SELECT WRL_TYPE,
WRL_PARAMETER,
STATUS
FROM V$ENCRYPTION_WALLET
export WALLPATH=/home/${USER}/wallet
mkdir -p ${WALLPATH}
mkstore -wrl "${WALLPATH}" -create
Wallets can be copied to different machines, which can represent a security risk. In 11g Release 2, you can prevent the auto login functionality of the wallet from working if it is copied to another machine by creating a local wallet using the "orapki" command, instead of the "mkstore" command...
orapki wallet create -wallet "${WALLPATH}" -auto_login_local
mkstore -wrl "${WALLPATH}" -delete
mkstore -wrl "${WALLPATH}" -createCredential TNS_ALIAS DB_USER
Example:
mkstore -wrl "${WALLPATH}" -createCredential ORCL1 SYS
mkstore -wrl "${WALLPATH}" -listCredential
mkstore -wrl "${WALLPATH}" -viewEntry oracle.security.client.password17
mkstore -wrl "${WALLPATH}" -viewEntry oracle.security.client.username17
mkstore -wrl "${WALLPATH}" -viewEntry oracle.security.client.connect_string17
mkstore -wrl "${WALLPATH}" -modifyCredential TNS_ALIAS DB_USER
mkstore -wrl "${WALLPATH}" -deleteCredential TNS_ALIAS
Linux (bash)
DGSID=('ORCL1' 'ORCL2')
AIX (ksh)
set -A DGSID ORCL1 ORCL2
Before Data Guard Broker is configured...
for SID in ${DGSID[@]}
do
mkstore -wrl ${WALLPATH} -createCredential ${SID} SYS
done
You will be prompted for the SYS password and the Wallet password for each entry.
After Data Guard Broker is configured...
For dgmgrl we need to use the "StaticConnectIdentifier" in place of the TNS_ALIAS...
Note that these steps will not work until the Broker has been enabled.
for SID in ${DGSID[@]}
do
dgm="'show database ${SID} StaticConnectIdentifier'"
crd=$(echo ${dgm} | xargs dgmgrl -silent /@${SID} | tail -1 | awk '{ print substr($3,2,length($3)-2) }' )
mkstore -wrl ${WALLPATH} -createCredential ${crd} SYS
done
You will be prompted for the SYS password and the Wallet password for each entry.
When the SYS password changes you should do this...
for SID in ${DGSID[@]}
do
echo ${SID}
mkstore -wrl ${WALLPATH} -modifyCredential ${SID} SYS
dgm="'show database ${SID} StaticConnectIdentifier'"
echo ${dgm}
crd=$(echo ${dgm} | xargs dgmgrl -silent /@${SID} | tail -1 | awk '{ print substr($3,2,length($3)-2) }' )
mkstore -wrl ${WALLPATH} -modifyCredential ${crd} SYS
done
You will be prompted for the SYS password and the Wallet password for each entry.
To remove these entries from the Wallet you can use...
for SID in ${DGSID[@]}
do
dgm="'show database ${SID} StaticConnectIdentifier'"
crd=$(echo ${dgm} | xargs dgmgrl -silent /@${SID} | tail -1 | awk '{ print substr($3,2,length($3)-2) }' )
mkstore -wrl ${WALLPATH} -deleteCredential ${crd}
done
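The Broker loops above pipe whatever dgmgrl prints straight into mkstore, so an error line (Broker not yet enabled) would be stored as the TNS alias. The following POSIX sh snippet is an added example, not code from the original page: it parses the StaticConnectIdentifier the way the awk substr() does and rejects output that has no identifier; the dgmgrl output is constructed sample text and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): parse the StaticConnectIdentifier
# out of dgmgrl output before handing it to mkstore, and fail cleanly when the
# Broker is not yet enabled. Function names are hypothetical; the dgmgrl output
# below is constructed sample text, not captured from a real system.

# Constructed: what dgmgrl prints for a configured database
SAMPLE_OK="  StaticConnectIdentifier = '(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbhost1)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=ORCL1_DGMGRL)(INSTANCE_NAME=ORCL1)(SERVER=DEDICATED)))'"

# Constructed: the kind of line you get back before the Broker is enabled
SAMPLE_ERR="ORA-16525: the Data Guard broker is not yet available"

# static_connect_id OUTPUT
#   Prints the identifier without its surrounding single quotes (what the awk
#   substr() in the loops above does), or prints nothing and returns 1 when
#   no StaticConnectIdentifier line is present (e.g. an ORA- error instead).
static_connect_id() {
    val=$(printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*StaticConnectIdentifier[[:space:]]*=[[:space:]]*'\(.*\)'[[:space:]]*$/\1/p" \
        | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# add_broker_credential SID
#   Real use: query the Broker for one SID and create the wallet entry only if
#   the identifier could be parsed. Not run here because it needs dgmgrl/mkstore.
add_broker_credential() {
    out=$(dgmgrl -silent "/@$1" "show database $1 StaticConnectIdentifier")
    if crd=$(static_connect_id "$out"); then
        mkstore -wrl "${WALLPATH}" -createCredential "${crd}" SYS
    else
        echo "Broker not available for $1, no credential created: ${out}" >&2
        return 1
    fi
}

static_connect_id "$SAMPLE_OK"
static_connect_id "$SAMPLE_ERR" || echo "sample error line correctly rejected" >&2
```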
orapki wallet display -wallet ${WALLPATH}
orapki wallet export -wallet ${WALLPATH} -dn 'fromDisplayCertSubject' -cert /tmp/DCGR.txt
orapki cert display -cert /tmp/DCGR.txt -complete
or, for summary information...
orapki cert display -cert /tmp/DCGR.txt -summary
orapki wallet import_private_key -wallet ${WALLPATH} -pvtkeyfile "privatekey.der"
orapki wallet add -wallet ${WALLPATH} -trusted_cert -cert "certificate.der"
WALLPATH assumed to be set in .profile
WALLPWD="password"
CN="hostname"
OU="dept"
O="Company"
L="City"
ST="County"
C="2 character country code"
orapki wallet create -wallet "${WALLPATH}" -auto_login
orapki wallet add -wallet "${WALLPATH}" -pwd ${WALLPWD} -dn "CN=${CN}, OU=${OU}, O=${O}, L=${L}, ST=${ST}, C=${C}" -keysize 2048 -self_signed -validity 3650
Sometimes it's not enough to just load an Identity Certificate into an Oracle Wallet. It's likely that you will need to load some Trust certificates to complete the "chain of trust" required for the Identity Certificate to work. These Trust certificates are also referred to as Root certificates and Intermediate Certificates. A Root certificate is mandatory. Intermediate Certificates may or may not be required, dependent on how the Certificate Authority created the Identity Certificate.
If you have a PKCS#12 keystore it may contain all the Trust certificates required. Sometimes though it may be assumed you already have the Trust certificates since many of them are built-in to popular browsers. If you find that you are loading Identity Certificates into something like Oracle Wallet where the Trust certificates may not exist and they are not included in your PKCS#12 keystore file (e.g. a .pfx file) then you can export the Root and Intermediate certificates from Windows and transfer them to your target server for loading into Oracle Wallet (or similar).
First, import your Identity Certificate (it makes it easier to identify the chain of trust)...
At a Windows command prompt (or in Search)...
Type mmc to launch the Microsoft Management Console.
Go to File > Add / Remove Snap In
Double Click Certificates
Select Computer Account.
Select Local Computer > Finish
Click OK to exit the Snap-In window.
Click [+] next to Certificates > Personal > Certificates
Right click on Certificates and select All Tasks > Import
Click Next
Click Browse
Select the .cer, .crt, or .pfx you would like to import. Click Open.
Click Next
Select Automatically select the certificate store based on the type of certificate.
Click Finish & OK
Now export the chain of trust...
Right click on the personal certificate which you want to export.
Choose All tasks and then Export.
Choose Next.
Choose No, do not export the private key and Next.
Choose DER encoded binary and Next.
Specify a file name and choose Next.
Check the summary and choose Finish.
Right click on the certificate that you have just exported.
Choose Open.
Choose the tab Certification Path.
Repeat the next steps for each certificate above your own certificate:
Click on intermediate certificate.
Click on View Certificate.
Click on tab Details.
Click on the button Copy to File....
Run through the wizard again and save this certificate as a DER encoded file.
Copy all the files you just exported to your target server and load into Oracle Wallet (remembering to use -user_cert and -trusted_cert appropriately).
An Oracle Wallet is a PKCS#12 container used to store authentication and encryption keys. The Oracle database secure external password store feature stores passwords in an Oracle Wallet for password-based authentication to the Oracle database. The Oracle Wallet may also be used to store credentials for PKI authentication to the Oracle Database, configuration of network encryption (SSL/TLS), and Oracle Advanced Security transparent data encryption (TDE) master encryption keys. Strong authentication services (Kerberos, PKI, and RADIUS) and network encryption (native network encryption and SSL/TLS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.
Oracle® Database Licensing Information 11g Release 2 (11.2)
An Oracle Wallet is actually just a PKCS#12 Keystore with a fixed name of ewallet.p12. As such it is possible to create an Oracle Wallet file without using the Oracle tools...
openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt -chain -CAfile caCert.crt -passout pass:passout
Where passout is the password for the newly created wallet
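As an added example (not from the original page), the script below runs the same openssl export but first checks that server.crt really chains to the CA file, then reads the finished container back and counts the certificates in it. The CA and server certificate are throw-away test material generated on the spot; all names and the password are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): build ewallet.p12 with openssl as
# in the one-liner above, but verify the chain first (an incomplete chain is the
# usual reason a wallet "does not work") and inspect what landed in the file.
# The CA and server certificate are throw-away test material generated here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throw-away CA and a server certificate it signs (test material only)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout caCert.key -out caCert.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=dbhost.example.test" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA caCert.crt -CAkey caCert.key \
    -CAcreateserial -days 1 -out server.crt 2>/dev/null

# build_wallet: refuse to export unless the chain verifies, so the wallet is
# never created with a missing Root or Intermediate certificate.
build_wallet() {
    openssl verify -CAfile caCert.crt server.crt >/dev/null || return 1
    openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt \
        -chain -CAfile caCert.crt -passout pass:passout
}

# wallet_cert_count: certificates inside the wallet (identity plus chain),
# read back with the wallet password as an orapki-independent sanity check.
wallet_cert_count() {
    openssl pkcs12 -in ewallet.p12 -nokeys -passin pass:passout 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

build_wallet
echo "certificates in ewallet.p12: $(wallet_cert_count)"
```

Still confirm the result on the target with orapki wallet display: openssl reading the file only proves the PKCS#12 container is well formed, and older orapki releases are known not to accept the PBES2/AES encoding that OpenSSL 3 writes by default (re-export with -legacy in that case).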