Oracle Wallet

SELECT WRL_TYPE,
       WRL_PARAMETER,
       STATUS
  FROM V$ENCRYPTION_WALLET

Prerequisites

Ensure WALLPATH is set
Define the DGSID array (see later)
NOTE: if you want to use different wallets (e.g. for different scripts) then you can use an alternate SQLNET.ORA by setting the TNS_ADMIN variable.
NOTE: the wallet does not have to be called "wallet". If you use a different name then make sure the SQLNET.ORA reflects the alternative name.

Wallet Management

Create Wallet

export WALLPATH=/home/${USER}/wallet

mkdir -p ${WALLPATH}

mkstore -wrl "${WALLPATH}" -create

Wallets can be copied to different machines, which can represent a security risk. In 11g Release 2, you can prevent the auto login functionality of the wallet from working if it is copied to another machine by creating a local wallet using the "orapki" command, instead of the "mkstore" command...

orapki wallet create -wallet "${WALLPATH}" -auto_login_local

NOTE: with 12.1.0.2 there appears to be a bug (22505635) that results in: "ORA-12578: TNS:wallet open failed" if an auto_login_local wallet is created with the 12.1.0.2 version of orapki. The workaround is to use the 11.2.0.4 version of orapki (if available) however in initial testing, this does not appear to work. Alternatively use -auto_login instead of -auto_login_local and use other methods to prevent the wallet being copied to another server. See: https://blog.pythian.com/oracle-secure-external-password-stores/

Delete Wallet

mkstore -wrl "${WALLPATH}" -delete

Credential Management

Create Credentials

mkstore -wrl "${WALLPATH}" -createCredential TNS_ALIAS DB_USER 

Example:

mkstore -wrl "${WALLPATH}" -createCredential ORCL1 SYS

NOTE: You can pass the password on the command line but this is discouraged as it will show up in the shell history. If you do not pass it you will be prompted for it.
NOTE: In a Data Guard environment setting up a wallet containing the SYS password for each database avoids issues with rman (e.g RMAN-06820).

View Credentials

mkstore -wrl "${WALLPATH}" -listCredential

Each entry has an "index" number that can be used in the commands below to extract more information. In the example below the index is "17".

mkstore -wrl "${WALLPATH}" -viewEntry oracle.security.client.password17

mkstore -wrl "${WALLPATH}" -viewEntry oracle.security.client.username17

mkstore -wrl "${WALLPATH}" -viewEntry oracle.security.client.connect_string17

Modify Credentials

mkstore -wrl "${WALLPATH}" -modifyCredential TNS_ALIAS DB_USER 

Delete Credentials

mkstore -wrl "${WALLPATH}" -deleteCredential TNS_ALIAS


Credentials for Data Guard Broker

Linux (bash)

DGSID=('ORCL1' 'ORCL2')

AIX (ksh)

set -A DGSID ORCL1 ORCL2

Before Data Guard Broker is configured...

for SID in ${DGSID[@]}
do
  mkstore -wrl "${WALLPATH}" -createCredential ${SID} SYS
done

You will be prompted for the SYS password and the Wallet password for each entry

After Data Guard Broker is configured...

For dgmgrl we need to use the "StaticConnectIdentifier" in place of the TNS_ALIAS...

Note that these steps will not work until the Broker has been enabled

for SID in ${DGSID[@]}
do
  dgm="'show database ${SID} StaticConnectIdentifier'"
  crd=$(echo ${dgm} | xargs dgmgrl -silent /@${SID} | tail -1 | awk '{ print substr($3,2,length($3)-2) }' )
  mkstore -wrl "${WALLPATH}" -createCredential ${crd} SYS
done

You will be prompted for the SYS password and the Wallet password for each entry

When the SYS password changes you should do this...

for SID in ${DGSID[@]}
do
  echo ${SID}
  mkstore -wrl "${WALLPATH}" -modifyCredential ${SID} SYS
  dgm="'show database ${SID} StaticConnectIdentifier'"
  echo ${dgm}
  crd=$(echo ${dgm} | xargs dgmgrl -silent /@${SID} | tail -1 | awk '{ print substr($3,2,length($3)-2) }' )
  mkstore -wrl "${WALLPATH}" -modifyCredential ${crd} SYS
done

You will be prompted for the SYS password and the Wallet password for each entry

Backout

To remove these entries from the Wallet you can use...

for SID in ${DGSID[@]}
do
  dgm="'show database ${SID} StaticConnectIdentifier'"
  crd=$(echo ${dgm} | xargs dgmgrl -silent /@${SID} | tail -1 | awk '{ print substr($3,2,length($3)-2) }' )
  mkstore -wrl "${WALLPATH}" -deleteCredential ${crd}
done

NOTE: In 11.2.0.3 the Wallet needs to contain the identifier containing _DGB (not _DGMGRL) e.g.(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1524))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=orcl4_DGB)(INSTANCE_NAME=ORCL4)))
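The identifier extraction used in the broker loops above, as an added example (not from the original page): the same tail/awk pipeline is run over a constructed line of dgmgrl output, the SERVICE_NAME is pulled out of the resulting connect descriptor, and the service suffix is classified as _DGB or _DGMGRL so the 11.2.0.3 note can be checked before the credential is stored. The sample output line and the helper names are assumptions, not anything captured from a real broker.

```shell
# Constructed sample of the last line printed by
#   dgmgrl -silent /@ORCL4 'show database ORCL4 StaticConnectIdentifier'
# (not captured from a real system; field 3 is the quoted descriptor).
SAMPLE_DGMGRL_OUTPUT="  StaticConnectIdentifier = '(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1524))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=orcl4_DGMGRL)(INSTANCE_NAME=ORCL4)))'"

# Read dgmgrl output on stdin and print the StaticConnectIdentifier without
# its surrounding single quotes. Same logic as the loops on this page.
extract_static_connect_identifier() {
    tail -1 | awk '{ print substr($3,2,length($3)-2) }'
}

# Print the SERVICE_NAME embedded in a connect descriptor (empty if absent).
service_name_of() {
    printf '%s\n' "$1" | sed -n 's/.*(SERVICE_NAME=\([^)]*\)).*/\1/p'
}

# Classify the broker service suffix of a connect descriptor:
# DGB, DGMGRL or NONE. 11.2.0.3 expects the _DGB form in the wallet.
broker_suffix() {
    case "$(service_name_of "$1")" in
        *_DGB)    echo DGB ;;
        *_DGMGRL) echo DGMGRL ;;
        *)        echo NONE ;;
    esac
}

# Stand-alone run: extract, then report the suffix.
crd=$(printf '%s\n' "$SAMPLE_DGMGRL_OUTPUT" | extract_static_connect_identifier)
echo "identifier: $crd"
echo "suffix:     $(broker_suffix "$crd")"
```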

Certificate Management

Display Certificates

orapki wallet display -wallet ${WALLPATH}

Display Certificate Details

orapki wallet export -wallet ${WALLPATH} -dn 'fromDisplayCertSubject' -cert /tmp/DCGR.txt 

orapki cert display -cert /tmp/DCGR.txt -complete

or, for summary information...

orapki cert display -cert /tmp/DCGR.txt -summary

Load Key

orapki wallet import_private_key -wallet ${WALLPATH} -pvtkeyfile "privatekey.der"

Add a Certificate

Identity Certificate: the certificate of the server that the client (web client for OHS, LDAP client for OID/OVD) connects to. To import it into the wallet, you must use the option -user_cert.
Trust Certificate: the certificate of the Certificate Authority (CA) that issued the Identity Certificate. There could be multiple CAs in the chain that issued the certificate. When you import a Trust Certificate into the wallet, you must use the option -trusted_cert. If there are multiple CAs in the certificate chain then you must import all the CAs' certificates with the option -trusted_cert.

orapki wallet add -wallet ${WALLPATH} -trusted_cert -cert "certificate.der"

Self-Signed SSL Certificate

WALLPATH assumed to be set in .profile

WALLPWD="password"

CN="hostname"

OU="dept"

O="Company"

L="City"

ST="County"

C="2 character country code"

orapki wallet create -wallet "${WALLPATH}" -auto_login

orapki wallet add -wallet "${WALLPATH}" -pwd "${WALLPWD}" -dn "CN=${CN}, OU=${OU}, O=${O}, L=${L}, ST=${ST}, C=${C}" -keysize 2048 -self_signed -validity 3650

Chain of Trust

Sometimes it's not enough to just load an Identity Certificate into an Oracle Wallet. It's likely that you will need to load some Trust certificates to complete the "chain of trust" required for the Identity Certificate to work. These Trust certificates are also referred to as Root certificates and Intermediate Certificates. A Root certificate is mandatory. Intermediate Certificates may or may not be required, dependent on how the Certificate Authority created the Identity Certificate.

If you have a PKCS#12 keystore it may contain all the Trust certificates required. Sometimes though it may be assumed you already have the Trust certificates since many of them are built-in to popular browsers. If you find that you are loading Identity Certificates into something like Oracle Wallet where the Trust certificates may not exist and they are not included in your PKCS#12 keystore file (e.g. a .pfx file) then you can export the Root and Intermediate certificates from Windows and transfer them to your target server for loading into Oracle Wallet (or similar).


See also: The command "orapki wallet jks_to_pkcs12" fails with "No self-signed cert in chain" exception (Doc ID 1954053.1)

First, import your Identity Certificate (it makes it easier to identify the chain of trust)...

At a Windows command prompt (or in Search)...

Now export the chain of trust...

Copy all the files you just exported to your target server and load into Oracle Wallet (remembering to use -user_cert and -trusted_cert appropriately).

Licensing

An Oracle Wallet is a PKCS#12 container used to store authentication and encryption keys. The Oracle database secure external password store feature stores passwords in an Oracle Wallet for password-based authentication to the Oracle database. The Oracle Wallet may also be used to store credentials for PKI authentication to the Oracle Database, configuration of network encryption (SSL/TLS), and Oracle Advanced Security transparent data encryption (TDE) master encryption keys. Strong authentication services (Kerberos, PKI, and RADIUS) and network encryption (native network encryption and SSL/TLS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

Oracle® Database Licensing Information 11g Release 2 (11.2)

Oracle Wallet / OpenSSL

An Oracle Wallet is actually just a PKCS#12 Keystore with a fixed name of ewallet.p12. As such it is possible to create an Oracle Wallet file without using the Oracle tools...

openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt -chain -CAfile caCert.crt -passout pass:passout

Where passout is the password for the newly created wallet.
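An added example (not from the original page) that exercises the openssl route above end to end: it creates a throwaway CA and a server certificate signed by it, packs key, certificate and CA into ewallet.p12 with the same "openssl pkcs12 -export ... -chain -CAfile" command, restricts the file's permissions (the wallet holds the private key), and counts the certificates inside to confirm the chain was actually included. The function names, directory layout and certificate subjects are constructed for the example.

```shell
# Build ewallet.p12 from an OpenSSL-generated key, server cert and CA.
# $1 = working directory, $2 = wallet (passout) password.
make_wallet_from_openssl() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    # Constructed test CA; not a real authority.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/caCert.crt" -subj "/CN=Example Test CA" -days 365 >/dev/null 2>&1
    # Server key and CSR (the server.key / server.crt of the page's command).
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=dbhost.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/caCert.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 365 >/dev/null 2>&1
    # Same export as on the page: -chain pulls the issuing CA in via -CAfile.
    openssl pkcs12 -export -out "$dir/ewallet.p12" -inkey "$dir/server.key" \
        -in "$dir/server.crt" -chain -CAfile "$dir/caCert.crt" -passout "pass:$pass"
    # The wallet contains the private key: owner-only access.
    chmod 600 "$dir/ewallet.p12"
}

# Count certificates stored in a wallet; server + CA gives 2 for this setup.
# $1 = path to ewallet.p12, $2 = wallet password.
wallet_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
```

A count below the expected chain length means the CA file did not verify the server certificate and the wallet would be missing its Trust certificates.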

Bibliography