
Comments for UTL_HTTP and SSL (HTTPS) using Oracle Wallets


Tony Reed said...

Hi,
the example will not work on Oracle 12.1

According to Oracle Support only the certificate chain should be imported, not the end site certificate.

I.e. In the example you use, only import these:
Builtin Object Token:GTE CyberTrust Global Root
Akamai Subordinate CA

If the third certificate, *.redhat.com, is imported utl_http throws a Certificate validation failure at you.

Tim... said...

Hi.

Yes. I just did a run through to check and I get the same issue as you. I will amend the article to make sure this is clear.

It works fine with just the chain, not the end entry on 11.2 and 12.1.

Cheers

Tim...

Steve said...

when executing:

SET SERVEROUTPUT ON
EXEC UTL_HTTP.set_wallet('file:/wallet2', 'xxxxxxxxx');
EXEC show_html_from_url('https://gb.redhat.com/');

I get ORA-28759: failure to open file.

any ideas?

Thanks

Tim... said...

Hi.

Either you've done the setup incorrectly, or the DB server doesn't have access to the internet.

Difficult to know with the lack of information presented. If you want me to help, please post a question in the forum on this site.

Cheers

Tim...

Anna Rossi said...

Can you please specify the minimum Oracle DB version which can use this method?

Tim... said...

Hi.

The first sentence says, "Since Oracle 9i Release 2...". :)

Cheers

Tim...

Edward Girard said...

Both links for the "orapki Utility" and "UTL_HTTP" no longer work.

Tim... said...

Hi.

Oracle just love changing their URLs. I've fixed them now. Thanks for the heads up!

Cheers

Tim...

FLAVIO said...

Not working inside a procedure. Only in script.

Tim... said...

Hi.

We use it from procedures all the time. It's probably a permissions thing. Make sure the calling user has all the correct permissions, not via a role. An anonymous block can use permissions from a role. A stored procedure (with invoker rights) cannot. I bet that is your issue.

Cheers

Tim...

Conor said...

Thank you for the great tutorial. Do you know if it's possible to check the expiry date of a cert via pl/sql?

Tim... said...

Hi.

You can check from tools like orapki, so you could shell out, call a tool like that and parse the result. Never seen a native PL/SQL way to do it though.

Cheers

Tim...
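
Added example (not part of the original comments or the article): one way to do the "call a tool and parse the result" check from the shell. It uses openssl instead of orapki and assumes the certificates loaded into the wallet are also kept as PEM files; the function names and the sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Report whether PEM certificates destined for an Oracle wallet are
# close to expiry. openssl stands in for orapki here (assumption).

# cert_status FILE DAYS -> prints INVALID, EXPIRED, EXPIRING or OK
cert_status() {
    file=$1
    days=$2
    # Reject anything openssl cannot parse as an X.509 certificate.
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || { echo "INVALID"; return 0; }
    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"
    elif ! openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING"
    else
        echo "OK"
    fi
}

# cert_enddate FILE -> prints the notAfter timestamp without its label
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# make_sample_cert FILE DAYS -> constructed self-signed cert for the demo
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=constructed.example" >/dev/null 2>&1
}

# Demo: a constructed certificate valid for 10 days, 30-day warning window.
tmp=$(mktemp -d)
make_sample_cert "$tmp/root.pem" 10
for f in "$tmp"/*.pem; do
    printf '%s: %s (notAfter %s)\n' "$f" "$(cert_status "$f" 30)" "$(cert_enddate "$f")"
done
rm -rf "$tmp"
```
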

Peter said...

How to access an HTTPS site which requests a username and password?

Tim... said...

Hi.

I've altered the example to cope with basic authentication, and explained how to deal with digest authentication in a separate section.

Cheers

Tim...

erik said...

In the example of exporting certificates from the browser in order to add them to the wallet (truststore) you only ever need to add the root-CA certificate. That would be the "Baltimore" cert in your example. The server sends the server certificate and any required intermediate CA certificates in the SSL Handshake. The client (UTL_HTTP in this case) only needs to store the root CA certificate.

Tim... said...

Hi.

I've just tested it and you are correct. Has this always been the case? I'm sure in the past I've had issues when the intermediates have been missing...

Cheers

Tim...

Tim... said...

I amended the article and gave you a shout out. :)

Cheers

Tim...

Adam said...

I followed the example with https://gb.redhat.com/ and it worked perfectly. However when I repeated the steps for https://google.co.uk I got ORA-29024: Certificate validation failure. I tried with just the root, and the root plus intermediate, same result.

Tim... said...

Hi.

You must have downloaded and installed the wrong certificates into the wallet. You can't get that error if the certificates are in the wallet and you've opened the wallet correctly in your code.

Cheers

Tim...

Adam said...

I ran through the example again, setting up a new wallet, and it worked flawlessly. I then set up an example using https://amazon.co.uk which worked without issue. However, trying the example with https://google.co.uk results in the same ORA-29024: Certificate validation failure. Amazon and redhat have the same root authority.
Are there issues with some certificate types?

Tim... said...

Hi.

I've never seen that before. Worst case scenario you have multiple wallets, to manage conflicting calls.

Cheers

Tim...

Jason said...

Starting in 11.2 for UTL_HTTP.SET_WALLET, Oracle changed the need for the password in PL/SQL code. From the documentation, "If the wallet is auto-login enabled, the password may be omitted and should be set to NULL."

I have tested this successfully in 12.1 that you only need to send in the path for the wallet with the call
UTL_HTTP.set_wallet('file:/u01/app/oracle/admin/DB11G/wallet');

Tim... said...

Hi.

Thanks for the input. That had passed me by. :) I've amended the article and given you a shout-out.

Cheers

Tim...
