Setting Up Oracle Wallet Using ORAPKI

To set up Oracle Wallet using the ORAPKI command line for an Oracle database, complete the following steps:

  1. Create a server wallet for the Application Server domain.

    1. Create the server wallet.

      orapki wallet create -wallet <wallet_name> -pwd <password>
      # For example: C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet create -wallet wallet.psft -pwd Passw0rd

    2. Add a self-signed certificate to the wallet.

      orapki wallet add -wallet <wallet_name> -dn "user_dn" -keysize 1024 -self_signed -validity 3650 -pwd <password>
      # For example: C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet add -wallet wallet.psft -dn "CN=psft,C=CN" -keysize 1024 -self_signed -validity 3650 -pwd Passw0rd
  2. Create a client wallet for workstation clients.

    1. Create the workstation wallet.

      orapki wallet create -wallet <client_wallet_name> -pwd <password>
      # For example: C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet create -wallet wallet.wscpsft -pwd Passw0rd

    2. Add a self-signed certificate to the wallet.

      orapki wallet add -wallet <client_wallet_name> -dn "user_dn" -keysize 1024 -self_signed -validity 3650 -pwd <password>
      # For example: C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet add -wallet wallet.wscpsft -dn "CN=not_used,C=CN" -keysize 1024 -self_signed -validity 3650 -pwd Passw0rd

    3. Export the public key (certificate) from the server wallet.

      orapki wallet export -wallet <server_wallet> -dn "user_dn" -cert <server_wallet>/<certificate> -pwd <password>
      # For example: C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet export -wallet wallet.psft -dn "CN=psft,C=CN" -cert wallet.psft/psft.cer -pwd Passw0rd

    4. Add the exported server certificate to the client wallet as a trusted certificate.

      orapki wallet add -wallet <client_wallet_name> -trusted_cert -cert <server_wallet>/<certificate> -pwd <password>
      # For example: C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet add -wallet wallet.wscpsft -trusted_cert -cert $PWD/wallet.psft/psft.cer -pwd Passw0rd

    You can remove the client wallet password using the following steps:

    1. cd wallet.wscpsft

    2. Linux: cp ewallet.p12 oldwallet.p12

      Windows: xcopy ewallet.p12 oldwallet.p12

    3. openssl pkcs12 -clcerts -nokeys -in oldwallet.p12 -out certificate.crt -password pass:Passw0rd -passin pass:Passw0rd

    4. openssl pkcs12 -cacerts -nokeys -in oldwallet.p12 -out ca-cert.ca -password pass:Passw0rd -passin pass:Passw0rd

    5. openssl pkcs12 -nocerts -in oldwallet.p12 -out private.key -password pass:Passw0rd -passin pass:Passw0rd -passout pass:temp

    6. openssl rsa -in private.key -out NewKeyFile.key -passin pass:temp

    7. Linux: cat certificate.crt ca-cert.ca > PEM.pem

      Windows: type certificate.crt ca-cert.ca > PEM.pem

    8. openssl pkcs12 -export -nodes -in PEM.pem -inkey NewKeyFile.key -out ewallet.p12 -passout pass:TrustedCertsOnlyNoPWNeeded
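
    The password-removal steps above, as an added example that is not part of the original page: a POSIX shell function that runs steps 2 through 8 on a wallet directory and checks the result before and after the rebuild. It assumes openssl is on PATH; the wallet directory, passwords and file names are the page's own.

```shell
#!/bin/sh
# Added example, not part of the original page: steps 2-8 of the password-removal
# procedure as one checked function. Assumes openssl on PATH and a wallet directory
# that holds ewallet.p12 (wallet.wscpsft for the page's client wallet).
set -eu

# strip_wallet_password <wallet_dir> <old_password> <new_password>
# Rebuilds <wallet_dir>/ewallet.p12 under <new_password>, keeps the original as
# oldwallet.p12, and prints the SHA-256 fingerprint of the certificate found in
# the rebuilt wallet. Fails if the extracted key and certificate do not match.
strip_wallet_password() {
  dir=$1; old=$2; new=$3
  cp "$dir/ewallet.p12" "$dir/oldwallet.p12"                       # step 2 (xcopy on Windows)
  openssl pkcs12 -clcerts -nokeys -in "$dir/oldwallet.p12" \
      -out "$dir/certificate.crt" -passin "pass:$old"              # step 3
  openssl pkcs12 -cacerts -nokeys -in "$dir/oldwallet.p12" \
      -out "$dir/ca-cert.ca" -passin "pass:$old"                   # step 4 (empty if no CA certs)
  openssl pkcs12 -nocerts -in "$dir/oldwallet.p12" \
      -out "$dir/private.key" -passin "pass:$old" -passout pass:temp   # step 5
  openssl rsa -in "$dir/private.key" -out "$dir/NewKeyFile.key" -passin pass:temp   # step 6
  # Check: key and certificate must belong together, or the rebuilt wallet is unusable.
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/certificate.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/NewKeyFile.key")
  [ "$cert_mod" = "$key_mod" ] || { echo "key/certificate mismatch" >&2; return 1; }
  cat "$dir/certificate.crt" "$dir/ca-cert.ca" > "$dir/PEM.pem"       # step 7 (type on Windows)
  openssl pkcs12 -export -nodes -in "$dir/PEM.pem" -inkey "$dir/NewKeyFile.key" \
      -out "$dir/ewallet.p12" -passout "pass:$new"                   # step 8
  rm -f "$dir/private.key" "$dir/NewKeyFile.key"   # remove the key copies left by steps 5 and 6
  # Check: the rebuilt wallet opens with the new password and carries the same certificate.
  openssl pkcs12 -in "$dir/ewallet.p12" -clcerts -nokeys -passin "pass:$new" \
      | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Example call for the page's client wallet and its fixed replacement password:
#   strip_wallet_password wallet.wscpsft Passw0rd TrustedCertsOnlyNoPWNeeded
```

    OpenSSL 3 writes PKCS#12 files with different default encryption than OpenSSL 1.x; if the Oracle client cannot read the rebuilt wallet, rerun step 8 with the OpenSSL 3 `-legacy` option.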

  3. Add the server's certificate to the PIA truststore.

    1. Export the public key (certificate) from the server wallet.

      orapki wallet export -wallet <server_wallet> -dn "user_dn" -cert <server_wallet>/<certificate> -pwd <password>
      # For example: orapki wallet export -wallet wallet.psft -dn "CN=psft,C=CN" -cert wallet.psft/psft.cer -pwd Passw0rd

    2. Import the server's certificate into the client (PIA) truststore.

      cd %ORACLE_HOME%\jdk\bin
      keytool -import -file <server_wallet>/<certificate> -alias srv_cert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt
      # For example: keytool -import -file wallet.psft\psft.cer -alias srv_cert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt