Oracle Wallet w/ Self-Signed Certificate
Posted by Tyler Muth on July 27, 2007
I was working with some of the security tools included with the Oracle Advanced Security Option and wanted to create a new wallet without going through the hassle of requesting a certificate from one of the popular certificate authorities. After struggling a bit with creating a self-signed certificate, I found a great HowTo by Jim Coulter entitled “How To Build an Oracle Wallet with OpenSSL”. Since I’m planning on a number of future security posts that rely on the Oracle Wallet Manager, I wanted to repost Jim’s HowTo here so they would all be at the same location. Just to be clear, this is NOT my HowTo, it’s Jim’s and I want to give him full credit for a very concise and accurate HowTo.
This HowTo is relevant for any Oracle component that uses the Oracle Wallet Manager, including the Oracle Database with the Advanced Security Option (ASO), Oracle Application Server, Oracle HTTP Server (OHS), and Oracle Internet Directory (OID). For production environments, you should purchase a certificate from a well-known certificate authority such as Entrust, Thawte, GoDaddy, or VeriSign. Using self-signed certificates provides no protection against man-in-the-middle attacks, so they should NOT be used in production environments.
Even though the example is Linux/Unix-centric, I also tested this on Windows using Cygwin and it worked flawlessly.
From Jim Coulter’s site, with one addition:
- Download and unpack the ssl helper scripts named ssl.ca-0.1.tar.gz from the OpenSSL > Contributions page.
- Open Oracle Wallet Manager and create a new wallet and certificate request.
- Export the certificate request to a file. Give it a .csr extension.
- Move the certificate request to the directory containing the OpenSSL certificate authority scripts (e.g. /usr/src/crypto/openssl/apps/ssl.ca-0.1).
- Create a self-signed root certificate by running the new-root-ca.sh script. This will create a file called ca.crt.
- Create the self-signed server certificate by running the sign-server-cert.sh script, e.g. # sign-server-cert.sh <certificate-request-filename>. This will create a file called <certificate-request-filename>.crt.
- Import the ca.crt into the Oracle wallet as a trusted certificate. Import the <certificate-request-filename>.crt as a user certificate.
- Enable auto-login and save the wallet. It is now ready for use.
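The root-CA and signing steps above, as an added shell example (not Jim's HowTo and not the ssl.ca-0.1 scripts) done with plain openssl commands, so the files that end up in the wallet can be inspected and the chain verified before importing. It assumes openssl is on PATH and uses a locally generated stand-in CSR in place of the one exported from Oracle Wallet Manager; all names and DNs are made up.

```shell
#!/bin/sh
# Added example, not from Jim Coulter's HowTo or the ssl.ca-0.1 scripts: the
# same root-CA and signing steps done with plain openssl commands, so the
# files that get imported into the wallet can be inspected and verified.
# Assumes openssl is on PATH. All names and DNs below are made up.
set -e

# Build a root CA, a stand-in request, and the signed server cert in a work dir.
# Prints the directory so callers can find ca.crt and server.csr.crt.
build_wallet_certs() {
    work="${1:-$(mktemp -d)}"
    cd "$work"

    # Step 5 equivalent (new-root-ca.sh): self-signed root CA -> ca.crt
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Test Root CA/O=Example" \
        -keyout ca.key -out ca.crt 2>/dev/null

    # Stand-in for the .csr exported from Oracle Wallet Manager in step 3.
    # (A real wallet import needs the request that OWM itself generated.)
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=db.example.test/O=Example" \
        -keyout server.key -out server.csr 2>/dev/null

    # Step 6 equivalent (sign-server-cert.sh): CA signs the request -> <csr>.crt
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -out server.csr.crt 2>/dev/null

    # Check the chain before touching the wallet; this is the relationship
    # OWM complains about with "CA certificate ... not found".
    openssl verify -CAfile ca.crt server.csr.crt >/dev/null
    printf '%s\n' "$work"
}

# The "Base64'd part" of a PEM file: the lines between the BEGIN/END markers.
pem_body() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
        | grep -v -- '^-----'
}

# Subject of a certificate, to confirm the right request was signed.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}
```

Import ca.crt as a trusted certificate first and server.csr.crt as the user certificate afterwards; the openssl verify step fails before import if the two do not belong together.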
References:
- Oracle Database Advanced Security Administrator’s Guide: “9 Using Oracle Wallet Manager”
- Jim Coulter’s HowTo
- Anton Nielsen’s blog: “Setting Up SSL for Application Express”
- OID Tutorial: “Creating a wallet for SSL connectivity between OID and AD”
D.Schroff said
Hi,
thanks for this nice howto! In the official Oracle documentation this is completely missing.
regards
Dietrich
CL said
I'm stuck at step 7. Trying to import my user.crt I get the following error:
User certificate installation failed.
Possible errors:
– Input was not a valid certificate
– No matching certificate request was found
– CA certificate needed for certificate chain not found. Please install it first.
All the other steps were done quickly without problems. Any ideas?
cornelius
Harvey Raja said
Cornelius,
Try pasting only the Base64’d part of the user certificate.
– Harvey
CL said
thanks, that worked 🙂 cornelius
Paul Knibbs said
Hi CL (et al.)
What constitutes the Base64'd part of the certificate? Is it that part which lies between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags?
Cheers,
Paul
BigKahuna said
Paul – yes, that's correct. Cut and paste the stuff between the BEGIN CERTIFICATE and END CERTIFICATE tags.
Kannan said
Tyler
Your post was very useful along with other posts that I referred. I’ve compiled a page for those who would want to look at how to configure a “Self-Signed Certificate for Oracle Application Express with Oracle AS 10.1.2 on Windows 2003”. It can be found at http://kannankumara.blogspot.com/2008/02/self-signed-certificate-for-oracle-as.html
SB said
Tyler,
We do have OpenSSL installed. I have tried this logged on as both root and as oracle, and received the following error both times:
/export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1
# /export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1/new-root-ca.sh
No Root CA key round. Generating one
/export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1/new-root-ca.sh: openssl: not found
Self-sign the root CA…
/export/home/oracle/SCRIPTS/OPEN_SSL/ssl.ca-0.1/new-root-ca.sh: openssl: not found
Moosa said
Hi All,
I am also getting the same error
User certificate Installation failed..
Possible errors
Input was not a valid certificate
No matching certificate request was found
CA certificate needed for certificate chain not found. Please install it first
I have even tried to paste Base64′d part, but still the same error. Any suggestions would be appreciated.
Thanks,
Moosa.
Gary said
Hi Moosa,
Did you ever get this to work? I’m having the same problem.
Praful said
Did it work? I am also facing the same issue for some time.
Frank said
What about orapki? To generate a self signed wallet, just do:
cd to your wallet directory
orapki wallet create -wallet ./ -auto_login
orapki wallet add -wallet ./ -dn "cn=,cn=OracleContext,dc=oracle,dc=com" -keysize 1024 -self_signed -validity 3650
..done!
Gary said
Do you mean you can do this instead of going through all of the steps to generate the certs and installing? That would be great. Can you run that command in windows?
Null said
I also got an error using the openssl and the import of user certificate.
Using the Oracle command above, I got this error:
oracle.security.wallet.NZException: Wallet Ptr is NULL.
at oracle.security.wallet.NZWallet.(NZWallet)
at oracle.security.wallet.NZWallet.getPersonasWithTypeOld(NZWallet)
at oracle.security.pki.textui.OracleWalletTextUI.add(OracleWalletTextUI)
at oracle.security.pki.textui.OracleWalletTextUI.command(OracleWalletTextUI)
at oracle.security.pki.textui.OraclePKITextUI.main(OraclePKITextUI)
Unknown error occured: ewallet.p12
This really is harder than it should be.
mac said
Hi,
I'm also having the same error
even if I just copied the base 64
Input was not a valid certificate
No matching certificate request was found
CA certificate needed for certificate chain not found. Please install it first
Please help.
Gary said
Hi Mac,
Did you resolve this problem? I’m having the same problem. Even if I pasted the base 64 part only.
Thanks,
Gary
"Hi,
I'm also having the same error
even if I just copied the base 64
Input was not a valid certificate
No matching certificate request was found
CA certificate needed for certificate chain not found. Please install it first
Please help."
Praful said
Is your issue resolved? I am also facing the same issue!
Harsh said
Excellent document. It worked out perfectly. The first time I faced problems getting used to this process, but at a later stage I found it very useful, and a perfect short and sweet description.
Thanks a lot.
Harsh
Robert said
That was very useful, thanks a lot!
I got the same error while importing the user certificate:
– Input was not a valid certificate
– No matching certificate request was found
– CA certificate needed for certificate chain not found. Please install it first
In my case I succeeded, not by importing the file, but by pasting the certificate part, but ONLY when I included the
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
tags in the paste.
Martin Novoty said
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
tags in the paste
Tall Birch » Blog Archive » Self-signed certificate for Oracle said
[…] Creating a self-signed certificate that is oracle friendly got a lot easier when I discovered the orapki utility via a comment made by ‘Frank‘ here. […]
Jason said
Works great for me, Thanks for your help.
FAQs on Oracle SOA Admin « My Life said
[…] 1) Create a self signed certificate using oracle wallet manager. Follow the given below link to create certificate/wallet. https://tylermuth.wordpress.com/2007/07/27/oracle-wallet-w-self-signed-certificate/ […]
Rahul said
Hi,
Nice posting. Thanks a lot for sharing.
venkat said
This was a nice posting. It helped me a lot and I appreciate your efforts.
Regards
Joe Bautista said
That was great, it worked!
chuck k said
I’m trying to import godaddy certs into Fusion Middleware. I’ve created the wallet, the CSR, and imported the trusted certs. Where I’m stuck is the 11g version of your step 7.
From GoDaddy I got a gd_bundle.crt and a servername.edu.crt. Both of those imported fine as trusted certs. Where I'm stuck is that I have no idea what or where my regular (CSR reply) cert is.
Louis Barroso said
I was able to use this utility with no issues on my linux server but on HPUX itanium 11.31 I keep getting the following error when running sign-server-cert.sh –
error 18 at 0 depth lookup:self signed certificate (Do not get this error on linux env)
The cert gets built and I can import it into the wallet just fine but when I attempt to start Oracle HTTP Server (and ssl.conf file is pointing to that wallet) I get the following error in my ohs.log file –
Cannot open and encrypted wallet (path to wallet) while process is managed by OPMN. Enable it as SSO wallet. The wallet has auto-login enabled which some searches told me to check. Any help would be greatly appreciated.
Aeisha said
Hi,
I am facing the same issue
‘Cannot open and encrypted wallet (path to wallet) while process is managed by OPMN. Enable it as SSO wallet.’
Have you been able to resolve it?
Thanks in advance for the help.
FAQ’s of Oracle SOA « Dilip Mavireddi's Weblog said
[…] 1) Create a self signed certificate using oracle wallet manager. Follow the given below link to create certificate/wallet. https://tylermuth.wordpress.com/2007/07/27/oracle-wallet-w-self-signed-certificate/ […]
ouch: ORA-07445: exception encountered: core dump [__intel_new_memcpy()+52] « Daniel Westermann's Blog said
[…] short, this generates a self-signed certificate and loads it to the oracle wallet ( thanks to tyler muth for providing the steps […]
Charles said
Hi – I am stuck at step 2. In fact, I received an error “Cannot modify AL wallet.”. What should I do next?
Please see below
"
$ orapki wallet create -wallet /u01/app/oracle/product/11.2.0/dbhome_arngdb/owm/wallets/oracle/wallet-arngdb -auto_login
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
[oracle@NGORAN01 oracle]$ ls -l
total 40
drwx------ 2 oracle oinstall 4096 Jun 26 16:54 wallet-arngdb
$ cd wallet-arngdb
$ ls -l
total 16
-rw------- 1 oracle oinstall 3589 Jun 26 16:54 cwallet.sso
-rw------- 1 oracle oinstall 3512 Jun 26 16:54 ewallet.p12
$ orapki wallet add -wallet /u01/app/oracle/product/11.2.0/dbhome_arngdb/owm/wallets/oracle/wallet-arngdb -dn 'CN=arngdb,C=US' -keysize 2048
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
Cannot modify AL wallet.
$ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/dbhome_arngdb/owm/wallets/oracle/wallet-arngdb
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
"
Andrew Webster said
"Cannot modify AL wallet." AL means Auto Login; you need to specify a password to modify the wallet.
orapki wallet add -wallet /u01/app/oracle/product/11.2.0/dbhome_arngdb/owm/wallets/oracle/wallet-arngdb -dn 'CN=arngdb,C=US' -keysize 2048 -pwd XXXXXX
Note the -pwd at the end.
Gerrit Haase said
Well, one of the problems with posts like this 12-year-old article: http://www.openssl.org/contrib/ gives a 404 error, and several links to other blogs are not valid anymore…
Do you have the ssl-ca scripts somewhere local and would provide these?