Vault Oracle tcps connection failed with error certificate validation error

We face a blocker: we can connect to the Oracle DB with TLS using the sqlplus command from the Vault server, but with the same connection parameters, we fail to connect, with a certificate validation failed error.

Below is the version information:
 HashiCorp Vault v1.13.2
 Instant client v19.19
 Sqlplus v19.19
 Oracle v19.17.0.0.0
 Vault Oracle plugin v0.8.2

Here is the sqlplus command which succeeds in connecting to our Oracle server:

sqlplus @(description=(address=(protocol=tcps)(host= )(port=1522))(connect_data=(server=dedicated)(service_name=)))

We also define a TNS_ADMIN env variable which points to a folder containing an ora file with the content below; the file is owned by the Vault launch user with 600 permission:

$ cat sqlnet.ora
SSL_CLIENT_AUTHENTICATION=FALSE
SSL_VERSION=1.0
WALLET_LOCATION=
  (SOURCE=
    (METHOD=file)
    (METHOD_DATA=(DIRECTORY=/home/npcehvltad0001/tls_cert/tls_cert_nonprod)))

For HashiCorp Vault, we have tried the connection URLs below but still get the same certificate validation failed error.

Actually, we are using another user name and a customized config path to launch the Vault server, so we don’t have this directory (/etc/vault/wallets/) or a vault user.

The connection strings below have been tested with and without the TNS_ADMIN env variable defined:

1. {{username}}/{{password}}@(description=(address=(protocol=tcps)(host= )(port=1522))(connect_data=(server=dedicated)(service_name=)))

   This is exactly the same as the sqlplus one.

2. {{username}}/{{password}}@(description=(address=(protocol=tcps)(host=)(port=1522))(connect_data= (service_name=))(SECURITY=(SSL_SERVER_CERT_DN="CN=ORADB"))(MY_WALLET_DIRECTORY=/home/npcehvltad0001/tls_cert/tls_cert_nonprod/))

3. {{username}}/{{password}}@(description=(address=(protocol=tcps)(host=)(port=1522))(connect_data=(server=dedicated)(service_name=))(SECURITY=(SSL_SERVER_CERT_DN="CN=ORADB"))(MY_WALLET_DIRECTORY=/home/npcehvltad0001/tls_cert/tls_cert_nonprod/))

   Based on item 2, with a more specific option added in the connect_data part.