Tyler Muth’s Blog

Technology with a focus on Oracle, Application Express and Linux

Oracle Wallet w/ Self-Signed Certificate

Posted by Tyler Muth on July 27, 2007

I was working with some of the security tools included with the Oracle Advanced Security Option and wanted to create a new wallet without going through the hassle of requesting a certificate from one of the popular certificate authorities. After struggling a bit with creating a self-signed certificate, I found a great HowTo by Jim Coulter entitled “How To Build an Oracle Wallet with OpenSSL”. Since I’m planning on a number of future security posts that rely on the Oracle Wallet Manager, I wanted to repost Jim’s HowTo here so they would all be at the same location. Just to be clear, this is NOT my HowTo, it’s Jim’s and I want to give him full credit for a very concise and accurate HowTo.

This HowTo is relevant for any Oracle component that uses the Oracle Wallet Manager, including the Oracle Database with the Advanced Security Option (ASO), Oracle Application Server, Oracle HTTP Server (OHS), Oracle Internet Directory (ODI). For production environments, you should purchase a certificate from a well known certificate authority such as Entrust, Thawte, GoDaddy, or VeriSign. Using self-signed certificates provides no protection against man in the middle attacks so they should NOT be used in production environments.

Even though the example is Linux / Unix centric, I also tested this on Windows using CygWin and it worked flawlessly.

From Jim Coulter’s site, with one addition:

  1. Download and unpack the ssl helper scripts named ssl.ca-0.1.tar.gz from the OpenSSL > Contributions page.
  2. Open Oracle Wallet Manager and create a new wallet and certificate request.
  3. Export the certificate request to a file. Give it a .csr extension
  4. Move the certificate request to the directory containing the openSSL certificate authority scripts (e.g. /usr/src/crytpo/openssl/apps/ssl.ca-0.1)
  5. Create a self-signed root certificate by running the new-root-ca.sh script. This will create a file called ca.crt
  6. Create the self-signed server certificate by running the sign-server-cert.sh script, e.g. # sign-server-cert.sh <certificate-request-filename>. This will create a file called <certificate-request-filename>.crt
  7. Import the ca.crt into the Oracle wallet as a trusted certificate. Import the <certificate-request-filename>.crt as a user certificate.
  8. Enable auto-login and save the wallet. It is now ready for use.

References:

37 Responses to “Oracle Wallet w/ Self-Signed Certificate”

  1. D.Schroff said

    Hi,
    thanks for this nice howto! In the official Oracle documentation this is completey missing.

    regards
    Dietrich

  2. CL said

    i’m stuck at step 7. trying to import my user.crt i get the following error:

    User certificate installation failed.
    Possible errors:
    – Input was not a valid certificate
    – No matching certificate request was found
    – CA certificate needed for certificate chain not found. Please install it first.

    all the other steps were done quickly wíthout problems. any ideas?
    cornelius

  3. Harvey Raja said

    Cornelius,

    Try pasting only the Base64’d part of the user certificate.

    – Harvey

  4. CL said

    thanks, that worked🙂 cornelius

  5. Paul Knibbs said

    Hi CL (et.al.)

    What constitutes the Base64’d part of the certificate? Is it that part which lies between the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– tags?

    Cheers,
    Paul

  6. BigKahuna said

    Paul – yes that’s correct. Cut and past the stuff between the BEGIN CERTIFICATE and END CERTIFICATE tags..

  7. Kannan said

    Tyler

    Your post was very useful along with other posts that I referred. I’ve compiled a page for those who would want to look at how to configure a “Self-Signed Certificate for Oracle Application Express with Oracle AS 10.1.2 on Windows 2003”. It can be found at http://kannankumara.blogspot.com/2008/02/self-signed-certificate-for-oracle-as.html

  8. SB said

    Tyler,

    We do have open SSL installed. I have tried this logged on as both root and as oracle. And recieved the following error both times:

    /export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1
    # /export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1/new-root-ca.sh
    No Root CA key round. Generating one
    /export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1/new-root-ca.sh: openssl: not found

    Self-sign the root CA…
    /export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1/new-root-ca.sh: openssl: not found

  9. Moosa said

    Hi All,
    I am also getting the same error
    User certificate Installation failed..
    Possible errors

    Input was not a valid certificate
    No matching certificate reques was found
    CA certificate needed for certificate chain not found.Please install it first

    I have even tried to paste Base64′d part, but still the same error. Any suggestions would be appreciated.

    Thanks,
    Moosa.

  10. Frank said

    What about orapki? To generate a self signed wallet, just do:
    cd to your wallet directory
    orapki wallet create -wallet ./ -auto_login
    orapki wallet add -wallet ./ -dn “cn=,cn=OracleContext,dc=oracle,dc=com” -keysize 1024 -self_signed -validity 3650
    ..done!

    • Gary said

      Do you mean you can do this instead of going through all of the steps to generate the certs and installing? That would be great. Can you run that command in windows?

    • Null said

      I also got an error using the openssl and the import of user certificate.

      Using the Oracle command above, I got this error:

      oracle.security.wallet.NZException: Wallet Ptr is NULL.
      at oracle.security.wallet.NZWallet.(NZWallet)
      at oracle.security.wallet.NZWallet.getPersonasWithTypeOld(NZWallet)
      at oracle.security.pki.textui.OracleWalletTextUI.add(OracleWalletTextUI)
      at oracle.security.pki.textui.OracleWalletTextUI.command(OracleWalletTextUI)
      at oracle.security.pki.textui.OraclePKITextUI.main(OraclePKITextUI)
      Unknown error occured: ewallet.p12

      This really is harder than it should be.

  11. mac said

    Hi,

    Im also having the same error

    even if i just copied the base 64

    Input was not a valid certificate
    No matching certificate reques was found
    CA certificate needed for certificate chain not found.Please install it first

    Please help.

    • Gary said

      Hi Mac,

      Did you resolve this problem? I’m having the same problem. Even if I pasted the base 64 part only.

      Thanks,

      Gary

      “Hi,

      Im also having the same error

      even if i just copied the base 64

      Input was not a valid certificate
      No matching certificate reques was found
      CA certificate needed for certificate chain not found.Please install it first

      Please help.”

  12. Harsh said

    Excellent document. It worked out perfectly. First time face problem to get use to for this process but on later stage found it very useful and perfect short and sweet description.

    Thanks a lot.
    Harsh

  13. Robert said

    That was very usefull, thanks a lot!

    I got the same error while importing the user certificate:

    – Input was not a valid certificate
    – No matching certificate reques was found
    – CA certificate needed for certificate chain not found.Please install it first

    In my case I succeeded, not to import the file, but to paste the certificate part, but ONLY when
    I included the

    —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–

    tags in the paste

  14. Martin Novoty said

    —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–

    tags in the paste

  15. […] Creating a self-signed certificate that is oracle friendly got a lot easier when I discovered the orapki utility via a comment made by ‘Frank‘ here. […]

  16. Jason said

    Works great for me, Thanks for your help.

  17. […] 1) Create a self signed certificate using oracle wallet manager. Follow the given below link to create certificate/wallet. https://tylermuth.wordpress.com/2007/07/27/oracle-wallet-w-self-signed-certificate/ […]

  18. Rahul said

    Hi,

    Nice posting. Thanks a lot for sharing.

  19. venkat said

    This was nice posting. It helped me a lot and appreciate your efforts

    Regards

  20. Joe Bautista said

    That was great, it worked!

  21. best computer monitor 2011 gaming…

    […]Oracle Wallet w/ Self-Signed Certificate « Tyler Muth’s Blog[…]…

  22. chuck k said

    I’m trying to import godaddy certs into Fusion Middleware. I’ve created the wallet, the CSR, and imported the trusted certs. Where I’m stuck is the 11g version of your step 7.

    From Godaddy I got a gd_bundle.crt and a servername.edu.crt. Both of those imported fine as trusted certs. Where I’m stuck is that I have no idea what or where my regular (CSR reply) cert is.

  23. Louis Barroso said

    I was able to use this utility with no issues on my linux server but on HPUX itanium 11.31 I keep getting the following error when running sign-server-cert.sh –

    error 18 at 0 depth lookup:self signed certificate (Do not get this error on linux env)

    The cert gets built and I can import it into the wallet just fine but when I attempt to start Oracle HTTP Server (and ssl.conf file is pointing to that wallet) I get the following error in my ohs.log file –

    Cannot open and encrypted wallet (path to wallet) while process is managed by OPMN. Enable it as SSO wallet. The wallet has auto-login enabled which some searches told me to check. Any help would be greatly appreciated.

    • Aeisha said

      Hi,

      I am facing the same issue

      ‘Cannot open and encrypted wallet (path to wallet) while process is managed by OPMN. Enable it as SSO wallet.’

      Have you been able to resolve it.

      Thanks in advance for the help.

  24. […] 1) Create a self signed certificate using oracle wallet manager. Follow the given below link to create certificate/wallet. https://tylermuth.wordpress.com/2007/07/27/oracle-wallet-w-self-signed-certificate/ […]

  25. An outstanding share! I’ve just forwarded this onto a coworker who has been doing a little homework on this. And he actually bought me breakfast due to the fact that I stumbled upon it for him… lol. So let me reword this…. Thanks for the meal!! But yeah, thanx for spending the time to talk about this issue here on your web site.

  26. Judith17 said

    Joe is back with this postgame thoughts… What is it about Merlot Joe just wanting certain Rays killers to kill the Rays? Bad enough that Merlot Joe continues to pitch to Chris Davis of the Orioles. Now it’s Jose Bautista.joe bautista

  27. I have always used is zero carbohydrate dieting log for a week.
    Okay, I can make plans to manage the munchies by planning a snack see #1 or keeping busy see #3.
    Go high-protein, low carbs this, south beach
    there.

  28. Most avid Custom Knife collectors already contain the
    knowledge necessary to quickly recognize a mediocre knife from that of a high quality, precision built model.
    The Ultimate Survival Knife better be lightweight, an
    easy task to conceal, get the job done for which it can be
    intended and turn into adaptable to the situation. Harley Davidson and Winchester create a number of the more popular
    designs for a commemorative pocket knife.

  29. […] short, this generates a self-signed certificate and loads it to the oracle wallet ( thanks to tyler muth for providing the steps […]

  30. Charles said

    Hi – I am stuck at step 2. In fact, I received an error “Cannot modify AL wallet.”. What should I do next?

    Please see below

    $ orapki wallet create -wallet /u01/app/oracle/product/11.2.0/dbhome_arngdb/owm/wallets/oracle/wallet-arngdb -auto_login
    Oracle PKI Tool : Version 11.2.0.2.0 – Production
    Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

    Enter password:
    Enter password again:
    [oracle@NGORAN01 oracle]$ ls -l
    total 40
    drwx—— 2 oracle oinstall 4096 Jun 26 16:54 wallet-arngdb

    $ cd wallet-arngdb
    $ ls -l
    total 16
    -rw——- 1 oracle oinstall 3589 Jun 26 16:54 cwallet.sso
    -rw——- 1 oracle oinstall 3512 Jun 26 16:54 ewallet.p12

    $ orapki wallet add -wallet /u01/app/oracle/product/11.2.0/dbhome_arngdb/owm/wallets/oracle/wallet-arngdb -dn ‘CN=arngdb,C=US’ -keysize 2048
    Oracle PKI Tool : Version 11.2.0.2.0 – Production
    Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

    Cannot modify AL wallet.

    $ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/dbhome_arngdb/owm/wallets/oracle/wallet-arngdb
    Oracle PKI Tool : Version 11.2.0.2.0 – Production
    Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

    Requested Certificates:
    User Certificates:
    Trusted Certificates:
    Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
    Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

  31. Reggie said

    You will need to prove that this Organization Name annd also
    the Domain name are, the truth is, yours to use. It aims at gaining acceptance in the people with different cultural
    and traditional backgrounds. That includes probably the mpst superior computerized validation technique within the industry.
    Thawte supplies a solution to us as one of its busiest and
    quite a few successful distribution partners. Your credit card info
    ought to always be protected via SSL certificate (you typically will see a logo for Go – Daddy, Thawte, Veri – Sign, Comodo or Digicert).

  32. Andrew Webster said

    “Cannot modify AL wallet.” AL means Auto Login you need to specify a password to modify the wallet.
    orapki wallet add -wallet /u01/app/oracle/product/11.2.0/dbhome_arngdb/owm/wallets/oracle/wallet-arngdb -dn ‘CN=arngdb,C=US’ -keysize 2048 -pwd XXXXXX
    Note, -pwd at the end.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: