Tenable Research Release Highlights


ibelyna
4 years ago


Client Certificate Authentication for Oracle Databases

Summary

Support for X.509 client certificate authentication to Oracle databases will be added soon to Tenable vulnerability management and detection products.

Change

Customers will be able to select a new "Client Certificate" database credential type for Oracle databases. When this credential is equipped with a client certificate, private key and trusted CA certificate it will be used to authenticate vulnerability and compliance scans to Oracle databases. Here is what the new credential type looks like:

In order to use X.509 certificates to authenticate to an Oracle database, the database and certificates must be properly configured. Product documentation for this feature is incomplete and difficult to find. The following is a list of requirements which, combined with the official documentation, should at least contribute to a correct configuration.

  • The trusted certificate in the Oracle Database server's secure wallet must be used to sign the client certificate.
  • The distinguished name of the client certificate must match the external name configured for that user in the database. For example, if the user certificate has a distinguished name "CN=Scott", then the following has to be executed on the target server at some point: alter user Scott identified externally as 'CN=Scott';
  • The wallet location has to be correctly specified in both sqlnet.ora and listener.ora on the server.
  • The TCPS protocol must be supported in the server configuration.
  • The sqlnet.ora file on the server must have the following settings:
    • SSL_CLIENT_AUTHENTICATION = TRUE
    • DISABLE_OOB = ON

More information can be found at:
  • https://docs.oracle.com/database/121/DBSEG/asossl.htm#DBSEG070
  • https://docs.oracle.com/database/121/DBSEG/authentication.htm#DBSEG003

If Oracle client certificates from a client-side Oracle secure wallet are used, they must be extracted individually into PEM encoded files. The following OpenSSL command can be used to unpack a wallet into PEM form:

  openssl pkcs12 -in ewallet.p12 -out certs.crt

At this point the client certificate, private key and CA certificate must be copied out of certs.crt into individual files using a text editor. These files can then be used to populate the Tenable database credential.

Note

Some versions of Nessus do not support encrypted private keys. It may be necessary to decrypt your private key using openssl before uploading it to the new database credential. Rest assured, Tenable will never transmit your private key and will always store private keys in an encrypted format.

Impact

Customers will be able to use X.509 client certificates in Tenable vulnerability scans to authenticate to target databases.

Affected Components

Nessus Professional, T.sc, T.io and other Nessus based products such as Nessus Manager.

Target Release Date

19 Jan 2022 - Nessus and Tenable.io

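The server-side requirements listed above (wallet location in both files, TCPS endpoint, SSL_CLIENT_AUTHENTICATION and DISABLE_OOB), written out as an illustrative sqlnet.ora and listener.ora. This is an added example, not configuration from the post, Tenable or Oracle's documentation; the wallet directory, hostname and the port 2484 are assumptions, and the TCP address is kept only to show TCPS being added beside it.

```text
# sqlnet.ora (server side; wallet directory is an assumed path)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)
    )
  )
SSL_CLIENT_AUTHENTICATION = TRUE
DISABLE_OOB = ON

# listener.ora (same wallet location, plus a TCPS endpoint next to the usual TCP one)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)
    )
  )
SSL_CLIENT_AUTHENTICATION = TRUE
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))
    )
  )
```

After editing, reload the listener (lsnrctl reload) and confirm with lsnrctl status that a TCPS endpoint is listed. Two caveats a practitioner runs into: the listener has no way to type a wallet password, so the server wallet needs an auto-login copy (cwallet.sso, created with the orapki -auto_login option) in that directory; and the DN in the alter user statement has to match the certificate subject character for character, including RDN order, so take it from the certificate rather than typing it from memory.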
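The wallet extraction and key decryption steps from the post, done with openssl alone instead of copying blocks out of certs.crt in a text editor, plus checks for the two requirements that most often go wrong (the CA really signed the client certificate, and the DN handed to alter user is the certificate's actual subject). This is an added example, not Tenable's tooling or Oracle's. The wallet it unpacks is constructed on the spot as stand-in test data; the wallet password, key passphrase, file names and the user "Scott" are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not Tenable's code): split an Oracle client wallet (PKCS#12) into
# the client certificate, CA certificate and private key PEM files the
# "Client Certificate" credential takes, and check them before uploading.
set -eu

WORK=$(mktemp -d)   # all files are left here for inspection

# Constructed stand-in for a client-side ewallet.p12: a demo CA (the "trusted
# certificate" that would sit in the server wallet) and a client cert it signed
# for the database user Scott. Passwords and names are demo assumptions.
make_demo_wallet() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Oracle CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Scott" \
    -keyout "$WORK/scott.key" -out "$WORK/scott.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/scott.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/scott.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/scott.crt" -inkey "$WORK/scott.key" \
    -certfile "$WORK/ca.crt" -passout pass:WalletPass1 -out "$WORK/ewallet.p12"
}

# Unpack the wallet one component at a time. openssl pkcs12 prefixes its PEM
# output with "Bag Attributes" lines, so each piece is re-read through
# openssl x509 (or filtered with awk) to leave only the PEM block.
unpack_wallet() {   # $1 = wallet file, $2 = wallet password, $3 = output directory
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
    | openssl x509 -out "$3/client.crt"
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3/ca.crt"
  # Private key, still passphrase-protected: the form some Nessus versions reject.
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout pass:KeyPass1 \
    -out "$3/client.key.enc"
  # Decrypt it with openssl, as the post's note suggests, before uploading.
  openssl pkey -in "$3/client.key.enc" -passin pass:KeyPass1 -out "$3/client.key"
}

# Requirement: the trusted certificate must have signed the client certificate.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1; }

# The key must belong to the certificate, and must no longer be encrypted.
key_ok() {
  [ "$(openssl x509 -in "$1/client.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/client.key" -pubout)" ] &&
  ! grep -q ENCRYPTED "$1/client.key"
}

# Requirement: the certificate DN must match the user's external name. Take the
# DN from the certificate itself (RFC 2253 form) instead of retyping it.
client_dn() {
  openssl x509 -in "$1/client.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# The statement to run on the target server for that user.
alter_user_sql() {   # $1 = database user, $2 = directory holding client.crt
  printf "alter user %s identified externally as '%s';\n" "$1" "$(client_dn "$2")"
}

make_demo_wallet
unpack_wallet "$WORK/ewallet.p12" WalletPass1 "$WORK"
chain_ok "$WORK" && key_ok "$WORK" && alter_user_sql Scott "$WORK"
```

Run it as-is to see the three files and the alter user line it produces, then point unpack_wallet at a real ewallet.p12 and its password. If OpenSSL 3 refuses a real Oracle wallet with an unsupported-algorithm error, the wallet was written with an older PBE; the pkcs12 subcommand in OpenSSL 3 has a -legacy switch for that case. Keep the wallet password and the decrypted client.key out of shell history and scan notes, and delete the working directory once the credential is uploaded.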