Release 9.0.1
Part Number A90150-01
 Home |
 Book List |
 Contents |
 Index |  Master Index |  Feedback |
| Oracle Advanced Security Administrator's Guide Release 9.0.1 Part Number A90150-01 |
|
Security administrators use Oracle Wallet Manager to manage public-key security credentials on Oracle clients and servers. The wallets it creates are opened by using either Oracle Enterprise Login Assistant or Oracle Wallet Manager.
This chapter describes Oracle Wallet Manager, and contains the following topics:
|
See Also:
Chapter 17, Using Oracle Enterprise Login Assistant, for information about how to open and close wallets for secure SSL communications using Oracle Enterprise Login Assistant |
Traditional private-key or symmetric-key cryptography requires that entities desiring to establish secure communications possess a single secret key known only to them. Harriet and Dick, for example, could agree to shift each letter in their private messages by two character positions (A becomes C, B becomes E, and so on) to encrypt the message text. Using this method, a HELLO message from Harriet to Dick would read JGNNP. The actual encryption methods in current use are much more complex and significantly more secure, but an underlying problem remains--sending messages encrypted with a single key requires prior, secure distribution of the key to each participating party. Otherwise, a malicious third party might obtain the key, intercept communications, and compromise security. Public-key cryptography addresses this problem, by providing a secure method for key distribution.
Public-key cryptography requires a party to possess a public/private key pair. The private key is kept secret and is known only to that party. The public key, as the name implies, is freely available. To send a secret message to this party requires that a third party sender encrypt the message with the public key. Such a message can only be decrypted by a party holding the associated private key.
For example, when Dick wants to send a secure message to Harriet, he first asks Harriet for her public key (or obtains it from another, public source). Harriet gives Dick the public key, but Tom, a malicious eavesdropper, also obtains the public key. Nevertheless, when Dick sends Harriet a message encrypted with her public key, Tom cannot decrypt it; the message can only be decrypted with Harriet's private key.
Public-key algorithms thus guarantee the secrecy of a message, but they don't guarantee secure communications because they don't verify the identities of the communicating parties. In order to establish secure communications, it is important to verify that the public key used to encrypt a message does in fact belong to the target recipient. Otherwise, a third party can potentially eavesdrop on the communication and intercept public key requests, substituting its public key for a legitimate key.
If Tom, for example, is able to substitute his public key for Harriet's public key and send it to Dick, Dick might then send a message to Harriet encrypted with Tom's public key--believing he was using Harriet's public key. Tom could then decrypt a subsequent intercepted message from Dick using his private key, re-encrypt it with Harriet's public key and re-transmit it to Harriet. Harriet could then decrypt the incoming message using her private key, and never know that it had been intercepted by Tom--the man-in-the-middle.
In order to avoid such a man-in-the-middle attack, it is necessary to verify the owner of the public key, a process called authentication. Authentication can be accomplished through a certificate authority (CA).
A CA is a third party that is trusted by both of the parties attempting secure communication. The CA issues public key certificates that contain an entity's name, public key, and certain other security credentials. Such credentials typically include the CA name, the CA signature, and the certificate effective dates (From Date, To Date).
The CA uses its private key to encrypt a message, while the public key is used to decrypt it, thus verifying that the message was encrypted by the CA. The CA public key is well known, and does not have to be authenticated each time it is accessed. Such CA public keys are stored in an Oracle wallet.
Oracle Wallet Manager includes an enhanced wallet password management module that enforces Password Management Policy guidelines, including the following:
Oracle Wallet Manager stores private keys associated with X.509 certificates, requiring strong encryption. Accordingly, Release 9.0.1 replaces DES encryption with 3-key Triple-DES--a substantially stronger encryption algorithm.
Oracle Wallet Manager lets you optionally store multiple Oracle wallets in the user profile area of the Microsoft Windows System Registry (for Windows 95/98/ME/NT 4.0/2000), or in a Windows file management system. Storing your wallets in the registry provides the following benefits:
Oracle Wallet Manager is a stand-alone Java application that wallet owners use to manage and edit the security credentials in their Oracle wallets. These tasks include the following:
Oracle Wallet Manager is backward-compatible to Release 8.1.5.
Oracle Wallet Manager stores X.509 certificates and private keys in industry-standard, PKCS #12 format. This makes the Oracle wallet structure interoperable with supported third party PKI applications, and provides wallet portability across operating systems.
Oracle Wallet Manager can import and support the following PKCS #12-format wallets, subject to product-specific procedures and limitations:
To import a third-party wallet:
For UNIX and Windows NT, the file name is ewallet.p12.
For other platforms, see the platform-specific documentation.
See Also: Importing a Trusted Certificate.
|
Notes:
|
Oracle Wallet Manager can export its own wallets to third party environments. To export a wallet:
ewallet.p12 on UNIX and NT platforms).
Oracle wallet tools (Oracle Wallet Manager, Enterprise Login Assistant) support multiple certificates for each wallet, supporting the following Oracle PKI certificate usages:
Oracle Wallet Manager supports multiple certificates for a single digital entity, where each certificate can be used for a set of Oracle PKI certificate usages--but the same certificate cannot be used for all such usages (See: Tables 16-2 and 16-3 for legal usage combinations). There must be a one-to-one mapping between certificate requests and certificates. The same certificate request can be used to obtain multiple certificates. More than one certificate cannot be installed in the same wallet at the same time.
Oracle Wallet Manager uses X.509 V3 extension KeyUsage to define Oracle PKI certificate usages (Table 16-1):
| Value | Usage |
|---|---|
|
0 |
digitalSignature |
|
1 |
nonRepudiation |
|
2 |
keyEncipherment |
|
3 |
dataEncipherment |
|
4 |
keyAgreement |
|
5 |
keyCertSign |
|
6 |
cRLSign |
|
7 |
encipherOnly |
|
8 |
decipherOnly |
When installing a certificate (user certificate, trusted certificate), Oracle Wallet Manager uses Tables 16-2 and 16-3 to map the KeyUsage extension values to Oracle PKI certificate usages:
| KeyUsage Value | Critical?Foot 1 | Usage |
|---|---|---|
|
none |
na |
Certificate is importable for SSL or S/MIME encryption use. |
|
0 alone, or any combination including 0 but excluding 5 and 2 |
na |
Accept certificate for S/MIME signature or code-signing use. |
|
1 alone |
Yes |
Not importable. |
|
No |
Accept certificate for S/MIME signature or code-signing use. |
|
|
2 alone, or 2 + any combination excluding 5 |
na |
Accept certificate for SSL or S/MIME encryption use. |
|
5 alone, or any combination including 5 |
na |
Accept certificate for CA certificate signing use. |
|
Any settings not listed above |
Yes |
Not importable. |
|
No |
Certificate is importable for SSL or S/MIME encryption use. |
|
1
If the KeyUsage extension is critical, the certificate cannot be used for other purposes. |
|
KeyUsage Value |
Critical?Foot 1 | Usage |
|---|---|---|
|
none |
na |
Importable. |
|
Any combination excluding 5 |
Yes |
Not importable. |
|
No |
Importable. |
|
|
5 alone, or any combination including 5 |
na |
Importable. |
|
1
If the KeyUsage extension is critical, the certificate cannot be used for other purposes. |
You should obtain certificates from the certificate authority with the correct KeyUsage value for the required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages, as indicated by Tables 16-2 and 16-3. Oracle PKI applications use the first certificate containing the required PKI certificate usage.
For example: For SSL usage, the first certificate containing the SSL Oracle PKI certificate usage is used.
Oracle Wallet Manager can upload wallets to--and retrieve them from--an LDAP-compliant directory.
Storing wallets in a centralized LDAP-compliant directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication--while providing centralized wallet management throughout the wallet life cycle. To prevent accidental over-write of functional wallets, only wallets containing an installed certificate can be uploaded.
Oracle Wallet Manager requires that enterprise users are already defined and configured in the LDAP directory, to be able to upload or download wallets. If a directory contains Oracle8i (or prior) users, they are automatically upgraded to use the wallet upload/download feature--upon first use.
Oracle Wallet Manager downloads a user wallet using a simple password based connection to the LDAP directory. However, for uploads it uses an SSL connection if the open wallet contains a certificate with SSL Oracle PKI certificate usage.
If an SSL certificate is not present in the wallet, password-based authentication is used.
This section describes how to create a new wallet and perform associated wallet management tasks, such as generating certificate requests, exporting certificate requests, and importing certificates into wallets, in the following subsections:
To start Oracle Wallet Manager:
Start-->Programs-->Oracle-<ORACLE_HOME_NAME>-->Network Administration-->Wallet Manager
owm at the command line.
Create a new wallet as follows:
Wallet > New from the menu bar; the New Wallet dialog box appears.
Because an Oracle wallet contains user credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong wallet password. A malicious user who guesses the wallet password can access all the databases to which the wallet owner has access.
Oracle Wallet Manager requires that you choose a password that is at least eight characters long, and contains a mix of alphabetic and numeric or special characters.
Example: gol8fer*
It is also a prudent security practice for users to change their passwords periodically, such as once a month or once a quarter.
Password must have a minimum length of eight characters, and contain alphabetic characters combined with numbers or special characters. Do you want to try again?
If you choose Cancel, you are returned to the Oracle Wallet Manager main window. The new wallet you just created appears in the left window pane. The certificate has a status of Empty, and the wallet displays its default trusted certificates.
Wallet > Save In System Default to save the new wallet.
If you do not have permission to save the wallet in the system default, you can save it to another location.
A message at the bottom of the window informs you that the wallet was successfully saved.
Open a wallet that already exists in the file system directory as follows:
Wallet opened successfully appears at the bottom of the window, and you are returned to the Oracle Wallet Manager main window. The wallet's certificate and its trusted certificates are displayed in the left window pane.
To close an open wallet in the currently selected directory:
Wallet > Close.
Wallet closed successfully appears at the bottom of the window, to confirm that the wallet is closed.
To upload a wallet to an LDAP directory, Oracle Wallet Manager uses SSL if a SSL certificate is contained in the target wallet. Otherwise, it lets you enter the directory password. Note that both Oracle Wallet Manager and Enterprise Login Assistant can upload and download wallets interchangeably.
To prevent accidental destruction of your wallet, Oracle Wallet Manager will not permit you to execute the Upload option, unless the target wallet is currently open and contains at least one user certificate.
To upload a wallet:
Wallet>Upload into the Directory Service. If the currently open wallet has not been saved, a dialog box appears with the following message:
Wallet needs to be saved before uploading.
Choose Yes to proceed.
SSL. If at least one certificate has SSL key usage, a dialog box prompts for the server and the port. Enter the server and port information associated with the LDAP directory and choose OK. Oracle Wallet Manager attempts connection to the LDAP directory server using SSL.
Upload wallet failed
Otherwise, the following message appears:
Wallet uploaded successfully.
SSL, a dialog box prompts for the user distinguished name (DN) and the LDAP server and port information. Enter this information and choose OK. Oracle Wallet Manager attempts connection to the LDAP directory server using Simple Password Authentication mode, assuming that the wallet password is the same as the directory password.
When a wallet is downloaded from an LDAP directory, it is resident in working memory; it is not saved to the file system unless you expressly save it--using any of the Save options described in the following sections.
To download a wallet from an LDAP directory:
Wallet>Download from the Directory Service.
Download wallet failed
An opened wallet already exists in memory. Do you wish to overwrite it with the downloaded wallet?
Choose OK to open the downloaded wallet.
Open downloaded wallet failed
Otherwise the status:
Wallet downloaded successfully
is displayed at the bottom of the window.
To save your changes to the current open wallet:
Wallet > Save.
Use the Save As option to save the current open wallet to a new directory location:
The following message appears if a wallet already exists in the selected directory:
A wallet already exists in the selected path. Do you want to overwrite it?.
Choose Yes to overwrite the existing wallet, or No to save the wallet to another directory.
A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.
Use the Save in System Default menu option to save the current open wallet to the system default directory location.
Wallet > Save in System Default.
|
Note: Certain Oracle applications are not able to use the wallet if it is not in the system default location. |
To delete the current open wallet:
A password change is effective immediately. The wallet is saved to the currently selected directory, with the new encrypted password.To change the password for the current open wallet:
Wallet > Change Password; the Change Wallet Password dialog box appears.
A message at the bottom of the window confirms that the password was successfully changed.
The Oracle Wallet Manager Auto Login feature opens a copy of the wallet and enables PKI-based access to secure services--as long as the wallet in the specified directory remains open in memory.
You must enable Auto Login if you want single sign-on access to multiple Oracle databases (disabled by default).
To enable Auto Login:
To disable Auto Login:
Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. This section describes how to manage both certificate types, in the following subsections:
Managing user certificates involves the following tasks:
You can use this task to add multiple certificate requests. Note that when creating multiple requests, Oracle Wallet Manager automatically populates each subsequent request dialog box with the content of the initial request--which you can then edit.
The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you cannot edit an existing certificate request; store only a correctly filled out certificate request in a wallet.
To create a PKCS #10 certificate request:
Operations > Add Certificate Request; the Add Certificate Request dialog box appears.
Table 16-4 Certificate Request: Fields and Descriptions
| Field Name | Description |
|---|---|
|
Common Name |
Mandatory. Enter the name of the user's or service's identity. Enter a user's name in first name /last name format. |
|
Organizational Unit |
Optional. Enter the name of the identity's organizational unit. Example: Finance. |
|
Organization |
Optional.Enter the name of the identity's organization. Example: XYZ Corp. |
|
Locality/City |
Optional. Enter the name of the locality or city in which the identity resides. |
|
State/Province |
Optional. Enter the full name of the state or province in which the identity resides. Enter the full state name, because some certificate authorities do not accept two-letter abbreviations. |
|
Country |
Mandatory. Choose the drop-down list to view a list of country abbreviations. Select the country in which the organization is located. |
|
Key Size |
Mandatory. Choose the drop-down box to view a list of key sizes to use when creating the public/private key pair. See Table 16-5 to evaluate key size. |
|
Advanced |
Optional. Choose |
| Key Size | Relative Security Level |
|---|---|
|
512 |
Not regarded as secure. |
|
768 |
Provides some security. |
|
1024 |
Secure. |
Requested.
You will receive an e-mail notification from the certificate authority informing you that your certificate request has been fulfilled. Import the certificate into a wallet in either of two ways: copy and paste the certificate from the e-mail you receive from the certificate authority, or import the user certificate from a file.
To paste the certificate:
Begin Certificate and End Certificate.
Operations > Import User Certificate from the menu bar; the Import Certificate dialog box appears.
Paste the Certificate button, and choose OK; an Import Certificate dialog box appears with the following message:
Please provide a base64 format certificate and paste it below.
Ready.
To select the file:
Operations > Import User Certificate from the menu bar.
Select a file... certificate button, and choose OK; the Import Certificate dialog box appears.
cert.txt).
Ready.
Operations > Remove User Certificate; a dialog panel appears and prompts you to verify that you want to remove the user certificate from the wallet.
Requested.
To remove a certificate request:
Save the certificate in a file system directory when you elect to export a certificate:
Operations > Export User Certificate from the menu bar; the Export Certificate dialog box appears.
Save the certificate request in a file system directory when you elect to export a certificate request:
Operations > Export Certificate Request from the menu bar; the Export Certificate Request dialog box appears.
Managing trusted certificates includes the following tasks:
You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file.
Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet.
To paste the trusted certificate:
Operations > Import Trusted Certificate from the menu bar; the Import Trusted Certificate dialog panel appears.
Paste the Certificate button, and choose OK. An Import Trusted Certificate dialog panel appears with the following message:
Please provide a base64 format certificate and paste it below.
Begin Certificate and End Certificate.
To select the file:
Operations > Import Trusted Certificate from the menu bar. The Import Trusted Certificate dialog panel appears.
cert.txt).
To remove a trusted certificate from a wallet:
Operations > Remove Trusted Certificate from the menu bar.
A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.
To export a trusted certificate to another file system location:
Operations > Export Trusted Certificate; the Export Trusted Certificate dialog box appears.
To export all of your trusted certificates to another file system location:
Operations > Export All Trusted Certificates. The Export Trusted Certificate dialog box appears.
You can export a wallet to text-based PKI formats. Individual components are formatted according to the following standards (Table 16-6). Within the wallet, only those certificates with key usage SSL are exported with the wallet.
| Component | Encoding Standard |
|---|---|
|
Certificate chains |
X509v3 |
|
Trusted certificates |
X509v3 |
|
Private keys |
PKCS #8 |
|
 Copyright © 1996-2001, Oracle Corporation. All Rights Reserved. |
|