From cd9ec9dda76feac9ff27a350bf5fc967ba1bc6a8 Mon Sep 17 00:00:00 2001 From: vatsrahul Date: Fri, 28 Jul 2023 10:40:09 +0000 Subject: [PATCH] custom location for certs --- OracleDatabase/SingleInstance/README.md | 46 +++++++++++-------- .../dockerfiles/19.3.0/configTcps.sh | 15 +++--- .../dockerfiles/21.3.0/configTcps.sh | 15 +++--- .../dockerfiles/23.2.0/configTcps.sh | 15 +++--- 4 files changed, 50 insertions(+), 41 deletions(-) diff --git a/OracleDatabase/SingleInstance/README.md b/OracleDatabase/SingleInstance/README.md index b8dcdf75f9..7f0536e2c6 100644 --- a/OracleDatabase/SingleInstance/README.md +++ b/OracleDatabase/SingleInstance/README.md @@ -140,6 +140,9 @@ To run your Oracle Database image use the `docker run` command as follows: -e ENABLE_TCPS: To enable TCPS connections for Oracle Database. Supported by Oracle Database 19.3 onwards. + -e TCPS_CERTS_LOCATION: + To provide location of user certificates in container to enable tcps connection + Supported by Oracle Database 19.3 onwards. -v /opt/oracle/oradata The data volume to use for the database. Has to be writable by the Unix "oracle" (uid: 54321) user inside the container! 
@@ -214,16 +217,34 @@ In case this parameter is set `true` and passed to `docker run` command while re There are two ways to enable TCPS connections for the database: 1. Enable TCPS while creating the database. + + * Using Self Signed certificates + * Use the `-e ENABLE_TCPS=true` option with the `docker run` command. A listener endpoint will be created at the container port 2484 for TCPS. + * Using your own certificates + * Use the `-e ENABLE_TCPS=true` and `-e TCPS_CERTS_LOCATION=` option with the `docker run` command. Also mount a local host directory at `TCPS_CERTS_LOCATION` in container using `-v` option. + * Keep your Certificate and Key files in `cert.crt` and `client.key` respectively in this local host directory. + * `cert.cert` file needs to have Root/Intermediate certificate followed by client certificate at the end. + 2. Enable TCPS after the database is created. -To enable TCPS connections while creating the database, use the `-e ENABLE_TCPS=true` option with the `docker run` command. A listener endpoint will be created at the container port 2484 for TCPS. + * Using Self Signed certificates + * docker exec /opt/oracle/configTcps.sh + * Using your own certificates + * Keep your Certificate and Key files in `cert.crt` and `client.key` respectively. + * `cert.cert` file needs to have Root/Intermediate certificate followed by client certificate at the end. + * Either place both files in a host directory mounted in container or directly copy both files in container. + * `TCPS_CERTS_LOCATION` is container directory where certs are copied or mounted at. -To enable TCPS connections after the database is created, please use the following sample command: + docker cp cert.crt : + docker cp client.key : + or + cp {cert.crt,client.key} - # Creates Listener for TCPS at container port 2484 - docker exec /opt/oracle/configTcps.sh + 5. 
Run following command to set up tcps connection using these certificates + + podman exec -it env TCPS_CERTS_LOCATION= /opt/oracle/configTcps.sh -Similarly, to disable TCPS connections for the database, please use the following command: +To disable TCPS connections for the database, please use the following command: # Disable TCPS in the database docker exec /opt/oracle/configTcps.sh disable @@ -233,21 +254,6 @@ To configure wallet password, please use the following command: # Setup TCPS for port 16002 and pass wallet password as argument docker exec /opt/oracle/configTcps.sh 16002 localhost -To use custom certificates instead of self-signed cerificates: - -* Create a folder called `certs`, put your Certificate and Key files in this folder, the files needs to be named `cert.crt` and `client.key`. -* `cert.cert` file needs to have Root/Intermediate certificate followed by client certificate at the end. - - mkdir -p certs/ - cp cert_file.crt certs/cert.crt - cp client_key_file.key certs/client.key - -* Place this folder `certs` in host directory which is mounted at /opt/oracle/oradata/ in the container. Now, enabling tcps while running container will use these certs for tcps connection. -* If container is already running, use following commands to copy `certs` directory into mounted host directory and then run configTcps.sh script as shown. - - cp /certs/ - docker exec /opt/oracle/configTcps.sh - **NOTE**: * Only database server authentication is supported (no mTLS). diff --git a/OracleDatabase/SingleInstance/dockerfiles/19.3.0/configTcps.sh b/OracleDatabase/SingleInstance/dockerfiles/19.3.0/configTcps.sh index 55843c8648..09154274f7 100644 --- a/OracleDatabase/SingleInstance/dockerfiles/19.3.0/configTcps.sh +++ b/OracleDatabase/SingleInstance/dockerfiles/19.3.0/configTcps.sh 
@@ -146,17 +146,18 @@ PKCS12_PWD=$(openssl rand -hex 8) # Client wallet location CLIENT_WALLET_LOC="${ORACLE_BASE}/oradata/clientWallet/${ORACLE_SID}" -# Client Cert location -CLIENT_CERT_LOCATON="${ORACLE_BASE}"/oradata/certs/cert.crt # certificate file - -# Client key location -CLIENT_KEY_LOCATON="${ORACLE_BASE}"/oradata/certs/client.key # client key - # Default CUSTOM_CERT value CUSTOM_CERTS=false -if [[ -f $CLIENT_CERT_LOCATON && -f $CLIENT_KEY_LOCATON ]]; then +if [[ -z $TCPS_CERTS_LOCATION ]]; then + CUSTOM_CERTS=false +else CUSTOM_CERTS=true + # Client Cert location + CLIENT_CERT_LOCATON="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file + + # Client key location + CLIENT_KEY_LOCATON="${TCPS_CERTS_LOCATION}"/client.key # client key fi # Disable TCPS control flow diff --git a/OracleDatabase/SingleInstance/dockerfiles/21.3.0/configTcps.sh b/OracleDatabase/SingleInstance/dockerfiles/21.3.0/configTcps.sh index c2f42c0ebd..e0c09b852c 100644 --- a/OracleDatabase/SingleInstance/dockerfiles/21.3.0/configTcps.sh +++ b/OracleDatabase/SingleInstance/dockerfiles/21.3.0/configTcps.sh @@ -150,17 +150,18 @@ PKCS12_PWD=$(openssl rand -hex 8) # Client wallet location CLIENT_WALLET_LOC="${ORACLE_BASE}/oradata/clientWallet/${ORACLE_SID}" -# Client Cert location -CLIENT_CERT_LOCATON="${ORACLE_BASE}"/oradata/certs/cert.crt # certificate file - -# Client key location -CLIENT_KEY_LOCATON="${ORACLE_BASE}"/oradata/certs/client.key # client key - # Default CUSTOM_CERT value CUSTOM_CERTS=false -if [[ -f $CLIENT_CERT_LOCATON && -f $CLIENT_KEY_LOCATON ]]; then +if [[ -z $TCPS_CERTS_LOCATION ]]; then + CUSTOM_CERTS=false +else CUSTOM_CERTS=true + # Client Cert location + CLIENT_CERT_LOCATON="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file + + # Client key location + CLIENT_KEY_LOCATON="${TCPS_CERTS_LOCATION}"/client.key # client key fi # Disable TCPS control flow 
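Review bot: The new condition `if [[ -z $TCPS_CERTS_LOCATION ]]; then` drops the `-f` existence check that the removed `if [[ -f $CLIENT_CERT_LOCATON && -f $CLIENT_KEY_LOCATON ]]` line performed, so a set but wrong `TCPS_CERTS_LOCATION` (typo, volume not mounted, files not named `cert.crt`/`client.key`) still produces `CUSTOM_CERTS=true` with `CLIENT_CERT_LOCATON`/`CLIENT_KEY_LOCATON` pointing at files that do not exist, and whatever consumes them further down the script (outside this hunk) presumably fails with a far less useful error. Re-add the check inside the `else` branch and fail loudly rather than fall back to self-signed certificates, since an operator who explicitly asked for their own certificates should not silently get a different listener configuration. The `CUSTOM_CERTS=false` in the `if` branch only repeats the default assigned two lines above and can be dropped; if the script runs under `set -u` (not visible in this hunk), `[[ -z ${TCPS_CERTS_LOCATION:-} ]]` avoids aborting when the variable is unset. The identical hunk in `21.3.0/configTcps.sh` and `23.2.0/configTcps.sh` needs the same fix; the code that uses `CUSTOM_CERTS` lies outside all three hunks.
```shell
else
  CUSTOM_CERTS=true
  # … unchanged: CLIENT_CERT_LOCATON / CLIENT_KEY_LOCATON assignments …
  # Fail early: both files must exist before the steps below try to use them.
  if [[ ! -f "$CLIENT_CERT_LOCATON" || ! -f "$CLIENT_KEY_LOCATON" ]]; then
    echo "ERROR: TCPS_CERTS_LOCATION=${TCPS_CERTS_LOCATION} must contain cert.crt and client.key" >&2
    exit 1
  fi
fi
```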
diff --git a/OracleDatabase/SingleInstance/dockerfiles/23.2.0/configTcps.sh b/OracleDatabase/SingleInstance/dockerfiles/23.2.0/configTcps.sh index 1b86b62c3e..8e5ad43254 100644 --- a/OracleDatabase/SingleInstance/dockerfiles/23.2.0/configTcps.sh +++ b/OracleDatabase/SingleInstance/dockerfiles/23.2.0/configTcps.sh @@ -150,17 +150,18 @@ PKCS12_PWD=$(openssl rand -hex 8) # Client wallet location CLIENT_WALLET_LOC="${ORACLE_BASE}/oradata/clientWallet/${ORACLE_SID}" -# Client Cert location -CLIENT_CERT_LOCATON="${ORACLE_BASE}"/oradata/certs/cert.crt # certificate file - -# Client key location -CLIENT_KEY_LOCATON="${ORACLE_BASE}"/oradata/certs/client.key # client key - # Default CUSTOM_CERT value CUSTOM_CERTS=false -if [[ -f $CLIENT_CERT_LOCATON && -f $CLIENT_KEY_LOCATON ]]; then +if [[ -z $TCPS_CERTS_LOCATION ]]; then + CUSTOM_CERTS=false +else CUSTOM_CERTS=true + # Client Cert location + CLIENT_CERT_LOCATON="${TCPS_CERTS_LOCATION}"/cert.crt # certificate file + + # Client key location + CLIENT_KEY_LOCATON="${TCPS_CERTS_LOCATION}"/client.key # client key fi # Disable TCPS control flow