Oracle® Application Server 10g Security Guide 10g (9.0.4) Part Number Part No. B10377-01 |
|
Security administrators use Oracle Wallet Manager to manage public key security credentials on Oracle clients and servers. The wallets it creates can be read by the Oracle database, Oracle Application Server, and the Oracle Identity Management infrastructure.
This appendix describes Oracle Wallet Manager, and contains the following topics:
Oracle Wallet Manager is an application that wallet owners use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform basic tasks such as creating wallets, generating certificate requests, and opening wallets to access PKI-based services. In addition, Oracle Wallet Manager can be used to upload wallets to and download them from an LDAP directory. Oracle Wallet Manager can also be used to import third-party PKCS #12-format wallets, and export Oracle wallets to a third-party environment.
Oracle Wallet Manager provides the following features:
Oracle wallets are password protected. Oracle Wallet Manager includes an enhanced wallet password management module that enforces Password Management Policy guidelines, including the following:
Oracle Wallet Manager stores private keys associated with X.509 certificates, requiring strong encryption, and uses Triple-DES encryption--a substantially stronger encryption algorithm.
Oracle Wallet Manager lets you optionally store multiple Oracle wallets in the user profile area of the Microsoft Windows system registry or in a Windows file management system. Storing your wallets in the registry provides the following benefits:
Oracle Wallet Manager is backward-compatible to Release 8.1.5.
RSA Laboratories, a division of RSA Security, Inc., has developed, in cooperation with representatives from industry, academia, and government, a family of basic cryptography standards called Public-Key Cryptography Standards, or PKCS for short. These standards have been developed to establish interoperability between computer systems that use public-key technology to secure data across intranets and the Internet.
Oracle Wallet Manager stores X.509 certificates and private keys in PKCS #12 format, and generates certificate requests according to the PKCS #10 specification. This makes the Oracle wallet structure interoperable with supported third-party PKI applications, and provides wallet portability across operating systems.
See Also:
|
Oracle Wallet Manager allows you to store multiple certificates for each wallet, supporting the following Oracle PKI certificate usages:
Oracle Wallet Manager supports multiple certificates for a single digital entity, where each certificate can be used for a set of Oracle PKI certificate usages, but the same certificate cannot be used for all such usages (See Table A-2 and Table A-3 for legal usage combinations). There must be a one-to-one mapping between certificate requests and certificates. The same certificate request can be used to obtain multiple certificates; however, more than one certificate for each certificate request cannot be installed in the same wallet at the same time.
Oracle Wallet Manager uses the X.509 Version 3 KeyUsage
extension to define Oracle PKI certificate usages (Table A-1):
Value | Usage |
---|---|
0 |
digitalSignature |
1 |
nonRepudiation |
2 |
keyEncipherment |
3 |
dataEncipherment |
4 |
keyAgreement |
5 |
keyCertSign |
6 |
cRLSign |
7 |
encipherOnly |
8 |
decipherOnly |
When installing a certificate (user certificate or trusted certificate), Oracle Wallet Manager maps the KeyUsage
extension values to Oracle PKI certificate usages, as specified in Table A-2 and Table A-3.
KeyUsage Value | Critical?Foot 1 | Usage |
---|---|---|
none |
na |
Certificate is importable for SSL or S/MIME encryption use. |
0 alone, or any combination including 0 but excluding 5 and 2 |
na |
Accept certificate for S/MIME signature or code-signing use. |
1 alone |
Yes |
Not importable. |
1 alone |
No |
Accept certificate for S/MIME signature or code-signing use. |
2 alone, or 2 + any combination excluding 5 |
na |
Accept certificate for SSL or S/MIME encryption use. |
5 alone, or any combination including 5 |
na |
Accept certificate for CA certificate signing use. |
Any settings not listed previously |
Yes |
Not importable. |
No |
Certificate is importable for SSL or S/MIME encryption use. |
1
If the KeyUsage extension is critical, the certificate cannot be used for other purposes. |
KeyUsage Value |
Critical?Foot 1 | Usage |
---|---|---|
none |
na |
Importable. |
Any combination excluding 5 |
Yes |
Not importable. |
No |
Importable. |
|
5 alone, or any combination including 5 |
na |
Importable. |
1
If the KeyUsage extension is critical, the certificate cannot be used for other purposes. |
You should obtain certificates from the certificate authority with the correct KeyUsage
value for the required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages, as indicated by Table A-2 and Table A-3. Oracle PKI applications use the first certificate containing the required PKI certificate usage.
For example: For SSL usage, the first certificate containing the SSL Oracle PKI certificate usage is used.
Oracle Wallet Manager can upload wallets to and retrieve them from an LDAP-compliant directory. Storing wallets in a centralized LDAP-compliant directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication while providing centralized wallet management throughout the wallet life cycle. To prevent accidental over-write of functional wallets, only wallets containing an installed certificate can be uploaded.
Enterprise users must be defined and configured in the LDAP directory before Oracle Wallet Manager can be used to upload or download wallets for a user. If a directory contains Oracle8i (or prior) users, they are automatically upgraded to use the wallet upload and download feature on first use.
Oracle Wallet Manager downloads a user wallet by using a simple password-based connection to the LDAP directory. However, for uploads it uses an SSL connection if the open wallet contains a certificate with SSL Oracle PKI certificate usage. If an SSL certificate is not present in the wallet, password-based authentication is used.
See Also:
|
To start Oracle Wallet Manager:
>
Programs >
Oracle-HOME_NAME >
Network Administration >
Wallet Manager
owm
.
This section describes how to create a new wallet and perform associated wallet management tasks, such as generating certificate requests, exporting certificate requests, and importing certificates into wallets, in the following subsections:
Because an Oracle wallet contains user credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong wallet password. A malicious user who guesses the wallet password can access all the databases to which the wallet owner has access.
Passwords must contain at least eight characters that consist of alphabetic characters combined with numbers or special characters.
To create a PKCS #12 wallet that stores credentials in a directory on your file system, perform the following tasks:
>
New from the menu bar. The New Wallet dialog box appears.
Password must have a minimum length of eight characters, and contain alphabetic characters combined with numbers or special characters. Do you want to try again?
If you choose No, you are returned to the Oracle Wallet Manager main window. The new wallet you just created appears in the left window pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates.
If you do not have permission to save the wallet in the system default, you can save it to another location. This location must be used in the SSL configuration for clients and servers.
A message at the bottom of the window confirms that the wallet was successfully saved.
On Windows platforms, if you are using Oracle Application Server Web Cache in a standalone environment, you must take special actions to enable wallets to open.
Oracle Application Server Web Cache attempts to open wallets at startup. On Windows, wallets are protected so that only the user that created them can open and use them. In a standalone environment, the Oracle Application Server Web Cache admin and cache processes are Windows services. By default, Oracle Application Server services, including Oracle Application Server Web Cache, are associated with the local system account, which does not have permission to open wallets.
To enable Oracle Application Server Web Cache to open wallets at startup:
On Windows NT, additionally grant the wallet administrator the right to run Oracle Application Server Web Cache as a service:
The User Manager window appears.
The User Rights Policy dialog box appears.
If Users does not exist, create it:
The User Manager window reappears.
Open a wallet that already exists in the file system directory as follows:
>
Open from the menu bar. The Select Directory dialog box appears.
You are returned to the main window and a message appears at the bottom of the window indicating the wallet was opened successfully. The wallet's certificate and its trusted certificates are displayed in the left window pane.
To close an open wallet in the currently selected directory:
Choose Wallet >
Close.
A message appears at the bottom of the window to confirm that the wallet is closed.
Third-party wallets are those where the certificate requests have been generated without using Oracle Wallet Manager. Oracle Wallet Manager can import and support the following PKCS #12-format wallets, subject to procedures and limitations specific to the program you use:
To import a third-party wallet, perform the following tasks:
For UNIX and Windows, the appropriate file name is ewallet.p12
.
For other operating systems, see the Oracle documentation for that specific operating system.
Note: Because browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection. You can use Oracle Wallet Manager to import trusted certificates. |
Oracle Wallet Manager can export its own wallets to third-party environments.
To export a wallet to third-party environments:
ewallet.p12
on UNIX and Windows platforms).
You can export a wallet to a text-based PKI format if you want to put a wallet into a tool that does not support PKCS #12. Individual components are formatted according to the standards listed in Table A-5. Within the wallet, only those certificates with SSL key usage are exported with the wallet.
To export a wallet to text-based PKI format:
Table A-5 PKI Wallet Encoding Standards
Component | Encoding Standard |
---|---|
Certificate chains |
X509v3 |
Trusted certificates |
X509v3 |
Private keys |
PKCS #8 |
To upload a wallet to an LDAP directory, Oracle Wallet Manager uses SSL if the specified wallet contains an SSL certificate. Otherwise, it lets you enter the directory password.
To prevent accidental destruction of your wallet, Oracle Wallet Manager will not permit you to execute the upload option unless the target wallet is currently open and contains at least one user certificate.
To upload a wallet:
>
Upload Into The Directory Service.... If the currently open wallet has not been saved, a dialog box appears with the following message:
Wallet needs to be saved before uploading.
Choose Yes to proceed.
SSL
key usage. Depending on whether a certificate with SSL
key usage is found in the wallet, one of the following results occur:
If the connection fails, a dialog box prompts for the directory password of the specified DN. Oracle Wallet Manager attempts connection to the LDAP directory server using this password and displays a warning message if the attempt fails. Otherwise, Oracle Wallet Manager displays a status message at the bottom of the window indicating that the upload was successful.
When a wallet is downloaded from an LDAP directory, it is resident in working memory. It is not saved to the file system unless you expressly save it using any of the Save options described in the following sections.
To download a wallet from an LDAP directory:
>
Download From The Directory Service....
Depending on whether the downloading operation succeeds or not, one of the following results occurs:
If Oracle Wallet Manager cannot open the target wallet using the wallet password, then check to make sure you entered the correct password. Otherwise a message displays at the bottom of the window, indicating that the wallet was downloaded successfully.
To save your changes to the current open wallet:
Choose Wallet >
Save.
A message at the bottom of the window confirms that the wallet changes were successfully saved to the wallet in the selected directory location.
To save open wallets to a new location, use the Save As... menu option:
>
Save As.... The Select Directory dialog box appears.
The following message appears if a wallet already exists in the selected location:
A wallet already exists in the selected path. Do you want to overwrite it?
Choose Yes to overwrite the existing wallet, or No to save the wallet to another location.
A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.
To save wallets in the default directory location, use the Save In System Default menu option:
Choose Wallet >
Save In System Default.
A message at the bottom of the window confirms that the wallet was successfully saved in the system default wallet location as follows for UNIX and Windows platforms:
ORACLE_HOME
/admin/
ORACLE_SID
\
ORACLE_HOME\rdbms\admin
To delete the current open wallet:
A password change is effective immediately. The wallet is saved to the currently selected directory, with the new encrypted password.
Note: If you are using a wallet with auto login enabled, you must regenerate the auto login wallet after changing the password. See "Using Auto Login" |
To change the password for the current open wallet:
>
Change Password. The Change Wallet Password dialog box appears.
A message at the bottom of the window confirms that the password was successfully changed.
See Also:
|
The Oracle Wallet Manager auto login feature creates an obfuscated copy of the wallet and enables PKI-based access to services without a password until the auto login feature is disabled for the wallet. The file system permissions provide the necessary security for auto login wallets. When auto login is enabled for a wallet, it is only available to the operating system user who created that wallet.
You must enable auto login if you want single sign-on access to multiple Oracle databases, which is disabled by default. Sometimes these are called "OracleAS Single Sign-On wallets" because they provide single sign-on capability.
To enable auto login:
To disable auto login:
Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. All certificates are signed data structures that bind a network identity with a corresponding public key. User certificates are used by end entities, including server applications, to validate an end entity's identity in a public key/private key exchange. In comparison, trusted certificates are any certificates that you trust, such as those provided by CAs to validate the user certificates that they issue.
This section describes how to manage both certificate types, in the following subsections:
User certificates can be used by end users, smart cards, or applications, such as Web servers. Server certificates are a type of user certificate. For example, if a CA issues a certificate for a Web server, placing its distinguished name (DN) in the Subject field, then the Web server is the certificate owner, thus the "user" for this user certificate. User certificates do not validate other user certificates, except when they are used as a trusted certificate in a user-centric trust model.
See Also:
Understanding Public-Key Infrastructure, a third-party publication, listed in the Preface under "Related Documentation", for a discussion of user-centric and other trust models. |
Managing user certificates involves the following tasks:
You can add multiple certificate requests with Oracle Wallet Manager. When adding multiple requests, Oracle Wallet Manager automatically populates each subsequent request dialog box with the content of the initial request that you can then edit.
The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you cannot edit an existing certificate request. Store only a correctly filled out certificate request in a wallet.
To create a PKCS #10 certificate request:
>
Add Certificate Request. The Add Certificate Request dialog box appears.
Table A-6 Certificate Request: Fields and Descriptions
Field Name | Description |
---|---|
Common Name |
Mandatory. Enter the name of the user's or service's identity. Enter a user's name in first name /last name format. Example: Eileen.Sanger |
Organizational Unit |
Optional. Enter the name of the identity's organizational unit. Example: Finance. |
Organization |
Optional.Enter the name of the identity's organization. Example: XYZ Corp. |
Locality/City |
Optional. Enter the name of the locality or city in which the identity resides. |
State/Province |
Optional. Enter the full name of the state or province in which the identity resides. Enter the full state name, because some certificate authorities do not accept two-letter abbreviations. |
Country |
Mandatory. Choose to view a list of country abbreviations. Select the country in which the organization is located. |
Key Size |
Mandatory. Choose to view a list of key sizes to use when creating the public/private key pair. See Table A-7 to evaluate key size. |
Advanced |
Optional. Choose Advanced to view the Advanced Certificate Request dialog panel. Use this field to edit or customize the identity's distinguished name (DN). For example, you can edit the full state name and locality. |
Table A-7 lists the available key sizes and the relative security each size provides. Typically, CAs use key sizes of 1024 or 2048. When certificate owners wish to keep their keys for a longer duration, they choose 3072 or 4096 bit keys.
Key Size | Relative Security Level |
---|---|
512 or 768 |
Not regarded as secure. |
1024 or 2048 |
Secure. |
3072 or 4096 |
Very secure. |
The certificate authority sends you an e-mail notification when your certificate request has been fulfilled. Import the certificate into a wallet in either of two ways: copy and paste the certificate from the certificate authority's e-mail, or import the user certificate from a file.
Begin Certificate
and End Certificate.
>
Import User Certificate.... The Import Certificate dialog box appears.
Please provide a base64 format certificate and paste it below.
The file containing the user certificate should have been saved in BASE64 format.
>
Import User Certificate.... The Import Certificate dialog box appears.
cert.txt
).
To remove a user certificate from a wallet:
>
Remove User Certificate.... A dialog panel appears and prompts you to verify that you want to remove the user certificate from the wallet.
You must remove a certificate before removing its associated request.
To remove a certificate request:
To save the certificate in a file system directory, export the certificate by using the following steps:
>
Export User Certificate... from the menu bar. The Export Certificate dialog box appears.
To save the certificate request in a file system directory, export the certificate request by using the following steps:
>
Export Certificate Request.... The Export Certificate Request dialog box appears.
Managing trusted certificates includes the following tasks:
You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file.
Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet.
Begin Certificate
and End Certificate.
>
Import Trusted Certificate... from the menu bar. The Import Trusted Certificate dialog panel appears.
Please provide a base64 format certificate and paste it below.
>
Import Trusted Certificate.... The Import Trusted Certificate dialog panel appears.
cert.txt)
.
You cannot remove a trusted certificate if it has been used to sign a user certificate still present in the wallet. To remove such trusted certificates, you must first remove the certificates it has signed. Also, you cannot verify a certificate after its trusted certificate has been removed from your wallet.
To remove a trusted certificate from a wallet:
>
Remove Trusted Certificate... from the menu bar.
A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.
To export a trusted certificate to another file system location:
>
Export Trusted Certificate.... The Export Trusted Certificate dialog box appears.
To export all of your trusted certificates to another file system location:
>
Export All Trusted Certificates.... The Export Trusted Certificate dialog box appears.
Oracle Wallet Manager can be used to manage certificates issued by OracleAS Certificate Authority like any other credentials that comply with PKCS #12.
To use certificates from OracleAS Certificate Authority:
BEGIN NEW CERTIFICATE REQUEST
and END NEW CERTIFICATE REQUEST
to your system's clipboard.
When the OracleAS Certificate Authority administrator notifies you that your certificate has been issued, download the file to your file system, and import it into Oracle Wallet Manager by using the method described in "Importing the User Certificate into the Wallet".
|
![]() Copyright © 2003 Oracle Corporation. All Rights Reserved. |
|