SSL / Wallets in OID/OHS: How to manage certificates in a Wallet from the command line using orapki

I have already discussed SSL basics in WebLogic (Certifying Authority and Certificate), and configuring SSL for OID and SSL for OVD using the Fusion Middleware Control (EM) graphical user interface (GUI).

What if EM doesn't work, or you did not select Enterprise Manager during WebLogic Domain creation?

or

You are not allowed to use a GUI like EM to configure or manage SSL in Oracle.

If you are in a situation like me where a GUI is not an option and only the Command Line Interface (CLI) is allowed, then you can use the orapki utility to manage certificates in the wallet for OID.

Similar to the keystore in WebLogic, Oracle components managed by OPMN, like Oracle Internet Directory (OID), Oracle HTTP Server (OHS) and Oracle Virtual Directory (OVD), store their SSL certificates (both the Identity and the Trust certificates) in a wallet.

In this post I am going to show how to create a wallet, create a Certificate Signing Request (CSR) and import certificates (Identity and Trust).

First, some terminology:

  • Wallet: the store that keeps certificates, both Identity (the certificate issued to the OID/OHS/OVD server) and Trust (the certificate of the Certifying Authority that issued it). A wallet can be protected by a password (option -pwd) or be auto-login only (option -auto_login_only). An auto-login-only wallet has no password-protected ewallet.p12, only the obfuscated cwallet.sso, so anyone who can read that file can use the private key; restrict its file permissions to the OS user that runs OPMN.
  • Identity Certificate: the certificate of the server that clients (web clients for OHS, LDAP clients for OID/OVD) connect to. When you import the Identity Certificate into the wallet, you must use the option -user_cert.
  • Trust Certificate: the certificate of the Certifying Authority (CA) that issued the Identity Certificate. There can be several CAs in the chain that issued the certificate. When you import a Trust Certificate into the wallet, you must use the option -trusted_cert; if there are multiple CAs in the chain, you must import every CA certificate with -trusted_cert, one orapki call per certificate. Import the chain before the Identity Certificate: orapki rejects a -user_cert import when the issuing CA is not already in the wallet.
  • orapki: the utility to manage (create, import, export) certificates and wallets. orapki is under MIDDLEWARE_HOME/oracle_common/bin.

 

1. To create a wallet

orapki wallet create -wallet [wallet_location]

orapki wallet create -wallet /u01/app/oracle/admin/oid_inst1/OID/admin/myWalletDir

Without further options orapki prompts for a wallet password. If you instead create the wallet with -auto_login_only, you must pass -auto_login_only on every later orapki command against it (as in steps 3 and 4 below); for a password-protected wallet, pass -pwd [password] instead.

2. To display certificates in a wallet

orapki wallet display -wallet [wallet_location]

orapki wallet display -wallet /u01/app/oracle/admin/oid_inst1/OID/admin/myWalletDir

Note:

  • "Requested Certificates" contains the details of Certificate Signing Requests that are not yet signed.
  • "User Certificates" contains the signed certificate for the identity, aka the Identity Certificate.
  • "Trusted Certificates" contains the certificates of the Signing Authority (aka Certifying Authority, CA). These certificates are also called Trust Certificates or Root/Intermediate Certificates.
  • By default, when you create a wallet, you get four CA certificates.

3. To add a trusted certificate to an Oracle wallet:

orapki wallet add -wallet wallet_location -cert certificate_location -trusted_cert -auto_login_only

4. To add a user certificate to an Oracle wallet:

orapki wallet add -wallet wallet_location -cert certificate_location -user_cert -auto_login_only
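The steps above, put together as one script, as an added example that is not part of the original post or of Oracle's tooling. It wraps the orapki commands in shell functions in the order a CA-issued certificate actually requires (create wallet, generate the CSR, import every CA in the chain, then the identity certificate, then display), and adds the one piece of glue the post leaves out: a CA usually returns the chain as a single PEM bundle, while orapki takes one -trusted_cert per call, so the bundle is split first. Assumptions: orapki is on PATH or named in $ORAPKI; the wallet is auto-login only, as in the post's commands; the example wallet path, DN and file names are placeholders; the two-certificate bundle written by write_sample_bundle is constructed and not a real chain. Set ORAPKI=echo to dry-run and see the exact command lines without touching a wallet.

```shell
#!/bin/sh
# Added example (not from the original post). Drives the orapki wallet procedure
# as functions; set ORAPKI=echo for a dry run. Assumes an auto-login-only wallet.
set -u

ORAPKI="${ORAPKI:-orapki}"

# Split a PEM bundle into one file per certificate (prefix.1.pem, prefix.2.pem, ...)
# because orapki imports a single -trusted_cert per call. Prints the number found.
split_chain() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "." n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$1"
}

# Step 1: create an auto-login-only wallet (cwallet.sso only, no password prompt).
create_wallet() {
    mkdir -p "$1"
    "$ORAPKI" wallet create -wallet "$1" -auto_login_only
}

# Step 2: generate a key pair plus CSR inside the wallet, then export the CSR for
# the CA. The same DN must be used for both calls, and it must be the subject the
# CA signs, or the later -user_cert import will not match the pending request.
request_cert() {
    wallet="$1"; dn="$2"; csr_out="$3"
    "$ORAPKI" wallet add -wallet "$wallet" -dn "$dn" -keysize 2048 -auto_login_only
    "$ORAPKI" wallet export -wallet "$wallet" -dn "$dn" -request "$csr_out" -auto_login_only
}

# Step 3: import every CA certificate in the chain as a trusted cert. All of them
# must be in the wallet BEFORE the identity certificate is imported.
import_chain() {
    wallet="$1"; bundle="$2"; prefix="${3:-/tmp/chain.$$}"
    count=$(split_chain "$bundle" "$prefix")
    i=1
    while [ "$i" -le "$count" ]; do
        "$ORAPKI" wallet add -wallet "$wallet" -cert "$prefix.$i.pem" -trusted_cert -auto_login_only
        i=$((i + 1))
    done
}

# Step 4: import the signed identity certificate returned by the CA.
import_identity() {
    "$ORAPKI" wallet add -wallet "$1" -cert "$2" -user_cert -auto_login_only
}

# Step 5: verify. Expect the cert under "User Certificates" and the CAs under
# "Trusted Certificates"; a leftover entry under "Requested Certificates" means
# the DN of the signed cert did not match the CSR.
show_wallet() {
    "$ORAPKI" wallet display -wallet "$1"
}

# Constructed sample bundle: two placeholder blocks, not real certificates, only
# so split_chain can be exercised offline.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItUk9PVC1DQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItSU5URVJNRURJQVRFLUNB
-----END CERTIFICATE-----
EOF
}

# Full run, only when explicitly requested (ORAPKI_EXAMPLE_RUN=1), e.g.
#   ORAPKI=echo ORAPKI_EXAMPLE_RUN=1 sh wallet.sh
if [ "${ORAPKI_EXAMPLE_RUN:-}" = 1 ]; then
    W="${WALLET_DIR:-/u01/app/oracle/admin/oid_inst1/OID/admin/myWalletDir}"
    create_wallet "$W"
    request_cert "$W" "CN=oid.example.com,OU=IT,O=Example,C=US" /tmp/oid.csr
    # ... send /tmp/oid.csr to the CA; it returns chain.pem and oid.crt ...
    import_chain "$W" /tmp/chain.pem
    import_identity "$W" /tmp/oid.crt
    show_wallet "$W"
fi
```

The dry run (ORAPKI=echo) is also a cheap way to review the command lines before running them as the OPMN owner, which matters because the auto-login-only wallet is only as protected as the file permissions on cwallet.sso.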

Note: In the wallet display above (screenshot), you can see 1 User Certificate (the Identity Certificate) and 6 Trusted Certificates (Certifying Authority certificates).

Related/References

Did you get a chance to download the FREE guide on Oracle Secure Sockets Layer (now Transport Layer Security, TLS)? Download it here: http://k21academy.com/fmw-interview-question


About the Author Masroof Ahmad


5 comments
David Richardson says August 24, 2013

This was already on my to-do list!

Just in Time Support!

mrbow says January 22, 2016

Hi, when I try to run orapki I get

/oracle_dhome/product/9.2.0/jdk/jre/bin/java: not found.

Is there something I need to install?

    Atul Kumar says January 26, 2016

    @mrbow,
    For which product are you running orapki, OHS or OID or Database? What is the version?
Ajay says February 1, 2017

When I type 'owm' in the console for Oracle Wallet Manager, the message displayed is "-bash: owm: command not found". What could be the reason? Thanks in advance

Poonam Patil says March 8, 2018

Hi. Is it possible to access the certificates stored in the wallet through a Python program to sign and verify data?
