Support for TLS connection to database with certificate

[fredhaug]

Hi!

We have a database that can only be reached over TLS with a certificate, but it does not seem that there are any configuration options to enable this. Any ideas?

[Yannig]

This exporter use the following lib to connect Oracle: github.com/mattn/go-oci8

Maybe you can have a look at this location to know how to do it.

PR are welcome.

[Yannig]

I think, the driver support wallet. You can have a look right here:
mattn/go-oci8#360 (comment)

[daveram]

Can confirm this exporter works with TLS, using oracle wallet configured externally as part of the oracle client. We're using it for all of our databases

[Yannig]

@daveram Can you confirm that the following instructions are good enough?

$ export WALLET_PATH=/wallet/path/to/use
$ export TNS_ENTRY=tns_entry
$ export DB_USERNAME=db_username
$ export TNS_ADMIN=/tns/admin/path/to/use
# Create wallet
$ mkstore -wrl $WALLET_PATH -create
$ mkstore -wrl $WALLET_PATH -createCredential $TNS_ENTRY $DB_USERNAME
# Update sqlnet.ora
$ echo "
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $WALLET_PATH )))
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
" >> $TNS_ADMIN/sqlnet.ora

[daveram]

Looks good, couple differences in what I have

• In our scenario we actually use client auth so we haven't disabled SSL_CLIENT_AUTHENTICATION, suspect that leaving this enabled will also be the default for most folks trying to use this in prod environments
• I used orapki instead of mkstore but the results are the same

One thing I should also comment on, I was really looking forward to using Easyconnect Plus with Oracle 19c where you don't have to do all the TNS and sqlnet bits, just setting DATA_SOURCE_NAME to
"username/password@tcps://dbhostname:port/service?ssl_server_dn_match=false&wallet_location=wallet_path" but I couldn't get it to work. Worked fine for sqlplus but I think the double-quoting required to make this fit into an environment variable wasn't happy. Tried variations on it including the old-fashioned triple-quote but no luck, always came back with "Unable to connect to oracle:ORA-29003: SSL transport detected mismatched server certificate."

More details on easyconnect plus here with the samples I was pulling from
https://docs.oracle.com/en/database/oracle/oracle-database/19/netag/configuring-naming-methods.html#GUID-36F3A17D-843C-490A-8A23-FB0FE005F8E8

[Yannig]

Documentation now in README.

[DharmeshVyas-oracle]

Can confirm this exporter works with TLS, using oracle wallet configured externally as part of the oracle client. We're using it for all of our databases

Can you please provide more information on how you are using the oracledb_exporter with SSL ?
I am facing issue connecting to my ATP database using oracledb_exporter --> #406 .
Any help will be highly appreciated.