Setting Up Oracle Wallet Using ORAPKI
To set up Oracle Wallet using the ORAPKI command line in Oracle Database, complete the following steps:

1. Create a server wallet for the Application Server domain.

   a. Create the server wallet with the following command:

      orapki wallet create -wallet <wallet_name> -pwd <password>

      For example:

      C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet create -wallet wallet.psft -pwd password

   b. Add a self-signed certificate to the wallet:

      orapki wallet add -wallet <wallet_name> -dn "user_dn" -keysize 1024 -self_signed -validity 3650 -pwd <password>

      For example:

      C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet add -wallet wallet.psft -dn "CN=psft,C=CN" -keysize 1024 -self_signed -validity 3650 -pwd password

2. Create a client wallet for the workstation clients.

   a. Create the workstation wallet with the following command:

      orapki wallet create -wallet <client_wallet_name> -pwd <password>

      For example:

      C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet create -wallet wallet.wscpsft -pwd password

   b. Add a self-signed certificate to the wallet:

      orapki wallet add -wallet <client_wallet_name> -dn "user_dn" -keysize 1024 -self_signed -validity 3650 -pwd <password>

      For example:

      C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet add -wallet wallet.wscpsft -dn "CN=not_used,C=CN" -keysize 1024 -self_signed -validity 3650 -pwd password

3. Make the client wallet trust the server certificate.

   a. Export the server certificate (its public key) from the server wallet:

      orapki wallet export -wallet <server_wallet> -dn "user_dn" -cert <server_wallet>/<certificate> -pwd <password>

      For example:

      C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet export -wallet wallet.psft -dn "CN=psft,C=CN" -cert wallet.psft/psft.cer -pwd password

   b. Add the exported server certificate to the client wallet as a trusted certificate:

      orapki wallet add -wallet <client_wallet_name> -trusted_cert -cert <server_wallet>/<certificate> -pwd <password>

      For example:

      C:\oracle\product\12.1.0\dbhome_2\BIN\orapki wallet add -wallet wallet.wscpsft -trusted_cert -cert $PWD/wallet.psft/psft.cer -pwd password

4. (Optional) Remove the client wallet password. The following steps unpack the wallet with openssl, strip the passphrase from the private key, and rebuild ewallet.p12 under a fixed password.

   Change into the client wallet directory and keep a copy of the original wallet file:

   cd wallet.wscpsft

   Linux:

   cp ewallet.p12 oldwallet.p12

   Windows:

   xcopy ewallet.p12 oldwallet.p12

   Extract the client certificate, the CA certificates and the private key, then remove the passphrase from the key:

   openssl pkcs12 -clcerts -nokeys -in oldwallet.p12 -out certificate.crt -password pass:password -passin pass:password
   openssl pkcs12 -cacerts -nokeys -in oldwallet.p12 -out ca-cert.ca -password pass:password -passin pass:password
   openssl pkcs12 -nocerts -in oldwallet.p12 -out private.key -password pass:password -passin pass:password -passout pass:temp
   openssl rsa -in private.key -out NewKeyFile.key -passin pass:temp

   Concatenate the certificates into one PEM file.

   Linux:

   cat certificate.crt ca-cert.ca >PEM.pem

   Windows:

   type certificate.crt ca-cert.ca >PEM.pem

   Rebuild the wallet file from the PEM file and the unprotected key:

   openssl pkcs12 -export -nodes -in PEM.pem -inkey NewKeyFile.key -out ewallet.p12 -passout pass:TrustedCertsOnlyNoPWNeeded

   Note that private.key (passphrase temp) and NewKeyFile.key (no passphrase) now hold the client private key on disk; delete them, together with oldwallet.p12 and PEM.pem, once ewallet.p12 has been rebuilt.
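The password-removal sequence above, reproduced as a shell script so it can be rehearsed on a throwaway PKCS#12 file before it is run against a real client wallet. This is an added example and not part of the Oracle documentation: it assumes openssl (1.1.1 or 3.x) is on PATH, uses only the openssl commands of the procedure, and, unlike the procedure, deletes the intermediate files afterwards because private.key and NewKeyFile.key hold the client private key with a known or no passphrase. The wallet it builds with make_test_wallet is constructed input, not an orapki wallet, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Assumes openssl on PATH.
set -eu

# Constructed test input: a PKCS#12 file with one self-signed RSA key pair,
# protected by the password in $2, standing in for a client ewallet.p12.
make_test_wallet() {  # $1 = wallet directory, $2 = wallet password
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=not_used/C=CN" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/ewallet.p12" -passout "pass:$2"
}

# The documented procedure: split the old wallet into client certificate,
# CA certificates and private key, strip the key passphrase, concatenate
# the certificates and rebuild ewallet.p12 under the fixed password in $3.
# Runs in a subshell so the caller's working directory is untouched.
strip_wallet_password() {  # $1 = wallet directory, $2 = current password, $3 = new password
    (
        cd "$1" &&
        cp ewallet.p12 oldwallet.p12 &&
        openssl pkcs12 -clcerts -nokeys -in oldwallet.p12 -out certificate.crt -passin "pass:$2" &&
        openssl pkcs12 -cacerts -nokeys -in oldwallet.p12 -out ca-cert.ca -passin "pass:$2" &&
        openssl pkcs12 -nocerts -in oldwallet.p12 -out private.key -passin "pass:$2" -passout pass:temp &&
        openssl rsa -in private.key -out NewKeyFile.key -passin pass:temp &&
        cat certificate.crt ca-cert.ca > PEM.pem &&
        openssl pkcs12 -export -nodes -in PEM.pem -inkey NewKeyFile.key -out ewallet.p12 -passout "pass:$3" &&
        # Intermediate files carry the private key with a weak or no passphrase.
        rm -f oldwallet.p12 private.key NewKeyFile.key PEM.pem
    )
}

# Returns 0 when ewallet.p12 in $1 opens (MAC verifies) with password $2.
wallet_opens_with() {  # $1 = wallet directory, $2 = password to try
    openssl pkcs12 -in "$1/ewallet.p12" -nokeys -noout -passin "pass:$2" 2>/dev/null
}

# Stand-alone demonstration on a temporary directory.
demo_dir=$(mktemp -d)
make_test_wallet "$demo_dir" password
strip_wallet_password "$demo_dir" password TrustedCertsOnlyNoPWNeeded
if wallet_opens_with "$demo_dir" TrustedCertsOnlyNoPWNeeded; then
    echo "rebuilt ewallet.p12 opens with the new password"
fi
if wallet_opens_with "$demo_dir" password; then
    echo "unexpected: old password still opens the wallet"
fi
rm -rf "$demo_dir"
```

Run the script against a copy of the real wallet directory by calling strip_wallet_password with the wallet's current password; the `-password` option the documented commands pass alongside `-passin` is redundant and is omitted here.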
5. Add the server certificate to the PIA truststore.

   a. Export the server certificate from the server wallet:

      orapki wallet export -wallet <server_wallet> -dn "CN=psft,C=CN" -cert <server_wallet>/<certificate> -pwd <password>

      For example:

      orapki wallet export -wallet wallet.psft -dn "CN=psft,C=CN" -cert wallet.psft/psft.cer -pwd password

   b. Import the server certificate into the client's truststore with keytool:

      cd %ORACLE_HOME%\jdk\bin
      keytool -import -file <server_wallet>/<certificate> -alias srv_cert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt

      For example:

      keytool -import -file wallet.psft\psft.cer -alias srv_cert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt
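Both trust steps above (the `-trusted_cert` import into the client wallet and the `keytool -import -noprompt` into pskey) install whatever file is handed to them without further checks. The following added example, which is not part of the Oracle documentation, shows the checks worth running on the exported certificate first: that it is self-signed as the procedure expects, that it is within its validity period, and that its SHA-256 fingerprint matches the value obtained out of band from whoever created the server wallet. It assumes openssl is on PATH and accepts the certificate in PEM or DER form; the certificate it creates with make_test_cert is constructed input and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Assumes openssl on PATH.
set -eu

# Constructed test input: a self-signed certificate standing in for psft.cer.
make_test_cert() {  # $1 = certificate output file, $2 = private key output file
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=psft/C=CN" \
        -keyout "$2" -out "$1" 2>/dev/null
}

# Print the certificate in PEM form, accepting either PEM or DER input.
cert_as_pem() {  # $1 = certificate file
    openssl x509 -in "$1" 2>/dev/null || openssl x509 -in "$1" -inform DER
}

# Print only the colon-separated SHA-256 fingerprint (the part after '=').
cert_sha256_fingerprint() {  # $1 = certificate file
    cert_as_pem "$1" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 only if the certificate is self-signed (subject equals issuer),
# has not expired, and matches the fingerprint supplied in $2.
cert_check_before_import() {  # $1 = certificate file, $2 = expected SHA-256 fingerprint
    pem=$(cert_as_pem "$1")
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject=//')
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    if [ "$subject" != "$issuer" ]; then
        echo "not self-signed: issuer is $issuer" >&2
        return 1
    fi
    # -checkend 0 exits non-zero once notAfter has passed.
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2
        return 1
    fi
    actual=$(cert_sha256_fingerprint "$1")
    if [ "$actual" != "$2" ]; then
        echo "fingerprint mismatch: got $actual" >&2
        return 1
    fi
}

# Stand-alone demonstration on a temporary directory.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/psft.cer" "$demo_dir/key.pem"
fp=$(cert_sha256_fingerprint "$demo_dir/psft.cer")
if cert_check_before_import "$demo_dir/psft.cer" "$fp"; then
    echo "psft.cer passed the checks, fingerprint $fp"
fi
rm -rf "$demo_dir"
```

In practice the expected fingerprint is the one the server wallet's owner reads off with the same command on the original psft.cer; the function should be run on the copy that reached the workstation or the PIA host, immediately before the import.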