Oracle Advanced Security Administrator's Guide
Release 8.1.6
A76932-01

Library
Product
Contents
Index

Prev Next

18
Using Oracle Wallet Manager

Security administrators use Oracle Wallet Manager to manage public-key security credentials on Oracle clients and servers. Oracle Wallet Manager is used to create wallets that can be later opened by using either the Oracle Enterprise Login Assistant or the Oracle Wallet Manager.

See Also:

Chapter 19, for information on how to open and close wallets for secure SSL communications by using Oracle Enterprise Login Assistant. 

The topics are covered in the following sections:

Overview

Public-key cryptography requires entities, that want to communicate in a secure manner, to possess certain security credentials. This collection of security credentials is stored in a wallet.

Security credentials consist of a public/private key pair, a "user" certificate, a certificate chain, and "trusted" certificates. Each entity that participates in a public key system must have a public/private key pair. The public key for an entity is published in a user certificate so, for example, other entities that want to send it secure information can encrypt that information with the recipient entity's public key. Another use for a public key is for an entity that receives a communication to validate the sender's organizational affiliation--this is the most typical application in Oracle environments today. Oracle Wallet Manager generates public/private key pairs for clients and servers.

A certificate authority (CA) issues public key certificates. A certificate contains a unique serial number assigned to it by the CA, an algorithm identifier that identifies which algorithm was used to sign that certificate, the name of the CA that issued that certificate, a pair of dates between which the certificate is valid, the certificate user's name, the entity's public key, and the CA's signature.

A trusted certificate, sometimes known as a root key certificate, typically belongs to a third party entity that is trusted to issue certificates. It is obtained in a secure manner and, operationally, does not need to be validated for its authenticity each time it is accessed. A client or a server uses a trusted certificate to validate that an entity is who it claims to be by verifying that entity's certificate. Typically, certificate authorities you trust issue the user certificates. Oracle provides several default trusted certificates, so users do not have to install their own. These trusted certificates also enable servers to perform SSL authentication to clients who have wallets containing only trusted certificates.

Clients and servers use these credentials to access secure services, such as SSL, using public key cryptography. A wallet also represents a storage facility that is location and type transparent once it is opened.

Oracle Wallet Manager is a stand alone Java application that wallet owners use to manage and edit the security credentials in their Oracle wallets. These tasks include the following:

Security Concepts

General security concepts and their associated definitions are as follows:

Table 18-1 Security Concepts and Definitions
Concept  Definition 

Authentication 

The recipient of an authenticated message can be certain of the message's origin (its sender). Authentication reduces the possibility that another person has impersonated the sender of the message. 

Authorization 

The set of privileges available to an authenticated entity. 

Certificate 

An ITU x.509 v3 standard data structure that securely binds an identity to a public key. A certificate is created when an entity's public key is signed by a trusted identity: a certificate authority. This certificate ensures that the entity's information is correct and that the public key actually belongs to that entity. 

Certificate Authority 

An application that creates public key certificates with a high level of assurance and trust in this function. 

Confidentiality 

A function of cryptography. Confidentiality guarantees that only the intended recipient(s) of a message can view the message (decrypt the ciphertext). 

Cryptography 

The act of writing and deciphering secret code resulting in secure messages. 

Decryption 

The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext). 

Digital Signature 

A digital signature is created when a public key algorithm is used to sign the sender's message with the sender's private key. The digital signature assures that the document is authentic, has not been forged by another entity, has not been altered, and cannot be repudiated by the sender. 

Encryption 

The process of disguising the contents of a message (plaintext) and rendering it unreadable (ciphertext) to anyone but the intended recipient. 

Identity 

A user who is certified as being the entity it claims to be. 

Integrity 

The guarantee that the contents of the message received were not altered from the contents of the original message sent. 

Non-repudiation 

Undeniable proof of the origin, delivery, submission, or transmission of a message. 

Public-Key
Encryption 

The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using the recipient's private key.

When public-key encryption is used with symmetric key encryption, DES for example, only the DES key is encrypted with the recipient's public key. The message itself is encrypted with a DES key: this is more efficient. 

Public/Private Key Pair 

A mathematically related set of two numbers where one is called the private key and the other is called the public key. The two numbers are related, but it is mathematically infeasible to derive the private key from the public key. Public keys are typically made widely available, while private keys are available only to their owners.

Data encrypted with a public key can only be decrypted with its associated private key and vice versa. Data encrypted with a public key cannot be decrypted with the same public key. 

Trusted Certificate 

A trusted certificate, sometimes known as a root key certificate, is a third party identity that is trusted. The trust is used when an identity is being validated as the entity it claims to be. Typically, the certificate authorities you trust issue user certificates.

If there are several levels of trusted certificates, a trusted certificate at a lower level in the certificate chain does not need to have all its higher level certificates reverified. 

Wallet 

A wallet is a data structure used to store and manage security credentials for an individual entity. It implements the storage and retrieval of credentials for use with various cryptographic services. 

Wallet Resource Locator 

A wallet resource locator (WRL) provides all the necessary information to locate the wallet. It is a path to an operating system directory which contains a particular wallet. 

WRL 

See Wallet Resource Locator. 

X.509 

The public key certificate can be created in various data formats. The X.509 v3 format from ITU is a widely used format. 

Using Oracle Wallet Manager with Oracle Application Server

When using the Oracle Application Server (OAS), you must install the Oracle Wallet Manager on a primary node and on each remote node in a multi-node configuration. After you install the product on each node you must then copy the wallet from the primary node to each of the remote nodes.

Starting Oracle Wallet Manager

Refer to your platform-specific documentation for instructions on how to start Oracle Wallet Manager.

Managing Wallets

This section gives you detailed instructions on how to create a new wallet and perform associated wallet management tasks such as generating certificate requests, exporting certificate requests, and importing certificates into wallets.

This section covers topics in the following subsections:

Creating a New Wallet

Create a new wallet as follows:

  1. Click Wallet > New from the menu bar.

    The New Wallet dialog box is displayed.

  2. Read the recommended guidelines for creating a password, then enter a password in the Wallet Password field.

  3. Re-enter that password in the Confirm Password field.

  4. Click OK to continue.

  5. An Alert displays, informs you that a new empty wallet has been created, and prompts you to decide whether you want to create a certificate request: see "Creating a Certificate Request".

    If you Click Cancel, you are returned to the Oracle Wallet Manager main window. The new wallet you just created is displayed in its left pane. The certificate has a status of Empty, and the wallet displays its default trusted certificates.

  6. Click Wallet > Save In System Default to save the new wallet.

    If you do not have permission to save the wallet in the System Default, you can save it to another location.

    A message at the bottom of the window informs you that the wallet was successfully saved.

    Note:

    Because an Oracle wallet contains a user's credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong password for the wallet. If a malicious user guesses the password to a user's wallet, then the malicious user could access all the databases that the user can access.

    Oracle Corporation recommends that you choose a password that is not too short, is not easily guessed, and has some complexity (such as including a symbol or numeric character). A reasonably strong password has at least six characters, and contains at least one symbol or number (so that it is not a word that can be found in the dictionary), for example, gol8fer. Also, it is prudent security practice for users to change their passwords periodically, such as once a month, or once a quarter.  

Opening an Existing Wallet

Open a wallet that already exists in the file system directory as follows:

    1. Click Wallet > Open from the menu bar.

      The Select Directory dialog box displays.

    2. Navigate to the correct directory location in which the wallet is located.

    3. Click to select the directory.

    4. Click OK.

      The Open Wallet dialog box displays.

    5. Enter the wallet password in the Wallet Password field.

    6. Click OK.

    7. A message at the bottom of the window displays the message "Wallet opened successfully".

    8. You are returned to the Oracle Wallet Manager main window. The wallet's certificate and its trusted certificates are displayed in the left pane.

Closing a Wallet

Close an open wallet as follows.

    1. Click Wallet > Close to close the open wallet in the currently selected directory.

    2. A message at the bottom of the window confirms that the wallet is closed.

Saving Changes

Save your changes to the current open wallet as follows.

    1. Click Wallet > Save to save changes to the current open wallet.

    2. A message at the bottom of the window confirms that the wallet changes were successfully saved to the wallet in the selected directory location.

Saving the Open Wallet to a New Location

Use the Save As option to save the current open wallet to a new directory location.

    1. Click Wallet > Save As.

      The Select Directory dialog box displays.

    2. Select the directory location in which to save the wallet.

    3. Click OK.

      Note:

      You will get the following message if a wallet already exists in the selected directory: "A wallet already exists in the selected path. Do you want to overwrite it?". Click Yes to overwrite the existing wallet, or click No to save the wallet to another directory. 

    4. A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.

Saving in System Default

Use the Save in System Default menu option to save the current open wallet to the system default directory location. This will make the current open wallet the wallet that will be used by SSL.

    1. Click Wallet > Save in System Default.

    2. A message at the bottom of the window confirms that the wallet was successfully saved in the system default wallet location.

Deleting the Wallet

Delete the current open wallet as follows:

    1. Click Wallet > Delete.

    2. The Delete Wallet dialog box appears.

    3. Review the displayed wallet location to verify you are deleting the correct wallet.

    4. Enter the wallet password.

    5. Click OK.

    6. A dialog panel appears to inform you that the wallet was successfully deleted.

      Note:

      Any open wallet in an application memory will remain in memory until the application exits. Therefore, deleting a wallet that is currently in use using Oracle Wallet Manager will not immediately affect system operation. 

Changing the Password

A password change becomes effective immediately. The wallet is saved to the currently selected directory encrypted with the new password.

Change the password on the current open wallet as follows:

    1. Click Wallet > Change Password.

      The Change Wallet Password dialog box appears.

    2. Enter the existing wallet password.

    3. Enter the new password. Remember to follow the password guidelines.

    4. Re-enter the new password.

    5. Click OK.

      A message at the bottom of the window informs you that the password was successfully changed.

Using Auto Login

The Oracle Wallet Manager Auto Login feature opens a copy of the wallet and enables PKI-based access to secure services as long as the wallet in the specified directory is open in memory.

You need to enable Auto Login if you want single sign-on to multiple Oracle databases.

Enabling Auto Login

Enable Auto Login as follows:

    1. Click Wallet from the menu bar.

    2. Click the check box next to the Auto Login menu item.

    3. A message at the bottom of the window displays "Autologin enabled."

Disabling Auto Login

Disable Auto Login as follows:

    1. Click Wallet from the menu bar.

    2. Click the check box next to the Auto Login menu item.

    3. A message at the bottom of the window displays "Autologin disabled."

Managing Certificates

Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. This section explains how to manage both kinds of certificate, and does so in the following subsections:

Managing User Certificates

Managing user certificates involves performing the following tasks:

Creating a Certificate Request

The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you can not edit an existing certificate request, so only store a correctly filled out certificate request in a wallet.

Create a PKCS #10 certificate request as follows:

    1. Click Operations > Create Certificate Request.

      The Create Certificate Request dialog box displays.

    2. Enter the following information:

      Table 18-2 Create a Certificate Request Fields and Definitions

      Field Name  Description 

      Common Name 

      Mandatory--Enter the name of the user's or service's identity. Enter a user's name in First name Last name format. 

      Organizational Unit 

      Optional--Enter the name of the identity's organizational unit: for example, Finance. 

      Organization 

      Optional--Enter the name of the identity's organization, for example, XYZ Corp. 

      Locality/City 

      Optional--Enter the name of the locality or city in which the identity resides. 

      State/Province 

      Optional--Enter the full name of the state or province in which the identity resides.

      Recommendation--Enter the full state name, because some certificate authorities do not accept two-letter abbreviations. 

      Country 

      Mandatory--Click the drop down list to view a list of country abbreviations. Click to select the country in which the organization is located. 

      Key Size 

      Click the drop down box to view a list of key sizes to use when creating the public/private key pair. 

      Advanced 

      Click Advanced to view the Advanced Certificate Request dialog panel. Use this field to edit or customize the identity's distinguished name (DN). For example, you can edit the full state name and locality. 

    3. Click OK. An Oracle Wallet Manager dialog box informs you that a certificate request was successfully created. You can now either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message that you send to a certificate authority, or you can export the certificate request to a file.

    4. Click OK. You are returned to the Oracle Wallet Manager main window. The status of the certificate is changed to Requested.

Exporting a User Certificate Request

You save the certificate request in a file system directory when you elect to export a certificate request.

    1. Click Operations > Export Certificate Request from the menu bar.

      The Export Certificate Request dialog box appears.

    2. Enter the file system directory in which to save your certificate request, or navigate the directory structure under Folders.

    3. Enter the name of the file to which you want to save your certificate request in the Enter File Name field.

    4. Click OK. A message at the bottom of the window confirms that the certificate request was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.

Importing the User Certificate into the Wallet

You will receive an e-mail notification from the certificate authority informing you that your certificate request has been fulfilled. Import the certificate into a wallet in either of two ways: copy and paste the certificate from the e-mail you receive from the certificate authority, or import the user certificate from a file.

Pasting the certificate

To paste the certificate:

    1. Copy the certificate text from the e-mail or file you receive from the certificate authority. Include the lines Begin Certificate and End Certificate.

    2. Click Operations > Import User Certificate from the menu bar.

      The Import Certificate dialog box appears.

    3. Click the Paste the Certificate radio button, and click OK.

      An Import Certificate dialog box appears with the following message: "Please provide a base64 format certificate and paste it below."

    4. Paste the certificate into the dialog box, and click OK. A message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the wallet status changes to Ready.

Selecting a File that Contains the Certificate

To select the file:

    1. Click Operations > Import User Certificate from the menu bar.

    2. Click the Select a file... certificate radio button, and click OK.

      The Import Certificate dialog box appears.

    3. Enter the path or folder name of the certificate location.

    4. Click to select the name of the certificate file (for example, cert.txt).

    5. Click OK. A message at the bottom of the window displays to inform you that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the wallet status is changes to Ready.

Removing a User Certificate from a Wallet

    1. Click Operations > Remove User Certificate.

      A dialog panel appears and prompts you to verify that you want to remove the user certificate from the wallet.

    2. Click Yes. You are returned to the Oracle Wallet Manager main panel, and the certificate will display a status of Requested.

Managing Trusted Certificates

A trusted certificate is the certificate of the issuer of the certificate you requested. Managing trusted certificates consists of performing the tasks discussed in the following sections:

Importing a Trusted Certificate

You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file.

Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, and GTE CyberTrust when you create a new wallet.

Pasting the Trusted Certificate

To paste the trusted certificate:

    1. Click Operations > Import Trusted Certificate from the menu bar. The Import Trusted Certificate dialog panel appears.

    2. Click the Paste the Certificate radio button, and click OK. An Import Trusted Certificate dialog panel appears with the following message: "Please provide a base64 format certificate and paste it below".

    3. Copy the trusted certificate from the body of the e-mail you received that also contained the user certificate. Include the lines Begin Certificate and End Certificate.

    4. Paste the certificate into the window, and click OK. A message at the bottom of the window informs you that the trusted certificate was successfully installed.

    5. Click OK.

      You are returned to the Oracle Wallet Manager main panel, and the trusted certificate is displayed at the bottom of the Trusted Certificates tree.

Selecting a File that Contains the Trusted Certificate

To select the file:

    1. Click Operations > Import Trusted Certificate from the menu bar. The Import Trusted Certificate dialog panel displays.

    2. Enter the path or folder name of the trusted certificate location.

    3. Select the name of the trusted certificate file, for example, cert.txt.

    4. Click OK. A message at the bottom of the window displays to inform you that the trusted certificate was successfully imported into the wallet.

    5. Click OK to dismiss the dialog panel. You are returned to the Oracle Wallet Manager main panel, and the trusted certificate is displayed at the bottom of the Trusted Certificates tree.

Removing a Trusted Certificate

Remove a trusted certificate from a wallet as follows:

    1. Select the trusted certificate listed in the Trusted Certificates tree.

    2. Click Operations > Remove Trusted Certificate from the menu bar.

      A dialog panel displays and warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.

    3. Click Yes. The selected trusted certificate is removed from the Trusted Certificates tree.

      Warning:

      Certificates that are signed by a trusted certificate are no longer verifiable when you remove that trusted certificate from your wallet.

      Also, you cannot remove a trusted certificate if it has been used to sign a user certificate that is still present in the wallet. To remove such a trusted certificate, you must first remove the certificates that it has signed. 

Exporting a Trusted Certificate

Export a trusted certificate to another file system location as follows:

    1. Click Operations > Export Trusted Certificate.

      The Export Trusted Certificate dialog box appears.

    2. Enter the file system directory in which to save your trusted certificate, or click Browse to display the directory structure.

    3. Enter the name of the file to which you want to save your trusted certificate.

    4. Click OK. You are returned to the Oracle Wallet Manager main window.

Exporting All Trusted Certificates

Export all of your trusted certificates to another file system location as follows:

    1. Click Operations > Export All Trusted Certificates. The Export Trusted Certificate dialog box appears.

    2. Enter the file system directory in which to save your trusted certificates, or click Browse to display the directory structure.

    3. Enter the name of the file to which you want to save your trusted certificates.

    4. Click OK. You are returned to the Oracle Wallet Manager main window

Exporting a Wallet

Export a wallet to text-based PKI formats. Individual components will be formatted according to the following standards:

Component  Encoding Standard 

Certificate chains 

X509v3 

Trusted certificates 

X509v3 

Private keys 

PKCS5 

Prev Next
Oracle
Copyright © 1999 Oracle Corporation.
All Rights Reserved.

Library
Product
Contents
Index