.
0
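The three causes in the Metalink note above can be checked outside Oracle once the certificates are exported from the wallets as PEM files. The script below is an added example, not part of the original thread and not Oracle tooling: it uses the `openssl` command line on a throwaway CA and server certificate constructed inside the script, and `chain_check`, the file names and `db.example.test` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. The CAs and server certificate are throwaway, constructed here
# to stand in for PEM files exported from the client and server wallets.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

new_root() {  # new_root NAME -> self-signed CA in $work/NAME.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

make_demo_pki() {
  new_root issuing-ca      # the CA that really signed the server certificate
  new_root unrelated-ca    # a trust point that did NOT sign it
  openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
    -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
  openssl x509 -req -in "$work/srv.csr" -days 1 -out "$work/srv.pem" \
    -CA "$work/issuing-ca.pem" -CAkey "$work/issuing-ca.key" -CAcreateserial 2>/dev/null
}

# chain_check CERT TRUST_BUNDLE [SECONDS_AHEAD]
# Prints which of the three listed causes applies, or "ok".
chain_check() {
  local cert="$1" trust="$2" ahead="${3:-0}" out
  # Cause 1: certificate expired (or expires within SECONDS_AHEAD).
  if ! openssl x509 -in "$cert" -noout -checkend "$ahead" >/dev/null 2>&1; then
    echo "expired-or-expiring"; return 1
  fi
  # Causes 2 and 3: verify against the supplied trust points. -no-CApath
  # (OpenSSL 1.1.0+) skips the default CA directory; OpenSSL 3 also has -no-CAstore.
  if out=$(openssl verify -no-CApath -CAfile "$trust" "$cert" 2>&1); then
    echo "ok"; return 0
  fi
  case "$out" in
    *"unable to get local issuer"*|*"self signed"*|*"self-signed"*)
      echo "untrusted-issuer" ;;
    *"signature failure"*) echo "bad-signature" ;;
    *) echo "other: $out" ;;
  esac
  return 1
}

make_demo_pki
chain_check "$work/srv.pem" "$work/issuing-ca.pem"        || true  # issuer is a trust point
chain_check "$work/srv.pem" "$work/unrelated-ca.pem"      || true  # issuer missing from trust points
chain_check "$work/srv.pem" "$work/issuing-ca.pem" 172800 || true  # 1-day cert, 2-day look-ahead
```

For a real wallet, pass the exported user certificate as CERT and a file holding only the wallet's trusted certificates as TRUST_BUNDLE, so the result reflects what the wallet itself can validate.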
 

Author Comment

by:dsacker
ID: 12248614
Indeed, all of the necessary certificates are loaded. There are two of us working in tandem on this, and we both got our certificates yesterday from Thawte. They are all logged and all have valid signatures.

In fact, this very METALINK set of suggestions was one of the first items we ruled out early yesterday.

Objectivity would mean we probably should still rule out that those certificates obtained from THAWTE may be the culprit, even though they passed completely through Wallet Manager and Net Manager on the client side. On the server side we used Wallet Manager and manually edited the .ora files.

However, in thinking out loud, on the server side I will make copies of the .ora files and will use Net Manager there just to see if it produces any differences. However, we went through the METALINK pages that show the direct results from Net Manager, and indeed we are able to TNSPING, but not TCPS connect via SQLPLUS.

So, a few questions:

1.  Where did you get your certificates from?
2.  Did you rely solely on Net Manager on the server side to set up your .ora files, or did you add the SSL particulars yourself?

Expert Comment

by:seazodiac
ID: 12248657
We got it from VeriSign.

We copy and paste the certificate into the server config file...

Author Comment

by:dsacker
ID: 12248705
That's exactly where THAWTE grabs it as well. And we pasted it similarly. I know that because when the signature was presented on the webpage, I viewed the source. It presents it in a frame which when opened directly shows that it comes from verisign.

If you have an opportunity, please look at www.thawte.com, grab a temporary certificate, and see if anything raises a red flag about the process, the signature, etc.

Expert Comment

by:seazodiac
ID: 12248757
This is no small task. I think you should file a TAR with OSS.

Author Comment

by:dsacker
ID: 12249068
You're gonna like this one. Our company brought in an Oracle OID expert, who spent two weeks and left us with a mess. He opened a TAR, and got no resolution from Oracle, so he soft-closed it.

We've achieved the same results in 2 days of head-banging that he achieved in two weeks. In fact, we got a little farther.

You're right. This is no small task. And as of this posting, Oracle has no rabbit in their hat for a product that is sold to work. :)

Question:

1.  Are you successfully using SSL for your OID/LDAP environment?

Expert Comment

by:seazodiac
ID: 12249215
Yep...
but not my work; it was set up before I even came...

Author Comment

by:dsacker
ID: 12258198
We also have OID already set up, but 9.0.1.2 ... and not SSL.

What version is your OID?

Author Comment

by:dsacker
ID: 12463691
Please award all 100 points to seazodiac for the discussion, resulting in the advice to open a TAR with OSS (in hopes of finding a solution there).

Thank you.