Thursday, July 8, 2021

ORAPKI commands, oracle wallets ,OHS certificate import export update

Oracle wallets are used to store SSL certificates for products such as OID, OVD and OHS. Think of a wallet as a combination of a keystore and a truststore: it holds both the identity (termed the 'User certificate', together with its private key) and the trusted CA certificates. ORAPKI is the command-line utility Oracle provides to manage public key infrastructure (PKI) elements such as wallets. It lives under MIDDLEWARE_HOME/oracle_common/bin.

**The other way is to use the EM console for OID or OVD, or the Oracle Wallet Manager (OWM) tool; I'll have to check it after this** SSL for OID and SSL for OVD.

The syntax for orapki is :

orapki module command -parameter value

module is the object you're working with : wallet (Oracle wallet), crl (certificate revocation list) or cert (PKI digital certificate).

Display a wallet :

./orapki wallet display -wallet /app/Oracle/Middleware/wallet-wam.xxx.com-2017

This gives output such as :

User Certificates:
Subject: CN=XXX.XXX.com,OU=TRC,O=XXX.,L=,ST=LA,C=IT
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=XXX-SUBCA,DC=xxxnet,DC=xxx,DC=intranet

Display a certificate :

orapki cert display -cert certificate_location -summary | -complete

(-summary for brief info, -complete for the full certificate.)

Export a cert from a wallet :

orapki wallet export -wallet wallet_location -dn certificate_dn -cert certificate_filename

./orapki wallet export -wallet /apps/Oracle/Middleware/wallet-abc.xxx.com -dn "CN=XXX-SUBCA,DC=xxxnet,DC=xxx,DC=intranet" -cert /apps/Oracle/Middleware/NEW_CERTNAME.cer

Note that -cert exports only the public certificate; the private key never leaves the wallet this way.

ERRORS :

PKI-04006 : No matching private key in the wallet.
Cause: Attempted to install a user certificate, but no matching private key was found in the wallet.
Action: Make sure that the user certificate is being installed to the wallet where the certificate request was created.

We cannot export a user certificate and add it to another wallet as a user certificate, because the certificate request (and so the private key) was not generated in the second wallet.

PKI-02008 : Unable to modify a read-only Auto-login wallet.
Cause: Attempted to update a read-only Auto-login wallet.
Action: Specify the associated Password-protected wallet.

For this error, use the -pwd option with the password in the add command itself; if you don't, you'll be prompted for the password, but it still won't work. The auto-login file (cwallet.sso) is derived from the password-protected wallet (ewallet.p12) in the same directory, and it is the latter that -pwd unlocks. Keep in mind that a password given on the command line is visible in the process list and in the shell history.

If you don't already have a wallet, or just want to create a new one :

STEP 1 : Create a wallet :

./orapki wallet create -wallet /apps/Oracle/Middleware/wallet-abc.xxx.com/ -pwd xxx123 -auto_login

This command creates a wallet with auto-login enabled; it can also be used to enable auto-login on an existing wallet. If wallet_location already contains a wallet, auto-login is enabled for it. To disable the auto-login feature, delete cwallet.sso.

STEP 2 : Add a certificate request to the wallet :

orapki wallet add -wallet wallet_location -dn user_dn -keySize 512|1024|2048

./orapki wallet add -wallet /apps/Oracle/Middleware/wallet-wam.xxx.com-2017/ -dn "CN=abc.xxx.com,OU=ICT,O=xxx S.p.A.,L=San Donato Milanese,ST=Milano,C=IT" -pwd ***123 -keysize 2048 -validity 1024

Use 2048 bits: 512- and 1024-bit RSA keys are too weak for anything a CA will still sign.

STEP 3 : Export the certificate request and share it with your CA to get a certificate issued :

orapki wallet export -wallet wallet_location -dn certificate_request_dn -request certificate_request_filename

./orapki wallet export -wallet /apps/Oracle/Middleware/wallet-wam.xxx.com-2017/ -dn "CN=wam.xxx.com,OU=ICT,O=xxx S.p.A.,L=San Donato Milanese,ST=Milano,C=IT" -request /apps/Oracle/Middleware/wallet-wam.xxx.com-2017/wam.xxx.com.csr

STEP 4 : Add the trusted certificates to the wallet (all of them, root and intermediates, before the user certificate) :

orapki wallet add -wallet wallet_location -trusted_cert -cert certificate_location

./orapki wallet add -wallet /apps/Oracle/Middleware/wallet-wam.xxx.com-2017/ -trusted_cert -cert /apps/Oracle/Middleware/wallet-wam.xxx.com-2017/xxx_SUBCA.cer -pwd xxx123

STEP 5 : Add the user certificate issued by the CA :

orapki wallet add -wallet wallet_location -user_cert -cert certificate_location

./orapki wallet add -wallet /apps/Oracle/Middleware/wallet-wam.xxx.com-2017/ -user_cert -cert /apps/Oracle/Middleware/wallet-wam.xxx.com-2017/wam.cer -pwd xxx123

To add a root certificate (a self-signed certificate) to an Oracle wallet :

orapki wallet add -wallet wallet_location -dn certificate_dn -keySize 512|1024|2048 -self_signed -validity number_of_days

Since I was working with OHS, the way to find the wallet is : go to /Middleware_HOME/Oracle_WT1/instances/instance1/config/OHS/password_host1, open ssl.conf and look for the SSLWallet entry.

As always, thanks for reading !

References :
http://bitoshok-das.blogspot.com/2019/07/orapki-commands-oracle-wallets-ohs_24.html
http://h2hdba.blogspot.com/2016/11/managing-oracle-wallets-and.html
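As an added example (not code from the original post), the POSIX shell script below ties the steps above together: it locates the wallet from the SSLWallet directive in the OHS ssl.conf (including the ${ORACLE_INSTANCE}-style placeholders OHS writes there), wraps the request and import steps with the password passed explicitly so the auto-login wallet error does not bite, and, before the -user_cert import, checks that the issued certificate carries the public key of the CSR generated in this wallet, which is the condition behind PKI-04006. The ORAPKI path, wallet paths, DN, password and the ssl.conf content are assumptions or constructed samples; the orapki wrapper functions are defined but not executed, since they need a real orapki binary and CA-issued certificates.

```shell
#!/bin/sh
# Added example: helpers around the ORAPKI workflow described in the post.
# Assumption: ORAPKI points at MIDDLEWARE_HOME/oracle_common/bin/orapki.
ORAPKI="${ORAPKI:-${MIDDLEWARE_HOME:-/apps/Oracle/Middleware}/oracle_common/bin/orapki}"

# Print the first active SSLWallet value from an OHS ssl.conf, quotes stripped.
# A commented-out "#SSLWallet" line is skipped because its first field is "#SSLWallet".
find_ohs_wallet() {
    awk 'tolower($1) == "sslwallet" { p = $2; gsub(/"/, "", p); print p; exit }' "$1"
}

# OHS writes ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/... into
# ssl.conf; expand those three placeholders from the environment so the result can be
# handed straight to orapki.
expand_ohs_vars() {
    printf '%s\n' "$1" | sed \
        -e "s|[$]{ORACLE_INSTANCE}|${ORACLE_INSTANCE:-}|g" \
        -e "s|[$]{COMPONENT_TYPE}|${COMPONENT_TYPE:-}|g" \
        -e "s|[$]{COMPONENT_NAME}|${COMPONENT_NAME:-}|g"
}

# Pre-flight check for "orapki wallet add -user_cert": the issued certificate must carry
# the public key from the CSR generated in this wallet, otherwise orapki fails with
# PKI-04006 (no matching private key). Needs openssl; returns 0 on a match.
csr_matches_cert() {
    csr_key=$(openssl req -in "$1" -noout -pubkey) || return 2
    cert_key=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$csr_key" = "$cert_key" ]
}

# Steps 1-3: create an auto-login wallet, add the request, export the CSR for the CA.
# -pwd is passed to every call so the password-protected wallet (ewallet.p12) is updated,
# not just the read-only cwallet.sso. Note that -pwd is visible in ps and shell history.
wallet_request() {
    wallet=$1; dn=$2; wpwd=$3
    "$ORAPKI" wallet create -wallet "$wallet" -pwd "$wpwd" -auto_login
    "$ORAPKI" wallet add -wallet "$wallet" -dn "$dn" -keysize 2048 -pwd "$wpwd"
    "$ORAPKI" wallet export -wallet "$wallet" -dn "$dn" -request "$wallet/request.csr" -pwd "$wpwd"
    echo "send $wallet/request.csr to the CA, then run wallet_import" >&2
}

# Steps 4-5: trusted certificates first, in chain order (root, then intermediates),
# then the user certificate, but only if it matches the CSR from this wallet.
# Usage: wallet_import WALLET PASSWORD USER_CERT ROOT_CA [INTERMEDIATE_CA ...]
wallet_import() {
    wallet=$1; wpwd=$2; user_cert=$3
    shift 3
    for ca in "$@"; do
        "$ORAPKI" wallet add -wallet "$wallet" -trusted_cert -cert "$ca" -pwd "$wpwd"
    done
    csr_matches_cert "$wallet/request.csr" "$user_cert" || {
        echo "$user_cert does not match $wallet/request.csr; import would fail with PKI-04006" >&2
        return 1
    }
    "$ORAPKI" wallet add -wallet "$wallet" -user_cert -cert "$user_cert" -pwd "$wpwd"
    "$ORAPKI" wallet display -wallet "$wallet" -pwd "$wpwd"
}

# Constructed ssl.conf fragment in the shape OHS 11g writes (sample data, not a real file).
make_sample_ssl_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# ssl.conf (constructed sample)
Listen 4443
<VirtualHost *:4443>
   SSLEngine on
   #SSLWallet "/apps/Oracle/Middleware/old-wallet"
   SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
</VirtualHost>
EOF
    printf '%s\n' "$f"
}

# Offline demo: locate and resolve the wallet directory from the constructed ssl.conf.
conf=$(make_sample_ssl_conf)
raw=$(find_ohs_wallet "$conf")
ORACLE_INSTANCE=/apps/Oracle/Middleware/Oracle_WT1/instances/instance1
COMPONENT_TYPE=OHS
COMPONENT_NAME=ohs1
echo "SSLWallet directive : $raw"
echo "Resolved wallet dir : $(expand_ohs_vars "$raw")"
rm -f "$conf"
```

Once the wallet directory is resolved, `"$ORAPKI" wallet display -wallet "$(expand_ohs_vars "$raw")"` lists the user and trusted certificates the OHS instance actually serves, which is the quickest way to confirm that a renewal went into the wallet ssl.conf points at and not a stale copy.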
