Oracle Wallet. How to create it with a p12 certificate

Hello, everyone. Today we would like to share with you how to create an Oracle wallet to store certificates so that you can configure secure SSL access to the database. We will do this by means of a .p12 certificate.

What is an Oracle Wallet and what is a p12 certificate?


Oracle Wallet is a directory on the server where passwords are written (in encrypted form); this allows us to manage database credentials or certificates. It can be managed with the graphical tool owm or from the command line with mkstore.
Once it is configured, the database is told where to find the wallet through specific parameters in the sqlnet.ora file, and can then retrieve, for example, a stored password that refers to a TNS alias configured in your tnsnames.ora file. There are no services to start or stop, and nothing in particular to install.
To access the listener using SSL you have to configure listener.ora, indicating the port and the new protocol (TCPS). Today we are only going to see how to load a .p12 certificate into our wallet.

The p12 file is a binary-format file in which the certificate (including its intermediate certificates) is saved together with the private key. The certificates and private key are protected in the file with a password.

Now that we have covered the terms, let us see how the wallet is created:

The Oracle documentation tells us that we can directly rename the file with the extension p12 to ewallet.p12 and use it, but in certain cases this causes problems. We have seen these problems in version 11, but it seems that they can also occur in 12. What we have detected is that when the wallet is opened with this file, it does not correctly show the certificate it contains. Why?

Reviewing Oracle bugs we have come across this one in particular:

Bug 10178208 : USER CERTIFICATE IS NOT VISIBLE IN OWM WITH OPENSSL CREATED WALLETS

This bug is reported in 11.1.0.7, but we have reproduced it in 11.2.0.4 as well.

There does not seem to be a simple solution other than applying the following workaround:

1. We convert the p12 wallet to jks
orapki wallet pkcs12_to_jks -wallet ewallet.p12 -jksKeyStoreLoc ewallet.jks -jksKeyStorepwd WalletPass
2. We create a new empty wallet
mkdir /home/oracle/wallet
orapki wallet create -wallet /home/oracle/wallet -pwd WalletPass

We create it with the same password as the p12 certificate to avoid problems.

3. We import in the opposite direction, from jks into the new empty wallet
orapki wallet jks_to_pkcs12 -wallet /home/oracle/wallet -pwd WalletPass -keystore ewallet.jks -jkspwd WalletPass

And that's it: we now have the wallet working with the certificate that we generated ourselves.
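
The three steps above as a single script, followed by a check that a user certificate is actually listed in the rebuilt wallet. This is an added example, not code from the original post or from Oracle. It assumes orapki is on the PATH, that the password is supplied in a WALLET_PWD variable, and that `orapki wallet display` prints the section headings shown in the constructed sample; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumes orapki is on PATH and
# WALLET_PWD holds the p12 password; function names are hypothetical.

# Constructed sample of `orapki wallet display` output for a healthy wallet.
SAMPLE_DISPLAY='Requested Certificates:
User Certificates:
Subject:        CN=db.example.test
Trusted Certificates:
Subject:        CN=Example Test CA'

# Reads `orapki wallet display` output on stdin; succeeds only if a Subject
# line is listed under "User Certificates:".
wallet_has_user_cert() {
  awk '
    /^User Certificates:/                  { in_user = 1; next }
    /^(Trusted|Requested) Certificates:/   { in_user = 0 }
    in_user && /^Subject:/                 { found = 1 }
    END                                    { exit (found ? 0 : 1) }
  '
}

# rebuild_wallet SRC_P12 NEW_WALLET_DIR
# Subshell body, so umask and variables do not leak into the caller.
rebuild_wallet() (
  src=$1; dest=$2; rc=0
  : "${WALLET_PWD:?set WALLET_PWD to the p12 password}"
  umask 077                       # wallet and keystore hold the private key
  tmp=$(mktemp -d) || exit 1
  # Steps 1-3 from the post; the intermediate JKS lives in a private temp dir.
  { orapki wallet pkcs12_to_jks -wallet "$src" \
        -jksKeyStoreLoc "$tmp/ewallet.jks" -jksKeyStorepwd "$WALLET_PWD" &&
    mkdir -p "$dest" &&
    orapki wallet create -wallet "$dest" -pwd "$WALLET_PWD" &&
    orapki wallet jks_to_pkcs12 -wallet "$dest" -pwd "$WALLET_PWD" \
        -keystore "$tmp/ewallet.jks" -jkspwd "$WALLET_PWD"; } || rc=$?
  rm -rf "$tmp"                   # the JKS is a second copy of the private key
  [ "$rc" -eq 0 ] || exit "$rc"
  # Verify the user certificate is actually visible in the new wallet.
  orapki wallet display -wallet "$dest" -pwd "$WALLET_PWD" | wallet_has_user_cert
)

# Usage: WALLET_PWD=... rebuild_wallet ewallet.p12 /home/oracle/wallet
```

Passwords given with `-pwd` are visible in the process list while orapki runs, so run this only on a host where that is acceptable.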

We hope you find it useful.

Greetings.

DBA Team.
