Oracle Wallet w/ Self-Signed Certificate
Posted by Tyler Muth on July 27, 2007
I was working with some of the security tools included with the Oracle Advanced Security Option and wanted to create a new wallet without going through the hassle of requesting a certificate from one of the popular certificate authorities. After struggling a bit with creating a self-signed certificate, I found a great HowTo by Jim Coulter entitled “How To Build an Oracle Wallet with OpenSSL”. Since I’m planning on a number of future security posts that rely on the Oracle Wallet Manager, I wanted to repost Jim’s HowTo here so they would all be at the same location. Just to be clear, this is NOT my HowTo, it’s Jim’s and I want to give him full credit for a very concise and accurate HowTo.
This HowTo is relevant for any Oracle component that uses the Oracle Wallet Manager, including the Oracle Database with the Advanced Security Option (ASO), Oracle Application Server, Oracle HTTP Server (OHS), and Oracle Internet Directory (OID). For production environments, you should purchase a certificate from a well-known certificate authority such as Entrust, Thawte, GoDaddy, or VeriSign. Using self-signed certificates provides no protection against man-in-the-middle attacks, so they should NOT be used in production environments.
Even though the example is Linux/Unix-centric, I also tested this on Windows using Cygwin and it worked flawlessly.
From Jim Coulter’s site, with one addition:
- Download and unpack the ssl helper scripts named ssl.ca-0.1.tar.gz from the OpenSSL > Contributions page.
- Open Oracle Wallet Manager and create a new wallet and certificate request.
- Export the certificate request to a file. Give it a .csr extension.
- Move the certificate request to the directory containing the OpenSSL certificate authority scripts (e.g. /usr/src/crypto/openssl/apps/ssl.ca-0.1).
- Create a self-signed root certificate by running the new-root-ca.sh script. This will create a file called ca.crt.
- Create the server certificate (signed by the root CA from the previous step) by running the sign-server-cert.sh script, e.g. # sign-server-cert.sh <certificate-request-filename>. This will create a file called <certificate-request-filename>.crt.
- Import the ca.crt into the Oracle wallet as a trusted certificate. Import the <certificate-request-filename>.crt as a user certificate.
- Enable auto-login and save the wallet. It is now ready for use.
References:
- Oracle Database Advanced Security Administrator’s Guide: “9 Using Oracle Wallet Manager”
- Jim Coulter’s HowTo
- Anton Nielsen’s blog: “Setting Up SSL for Application Express”
- OID Tutorial: “Creating a wallet for SSL connectivity between OID and AD”
September 11, 2007 at 2:47 pm
Hi,
Thanks for this nice howto! In the official Oracle documentation this is completely missing.
regards
Dietrich
September 12, 2007 at 6:05 am
I'm stuck at step 7. Trying to import my user.crt I get the following error:
User certificate installation failed.
Possible errors:
- Input was not a valid certificate
- No matching certificate request was found
- CA certificate needed for certificate chain not found. Please install it first.
All the other steps were done quickly without problems. Any ideas?
cornelius
September 13, 2007 at 4:57 pm
Cornelius,
Try pasting only the Base64'd part of the user certificate.
- Harvey
September 17, 2007 at 1:27 am
thanks, that worked
cornelius
November 6, 2007 at 8:37 am
Hi CL (et.al.)
What constitutes the Base64'd part of the certificate? Is it that part which lies between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags?
Cheers,
Paul
November 22, 2007 at 5:30 am
Paul - yes, that's correct. Cut and paste the stuff between the BEGIN CERTIFICATE and END CERTIFICATE tags.
February 17, 2008 at 8:51 pm
Tyler
Your post was very useful along with other posts that I referred to. I've compiled a page for those who would want to look at how to configure a "Self-Signed Certificate for Oracle Application Express with Oracle AS 10.1.2 on Windows 2003". It can be found at http://kannankumara.blogspot.com/2008/02/self-signed-certificate-for-oracle-as.html
March 5, 2008 at 11:25 am
Tyler,
We do have OpenSSL installed. I have tried this logged on as both root and as oracle, and received the following error both times:
/export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1
# /export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1/new-root-ca.sh
No Root CA key round. Generating one
/export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1/new-root-ca.sh: openssl: not found
Self-sign the root CA…
/export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1/new-root-ca.sh: openssl: not found
March 14, 2008 at 5:45 am
Hi All,
I am also getting the same error
User certificate installation failed.
Possible errors:
Input was not a valid certificate
No matching certificate request was found
CA certificate needed for certificate chain not found. Please install it first
I have even tried to paste the Base64'd part, but still the same error. Any suggestions would be appreciated.
Thanks,
Moosa.
April 14, 2008 at 6:40 am
What about orapki? To generate a self-signed wallet, just do:
cd to your wallet directory
orapki wallet create -wallet ./ -auto_login
orapki wallet add -wallet ./ -dn "cn=,cn=OracleContext,dc=oracle,dc=com" -keysize 1024 -self_signed -validity 3650
..done!
May 8, 2008 at 3:59 pm
Hi,
I'm also having the same error
even if I just copied the Base64
Input was not a valid certificate
No matching certificate request was found
CA certificate needed for certificate chain not found. Please install it first
Please help.