Hello, everyone, today we would like to share with you the way to create an Oracle wallet, to save the certificates and thus be able to configure a secure access through SSL to the database. We will do it through a .p12 certificate.
What is an Oracle Wallet and what is a p12 certificate?
Oracle Wallet is a directory inside the server where passwords are written (in encrypted form), this allows us to manage database credentials or certificates. It can be managed using the graphic tool owmor with commands using mkstore.
Once it is configured, the database is told where to find the Wallet by configuring specific parameters in the sqlnet.ora file and for example retrieving a stored password by referring to a TNS alias configured in its tnsnames.ora file. So there are no services that you should start or stop, nor should you install anything in particular.
To access the listener via SSL, you must configure the listener.ora indicating the port and the new protocol (TCPS). Today we are just going to see how to upload a .p12 certificate into our wallet.
The p12 fileis created in binary formatwhere the certificate (including its intermediate certificates) is saved with the private key. The certificates and the private key are protected in the file with a password.
Once we have seen the terms we will see how it is created:
The Oracle documentation tells us that we can directly rename the file with the extension p12 to ewallet.p12 and use it, but in some cases it causes us problems. We have seen these problems in version 11, but it seems that in 12 it can also occur. What we have detected is that when opening the wallet with the file it does not correctly show the certificate it contains. Why?
Reviewing Oracle errors we have encountered this one in particular:
Bug 10178208 : USER CERTIFICATE IS NOT VISIBLE IN OWM WITH OPENSSL CREATED WALLETS
This bug is reported in 22.214.171.124 but in 126.96.36.199we have reproduced it equally.
It seems that it does not have a simple solution unless the following workaround is applied:
1. Convert the wallet p12 to jks
orapki wallet pkcs12_to_jks -wallet ewallet.p12 -jksKeyStoreLoc ewallet.jks -jksKeyStorepwd WalletPass
2. We create a new empty wallet
mkdir /home/oracle/wallet orapki wallet create -wallet /home/oracle/wallet -pwd WalletPass
We create it with the same password as the p12 certificate to avoid problems.
3. On the contrary, we import from jks to the new empty wallet
orapki wallet jks_to_pkcs12 -wallet /home/oracle/wallet -pwd WalletPass -keystore ewallet.jks -jkspwd WalletPass
And voila, we already have the wallet working with the certificate that we have generated ourselves.
We hope you find it useful.
If you do not want to miss our tickets on Oracle, do not hesitate to subscribe to our newsletter.