Oracle Wallet Manager

0
219
8 min read

 

The Oracle Wallet Manager

Oracle Wallet Manager is a password protected stand-alone Java application tool used to maintain security credentials and store SSL related information such as authentication and signing credentials, private keys, certificates, and trusted certificates.

OWM uses Public Key Cryptographic Standards (PKCS) #12 specification for the Wallet format and PKCS #10 for certificate requests.

Oracle Wallet Manager stores X.509 v3 certificates and private keys in industry-standard PKCS #12 formats, and generates certificate requests according to the PKCS #10 specification. This makes the Oracle Wallet structure interoperable with supported third party PKI applications, and provides Wallet portability across operating systems. Additionally, Oracle Wallet Manager Wallets can be enabled to store credentials on hardware security modules that use APIs compliant with the PKCS #11 specification.

The OWM creates Wallets, generates certificate requests, accesses Public Key interface-based services, saves credentials into cryptographic hardware such as smart cards, uploads and unloads Wallets to LDAP directories, and imports Wallets in PKCS #12 format.

In a Windows environment, Oracle Wallet Manager can be accessed from the start menu. The following screenshot shows the Oracle Wallet Manager Properties:

Oracle Wallet Manager

In a Unix like environment, OWM can be accessed directly from the command line with the owm shell script located at $ORACLE_HOME/bin/owm, it requires a graphical environment so it can be launched.

Oracle Wallet Manager

Creating the Oracle Wallet

If this is the first time the Wallet has been opened, then a Wallet file does not yet exist. A Wallet is physically created in a specified directory. The user can declare the path where the Oracle Wallet file should be created.

Oracle Wallet Manager

The user may either specify a default location or declare a particular directory. A file named ewallet.p12 will be created in the specified location.

Enabling Auto Login

The Oracle Wallet Manager Auto Login feature creates an obfuscated copy of the Wallet and enables PKI-based access to the services without a password. When this feature is enabled, only the user who created the Wallet will have access to it.

By default, Single Sign-On (SSO) access to a different database is disabled. The auto login feature must be enabled in order for you to have access to multiple databases using SSO.

Oracle Wallet Manager

Checking and unchecking the Auto Login option will enable and disable this feature.

mkwallet, the CLI OWM version

Besides the Java client, there is a command line interface version of the Wallet, which can be accessed by means of the mkwallet utility. This can also be used to generate a Wallet and have it configured in Auto Login mode. This is a fully featured tool that allows you to create Wallets, and to view and modify their content.

The options provided by the mkwallet tool are shown in the following table:

 

 

Option

Meaning

-R rootPwd rootWrl DN keySize expDate

Create the root Wallet

-e pwd wrl

Create an empty Wallet

-r pwd wrl DN keySize certReqLoc

Create a certificate request, add it to Wallet and export it to certReqLoc

-c rootPwd rootWrl certReqLoc certLoc

Create a certificate for a certificate request

-i pwd wrl certLoc NZDST_CERTIFICATE | NZDST_CLEAR_PTP

Install a certificate | trusted point

-d pwd wrl DN

Delete a certificate with matching DN

-s pwd wrl

Store sso Wallet

-p pwd wrl

Dump the content of Wallet

-q certLoc

Dump the content of the certificate

-Lg pwd wrl crlLoc nextUpdate

Generate CRL

-La pwd wrl crlLoc certtoRevoke

Revoke certificate

-Ld crlLoc

Display CRL

-Lv crlLoc cacert

Verify CRL signature

-Ls crlLoc cert

Check certificate revocation status

-Ll oidHostname oidPortNumber cacert

Fetch CRL from LDAP directory

-Lc cert

Fetch CRL from CRLDP in cert

-Lb b64CrlLoc derCrlLoc

Convert CRL from B64 to DER format

-Pw pwd wrl pkcs11Lib tokenPassphrase

Create an empty Wallet. Store PKCS11 info in it.

-Pq pwd wrl DN keysize certreqLoc

Create cert request. Generate key pair on pkcs11 device.

-Pl pwd wrl

Test pkcs11 device login using Wallet containing PKCS11 info.

-Px pwd wrl pkcs11Lib

tokenPassphrase

Create a Wallet with pkcs11 info from a software Wallet.

 

Managing Wallets with orapki

A CLI-based tool, orapki, is used to manage Public Key Infrastructure components such as Wallets and revocation lists. This tool eases the procedures related to PKI management and maintenance by allowing the user to include it in batch scripts.

This tool can be used to create and view signed certificates for testing purposes, create Oracle Wallets, add and remove certificate and certificate requests, and manage Certification Revocation Lists (CRLs)—renaming them and managing them against the Oracle Internet Directory.

The syntax for this tool is:

orapki module command -parameter <value>

module can have these values:

  1. wallet: Oracle Wallet
  2. crl: Certificate Revocation List
  3. cert: The PKI Certificate

To create a Wallet you can issue this command:

orapki wallet create -wallet <Path to Wallet>

To create a Wallet with the auto login feature enabled, you can issue the command:

orapki wallet create -wallet <Path to Wallet> -autologin

To add a certificate request to the Wallet you can use the command:

orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048>

To add a user certificate to an Oracle Wallet:

orapki wallet add -wallet <wallet_location> -user_cert -cert <certificate_location>

The options and values available for the orapki tool depend on the module to be configured:

orapki Action

Description and Syntax

orapki cert create

Creates a signed certificate for testing purposes.

orapki cert create [-wallet <wallet_location>] -request <certificate_request_location> -cert <certificate_location> -validity <number_of_days> [-summary]

orapki cert display

Displays details of a specific certificate.

orapki cert display -cert <certificate_location> [-summary|-complete]

orapki crl delete

Deletes CRLs from Oracle Internet Directory.

 

orapki crl delete -issuer <issuer_name> -ldap <hostname:

ssl_port> -user <username> [-wallet <wallet_location>]

[-summary]

orapki crl diskplay

Displays specific CRLs that are stored in Oracle Internet Directory.

orapki crl display -crl <crl_location> [-wallet <wallet_location>] [-summary|-complete]

orapki crl hash

Generates a hash value of the certificate revocation list (CRL) issuer to identify the location of the CRL in your file system for certificate validation.

orapki crl hash -crl <crl_filename|URL> [-wallet <wallet_location>] [-symlink|-copy] <crl_directory> [-summary]

orapki crl list

Displays a list of CRLs stored in Oracle Internet Directory.

orapki crl list -ldap <hostname:ssl_port>

orapki crl upload

Uploads CRLs to the CRL subtree in Oracle Internet Directory.

orapki crl upload -crl <crl_location> -ldap <hostname:ssl_port> -user <username> [-wallet <wallet_location>] [-summary]

orapki wallet add

Add certificate requests and certificates to an Oracle Wallet.

orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048>

orapki wallet create

Creates an Oracle Wallet or to set auto login on for an Oracle Wallet.

orapki wallet create -wallet <wallet_location> [-auto_login]

orapki wallet display

Displays the certificate requests, user certificates, and trusted certificates in an Oracle Wallet.

orapki wallet display -wallet <wallet_location>

orapki wallet export

Export certificate requests and certificates from an Oracle Wallet.

orapki wallet export -wallet <wallet_location> -dn <certificate_dn> -cert

<certificate_filename>

 

Oracle Wallet Manager CSR generation

Oracle Wallet Manager generates a certificate request in PKCS #10 format. This certificate request can be sent to a certificate authority of your choice. The procedure to generate this certificate request is as follows:

Oracle Wallet Manager

From the main menu choose the Operations menu and then select the Add Certificate Request submenu. As shown in the following screenshot, a form will be displayed where you can capture specific information.

Oracle Wallet Manager

The parameters used to request a certificate are described next:

Common Name: This parameter is mandatory. This is the user’s name or entity’s name. If you are using a user’s name, then enter it using the first name, last name format.

Organization Unit: This is the name of the identity’s organization unit. It could be the name of the department where the entity belongs (optional parameter).

Organization: This is the company’s name (optional).

Location/City: The location and the city where the entity resides (optional).

State/Province: This is the full name of the state where the entity resides. Do not use abbreviations (optional).

Country: This parameter is mandatory. It specifies the country where the entity is located.

Key Size: This parameter is mandatory. It defines the key size used when a public/private key pair is created. The key size can be as little as 512 bytes and up to 4096 bytes.

Advanced: When the parameters are introduced a Distinguished Name (DN) is assembled. If you want to customize this DN, then you can use the advanced DN configuration mode.

Oracle Wallet Manager

Once the Certificate Request form has been completed, a PKCS#10 format certificate request is generated. The information that appears between the BEGIN and END keywords must be used to request a certificate to a Certificate Authority (CA); there are several well known certificate authorities, and depending on the usage you plan for your certificate, you could address the request to a known CA (from the browser perspective) so when an end user accesses your site it doesn’t get warned about the site’s identity. If the certificate will be targeted at a local community who doesn’t mind about the certificate warning, then you may generate your own certificate or ask a CA to issue a certificate for you. For demonstration purposes, we used the Oracle Certificate Authority (OCA) included with the Oracle Application Server. OCA will provide the Certificate Authority capabilities to your site and it can issue standard certificates, suitable for the intranet users. If you are planning to use OCA then you should review the license agreements to determine if you are allowed to use it.

 

LEAVE A REPLY

Please enter your comment!
Please enter your name here