Using Oracle/IAS with PKI

Oracle IAS is a rebranded version of Apache with some PL/SQL modules. Oracle implements secure connections via SSL using the standard Apache module, mod_ssl. In addition to securing the connection with SSL, this module can be configured to authenticate clients via certificates.

The first step in implementing certificate authentication with a web server for Oracle is to set up the web server as described in the "Server Setup" section of the document Web Page Access Control Using PKI.

Once that is done, the configuration file for the PL/SQL module must be modified so that it passes the appropriate authentication environment variables along.

Modify $ORACLE_HOME/Apache/modplsql/cfg/wdbsvr.app

Add the following line (or join with a currently existing cgi_env_list):
cgi_env_list = SSL_CLIENT_S_DN_CN,SSL_CLIENT_S_DN_O,SSL_CLIENT_S_DN_OU,SSL_CLIENT_VERIFY,REMOTE_PORT

PL/SQL code to authenticate a user via SSL.

Once the server has been configured for SSL, PL/SQL code similar to the code below can be used to verify whether a certificate exchange has occurred by checking the CGI environment variables. At Dartmouth, we check the DN in the cert to get the user's canonical name, and then get the O field to use it as a Kerberos-style "Realm."
-- ssl_client_verify, dnd_name and realm are VARCHAR2 variables declared by the enclosing procedure
ssl_client_verify := OWA_UTIL.GET_CGI_ENV('SSL_CLIENT_VERIFY');

if ssl_client_verify = 'SUCCESS' then
	dnd_name := OWA_UTIL.GET_CGI_ENV('SSL_CLIENT_S_DN_CN'); -- cert common name
	realm := OWA_UTIL.GET_CGI_ENV('SSL_CLIENT_S_DN_O'); -- cert organization (O field), used as the realm; not an actual Kerberos realm
end if;
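
The check above, wrapped as a function that fails closed. This is an added example, not code from the original page or the PKI Lab. The names pki_principal, pki_whoami and p_expected_org, the 'Example Org' value, and the extra test of the O field against an expected organization are assumptions made for illustration.

```plsql
-- Added example (hypothetical names): fail-closed lookup of the certificate identity.
create or replace function pki_principal (
	p_expected_org in varchar2  -- assumption: the O value your CA puts in user certs
) return varchar2
is
	ssl_client_verify varchar2(256);
	dnd_name          varchar2(256);
	realm             varchar2(256);
begin
	ssl_client_verify := OWA_UTIL.GET_CGI_ENV('SSL_CLIENT_VERIFY');

	-- mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:reason. NULL means the
	-- variable is absent (not listed in cgi_env_list, or a non-SSL request).
	-- The "is null" test is required: NULL <> 'SUCCESS' evaluates to NULL,
	-- not TRUE, so without it a missing variable would fall through.
	if ssl_client_verify is null or ssl_client_verify <> 'SUCCESS' then
		return null;
	end if;

	dnd_name := OWA_UTIL.GET_CGI_ENV('SSL_CLIENT_S_DN_CN'); -- cert common name
	realm    := OWA_UTIL.GET_CGI_ENV('SSL_CLIENT_S_DN_O');  -- cert organization

	-- A verified certificate with an empty CN or an unexpected O is not a
	-- user we know how to name, so treat it as unauthenticated.
	if dnd_name is null or realm is null or realm <> p_expected_org then
		return null;
	end if;

	return dnd_name || '@' || realm;  -- Kerberos-style name@Realm
end pki_principal;
/

-- Hypothetical page procedure: refuse the request unless a principal was derived.
create or replace procedure pki_whoami
is
	principal varchar2(520);
begin
	principal := pki_principal('Example Org');  -- constructed sample value
	if principal is null then
		OWA_UTIL.STATUS_LINE(403, 'Forbidden', false);
		OWA_UTIL.MIME_HEADER('text/plain', true);
		HTP.P('A verified client certificate is required.');
		return;
	end if;
	OWA_UTIL.MIME_HEADER('text/plain', true);
	HTP.P('Authenticated as ' || principal);
end pki_whoami;
/
```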

Known Issues

Some distributions of IAS do not have the Makefile that is needed for the creation of the links to make mod_ssl work properly. Just copy the Makefile from another installation of mod_ssl, and edit the path pointing to OpenSSL.

Dartmouth College PKI Lab
Last update: 17 June 2003