| Oracle® Collaboration Suite Security Guide 10g Release 1 (10.1.1) Part Number B14489-02 |
|
|
View PDF |
| Oracle® Collaboration Suite Security Guide 10g Release 1 (10.1.1) Part Number B14489-02 |
|
|
View PDF |
This appendix explains how to obtain and manage security credentials for Oracle Application Server resources. Security administrators can use Oracle Wallet Manager and its command-line utility, orapki, to manage Public Key Infrastructure (PKI) credentials on Oracle clients and servers. These tools create credentials that can be read by Oracle Database, Oracle Application Server, and the Oracle Identity Management infrastructure.
This appendix contains the following topics:
Performing Certificate Validation and CRL Management With the orapki Utility
Interoperability With X.509 Certificates
Note:
If you already have certificates provisioned, then the following sections may provide all the information you need:This section describes Oracle Wallet Manager, a graphical user interface (GUI) tool used to manage PKI certificates. It contains the following topics:
Oracle Wallet Manager is an application used to manage and edit security credentials in Oracle wallets. A wallet is a password-protected container that stores authentication and signing credentials, including private keys, certificates, and trusted certificates, all of which are used by SSL for strong authentication. You can use Oracle Wallet Manager to perform the following tasks:
Create wallets
Generate certificate requests
Open wallets to access PKI-based services
Save credentials to hardware security modules by using APIs, which comply to Public Key Cryptography Standard (PKCS#11) specification
Upload wallets to and download them from an LDAP directory
Import third-party PKCS #12-format wallets to use in an Oracle environment
Export Oracle wallets to third-party environments
The following sections describe the features of Oracle Wallet Manager:
Oracle wallets are password-protected. Oracle Wallet Manager includes an enhanced wallet password management module that enforces the following password management policy guidelines:
Minimum password length: 8 characters
Maximum password length: Unlimited
Alphanumeric character mix: Required
Oracle Wallet Manager stores private keys associated with X.509 certificates and uses Triple-DES encryption.
As an option, Oracle Wallet Manager enables you to store multiple Oracle wallets in the user profile area of the Microsoft Windows system registry or in a Microsoft Windows file management system. Storing your wallets in the registry provides the following benefits:
Better Access Control: Wallets stored in the user profile area of the registry are accessible only by the associated user. User access controls for the system become, by extension, access controls for the wallets. In addition, when you log out of a system, access to your wallet is effectively prohibited.
Easier Administration: Because wallets are associated with specific user profiles, no file permissions need to be managed, and the wallets stored in the profile are automatically deleted when the user profile is deleted. Oracle Wallet Manager can be used to create and manage the wallets in the registry.
Oracle Wallet Manager lets you perform the following tasks:
Open the wallet from the registry
Save the wallet to the registry
Save the wallet to a different registry location
Delete the wallet from the registry
Open the wallet from the file system and save it to the registry
Open the wallet from the registry and save it to the file system
Oracle Wallet Manager can use PKI credentials from the following third-party applications:
Microsoft Internet Explorer 5.0 and later
Netscape Communicator 4.7.2 and later
OpenSSL
Browser PKI credential stores (those from Microsoft Internet Explorer and Netscape) hold user certificates, which contain the subject's public key and identifying information, and their associated trusted certificates. To use these credentials, you must export them from the third-party environment and save them in PKCS #12 format. Then, you can use Oracle Wallet Manager to open them for use with SSL.
Oracle Wallet Manager can upload wallets to and retrieve them from an LDAP-compliant directory. Storing wallets in a centralized LDAP-compliant directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication, while providing centralized wallet management throughout the wallet life cycle. To prevent accidental overwrite of functional wallets, only wallets containing an installed certificate can be uploaded.
Directory user entries must be defined and configured in the LDAP directory before Oracle Wallet Manager can be used to upload or download wallets for a user. Oracle Wallet Manager downloads a user wallet by using a simple password-based connection to the LDAP directory. However, for uploads, Oracle Wallet Manager uses an SSL connection, if the open wallet contains a certificate with SSL Oracle PKI certificate usage. If an SSL certificate is not present in the wallet, then password-based authentication is used.
Note:
The directory password and the wallet password are independent of each other and can be different. Oracle recommends that these passwords be maintained to be consistently different, where neither one can logically be derived from the other.To start Oracle Wallet Manager:
On Microsoft Windows, click Start, Programs, ORACLE_HOME, Network Administration, and then Wallet Manager.
On UNIX, type owm at the command prompt.
A wallet is a necessary repository in which you can securely store user certificates and the trust points needed to validate the certificates of peers.
The following steps provide an overview of the complete wallet creation process:
Use Oracle Wallet Manager to create a new wallet:
Refer to Guidelines for Creating Wallet Passwords for information about creating a wallet password
Refer to Creating a Wallet for information about creating standard wallets (store credentials on your file system) and hardware security module wallets.
Generate a certificate request. When you create a wallet with Oracle Wallet Manager, the tool automatically prompts you to create a certificate request. Refer to Adding a Certificate Request for information about creating a certificate request.
Send the certificate request to the Certificate Authority (CA) you want to use. You can copy and paste the certificate request text into an e-mail message, or you can export the certificate request to a file. Refer to Exporting a User Certificate Request. The certificate request becomes part of the wallet and must remain there until you remove its associated certificate.
When the CA sends your signed user certificate and its associated trusted certificate, you can import these certificates in the following order:
Import the trusted certificate of the CA into the wallet. Refer to Importing a Trusted Certificate. This step is optional if the new user certificate has been issued by one of the CAs whose trusted certificate is already present in Oracle Wallet Manager by default.
After you have successfully imported the trusted certificate, import the user certificate that the CA sent to you into your wallet. Refer to Importing the User Certificate Into the Wallet.
Note:
User certificates and trusted certificates in the PKCS #7 format can be imported at the same time.Set the Auto Login feature for the wallet. Refer to Using Auto Login. This step is optional.
Typically, this feature, which enables PKI-based access to services without a password, is required for most wallets. It is required for database server and client wallets. It is only optional for products that take the wallet password at the time of startup.
After completing the preceding steps, you have a wallet that contains a user certificate and its associated trust points.
This section describes how to create a wallet and perform associated wallet management tasks in the following subsections:
Because an Oracle Wallet contains user credentials that can be used to authenticate the user to multiple databases, it is important to choose a strong wallet password. A malicious user who guesses the wallet password can access all the databases to which the wallet owner has access.
Passwords must contain at least eight characters that consist of alphabetic characters combined with numbers or special characters.
Caution:
It is strongly recommended that you avoid choosing easily guessed passwords based on user names, phone numbers, or government identification numbers, such as
admin0, oracle1, or 2135551212A. This prevents a potential attacker from using personal information to deduce user passwords. It is also a prudent security practice for you to change your passwords periodically, such as once in a month or once in three months.
When you change passwords, you must regenerate Auto Login wallets.
See Also:
You can use Oracle Wallet Manager to create PKCS #12 wallets (the standard default wallet type) that store credentials in a directory on your file system. It can also be used to create PKCS #11 wallets that store credentials on a hardware security module for servers, or private keys on tokens for clients. The following sections explain how to create both types of wallets by using Oracle Wallet Manager:
Creating a Standard Wallet
Unless you have a hardware security module (a PKCS #11 device), you should use a standard wallet that stores credentials in a directory on your file system.
To create a standard wallet:
From the Wallet menu, select New. The New Wallet dialog box is displayed.
Follow the guidelines specified in Guidelines for Creating Wallet Passwords and enter a password in the Wallet Password field. This password protects unauthorized use of your credentials.
Reenter that password in the Confirm Password field.
Select Standard from the Wallet Type list.
Click OK to continue. If the entered password does not conform to the required guidelines, then the following message is displayed:
Password must have a minimum length of eight characters, and contain alphabetic characters combined with numbers or special characters. Do you want to try again?
An alert that informs you that a new empty wallet has been created appears. It prompts you to choose whether you want to add a certificate request. Refer to Adding a Certificate Request.
If you click No, then you are redirected to the Oracle Wallet Manager main window. The new wallet you just created is displayed in the left pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates.
From the Wallet menu, select Save In System Default to save the new wallet.
If you do not have permission to save the wallet in the system default, then you can save it to another location. This location must be used in the SSL configuration for clients and servers.
A message at the bottom of the window confirms that the wallet was successfully saved.
Creating a Wallet to Store Hardware Security Module Credentials
To create a wallet to store credentials on a hardware security module that complies with PKCS #11:
From the Wallet menu, select New. The New Wallet dialog box is displayed.
Follow the guidelines specified in Guidelines for Creating Wallet Passwords and enter a password in the Wallet Password field.
Reenter that password in the Confirm Password field.
Choose PKCS11 from the Wallet Type list, and click OK to continue. The New PKCS11 Wallet dialog box is displayed.
Choose a vendor name from the Select Hardware Vendor list.
Note:
In the current release of Oracle Wallet Manager, only nCipher hardware has been certified to interoperate with Oracle wallets.In the PKCS11 library filename field, enter the path to the directory in which the PKCS11 library is stored, or click Browse to find it by searching the file system.
Enter the SmartCard password, and click OK.
The SmartCard password, which is different from the wallet password, is stored in the wallet.
An alert that informs you that a new empty wallet has been created appears. It prompts you to decide whether you want to add a certificate request. Refer to Adding a Certificate Request.
If you click No, then you are redirected to the Oracle Wallet Manager main window. The new wallet you just created is displayed in the left pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates.
From the Wallet menu, select Save In System Default to save the new wallet.
If you do not have permission to save the wallet in the system default, then you can save it to another location.
A message at the bottom of the window confirms that the wallet was successfully saved.
Note:
If you change the SmartCard password or move the PKCS #11 library, then an error message appears when you try to open the wallet. Then, you are prompted to enter the new SmartCard password or the new path to the library.To open a wallet that already exists in the file system directory:
From the Wallet menu, select Open. The Select Directory dialog box is displayed.
Navigate to the directory location in which the wallet is located, and select the directory.
Click OK. The Open Wallet dialog box is displayed.
Enter the wallet password in the Wallet Password field.
Click OK.
You are redirected to the main window and a message is displayed at the bottom of the window indicating the wallet was opened successfully. The wallet certificate and its trusted certificates are displayed in the left pane.
To close an open wallet in the currently selected directory, select Close from the Wallet menu.
A message is displayed at the bottom of the window to confirm that the wallet is closed.
Oracle Wallet Manager can export its own wallets to third-party environments.
To export a wallet to third-party environments:
Use Oracle Wallet Manager to save the wallet file.
Follow the procedure specific to your third-party product to import an operating system PKCS #12 wallet file created by Oracle Wallet Manager (called ewallet.p12 on UNIX and Microsoft Windows platforms).
Note:
Oracle Wallet Manager supports multiple certificates for each wallet, but current browsers typically support import of single-certificate wallets only. For these browsers, you must export an Oracle wallet containing a single key pair.
Oracle Wallet Manager supports exporting wallets only to Netscape Communicator 4.7.2 and later, OpenSSL, and Microsoft Internet Explorer 5.0 and later.
You can export a wallet to text-based PKI format if you want to put a wallet into a tool that does not support PKCS #12. Individual components are formatted according to the standards listed in Table 6-1. Within the wallet, only those certificates with SSL key usage are exported with the wallet.
To export a wallet to text-based PKI format:
From the Operations menu, select Export Wallet.... The Export Wallet dialog box is displayed.
Enter the destination file system directory for the wallet, or navigate to the directory structure under Folders.
Enter the destination file name for the wallet.
Click OK to return to the main window.
To upload a wallet to an LDAP directory, Oracle Wallet Manager uses SSL if the specified wallet contains an SSL certificate. Otherwise, it lets you enter the directory password.
To prevent the accidental destruction of your wallet, Oracle Wallet Manager will not permit you to complete the upload option unless the target wallet is currently open and contains at least one user certificate.
To upload a wallet:
From the Wallet menu, select Upload Into The Directory Service.... If the currently open wallet has not been saved, then the following message is displayed:
Wallet needs to be saved before uploading.
Click Yes to proceed.
Wallet certificates are checked for SSL key usage. Depending on whether a certificate with SSL key usage is found in the wallet, one of the following results occur:
If at least one certificate has SSL key usage: When prompted, enter the LDAP directory server host name and port information, and then click OK. Oracle Wallet Manager attempts to connect to the LDAP directory server using SSL. A message is displayed indicating whether the wallet was uploaded successfully or if it failed.
If no certificates have SSL key usage: When prompted, enter your distinguished name (DN), the LDAP server host name and port information, and click OK. Oracle Wallet Manager attempts to connect to the LDAP directory server using simple password authentication mode, assuming that the wallet password is the same as the directory password.
If the connection fails, then you are prompted for the directory password of the specified DN. Oracle Wallet Manager attempts to connect to the LDAP directory server using this password and displays a warning message if the attempt fails. Otherwise, Oracle Wallet Manager displays a status message at the bottom of the window indicating that the upload was successful.
When a wallet is downloaded from an LDAP directory, it is stored in the working memory. It is not saved to the file system unless you explicitly save it using any of the Save options described in the following sections.
To download a wallet from an LDAP directory:
From the Wallet menu, select Download From The Directory Service....
A dialog box prompts for your DN, the LDAP directory password, host name, and port information. Oracle Wallet Manager uses simple password authentication to connect to the LDAP directory.
Depending on whether the downloading operation succeeds or not, one of the following results occurs:
If the download operation fails: Check to make sure that you have correctly entered your DN, and the LDAP server host name and port information.
If the download is successful: Click OK to open the downloaded wallet. Oracle Wallet Manager attempts to open that wallet using the directory password. If the operation fails after using the directory password, then a dialog box prompts for the wallet password.
If Oracle Wallet Manager cannot open the target wallet using the wallet password, then check to make sure that you have entered the correct password. Otherwise, a message is displayed at the bottom of the window, indicating that the wallet was downloaded successfully.
To save your changes to the current open wallet, select Save from the Wallet menu.
A message at the bottom of the window confirms that the wallet changes were successfully saved to the wallet in the selected directory location.
To save open wallets to a new location:
From the Wallet menu, select Save As.... The Select Directory dialog box is displayed.
Select a directory location to save the wallet.
Click OK.
The following message is displayed if a wallet already exists in the selected location:
A wallet already exists in the selected path. Do you want to overwrite it?
Click Yes to overwrite the existing wallet, or No to save the wallet to another location.
A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.
To save wallets in the default directory location, use the Save In System Default menu option:
From the Wallet menu, select Save In System Default.
A message at the bottom of the window confirms that the wallet was successfully saved in the system default wallet location, as follows, for UNIX and Microsoft Windows platforms:
(UNIX) ORACLE_HOME/admin/ORACLE_SID
(Microsoft Windows) ORACLE_BASE\ORACLE_HOME\rdbms\admin
Note:
SSL uses the wallet that is saved in the system default directory location.
Some Oracle applications cannot use the wallet if it is not in the system default location. Check the Oracle documentation for your specific application to determine whether wallets must be placed in the default wallet directory location.
To delete an open wallet:
From the Wallet menu, select Delete. The Delete Wallet dialog box is displayed.
Review the displayed wallet location to confirm that you are deleting the correct wallet.
Enter the wallet password.
Click OK. A dialog box is displayed that informs you that the wallet was successfully deleted.
Note:
Any open wallet in application memory will remain in memory until the application exits. Deleting a wallet that is currently in use does not immediately affect system operation.A password change is effective immediately. The wallet is saved to the currently selected directory, with the new encrypted password.
Note:
If you are using a wallet with Auto Login enabled, then you must regenerate the Auto Login wallet after changing the password. Refer to Chapter6, "Using Auto Login".To change the password for the current open wallet:
From the Wallet menu, select Change Password. The Change Wallet Password dialog box is displayed.
Enter the existing wallet password.
Enter the new password.
Reenter the new password.
Click OK.
A message at the bottom of the window confirms that the password was successfully changed.
The Oracle Wallet Manager Auto Login feature creates an obfuscated copy of the wallet and enables PKI-based access to services without a password until the Auto Login feature is disabled for the wallet. File system permissions provide the necessary security for Auto Login wallets. When Auto Login is enabled for a wallet, it is only available to the operating system user who created that wallet.
You must enable Auto Login if you want single sign-on access to multiple Oracle databases, which is disabled by default. Sometimes these are called SSO wallets because they provide single sign-on capability.
Enabling Auto Login
To enable Auto Login select Auto Login from the Wallet menu. A message at the bottom of the window indicates that Auto Login is enabled.
Disabling Auto Login
To disable Auto Login, clear Auto Login from the Wallet menu. A message at the bottom of the window indicates that Auto Login is disabled.
Oracle Wallet Manager uses two types of certificates, user certificates and trusted certificates. All certificates are signed data structures that bind a network identity with a corresponding public key. User certificates are used by end entities, including server applications, to validate the identity of an end entity in a public key/private key exchange. In comparison, trusted certificates are the certificates that you trust, such as those provided by CAs to validate the user certificates that they issue.
This section describes how to manage both certificate types, in the following subsections:
Note:
You must first install a trusted certificate from the certificate authority before you can install a user certificate issued by that authority. Several trusted certificates are installed by default when you create a new wallet.User certificates can be used by end users, smart cards, or applications, such as Web servers. Server certificates are a type of user certificate. For example, if a CA issues a certificate for a Web server by placing its DN in the Subject field, then the Web server is the certificate owner or the user for this user certificate. User certificates do not validate other user certificates, except when they are used as a trusted certificate in a user-centric trust model.
See Also:
Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations by Carlisle Adams and Steve Lloyd, a third-party publication, for a discussion of user-centric and other trust models.Managing user certificates involves the following tasks:
Adding a Certificate Request
You can add multiple certificate requests with Oracle Wallet Manager. When adding multiple requests, Oracle Wallet Manager automatically populates each subsequent request dialog box with the content of the initial request that you can then edit.
The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you cannot edit an existing certificate request. Store only a correctly filled certificate request in a wallet.
To create a PKCS #10 certificate request:
From the Operations menu, select Add Certificate Request. The Create Certificate Request dialog box is displayed.
Enter the information specified in Table 6-2.
Click OK. A message informs you that a certificate request was successfully created. You can either copy the certificate request text from the body of this dialog box and paste it into an e-mail message to send to a certificate authority, or you can export the certificate request to a file.
Click OK to return to the Oracle Wallet Manager main window. The status of the certificate changes to [Requested].
See Also:
Exporting a User Certificate RequestTable 6-2 Certificate Request: Fields and Descriptions
| Field Name | Description |
|---|---|
| Common Name | Mandatory. Enter the name of the identity of the user or service identity. Enter a user name in firstname.lastname format.
Example: Eileen.Sanger |
| Organizational Unit | Optional. Enter the name of the organizational unit of the identity. Example: Finance. |
| Organization | Optional. Enter the name of the organization of the identity. Example: XYZ Corp. |
| Locality/City | Optional. Enter the name of the locality or city in which the identity resides. |
| State/Province | Optional. Enter the full name of the state or province in which the identity resides.
Enter the full state name, because some certificate authorities do not accept two-letter abbreviations. |
| Country | Mandatory. Select to view a list of country abbreviations. Choose the country in which the organization is located. |
| Key Size | Mandatory. Select to view a list of key sizes to use when creating the public/private key pair. Refer to Table 6-3 to evaluate key sizes. |
| Advanced | Optional. Select Advanced to view the Advanced Certificate Request dialog box. Use this dialog box to edit or customize the identity's DN. For example, you can edit the full state name and locality. |
Table 6-3 lists the available key sizes and the relative security each size provides. Typically, CAs use key sizes of 1024 or 2048 bits. When certificate owners wish to keep their keys for a longer duration, they choose 3072 or 4096 bit keys.
Table 6-3 Available Key Sizes
| Key Size | Relative Security Level |
|---|---|
| 512 or 768 | Not regarded as secure. |
| 1024 or 2048 | Secure. |
| 3072 or 4096 | Very secure. |
Importing the User Certificate Into the Wallet
The CA sends you an e-mail notification when your certificate request has been fulfilled. Import the certificate into a wallet in either of two ways, copy and paste the certificate from the e-mail of the CA, or import the user certificate from a file. CAs may send your certificate in a PKCS #7 certificate chain file, or as an individual X.509 certificate. Oracle Wallet Manager can import both types. PKCS #7 certificate chains are a collection of certificates, including the user's certificate and all of the supporting CA and subCA certificates. In contrast, an X.509 certificate file contains an individual certificate without the supporting certificate chain.
To copy and paste the text only (BASE64) user certificate from the e-mail of the CA:
Copy the certificate text from the e-mail message or file you receive from the CA. Include the lines Begin Certificate and End Certificate.
From the Operations menu, select Import User Certificate.... The Import Certificate dialog box is displayed.
Select Paste the certificate, and then click OK. Another Import Certificate dialog box is displayed with the following message:
Please provide a base64 format certificate and paste it below.
Paste the certificate into the dialog box, and click OK. A message at the bottom of the window confirms that the certificate was successfully installed. You are redirected to the Oracle Wallet Manager main window, and the status of the corresponding entry in the left panel subtree changes to [Ready].
To import a file that contains the user certificate:
From the Operations menu, select Import User Certificate.... The Import Certificate dialog box is displayed.
Choose Select a file that contains the certificate, and click OK. Another Import Certificate dialog box is displayed.
Enter the path or folder name of the certificate file location.
Select the name of the certificate file (for example, cert.txt).
Click OK. A message at the bottom of the window confirms that the certificate was successfully installed. You are redirected to the Oracle Wallet Manager main window, and the status of the corresponding entry in the left panel subtree changes to [Ready].
Note:
The file containing the user certificate should have been saved in either text (BASE64) or binary (der) format.Importing Certificates Created with a Third-Party Tool
Third-party certificates are the certificates whose certificate requests have been generated without using Oracle Wallet Manager. Oracle Wallet Manager can import and support the following PKCS #12-format certificates, subject to procedures and limitations specific to the program you use:
Netscape Communicator 4.x
Microsoft Internet Explorer 5.x and later
OpenSSL
To import a certificate created with a third-party tool, you must first export it from the application you are using, and then save it as a wallet file that can be read by Oracle Wallet Manager. Refer to Importing Wallets Created with a Third-Party Tool for information about importing certificates that are created with third-party tools.
Removing a User Certificate from a Wallet
To remove a user certificate from a wallet:
In the left panel, select the certificate that you want to remove.
From the Operations menu, select Remove User Certificate.... A dialog box is displayed and it prompts you to verify that you want to remove the user certificate from the wallet.
Click Yes to return to the Oracle Wallet Manager main panel. The certificate displays a status of [Requested].
Removing a Certificate Request
You must remove a certificate before removing its associated request.
To remove a certificate request:
In the left panel, select the certificate request that you want to remove.
From the Operations menu, select Remove Certificate Request....
Click Yes. The certificate displays a status of [Empty].
Exporting a User Certificate
To save the certificate in a file system directory, export the certificate, as follows:
In the left panel, select the certificate that you want to export.
From the Operations menu, select Export User Certificate.... The Export Certificate dialog box is displayed.
Enter the file system directory location in which you want to save your certificate, or navigate to the directory structure under Folders.
Enter a file name for your certificate in the Enter File Name field.
Click OK. A message at the bottom of the window confirms that the certificate was successfully exported to the file. You are redirected to the Oracle Wallet Manager main window.
See Also:
Exporting Oracle Wallets to Third-Party Environments for information about exporting wallets. Note that Oracle Wallet Manager supports storing multiple certificates in a single wallet, yet current browsers typically support only single-certificate wallets. For these browsers, you must export an Oracle wallet that contains a single key-pair.Exporting a User Certificate Request
To save the certificate request in a file system directory, export the certificate request, as follows:
In the left panel, select the certificate request that you want to export.
From the Operations menu, select Export Certificate Request.... The Export Certificate Request dialog box is displayed.
Enter the file system directory location in which you want to save your certificate request, or navigate to the directory structure under Folders.
Enter a file name for your certificate request in the Enter File Name field.
Click OK. A message at the bottom of the window confirms that the certificate request was successfully exported to the file. You are redirected to the Oracle Wallet Manager main window.
Managing trusted certificates includes the following tasks:
Importing a Trusted Certificate
You can import a trusted certificate into a wallet either by pasting the trusted certificate from an e-mail that you receive from the CA, or importing the trusted certificate from a file.
Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet.
To copy and paste the text-only (BASE64) trusted certificate:
Copy the trusted certificate from the body of the e-mail message you received that contained the user certificate. Include the lines Begin Certificate and End Certificate.
From the Operations menu, select Import Trusted Certificate.... The Import Trusted Certificate dialog box is displayed.
Select Paste the Certificate and click OK. Another Import Trusted Certificate dialog box is displayed with the following message:
Please provide a base64 format certificate and paste it below.
Paste the certificate into the window and click OK. A message at the bottom of the window informs you that the trusted certificate was successfully installed.
Click OK. You are redirected to the Oracle Wallet Manager main panel, and the trusted certificate is displayed at the bottom of the Trusted Certificates list.
To import a file that contains the trusted certificate:
From the Operations menu, select Import Trusted Certificate.... The Import Trusted Certificate dialog box is displayed.
Enter the path or folder name of the trusted certificate location.
Select the name of the trusted certificate file (for example, cert.txt).
Click OK. A message at the bottom of the window informs you that the trusted certificate was successfully imported into the wallet.
Click OK to exit the dialog box. You are redirected to the Oracle Wallet Manager main window, and the trusted certificate is displayed at the bottom of the Trusted Certificates list.
Note:
The file containing the trusted certificate should have been saved in either text (BASE64) or binary (der) format.Removing a Trusted Certificate
You cannot remove a trusted certificate if it has been used to sign a user certificate still present in the wallet. To remove such trusted certificates, you must first remove the certificates it has signed. In addition, you cannot verify a certificate after its trusted certificate has been removed from your wallet.
To remove a trusted certificate from a wallet:
Select the trusted certificate listed in the Trusted Certificates list.
From the Operations menu, select Remove Trusted Certificate....
A dialog box warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.
Click Yes. The selected trusted certificate is removed from the Trusted Certificates list.
Exporting a Trusted Certificate
To export a trusted certificate to another file system location:
In the left panel, select the trusted certificate that you want to export.
From the Operations menu, select Export Trusted Certificate.... The Export Trusted Certificate dialog box is displayed.
Enter a file system directory in which you want to save your trusted certificate, or navigate to the directory structure under Folders.
Enter a file name to save your trusted certificate.
Click OK. You are redirected to the Oracle Wallet Manager main window.
Exporting All Trusted Certificates
To export all your trusted certificates to another file system location:
From the Operations menu, select Export All Trusted Certificates.... The Export Trusted Certificate dialog box is displayed.
Enter a file system directory location in which you want to save your trusted certificates, or navigate to the directory structure under Folders.
Enter a file name to save your trusted certificates.
Click OK. You are redirected to the Oracle Wallet Manager main window.
The orapki utility is a command-line tool that you can use to manage certificate revocation lists (CRLs), create and manage Oracle wallets, and create signed certificates for testing purposes.
The following sections describe this tool and how to use it:
The orapki utility is provided to manage PKI elements, such as wallets and certificate revocation lists, on the command line so that the tasks it performs can be incorporated into scripts. This enables you to automate many of the routine tasks of maintaining a PKI.
This command-line utility can be used to perform the following tasks:
Create signed certificates for testing purposes
Manage Oracle wallets:
Create and display Oracle wallets
Add and remove certificate requests
Add and remove certificates
Add and remove trusted certificates
Manage CRLs:
Rename CRLs with a hash value for certificate validation
Upload, list, view, and delete CRLs in Oracle Internet Directory
The basic syntax of the orapki command-line utility is:
orapki module command -parameter value
In the preceding command, module can be wallet (Oracle wallet), crl (certificate revocation list), or cert (PKI digital certificate). The available commands depend on the module you are using. For example, if you are working with a wallet, then you can add a certificate or a key to the wallet by using the add command. The following example adds the user certificate located at /private/lhale/cert.txt to the wallet located at $ORACLE_HOME/wallet/ewallet.p12:
orapki wallet add -wallet $ORACLE_HOME/wallet/ewallet.p12 -user_cert -cert /private/lhale/cert.txt
You can display all the orapki commands that are available for a specific mode by entering the following at the command line:
orapki mode help
For example, to display all available commands for managing CRLs, enter the following at the command line:
orapki crl help
Note:
Using the-summary, -complete, or -wallet command options is optional. A command will still run if these command options are not specified.This command-line utility provides a convenient, lightweight way to create signed certificates for testing purposes. The following syntax can be used to create signed certificates and to view certificates:
To create a signed certificate for testing purposes, use the following command:
orapki cert create [-wallet wallet_location] -request certificate_request_location -cert certificate_location -validity number_of_days [-summary]
This command creates a signed certificate from the certificate request. The -wallet parameter specifies the wallet containing the user certificate and private key that will be used to sign the certificate request. The -validity parameter specifies the number of days, starting from the current date, that this certificate will be valid. Specifying a certificate and certificate request is mandatory for this command.
To view a certificate, use the following command:
orapki cert display -cert certificate_location [-summary | -complete]
This command enables you to view a test certificate that you have created with orapki. You can choose either -summary or -complete, which determines how much detail the command will display. If you choose -summary, then the command will display the certificate and its expiration date. If you choose -complete, then it will display additional certificate information, including the serial number and public key.
The following sections describe the syntax used to create and manage Oracle wallets with the orapki command-line utility. You can use these orapki utility wallet module commands in scripts to automate the wallet creation process. This section contains the following topics:
Adding Certificates and Certificate Requests to Oracle Wallets with orapki
Exporting Certificates and Certificate Requests from Oracle Wallets with the orapki Utility
Note:
The-wallet parameter is mandatory for all wallet module commands.To create an Oracle wallet, use the following command:
orapki wallet create -wallet wallet_location
The preceding command prompts you to enter and reenter a wallet password. It creates a wallet in the location specified for -wallet.
To create an Oracle wallet with Auto Login enabled, use the following command:
orapki wallet create -wallet wallet_location -auto_login
The preceding command creates a wallet with Auto Login enabled. This command can also be used to enable Auto Login on an existing wallet. If wallet_location already contains a wallet, then Auto Login will be enabled for it. To turn the Auto Login feature off, use Oracle Wallet Manager. Refer to Using Auto Login for details.
Note:
For wallets with the Auto Login feature enabled, you are prompted for a password only for operations that modify the wallet, such asadd.To view an Oracle wallet, use the following command:
orapki wallet display -wallet wallet_location
The preceding command displays the certificate requests, user certificates, and trusted certificates contained in the wallet.
To add a certificate request to an Oracle wallet, use the following command:
orapki wallet add -wallet wallet_location -dn user_dn -keySize 512|1024|2048
The preceding command adds a certificate request to a wallet for the user with the specified DN, user_dn. You can also specify the key size of the requested certificate: 512, 1024, or 2048 bits. To sign the request, export it with the export option. Refer to Exporting Certificates and Certificate Requests from Oracle Wallets with the orapki Utility.
To add a trusted certificate to an Oracle wallet, use the following command:
orapki wallet add -wallet wallet_location -trusted_cert -cert certificate_location
This command adds a trusted certificate, at -cert certificate_location, to a wallet. You must add all trusted certificates in the certificate chain of a user certificate before adding a user certificate, or the command to add the user certificate will fail.
To add a root certificate to an Oracle wallet, use the following command:
orapki wallet add -wallet wallet_location -dn certificate_dn -keySize 512|1024|2048 -self_signed -validity number_of_days
The preceding command creates a new self-signed root certificate and adds it to the wallet. The -validity parameter, which is mandatory, specifies the number of days, starting from the current date, that this certificate will be valid. You can specify a key size for this root certificate: 512, 1024, or 2048 bits.
To add a user certificate to an Oracle wallet, use the following command:
orapki wallet add -wallet wallet_location -user_cert -cert certificate_location
The preceding command adds the user certificate at the location specified with the -cert parameter to the Oracle wallet at wallet_location. Before you add a user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate fails.
To export a certificate from an Oracle wallet, use the following command:
orapki wallet export -wallet wallet_location -dn certificate_dn -cert certificate_filename
The preceding command exports a certificate with the subject's DN from a wallet to a file that is specified by -cert.
To export a certificate request from an Oracle wallet, use the following command:
orapki wallet export -wallet wallet_location -dn certificate_request_dn -request certificate_request_filename
The preceding command exports a certificate request with the subject's DN from a wallet to a file that is specified by -request.
CRLs must be managed with the orapki utility. This utility creates a hashed value of the CRL issuer's name to identify the location of the CRL in your system. If you do not use orapki, then your Oracle server cannot locate CRLs to validate PKI digital certificates. The following sections describe CRLs, how you use them, and how to use the orapki utility to manage them:
The process of determining whether a given certificate can be used in a given context is referred to as certificate validation. Certificate validation includes determining that:
A trusted CA has digitally signed the certificate.
The certificate's digital signature corresponds to the independently calculated hash value of the certificate itself and the public key of the CA.
The certificate has not expired.
The certificate has not been revoked.
The SSL network layer automatically performs the first three validation checks, but you must configure CRL checking to ensure that certificates have not been revoked. CRLs are signed data structures that contain a list of revoked certificates. They are usually issued and signed by the same entity who issued the original certificate.
What CRLs Should You Use?
You should have CRLs for all of the trust points that you honor. The trust points are the trusted certificates from a third-party identity that is qualified with a level of trust. Typically, the certificate authorities you trust are called trust points.
How does CRL Checking Work?
Certificate revocation status is checked against CRLs which are located in file system directories, Oracle Internet Directory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate. If you store your CRLs on the local file system or in the directory, then you must update them regularly. If you use CRL DPs, then CRLs are downloaded each time a certificate is used so there is no need to regularly refresh the CRLs.
The server searches for CRLs in the following locations, in the order listed subsequently. When the system finds a CRL that matches the DN of the certificate CA, it stops searching.
Local file system
The system checks the sqlnet.ora file for the SSL_CRL_FILE parameter first, followed by the SSL_CRL_PATH parameter. If these two parameters are not specified, then the system checks the wallet location for any CRLs.
Note:
If you store CRLs on your local file system, then you must use theorapki utility to periodically update them. Refer to Renaming CRLs with a Hash Value for Certificate Validation.Oracle Internet Directory
If the server cannot locate the CRL on the local file system and directory connection information has been configured in the ORACLE_HOME/ldap/admin/ldap.ora file, then the server searches in the directory. It searches the CRL subtree by using the DN) of the CA and the DN of the CRL subtree.
The server must have a properly configured ldap.ora file to search for CRLs in the directory. It cannot use the Domain Name System (DNS) discovery feature of Oracle Internet Directory. In addition, if you store CRLs in the directory, then you must use the orapki utility to periodically update them. Refer to Uploading CRLs to Oracle Internet Directory.
CRL DP
If the CA specifies a location in the CRL DP X.509, version 3, certificate extension when the certificate is issued, then the CRL that contains revocation information for that certificate is downloaded. Currently, Oracle Advanced Security supports downloading CRLs over HTTP and LDAP.
Notes:
For performance reasons, only user certificates are checked.
Oracle recommends that you store CRLs in the directory rather than the local file system.
Before you enable certificate revocation status checking, you must ensure that the CRLs you receive from the CAs you use are in a form (renamed with a hash value) or in a location (uploaded to the directory) in which your system can use them. Oracle Advanced Security provides a command-line utility, orapki, that you can use to perform the following tasks:
Deleting CRLs from Oracle Internet Directory
Note:
CRLs must be updated at regular intervals (before they expire) for successful validation. You can automate this task by usingorapki commands in a script.You can also use LDAP command-line tools to manage CRLs in Oracle Internet Directory.
Renaming CRLs with a Hash Value for Certificate Validation
When the system validates a certificate, it must locate the CRL issued by the CA who created the certificate. The system locates the CRL by matching the issuer name in the certificate with the issuer name in the CRL.
When you specify a CRL storage location for the Certificate Revocation Lists Path field in Oracle Net Manager (sets the SSL_CRL_PATH parameter in the sqlnet.ora file), use the orapki utility to rename CRLs with a hash value that represents the issuer's name. Creating the hash value enables the server to load the CRLs.
On UNIX operating systems, orapki creates a symbolic link to the CRL. On Microsoft Windows operating systems, it creates a copy of the CRL file. In either case, the symbolic link or the copy created by orapki are named with a hash value of the issuer's name. Then, when the system validates a certificate, the same hash function is used to calculate the link (or copy) name so that the CRL can be loaded.
Depending on your operating system, enter one of the following commands to rename CRLs stored in the file system.
To rename CRLs stored in UNIX file systems:
orapki crl hash -crl crl_filename [-wallet wallet_location] -symlink crl_directory [-summary]
To rename CRLs stored in Microsoft Windows file systems:
orapki crl hash -crl crl_filename [-wallet wallet_location] -copy crl_directory [-summary]
In the preceding commands, crl_filename is the name of the CRL file, wallet_location is the location of a wallet that contains the certificate of the CA that issued the CRL, and crl_directory is the directory in which the CRL is located.
Using -wallet and -summary are optional. Specifying -wallet causes the tool to verify the validity of the CRL against the certificate of the CA prior to renaming the CRL. Specifying the -summary option causes the tool to display the CRL issuer's name.
Uploading CRLs to Oracle Internet Directory
Publishing CRLs in the directory enables CRL validation throughout your enterprise, eliminating the need for individual applications to configure their own CRLs. All applications can use the CRLs stored in the directory in which they can be centrally managed, reducing the administrative overhead of CRL management and use.
You must be a member of the directory group CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) to upload CRLs to the directory by using orapki. This is a privileged operation because these CRLs are accessible to the entire enterprise. Contact your directory administrator to be added to this administrative directory group.
To upload CRLs to the directory, enter the following at the command line:
orapki crl upload -crl crl_location -ldap hostname:ssl_port -user username [-wallet wallet_location] [-summary]
In the preceding command, crl_location is the file name or URL in which the CRL is located, hostname and ssl_port (SSL port with no authentication) are the host name and SSL port of the system on which your directory is installed, username is the directory user who has permission to add CRLs to the CRL subtree, and wallet_location is the location of a wallet that contains the certificate of the CA that issued the CRL.
Using -wallet and -summary are optional. Specifying -wallet causes the tool to verify the validity of the CRL against the certificate of the CA prior to uploading it to the directory. Specifying the -summary option causes the tool to print the CRL issuer's name and the LDAP entry in which the CRL is stored in the directory.
Note:
The orapki utility prompts you for the directory password when you perform this operation.
Ensure that you specify the directory SSL port on which the Diffie-Hellman–based SSL server is running. This is the SSL port that does not perform authentication. Neither the server authentication nor the mutual authentication SSL ports are supported by the orapki utility.
Listing CRLs Stored in Oracle Internet Directory
You can display a list of all CRLs stored in the directory with orapki, which lets you browse to locate a particular CRL to view or download to your local system. This command displays the CA who issued the CRL (Issuer) and its location (DN) in the CRL subtree of your directory.
To list CRLs in Oracle Internet Directory, enter the following at the command line:
orapki crl list -ldap hostname:ssl_port
In the preceding command, hostname and ssl_port are the host name and SSL port of the system on which your directory is installed. Note that this is the directory SSL port with no authentication, as described in the preceding section.
Viewing CRLs in Oracle Internet Directory
You can view specific CRLs that are stored in Oracle Internet Directory in a summarized format, or you can request a complete listing of revoked certificates for the specified CRL. A summary listing provides the CRL issuer's name and its validity period. A complete listing provides a list of all revoked certificates contained in the CRL.
To view a summary listing of a CRL in Oracle Internet Directory, enter the following at the command line:
orapki crl display -crl crl_location [-wallet wallet_location] -summary
In the preceding command, crl_location is the location of the CRL in the directory. It is convenient to paste the CRL location from the list that is displayed when you use the orapki crl list command. Refer to Listing CRLs Stored in Oracle Internet Directory.
To view a list of all revoked certificates contained in a specified CRL, which is stored in Oracle Internet Directory, enter the following at the command line:
orapki crl display -crl crl_location [-wallet wallet_location] -complete
For example, the following orapki command:
orapki crl display -crl $T_WORK/pki/wlt_crl/nzcrl.txt -wallet $T_WORK/pki/wlt_crl -complete
produces the following output, which lists the CRL issuer's DN, its publication date, date of its next update, and the revoked certificates it contains:
issuer = CN=root,C=us, thisUpdate = Sun Nov 16 10:56:58 PST 2003, nextUpdate = Mon
Sep 30 11:56:58 PDT 2013, revokedCertificates = {(serialNo =
153328337133459399575438325845117876415, revocationDate - Sun Nov 16 10:56:58 PST
2003)}
CRL is valid
Using the -wallet option causes the orapki crl display command to validate the CRL against the certificate of the CA.
Depending on the size of your CRL, choosing the -complete option may take a long time to display.
You can also use Oracle Directory Manager, a GUI tool that is provided with Oracle Internet Directory, to view CRLs in the directory. CRLs are stored in the following directory location:
cn=CRLValidation,cn=Validation,cn=PKI,cn=Products,cn=OracleContext
Deleting CRLs from Oracle Internet Directory
To delete CRLs from the directory by using orapki, you must be a member of the directory group CRLAdmins. Refer to Uploading CRLs to Oracle Internet Directory for information about this directory administrative group.
To delete CRLs from the directory, enter the following at the command line:
orapki crl delete -issuer issuer_name -ldap host:ssl_port -user username [-summary]
In the preceding command, issuer_name is the name of the CA who issued the CRL, hostname and ssl_port are the host name and SSL port of the system on which your directory is installed, and username is the directory user who has permission to delete CRLs from the CRL subtree. Note that this must be a directory SSL port with no authentication. Refer to Uploading CRLs to Oracle Internet Directory for more information about this port.
Using the -summary option causes the tool to print the CRL LDAP entry that was deleted.
For example, the following orapki command:
orapki crl delete -issuer "CN=root,C=us" -ldap machine1:3500 -user cn=orcladmin -summary
produces the following output, which lists the location of the deleted CRL in the directory:
Deleted CRL at cn=root cd45860c.rN,cn=CRLValidation,cn=Validation,cn=PKI,cn=Products,cn=OracleContext
This section lists and describes the following orapki commands:
The following sections describe this command.
orapki cert create [-wallet wallet_location] -request certificate_request_location -cert certificate_location -validity number_of_days [-summary]
The -wallet parameter specifies the wallet containing the user certificate and private key that will be used to sign the certificate request.
The -request parameter (mandatory) specifies the location of the certificate request for the certificate you are creating.
The -cert parameter (mandatory) specifies the directory location in which the tool places the new signed certificate.
The -validity parameter (mandatory) specifies the number of days, starting from the current date, that this certificate will be valid.
The following sections describe this command.
orapki cert display -cert certificate_location [-summary|-complete]
The -cert parameter specifies the location of the certificate you want to display.
You can use either the -summary or the -complete parameter to display the following information:
-summary displays the certificate and its expiration date.
-complete displays additional certificate information, including the serial number and public key.
The following sections describe this command.
Use this command to delete CRLs from Oracle Internet Directory. Note that the user who deletes CRLs from the directory by using orapki must be a member of the CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) directory group.
orapki crl delete -issuer issuer_name -ldap hostname:ssl_port -user username [-wallet wallet_location] [-summary]
The -issuer parameter specifies the name of the CA who issued the CRL.
The -ldap parameter specifies the host name and SSL port for the directory in which the CRLs are to be deleted. Note that this must be a directory SSL port with no authentication. Refer to Uploading CRLs to Oracle Internet Directory for more information about this port.
The -user parameter specifies the user name of the directory user who has permission to delete CRLs from the CRL subtree in the directory.
The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to deleting it from the directory.
The -summary parameter is optional. Using it causes the tool to print the CRL LDAP entry that was deleted.
The following sections describe this command.
orapki crl display -crl crl_location [-wallet wallet_location] [-summary|-complete]
The -crl parameter specifies the location of the CRL in the directory. It is convenient to paste the CRL location from the list that displays when you use the orapki crl list command. Refer to orapki crl list.
The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to displaying it.
Selecting either the -summary or the -complete parameters displays the following information:
-summary provides a listing that contains the CRL issuer's name and the CRL's validity period.
-complete provides a list of all revoked certificates that the CRL contains. Note that this option may take a long time to display, depending on the size of the CRL.
The following sections describe this command.
Use this command to generate a hash value of the CRL issuer to identify the location of the CRL in your file system for certificate validation.
orapki crl hash -crl crl_filename|URL [-wallet wallet_location] [-symlink|-copy] crl_directory [-summary]
The -crl parameter specifies the filename that contains the CRL or the URL in which it can be found.
The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory.
Depending on your operating system, use either the -symlink or the -copy parameter:
(UNIX) Use -symlink to create a symbolic link to the CRL at the crl_directory location.
(Microsoft Windows) Use -copy to create a copy of the CRL at the crl_directory location.
The -summary parameter (optional) causes the tool to display the CRL issuer's name.
The following sections describe this command.
Use this command to display a list of CRLs stored in Oracle Internet Directory. This is useful for browsing to locate a particular CRL to view or download to your local file system.
orapki crl list -ldap hostname:ssl_port
The -ldap parameter specifies the host name and SSL port for the directory server from which you want to list CRLs. Note that this must be a directory SSL port with no authentication. Refer to Uploading CRLs to Oracle Internet Directory for more information about this port.
The following sections describe this command.
Use this command to upload CRLs to the CRL subtree in Oracle Internet Directory. Note that you must be a member of the directory administrative group CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) to upload CRLs to the directory.
orapki crl upload -crl crl_location -ldap hostname:ssl_port -user username [-wallet wallet_location] [-summary]
The -crl parameter specifies the directory location or the URL of the CRL that you are uploading to the directory.
The -ldap parameter specifies the host name and SSL port for the directory to which you are uploading the CRLs. Note that this must be a directory SSL port with no authentication. Refer to Uploading CRLs to Oracle Internet Directory for more information about this port.
The -user parameter specifies the user name of the directory user who has permission to add CRLs to the CRL subtree in the directory.
The -wallet parameter specifies the location of the wallet that contains the certificate of the CA who issued the CRL. This is an optional parameter. Using it causes the tool to verify the validity of the CRL against the certificate of the CA certificate prior to uploading it to the directory.
The -summary parameter is also optional. Using it causes the tool to display the CRL issuer's name and the LDAP entry in which the CRL is stored in the directory.
The following sections describe this command.
To add certificate requests:
orapki wallet add -wallet wallet_location -dn user_dn -keySize 512|1024|2048
The -wallet parameter specifies the location of the wallet to which you want to add a certificate request.
The -dn parameter specifies the distinguished name of the certificate owner.
The -keySize parameter specifies the key size for the certificate.
To sign the request, export it with the export option. Refer to orapki wallet export.
To add trusted certificates, use the following command:
orapki wallet add -wallet wallet_location -trusted_cert -cert certificate_location
The -trusted_cert parameter causes the tool to add the trusted certificate, at the location specified with -cert, to the wallet.
To add root certificates, use the following command:
orapki wallet add -wallet wallet_location -dn certificate_dn -keySize 512|1024|2048 -self_signed -validity number_of_days
The -self_signed parameter causes the tool to create a root certificate.
The -validity parameter is mandatory. Use this parameter to specify the number of days, starting from the current date, that this root certificate will be valid.
To add user certificates:
orapki wallet add -wallet wallet_location -user_cert -cert certificate_location
The -user_cert parameter causes the tool to add the user certificate at the location specified with the -cert parameter to the wallet. Before you add a user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail.
The following sections describe this command.
orapki wallet create -wallet wallet_location [-auto_login]
The -wallet parameter specifies a location for the new wallet or the location of the wallet for which you want to turn on Auto Login.
The -auto_login parameter creates an Auto Login wallet, or it turns on automatic login for the wallet specified with the -wallet option. Refer to Using Auto Login for details about Auto Login wallets.
The following sections describe this command.
The following sections describe this command.
To export a certificate from an Oracle wallet, use the following command:
orapki wallet export -wallet wallet_location -dn certificate_dn -cert certificate_filename
The -wallet parameter specifies the location of the wallet from which you want to export the certificate.
The -dn parameter specifies the distinguished name of the certificate.
The -cert parameter specifies the name of the file that contains the exported certificate.
To export a certificate request from an Oracle wallet:
orapki wallet export -wallet wallet_location -dn certificate_request_dn -request certificate_request_filename
The -request parameter specifies the name of the file that contains the exported certificate request.
Oracle Wallet Manager functionality supports users who already have certificates provisioned. If you do not use Oracle Wallet Manager to create certificates, then you can use it to manage and store certificates created previously.
Oracle Wallet Manager stores X.509 certificates and private keys in Public Key Cryptography Standards (PKCS) #12 format, and generates certificate requests according to the PKCS #10 specification developed by RSA Laboratories. This makes the Oracle wallet structure interoperable with supported third-party PKI applications, and provides wallet portability across operating systems.
Oracle Wallet Manager wallets can be enabled to store credentials on hardware security modules using APIs that conform to the PKCS #11 specification. When PKCS11 wallet type is chosen at the time of wallet creation, then all keys stored in that wallet are saved to a hardware security module or token, such as smart cards, PCMCIA cards, smart diskettes, or other types of portable hardware devices that store private keys, perform cryptographic operations, or both.
See Also:
Creating a Wallet to Store Hardware Security Module Credentials
To view PKCS standards documents, navigate to the following URL:
http://www.rsasecurity.com/rsalabs/
Oracle Wallet Manager enables you to store multiple certificates for each wallet, supporting the following Oracle PKI certificate usages:
SSL
S/MIME signature
S/MIME encryption
Code-Signing
CA Certificate Signing
Oracle Wallet Manager supports multiple certificates for a single digital entity, where each certificate can be used for a set of Oracle PKI certificate usages, but the same certificate cannot be used for all such usages (Refer to Table 6-4 and Table 6-5 for legal usage combinations). There must be a one-to-one mapping between certificate requests and certificates. The same certificate request can be used to obtain multiple certificates. However, more than one certificate for each certificate request cannot be installed in the same wallet at the same time.
Oracle Wallet Manager uses the X.509 Version 3 KeyUsage extension types to define Oracle PKI certificate usages. The key usage extension types are optional bits that can be set in certificates. Setting these bits defines what purpose the key of the certificate can be used for. When certificates are issued, the certificate authority sets these bits according to the type of certificate that you have requested. Table 6-4 lists and describes these key usage types.
Table 6-4 X.509 Version 3 KeyUsage Extension Types, Values, and Descriptions
| KeyUsage Extension Type | Value | Description |
|---|---|---|
| digitalSignature | 0 | Used for entity authentication and to authenticate data origin integrity. |
| nonRepudiation | 1 | Used to protect against the signing entity falsely denying some action. |
| keyEncipherment | 2 | Used when the subject public key is used for key transport. |
| dataEncipherment | 3 | Used when the subject public key is used for enciphering data, other than cryptographic keys. |
| keyAgreement | 4 | Used when the subject public key is used for key agreement during SSL connection negotiation. |
| keyCertSign | 5 | Used when the subject public key is used for verifying a signature on certificates. May only be used in CA certificates. |
| cRLSign | 6 | Used when the subject public key is used for verifying a signature on certificate revocation lists. |
| encipherOnly | 7 | When the encipherOnly bit is asserted, the keyAgreement bit must also be set. When these two bits are set the subject public key may be used only for enciphering data while performing key agreement. |
| decipherOnly | 8 | As with the encipherOnly bit, the keyAgreement bit must also be set when decipherOnly is set. When these two bits (decipherOnly and keyAgreement) are set the subject public key may be used only for deciphering data while performing key agreement. |
See Also:
The Internet Engineering Task Force RFC #2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile, for a complete description of theKeyUsage extension types at the following URL:
http://www.ietf.org/rfc/
When installing a certificate (user certificate or trusted certificate), Oracle Wallet Manager maps the KeyUsage extension values to Oracle PKI certificate usages as specified in Table 6-4 and Table 6-5.
Table 6-5 Oracle Wallet Manager Import of Trusted Certificates to an Oracle Wallet
| KeyUsage Value | Critical?Foot 1 | Usage |
|---|---|---|
| none | na | Importable. |
| Any combination excluding 5 | Yes
No |
Not importable.
Importable. |
| 5 alone, or any combination including 5 | na | Importable. |
KeyUsage extension is critical, then the certificate cannot be used for other purposes.You should obtain certificates from the certificate authority with the correct KeyUsage value for the required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages, as indicated by Table 6-4 and Table 6-5. Oracle PKI applications use the first certificate containing the required PKI certificate usage.
For example, for SSL usage, the first certificate containing the SSL Oracle PKI certificate usage is used.
If you do not have a certificate with SSL usage, then an ORA-28885 error (No certificate with required key usage found) is returned.
Oracle has developed wallets to function as secure containers to keep PKI credentials together. Oracle wallets hold user certificates, which contain the subject's public key and identifying information, and their associated trusted certificates. Third-party applications whose PKI credentials interoperate with Oracle Wallet Manager use various ways to organize credentials, but some are not as tightly organized as Oracle wallets are. Some provide the option to export the associated trusted certificates when you export a user certificate, but some do not provide this option. When you import certificates from third-party tools that do not provide the option to include the associated trusted certificates, you must manually add the trusted certificates by using Oracle Wallet Manager.
Oracle Wallet Manager can import and support PKCS #12-format certificates from the following applications, subject to procedures and limitations specific to the program you use:
Netscape Communicator 4.x
Microsoft Internet Explorer 5.x and later
OpenSSL
To import a certificate created with a third-party tool, perform the following steps:
Follow the procedures for your particular product to export the certificate and its associated trusted certificates.
If your third-party product does not provide the option to include the trusted certificates, then you must export them separately and save them in either text (BASE64) or binary (der) format.
Save the exported certificate to a file name according to your operating system in a directory expected by Oracle Wallet Manager.
For UNIX and Microsoft Windows, the file name is ewallet.p12.
For other operating systems, refer to the Oracle documentation for that specific operating system.
Use Oracle Wallet Manager to navigate to the directory in which you saved the ewallet.p12 file and open it to use the PKI credentials it contains.
If you exported the trusted certificate separately, then you must import the trusted certificate first before you open the ewallet.p12 file that contains the imported third-party user certificate.
See Also:
Importing a Trusted Certificate