18
Using Oracle Wallet Manager
Security administrators use Oracle Wallet Manager to manage public-key security credentials on Oracle clients and servers. Oracle Wallet Manager is used to create wallets that can be later opened by using either the Oracle Enterprise Login Assistant or the Oracle Wallet Manager.
See Also:
Chapter 19, for information on how to open and close wallets for secure SSL communications by using Oracle Enterprise Login Assistant.
|
The topics are covered in the following sections:
Overview
Public-key cryptography requires entities, that want to communicate in a secure manner, to possess certain security credentials. This collection of security credentials is stored in a wallet.
Security credentials consist of a public/private key pair, a "user" certificate, a certificate chain, and "trusted" certificates. Each entity that participates in a public key system must have a public/private key pair. The public key for an entity is published in a user certificate so, for example, other entities that want to send it secure information can encrypt that information with the recipient entity's public key. Another use for a public key is for an entity that receives a communication to validate the sender's organizational affiliation--this is the most typical application in Oracle environments today. Oracle Wallet Manager generates public/private key pairs for clients and servers.
A certificate authority (CA) issues public key certificates. A certificate contains a unique serial number assigned to it by the CA, an algorithm identifier that identifies which algorithm was used to sign that certificate, the name of the CA that issued that certificate, a pair of dates between which the certificate is valid, the certificate user's name, the entity's public key, and the CA's signature.
A trusted certificate, sometimes known as a root key certificate, typically belongs to a third party entity that is trusted to issue certificates. It is obtained in a secure manner and, operationally, does not need to be validated for its authenticity each time it is accessed. A client or a server uses a trusted certificate to validate that an entity is who it claims to be by verifying that entity's certificate. Typically, certificate authorities you trust issue the user certificates. Oracle provides several default trusted certificates, so users do not have to install their own. These trusted certificates also enable servers to perform SSL authentication to clients who have wallets containing only trusted certificates.
Clients and servers use these credentials to access secure services, such as SSL, using public key cryptography. A wallet also represents a storage facility that is location and type transparent once it is opened.
Oracle Wallet Manager is a stand alone Java application that wallet owners use to manage and edit the security credentials in their Oracle wallets. These tasks include the following:
- Generating a public-private key pair and creating a certificate request for submission to a certificate authority (CA).
- Installing a certificate for the entity.
- Configuring trusted certificates for the entity.
- Opening a wallet to enable access to PKI-based services.
- Creating a wallet that can be later opened by using either the Oracle Enterprise Login Assistant or the Oracle Wallet Manager.
Security Concepts
General security concepts and their associated definitions are as follows:
Table 18-1 Security Concepts and Definitions
Using Oracle Wallet Manager with Oracle Application Server
When using the Oracle Application Server (OAS), you must install the Oracle Wallet Manager on a primary node and on each remote node in a multi-node configuration. After you install the product on each node you must then copy the wallet from the primary node to each of the remote nodes.
Starting Oracle Wallet Manager
Refer to your platform-specific documentation for instructions on how to start Oracle Wallet Manager.
Managing Wallets
This section gives you detailed instructions on how to create a new wallet and perform associated wallet management tasks such as generating certificate requests, exporting certificate requests, and importing certificates into wallets.
This section covers topics in the following subsections:
Creating a New Wallet
Create a new wallet as follows:
- Click Wallet > New from the menu bar.
The New Wallet dialog box is displayed.
- Read the recommended guidelines for creating a password, then enter a password in the Wallet Password field.
- Re-enter that password in the Confirm Password field.
- Click OK to continue.
- An Alert displays, informs you that a new empty wallet has been created, and prompts you to decide whether you want to create a certificate request: see "Creating a Certificate Request".
If you Click Cancel, you are returned to the Oracle Wallet Manager main window. The new wallet you just created is displayed in its left pane. The certificate has a status of Empty, and the wallet displays its default trusted certificates.
- Click Wallet > Save In System Default to save the new wallet.
If you do not have permission to save the wallet in the System Default, you can save it to another location.
A message at the bottom of the window informs you that the wallet was successfully saved.
Note:
Because an Oracle wallet contains a user's credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong password for the wallet. If a malicious user guesses the password to a user's wallet, then the malicious user could access all the databases that the user can access.
Oracle Corporation recommends that you choose a password that is not too short, is not easily guessed, and has some complexity (such as including a symbol or numeric character). A reasonably strong password has at least six characters, and contains at least one symbol or number (so that it is not a word that can be found in the dictionary), for example, gol8fer . Also, it is prudent security practice for users to change their passwords periodically, such as once a month, or once a quarter.
|
Opening an Existing Wallet
Open a wallet that already exists in the file system directory as follows:
- Click Wallet > Open from the menu bar.
The Select Directory dialog box displays.
- Navigate to the correct directory location in which the wallet is located.
- Click to select the directory.
- Click OK.
The Open Wallet dialog box displays.
- Enter the wallet password in the Wallet Password field.
- Click OK.
- A message at the bottom of the window displays the message "Wallet opened successfully".
- You are returned to the Oracle Wallet Manager main window. The wallet's certificate and its trusted certificates are displayed in the left pane.
Closing a Wallet
Close an open wallet as follows.
- Click Wallet > Close to close the open wallet in the currently selected directory.
- A message at the bottom of the window confirms that the wallet is closed.
Saving Changes
Save your changes to the current open wallet as follows.
- Click Wallet > Save to save changes to the current open wallet.
- A message at the bottom of the window confirms that the wallet changes were successfully saved to the wallet in the selected directory location.
Saving the Open Wallet to a New Location
Use the Save As option to save the current open wallet to a new directory location.
- Click Wallet > Save As.
The Select Directory dialog box displays.
- Select the directory location in which to save the wallet.
- Click OK.
Note:
You will get the following message if a wallet already exists in the selected directory: "A wallet already exists in the selected path. Do you want to overwrite it?". Click Yes to overwrite the existing wallet, or click No to save the wallet to another directory.
|
- A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.
Saving in System Default
Use the Save in System Default menu option to save the current open wallet to the system default directory location. This will make the current open wallet the wallet that will be used by SSL.
- Click Wallet > Save in System Default.
- A message at the bottom of the window confirms that the wallet was successfully saved in the system default wallet location.
Deleting the Wallet
Delete the current open wallet as follows:
- Click Wallet > Delete.
- The Delete Wallet dialog box appears.
- Review the displayed wallet location to verify you are deleting the correct wallet.
- Enter the wallet password.
- Click OK.
- A dialog panel appears to inform you that the wallet was successfully deleted.
Note:
Any open wallet in an application memory will remain in memory until the application exits. Therefore, deleting a wallet that is currently in use using Oracle Wallet Manager will not immediately affect system operation.
|
Changing the Password
A password change becomes effective immediately. The wallet is saved to the currently selected directory encrypted with the new password.
Change the password on the current open wallet as follows:
- Click Wallet > Change Password.
The Change Wallet Password dialog box appears.
- Enter the existing wallet password.
- Enter the new password. Remember to follow the password guidelines.
- Re-enter the new password.
- Click OK.
A message at the bottom of the window informs you that the password was successfully changed.
Using Auto Login
The Oracle Wallet Manager Auto Login feature opens a copy of the wallet and enables PKI-based access to secure services as long as the wallet in the specified directory is open in memory.
You need to enable Auto Login if you want single sign-on to multiple Oracle databases.
Enabling Auto Login
Enable Auto Login as follows:
- Click Wallet from the menu bar.
- Click the check box next to the Auto Login menu item.
- A message at the bottom of the window displays "Autologin enabled."
Disabling Auto Login
Disable Auto Login as follows:
- Click Wallet from the menu bar.
- Click the check box next to the Auto Login menu item.
- A message at the bottom of the window displays "Autologin disabled."
Managing Certificates
Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. This section explains how to manage both kinds of certificate, and does so in the following subsections:
Managing User Certificates
Managing user certificates involves performing the following tasks:
Creating a Certificate Request
The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you can not edit an existing certificate request, so only store a correctly filled out certificate request in a wallet.
Create a PKCS #10 certificate request as follows:
- Click Operations > Create Certificate Request.
The Create Certificate Request dialog box displays.
- Enter the following information:
Table 18-2 Create a Certificate Request Fields and Definitions
- Click OK. An Oracle Wallet Manager dialog box informs you that a certificate request was successfully created. You can now either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message that you send to a certificate authority, or you can export the certificate request to a file.
- Click OK. You are returned to the Oracle Wallet Manager main window. The status of the certificate is changed to Requested.
Exporting a User Certificate Request
You save the certificate request in a file system directory when you elect to export a certificate request.
- Click Operations > Export Certificate Request from the menu bar.
The Export Certificate Request dialog box appears.
- Enter the file system directory in which to save your certificate request, or navigate the directory structure under Folders.
- Enter the name of the file to which you want to save your certificate request in the Enter File Name field.
- Click OK. A message at the bottom of the window confirms that the certificate request was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.
Importing the User Certificate into the Wallet
You will receive an e-mail notification from the certificate authority informing you that your certificate request has been fulfilled. Import the certificate into a wallet in either of two ways: copy and paste the certificate from the e-mail you receive from the certificate authority, or import the user certificate from a file.
Pasting the certificate
To paste the certificate:
- Copy the certificate text from the e-mail or file you receive from the certificate authority. Include the lines Begin Certificate and End Certificate.
- Click Operations > Import User Certificate from the menu bar.
The Import Certificate dialog box appears.
- Click the Paste the Certificate radio button, and click OK.
An Import Certificate dialog box appears with the following message: "Please provide a base64 format certificate and paste it below."
- Paste the certificate into the dialog box, and click OK. A message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the wallet status changes to Ready.
Selecting a File that Contains the Certificate
To select the file:
- Click Operations > Import User Certificate from the menu bar.
- Click the Select a file... certificate radio button, and click OK.
The Import Certificate dialog box appears.
- Enter the path or folder name of the certificate location.
- Click to select the name of the certificate file (for example,
cert.txt
).
- Click OK. A message at the bottom of the window displays to inform you that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the wallet status is changes to Ready.
Removing a User Certificate from a Wallet
- Click Operations > Remove User Certificate.
A dialog panel appears and prompts you to verify that you want to remove the user certificate from the wallet.
- Click Yes. You are returned to the Oracle Wallet Manager main panel, and the certificate will display a status of Requested.
Managing Trusted Certificates
A trusted certificate is the certificate of the issuer of the certificate you requested. Managing trusted certificates consists of performing the tasks discussed in the following sections:
Importing a Trusted Certificate
You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file.
Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, and GTE CyberTrust when you create a new wallet.
Pasting the Trusted Certificate
To paste the trusted certificate:
- Click Operations > Import Trusted Certificate from the menu bar. The Import Trusted Certificate dialog panel appears.
- Click the Paste the Certificate radio button, and click OK. An Import Trusted Certificate dialog panel appears with the following message: "Please provide a base64 format certificate and paste it below".
- Copy the trusted certificate from the body of the e-mail you received that also contained the user certificate. Include the lines Begin Certificate and End Certificate.
- Paste the certificate into the window, and click OK. A message at the bottom of the window informs you that the trusted certificate was successfully installed.
- Click OK.
You are returned to the Oracle Wallet Manager main panel, and the trusted certificate is displayed at the bottom of the Trusted Certificates tree.
Selecting a File that Contains the Trusted Certificate
To select the file:
- Click Operations > Import Trusted Certificate from the menu bar. The Import Trusted Certificate dialog panel displays.
- Enter the path or folder name of the trusted certificate location.
- Select the name of the trusted certificate file, for example,
cert.txt
.
- Click OK. A message at the bottom of the window displays to inform you that the trusted certificate was successfully imported into the wallet.
- Click OK to dismiss the dialog panel. You are returned to the Oracle Wallet Manager main panel, and the trusted certificate is displayed at the bottom of the Trusted Certificates tree.
Removing a Trusted Certificate
Remove a trusted certificate from a wallet as follows:
- Select the trusted certificate listed in the Trusted Certificates tree.
- Click Operations > Remove Trusted Certificate from the menu bar.
A dialog panel displays and warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.
- Click Yes. The selected trusted certificate is removed from the Trusted Certificates tree.
Warning:
Certificates that are signed by a trusted certificate are no longer verifiable when you remove that trusted certificate from your wallet.
Also, you cannot remove a trusted certificate if it has been used to sign a user certificate that is still present in the wallet. To remove such a trusted certificate, you must first remove the certificates that it has signed.
|
Exporting a Trusted Certificate
Export a trusted certificate to another file system location as follows:
- Click Operations > Export Trusted Certificate.
The Export Trusted Certificate dialog box appears.
- Enter the file system directory in which to save your trusted certificate, or click Browse to display the directory structure.
- Enter the name of the file to which you want to save your trusted certificate.
- Click OK. You are returned to the Oracle Wallet Manager main window.
Exporting All Trusted Certificates
Export all of your trusted certificates to another file system location as follows:
- Click Operations > Export All Trusted Certificates. The Export Trusted Certificate dialog box appears.
- Enter the file system directory in which to save your trusted certificates, or click Browse to display the directory structure.
- Enter the name of the file to which you want to save your trusted certificates.
- Click OK. You are returned to the Oracle Wallet Manager main window
Exporting a Wallet
Export a wallet to text-based PKI formats. Individual components will be formatted according to the following standards: