Oracle Wallet w/ Self-Signed Certificate
Posted by Tyler Muth on July 27, 2007
I was working with some of the security tools included with the Oracle Advanced Security Option and wanted to create a new wallet without going through the hassle of requesting a certificate from one of the popular certificate authorities. After struggling a bit with creating a self-signed certificate, I found a great HowTo by Jim Coulter entitled “How To Build an Oracle Wallet with OpenSSL”. Since I’m planning on a number of future security posts that rely on the Oracle Wallet Manager, I wanted to repost Jim’s HowTo here so they would all be at the same location. Just to be clear, this is NOT my HowTo, it’s Jim’s and I want to give him full credit for a very concise and accurate HowTo.
This HowTo is relevant for any Oracle component that uses the Oracle Wallet Manager, including the Oracle Database with the Advanced Security Option (ASO), Oracle Application Server, Oracle HTTP Server (OHS), and Oracle Internet Directory (OID). For production environments, you should purchase a certificate from a well-known certificate authority such as Entrust, Thawte, GoDaddy, or VeriSign. Using self-signed certificates provides no protection against man-in-the-middle attacks, so they should NOT be used in production environments.
Even though the example is Linux/Unix-centric, I also tested this on Windows using Cygwin and it worked flawlessly.
From Jim Coulter’s site, with one addition:
- Download and unpack the ssl helper scripts named ssl.ca-0.1.tar.gz from the OpenSSL > Contributions page.
- Open Oracle Wallet Manager and create a new wallet and certificate request.
- Export the certificate request to a file. Give it a .csr extension.
- Move the certificate request to the directory containing the OpenSSL certificate authority scripts (e.g. /usr/src/crypto/openssl/apps/ssl.ca-0.1).
- Create a self-signed root certificate by running the new-root-ca.sh script. This will create a file called ca.crt.
- Create the self-signed server certificate by running the sign-server-cert.sh script, e.g. # sign-server-cert.sh <certificate-request-filename>. This will create a file called <certificate-request-filename>.crt.
- Import the ca.crt into the Oracle wallet as a trusted certificate. Import the <certificate-request-filename>.crt as a user certificate.
- Enable auto-login and save the wallet. It is now ready for use.
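The two OpenSSL steps above (new-root-ca.sh and sign-server-cert.sh) can be reproduced with plain openssl commands, which is handy for checking what the helper scripts actually do. This is an added example, not Jim's scripts or Oracle's tooling; it assumes openssl is on the PATH, and the file names (ca.key, ca.crt, the WORK directory) and the sample CSR are this example's own choices. The sample CSR stands in for the request you would export from Oracle Wallet Manager in step 3.

```shell
#!/bin/sh
# Added example: plain-openssl equivalents of new-root-ca.sh and
# sign-server-cert.sh. Assumes openssl on PATH; file names are assumptions.
set -eu

# All output goes into one scratch directory (assumed location).
WORK="${WORK:-$(mktemp -d)}"

# Step 5 equivalent: create a self-signed root CA (private key + certificate).
# ca.key never leaves this directory; only ca.crt is imported into the wallet.
new_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Test Root CA/O=Example/C=US" 2>/dev/null
  echo "$WORK/ca.crt"
}

# Step 6 equivalent: sign a .csr with the root CA, writing <name>.crt beside it,
# the same naming convention sign-server-cert.sh uses.
sign_server_cert() {
  csr="$1"
  out="${csr%.csr}.crt"
  openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$out" 2>/dev/null
  echo "$out"
}

# Sanity check before importing into the wallet: the user certificate must
# chain to the CA certificate that will be imported as the trusted certificate.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Constructed stand-in for the CSR exported from Oracle Wallet Manager (step 3).
make_sample_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=db.example.test/O=Example/C=US" 2>/dev/null
  echo "$WORK/server.csr"
}
```

With a CSR exported from the wallet, run new_root_ca once, then sign_server_cert on the .csr and verify_chain on the resulting .crt; ca.crt then goes in as the trusted certificate and the .crt as the user certificate (steps 7 and 8).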
Related links:
- Oracle Database Advanced Security Administrator’s Guide: “9 Using Oracle Wallet Manager”
- Jim Coulter’s HowTo
- Anton Nielsen’s blog: “Setting Up SSL for Application Express”
- OID Tutorial: “Creating a wallet for SSL connectivity between OID and AD”