Solved

ORA-28868: certificate chain check failed

Posted on 2004-10-06
11
2,805 Views
Last Modified: 2010-10-05
Trying to SQLPLUS through SSL results in one of two errors:

1.  ORA-28868: certificate chain check failed
2.  ORA-28862: SSL connection failed

Facts:

a.  This is a 9.2.0.5 database.
b.  The error is happening both in 9.2 and 8.1.7 clients.
c.  TNSPING is successful.
d.  LISTENER log shows connection made (even though SQLPLUS errors out).
e.  Certificates installed successfully (seem to be) and obtained today from http://www.thawte.com
f.  Wallets installed successfully (NOT using any directories with spaces).
g.  We've cruised METALINK and found this is happening with many people, but no one has reported any real solution.

Has anyone encountered a similar error, or does anyone have any thoughts?
Question by:dsacker
11 Comments
 
LVL 23

Accepted Solution

by:
seazodiac earned 100 total points
ID: 12245078
This is from metalink:
I think it mentions some places to kick around (esp. items 2 and 3: you did not import the certificate as a trusted certificate, or signatures are not verified).

Cause: The check of the certificate list presented by the remote process failed. This could be caused by a number of problems including:
1. the expiration of one of the certificates;
2. a certificate authority in a certificate was not recognized as a trust point;
3. the signature in a certificate could not be verified.

Action: Make sure that: 1. all of the certificates installed in your wallet are current; 2. all of the necessary certificates are loaded into your wallet; 3. all of the certificates have valid signatures.
0
 
LVL 20

Author Comment

by:dsacker
ID: 12248614
Indeed, all of the necessary certificates are loaded. There are two of us working in tandem on this, and we both got our certificates yesterday from Thawte. They are all logged and all have valid signatures.

In fact, this very METALINK set of suggestions was one of the first items we ruled out early yesterday.

Objectivity would mean we probably should still rule out that those certificates obtained from THAWTE may be the culprit, even though they passed completely through Wallet Manager and Net Manager on the client side. On the server side we used Wallet Manager and manually edited the .ora files.

However, in thinking out loud, on the server side I will make copies of the .ora files and will use Net Manager there just to see if it produces any differences. However, we went through the METALINK pages that show the direct results from Net Manager, and indeed we are able to TNSPING, but not TCPS connect via SQLPLUS.

So, a few questions:

1.  Where did you get your certificates from?
2.  Did you rely solely on Net Manager on the server side to set up your .ora files, or did you add the SSL particulars yourself?
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12248657
We got it from Verisign.

we copy and paste certificate into the server config file...
0
 
LVL 20

Author Comment

by:dsacker
ID: 12248705
That's exactly where THAWTE grabs it as well. And we pasted it similarly. I know that because when the signature was presented on the webpage, I viewed the source. It presents it in a frame which when opened directly shows that it comes from verisign.

If you have an opportunity, please look at www.thawte.com, grab a temporary certificate, and see if anything raises a red flag about the process, the signature, etc.
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12248757
This is no small task; I think you should file a TAR with OSS.
0
 
LVL 20

Author Comment

by:dsacker
ID: 12249068
You're gonna like this one. Our company brought in an Oracle OID expert, who spent two weeks and left us with a mess. He opened a TAR, and got no resolution from Oracle, so he soft-closed it.

We've achieved the same results in 2 days of head-banging that he achieved in two weeks. In fact, we got a little farther.

You're right. This is no small task. And as of this posting, Oracle has no rabbit in their hat for a product that is sold to work. :)

Question:

1.  Are you successfully using SSL for your OID/LDAP environment?
0
 
LVL 23

Expert Comment

by:seazodiac
ID: 12249215
yep...
but not my work, it's set up before I even came...
0
 
LVL 20

Author Comment

by:dsacker
ID: 12258198
We also have OID already set up, but 9.0.1.2 ... and not SSL.

What version is your OID?
0
 
LVL 20

Author Comment

by:dsacker
ID: 12463691
Please award all 100 points to seazodiac for the discussion, resulting in the advice to open a TAR with OSS (in hopes of finding a solution there).

Thank you.
0
