This chapter describes how to configure Oracle wallets.
WLST commands are available to manage Oracle wallets for Oracle Fusion Middleware components.
Use the commands listed in Table 4-1 for this task.
See Also:
Administering Oracle Fusion Middleware for important instructions on how to launch the WLST shell to run SSL-related commands. Do not launch the WLST interface from any other location.
Note:
All WLST commands for SSL configuration must be run in online mode.
You can obtain help for each command by issuing:
help('command_name')
Certain commands require parameters like instance name, ias-component and process type. You can obtain this information with the command:
state('serverName') [in WebLogic domain]
nmServerStatus(serverName='name', serverType='type') [in Standalone domain]
Table 4-1 WLST Commands for Oracle Wallet Management
Use this command... | To... | Use with WLST... |
---|---|---|
addCertificateRequest | Generate a certificate signing request in an Oracle wallet. | Online |
addSelfSignedCertificate | Add a self-signed certificate to an Oracle wallet. | Online |
changeWalletPassword | Change the password to an Oracle wallet. | Online |
createWallet | Create an Oracle wallet. | Online |
deleteWallet | Delete an Oracle wallet. | Online |
exportWallet | Export an Oracle wallet to a file. | Online |
exportWalletObject | Export an object (for example, a certificate) from an Oracle wallet to a file. | Online |
getWalletObject | Display a certificate or other object present in an Oracle wallet. | Online |
importWallet | Import an Oracle wallet from a file. | Online |
importWalletObject | Import a certificate or other object from a file to an Oracle wallet. | Online |
listWalletObjects | List all objects (such as certificates) present in an Oracle wallet. | Online |
listWallets | List all Oracle wallets configured for a component instance. | Online |
removeWalletObject | Remove a certificate or other object from a component instance's Oracle wallet. | Online |
Note:
WLST allows you to import certificates only in PEM format.
Online command that generates a certificate signing request in an Oracle wallet.
This command generates a certificate signing request in Base64 encoded PKCS#10 format in an Oracle wallet for a component instance (Oracle HTTP Server). To get a certificate signed by a certificate authority (CA), send the certificate signing request to your CA.
addCertificateRequest('instName', 'compName', 'compType', 'walletName', 'password', 'DN', 'keySize')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
The following command generates a certificate signing request with DN cn=www.acme.com and key size 1024 in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> addCertificateRequest('inst1', 'ohs1', 'ohs','wallet1', 'password', 'cn=www.acme.com', '1024')
Online command that adds a self-signed certificate.
This command creates a key pair and wraps it in a self-signed certificate in an Oracle wallet for the specified component instance (Oracle HTTP Server). Only keys based on the RSA algorithm are generated.
addSelfSignedCertificate('instName', 'compName', 'compType', 'walletName', 'password', 'DN', 'keySize')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
The following command adds a self-signed certificate with DN cn=www.acme.com, key size 1024 to wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> addSelfSignedCertificate('inst1', 'ohs1', 'ohs','wallet1', 'password', 'cn=www.acme.com', '1024')
Online command that changes the password of an Oracle wallet.
This command changes the password of an Oracle wallet for the specified component instance (Oracle HTTP Server). This command is only applicable to password-protected wallets.
changeWalletPassword('instName', 'compName', 'compType', 'walletName','currPassword', 'newPassword')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the filename of the wallet. |
currPassword | Specifies the current wallet password. |
newPassword | Specifies the new wallet password. |
Online command that creates an Oracle wallet.
This command creates an Oracle wallet for the specified component instance (Oracle HTTP Server). Wallets can be of password-protected or auto-login type.
createWallet('instName', 'compName', 'compType', 'walletName', 'password')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet file to be created. |
password | Specifies the wallet password. |
The following command creates a wallet named wallet1 with password password, for Oracle HTTP Server instance ohs1 in application server instance inst1:
wls:/mydomain/serverConfig> createWallet('inst1', 'ohs1', 'ohs','wallet1', 'password')
The following command creates an auto-login wallet named wallet2 for Oracle WebCache instance wc1, in application server instance inst1:
wls:/mydomain/serverConfig> createWallet('inst1', 'wc1', 'webcache','wallet2', '')
Online command that deletes an Oracle wallet.
deleteWallet('instName', 'compName', 'compType', 'walletName')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet file to be deleted. |
Online command that exports an Oracle wallet.
This command exports an Oracle wallet, configured for a specified component instance, to files under the given directory. If the exported wallet is an auto-login only wallet, the file name is cwallet.sso. If it is a password-protected wallet, two files are created: ewallet.p12 and cwallet.sso.
exportWallet('instName', 'compName', 'compType', 'walletName','password', 'path')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
path | Specifies the absolute path of the directory under which the object is exported. |
The following command exports auto-login wallet wallet1 for Oracle HTTP Server instance ohs1 to file cwallet.sso under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'ohs1', 'ohs', 'wallet1','','/tmp')
The following command exports password-protected wallet wallet2 for Oracle HTTP Server instance ohs1 to two files, ewallet.p12 and cwallet.sso, under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'ohs1', 'ohs', 'wallet2', 'password', '/tmp')
Online command that exports a certificate or other wallet object to a file.
This command exports a certificate signing request, certificate, certificate chain or trusted certificate present in an Oracle wallet to a file for the specified component instance. DN indicates the object to be exported.
exportWalletObject('instName', 'compName', 'compType', 'walletName', 'password', 'type', 'path', 'DN')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedChain'. |
path | Specifies the absolute path of the directory under which the object is exported as a file base64.txt. |
DN | Specifies the Distinguished Name of the wallet object being exported. |
The following command exports a certificate signing request with DN cn=www.acme.com in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'CertificateRequest', '/tmp','cn=www.acme.com')
The following command exports a certificate with DN cn=www.acme.com in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'Certificate', '/tmp','cn=www.acme.com')
The following command exports a trusted certificate with DN cn=www.acme.com in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'TrustedCertificate', '/tmp','cn=www.acme.com')
The following command exports a certificate chain with DN cn=www.acme.com in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'TrustedChain', '/tmp','cn=www.acme.com')
Online command that displays information about a certificate or other object in an Oracle wallet.
This command displays a specific certificate signing request, certificate or trusted certificate present in an Oracle wallet for the specified component instance. The wallet object is indicated by its index number, as given by the listWalletObjects command. For certificates or trusted certificates, it shows the certificate details including DN, key size, algorithm and other data. For certificate signing requests, it shows the subject DN, key size and algorithm.
getWalletObject('instName', 'compName', 'compType', 'walletName', 'password', 'type', 'index')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be displayed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
index | Specifies the index number of the wallet object as returned by the listWalletObjects command. |
The following command shows certificate signing request details for the object with index 0 present in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'ohs1', 'ohs','wallet1','password', 'CertificateRequest', '0')
The following command shows certificate details for the object with index 0 present in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'ohs1', 'ohs','wallet1','password', 'Certificate', '0')
The following command shows trusted certificate details for the object with index 0, present in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'ohs1', 'ohs','wallet1','password', 'TrustedCertificate', '0')
Online command that imports an Oracle wallet from a file.
This command imports an Oracle wallet from a file to the specified component instance for manageability. If the wallet being imported is an auto-login wallet, the file path must point to cwallet.sso; if the wallet is password-protected, it must point to ewallet.p12. The wallet name must be unique for the component instance.
importWallet('instName', 'compName', 'compType', 'walletName', 'password', 'filePath')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet being imported. The name must be unique for the component instance. |
password | Specifies the password of the wallet. |
filePath | Specifies the absolute path of the wallet file being imported. |
The following command imports the auto-login wallet file /tmp/cwallet.sso as wallet1 into Oracle HTTP Server instance ohs1. Subsequently, the wallet is managed with the name wallet1. No password is passed since it is an auto-login wallet:
wls:/mydomain/serverConfig> importWallet('inst1', 'ohs1', 'ohs', 'wallet1', '', '/tmp/cwallet.sso')
The following command imports password-protected wallet /tmp/ewallet.p12 as wallet2 into Oracle HTTP Server instance ohs1. Subsequently, the wallet is managed with the name wallet2. The wallet password is passed as a parameter:
wls:/mydomain/serverConfig> importWallet('inst1', 'ohs1', 'ohs', 'wallet2', 'password', '/tmp/ewallet.p12')
Online command that imports a certificate or other object into an Oracle wallet.
This command imports a certificate, trusted certificate or certificate chain into an Oracle wallet for the specified component instance. When importing a certificate, use the same wallet file from which the certificate signing request was generated.
importWalletObject('instName', 'compName', 'compType', 'walletName', 'password', 'type', 'filePath')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be imported. Valid values are 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
filePath | Specifies the absolute path of the file containing the wallet object. |
The following command imports a certificate chain in PKCS#7 format from file chain.txt into wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'TrustedChain','/tmp/chain.txt')
The following command imports a certificate from file cert.txt into wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'Certificate','/tmp/cert.txt')
The following command imports a trusted certificate from file trust.txt into wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'TrustedCertificate','/tmp/trust.txt')
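A pre-import check for the PEM-only restriction noted earlier, as an added example that is not part of Oracle's documentation: it runs outside WLST in standard Python 3, rejects binary DER or damaged files, and reports which 'type' argument of importWalletObject fits a file. The label-to-type mapping follows this page's import examples; the function names, the "PKCS7" PEM label and the sample bytes are assumptions made for illustration.

```python
import base64
import re

# PEM label -> importWalletObject 'type' values it fits (mapping taken from
# this page's examples; the "PKCS7" label is an assumption, as OpenSSL writes it).
LABEL_TO_TYPES = {
    "CERTIFICATE": ["Certificate", "TrustedCertificate"],
    "PKCS7": ["TrustedChain"],
}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def der_sequence_ok(der):
    """True if der is exactly one ASN.1 SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    k = first & 0x7F                      # long form: next k bytes hold the length
    if k == 0 or len(der) < 2 + k:
        return False
    return len(der) == 2 + k + int.from_bytes(der[2:2 + k], "big")


def check_import_file(data):
    """Classify raw file bytes before calling importWalletObject.

    Returns (ok, types, reason); types lists the 'type' arguments that fit.
    """
    blocks = PEM_RE.findall(data.decode("latin-1"))
    if not blocks:
        if der_sequence_ok(data):
            return (False, [], "binary DER; convert to PEM before import")
        return (False, [], "no PEM BEGIN/END block found")
    labels = sorted(set(label for label, _ in blocks))
    if len(labels) != 1:
        return (False, [], "mixed PEM labels: " + ", ".join(labels))
    if labels[0] not in LABEL_TO_TYPES:
        return (False, [], "label '%s' is not an importable object" % labels[0])
    for _, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # bad alphabet or padding
            return (False, [], "corrupt base64 body")
        if not der_sequence_ok(der):
            return (False, [], "body is not one complete DER SEQUENCE")
    return (True, LABEL_TO_TYPES[labels[0]],
            "%d %s block(s)" % (len(blocks), labels[0]))


# Constructed sample: a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020100")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_import_file(SAMPLE_PEM))
    print(check_import_file(SAMPLE_DER))
```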
Online command that lists all objects in an Oracle wallet.
This command lists all certificate signing requests, certificates, or trusted certificates present in an Oracle wallet for the specified component instance.
listWalletObjects('instName', 'compName', 'compType', 'walletName', 'password', 'type')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be listed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
The following command lists all certificate signing requests in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'ohs1', 'ohs','wallet1','password', 'CertificateRequest')
The following command lists all certificates in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'ohs1', 'ohs','wallet1','password', 'Certificate')
The following command lists all trusted certificates in wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'ohs1', 'ohs','wallet1','password', 'TrustedCertificate')
Online command that lists all wallets configured for a component instance.
This command displays all the wallets configured for the specified component instance, and identifies the auto-login wallets.
Online command that removes a certificate or other object from an Oracle wallet.
This command removes a certificate signing request, certificate, trusted certificate or all trusted certificates from an Oracle wallet for the specified component instance. DN is used to indicate the object to be removed.
removeWalletObject('instName', 'compName', 'compType', 'walletName', 'password', 'type', 'DN')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of the wallet object to be removed. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
DN | Specifies the Distinguished Name of the wallet object to be removed. |
The following command removes all trusted certificates from wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1. It is not necessary to provide a DN, so you pass null (denoted by None) for the DN parameter:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'TrustedAll',None)
The following command removes a certificate signing request indicated by DN cn=www.acme.com from wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'CertificateRequest','cn=www.acme.com')
The following command removes a certificate indicated by DN cn=www.acme.com from wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'Certificate','cn=www.acme.com')
The following command removes a trusted certificate indicated by DN cn=www.acme.com from wallet1, for Oracle HTTP Server instance ohs1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'TrustedCertificate','cn=www.acme.com')