
The Oracle Wallet Manager

Oracle Wallet Manager is a password-protected, stand-alone Java application used to maintain security credentials and to store SSL-related material such as authentication and signing credentials, private keys, certificates, and trusted certificates.

OWM uses Public Key Cryptographic Standards (PKCS) #12 specification for the Wallet format and PKCS #10 for certificate requests.

Oracle Wallet Manager stores X.509 v3 certificates and private keys in industry-standard PKCS #12 formats, and generates certificate requests according to the PKCS #10 specification. This makes the Oracle Wallet structure interoperable with supported third party PKI applications, and provides Wallet portability across operating systems. Additionally, Oracle Wallet Manager Wallets can be enabled to store credentials on hardware security modules that use APIs compliant with the PKCS #11 specification.

The OWM creates Wallets, generates certificate requests, accesses Public Key Infrastructure-based services, saves credentials into cryptographic hardware such as smart cards, uploads Wallets to and downloads them from LDAP directories, and imports Wallets in PKCS #12 format.

In a Windows environment, Oracle Wallet Manager can be accessed from the start menu. The following screenshot shows the Oracle Wallet Manager Properties:

[Screenshot: Oracle Wallet Manager]

In a Unix-like environment, OWM is launched from the command line with the owm shell script located at $ORACLE_HOME/bin/owm. Because it is a graphical tool, a graphical environment (an X display) must be available for it to start.

[Screenshot: Oracle Wallet Manager]

Creating the Oracle Wallet

If this is the first time the Wallet has been opened, then a Wallet file does not yet exist. A Wallet is physically created in a specified directory. The user can declare the path where the Oracle Wallet file should be created.

[Screenshot: Oracle Wallet Manager]

The user may either specify a default location or declare a particular directory. A file named ewallet.p12 will be created in the specified location.

Enabling Auto Login

The Oracle Wallet Manager Auto Login feature creates an obfuscated copy of the Wallet and enables PKI-based access to the services without a password. When this feature is enabled, only the user who created the Wallet will have access to it.

By default, Single Sign-On (SSO) access to a different database is disabled. The auto login feature must be enabled in order for you to have access to multiple databases using SSO.

[Screenshot: Oracle Wallet Manager]

Checking and unchecking the Auto Login option will enable and disable this feature.

mkwallet, the CLI OWM version

Besides the Java client, there is a command line version of the Wallet Manager, accessed through the mkwallet utility. It can also generate a Wallet and configure it in Auto Login mode. This is a fully featured tool that allows you to create Wallets, and to view and modify their content.

The options provided by the mkwallet tool are shown in the following table:

Option                                                  Meaning
-R rootPwd rootWrl DN keySize expDate                   Create the root Wallet
-e pwd wrl                                              Create an empty Wallet
-r pwd wrl DN keySize certReqLoc                        Create a certificate request, add it to the Wallet and export it to certReqLoc
-c rootPwd rootWrl certReqLoc certLoc                   Create a certificate for a certificate request
-i pwd wrl certLoc NZDST_CERTIFICATE | NZDST_CLEAR_PTP  Install a certificate | trusted point
-d pwd wrl DN                                           Delete a certificate with matching DN
-s pwd wrl                                              Store sso Wallet
-p pwd wrl                                              Dump the content of the Wallet
-q certLoc                                              Dump the content of the certificate
-Lg pwd wrl crlLoc nextUpdate                           Generate CRL
-La pwd wrl crlLoc certtoRevoke                         Revoke certificate
-Ld crlLoc                                              Display CRL
-Lv crlLoc cacert                                       Verify CRL signature
-Ls crlLoc cert                                         Check certificate revocation status
-Ll oidHostname oidPortNumber cacert                    Fetch CRL from LDAP directory
-Lc cert                                                Fetch CRL from CRLDP in cert
-Lb b64CrlLoc derCrlLoc                                 Convert CRL from B64 to DER format
-Pw pwd wrl pkcs11Lib tokenPassphrase                   Create an empty Wallet and store PKCS11 info in it
-Pq pwd wrl DN keysize certreqLoc                       Create cert request; generate key pair on pkcs11 device
-Pl pwd wrl                                             Test pkcs11 device login using a Wallet containing PKCS11 info
-Px pwd wrl pkcs11Lib tokenPassphrase                   Create a Wallet with pkcs11 info from a software Wallet


Managing Wallets with orapki

A CLI-based tool, orapki, is used to manage Public Key Infrastructure components such as Wallets and revocation lists. This tool eases the procedures related to PKI management and maintenance by allowing the user to include it in batch scripts.

This tool can be used to create and view signed certificates for testing purposes, create Oracle Wallets, add and remove certificates and certificate requests, and manage Certificate Revocation Lists (CRLs): renaming them with a hash value for certificate validation, and uploading, listing, viewing and deleting them in Oracle Internet Directory.

The syntax for this tool is:

orapki module command -parameter <value>

module can have these values:

  1. wallet: Oracle Wallet
  2. crl: Certificate Revocation List
  3. cert: The PKI Certificate

To create a Wallet you can issue this command:

orapki wallet create -wallet <Path to Wallet>

To create a Wallet with the auto login feature enabled, you can issue the command:

orapki wallet create -wallet <Path to Wallet> -auto_login

To add a certificate request to the Wallet you can use the command:

orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048>

To add a user certificate to an Oracle Wallet:

orapki wallet add -wallet <wallet_location> -user_cert -cert <certificate_location>

The options and values available for the orapki tool depend on the module to be configured:

Each orapki action is listed with its description and syntax:

orapki cert create
    Creates a signed certificate for testing purposes.
    orapki cert create [-wallet <wallet_location>] -request <certificate_request_location> -cert <certificate_location> -validity <number_of_days> [-summary]

orapki cert display
    Displays details of a specific certificate.
    orapki cert display -cert <certificate_location> [-summary|-complete]

orapki crl delete
    Deletes CRLs from Oracle Internet Directory.
    orapki crl delete -issuer <issuer_name> -ldap <hostname:ssl_port> -user <username> [-wallet <wallet_location>] [-summary]

orapki crl display
    Displays specific CRLs that are stored in Oracle Internet Directory.
    orapki crl display -crl <crl_location> [-wallet <wallet_location>] [-summary|-complete]

orapki crl hash
    Generates a hash value of the certificate revocation list (CRL) issuer to identify the location of the CRL in your file system for certificate validation.
    orapki crl hash -crl <crl_filename|URL> [-wallet <wallet_location>] [-symlink|-copy] <crl_directory> [-summary]

orapki crl list
    Displays a list of CRLs stored in Oracle Internet Directory.
    orapki crl list -ldap <hostname:ssl_port>

orapki crl upload
    Uploads CRLs to the CRL subtree in Oracle Internet Directory.
    orapki crl upload -crl <crl_location> -ldap <hostname:ssl_port> -user <username> [-wallet <wallet_location>] [-summary]

orapki wallet add
    Adds certificate requests and certificates to an Oracle Wallet.
    orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048>

orapki wallet create
    Creates an Oracle Wallet, or enables auto login for an existing Oracle Wallet.
    orapki wallet create -wallet <wallet_location> [-auto_login]

orapki wallet display
    Displays the certificate requests, user certificates, and trusted certificates in an Oracle Wallet.
    orapki wallet display -wallet <wallet_location>

orapki wallet export
    Exports certificate requests and certificates from an Oracle Wallet.
    orapki wallet export -wallet <wallet_location> -dn <certificate_dn> -cert <certificate_filename>


Oracle Wallet Manager CSR generation

Oracle Wallet Manager generates a certificate request in PKCS #10 format. This certificate request can be sent to a certificate authority of your choice. The procedure to generate this certificate request is as follows:

[Screenshot: Oracle Wallet Manager]

From the main menu choose the Operations menu and then select the Add Certificate Request submenu. As shown in the following screenshot, a form will be displayed where you can capture specific information.

[Screenshot: Oracle Wallet Manager]

The parameters used to request a certificate are described next:

Common Name: This parameter is mandatory. This is the user’s name or entity’s name. If you are using a user’s name, then enter it using the first name, last name format.

Organization Unit: This is the name of the entity's organizational unit, for example the department to which the entity belongs (optional parameter).

Organization: This is the company’s name (optional).

Location/City: The location and the city where the entity resides (optional).

State/Province: This is the full name of the state where the entity resides. Do not use abbreviations (optional).

Country: This parameter is mandatory. It specifies the country where the entity is located.

Key Size: This parameter is mandatory. It defines the key size used when a public/private key pair is created. The key size can be as little as 512 bytes and up to 4096 bytes.

Advanced: When the parameters are introduced a Distinguished Name (DN) is assembled. If you want to customize this DN, then you can use the advanced DN configuration mode.

[Screenshot: Oracle Wallet Manager]

Once the Certificate Request form has been completed, a PKCS #10 certificate request is generated. The text between the BEGIN and END lines is what you submit to a Certificate Authority (CA). There are several well-known certificate authorities; depending on the intended use of the certificate, you may address the request to a CA that browsers already trust, so that end users are not warned about the site's identity when they access it. If the certificate is intended for a local community that does not mind the certificate warning, you can generate your own certificate or ask a CA to issue one for you. For demonstration purposes, we used the Oracle Certificate Authority (OCA) included with the Oracle Application Server. OCA provides Certificate Authority capabilities to your site and can issue standard certificates suitable for intranet users. If you plan to use OCA, review the license agreements to determine whether you are allowed to use it.
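As an added example (not code from the original page or from Oracle), the following POSIX shell script drives the orapki commands from the previous section through the request-then-install lifecycle described here, checking the two mandatory DN components (Common Name and Country) and the key sizes the orapki syntax lists before calling the tool. It assumes orapki is on PATH; the -pwd, -request and -trusted_cert flags come from the orapki reference rather than this page's table, and the wallet path, password and DN are caller-supplied.

```shell
#!/bin/sh
# Added example (not from the original page): batch the orapki steps above.
# Assumes orapki is on PATH ($ORACLE_HOME/bin); wallet directory, password
# and DN are supplied by the caller. Key sizes are RSA modulus sizes in bits.
set -eu

# Key sizes accepted by "orapki wallet add -keySize" as listed on this page.
valid_key_size() {
    case "$1" in 512|1024|2048) return 0 ;; *) return 1 ;; esac
}

# The DN must carry the two mandatory CSR parameters: Common Name and Country.
valid_dn() {
    case "$1" in CN=*|*,CN=*) ;; *) return 1 ;; esac
    case "$1" in C=*|*,C=*) ;; *) return 1 ;; esac
}

# Step 1: create an auto-login wallet, add a certificate request for $dn and
# export the PKCS #10 request to $csr_out for submission to a CA.
wallet_request() {  # wallet_dir password dn key_size csr_out
    wallet=$1 pw=$2 dn=$3 bits=$4 csr_out=$5
    valid_key_size "$bits" || { echo "key size must be 512, 1024 or 2048" >&2; return 2; }
    valid_dn "$dn" || { echo "DN needs CN= and C= components" >&2; return 2; }
    mkdir -p "$wallet"
    orapki wallet create -wallet "$wallet" -pwd "$pw" -auto_login
    orapki wallet add -wallet "$wallet" -pwd "$pw" -dn "$dn" -keySize "$bits"
    orapki wallet export -wallet "$wallet" -pwd "$pw" -dn "$dn" -request "$csr_out"
}

# Step 2: once the CA answers, install the issuer certificate as a trusted
# point first, then the user certificate that matches the pending request.
wallet_install() {  # wallet_dir password ca_cert user_cert
    wallet=$1 pw=$2 ca_cert=$3 user_cert=$4
    [ -f "$ca_cert" ] && [ -f "$user_cert" ] || { echo "certificate file missing" >&2; return 2; }
    orapki wallet add -wallet "$wallet" -pwd "$pw" -trusted_cert -cert "$ca_cert"
    orapki wallet add -wallet "$wallet" -pwd "$pw" -user_cert -cert "$user_cert"
    orapki wallet display -wallet "$wallet" -pwd "$pw"
}

# Usage: wallet.sh request <dir> <pwd> <dn> <bits> <csr_out>
#        wallet.sh install <dir> <pwd> <ca.crt> <user.crt>
case "${1:-}" in
    request) shift; wallet_request "$@" ;;
    install) shift; wallet_install "$@" ;;
esac
```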
