Introduction to Oracle Wallet

December 14, 2021

Oracle Wallet is a container that stores authentication and signing credentials; trusted certificates are also stored in the Oracle Wallet when the wallet is used for security credentials. An Oracle Wallet is a PKCS#12 (Public Key Cryptography Standards) binary file that stores the server certificate, any intermediate certificates, and the private key in one encrypted file with the extension .p12.


In this blog post, we will discuss the following topics:

1. Type of Oracle Wallet
2. Tools used to manage Oracle Wallet
3. Usage of Oracle Wallet
4. SSL/TLS certificate format

Type of Wallet

Wallets can be one of three types:

1. Password Protected
2. AutoLogin
3. AutoLogin Local

Password Protected: As the name suggests, the wallet is protected by a password, and that password is required to perform any operation on the wallet, such as open or close. Creating a password-protected wallet produces the file ewallet.p12, which actually contains our credentials and certificates.

AutoLogin: With the autologin option a password is not required to open the wallet, although the wallet itself is still protected by a password. This feature is needed so the wallet can be opened when the database or server is restarted, without someone opening it manually before the database can be accessed. An autologin wallet can be copied or transferred to another server and reused. Creating an autologin wallet produces two files, ewallet.p12 and cwallet.sso: ewallet.p12 holds your credentials and certificates, and cwallet.sso gives the wallet the ability to open without a password.

AutoLogin Local: With the AutoLogin Local option the wallet works the same way as AutoLogin but with more security, as it is bound to the server where it was created. An AutoLogin Local wallet cannot be copied or transferred for use on another server.


Tools used to manage Oracle Wallet


The wallet can be managed using the following tools:

1. orapki
2. mkstore
3. owm (Oracle Wallet Manager, GUI tool)
4. openssl

orapki: The orapki tool ships with the Oracle database and is used mainly to manage certificates and keys in a wallet. orapki can create a wallet, add a self-signed certificate, remove a certificate, and convert SSL certificates between the JKS (Java Key Store) and PKCS#12 formats. In the example below we create all three wallet types: 1. Password Protected, 2. AutoLogin, 3. AutoLogin Local.

[oracle@test-machine01 wallet_test]$ orapki
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

orapki [crl|wallet|cert|help] <-nologo>
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ orapki wallet help
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

wallet:
create [-wallet [wallet]] [[-pwd <pwd>] [-auto_login|-auto_login_local]] | [-auto_login_only]
display [-wallet [wallet]] <-summary> [-pwd <pwd>]
change_pwd [-wallet [wallet]] [-oldpwd <oldpwd>] [-newpwd <newpwd>]
add [-wallet [wallet]] <[-keysize [512|1024|2048|4096]] [-dn [dn]]>
     <-self_signed [-validity [days]] | [-valid_from [mm/dd/yyyy] -valid_until [mm/dd/yyyy]]
                   [-serial_file <file_loc>] | [-serial_num <serial_num>]> <-addext_ski>
     <[-cert [filename]] [-trusted_cert|-user_cert]> [-pwd <pwd>] | [-auto_login_only] [-sign_alg <md5|sha1|sha256|sha384|sha512>]
remove [-wallet [wallet]] [-dn [dn]] [-trusted_cert_all|-trusted_cert|-user_cert|-cert_req]
     [-pwd <pwd>] | [-auto_login_only]
export [-wallet [wallet]] [-dn [dn]] [-cert [filename] | -request [filename]] [-pwd <pwd>]
export_trust_chain [-wallet [wallet]] [-certchain [filename]] [-dn [user_cert_dn]] [-pwd <pwd>]
upload [-wallet [wallet]] [-ldap [host:port]] [-user [user]] [-userpwd [userpwd]] [-pwd <pwd>]
download [-wallet [wallet]] [-ldap [host:nonsslport]] [-user [user]] [-userpwd [userpwd]] [-pwd <pwd>]
jks_to_pkcs12 [-wallet [wallet]] [-pwd <pwd>] [-keystore [keystore]] [-jkspwd [jkspwd]]
     <-aliases [alias:alias..]>
pkcs12_to_jks [-wallet [wallet]] [-pwd <pwd>] [-jksKeyStoreLoc <jksKSloc> -jksKeyStorepwd <jksKS_pwd>]
     [-jksTrustStoreLoc <loc> -jksTrustStorepwd <pwd>]
p11_add [-wallet [wallet]] [-p11_lib <pkcs11Lib>] [-p11_tokenlabel <tokenLabel>]
     [-p11_tokenpw <tokenPassphrase>] [-p11_certlabel <certlabel>] [-pwd <pwd>]
p11_verify [-wallet [wallet]] [-pwd <pwd>]
help

[oracle@test-machine01 wallet_test]$

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 0
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ pwd
/u01/app/oracle/admin/ucas/wallet_test
[oracle@test-machine01 wallet_test]$ orapki wallet create -wallet /u01/app/oracle/admin/ucas/wallet_test  -pwd password
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

PKI-01002: Invalid password:Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters.
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ orapki wallet create -wallet /u01/app/oracle/admin/ucas/wallet_test  -pwd PassworD_#1234
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 4
-rw-------. 1 oracle oinstall 3512 Dec 13 11:16 ewallet.p12
[oracle@test-machine01 wallet_test]$

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ orapki wallet create -wallet /u01/app/oracle/admin/ucas/wallet_test -auto_login -pwd PassworD_#1234
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 8
-rw-------. 1 oracle oinstall 3512 Dec 13 11:16 ewallet.p12
-rw-------. 1 oracle oinstall 3589 Dec 13 11:19 cwallet.sso
[oracle@test-machine01 wallet_test]$

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ orapki wallet create -wallet /u01/app/oracle/admin/ucas/wallet_test -auto_login_local -pwd PassworD_#1234
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 8
-rw-------. 1 oracle oinstall 3512 Dec 13 11:16 ewallet.p12
-rw-------. 1 oracle oinstall 3589 Dec 13 11:20 cwallet.sso
[oracle@test-machine01 wallet_test]$


mkstore: The mkstore tool ships with the Oracle database and is used mainly to manage credentials and passwords in a wallet. mkstore can create a wallet and create, modify and delete credentials.

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ mkstore
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

mkstore [-wrl wrl] [-create] [-createSSO] [-createLSSO] [-createALO] [-delete] [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias] [-modifyEntry alias secret] [-deleteEntry alias] [-createCredential connect_string username password] [-listCredential] [-modifyCredential connect_string username password] [-deleteCredential connect_string] [-help] [-nologo]
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ mkstore -wrl "/u01/app/oracle/admin/ucas/wallet_test" -create
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter password:   PassworD
Enter password again:    assworD
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 8
-rw-------. 1 oracle oinstall 3512 Dec 13 11:34 ewallet.p12
-rw-------. 1 oracle oinstall 3589 Dec 13 11:34 cwallet.sso
[oracle@test-machine01 wallet_test]$


owm (Oracle Wallet Manager, GUI tool): Oracle Wallet Manager is a GUI tool. On Windows, search for a program with the keyword “Wallet Manager”; on Linux, run the owm command to start it. You can perform the same operations with owm as with orapki.


openssl: openssl is an open-source tool, so anyone who does not have an Oracle database license can use it to create and manage their own certificates. openssl can create key pairs, CSRs (Certificate Signing Requests) and self-signed certificates, and convert between SSL certificate formats such as PEM to DER, PEM to PFX, DER to PEM, PFX to PEM and PEM to .p12. Below is an example of creating a self-signed certificate using openssl.

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 0
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ openssl genrsa -out dbgurus.key 2048
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
........+++
e is 65537 (0x10001)
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 4
-rw-r--r--. 1 oracle oinstall 1675 Dec 13 12:04 dbgurus.key
[oracle@test-machine01 wallet_test]$

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ openssl req -new -key dbgurus.key -out dbgurus.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DB
State or Province Name (full name) []:INDIA
Locality Name (eg, city) [Default City]:INDIA
Organization Name (eg, company) [Default Company Ltd]:DBSGURU
Organizational Unit Name (eg, section) []:DBSGURU
Common Name (eg, your name or your server's hostname) []:test-machine01
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 12
-rw-r--r--. 1 oracle oinstall 1675 Dec 13 12:04 dbgurus.key
-rw-r--r--. 1 oracle oinstall 1009 Dec 13 12:07 dbgurus.csr
[oracle@test-machine01 wallet_test]$

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ openssl x509 -in dbgurus.csr -out dbgurus.crt -req -signkey dbgurus.key -days 365
Signature ok
subject=/C=DB/ST=INDIA/L=INDIA/O=DBSGURU/OU=DBSGURU/CN=test-machine01
Getting Private key
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 16
-rw-r--r--. 1 oracle oinstall 1675 Dec 13 12:04 dbgurus.key
-rw-r--r--. 1 oracle oinstall 1009 Dec 13 12:07 dbgurus.csr
-rw-r--r--. 1 oracle oinstall 1208 Dec 13 12:09 dbgurus.crt
[oracle@test-machine01 wallet_test]$


Usage of Oracle Wallet


Oracle Wallet is required for the following Oracle functionalities.

1. External Password Store: With this option you can store your database schema/user passwords in the Oracle Wallet and avoid hard-coding user passwords in shell scripts or in an application's database configuration file. This improves the security and management of user passwords, because you now only update passwords in the wallet and no longer need to share user passwords with the application team.

2. Store the master key for TDE (Transparent Data Encryption): Oracle Wallet is required to store the TDE master key, which is required to encrypt your datafiles.

3. Store SSL certificates for SSL/TLS-encrypted connections: Oracle Wallet is required to store the SSL certificates that are needed to enable SSL-encrypted database network connections.


SSL/TLS certificate format


To get your own SSL certificate you need to follow the steps below. In the openssl example above we created the key pair and the CSR, but since the certificate was self-signed we signed it with our own private key instead of sending the CSR to a CA (Certificate Authority) for signing.

1. Create a key pair, i.e. a public and private key
2. Create a CSR (Certificate Signing Request) based on the key pair
3. Send the CSR to a CA (Certificate Authority)
4. Receive the CA-signed certificate


The CA-signed certificate you receive can be in any of the formats below, and you can use tools like orapki and openssl to convert it into the required format. For example, if you received an SSL certificate as .pfx but Oracle Wallet requires .p12, you can use openssl or orapki to convert it.

PEM Format: PEM is the most common format in which Certificate Authorities issue certificates. PEM certificates usually have extensions such as .pem or .crt. They are Base64-encoded ASCII files containing “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines. Server certificates, intermediate certificates, and private keys can all be put into PEM format.

DER Format: The DER format is simply the binary form of a certificate, as opposed to the ASCII PEM format. It has the file extension .der.

PKCS#12/PFX Format: The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12.

JKS (Java Key Store) Format: A Java Keystore is a container for authorization certificates or public key certificates, and is often used by Java-based applications for encryption, authentication, and serving over HTTPS. JKS certificates usually have extensions such as .jks.
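As an added illustration (not code from the original post), the following Python helper tells the formats described above apart from their bytes: PEM by its BEGIN/END armor, DER X.509 and PKCS#12 by the first element inside the outer ASN.1 SEQUENCE, and JKS by its magic number. It also strips PEM armor down to DER, which is what the openssl -outform der conversion does. The sample blobs at the bottom are constructed skeletons with the right outer structure, not real certificates.

```python
import base64
import re

ASN1_SEQUENCE, ASN1_INTEGER = 0x30, 0x02
JKS_MAGIC = b"\xfe\xed\xfe\xed"          # every Java KeyStore file starts with this
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def read_tlv(buf, pos=0):
    """Decode one DER tag/length header at pos; return (tag, length, offset of the value)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short form: this byte is the length
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: the next n bytes hold the length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def identify_der(buf):
    """Classify a binary blob as DER-X509, PKCS12, JKS or UNKNOWN."""
    if buf[:4] == JKS_MAGIC:
        return "JKS"
    try:
        outer_tag, outer_len, body = read_tlv(buf)
        if outer_tag != ASN1_SEQUENCE or body + outer_len != len(buf):
            return "UNKNOWN"               # not a SEQUENCE, or declared length disagrees with size
        inner_tag = read_tlv(buf, body)[0]
    except IndexError:                     # header runs past the end of the data
        return "UNKNOWN"
    if inner_tag == ASN1_SEQUENCE:         # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "DER-X509"
    if inner_tag == ASN1_INTEGER:          # PFX ::= SEQUENCE { version INTEGER, authSafe ... }
        return "PKCS12"
    return "UNKNOWN"

def pem_to_der(pem):
    """Strip the PEM armor and base64-decode the body (what openssl x509 -outform der does)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))

def identify(data):
    """Label certificate material: PEM-X509, PEM-CSR, PEM-PRIVATE-KEY, DER-X509, PKCS12, JKS or UNKNOWN."""
    m = PEM_RE.search(data) if data.lstrip().startswith(b"-----BEGIN") else None
    if m is None:
        return identify_der(data)
    label = m.group(1).decode()
    if label.endswith("PRIVATE KEY"):      # the secret half of the key pair: keep it out of anything you ship
        return "PEM-PRIVATE-KEY"
    if label == "CERTIFICATE REQUEST":
        return "PEM-CSR"
    if label == "CERTIFICATE" and identify_der(pem_to_der(data)) == "DER-X509":
        return "PEM-X509"
    return "UNKNOWN"

# Constructed skeletons (not real certificates): outer structure is right, contents are filler.
SAMPLE_CERT_DER = b"\x30\x81\xcb\x30\x81\xc8" + b"\x00" * 200     # SEQUENCE(203) { SEQUENCE(200) }, long-form lengths
SAMPLE_PFX_DER = b"\x30\x05\x02\x01\x03\x30\x00"                  # SEQUENCE { INTEGER 3, SEQUENCE {} }
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02"                      # magic + version 2
SAMPLE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CERT_DER) + b"\n-----END CERTIFICATE-----\n"
```

A truncated or mislabelled file falls out as UNKNOWN because the declared outer length no longer matches the bytes on disk, which is a cheap sanity check before handing a received certificate to orapki.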


In the example below we use the PEM certificate created with openssl in the example above and convert it into .der and .pfx format.

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 16
-rw-r--r--. 1 oracle oinstall 1675 Dec 13 12:04 dbgurus.key
-rw-r--r--. 1 oracle oinstall 1009 Dec 13 12:07 dbgurus.csr
-rw-r--r--. 1 oracle oinstall 1208 Dec 13 13:52 dbgurus.crt
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ openssl x509 -in dbgurus.crt -outform der -out dbgurus.der
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 20
-rw-r--r--. 1 oracle oinstall 1675 Dec 13 12:04 dbgurus.key
-rw-r--r--. 1 oracle oinstall 1009 Dec 13 12:07 dbgurus.csr
-rw-r--r--. 1 oracle oinstall 1208 Dec 13 13:52 dbgurus.crt
-rw-r--r--. 1 oracle oinstall  852 Dec 13 13:52 dbgurus.der
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ openssl pkcs12 -export -out dbgurus.pfx -inkey dbgurus.key -in dbgurus.crt
Enter Export Password:
Verifying - Enter Export Password:
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 24
-rw-r--r--. 1 oracle oinstall 1675 Dec 13 12:04 dbgurus.key
-rw-r--r--. 1 oracle oinstall 1009 Dec 13 12:07 dbgurus.csr
-rw-r--r--. 1 oracle oinstall 1208 Dec 13 13:52 dbgurus.crt
-rw-r--r--. 1 oracle oinstall  852 Dec 13 13:52 dbgurus.der
-rw-r--r--. 1 oracle oinstall 2453 Dec 13 13:53 dbgurus.pfx
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$


In the example below we use the .pfx file created in the steps above, convert it into .jks, and then convert that into .p12 format.

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 24
-rw-r--r--. 1 oracle oinstall 1675 Dec 13 12:04 dbgurus.key
-rw-r--r--. 1 oracle oinstall 1009 Dec 13 12:07 dbgurus.csr
-rw-r--r--. 1 oracle oinstall 1208 Dec 13 13:52 dbgurus.crt
-rw-r--r--. 1 oracle oinstall  852 Dec 13 13:52 dbgurus.der
-rw-r--r--. 1 oracle oinstall 2453 Dec 13 13:53 dbgurus.pfx
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ orapki wallet pkcs12_to_jks -wallet dbgurus.pfx -jksKeyStoreLoc dbgurus.jks -jksKeyStorepwd PassworD_#1234
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 28
-rw-r--r--. 1 oracle oinstall 1675 Dec 13 12:04 dbgurus.key
-rw-r--r--. 1 oracle oinstall 1009 Dec 13 12:07 dbgurus.csr
-rw-r--r--. 1 oracle oinstall 1208 Dec 13 13:52 dbgurus.crt
-rw-r--r--. 1 oracle oinstall  852 Dec 13 13:52 dbgurus.der
-rw-r--r--. 1 oracle oinstall 2453 Dec 13 13:53 dbgurus.pfx
-rw-------. 1 oracle oinstall 2214 Dec 13 14:13 dbgurus.jks
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ orapki wallet create -wallet . -pwd PassworD_#1234
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 32
-rw-r--r--. 1 oracle oinstall 1675 Dec 13 12:04 dbgurus.key
-rw-r--r--. 1 oracle oinstall 1009 Dec 13 12:07 dbgurus.csr
-rw-r--r--. 1 oracle oinstall 1208 Dec 13 13:52 dbgurus.crt
-rw-r--r--. 1 oracle oinstall  852 Dec 13 13:52 dbgurus.der
-rw-r--r--. 1 oracle oinstall 2453 Dec 13 13:53 dbgurus.pfx
-rw-------. 1 oracle oinstall 2214 Dec 13 14:13 dbgurus.jks
-rw-------. 1 oracle oinstall 3512 Dec 13 14:16 ewallet.p12
[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ orapki wallet jks_to_pkcs12 -wallet . -pwd PassworD_#1234 -keystore dbgurus.jks -jkspwd PassworD_#1234
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

[oracle@test-machine01 wallet_test]$
[oracle@test-machine01 wallet_test]$ ls -ltr
total 36
-rw-r--r--. 1 oracle oinstall 1675 Dec 13 12:04 dbgurus.key
-rw-r--r--. 1 oracle oinstall 1009 Dec 13 12:07 dbgurus.csr
-rw-r--r--. 1 oracle oinstall 1208 Dec 13 13:52 dbgurus.crt
-rw-r--r--. 1 oracle oinstall  852 Dec 13 13:52 dbgurus.der
-rw-r--r--. 1 oracle oinstall 2453 Dec 13 13:53 dbgurus.pfx
-rw-------. 1 oracle oinstall 2214 Dec 13 14:13 dbgurus.jks
-rw-------. 1 oracle oinstall 7664 Dec 13 14:17 ewallet.p12
[oracle@test-machine01 wallet_test]$


This document is for learning purposes only; always validate in a LAB environment first before applying anything in a LIVE environment.





Hello and welcome to DBsGuru. I’m Jamsher Khan, working as a Senior Oracle DBA based in KSA-Jeddah. I have working experience in Oracle DBA, SQL Server, MySQL, PostgreSQL, Linux, Golden Gate and ODA. Thanks for the visit! Share, Learn, Grow!
