Reputation: 1804
Hi all, I am trying to connect to an Oracle DB from my .NET application, but I am getting this error:
Network Transport: SSL failure in parsing wallet location
I have all the required certificates in my Windows certificate store. My connection string is:
<appSettings>
  <add key="IMConnectionString" value="Data Source=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=abc-prod-rds-01.cvi0vpnztsiw.eu-central-1.rds.amazonaws.com)(PORT=2484))(CONNECT_DATA=(SID=abcprod)) (SECURITY = (SSL_SERVER_CERT_DN = C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Amazon RDS,CN=Amazon RDS Root 2019 CA))); Password = *****; User ID = ****"/>
</appSettings>
My configuration in app.config is:
<oracle.manageddataaccess.client>
  <version number="*">
    <settings>
      <setting name="WALLET_LOCATION" value="(SOURCE = (METHOD = MCS))" />
      <setting name="TraceLevel" value="7" />
      <setting name="TraceOption" value="1" />
      <setting name="TraceFileLocation" value="C:\trace" />
    </settings>
    <dataSources>
      <dataSource alias="SampleDataSource" descriptor="(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORCL))) " />
    </dataSources>
  </version>
</oracle.manageddataaccess.client>
I am making the DB call like this:
var queryExecutor = _executor.GetQueryExecutor(item.QueryDatabase);
DataSet ds = queryExecutor.ExecuteQuery(item);
Please let me know what I am missing.
In the ODP.NET traces as well, I am getting the following:
Oracle.ManagedDataAccess.Client.OracleException (0x80004005): Network Transport: SSL failure in parsing wallet location ---> OracleInternal.Network.NetworkException (0xFFFFE700): Network Transport: SSL failure in parsing wallet location
On the RDS server side I can see the following error:
22-JUN-2021 17:58:23 (ADDRESS=(PROTOCOL=tcps)(HOST=46.19.253.127)(PORT=5526)) * 542 TNS-00542: SSL Handshake failed TNS-12560: TNS:protocol adapter error
Upvotes: 3
Views: 973
Reputation: 1804
Just for future reference, answering my own question: I used a file-based wallet instead of MCS, and it worked after adding the following settings in my app.config file:
<settings>
  <setting name="WALLET_LOCATION" value="(SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = C:\app\client\ssl_wallet)))" />
  <setting name="TraceLevel" value="7" />
  <setting name="TraceOption" value="1" />
  <setting name="TraceFileLocation" value="D:\trace" />
  <setting name="SSL_CLIENT_AUTHENTICATION" value="FALSE" />
  <setting name="SSL_VERSION" value="1.0" />
  <setting name="SSL_CIPHER_SUITES" value="(SSL_RSA_WITH_AES_256_CBC_SHA)" />
  <setting name="SSL_SERVER_DN_MATCH" value="NO" />
  <setting name="TNS_ADMIN" value="C:\app\client\client_1\ssl_wallet"/>
</settings>
Upvotes: 0
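The settings in the answer above pin SSL_VERSION to 1.0, turn off SSL_SERVER_DN_MATCH and leave TraceLevel at 7. The following is an added example, not part of the original answer or of ODP.NET: a small Python check that parses such a `<settings>` fragment, validates the WALLET_LOCATION descriptor and lists those settings for review. The function names and the sample fragment are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the <settings> block from the answer above.
SAMPLE = r"""<settings>
  <setting name="WALLET_LOCATION" value="(SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = C:\app\client\ssl_wallet)))" />
  <setting name="SSL_VERSION" value="1.0" />
  <setting name="SSL_SERVER_DN_MATCH" value="NO" />
  <setting name="TraceLevel" value="7" />
</settings>"""


def parse_wallet_location(value):
    """Return (method, directory) from a WALLET_LOCATION descriptor, or raise ValueError."""
    depth = 0
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced parentheses")
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    method = re.search(r"\(\s*METHOD\s*=\s*([^()\s]+)\s*\)", value, re.I)
    if not method:
        raise ValueError("no METHOD in WALLET_LOCATION")
    directory = re.search(r"\(\s*DIRECTORY\s*=\s*([^()]+?)\s*\)", value, re.I)
    return method.group(1).upper(), directory.group(1) if directory else None


def audit_settings(xml_text):
    """Return a list of finding strings for an ODP.NET <settings> fragment."""
    settings = {s.get("name").upper(): s.get("value", "")
                for s in ET.fromstring(xml_text).iter("setting")}
    findings = []
    if "WALLET_LOCATION" in settings:
        try:
            method, directory = parse_wallet_location(settings["WALLET_LOCATION"])
            if method == "FILE" and not directory:
                findings.append("WALLET_LOCATION: METHOD=FILE without DIRECTORY")
        except ValueError as exc:
            findings.append(f"WALLET_LOCATION: {exc}")
    versions = re.findall(r"\d\.\d", settings.get("SSL_VERSION", ""))
    if any(v in ("3.0", "1.0", "1.1") for v in versions):
        findings.append("SSL_VERSION: allows a protocol older than TLS 1.2")
    if settings.get("SSL_SERVER_DN_MATCH", "").upper() in ("NO", "OFF", "FALSE"):
        findings.append("SSL_SERVER_DN_MATCH: server certificate DN is not checked")
    if settings.get("TRACELEVEL", "0") != "0":
        findings.append("TraceLevel: tracing still enabled")
    return findings
```

Calling `audit_settings(SAMPLE)` returns three findings for the sample, one each for SSL_VERSION, SSL_SERVER_DN_MATCH and TraceLevel.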
Reputation: 2080
Sometimes cert renewals by RDS seem to be missed (server side, by AWS). This is reported by multiple users, and there's some guessing as to why that is the case: potentially some DB operations at the same time, or network issues. This seems to happen especially on long-running instances. Can you try to restart the RDS service, as this enforces certificate renewal? Also make sure the client has the correct encryption methods/libs installed and available. This is a common error in Java envs; not too sure how crucial this is on C#/.NET. Also some versions do not support 1.2 which is nor needed by AWS RDS.
Also make sure TLS 1.2 is really working ok like in this thread
Upvotes: 0
Reputation: 5797
Can you try adjusting the TLS connection to 1.2 (or if 1.2 fails, downgrade to 1.1 etc)
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Upvotes: 0