Setting Up Oracle Wallet Using ORAPKI

To set up Oracle Wallet using the ORAPKI command line in an Oracle database, complete the following steps:

  1. Create a server wallet for the Application Server domain.

    1. Create the server wallet with the following command:

      orapki wallet create -wallet <wallet_name> -pwd <password>

      For example:

      C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet create -wallet wallet.psft -pwd password
    2. Add a self-signed certificate to the wallet.

      orapki wallet add -wallet <wallet_name> -dn "user_dn" -keysize 1024 -self_signed -validity 3650 -pwd <password>

      For example:

      C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet add -wallet wallet.psft -dn "CN=psft,C=CN" -keysize 1024 -self_signed -validity 3650 -pwd password
  2. Create a client wallet for Workstation clients.

    1. Create the Workstation wallet with the following command:

      orapki wallet create -wallet <client_wallet_name> -pwd <password>

      For example:

      C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet create -wallet wallet.wscpsft -pwd password
    2. Add a self-signed certificate to the wallet.

      orapki wallet add -wallet <client_wallet_name> -dn "user_dn" -keysize 1024 -self_signed -validity 3650 -pwd <password>

      For example:

      C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet add -wallet wallet.wscpsft -dn "CN=not_used,C=CN" -keysize 1024 -self_signed -validity 3650 -pwd password
  3. Export the public key from the server certificate.

    orapki wallet export -wallet <server_wallet> -dn "user_dn" -cert <server_wallet>/<certificate> -pwd <password>

    For example:

    C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet export -wallet wallet.psft -dn "CN=psft,C=CN" -cert wallet.psft/psft.cer -pwd password
  4. Add the public key from the server certificate to the client wallet as a trusted certificate.

    orapki wallet add -wallet <client_wallet_name> -trusted_cert -cert <server_wallet>/<certificate> -pwd <password>

    For example:

    C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet add -wallet wallet.wscpsft -trusted_cert -cert $PWD/wallet.psft/psft.cer -pwd password
  5. You can remove the client wallet password using the following steps:

    1. cd wallet.wscpsft

    2. Linux: cp ewallet.p12 oldwallet.p12

      Windows: xcopy ewallet.p12 oldwallet.p12

    3. openssl pkcs12 -clcerts -nokeys -in oldwallet.p12 -out certificate.crt -password pass:password -passin pass:password

    4. openssl pkcs12 -cacerts -nokeys -in oldwallet.p12 -out ca-cert.ca -password pass:password -passin pass:password

    5. openssl pkcs12 -nocerts -in oldwallet.p12 -out private.key -password pass:password -passin pass:password -passout pass:temp

    6. openssl rsa -in private.key -out NewKeyFile.key -passin pass:temp

    7. Linux: cat certificate.crt ca-cert.ca >PEM.pem

      Windows: type certificate.crt ca-cert.ca >PEM.pem

    8. openssl pkcs12 -export -nodes -in PEM.pem -inkey NewKeyFile.key -out ewallet.p12 -passout pass:TrustedCertsOnlyNoPWNeeded

  6. Add the server's certificate to the PIA's truststore.

    1. Export the public key from the server certificate.

      orapki wallet export -wallet <server_wallet> -dn "CN=psft,C=CN" -cert <server_wallet>/<certificate> -pwd <password>

      For example:

      orapki wallet export -wallet wallet.psft -dn "CN=psft,C=CN" -cert wallet.psft/psft.cer -pwd password
    2. Add the server's certificate to the client's truststore.

      cd %ORACLE_HOME%\jdk\bin
      keytool -import -file <server_wallet>/<certificate> -alias srv_cert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt

      For example:

      keytool -import -file wallet.psft\psft.cer -alias srv_cert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt
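The following POSIX shell script is an added example and is not part of the Oracle procedure above. It reproduces step 5 (removing the client wallet password) with openssl only, as `rewrap_wallet`, and adds the check a practitioner wants afterwards: that the re-exported `ewallet.p12` still carries the server certificate from step 4 as a trusted certificate, compared by SHA-256 fingerprint rather than by subject name, and that it opens only with the new password. Because `orapki` is not assumed to be available, `make_sample_wallet` builds a constructed stand-in for `wallet.wscpsft` (a self-signed "server" certificate playing the role of `psft.cer`, plus a client key and certificate) with openssl; the function names, the `--demo` switch and the 2048-bit sample keys are this example's own choices, not anything the page specifies.

```shell
#!/bin/sh
# Added example, not from the Oracle/PeopleSoft page. Assumes openssl on PATH.
set -eu

# Steps 3-8 of "remove client wallet password": split the password-protected
# PKCS#12 into its parts, strip the key passphrase, and re-export.
# Usage: rewrap_wallet <in.p12> <old_password> <out.p12> <new_password>
rewrap_wallet() {
    in_p12=$1; old_pw=$2; out_p12=$3; new_pw=$4
    work=$(mktemp -d)
    # the client's own certificate (the bag that matches the private key)
    openssl pkcs12 -clcerts -nokeys -in "$in_p12" -out "$work/certificate.crt" -passin "pass:$old_pw"
    # trusted certificates (bags without a key), e.g. the server's psft.cer
    openssl pkcs12 -cacerts -nokeys -in "$in_p12" -out "$work/ca-cert.ca" -passin "pass:$old_pw"
    # private key, first under a throwaway passphrase, then with none
    openssl pkcs12 -nocerts -in "$in_p12" -out "$work/private.key" -passin "pass:$old_pw" -passout pass:temp
    openssl rsa -in "$work/private.key" -out "$work/NewKeyFile.key" -passin pass:temp
    cat "$work/certificate.crt" "$work/ca-cert.ca" > "$work/PEM.pem"
    # -nodes: the key is stored unencrypted inside the new PKCS#12, so the
    # file's permissions are now the only thing protecting it
    openssl pkcs12 -export -nodes -in "$work/PEM.pem" -inkey "$work/NewKeyFile.key" \
        -out "$out_p12" -passout "pass:$new_pw"
    rm -rf "$work"
}

# SHA-256 fingerprint of a single PEM certificate file (hex, colon separated)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprints of every trusted (CA-bag) certificate in a wallet, one
# per line: exactly the set of server certificates this client will trust.
# Usage: wallet_trusted_fingerprints <wallet.p12> <password>
wallet_trusted_fingerprints() {
    p12=$1; pw=$2
    work=$(mktemp -d)
    # split the PEM stream into one file per certificate
    openssl pkcs12 -cacerts -nokeys -in "$p12" -passin "pass:$pw" \
        | awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++; f=d"/ca"n".pem"} f{print > f}'
    for f in "$work"/ca*.pem; do
        [ -e "$f" ] || continue
        cert_fingerprint "$f"
    done
    rm -rf "$work"
}

# Constructed sample input (not a real wallet): a self-signed "server" cert in
# the role of psft.cer and a client key+cert, bundled into a password-protected
# ewallet.p12 the way steps 1-4 leave wallet.wscpsft. Writes into directory $1.
make_sample_wallet() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=psft/C=CN" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=not_used/C=CN" \
        -keyout "$d/client.key" -out "$d/client.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" \
        -certfile "$d/server.crt" -out "$d/ewallet.p12" -passout pass:password
}

# End-to-end run on the constructed sample: sh wallet_rewrap.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_wallet "$d"
    rewrap_wallet "$d/ewallet.p12" password "$d/new.p12" TrustedCertsOnlyNoPWNeeded
    echo "server cert  : $(cert_fingerprint "$d/server.crt")"
    echo "wallet trusts: $(wallet_trusted_fingerprints "$d/new.p12" TrustedCertsOnlyNoPWNeeded)"
    rm -rf "$d"
fi
```

Run it against the real client wallet with `rewrap_wallet wallet.wscpsft/ewallet.p12 password wallet.wscpsft/ewallet.p12 TrustedCertsOnlyNoPWNeeded` after copying the original aside as the procedure does, then compare `wallet_trusted_fingerprints` on the result with `cert_fingerprint wallet.psft/psft.cer`. Fingerprints are compared instead of subjects because a subject such as `CN=psft,C=CN` proves nothing about which key the client will actually trust; two certificates can share a subject. The same openssl steps also work for the server wallet if it is ever converted the same way.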