Setting Up Oracle Wallet Using OpenSSL
To set up Oracle Wallet using OpenSSL, use the following command:
```sh
openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt -chain -CAfile caCert.crt -passout pass:<password>
```
where
| Field or Control | Definition |
|---|---|
| -export | Indicates that a PKCS 12 file is being created. |
| -chain | Specifies that an attempt is made to include the entire certificate chain of the user certificate. |
| -inkey | Specifies the private key file. |
| -in | Specifies the file that contains the user certificate and any other certificates in the certificate chain. Note: If the private key and the certificate chain are in the same file, the -inkey and -in parameters can specify the same file. |
| -CAfile | Specifies a file containing trusted certificates. |
| -out | Specifies the output file name, which must be ewallet.p12 for an Oracle Wallet. |
| -passin | Specifies the password for the private key file. |
| -passout | Specifies the password for the newly created wallet. |
To create a self-signed SSL certificate using OpenSSL, complete the following steps:
Create server wallet.
```sh
mkdir wallet.server
cd wallet.server
# Server private key and certificate signing request
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj <subject>
# For example:
openssl req -new -key server.key -out server.csr -subj '/C=CN/CN=psft'
# Private CA key and self-signed CA certificate used to sign the server certificate
openssl genrsa -out caCert.key 4096
openssl req -new -x509 -days 1826 -key caCert.key -out caCert.crt -subj <subject>
# For example:
openssl req -new -x509 -days 1826 -key caCert.key -out caCert.crt -subj '/C=US/OU=Class 2 Public Primary Certification Authority/O=VeriSign'
# Sign the server CSR with the CA
openssl x509 -req -days 730 -in server.csr -CA caCert.crt -CAkey caCert.key -set_serial 01 -out server.crt
# Package key, certificate and chain into the wallet
openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt -chain -CAfile caCert.crt -passout pass:<password>
# For example:
openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt -chain -CAfile caCert.crt -passout pass:Passw0rd
```
Create Workstation wallet.
```sh
mkdir wallet.client
cd wallet.client
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr -subj '/C=CN/CN=wscpsft'
```
Copy server's truststore to client:
```sh
cd ..
cp wallet.server/caCert.crt wallet.client
cp wallet.server/caCert.key wallet.client
cd wallet.client
# Sign the client CSR with the same CA. The serial differs from the server
# certificate's (01): certificates issued by one CA must have unique serial numbers.
openssl x509 -req -days 730 -in client.csr -CA caCert.crt -CAkey caCert.key -set_serial 02 -out client.crt
openssl pkcs12 -export -out ewallet.p12 -inkey client.key -in client.crt -chain -CAfile caCert.crt -passout pass:<password>
# For example:
openssl pkcs12 -export -out ewallet.p12 -inkey client.key -in client.crt -chain -CAfile caCert.crt -passout pass:Passw0rd
```
To remove the client wallet password:
```sh
cp ewallet.p12 oldwallet.p12
# Extract the client certificate, the CA certificates and the (temporarily re-encrypted) private key
openssl pkcs12 -clcerts -nokeys -in oldwallet.p12 -out certificate.crt -password pass:Passw0rd -passin pass:Passw0rd
openssl pkcs12 -cacerts -nokeys -in oldwallet.p12 -out ca-cert.ca -password pass:Passw0rd -passin pass:Passw0rd
openssl pkcs12 -nocerts -in oldwallet.p12 -out private.key -password pass:Passw0rd -passin pass:Passw0rd -passout pass:temp
# Strip the passphrase from the private key
openssl rsa -in private.key -out NewKeyFile.key -passin pass:temp
# Rebuild the wallet from the certificate chain and the unencrypted key
cat certificate.crt ca-cert.ca > PEM.pem
openssl pkcs12 -export -nodes -in PEM.pem -inkey NewKeyFile.key -out ewallet.p12 -passout pass:TrustedCertsOnlyNoPWNeeded
```
Add the server's certificate to the PIA's truststore.
```sh
cd %ORACLE_HOME%\jdk\bin
keytool -import -file <server_wallet>/<certificate> -alias srvcert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt
# For example:
keytool -import -file wallet.server\caCert.crt -alias srvcert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt
```
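The server-wallet steps above build ewallet.p12 but never check it. The following is an added example, not part of the Oracle documentation: it runs the same CA, server-certificate and PKCS#12 steps in a scratch directory (with 2048-bit keys only for speed) and then verifies that the certificate chains to caCert.crt, that the wallet really contains the chain that `-chain` was asked to include, and that the key inside the wallet matches the certificate. It assumes the `openssl` command-line tool is installed; the CA subject and directory names are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the Oracle/PeopleSoft documentation: builds a server
# wallet as in the steps above (in a scratch directory, with 2048-bit keys
# only so it runs quickly) and then checks the resulting ewallet.p12.
# Assumes the openssl command-line tool is installed.

# build_wallet DIR PASSWORD: CA, CA-signed server certificate and ewallet.p12 in DIR.
build_wallet() {
  dir="$1"; pw="$2"
  mkdir -p "$dir"
  (
    cd "$dir"
    openssl genrsa -out caCert.key 2048 2>/dev/null
    openssl req -new -x509 -days 1826 -key caCert.key -out caCert.crt \
      -subj '/C=US/O=Example Test CA'
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr -subj '/C=CN/CN=psft'
    openssl x509 -req -days 730 -in server.csr -CA caCert.crt -CAkey caCert.key \
      -set_serial 01 -out server.crt 2>/dev/null
    openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt \
      -chain -CAfile caCert.crt -passout "pass:$pw"
  )
}

# verify_wallet DIR PASSWORD: checks that server.crt chains to caCert.crt, that
# ewallet.p12 really carries the chain (leaf plus CA, i.e. -chain worked) and
# that the key stored in the wallet matches the leaf certificate. Prints the
# number of certificates in the wallet and returns 0 only if every check passes.
verify_wallet() {
  dir="$1"; pw="$2"
  openssl verify -CAfile "$dir/caCert.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  n=$(openssl pkcs12 -in "$dir/ewallet.p12" -nokeys -passin "pass:$pw" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
  [ "$n" -ge 2 ] || return 1
  keymod=$(openssl pkcs12 -in "$dir/ewallet.p12" -nocerts -nodes -passin "pass:$pw" 2>/dev/null \
             | openssl rsa -noout -modulus 2>/dev/null || true)
  certmod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
  [ -n "$keymod" ] && [ "$keymod" = "$certmod" ] || return 1
  echo "$n"
}
```

Run `build_wallet wallet.server Passw0rd && verify_wallet wallet.server Passw0rd`; a printed `2` means the wallet holds the server certificate plus the CA certificate and passed all checks, a non-zero exit means it should not be deployed.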