"ORA-29024: Certificate validation failure" when calling https-site with utl_http

Problem when using UTL_HTTP for HTTPS-sites

When using the UTL_HTTP-package for accessing https-sites you might get the error

ORA-29024: Certificate validation failure – message

SQL> select utl_http.request ('https://www.ssllabs.com/ssltest');
select utl_http.request ('https://www.ssllabs.com/ssltest') from dual
       *
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1722
ORA-29024: Certificate validation failure
ORA-06512: at line 1

To avoid this you need to configure an Oracle Wallet :

Retrieve the certificate from the site. In Chrome click on the lock-icon :

A popup-screen will appear. Click on the Connection-tab and then on ‘Certificate information’

On the certificate-screen select the Details-tab and click on the ‘Copy to File…’ button

The ‘Certificate Export Wizard’ will start up. Click ‘Next’

Select ‘Cryptographic Message Syntax .. – PKCS #7’. The format might depend on the site you are accessing. 

Select where to store the certificate and click ‘Next’. 

Copy the certificate-file to the server hosting the Oracle database.

Next we need to create a wallet :

orapki wallet create -wallet /u01/app/oracle/admin/DB1/wallet -pwd Password -auto_login

and add the certificate to the wallet :

oracle [ /u01/app/oracle/admin/DB1/wallet ]$ orapki wallet add -wallet /u01/app/oracle/admin/DB1/wallet -trusted_cert -cert /tmp/ssllabs.p7b -pwd Password

Oracle PKI Tool : Version 11.2.0.3.0 - Production

Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

oracle [ /u01/app/oracle/admin/DB1/wallet ]$

Now we can test if the we can access the site :

SQL>  select utl_http.request ('https://www.ssllabs.com/ssltest',NULL,'file:/u01/app/oracle/admin/DB1/wallet','Password') from dual;

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>

<head>

        <title>Qualys SSL Labs - Projects / SSL Server Test</title>

 …

SQL>

And it works :-)

Configure hugepages on linux for Oracle

Introduction

Due to some performance issues with our Oracle RAC 11gR2 cluster running on OUL 5 we decided  to increase the physical memory of both nodes in our cluster from 24G to 96G each. The memory of our main production database was also increase from 14G to 48G per instance. Since we did not want to run into issues with regards to memory pages (default 4KB) we also introduced hugepages.

Steps

1 – After installing the memory in the server and rebooting check if all memory is visible from the OS

root [ ~ ]# dmidecode -t 17 | grep Size

        Size: 16384 MB

        Size: 16384 MB

        Size: 16384 MB

        Size: 16384 MB

        Size: 16384 MB

        Size: 16384 MB

        Size: No Module Installed

        Size: No Module Installed

        Size: No Module Installed

        Size: No Module Installed

        Size: No Module Installed

        Size: No Module Installed

2 – Next we need to figure out how much HugePages we need to reserve. To do this we have to check what the size is of a Hugepage. This is by default 2048 kB :

oracle [ ~ ]$ grep Hugepagesize /proc/meminfo

Hugepagesize:     2048 kB

oracle [ ~ ]$

We want to assign 48 Gig to our Oracle instance PRODDB2

ð  (48G * 1024) * 1024 è 50331648 (size in kB)

ð  50331648 / 2048  è 24576 (minimum nr of hugepages we need to configure)

The number of hugepages the os needs to reserve has to be configured in /etc/sysctl.conf

# HugePages

vm.nr_hugepages=24580

We configured 4 more hugepages then required….just in case

Next reload the /etc/sysctl.conf file using sysctl -p

sysctl –p

Check if the amount of hugepages is actually configured :

root [ ~ ]# grep Huge /proc/meminfo

HugePages_Total: 24580

HugePages_Free:  24580

HugePages_Rsvd:      0

Hugepagesize:     2048 kB

That's it ...now we can use HugePages.

How to create a physical standby database

Assumptions

This document has been tested on OUL 5 with Oracle 11.2.0.2 and 11.2.0.3
The Primary database PRIMARY_DB is in archivelog-mode and force-logging is enabled. This database is running on node1.
The Physical standby database is STANDBY_DB and runs on node2

Configuration

On Primary database

Set following parameters :

ALTER SYSTEM SET log_archive_config='DG_CONFIG=(PRIMARY_DB,STANDBY_DB)'; ALTER SYSTEM SET log_archive_dest_1='LOCATION=+ORA_FRA_DG1 VALID_FOR=(ALL_LOGFILES,ALL_ROLES) DB_UNIQUE_NAME=PRIMARY_DB'; ALTER SYSTEM SET log_archive_dest_2='SERVICE=STANDBY_DB NOAFFIRM ASYNC VALID_FOR=(ONLINE_LOGFILES,PRIMARY_ROLE) DB_UNIQUE_NAME=STANDBY_DB' SCOPE=MEMORY; ALTER SYSTEM SET log_archive_dest_state_1='ENABLE'; ALTER SYSTEM SET fal_server='STANDBY_DB'; ALTER SYSTEM SET fal_client='PRIMARY_DB'; ALTER SYSTEM SET standby_file_management='AUTO' SCOPE=MEMORY;

Make sure that all required entries are present in the tnsnames.ora file on BOTH servers :

PRIMARY_DB =   (DESCRIPTION =     (ADDRESS_LIST =       (ADDRESS = (COMMUNITY = tcp.world)(PROTOCOL = TCP)(Host = node1)(Port = 1521))     )     (CONNECT_DATA =       (SERVICE_NAME = PRIMARY_DB)     )   ) STANDBY_DB =   (DESCRIPTION =     (ADDRESS_LIST =       (ADDRESS = (COMMUNITY = tcp.world)(PROTOCOL = TCP)(Host = node2)(Port = 1521))     )     (CONNECT_DATA =       (SERVICE_NAME = STANDBY_DB )     )   )

Check connectivity using tnsping. Also make sure that the the tnsnames in the GRID-home has all required entries.

Put following entries in the listener.ora and restart the listener. The listener.ora on standby_server should have following 2 blocks. The second block is required for the dgmrl :

(SID_DESC =  (GLOBAL_DBNAME = STANDBY_DB )  (ORACLE_HOME = /u01/app/oracle/product/11.2.0.3/db_1)  (SID_NAME = FLEETTST_STBY) ) (SID_DESC =  (GLOBAL_DBNAME = STANDBY_DB_DGMGRL)  (ORACLE_HOME = /u01/app/oracle/product/11.2.0.3/db_1)  (SID_NAME = FLEETTST_STBY) )

Reload the listener on the standby server