18
Using Oracle Wallet Manager

Security administrators use Oracle Wallet Manager to manage public-key security credentials on Oracle clients and servers. The wallets it creates are opened by using either the Oracle Enterprise Login Assistant or the Oracle Wallet Manager.

This chapter describes the Oracle Wallet Manager, in the following sections:

• Overview

• Managing Wallets

• Managing Certificates

  See Also: Chapter 19, Using Oracle Enterprise Login Assistant, for information about how to open and close wallets for secure SSL communications using Oracle Enterprise Login Assistant

Overview

Traditional private-key or symmetric-key cryptography requires that entities desiring to establish secure communications possess a single secret key known only to them. Harriet and Dick, for example, could agree to shift each letter in their private messages by two character positions (A becomes C, B becomes E, and so on) to encrypt the message text. Using this method, a HELLO message from Harriet to Dick would read JGNNP. The actual encryption methods in current use are much more complex and significantly more secure, but an underlying problem remains--sending messages encrypted with a single key requires prior, secure distribution of the key to each participating party. Otherwise, a malicious third party might obtain the key, intercept communications, and compromise security. Public-key cryptography addresses this problem, by providing a secure method for key distribution.

Public-key cryptography requires a party to possess a public/private key pair. The private key is kept secret and is known only to that party. The public key, as the name implies, is freely available. To send a secret message to this party requires that a third party sender encrypt the message with the public key. Such a message can only be decrypted by a party holding the associated private key.

For example, when Dick wants to send a secure message to Harriet, he first asks Harriet for her public key (or obtains it from another, public source). Harriet gives Dick the public key, but Tom, a malicious eavesdropper, also obtains the public key. Nevertheless, when Dick sends Harriet a message encrypted with her public key, Tom cannot decrypt it; the message can only be decrypted with Harriet's private key.

Public-key algorithms thus guarantee the secrecy of a message, but they don't guarantee secure communications because they don't verify the identities of the communicating parties. In order to establish secure communications, it is important to verify that the public key used to encrypt a message does in fact belong to the target recipient. Otherwise, a third party can potentially eavesdrop on the communication and intercept public key requests, substituting its public key for a legitimate key.

If Tom, for example, is able to substitute his public key for Harriet's public key and send it to Dick, Dick might then send a message to Harriet encrypted with Tom's public key--believing he was using Harriet's public key. Tom could then decrypt a subsequent intercepted message from Dick using his private key, re-encrypt it with Harriet's public key and re-transmit it to Harriet. Harriet could then decrypt the incoming message using her private key, and never know that it had been intercepted by Tom--the man-in-the-middle.

In order to avoid such a man-in-the-middle attack, it is necessary to verify the owner of the public key, a process called authentication. This authentication can be accomplished through a certificate authority (CA).

A CA is a third party that is trusted by both of the parties attempting secure communication. The CA issues public key certificates that contain an entity's name, public key, and certain other security credentials. Such credentials typically include the CA name, the CA signature, and the certificate effective dates (From Date, To Date).

The CA uses its private key to encrypt a message, while the public key is used to decrypt it, thus verifying that the message was encrypted by the CA. The CA public key is well known, and does not have to be authenticated each time it is accessed. Such CA public keys are stored in an Oracle wallet.

Oracle Wallet Manager is a stand-alone Java application that wallet owners use to manage and edit the security credentials in their Oracle wallets. These tasks include the following:

• Generating a public/private key pair and creating a certificate request for submission to a CA.

• Installing a certificate for the entity.

• Configuring trusted certificates for the entity.

• Opening a wallet to enable access to PKI-based services.

• Creating a wallet that can be accessed by using either Oracle Enterprise Login Assistant or Oracle Wallet Manager.

Managing Wallets

This section describes how to create a new wallet and perform associated wallet management tasks, such as generating certificate requests, exporting certificate requests, and importing certificates into wallets, in the following subsections:

• Starting Oracle Wallet Manager

• Creating a New Wallet

• Opening an Existing Wallet

• Closing a Wallet

• Saving Changes

• Saving the Open Wallet to a New Location

• Saving in System Default

• Deleting the Wallet

• Changing the Password

• Using Auto Login

• Using Oracle Wallet Manager with Oracle Application Server

Starting Oracle Wallet Manager

To start Oracle Wallet Manager:

• Microsoft NT: Select Start-->Programs-->Oracle-OraHome81-->Network Administration-->Wallet Manager

• UNIX: Enter owm at the command line.

Creating a New Wallet

Create a new wallet as follows:

1. Choose Wallet > New from the menu bar; the New Wallet dialog box appears.

2. Read the recommended guidelines for creating a password and enter a password in the Wallet Password field.

   Because an Oracle wallet contains a user's credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong password for the wallet. A malicious user who guesses the password to a user's wallet can access all the databases that the user can access.

   Oracle Corporation recommends that you choose a password that is not too short, not easily guessed, and is reasonably complex. A reasonably complex password has at least six characters, and contains at least one symbol or number--so that it will not be found in a dictionary.

   Example: gol8fer

   It is also a prudent security practice for users to change their passwords periodically, such as once a month, or once a quarter.

3. Re-enter that password in the Confirm Password field.

4. Choose OK to continue.

5. An Alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to create a certificate request. See: Creating a Certificate Request.

   If you choose Cancel, you are returned to the Oracle Wallet Manager main window. The new wallet you just created appears in the left window pane. The certificate has a status of Empty, and the wallet displays its default trusted certificates.

6. Select Wallet > Save In System Default to save the new wallet.

   If you do not have permission to save the wallet in the system default, you can save it to another location.

   A message at the bottom of the window informs you that the wallet was successfully saved.

Opening an Existing Wallet

Open a wallet that already exists in the file system directory as follows:

1. Choose Wallet > Open from the menu bar; the Select Directory dialog box appears.

2. Navigate to the directory location in which the wallet is located, and select the directory.

3. Choose OK; the Open Wallet dialog box appears.

4. Enter the wallet password in the Wallet Password field.

5. Choose OK.

6. The message Wallet opened successfully appears at the bottom of the window, and you are returned to the Oracle Wallet Manager main window. The wallet's certificate and its trusted certificates are displayed in the left window pane.

Closing a Wallet

To close an open wallet in the currently selected directory:

• Choose Wallet > Close.

• The message Wallet closed successfully appears at the bottom of the window, to confirm that the wallet is closed.

Saving Changes

To save your changes to the current open wallet:

• Choose Wallet > Save.

• A message at the bottom of the window confirms that the wallet changes were successfully saved to the wallet in the selected directory location.

Saving the Open Wallet to a New Location

Use the Save As option to save the current open wallet to a new directory location:

1. Choose Wallet > Save As; the select directory dialog box appears.

2. Select a directory location to save the wallet.

3. Choose OK.

   The following message appears if a wallet already exists in the selected directory:

   A wallet already exists in the selected path. Do you want to overwrite it?.

   Choose Yes to overwrite the existing wallet, or No to save the wallet to another directory.

   A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.

Saving in System Default

Use the Save in System Default menu option to save the current open wallet to the system default directory location. This makes the current open wallet the wallet that is used by SSL:

• Choose Wallet > Save in System Default.

• A message at the bottom of the window confirms that the wallet was successfully saved in the system default wallet location.

Deleting the Wallet

To delete the current open wallet:

1. Choose Wallet > Delete; the Delete Wallet dialog box appears.

2. Review the displayed wallet location to verify you are deleting the correct wallet.

3. Enter the wallet password.

4. Choose OK; a dialog panel appears to inform you that the wallet was successfully deleted.

   Note: Any open wallet in application memory will remain in memory until the application exits. Therefore, deleting a wallet that is currently in use does not immediately affect system operation.

Changing the Password

A password change is effective immediately. The wallet is saved to the currently selected directory, with the new encrypted password.To change the password for the current open wallet:

1. Choose Wallet > Change Password; the Change Wallet Password dialog box appears.

2. Enter the existing wallet password.

3. Enter the new password.

4. Re-enter the new password.

5. Choose OK.

A message at the bottom of the window confirms that the password was successfully changed.

Using Auto Login

The Oracle Wallet Manager Auto Login feature opens a copy of the wallet and enables PKI-based access to secure services--as long as the wallet in the specified directory remains open in memory.

You must enable Auto Login if you want single sign-on access to multiple Oracle databases.

Enabling Auto Login

To enable Auto Login:

1. Choose Wallet from the menu bar.

2. Choose the check box next to the Auto Login menu item; a message at the bottom of the window displays Autologin enabled.

Disabling Auto Login

To disable Auto Login:

1. Choose Wallet from the menu bar.

2. Choose the check box next to the Auto Login menu item; a message at the bottom of the window displays Autologin disabled.

Using Oracle Wallet Manager with Oracle Application Server

When using the Oracle Application Server (OAS), you must install the Oracle Wallet Manager on a primary node and on each remote node in a multi-node configuration. After you install the product on each node you must then copy the wallet from the primary node to each of the remote nodes.

Managing Certificates

Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. This section describes how to manage both certificate types, in the following subsections:

• Managing User Certificates

• Managing Trusted Certificates

  Note: You must first install a trusted certificate from the certificate authority before you can install a user certificate issued by that authority. Several trusted certificates are installed by default when you create a new wallet.

  Managing User Certificates

  Managing user certificates involves the following tasks:

  • Creating a Certificate Request

  • Exporting a User Certificate Request

  • Importing the User Certificate into the Wallet

  • Removing a User Certificate from a Wallet

  Creating a Certificate Request

  The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you cannot edit an existing certificate request; store only a correctly filled out certificate request in a wallet.

  To create a PKCS #10 certificate request:

  1. Choose Operations > Create Certificate Request; the Create Certificate Request dialog box appears.

  2. Enter the following information (Table 18-1):

     Table 18-1 Certificate Request: Fields and Descriptions

     Field Name	Description
     Common Name	Mandatory. Enter the name of the user's or service's identity. Enter a user's name in first name /last name format.
     Organizational Unit	Optional. Enter the name of the identity's organizational unit. Example: Finance.
     Organization	Optional.Enter the name of the identity's organization. Example: XYZ Corp.
     Locality/City	Optional. Enter the name of the locality or city in which the identity resides.
     State/Province	Optional. Enter the full name of the state or province in which the identity resides. Enter the full state name, because some certificate authorities do not accept two-letter abbreviations.
     Country	Mandatory. Choose the drop-down list to view a list of country abbreviations. Select the country in which the organization is located.
     Key Size	Mandatory. Choose the drop-down box to view a list of key sizes to use when creating the public/private key pair.
     Advanced	Optional. Choose Advanced to view the Advanced Certificate Request dialog panel. Use this field to edit or customize the identity's distinguished name (DN). For example, you can edit the full state name and locality.

  3. Choose OK. An Oracle Wallet Manager dialog box informs you that a certificate request was successfully created. You can either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message to send to a certificate authority, or you can export the certificate request to a file.

  4. Choose OK. You are returned to the Oracle Wallet Manager main window; the status of the certificate is changed to Requested.

  Exporting a User Certificate Request

  Save the certificate request in a file system directory when you elect to export a certificate request:

  1. Choose Operations > Export Certificate Request from the menu bar; the Export Certificate Request dialog box appears.

  2. Enter the file system directory in which you want o save your certificate request, or navigate to the directory structure under Folders.

  3. Enter a file name to save your certificate request, in the Enter File Name field.

  4. Choose OK. A message at the bottom of the window confirms that the certificate request was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.

  Importing the User Certificate into the Wallet

  You will receive an e-mail notification from the certificate authority informing you that your certificate request has been fulfilled. Import the certificate into a wallet in either of two ways: copy and paste the certificate from the e-mail you receive from the certificate authority, or import the user certificate from a file.

  Pasting the Certificate

  To paste the certificate:

  1. Copy the certificate text from the e-mail message or file you receive from the certificate authority. Include the lines Begin Certificate and End Certificate.

  2. Choose Operations > Import User Certificate from the menu bar; the Import Certificate dialog box appears.

  3. Choose the Paste the Certificate button, and choose OK; an Import Certificate dialog box appears with the following message:

     Please provide a base64 format certificate and paste it below.

  4. Paste the certificate into the dialog box, and choose OK. A message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the wallet status changes to Ready.

  Selecting a File that Contains the Certificate

  To select the file:

  1. Choose Operations > Import User Certificate from the menu bar.

  2. Choose the Select a file... certificate button, and choose OK; the Import Certificate dialog box appears.

  3. Enter the path or folder name of the certificate location.

  4. Select the name of the certificate file (for example, cert.txt).

  5. Choose OK. A message at the bottom of the window appears, to inform you that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the wallet status is changes to Ready.

  Removing a User Certificate from a Wallet

  1. Choose Operations > Remove User Certificate; a dialog panel appears and prompts you to verify that you want to remove the user certificate from the wallet.

  2. Choose Yes; you are returned to the Oracle Wallet Manager main panel, and the certificate displays a status of Requested.

  Managing Trusted Certificates

  Managing trusted certificates includes the following tasks:

  • Importing a Trusted Certificate

  • Removing a Trusted Certificate

  • Exporting a Trusted Certificate

  • Exporting All Trusted Certificates

  • Exporting a Wallet

  Importing a Trusted Certificate

  You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file.

  Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, and GTE CyberTrust when you create a new wallet.

  Pasting the Trusted Certificate

  To paste the trusted certificate:

  1. Choose Operations > Import Trusted Certificate from the menu bar; the Import Trusted Certificate dialog panel appears.

  2. Choose the Paste the Certificate button, and choose OK. An Import Trusted Certificate dialog panel appears with the following message:

     Please provide a base64 format certificate and paste it below.

  3. Copy the trusted certificate from the body of the e-mail message you received that contained the user certificate. Include the lines Begin Certificate and End Certificate.

  4. Paste the certificate into the window, and Choose OK. A message at the bottom of the window informs you that the trusted certificate was successfully installed.

  5. Choose OK; you are returned to the Oracle Wallet Manager main panel, and the trusted certificate appears at the bottom of the Trusted Certificates tree.

  Selecting a File that Contains the Trusted Certificate

  To select the file:

  1. Choose Operations > Import Trusted Certificate from the menu bar. The Import Trusted Certificate dialog panel appears.

  2. Enter the path or folder name of the trusted certificate location.

  3. Select the name of the trusted certificate file (for example, cert.txt).

  4. Choose OK. A message at the bottom of the window informs you that the trusted certificate was successfully imported into the wallet.

  5. Choose OK to exit the dialog panel; you are returned to the Oracle Wallet Manager main panel, and the trusted certificate appears at the bottom of the Trusted Certificates tree.

  Removing a Trusted Certificate

  To remove a trusted certificate from a wallet:

  1. Select the trusted certificate listed in the Trusted Certificates tree.

  2. Choose Operations > Remove Trusted Certificate from the menu bar.

     A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.

  3. Choose Yes; the selected trusted certificate is removed from the Trusted Certificates tree.

     Note: A certificate that is signed by a trusted certificate is no longer verifiable when you remove it from your wallet. Also, you cannot remove a trusted certificate if it has been used to sign a user certificate that is still present in the wallet. To remove such a trusted certificate, you must first remove the certificates that it has signed.

  Exporting a Trusted Certificate

  To export a trusted certificate to another file system location:

  1. Select Operations > Export Trusted Certificate; the Export Trusted Certificate dialog box appears.

  2. Select a file system directory to save your trusted certificate, or choose Browse to display the directory structure.

  3. Enter a file name to save your trusted certificate.

  4. Choose OK; you are returned to the Oracle Wallet Manager main window.

  Exporting All Trusted Certificates

  To export all of your trusted certificates to another file system location:

  1. Choose Operations > Export All Trusted Certificates. The Export Trusted Certificate dialog box appears.

  2. Select the file system directory to save your trusted certificates, or choose Browse to display the directory structure.

  3. Enter a file name to save your trusted certificates.

  4. Choose OK; you are returned to the Oracle Wallet Manager main window.

  Exporting a Wallet

  You can export a wallet to text-based PKI formats. Individual components are formatted according to the following standards (Table 18-2):

  Table 18-2 PKI Wallet Encoding Standards

  Component	Encoding Standard
  Certificate chains	X509v3
  Trusted certificates	X509v3
  Private keys	PKCS5