Oracle Wallet


What is Oracle Wallet

Oracle wallet is a password-protected container for authentication and signing credentials, including private keys, certificates and other secrets that you need to secure over time.

How to create Oracle wallets

Wallets are created with Oracle Wallet Manager (OWM) or the orapki utility. With orapki, run the orapki wallet create command (orapki wallet create -wallet, followed by the wallet directory).
The wallet password must be strong:

[oracle@orcl]$ orapki wallet create -wallet /u01/app/oracle/product/11.2/db_1/wallets
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Enter password:            
Enter password again: 

[oracle@orcl]$ ls /u01/app/oracle/product/11.2/db_1/wallets/
ewallet.p12

To display the contents of a wallet:


[oracle@orcl wallets]$ orapki wallet display -wallet /u01/app/oracle/product/11.2/db_1/wallets
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

Requested Certificates: 
User Certificates:
Trusted Certificates: 
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
[oracle@orcl wallets]$ 

All of these operations can also be performed with the Oracle Wallet Manager (OWM) utility.
Run owm from the command line, select Wallet -> Open in Wallet Manager, choose the wallets directory and type your password.


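To create a self-signed root certificate, use the wallet add command. The transcript uses -keysize 1024; RSA keys of that size are no longer considered adequate, so use 2048 or larger for anything beyond a test: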

[oracle@orcl ~]$ orapki wallet add -wallet $ORACLE_HOME/wallets -dn "CN=testsecurity Root,O=testsecurity,C=US" -self_signed -validity 365 -keysize 1024
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

[oracle@orcl ~]$ 

When you use the -self_signed keyword, the certificate is created immediately because you are acting as the Certificate Authority (CA).
Let's display the self-signed certificate with orapki and OWM:

[oracle@orcl ~]$ orapki wallet display -wallet $ORACLE_HOME/wallets
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

Requested Certificates: 
User Certificates:
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US

In OWM the new certificate is listed as well.


To create and sign a certificate request:

[oracle@orcl ~]$ orapki wallet add -wallet $ORACLE_HOME/wallets -dn "CN=test,O=testsecurity,C=US" -keysize 1024
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
 
Enter wallet password:            
 
[oracle@orcl ~]$ 

 

If you look at the contents of the wallet now, you'll see the new certificate request:

[oracle@orcl ~]$ orapki wallet display -wallet $ORACLE_HOME/wallets
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

Requested Certificates: 
Subject:        CN=test,O=testsecurity,C=US
User Certificates:
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US

 

Export the certificate request so that you can sign it anywhere:

[oracle@orcl ~]$ orapki wallet export -wallet /u01/app/oracle/product/11.2/db_1/wallets/ -dn "CN=test,O=testsecurity,C=US" -request ./test.req
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

[oracle@orcl ~]$ ls -l ./test.req 
-rw-------. 1 oracle oinstall 584 Jun 28 18:53 ./test.req

 

Create a signed certificate from the request:

[oracle@orcl ~]$ orapki cert create -wallet /u01/app/oracle/product/11.2/db_1/wallets/ -request ./test.req -cert ./test.cert -validity 365
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:            

[oracle@orcl ~]$ ls -l ./test.cert 
-rw-------. 1 oracle oinstall 706 Jun 28 19:28 ./test.cert

 

The certificate file has been created, but it is not in any wallet yet. If you display the wallet, you will not see the certificate there:

[oracle@orcl ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2/db_1/wallets/
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:            

Requested Certificates: 
Subject:        CN=test,O=testsecurity,C=US
User Certificates:
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US

 

You need to add the certificate to a wallet. Both the certificate request and the certificate are text files, which you can copy to any other server:


[oracle@orcl ~]$ cat test.cert 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[oracle@orcl ~]$ cat test.req 
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBcTCB2wIBADAyMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLZGJhc2VjdXJpdHkxDTALBgNVBAMT
BHRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK+ZFpvNIsE1wvoaNgrhtot7OnfICr1s
YYiOoAYbhP9c1fSSkgQbeNX3FyswKIicLnpiNnwW4LUhOZ2qqV+f0HET8iYYlwcsJUm3FcvwYMOq
JkqGAKhPXq85hshqrhWlAk/Cq21orYkSeVExRxOR6aExrk3N+YkeYH2n00j8Ub+HAgMBAAGgADAN
BgkqhkiG9w0BAQQFAAOBgQB+v4nCX/9HhCoqdimfznyVxPeDg6uspLo1uteqxPBkmqSyASWxafob
h+tZaFXY7cDw0VFlycjuot5wCWLqXejMpnAmGiJwi6VgziJt7TUpfJw6k3Ga1uarRCV22OWpNt43
tWvApcY0Z4MJXjFFzCpFFI8teeA146i422Zln0HgWQ==
-----END NEW CERTIFICATE REQUEST-----
[oracle@orcl ~]$ 

 

You can add the certificate either as a user certificate or as a trusted certificate. For example, to add the certificate as a user certificate:

[oracle@orcl ~]$ orapki wallet add -wallet /u01/app/oracle/product/11.2/db_1/wallets/ -user_cert -cert ./test.cert 
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

[oracle@orcl ~]$ 

 

Now the certificate shows up in the User Certificates section:

[oracle@orcl ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2/db_1/wallets/
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

Requested Certificates: 
User Certificates:
Subject:        CN=test,O=testsecurity,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
[oracle@orcl ~]$ 

 

If you want this certificate to be part of the trust hierarchy, you can add it to the wallet as a trusted certificate:

[oracle@orcl ~]$ orapki wallet add -wallet /u01/app/oracle/product/11.2/db_1/wallets/ -trusted_cert -cert ./test.cert 
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: 

 

The certificate will now show up in the trusted certificate section:

[oracle@orcl ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2/db_1/wallets/
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

Requested Certificates: 
User Certificates:
Subject:        CN=test,O=testsecurity,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=test,O=testsecurity,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
[oracle@orcl ~]$ 
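
Every subject under Trusted Certificates is a trust point for the wallet, so after a step like the last one it is worth comparing that section with the list of CAs you expect. The following is an added example, not part of the original post: it parses orapki wallet display output and reports trusted subjects missing from an allow-list. The function names, the allow-list file and the sample text (constructed from the output above) are assumptions.

```bash
# Added example: audit the trust anchors listed by "orapki wallet display".
# Function names and the allow-list file are assumptions for illustration.

# Emit "<section><TAB><subject>" for every Subject line read on stdin.
wallet_sections() {
  awk '
    /^Requested Certificates:/ { sec = "requested"; next }
    /^User Certificates:/      { sec = "user";      next }
    /^Trusted Certificates:/   { sec = "trusted";   next }
    /^Subject:/ && sec != "" {
      sub(/^Subject:[ \t]*/, "")   # drop the label and its padding
      sub(/[ \t\r]+$/, "")         # drop trailing whitespace
      print sec "\t" $0
    }'
}

# Print trusted subjects absent from the allow-list file $1 (one DN per line).
unexpected_trusted() {
  wallet_sections | awk -F '\t' -v allow="$1" '
    BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
    $1 == "trusted" && !($2 in ok) { print $2 }'
}

# Constructed sample, abridged from the final display output on this page.
sample_display() {
  cat <<'EOF'
Requested Certificates: 
User Certificates:
Subject:        CN=test,O=testsecurity,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        CN=test,O=testsecurity,C=US
EOF
}

# Run the audit on the sample with an allow-list holding only the two CAs.
audit_sample() {
  allow_file=$(mktemp)
  printf '%s\n' \
    'OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US' \
    'CN=testsecurity Root,O=testsecurity,C=US' > "$allow_file"
  sample_display | unexpected_trusted "$allow_file"
  rm -f "$allow_file"
}

audit_sample   # prints: CN=test,O=testsecurity,C=US
```

On a real system, pipe the output of orapki wallet display into unexpected_trusted with your own allow-list file; any line it prints is a trust point nobody signed off on.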
