I need help creating an encrypted listener for my 11gR2 database using a wallet and SHA1 encryption

We are using 11.2.0.4. Since Oracle connections are not encrypted by default and our application accesses personally identifiable (PII) data, we are required to go to an encrypted listener. I am having trouble making it work. We are also using Transparent Data Encryption (TDE). Do you have any suggestions about what I am doing wrong? I have the output from my connection, the listener log file and the trace file below.

Connection output:

@ > connect connect system/pwd@MYAPP
ERROR:
ORA-29080: Message 29080 not found;  product=RDBMS; facility=ORA

Listener log:

<msg time='2018-12-14T11:10:03.640-05:00' org_id='oracle' comp_id='tnslsnr'
 type='UNKNOWN' level='16' host_id='MYORACLEVM101.corp.com'
 host_addr='10.1.3.209'>
 <txt>14-DEC-2018 11:10:03 * &lt;unknown connect data&gt; * 12561
 </txt>
</msg>
<msg time='2018-12-14T11:10:03.641-05:00' org_id='oracle' comp_id='tnslsnr'
 type='UNKNOWN' level='16' host_id='MYORACLEVM101.corp.com'
 host_addr='10.1.3.209'>
 <txt>TNS-12561: TNS:unknown error
 </txt>
</msg>

Trace file:

2018-12-14 17:11:54.058558 : nstoSetupTimeout:ATO enabled for ctx=0x0x17848c0, val=60000(millisecs)
2018-12-14 17:11:54.059097 : nstoUpdateActive:Active timeout is 0 (see nstotyp)
2018-12-14 17:11:54.059407 : nsopen:opening transport...
2018-12-14 17:11:54.059718 : nttcnp:getting sockname
2018-12-14 17:11:54.060053 : nttcnp:getting peername
2018-12-14 17:11:54.060355 : nttcnr:waiting to accept a connection.
2018-12-14 17:11:54.060645 : nttcnr:getting sockname
2018-12-14 17:11:54.060965 : nttcnr:connected on ipaddr 10.1.3.209
2018-12-14 17:11:54.061271 : nttvlser:valid node check on incoming node 10.1.3.209
2018-12-14 17:11:54.061570 : nttvlser:Accepted Entry: 10.1.3.209
2018-12-14 17:11:54.061885 : nttcon:set TCP_NODELAY on 14
2018-12-14 17:11:54.062184 : ntzAllocate:allocating 304 bytes of memory.
2018-12-14 17:11:54.062511 : nsopen:transport is open
2018-12-14 17:11:54.062818 : ntzcontrol:Command = 1125
2018-12-14 17:11:54.063107 : ntzcontrol:negotiated cipher retrieval failed with error 29031
2018-12-14 17:11:54.063459 : nsnainit:inf->nsinfflg[0]: 0xd inf->nsinfflg[1]: 0xd
2018-12-14 17:11:54.063765 : nsopen:global context check-in (to slot 4) complete
2018-12-14 17:11:54.064066 : nsanswer:deferring connect attempt; at stage 3
2018-12-14 17:11:54.064403 : ntzcontrol:Command = 1123
2018-12-14 17:11:54.064800 : ntzdosecneg:SSL handshake returned "in progress" status
2018-12-14 17:11:54.065124 : ntzcontrol:Command = 1124
2018-12-14 17:11:54.065439 : nsevdansw:exit
2018-12-14 17:11:54.066212 : ntzcontrol:Command = 1123
2018-12-14 17:11:54.068626 : ntzdosecneg:SSL handshake done
2018-12-14 17:11:54.068925 : nsevdansw:exit
2018-12-14 17:11:54.069517 : nscon:doing connect handshake...
2018-12-14 17:11:54.069861 : ntznzosread:read in 238 bytes
2018-12-14 17:11:54.070152 : ntznzosread:no data remaining to be read from SSL buffer.
2018-12-14 17:11:54.070450 : nscon:got NSPTCN packet
2018-12-14 17:11:54.070746 : nsevdansw:exit
2018-12-14 17:11:54.071044 : ntzcontrol:Command = 3
2018-12-14 17:11:54.071367 : ntzcontrol:Command = 7
2018-12-14 17:11:54.071664 : ntzcontrol:unknown command 7 - calling underlying protocol adapter
2018-12-14 17:11:54.071961 : nscon:sending NSPTRD packet
2018-12-14 17:11:54.072299 : nstimarmed:no timer allocated
2018-12-14 17:11:54.072591 : nstoClearTimeout:ATO disabled for ctx=0x0x17848c0
2018-12-14 17:11:54.072874 : nstoClearTimeout:STO disabled for ctx=0x0x17848c0
2018-12-14 17:11:54.073156 : nstoClearTimeout:RTO disabled for ctx=0x0x17848c0
2018-12-14 17:11:54.073450 : nstoClearTimeout:PITO disabled for ctx=0x0x17848c0
2018-12-14 17:11:54.073733 : nstoUpdateActive:Active timeout is -1 (see nstotyp)
2018-12-14 17:11:54.074015 : ntzcontrol:Command = 14
2018-12-14 17:11:54.074307 : ntzcontrol:Command = 15
2018-12-14 17:11:54.074615 : nsclose:closing transport
2018-12-14 17:11:54.074929 : nsclose:global context check-out (from slot 4) complete
2018-12-14 17:11:54.075237 : nsgldissolve:Deallocating cxd 0x1784220.
2018-12-14 17:11:54.075793 : nstoSetupTimeout:ATO enabled for ctx=0x0x17848c0, val=60000(millisecs)
2018-12-14 17:11:54.076090 : nstoUpdateActive:Active timeout is 0 (see nstotyp)
2018-12-14 17:11:54.076394 : nsopen:opening transport...
2018-12-14 17:11:54.076709 : nsopen:transport is open
2018-12-14 17:11:54.077031 : nsnainit:inf->nsinfflg[0]: 0xd inf->nsinfflg[1]: 0xd
2018-12-14 17:11:54.077348 : nsopen:global context check-in (to slot 4) complete
2018-12-14 17:11:54.077647 : nsanswer:deferring connect attempt; at stage 5
2018-12-14 17:11:54.077951 : nscon:doing connect handshake...
2018-12-14 17:11:54.078255 : nscon:got NSPTCN packet
2018-12-14 17:11:54.078547 : nsevdansw:exit
2018-12-14 17:11:54.078865 : nscon:sending NSPTAC packet
2018-12-14 17:11:54.079158 : nscon:connect handshake is complete
2018-12-14 17:11:54.079463 : nscon:nsctxinf[0]=0xd, [1]=0xc
2018-12-14 17:11:54.079823 : nsevdansw:exit
2018-12-14 17:11:54.080151 : nsrdr:got NSPTMK packet
2018-12-14 17:11:54.080460 : nsglauthorized:Authenticated user: 504
2018-12-14 17:11:54.080749 : nstoClearTimeout:ATO disabled for ctx=0x0x17848c0
2018-12-14 17:11:54.081033 : nstoUpdateActive:Active timeout is -1 (see nstotyp)
2018-12-14 17:11:54.081326 : nstoControlATO:ATO disabled for ctx=0x0x17848c0
2018-12-14 17:11:54.081644 : nsgcsss:ons_subscriber_status=1
2018-12-14 17:11:54.083110 : nsdo:632 bytes to NS buffer
2018-12-14 17:11:54.083437 : nsdo:466 bytes to NS buffer
2018-12-14 17:11:54.083735 : nstimarmed:no timer allocated
2018-12-14 17:11:54.084031 : nsclose:closing transport
2018-12-14 17:11:54.084342 : nsclose:global context check-out (from slot 4) complete
2018-12-14 17:11:54.084648 : nsgldissolve:Deallocating cxd 0x1784220.

I created the wallet as such:

orapki wallet create -wallet "${WALLET_DIRECTORY}" -pwd "${LSNRPWD}" -auto_login
orapki wallet add -wallet "${WALLET_DIRECTORY}" -pwd "${LSNRPWD}" -dn "CN=hostname,OU=EM,O=Organization,L=City,ST=State,C=US" -self_signed -keysize 2048 -sign_alg sha256 -validity 730
orapki wallet display -wallet "${WALLET_DIRECTORY}" -pwd "${LSNRPWD}"
orapki wallet export -wallet "${WALLET_DIRECTORY}" -pwd "${LSNRPWD}" -dn "CN=hostname,OU=EM,O=Organization,L=City,ST=State,C=US" -cert ${WALLET_DIRECTORY}/hostname-${CURR_TIME}-certificate.crt

my listener.ora file:

MYAPP_encrypted_listener_11gR2 =
  (DESCRIPTION =
    (address_list =
      (address = (protocol = tcps)(host = MYORACLEVM101.corp.com)(port = 1520))
    )
  )

SID_LIST_MYAPP_encrypted_listener_11gR2 =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = MYAPP)
      (ORACLE_HOME = /home/oracle/app/product/11.2.0.4)
      (SID_NAME = MYAPP)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = DB12C)
      (ORACLE_HOME = /home/oracle/app/product/12.2.0.1)
      (SID_NAME = DB12C)
    )
  )

ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/admin/admin/MYAPP/wallet)
    )
  )

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/admin/wallet/11g_encrypted_listener)
    )
  )

# ADR_BASE_LISTENER = /home/oracle/app
INBOUND_CONNECT_TIMEOUT_LISTENER = 180
# ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON

ACCEPT_SHA1_CERTS=TRUE
ACCEPT_MD5_CERTS=TRUE
# ADD_SSLV3_TO_DEFAULT=TRUE
SSL_VERSION=1.0

DIAG_ADR_ENABLED_MYAPP_encrypted_listener_11gR2=on
TRACE_LEVEL_MYAPP_encrypted_listener_11gR2=ADMIN
TRACE_TIMESTAMP_MYAPP_encrypted_listener_11gR2=true
LOG_DIRECTORY_MYAPP_encrypted_listener_11gR2=/home/oracle/app

# This parameter should be false as the listener is not going to authenticate the clients.
# It is the server process that authenticates the clients.
SSL_CLIENT_AUTHENTICATION=FALSE

My SQLNET.ora file:

TCP.VALIDNODE_CHECKING=NO
ADMIN_RESTRICTIONS_LISTENER = ON
REMOTE_OS_AUTHENT = FALSE

ACCEPT_SHA1_CERTS = TRUE
ACCEPT_MD5_CERTS = TRUE
# ADD_SSLV3_TO_DEFAULT = TRUE
SSL_VERSION = 1.0

SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
# sqlnet.authentication_required = FALSE
# sqlnet.fallback_authentication = TRUE

NAMES.DIRECTORY_PATH = (TNSNAMES)
SSL_CLIENT_AUTHENTICATION = FALSE

ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/admin/admin/MYAPP/wallet)
    )
  )

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/admin/wallet/11g_encrypted_listener)
    )
  )

ADR_BASE = /home/oracle/app

# TNSPING.TRACE_LEVEL = ADMIN
# TNSPING.TRACE_DIRECTORY = /home/oracle/app/product/12.2.0.1/network/admin/new_listener/trace_dir

My TNSNAMES.ora file:

MYAPP_ENCRYPTED =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = MYORACLEVM101.corp.com)(PORT = 1520))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = MYAPP)
    )
  )


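A small triage script for the material in this post, added here as an example and not something the poster wrote: it pulls the TNS/ORA codes out of the XML listener log, summarises the TLS ("ntz") and Oracle Net ("ns") steps of the sqlnet trace, and flags the sqlnet.ora settings that weaken the TLS configuration. The log, trace and sqlnet.ora excerpts embedded in it are constructed from the excerpts above, not the complete files. The NSPT* names are Oracle Net's packet types (NSPTCN connect, NSPTAC accept, NSPTRD redirect, NSPTRF refuse); the weak-setting table reflects RFC 8996 (TLS 1.0 and 1.1 deprecated) and the known weakness of MD5 and SHA-1 certificate signatures, and is not an Oracle support statement about 11.2.0.4.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpts modelled on the post: the listener's XML log (log.xml under
# the ADR base), a slice of the sqlnet trace, and the TLS lines of sqlnet.ora.
LISTENER_LOG = """<msg time='2018-12-14T11:10:03.640-05:00' org_id='oracle' comp_id='tnslsnr'
 type='UNKNOWN' level='16' host_id='MYORACLEVM101.corp.com' host_addr='10.1.3.209'>
 <txt>14-DEC-2018 11:10:03 * &lt;unknown connect data&gt; * 12561
 </txt>
</msg>
<msg time='2018-12-14T11:10:03.641-05:00' org_id='oracle' comp_id='tnslsnr'
 type='UNKNOWN' level='16' host_id='MYORACLEVM101.corp.com' host_addr='10.1.3.209'>
 <txt>TNS-12561: TNS:unknown error
 </txt>
</msg>
"""

SQLNET_TRACE = """2018-12-14 17:11:54.062818 : ntzcontrol:Command = 1125
2018-12-14 17:11:54.063107 : ntzcontrol:negotiated cipher retrieval failed with error 29031
2018-12-14 17:11:54.064800 : ntzdosecneg:SSL handshake returned "in progress" status
2018-12-14 17:11:54.068626 : ntzdosecneg:SSL handshake done
2018-12-14 17:11:54.069517 : nscon:doing connect handshake...
2018-12-14 17:11:54.070450 : nscon:got NSPTCN packet
2018-12-14 17:11:54.071961 : nscon:sending NSPTRD packet
2018-12-14 17:11:54.074615 : nsclose:closing transport
"""

SQLNET_ORA = """ACCEPT_SHA1_CERTS = TRUE
ACCEPT_MD5_CERTS = TRUE
# ADD_SSLV3_TO_DEFAULT = TRUE
SSL_VERSION = 1.0
SSL_CLIENT_AUTHENTICATION = FALSE
"""

ERROR_CODE = re.compile(r"\b(TNS|ORA)-(\d{4,5})\b")
BARE_CODE = re.compile(r"\*\s*(\d{5})\s*$")  # listener summary lines end in "* <code>"
TRACE_LINE = re.compile(r"^(\S+ \S+) : (\w+):(.*)$")

# (parameter, value) pairs that weaken the TLS listener; values are compared upper-cased
WEAK = {
    ("SSL_VERSION", "1.0"): "pins TLS 1.0, deprecated by RFC 8996",
    ("SSL_VERSION", "1.1"): "pins TLS 1.1, deprecated by RFC 8996",
    ("SSL_VERSION", "3.0"): "allows SSL 3.0",
    ("ACCEPT_SHA1_CERTS", "TRUE"): "accepts SHA-1 signed certificates",
    ("ACCEPT_MD5_CERTS", "TRUE"): "accepts MD5 signed certificates",
}


def listener_errors(xml_text):
    """Return [(timestamp, code, text)] for every <msg> carrying an error code.
    log.xml has no single root element, so the fragment is wrapped before parsing."""
    root = ET.fromstring("<log>" + xml_text + "</log>")
    found = []
    for msg in root.iter("msg"):
        txt = (msg.findtext("txt") or "").strip()
        m = ERROR_CODE.search(txt)
        if m:
            found.append((msg.get("time"), f"{m.group(1)}-{m.group(2)}", txt))
            continue
        m = BARE_CODE.search(txt)
        if m:
            found.append((msg.get("time"), m.group(1), txt))
    return found


def ssl_negotiation(trace_text):
    """Summarise one sqlnet trace: did the TLS handshake (ntzdosecneg) complete, which
    error codes the ntz layer logged, and which NS packets nscon saw afterwards."""
    summary = {"handshake_done": False, "ntz_errors": [], "ns_packets": []}
    for line in trace_text.splitlines():
        m = TRACE_LINE.match(line)
        if not m:
            continue
        _ts, func, detail = m.groups()
        if func == "ntzdosecneg" and "handshake done" in detail:
            summary["handshake_done"] = True
        elif func.startswith("ntz"):
            err = re.search(r"error (\d+)", detail)
            if err:
                summary["ntz_errors"].append(int(err.group(1)))
        elif func == "nscon":
            pkt = re.search(r"(NSPT[A-Z]{2})", detail)
            if pkt:
                summary["ns_packets"].append(pkt.group(1))
    return summary


def lint_sqlnet(text):
    """Flag weak TLS settings in plain KEY = VALUE lines; comments and nested (...)
    blocks such as WALLET_LOCATION are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line or "(" in line:
            continue
        key, value = (part.strip().upper() for part in line.split("=", 1))
        if (key, value) in WEAK:
            findings.append(f"{key} = {value}: {WEAK[(key, value)]}")
    return findings


if __name__ == "__main__":
    for ts, code, txt in listener_errors(LISTENER_LOG):
        print(ts, code, "|", txt)
    print(ssl_negotiation(SQLNET_TRACE))
    for finding in lint_sqlnet(SQLNET_ORA):
        print("WEAK:", finding)
```

On the trace slice above it reports the handshake as done, error 29031 from the ntz layer, and the listener answering the client's NSPTCN with a redirect (NSPTRD) before the transport closes; it only structures the trace and does not identify the cause, which the post leaves open. The lint reports the three settings (TLS 1.0, SHA-1 and MD5 certificates) that a reviewer would ask about once the connection works.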
I made a minimalist webapp for public-key encryption. How can these problems with its UI/UX be addressed?

chausies.xyz/encrypt

I probably don’t know the first thing about UI design, so I wanted to get some more expert input. Forgive me if this is an inappropriate question to ask here.

Half of my feedback has people praising the minimal design of the app, and how it’s simple without a hundred options overwhelming them. They use the site quickly and easily without a hitch. The other half of the feedback is people just saying “the UI is shit”, with no one giving anything concrete I could change or fix. So does anyone have any idea about what these people find “shit” about the UI?

Also, one problem in particular that has come up too often is they use the webapp wrong and get confused, even though the exact 3 uses are written explicitly at the top in simple language as the first thing. For example, users will enter both a Password and a Message (probably expecting the Message to be encrypted with the password as the key), but that’s not one of the uses of the app written right at the top. How can I make it any more obvious how to use the app? I’d very much like to avoid making separate tabs for the 3 uses, to keep the app minimal and simple, but am I just wrong to have that sentiment?

Finally, the idea was that the site could be understood and used by a complete layman unaware of cryptography, but seen by a crypto expert and quickly found to be legit. So my last three questions are:

  1. Is the language simple and intuitive enough to be grasped by a layman? If not, how could I improve it? One of the big things you’ll notice I did was to call a public key an ID, a term much more familiar to people.
  2. Is the CAUTION placed optimally? And should it be made more concise?
  3. Is the security jargon placed optimally? The big points I tried to place at the top so even the laymen can feel secure seeing it (the webapp uses only client-side JavaScript, doesn’t interact with any server, and runs perfectly offline). The more technical points that I felt were still necessary to put in a crypto expert’s face, I put at the bottom (the website is fully open source, served by GitHub, and the files are guaranteed to be delivered via TLS from the GitHub repo for the webapp). Finally, the actual in-depth security overview is linked to as a separate webpage, in case a crypto expert wishes to see that. Is this done alright? Is it too much/overwhelming the simplicity of the main webapp?

Lastly, if there are any general pointers about the overall look of the website, and how to make it more pleasant to look at (if that’s what it needs), that would be welcome.

First encryption program

This is the first piece of code that I write that’s not just an exercise but a full program I can actually run.

Features:

  • Generate random letter/number pairs for each “printable” ASCII character
  • Save those pairs in a pickle file
  • Encode/decode any string based on that
  • Basic user interface

I would greatly appreciate any advice, feedback or comments you can give me on it, as I've been learning programming by myself for a couple of months now. Did I structure it right? Is it how a program is supposed to be put together? Is it commented well and enough?

Also, I realize it’s probably a weird way of encrypting anything and there’s surely a better/safer/easier way to do encryption but it was mostly an excuse to write the program.

from string import printable, ascii_lowercase, ascii_uppercase
import pickle
import random
import time

CODE_FILE = "code.p"


def generate_code():
    """Assign a distinct random number to each printable ASCII character.

    Returns a list of (character, number) tuples. The numbers are drawn without
    replacement so that every number maps back to exactly one character.
    """
    characters = printable
    numbers = random.sample(range(len(characters) + 1000), len(characters))
    return list(zip(characters, numbers))


def encode(string, code):
    """Replace each character with its code number, separated by random lowercase
    letters, then scatter random uppercase letters through the result as noise."""
    number_for = dict(code)  # character -> number
    coded = []
    for character in string:
        if character not in number_for:
            continue  # characters without a code are dropped
        coded.append(str(number_for[character]))
        # random lowercase letters separate one number from the next
        coded.append(''.join(random.sample(ascii_lowercase, random.randint(2, 6))))
    if coded:  # randrange(0) would raise on an empty string
        for _ in range(random.randrange(len(string))):
            coded.insert(random.randrange(len(coded)),
                         ''.join(random.sample(ascii_uppercase, random.randint(1, 3))))
    return ''.join(coded)


def decode(string, code):
    """Pull the digit runs back out of an encoded string and map each number to its
    character. Letters are ignored; a number not in the code gives "No Match found"."""
    letter_for = {number: letter for letter, number in code}
    decoded = []
    digits = ''
    for item in string + ' ':  # the trailing space flushes the last number
        if item.isdigit():
            digits += item
        elif digits:
            decoded.append(letter_for.get(int(digits), "No Match found"))
            digits = ''
    return ''.join(decoded)


def save_code(code):
    with open(CODE_FILE, "wb") as f:
        pickle.dump(code, f)


def load_code():
    """Return the saved code, or None if there is no saved file.

    pickle rebuilds whatever objects the file describes, including code that runs
    on load, so only load a file this program wrote itself.
    """
    try:
        with open(CODE_FILE, "rb") as f:
            return pickle.load(f)
    except FileNotFoundError:
        print("No saved code found.")
        return None


def choose_code():
    """Code selection menu: reuse the saved code or generate a new one."""
    while True:
        print("Please select an option:")
        print("1: Use saved code")
        print("2: Use new code and overwrite saved code")
        print("3: Use new code and keep saved code")
        prompt = input(">")
        if prompt == "1":
            return load_code() or generate_code()
        if prompt == "2":
            code = generate_code()
            save_code(code)
            return code
        if prompt == "3":
            return generate_code()
        print("This option is not available")  # was a bare string, so never shown


def wants_to_quit():
    """Asked after a 'No': Enter exits, anything else continues."""
    print("Press Enter to exit or type in anything to continue:")
    if input(">") == '':
        print("Thank you for using the program, good bye!")
        time.sleep(2)
        return True
    return False


def main():
    print("Welcome to my encryption program!")
    code = choose_code()

    while True:  # main loop: offer to encode, then to decode
        print("Would you like to encrypt a phrase?(Y/N)")
        if input(">") in ("N", "no", "No", "n"):
            if wants_to_quit():
                break
        else:
            phrase = input("Enter your text here :\n>")
            print(f"\nHere is your code : {encode(phrase, code)}\n")

        print("Would you like to decrypt a phrase?(Y/N)")
        if input(">") in ("N", "no", "No", "n"):
            if wants_to_quit():
                break
        else:
            coded_phrase = input("Enter your code here :\n>")
            print(f"\nHere is your original text: {decode(coded_phrase, code)}\n")
            time.sleep(1)
            input("Press Enter to continue")
            print("\n")


if __name__ == '__main__':
    main()
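The "better/safer" way the last paragraph alludes to, as an added example that is not part of the posted program: a key derived from a password with PBKDF2, a keystream generated by HMAC-SHA256 in counter mode, and an HMAC tag over the whole message that is checked in constant time before anything is decrypted (encrypt-then-MAC). It uses only the standard library; since the stdlib has no AES, the HMAC-CTR keystream stands in for a real cipher here, and in production one would reach for AES-GCM or ChaCha20-Poly1305 from a maintained library such as `cryptography`. The password, message and iteration count in the usage block are made up for the demonstration.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
ITERATIONS = 100_000  # illustrative; tune upward for real use


def derive_keys(password, salt):
    """Stretch the password with PBKDF2-HMAC-SHA256 and split the output into an
    encryption key and a separate MAC key (never reuse one key for both)."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256(key, nonce || counter) concatenated and truncated to `length` bytes.
    A fresh nonce per message guarantees the stream is never reused."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password, plaintext):
    """Return salt || nonce || ciphertext || tag as bytes."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    data = plaintext.encode()
    ciphertext = bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(password, blob):
    """Verify the tag first; only an authentic message is ever decrypted."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("authentication failed: wrong password or modified data")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return plaintext.decode()


if __name__ == "__main__":
    blob = encrypt("correct horse battery staple", "Meet at noon")
    print(blob.hex())
    print(decrypt("correct horse battery staple", blob))
    try:
        decrypt("wrong password", blob)
    except ValueError as exc:
        print("rejected:", exc)
```

Compared with the substitution table: the same message encrypts differently every time because the salt and nonce are fresh, nothing secret is written to disk (so the pickle file goes away), and a one-bit change to the ciphertext or a wrong password is rejected before any plaintext is produced instead of yielding "No Match found".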