4
votes

Let me explain what is happening:

  • Database: Oracle 19c
  • Apex: 19.1.0.00.15
  • ORDS standalone is 19.1.0.r0921545

I did the tasks to configure an Apex Social Sign-In to Microsoft AAD almost without any issue:

  • I created the authentication method in Apex.
  • I registered my application and got the web credentials in Azure.
  • I created a wallet in my database with the Microsoft root CA certificates and configured the instance settings to use that wallet.
  • My wallet on the database server has the auto_login property, to avoid using passwords.
  • I created the ACE entries to allow connections to login.microsoftonline.com on port 443.
  • Although it is not important for the purpose of the question itself and the error it is producing, I will just mention that I configured the wallet settings in the internal workspace in order to give the apex applications access to the wallet.

For some weeks the process was working fine; I had a perfect Single Sign-On mechanism for all my apex applications in the different workspaces. However, since a few days ago, I am always getting the same error:

ORA-29024: Certificate validation failure

After some digging I realised that someone has configured a PROXY for outgoing traffic. Before even trying in Apex, I tried in SQL using APEX_WEB_SERVICE.

Request with proxy settings to login.microsoftonline.com

select apex_web_service.make_rest_request(
    p_url         => 'https://login.microsoftonline.com',
    p_http_method => 'GET',
    p_wallet_path => 'file:/home/oracle/wallet',
    p_wallet_pwd => 'MyPassword' ,
    p_proxy_override => 'http://myproxy:myport'
  ) from dual;
ERROR:
ORA-29273: HTTP request failed
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 1035
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1148
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 934
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 1580
ORA-06512: at "APEX_190100.WWV_FLOW_WEBSERVICES_API", line 408
ORA-06512: at line 1

Request without proxy settings, just to see if I can get there

SQL> select apex_web_service.make_rest_request(
  2      p_url         => 'https://login.microsoftonline.com',
  3      p_http_method => 'GET',
  4      p_wallet_path => 'file:/home/oracle/wallet'
  5* ) from dual
SQL> /
ERROR:
ORA-29273: HTTP request failed
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 1035
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1148
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 934
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 1580
ORA-06512: at "APEX_190100.WWV_FLOW_WEBSERVICES_API", line 408
ORA-06512: at line 1

Request to google using Proxy settings

select apex_web_service.make_rest_request(
    p_url         => 'https://google.com',
    p_http_method => 'GET',
    p_wallet_path => 'file:/home/oracle/wallet',
    p_wallet_pwd => 'MyPassword' ,
    p_proxy_override => 'http://myproxy:myport'
  ) from dual ;
ERROR:
ORA-29273: HTTP request failed
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 1035
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1148
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 934
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 1580
ORA-06512: at "APEX_190100.WWV_FLOW_WEBSERVICES_API", line 408
ORA-06512: at line 1

Request to google without proxy settings

SQL> select apex_web_service.make_rest_request(
  2      p_url         => 'https://google.com',
  3      p_http_method => 'GET',
  4      p_wallet_path => 'file:/home/oracle/wallet'
  5* ) from dual
SQL> /
ERROR:
ORA-29273: HTTP request failed
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 1035
ORA-12535: TNS:operation timed out
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1148
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 934
ORA-06512: at "APEX_190100.WWV_FLOW_WEB_SERVICES", line 1580
ORA-06512: at "APEX_190100.WWV_FLOW_WEBSERVICES_API", line 408
ORA-06512: at line 1

My questions are the following:

  • Is it a network problem or a proxy issue regarding inbound/outbound traffic? I can reach Microsoft but not Google on port 443 when I don't specify a proxy.
  • Why am I getting an invalid certificate error when it has nothing to do with the certificates?
  • How can I set up my APEX to use authentication on Azure, or any other provider for that matter, when I have a proxy in the middle?
  • As I use ORDS standalone, am I allowed to keep using it, or do I need a reverse proxy with Tomcat?

I tried to configure the ACE to use HTTP_PROXY on the ports by running

begin
  sys.dbms_network_acl_admin.append_host_ace(
    host        => 'myproxyserver'
   ,lower_port  => 8080
   ,upper_port  => 8080
   ,ace         => xs$ace_type(
      privilege_list     => xs$name_list('http_proxy')
     ,granted            => true
     ,principal_name     => 'MY_PRINCIPAL'
     ,principal_type     => XS_ACL.PTYPE_DB
    )
  );
end;
/

I even granted the ACE privileges over the wallet

SET SERVEROUTPUT ON
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_WALLET_ACE
  (
    WALLET_PATH => 'file:/home/oracle/wallet',
    ACE => XS$ACE_TYPE(
                        PRIVILEGE_LIST => XS$NAME_LIST('use_passwords','use_client_certificates'),
                        PRINCIPAL_NAME => 'MY_PRINCIPAL',
                        PRINCIPAL_TYPE => XS_ACL.PTYPE_DB
                      )
  );
EXCEPTION WHEN OTHERS THEN
  DBMS_OUTPUT.PUT_LINE('Error while configuring ACL for wallet: '|| SQLERRM);
END;
/

but I am still getting the same error all over.

Any help would be appreciated! Thank you


3 Answers

0
votes

I had an issue like this; it seems the Oracle SSL library has some bugs. Finally I implemented some Java source for OJVM, please read my answer here: https://stackoverflow.com/a/60152830/11272044

0
votes

Thank you to all who posted answers, but finally, after struggling for a while, I found the root cause. Actually Oracle was right after all, as Microsoft has changed the way authentication is handled, whether you are using OAuth2 or OpenID, when you use Office 365 and Azure Active Directory.

In this case, my organisation is using Office 365, and at the beginning it was enough to import the PKI certificates from:

https://www.microsoft.com/pki/mscorp/cps/default.htm

After a change done in Azure Active Directory (AAD), you now also need the GlobalSign certificates from office.com.

I hope this clarifies things for other users who ran into the same problem trying to authenticate with Azure Active Directory using Apex Social Sign-In.

You can download the certificates directly from office365.com


After adding the two new certificates to the wallet, you can now get in without issues:

select apex_web_service.make_rest_request(
    p_url         => 'https://login.microsoftonline.com',
    p_http_method => 'GET',
    p_wallet_path => 'file:/home/oracle/wallet' ) from dual ;

APEX_WEB_SERVICE.MAKE_REST_REQUEST(P_URL=>'HTTPS://LOGIN.MICROSOFTONLINE.COM',P_
--------------------------------------------------------------------------------


<!-- Copyright (C) Microsoft Corporation. All rights reserved. -->
<!DOCTYP


SQL>
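The four trials in the question and the fix in this answer boil down to one diagnostic: for each target, with and without the proxy, does the request fail on trust (ORA-29024, the wallet does not contain the CA that anchors the chain the server now presents), on the network path (ORA-12535 timeout, so the host is simply not reachable directly), or on the ACL? The block below is an added example, not code from the question or from any of the answers. It calls UTL_HTTP directly (the same layer APEX_WEB_SERVICE sits on, as the error stack shows), assumes the wallet path and the 'myproxy:myport' placeholder from the question, an auto-login wallet (no password), and the DBA_HOST_ACES / DBA_WALLET_ACES dictionary views (present since 12c). The principal name MY_PRINCIPAL is the question's placeholder as well.

```plsql
-- Added diagnostic (not part of the original thread). Run as a user with
-- EXECUTE on UTL_HTTP and SELECT on the DBA_* views; replace the placeholders.
set serveroutput on size unlimited

-- 1) Which ACEs actually exist for the principal that runs the requests?
--    With a proxy in the path the ACE on the proxy host needs 'http_proxy';
--    without one the target host needs 'http' (or 'connect').
select host, lower_port, upper_port, principal, privilege, grant_type
  from dba_host_aces
 where principal = 'MY_PRINCIPAL'          -- placeholder from the question
 order by host, lower_port;

select wallet_path, principal, privilege, grant_type
  from dba_wallet_aces
 where principal = 'MY_PRINCIPAL';

-- 2) Probe each target directly and through the proxy, classifying the error.
declare
  c_wallet constant varchar2(200) := 'file:/home/oracle/wallet';  -- from the question
  c_proxy  constant varchar2(200) := 'http://myproxy:myport';     -- placeholder from the question

  type t_list is table of varchar2(200);
  l_urls    t_list := t_list('https://login.microsoftonline.com/', 'https://google.com/');
  l_proxies t_list := t_list(c_proxy, null);

  -- Map the nested error stack to the action a defender should take.
  function classify(p_stack varchar2) return varchar2 is
  begin
    return case
      when p_stack like '%ORA-29024%' then
        'TRUST   (chain not anchored in the wallet: add the issuing CA, do not bypass validation)'
      when p_stack like '%ORA-24247%' then
        'ACL     (no ACE grants this principal http/http_proxy on this host:port)'
      when p_stack like '%ORA-12535%' or p_stack like '%ORA-12541%' or p_stack like '%ORA-29261%' then
        'NETWORK (host not reachable on this path; a proxy or firewall rule is in the way)'
      else
        'OTHER   (inspect the full stack)'
    end;
  end classify;

  procedure probe(p_url varchar2, p_proxy varchar2) is
    l_req  utl_http.req;
    l_resp utl_http.resp;
    l_tag  varchar2(400) := p_url ||
             case when p_proxy is null then ' [direct]' else ' [via ' || p_proxy || ']' end;
  begin
    -- Auto-login wallet: no password. The wallet is the trust store; every TLS
    -- peer's chain must end in a CA it contains, which is what ORA-29024 checks.
    utl_http.set_wallet(c_wallet, null);
    -- Assumption: passing NULL clears a proxy set by an earlier iteration.
    utl_http.set_proxy(p_proxy);
    utl_http.set_transfer_timeout(15);
    utl_http.set_response_error_check(false);   -- a 4xx is still a successful TLS handshake

    l_req  := utl_http.begin_request(p_url, 'GET', 'HTTP/1.1');
    l_resp := utl_http.get_response(l_req);
    dbms_output.put_line('OK      ' || l_tag || ' -> HTTP ' || l_resp.status_code);
    utl_http.end_response(l_resp);
  exception
    when others then
      -- format_error_stack carries the nested ORA-29024 / ORA-12535 under ORA-29273,
      -- exactly as in the stacks quoted in the question.
      dbms_output.put_line(classify(dbms_utility.format_error_stack) || ' ' || l_tag);
      dbms_output.put_line('        ' || utl_http.get_detailed_sqlerrm);
  end probe;
begin
  for u in 1 .. l_urls.count loop
    for p in 1 .. l_proxies.count loop
      probe(l_urls(u), l_proxies(p));
    end loop;
  end loop;
end;
/
```

Read the output as a matrix: TRUST on every row means the wallet, not the proxy, is the problem, which is the situation this answer resolved by importing the new intermediate/root certificates. NETWORK only on the direct rows, with OK or TRUST on the proxy rows, confirms that outbound 443 is now forced through the proxy and only the 'http_proxy' ACE on the proxy host plus a correct trust store are needed. An ACL result points at the ACE definitions listed in step 1 rather than at certificates.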
-1
votes

In my understanding, you will need to do the following (in addition to what you did):

  1. Log in to Apex as administrator.
  2. From settings, go to 'Wallet'.
  3. Add the wallet path (absolute path with the prefix 'file://') and the password you used for creating the wallet.

Now, your problem should be solved.