Oracle.ManagedDataAccess to AWS RDS DB - TCPS: Invalid SSL Wallet (Magic)

Question

I am trying to connect to a Amazon RDS instance via the Oracle.ManagedDataAccess Nuget package using a SSL certificate.

I can connect successfully via SQL*Plus using a wallet generated using orapki. Wallet generated by following the AWS instructions

I want do the same via Oracle.ManagedDataAccessin C# and I am trying to use the same wallet.

My C# looks like this:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Oracle.ManagedDataAccess.Client;

namespace OracleDataAccess
{
    class Program
    {
        static void Main(string[] args)
        {
            var connectionString = @"USER ID=***;PASSWORD=***;DATA SOURCE=(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = ***) (PORT = 2484)))(CONNECT_DATA = (SID = ***))   (SECURITY = (SSL_SERVER_CERT_DN = C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=***)))";
            var connection = new OracleConnection(connectionString);
            connection.Open();
        }
    }
}

My app.config has the location to my wallet:

<oracle.manageddataaccess.client>
    <version number="*">
      <settings>
        <setting name = "WALLET_LOCATION" value="(SOURCE=(METHOD =FILE)(METHOD_DATA=(DIRECTORY=C:\ssl_wallet))) "/>
      </settings>
    </version>
</oracle.manageddataaccess.client>

I get an OracleException on Open():

Oracle.ManagedDataAccess.Client.OracleException: 'Network Transport: SSL failure in parsing wallet location'

With an inner exception:

TCPS: Invalid SSL Wallet (Magic)

It definitely finds and can access the wallet file because if you change the location to something invalid you get a different inner exception e.g.:

DirectoryNotFoundException: Could not find a part of the path 'C:\ssl_wallet2\cwallet.sso'.

I can't find anything obvious to suggest why that wallet should be invalid as it has been used by SQL*Plus to connect to the same server successfully.

Invalid SSL Wallet (Magic) doesn't yield anything relevant that I can find. Is there anything that I am missing in this approach?

Edit:

Your stacktrace may contain:

at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags) at OracleInternal.Network.TcpsTransportAdapter.Negotiate(ConnectionOption conOption) at OracleInternal.Network.OracleCommunication.DoConnect(String tnsDescriptor) at OracleInternal.Network.OracleCommunication.Connect(String tnsDescriptor, Boolean doNAHandshake, String IName, ConnectionOption CO) at OracleInternal.ServiceObjects.OracleConnectionImpl.Connect(ConnectionString cs, Boolean bOpenEndUserSession, OracleConnection connRefForCriteria, String instanceName)System.ArgumentException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089Array may not be empty or null. Parameter name: rawData at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags) at OracleInternal.Network.TcpsTransportAdapter.Negotiate(ConnectionOption conOption

What happens if you try and install the Certificate (for the RDS server) into the Windows Store, and not do it via a config file? — askrich, Sep 07 '18 at 10:52

score 2 · Answer 1 · answered Sep 07 '18 at 11:04

Turns out that the wallet file generated by orapki isn't appropriate here.

The solution is to use the Windows Certificate Store instead to hold the RDS Certificate Authority instead.

In this case you download the PKCS7 file for RDS from AWS and import that into your Trusted Root Certification Authorities in Windows.

Then you change your app.config to set your wallet location to be the Microsoft Certificate Store like this:

<oracle.manageddataaccess.client>
    <version number="*">
      <settings>
        <setting name = "WALLET_LOCATION" value="(SOURCE=(METHOD =MCS)) "/>
      </settings>
    </version>
</oracle.manageddataaccess.client>

And then everything works as expected.

Related: https://stackoverflow.com/questions/44639641/ssl-wallet-error-trying-to-access-oracle-db-from-ssrs/58315159 — Jeremy Thompson, Oct 10 '19 at 03:45

Oracle.ManagedDataAccess to AWS RDS DB - TCPS: Invalid SSL Wallet (Magic)

1 Answers1

Linked