Thanks for the question, Kevin.

Asked: October 19, 2000 - 12:33 pm UTC

Last updated: February 15, 2016 - 12:41 am UTC

Version: 8.1.6

Viewed 10K+ times! This question is

You Asked

Yes. I have Java Server Option.
When I access informations on Web site, they told about Cookie. But I know that Cookie is a view of Client at Server side.
I want to know the solution that process as far as Client of Web Browser.Regards.

Thanks for the reply about UTL_HTTP.
To use a PL/SQL program that is stored in Web Server, I make a another PL/SQL Program.
Through UTL_HTTP.reguest('</code> HTTP://abc.xxx.com/...' <code>, I can contact the Web server successfully. But after that, Web server did not provide any reply. I got NULL response.
I guess this problem as follows:
Because when I issue the URL on Web browser, Web server asked Userid and Password for authentification process. Therefore, when I issue UTL_HTTP, Web server ask the same Authentification process.
I want to ask you that "How to pass the user-name and password on PL/SQL program?"
Thanks.

and Tom said...

grab

</code> http://asktom.oracle.com/~tkyte/utl_http2.tar <code>

you would use install.sql to install it via sqlplus. the OWNER of this code MUST have been granted the javasyspriv in order to run this.

the file utlhttp2.pkh is commented. As well - utlhttp_test.sql has lots of examples.

This is a better utl_http that supports cookies, extended error handling, blobs, clobs, and AUTHENTICATION.

Rating

(40 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

What does this have to do with SSL (the title)?

Michael O'Neill, September 04, 2002 - 10:42 am UTC

I am searching for examples of using utl_http with SSL (https) and this posting didn't relate to SSL. Even the utl_http2 package provided by link did not have any SSL support either.

September 04, 2002 - 3:15 pm UTC

Well, I don't make up the titles -- you guys do. (and given that a search for

utl_http ssl

returns 2 hits -- i seriously doubt you wasted very much time eh?)

They obviously confused SSL with basic authentication....

However -- if you have my book "Expert one on one Oracle" -- I show how to do SSL with UTL_HTTP from step 1 to step N... There are some steps (and believe me, it took a bit of "discovery" to figure it out). I extracted the relevant text here but the screen shots are of course "missing" (motivation to buy the book!)

Using SSL with UTL_HTTP

UTL_HTTP also supports using SSL (Secure Sockets Layer). If you are not familiar with SSL and what it is used for, you can find a brief description at </code> http://www.rsasecurity.com/rsalabs/faq/5-1-2.html

Both the REQUEST and REQUEST_PIECES functions in UTL_HTTP support the retrieval of URLS that are protected by SSL however the documentation on doing so is sparse at best. SSL support is provided by using the last two parameters to the UTL_HTTP.request and UTL_HTTP.request_pieces procedures. These parameters are the wallet_path and wallet_password.

Oracle uses the wallet as a metaphor for how a person stores their security credentials just like you would keep your drivers license and credit cards in your wallet for identification purposes, the Oracle wallet stores the credentials needed by the SSL protocol. The wallet_path is the directory where your wallet is stored on the database server machine. This wallet is password protected to prevent someone from using your credentials. That is the purpose of the wallet_password parameter, it is used to access the wallet. The password prevents people from copying the wallet directory and trying to impersonate you, as they will be unable to open and access the wallet. This is analogous to using a PIN for using an ATM machine. If someone steals your bank card, they need to have your PIN to get to your accounts.

The wallet, or the concept of a wallet is used not only by the Oracle database, but also in Web browsers. The important aspect is that when you connect to a site, e.g., www.amazon.com, how do you know that it is really Amazon.com? You have to get their certificate. Their certificate is digitally signed by someone that someone is called a Certificate Authority or CA. How does my browser or database know to trust the CA that signed that certificate? For example, I could create a certificate for Amazon.com and sign it from hackerAttackers.com. My browser and database should not accept this certificate even though it is a legitimate X.509 certificate.

The answer to this trust issue is the wallet stores a set of trusted certificates. A trusted certificate is a certificate from a CA that you trust. The Oracle wallet comes with some common trusted certificates. You also have the ability to add certificates as necessary. Your browser does the same thing. If you ever connect to a site where your browser does not have the CA in its wallet, you will get a pop-up window that notifies you of this as well as a wizard that allows you to proceed or abort your connection.

Lets see some examples of how to use SSL. First, we need to create a new wallet. You can invoke the owm (Oracle Wallet Manager) program on UNIX, or launch it from the Windows start menu on Windows. The screen you receive to do this will look like this:

All you need to do is click on the green plus icon located on the left hand side of the display. It will prompt you for a password for this wallet you are making up the password at this point so enter whatever password you would like. You may get a warning about a directory not existing at this point if you do, you should simply ignore it. It is the expected behavior if you have never created a wallet before. OWM at this point will ask you:

You do not need to create a certificate request. The certificate request is so you can get a certificate for yourself. This would be used in SSL v.3 where the server needs the identification of the client. Most Web sites do not authenticate users via certificates, but rather username and password. This is because an e-commerce site doesnt care who is buying from them as long as they get the money. But you care that you are sending the money (and credit card information) to the correct entity, so we use SSL v.2 to identify the server e.g., Amazon.com, and to provide all the encryption of data. So, click NO in response to this and save the wallet by clicking on the yellow floppy disk icon and we are ready to go.

Lets go to Amazon.com first. Amazons certificate was signed by Secure Server Certificate Authority, RSA Data Security, Inc. This is one of the defaults in the Oracle wallet.

tkyte@TKYTE816> declare
2 l_output long;
3
4 l_url varchar2(255) default
5 '

https://www.amazon.com/exec/obidos/flex-sign-in/';

  6
  7     l_wallet_path varchar2(255) default
  8           'file:C:\Documents and Settings\Thomas Kyte\ORACLE\WALLETS';
  9
 10
 11  begin
 12    l_output := utl_http.request
 13               ( url             => l_url,
 14                 proxy           => 'www-proxy.us.oracle.com',
 15                 wallet_path     => l_wallet_path,
 16                 wallet_password => 'oracle'
 17               );
 18    dbms_output.put_line(trim(substr(l_output,1,255)));
 19  end;
 20  /



<html>
<head>
<title>Amazon.com Error Page</title>
</head>
<body bgcolor="#FFFFFF"
link="#003399" alink="#FF9933" vlink="#996633" text="#000000">
<a name="top"><!--Top of
Page--></a>
<table border=0 width=100% cellspacing=0 cellpadding=0>
<tr

PL/SQL procedure successfully completed.

What?  An Error Page?  Dont worry, this is accurate - try it in your browser. The reason is that there is no session information being passed. The point is that the connection worked, we just retrieved an SSL protected document.

Lets try another site. How about E*Trade?

tkyte@TKYTE816> declare
  2     l_output long;
  3
  4     l_url varchar2(255) default
  5           '

https://trading.etrade.com/cgi-bin/gx.cgi/AppLogic%2bHome';

  6
  7     l_wallet_path varchar2(255) default
  8           'file:C:\Documents and Settings\Thomas Kyte\ORACLE\WALLETS';
  9
 10
 11  begin
 12    l_output := utl_http.request
 13               ( url             => l_url,
 14                 proxy           => 'www-proxy.us.oracle.com',
 15                 wallet_path     => l_wallet_path,
 16                 wallet_password => 'oracle'
 17               );
 18    dbms_output.put_line(trim(substr(l_output,1,255)));
 19  end;
 20  /
declare
*
ERROR at line 1:
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "SYS.UTL_HTTP", line 174
ORA-06512: at line 12

That apparently does not work. E*Trade has a certificate signed by www.verisign.com/CPS Incorp.by Ref, which is not a default trusted certificate. In order to access this page, well have to add that certificate to our Oracle wallet - assuming of course that we trust Verisign!  Here is the trick. Go to the site (

https://trading.etrade.com/cgi-bin/gx.cgi/AppLogic%2bHome

with Microsoft Internet Explorer. Double-click the lock icon on the bottom right corner of the window. This will pop-up a window that looks similar to this one:

Select the Certification Path tab on the top of this screen. This lists the certificate you are viewing i.e., the one for E*Trade (trading.etrade.com), as well as who issued the certificate. We need to add the person who signed the certificate (the issuer) to our trusted certificates in the Oracle wallet. The issuer is www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD as depicted by the tree-like hierarchy.

Click the View Certificate button while the www.verisign.com/CPS Incorp. by Ref. is highlighted. This shows information for the issuers certificate. Click the Details tab and you should see:

Now we need to Click the Copy to File button. Save the file locally as a Base-64 encoded X.509 (CER) file. The following screen shows the selection you should make, you can name the file anything you choose and save it anywhere. Well be importing it in a moment, just remember where you save it to:

Now we can import this into our Oracle Wallet. Open the wallet in OWM and right click on the Trusted Certificates this will present you with a popup menu that has Import Trusted Certificate:

You will select that option and in the next dialog that comes up, choose Select a file that contains the certificate

Use the standard file open dialog that comes up to choose the certificate you just saved. Your screen should now look something like this:

Now, save the wallet using the yellow floppy disk icon and lets try our example again:

tkyte@TKYTE816> declare
2 l_output long;
3
4 l_url varchar2(255) default
5 '

https://trading.etrade.com/cgi-bin/gx.cgi/AppLogic%2bHome'; <code>
6
7 l_wallet_path varchar2(255) default
8 'file:C:\Documents and Settings\Thomas Kyte\ORACLE\WALLETS';
9
10
11 begin
12 l_output := utl_http.request
13 ( url => l_url,
14 proxy => 'www-proxy.us.oracle.com',
15 wallet_path => l_wallet_path,
16 wallet_password => 'oracle'
17 );
18 dbms_output.put_line(trim(substr(l_output,1,255)));
19 end;
20 /
<HTML>
<HEAD>
<META http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<TITLE>E*TRADE</TITLE>
<SCRIPT LANGUAGE="Javascript"
TYPE="text/javascript">
<!--

function mac_comment(){
var
agt=navigator.userAgent.toLowerCase();
var is_mac

PL/SQL procedure successfully completed.

This time we are successful. Now we know how to use and extend the Oracle wallet to do secure HTTPS.

utl_http and Proxy authetication

Jeff Yuan, September 12, 2002 - 11:38 am UTC

Tom,

Thank you for the comments on this topic and the chapters on utl_http and utl_tcp in your wonderful book. I get a question on how to use Proxy userid and password to pass the authetication. When I called your packages, I get "Access is Denied" error, same as utl_http.request does. I am using 9iR2. I searched Oracle documents and Metalink, and did not get a solution. Could you please help me on this?

Regards,

Jeff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
jyuan@TMP9> select http_pkg.request('</code> http://www.oracle.com/',

'walbar-proxy:8080') from dual;

HTTP_PKG.REQUEST('

HTTP://WWW.ORACLE.COM/','WALBAR-PROXY:8080'

------------------------------------------
Error: Access is Denied.

jyuan@TMP9> DECLARE
  2 c utl_tcp.connection; -- TCP/IP connection to the web server
  3 n number;
  4 buffer varchar2(255);
  5 BEGIN
  6 -- c := utl_tcp.open_connection('proxy-server', 80);
  7 c := utl_tcp.open_connection('walbar-proxy', 8080);
  8 n := utl_tcp.write_line(c, 'GET

http://www.oracle.com/ <code>
HTTP/1.0');
9 n := utl_tcp.write_line(c);
10 BEGIN
11 LOOP
12 n:=utl_tcp.read_text( c, buffer, 255 );
13 dbms_output.put_line( buffer );
14 END LOOP;
15 EXCEPTION
16 WHEN utl_tcp.end_of_input THEN
17 NULL; -- end of input
18 end;
19 utl_tcp.close_connection(c);
20 END;
21 /
HTTP/1.0 407 Proxy authentication required Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic
realm="170.777.115.5" Content-Length: 24 Content-Type: text/html
Error:
Access is Denied.

PL/SQL procedure successfully completed.

September 12, 2002 - 3:45 pm UTC

Your PROXY server requires a username and password.

I did not program that in my package (i didn't have a firewall that required one, so I couldn't test it)

You'll have to dig out what the correct header would be and send it along.

Trying it with 9iR2

Jack Wells, April 11, 2003 - 8:15 pm UTC

I want to compare the performance of utl_http2 with the newly revamped one in 9iR2 (9.2.0.3). Even though I'm granting all (i mean ALL) privileges to the target user as SYS I'm getting java errors. Any idea?

My grants:
BEGIN
dbms_java.grant_permission ('WWW', 'java.net.SocketPermission', 'hostname', 'resolve');
COMMIT;
dbms_java.grant_permission ('WWW', 'java.util.PropertyPermission', '*', 'read,write');
COMMIT;
dbms_java.grant_permission ('WWW', 'java.io.FilePermission', '/tmp', 'read');
COMMIT;
END;

Other (pre-9i, non-necessary but reaching attempt):

grant javasyspriv to user;
grant javauserpriv to user;
grant javadebugpriv to user;

Results when running @@jsock.java:
0/0 jsock:10: Class socket not found.
0/0 jsock:10: Incompatible type for new. Can't convert <error>[] to
socket[].

0/0 jsock:10: Class socket not found.
0/0 jsock:12: Class string not found.
0/0 jsock:13: Class java.io.ioexception not found in throws.
0/0 jsock:20: Class socket not found.
0/0 jsock:28: Class java.io.ioexception not found in throws.
0/0 jsock:30: Class socket not found in void java_send_data(int,
byte[]).

0/0 jsock:35: Class java.io.ioexception not found in throws.
0/0 jsock:38: Class socket not found in void java_recv_data(int,
byte[][], int[]).

0/0 jsock:41: Class string not found.
0/0 jsock:42: Class java.io.ioexception not found in throws.
0/0 jsock:44: Class datainputstream not found.
0/0 jsock:44: Class datainputstream not found.
0/0 jsock:50: Class java.io.ioexception not found in throws.
0/0 jsock:54: Class socket not found in void java_disconnect(int).
0/0 jsock:55: Class socket not found in void java_disconnect(int).
0/0 jsock:60: Class java.io.ioexception not found in throws.
0/0 jsock:62: Class socket not found in int java_peek_sock(int).
0/0 jsock:65: Class string not found.
0/0 jsock:66: Class java.net.unknownhostexception not found in
throws.

0/0 jsock:68: Undefined variable or class name: inetaddress
0/0 jsock:71: Class string not found.
0/0 jsock:73: Class date not found.
0/0 jsock:73: Class date not found.
0/0 jsock:74: Class dateformat not found.
0/0 jsock:74: Class simpledateformat not found.
0/0 jsock:81: Class string not found.
0/0 jsock:83: Class date not found.
0/0 jsock:83: Class date not found.
0/0 jsock:84: Class dateformat not found.
0/0 jsock:84: Class simpledateformat not found.
0/0 jsock:90: Class string not found.
0/0 jsock:92: Class base64encoder not found.
0/0 jsock:92: Class base64encoder not found.
0/0 Info: 35 errors

April 13, 2003 - 8:05 pm UTC

looks alot like java ain't installed in that database?

How can I work it out in HTTPS POST

Gordon Hou, June 16, 2003 - 10:41 am UTC

I need to transmit an xml (in CLOB) via HTTPS protocol. I can't find POST function/procedure in UTL_HTTP. I'm wondering if your utl_http2 works for me?

June 16, 2003 - 10:52 am UTC

sorry, I don't do "https" (fairly complex protocol)...

you'll have to load some java packages in there.

</code> http://asktom.oracle.com/~mbpierma/SSL_Java_DB.html <code>

has a "for example"

UTL_HTTP2 not handling attachments

Dr. Luca Toldo, October 22, 2003 - 8:43 am UTC

The UTL_HTTP2 package that Tom povides is very nice however it is incomplete.
Infact, it does not handle the "file upload" case.
Namely, if one (like myself) needs to do a POST with "Content-type=multipart/form-data" from an 8.1.7 Oracle machine, this package is not capable of doing so
since does not handle the case appropriately.

Great!

Andy, December 13, 2003 - 3:18 pm UTC

In the followup to this is the only place I have found on the Web that shows how to use utl_http with https, wallets etc.

Tom, you mention your book here, I will buying it.

UTL_HTTP2 sockettype errors

A Reader, March 08, 2004 - 9:34 pm UTC

Hi Tom:

Some questions on utl_http.
1) Re: UTL_HTTP coverage in Appendix A of your book
Has anything changed with 9.2.0 release since this chapter was written?
2) Does UTL_HTTP2 work under 10g?
3) I ran into an error in installing UTL_HTTP2. I have executed the install scripts against a number of 9iR2 instances and the errors are consistent. Has anyone reported this issue? Any idea why? Thanks.

sys@ORACLE9201> @install
Java created.
CorrelationType
Type created.
CorrelationArrayType
Type created.
CorrelatedArray Spec
Type created.
CorrelatedArray Body
Type body created.
No errors.
Package created.
No errors.
Package body created.
Type created.
No errors.
Warning: Type Body created with compilation errors.
Errors for TYPE BODY SOCKETTYPE:
LINE/COL ERROR
-----------------------------------------------------------------
92/63 PLS-00593: default value of parameter "P_PORTNO" in
body must match that of spec

SQL*Plus: Release 9.2.0.1.0 - Production on Mon Mar 8 17:11:14 2004

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Enter password:

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

sys@ORACLE9201> begin
2 print (utl_http2.request('</code> http://www.amazon.com/' <code>);
3 end;
4 /
begin
*
ERROR at line 1:
ORA-04068: existing state of packages has been discarded
ORA-04063: stored procedure "SYS.SOCKETTYPE" has errors
ORA-06508: PL/SQL: could not find program unit being called
ORA-06512: at "SYS.UTL_HTTP2", line 184
ORA-06512: at "SYS.UTL_HTTP2", line 212
ORA-06512: at "SYS.UTL_HTTP2", line 19
ORA-06512: at line 2

It seems to be choking on this:
member procedure initiate_connection( p_hostname in varchar2, p_portno in number default 119)

Any help would be very much appreciated. Thanks.

March 09, 2004 - 10:59 am UTC

1) absolutely, utl_http in 9i does what my utl_http2 in 8i did

2) i haven't tried it as utl_http has more than sufficient capabilities in the 9i/10g line

3)
LINE/COL ERROR
-----------------------------------------------------------------
92/63 PLS-00593: default value of parameter "P_PORTNO" in
body must match that of spec

should be the give away -- apparently i have a bug in my code that was acceptable in 8i but not 9i. look at the spec of that type - see what default I used there and make sure I'm using the same (or any) in the body.

THANKS a lot, Tom!!!

A Reader, March 09, 2004 - 2:43 pm UTC

broken url

eric, December 17, 2004 - 12:40 pm UTC

Can you correct the URL:
</code> http://asktom.oracle.com/~mbpierma/SSL_Java_DB.html <code>
to something that is valid?
I would really like to read about this due to a similar requirement.

December 17, 2004 - 2:51 pm UTC

I'll ask them to restore that directory -- might take a bit.

ignore last request

eric, December 17, 2004 - 11:34 pm UTC

Here's some very useful information that might be worth passing on to others:

from: Oracle Application Server 10g mapviewer B10559-01
</code> http://www.tju.cn/docs/oas90400/web.904/b10559/vis_xmla.htm

Example 3-10 is a sample PL/SQL program that sends an XML request to the MapViewer server. This example works only on Oracle Database release 9.0.1 and higher. 

a discussion here on pl/sql 9i new features:

http://www.oracle.com/technology/tech/pl_sql/pdf/PLSQL_9i_New_Features_Doc.pdf


An article that also appears on OTN pl/sql samples as a B2B scenario/this hyperlink is the article appearing on otn in 4 pages on o'reilly:
HTTP Communication from Within the Oracle Database

http://www.oreillynet.com/pub/a/network/2003/03/04/feuerstein.html?page=1


A nice description of utl_http in the application developer's guide:
APPLICATION DEVELOPER'S GUIDE FUNDAMENTALS, CHAPTER 13:

https://cwisdb.cc.kuleuven.ac.be/ora10doc/appdev.101/b10795/adfns_we.htm <code>

Good

pulkit, December 23, 2004 - 8:14 am UTC

HI,

I tried your examples but while running them i got an Oracle error ORA-28783: Invalid parameter.

Please let me know what entries do i need to make in the sqlnet.ora file to run the procedures.

December 23, 2004 - 11:26 am UTC

do you have the necessary additional software installed.

Good

Pulkit, December 27, 2004 - 3:55 am UTC

HI,

My requirement is to uplaod a XML file through HTTP Or HTTPS from Oracle.

How can this be done.

December 27, 2004 - 10:12 am UTC

</code> http://docs.oracle.com/docs/cd/B10501_01/appdev.920/a96620/xdb03usg.htm#1042708 <code>

Missing link...

Raj Kathamuthu, September 12, 2005 - 10:20 am UTC

Tom,
FYI - I found a link (</code> http://asktom.oracle.com/~tkyte/utl_http2.tar <code> that needs to updated...

Regards,
Raj K

September 12, 2005 - 10:30 am UTC

it is back.

Interesting, but...

J, October 21, 2005 - 1:22 am UTC

Hi,

I read your book and I am impressed with the information mentioned in there. However, I have a unique situation where in I want to Post data over to a website, using SSL. I understand that I can't post data using standard UTL_HTTP package, but the custom package (HTTP_PKG) that you'd described in your book can handle this. However, HTTP_PKG doesn't handle SSL.

Can you please help me out here -- I want to be able to schedule a job in our DB that will call UTL_HTTP(SSL) and post data to customer's website at a regular interval. I am using 9.2.0.5 DB.

October 21, 2005 - 8:16 am UTC

see the utl_http documentation in the supplied packages guide, it was majorly re-written in 9i.

Secure Socket Layer (SSL)

Dawar Naqvi, March 30, 2006 - 1:34 pm UTC

Tom,

How to set up Enterprise Manager 10g Database Control so that user can connect securely to the Database Control console using Secure Socket Layer (SSL)

i.e: HTTPS

Dawar

March 31, 2006 - 11:36 am UTC

please utilize support for installation and configuration stuff

281402.1 - Enter Enterprise Manager Root & Enter Agent Registration passwords

Dawar, April 02, 2006 - 3:36 pm UTC

Tom,

Per Note: 281402.1 - How to Secure and Unsecure the DB Control Application in 10.1, I have run

>emctl secure dbconsole but it did not work.

Reason is that I never assigned/Created
Enterprise Manager Root Password and the Agent Registration password.

example:

[oracle@lnx01 dbs]$ emctl secure dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.1.0.2.0
Copyright (c) 1996, 2004 Oracle Corporation. All rights reserved.
</code> http://lnx01:5500/em/console/aboutApplication <code>
Enter Enterprise Manager Root Password :
Enter Agent Registration password :
Enter a Hostname for this OMS : hostname
Checking Repository... Done.
Checking Repository for an existing Enterprise Manager Root Key... Done.
Fetching Root Certificate from the Repository... Done.
Generating Registration Password Verifier in the Repository... Failed.

---------------------------------------

so my question how do I create create Enterprise Manager Root & Enter Agent Registration passwords.

Support does not have answer for this yet.

Regards,
Dawar

httpuritype with SSL?

Kurt Look, May 05, 2006 - 8:16 pm UTC

With your help, I can use UTL_HTTP with SSL. Is it possible to use the code below with SSL? We've been trying and not finding any indication that we can.

We're using Oracle 9.2.

Kurt

function GetBlob(InURL varchar2) return blob
is
TheBlob blob;
TheURL httpuritype;
begin

DBMS_LOB.createtemporary(TheBlob, FALSE);

TheURL := httpuritype.createuri(InURL); -- [dbmsuri.sql]
TheBlob := TheURL.GetBlob();

return (TheBlob);

end GetBlob;

Getting an intermittant Error

Scott, November 20, 2006 - 11:47 am UTC

Tom,
I followed your steps exactly from Expert One-On-One in order to get a PL/SQL window to authorize.net (for credit card and check processing). It works, however I am receiving an ORA-28868 error 2 out of every 10 tries. I am not sure what is causing this, and I can't find anything in searches that is relevant to my problem. I have copied the correct certificate, and I am beyond the patch where this problem occurs. Running 9.2.0.1.0 on Windows 2000

SQLWKS> declare
2> req varchar2(400);
3> resp utl_http.resp;
4> value long; --VARCHAR2(1024);
5> URL VARCHAR2(32767);
6> l_wallet_path varchar2(255) := 'file:C:\Documents and Settings\Administrator\ORACLE\WALLETS';
7> BEGIN
8> url := '</code> https://transact.authorize.net/gateway/transact.dll?';

     9>   url := url || 'x_login=*************&';
    10>   url := url || 'x_tran_key=**********&';
    11>   url := url || 'x_version=3.1&';
    12>   url := url || 'x_test_request=TRUE&';
    13>   url := url || 'x_method=CC&';
    14>   url := url || 'x_type=AUTH_CAPTURE&';
    15>   url := url || 'x_amount=19.99&';
    16>   url := url || 'x_delim_data=TRUE&';
    17>   url := url || 'x_delim_char=,&';
    18>   url := url || 'x_relay_response=FALSE&';
    19>   --CC Info
    20>   
    21>   url := url || 'x_card_num=4007000000027&';
    22>   url := url || 'x_exp_date=1106&';
    23>   url := url || 'x_description=TEST&' ; 
    24>   url := url || 'x_trans_id=24601&';
    25>   
    26>  
    27>  
    28>   req := utl_http.request(url,NULL,l_wallet_path,'wallet9i');
    29>  
    30>    dbms_output.put_line(REQ);
    31>  
    32>  
    33>   
    34>   END;
    35> 
    36> 
Statement processed.
1,1,1,(TESTMODE) This transaction has been approved.,000000,P,0,,TEST,19.99,CC,auth_capture,,,,,,,,,,,,,,,,,,,,,,,,,,33FF68EF07CBBFC17884C9A5E2923F99,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
SQLWKS> declare
     2>   req varchar2(400);
     3>   resp utl_http.resp;
     4>   value long; --VARCHAR2(1024);
     5>   URL VARCHAR2(32767);
     6>   l_wallet_path varchar2(255) := 'file:C:\Documents and Settings\Administrator\ORACLE\WALLETS';
     7> BEGIN
     8>   url := '

https://transact.authorize.net/gateway/transact.dll?'; <code>
9> url := url || 'x_login=*********&';
10> url := url || 'x_tran_key=**********&';
11> url := url || 'x_version=3.1&';
12> url := url || 'x_test_request=TRUE&';
13> url := url || 'x_method=CC&';
14> url := url || 'x_type=AUTH_CAPTURE&';
15> url := url || 'x_amount=19.99&';
16> url := url || 'x_delim_data=TRUE&';
17> url := url || 'x_delim_char=,&';
18> url := url || 'x_relay_response=FALSE&';
19> --CC Info
20>
21> url := url || 'x_card_num=4007000000027&';
22> url := url || 'x_exp_date=1106&';
23> url := url || 'x_description=TEST&' ;
24> url := url || 'x_trans_id=24601&';
25>
26>
27>
28> req := utl_http.request(url,NULL,l_wallet_path,'wallet9i');
29>
30> dbms_output.put_line(REQ);
31>
32>
33>
34> END;
35>
36>
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1556
ORA-28868: certificate chain check failed
ORA-06512: at line 28

Any help or suggestions would be appreciated.

Thanks,
Scott

November 20, 2006 - 1:47 pm UTC

you'll need to work with support on this one.

CC Number in above

Scott, November 20, 2006 - 12:04 pm UTC

Tom,
I realize I left the Credit Card Number in the code. It is a test CC number from authorize.net, nothing to worry about.

-Scott

Had a feeling you were going to say that

Scott, November 20, 2006 - 1:51 pm UTC

Tom,
I had created a SR with Metalink, but you tend to be faster than them :). Was hoping you could help, but when this is solved, I'll post the resolution on here in case anyone else has this problem.

Thanks,
Scott

Does HTTP_UTL supports client side SSL certificate

Vytenis Umbrasas, December 07, 2006 - 10:12 am UTC

Hi,

We use HTTP_UTL with HTTPS connection using certificate installed on server ( web-servise) side. The server's SSL certificate is installed in Oracle Wallet Manager as Trusted Certificate. It works OK.

Is it possible to use client side certificate for SSL connection?

It means: is it possible to issue certificate-request, then install user certificate to Oracle Wallet Manager and use this certificate for HTTPS SSL connections where Web-server requires client certificate?

Trying to do this we've got an error and I'm wondering is it possible at all.

Thank You

Vytenis

December 07, 2006 - 1:10 pm UTC

the client is not doing the connection, the database is.

if you want the client to do this, you would not be using the database at all - the database would be a "man in the middle" otherwise - something explicitly forbidden.

Does HTTP_UTL supports client SSL certificates

Vytenis Umbrasas, December 14, 2006 - 5:30 am UTC

Hi,

I'll describe problem more clear.

Suppose we have Web-Server with SSL v.3 protocol
configured to require client certificates.
( For example
on Appache web server parameter: SSLVerifyClient require
on TomCat web server : clientAuth TRUE ) .

During SSL negotiations such web server requires from the client ( in our case database) to send client certificate to web server.

Is it possible connect to web service on such web server using
Oracle database HTTP_UTL packet ?

Thank You,

Vytenis

December 15, 2006 - 8:15 am UTC

that would be "a man in the middle" - the answer is most certainly (and THANKFULLY) no. It would defeat the purpose here, the purpose being strong identification.

What would happen if you could give your certificate to me (i can now be sure who you are - that is good) and I could give your certificate to someone else and claim to be you (that, that would be BAD, you should not be happy with me at that point)

Re: Does HTTP_UTL supports client SSL certificates

wren337, January 23, 2007 - 4:36 pm UTC

Hi Tom;

HTTPS / TLS supports certificates on both sides of the connection - the server has a cert, and also the client supplies a cert (google for "client certificates" and SSL). So the server can be sure of the client identity. The scenario the poster above is describing is valid and something I'm researching as well. We're looking at using a web service that requires a client certificate, but at this point it looks like Oracle UTL_HTTP doesn't support client certificates.

thanks
Nathan

SSL

A reader, October 01, 2007 - 12:11 pm UTC

Tom:

Do you have detailed steps on what you need to setup SSL for the login page of an application if you have an oracle web application using mod_plsql?

Also, how long you think it takes?

Thanks

October 03, 2007 - 4:13 pm UTC

http://docs.oracle.com/docs/cd/B32110_01/web.1013/b28948/ssl.htm#CHDCCEJE

SSl

A reader, January 11, 2008 - 9:34 pm UTC

Tom:

If you have a web application using mod_plsql and you want to go from unsecure to secure communication. Do you usually change the setup in the DAD in the app server or nothing changes at the DAD and it is only used for connecting web server to database.

January 14, 2008 - 3:20 pm UTC

you need to change nothing for the DAD, that just describes how to connect to a database. You would setup the web/app server to support https

ssl

A reader, January 15, 2008 - 9:09 pm UTC

Tom:

I assume then the SSL is the connection between browser and web server (port). The DAD comes into play after that when web server talks to the MOD_PLSQL and it wont be over SSL.

correct.

January 16, 2008 - 3:17 pm UTC

yes, https is a protocol between web browser and web server.

Question on Oracle Wallet

A reader, January 22, 2008 - 3:12 pm UTC

Background:
We need to develop a web service program in Oracle 10g. The web service will be accessing sensitive data that will need to be encrypted. The client would like us to use x.509 security certificate.

Questions:

1. Is it possible to use x.509 security with Oracle 10g?

2. Can a SOAP call or UTL_DBWS package be used with the x.509 security and Oracle 10g?
2a. If the answer to 2 is "No", do you have any other software suggestions that can be used with x.509 security?

3. Is Oracle Wallet Manager required for x.509 security?

4. Is Oracle Application Server necessary for x.509 security?
4a. If the answer to 4 is "Yes", then does Oracle Wallet Manager come with Oracle Application Server?
4b. What is the approximate cost of the Oracle Application Server?

5. Is jdeveloper free software provided by Oracle?

Thanks,
Ashok

January 22, 2008 - 6:33 pm UTC

1) define what you mean by that.

2) are you just wanting to do ssl?

3) see #1

4) see #1

5) yes.

Ashok k rathi, January 23, 2008 - 8:28 am UTC

1.I am trying to call a web service which is hosted by other dvision of my company . I don't have a Oracle Application server or Oracle Wallet manager . But this other division of the company wants us to use x.509 certificate while calling .Is there any way I can do without Oracle wallet Manager ? I am able to call web service using utl_dbws package and SOAP over the UTL_HTTP .

2.If we do need oracle wallet manager what is the cost involve in that . We currently have Oracle EE 10g version 2

3.What is the cost involve if we want to but Oracle Application Server ?

Thanks
Ashok

January 23, 2008 - 1:51 pm UTC

1) ask them to define what they want this x509 certificate for.

You need to register the certificates, we need a way to manage them - access them - store them - retrieve them. That is the wallet, you'll be using that yes.

2) you have it

3) talk to your sales contact for pricing information.

A reader, May 20, 2010 - 3:25 am UTC

The link
http://asktom.oracle.com/~tkyte/utl_http2.tar
is broken. Can you correct it ?

Thank you.

May 24, 2010 - 11:29 am UTC

way out of date, no longer needed, the supplied packages do it and more now. You don't need it.

is license needed for Oracle wallet

Alex, June 02, 2010 - 5:12 am UTC

Hi Tom
I tested your utl_http and wallet approach , but do I need license to use Oracle wallet in this case ?

Thanks.
Alex

June 08, 2010 - 9:40 am UTC

not for what you are doing, no

http://docs.oracle.com/docs/cd/B19306_01/license.102/b14199/editions.htm#sthref32

oracle wallet manager permissions

Melissa, January 05, 2011 - 3:29 pm UTC

I created my wallet but no one else can open the wallet even if i provide them the password. Is there a way to change that? Or is everyone required to have their own wallet?

January 05, 2011 - 3:35 pm UTC

A little more context here - what for/how are you using the wallet . In this web page - we used the wallet from the database itself - everyone that needed to could access it.

Previous wallet manager comment

Melissa, January 05, 2011 - 4:14 pm UTC

I created the wallet to create a SSL ODBC Connection for a third party tool. I want other administrators to have access to the wallet for maintenance purposes. They can connect via SQLPLUS using the wallet and ODBC. But they cannot open the wallet themselves. When they type in the password it says its wrong.

January 06, 2011 - 7:05 am UTC

As long as I have access to the wallet, I've been able to open it - by default - I cannot write it (permissions) but if I open them up (not suggested) I can.

It would likely be best to have this wallet owned by an account and managed by that account - a "wallet account". And give access to that wallet account only to individuals that should have it using sudo or something similar.

ssl

sam, March 16, 2013 - 7:37 pm UTC

Tom:

How can I configure mod_plsql DAD so it runs all web pages for mod_plsql "myapp" application via HTTPS (443)? Right now the stored procedures can all be run on 80 and 443.

WOuld you use mod_rewrite as below or enforce using a directory tag.

$ cat .htaccess
Options FollowSymLinks
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(myapp/.*) https://your_server.com/$1

You can apply an SSL requirement to a directory with SSLRequireSSL but that is for files on apache

<Directory /path/to/files/accessible/only/by/https>
SSLRequireSSL
</Directory>

SSL

A reader, April 25, 2013 - 4:58 pm UTC

Tom:

You dont have any hints/ideas on the above question making a pl/sql web application only accessbile using SSL without blocking port 80 or default OHS port 7777 (HTTP)?

April 25, 2013 - 7:55 pm UTC

the mod rewrite would work great, that is very typical. redirect a non-ssl request to a ssl address.

SSL cerificate

sam, April 30, 2013 - 11:35 pm UTC

Tom:

I am trying to install a wildcard SSL certificate and key to an oracle 11g web server so I added the following two lines to "SSL.conf" of the Apache 2.2 web server. I keep getting an error when I start the server. Do you know why and what is the fix for this?

<VirtualHost *:443>
<IfModule ossl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /home/oracle/Middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1/manual/ssl/server.crt
SSLCertificateKeyFile /home/oracle/Middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1/manual/ssl/serverkey.pem

--------
Start process
--------
/home/oracle/Middleware/Oracle_WT1/ohs/bin/apachectl startssl: execing httpd
Syntax error on line 56 of /home/oracle/Middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1/ssl.conf:
Invalid command 'SSLCertificateFile', perhaps misspelled or defined by a module not included in the server configuration

SSL

A reader, May 07, 2013 - 3:55 pm UTC

Tom:

I figured out a few things on the above question and i am changing it a bit. It seems oracle has its own SSL module instead of the default mod_ssl pache uses.

According to this link I have to create a WALLET and point that in the SSL.conf file

http://www.apache.com/resources/how-to-setup-an-ssl-certificate-on-apache/

So my question is that I have a PFX file that has a wildcard certificate for the company domain. I extracted the certificate and private key from this and now trying to create a wallet using oracle wallet manager.

Do I have to create a CSR for this owm tool since i already have the certificate?

OWM needs a Root certificate and trustworthy certificate which I am not clear about. It did not allow me to import the certificate file until i created a CSR and even i imported that certificate (without using CSR) I got SSL handshake errors. DO you know how properly to create this SSL ceriticate using OWM?

[2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
[2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error

wallet

A reader, May 09, 2013 - 6:59 pm UTC

Tom:

Any ideas about how to create a wallet from a PFX file (my above question) for OHS?

Can we use SSL and Wallet in Oracle 11.2.0.2 Standard Edition to do what you described?

Harv, June 13, 2013 - 4:41 pm UTC

Can we use SSL and Wallet in Oracle 11.2.0.2 Standard Edition to do what you described?

June 18, 2013 - 3:24 pm UTC

http://docs.oracle.com/cd/E11882_01/license.112/e10594/editions.htm#sthref187

Oracle Wallet Manager is an application that wallet owners can use to manage and edit Oracle Wallets. Oracle Wallets can be deployed on clients, middle tiers, and database servers free of charge. However, the following features that use an Oracle Wallet in turn require licensing of the Oracle Advanced Security Option: PKI credentials for authentication to Oracle Database, network encryption (SSL/TLS) to the Oracle database from middle tiers and database clients, and transparent data encryption master keys.

this does not fall into any of those categories that would require ASO (advanced security option)

Vikas Sharma, September 22, 2013 - 8:47 am UTC

Hi Tom,

After going through the complete thread. I am still not clear that if there is anyway to use https:// ie SSL request without oracle wallet?

Thanks.

ORA-28759: failure to open file

Praveen Ray, February 14, 2016 - 12:16 pm UTC

Hi,

I did exactly what you have mentioned in the Expert One on One to access website starting with " https://" Months earlier it was working fine but suddenly it stopped working and I thought of deleting and creating the wallet once all over again. It's not working now anymore:

ORA-28759: failure to open file

February 15, 2016 - 12:41 am UTC

Take a look here at a common cause for the error

https://community.oracle.com/thread/2317808?tstart=0

Also, make sure the format for specifying where the wallet file is located has been done correctly, eg

http://stackoverflow.com/questions/26697841/oracle-error-ora-28759-failure-to-open-file-when-requesting-utl-http-package

or alternatively, try this resource from a start-to-finish demo

https://oracle-base.com/articles/misc/utl_http-and-ssl

More to Explore

CLOB/BLOB/etc

Complete documentation on Securefiles and Large Objects here

SSL

Breadcrumb

Question and Answer

You Asked

and Tom said...

Rating

Comments

What does this have to do with SSL (the title)?

utl_http and Proxy authetication

Trying it with 9iR2

How can I work it out in HTTPS POST

UTL_HTTP2 not handling attachments

Great!

UTL_HTTP2 sockettype errors

THANKS a lot, Tom!!!

broken url

ignore last request

Good

Good

Missing link...

Interesting, but...

Secure Socket Layer (SSL)

281402.1 - Enter Enterprise Manager Root & Enter Agent Registration passwords

httpuritype with SSL?

Getting an intermittant Error

CC Number in above

Had a feeling you were going to say that

Does HTTP_UTL supports client side SSL certificate

Does HTTP_UTL supports client SSL certificates

Re: Does HTTP_UTL supports client SSL certificates

SSL

SSl

ssl

Question on Oracle Wallet

is license needed for Oracle wallet

oracle wallet manager permissions

Previous wallet manager comment

ssl

SSL

SSL cerificate

SSL

wallet

Can we use SSL and Wallet in Oracle 11.2.0.2 Standard Edition to do what you described?

ORA-28759: failure to open file

More to Explore

CLOB/BLOB/etc