Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ORA-28868: certificate chain check failed

Posted on 2004-10-06
11
Medium Priority
?
2,831 Views
Last Modified: 2010-10-05
Trying to SQLPLUS through SSL results in one of two errors:

1.  ORA-28868: certificate chain check failed
2.  ORA-28862: SSL connection failed

Facts:

a.  This is a 9.2.0.5 database.
b.  The error is happening both in 9.2 and 8.1.7 clients.
c.  TNSPING is successful.
d.  LISTENER log shows connection made (even though SQLPLUS errors out).
e.  Certificates installed successfully (seem to be) and obtained today from http://www.thawte.com
f.  Wallets installed successfully (NOT using any directories with spaces).
g.  We've cruised METALINK and found this is happening with many people, but no one has reported any real solution.

Has anyone encountered a similar error, or does anyone have any thoughts?
0
Comment
Question by:dsacker
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
11 Comments
 
LVL 23

Accepted Solution

by:
seazodiac earned 400 total points
ID: 12245078
This is from metalink:
I think it's mentioned some places to kick around (esp. item 2 and 3, you did not import certificate as trusted certificate or signatures are not verified)

Cause:      The check of the certificate list presented by the remote process        
failed. This could be caused by a number of problems including:
1.  the expiration of one of the certificates;
2. a certificate  authority in a certificate was not recognized as a trust point;
3.  the signature in a certificate could not be verified.  


Action:      Make sure that: 1. all of the certificates installed in your        
wallet are current; 2. all of the necessary certificates are        
loaded into your wallet; 3. all of the certificates have valid        
signatures.
0
 
LVL 20

Author Comment

by:dsacker
ID: 12248614
Indeed, all of the necessary certificates are loaded. There are two of us working in tandem on this, and we both got our certificates yesterday from Thawte. They are all logged and all have valid signatures.

In fact, this very METALINK set of suggestions were one of the first items we ruled out early yesterday.

Objectivity would mean we probably should still rule out that those certificates obtained from THAWTE may be the culprit, even though they passed completely through Wallet Manager and Net Manager on the client side. On the server side we used Wallet Manager and manually edited the .ora files.

However, in thinking out loud, on the server side I will make copies of the .ora files and will use Net Manager there just to see if it produces any differences. However, we went through the METALINK pages that show the direct results from Net Manager, and indeed we are able to TNSPING, but not TCPS connect via SQLPLUS.

So, a few questions:

1.  Where did you get your certificates from?
2.  Did you rely solely on Net Manager on the server side to set up your .ora files, or did you add the SSL particulars yourself?
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12248657
we got it from verisign.

we copy and paste certificate into the server config file...
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 20

Author Comment

by:dsacker
ID: 12248705
That's exactly where THAWTE grabs it as well. And we pasted it similarly. I know that because when the signature was presented on the webpage, I viewed the source. It presents it in a frame which when opened directly shows that it comes from verisign.

If you have an opportunity, please look at www.thawte.com, grab a temporary certificate, and see if anything raises a red flag about the process, the signature, etc.
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12248757
This is no small task, I think you should file an TAR with OSS.
0
 
LVL 20

Author Comment

by:dsacker
ID: 12249068
You're gonna like this one. Our company brought in an Oracle OID expert, who spent two weeks and left us with a mess. He opened a TAR, and got no resolution from Oracle, so he soft-closed it.

We've achieved the same results in 2 days of head-banging that he achieved in two weeks. In fact, we got a little farther.

You're right. This is no small task. And as of this posting, Oracle has no rabbit in their hat for a product that is sold to work. :)

Question:

1.  Are you successfully using SSL for your OID/LDAP environment?
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12249215
yep...
but not my work, it's set up before I even came...
0
 
LVL 20

Author Comment

by:dsacker
ID: 12258198
We also have OID already set up, but 9.0.1.2 ... and not SSL.

What version is your OID?
0
 
LVL 20

Author Comment

by:dsacker
ID: 12463691
Please award all 100 points to seazodiac for the discussion, resulting in the advice to open a TAR with OSS (in hopes of finding a solution there).

Thank you.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article started out as an Experts-Exchange question, which then grew into a quick tip to go along with an IOUG presentation for the Collaborate confernce and then later grew again into a full blown article with expanded functionality and legacy…
Cursors in Oracle: A cursor is used to process individual rows returned by database system for a query. In oracle every SQL statement executed by the oracle server has a private area. This area contains information about the SQL statement and the…
Via a live example, show how to take different types of Oracle backups using RMAN.
This video explains what a user managed backup is and shows how to take one, providing a couple of simple example scripts.

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question