Tutorial: the Oracle Wallet Manager
Oracle Wallets are password-protected containers that are used to store SSL-related security credentials.
The Oracle Wallet Manager is an application that wallet owners use to maintain the security credentials in their Oracle wallets. You use the Oracle Wallet Manager to perform tasks such as:
- Creating wallets
- Generating certificate requests
- Opening wallets to access PKI-based services
- Saving credentials to cryptographic hardware devices, such as smart cards
- Uploading wallets to and downloading them from an LDAP directory
- Importing third-party PKCS #12-format wallets, and exporting Oracle wallets to a third-party environment
The Oracle Wallet Manager can save credentials to smart cards by using APIs that comply with the Public-Key Cryptography Standards #11 (PKCS #11) specification.
Create the Wallet with the Oracle Wallet Manager
Navigate to the $INST_TOP/certs/Apache directory to create the new wallet.
[applmgr@ebs appl]$ cd $INST_TOP/certs/Apache
[applmgr@ebs Apache]$ pwd
/d01/app/oracle/inst/apps/PROD_ebs/certs/Apache
[applmgr@ebs Apache]$ ls
cwallet.sso ewallet.p12
You should see the demo wallets that Rapid Install created when R12 was installed, as shown above.
Start the OWM (Oracle Wallet Manager) as shown in the figure example listed below.
Select Wallet > New.
It will prompt you with "Your default wallet directory doesn't exist. Do you wish to create it now?" Choose No.
The New Wallet screen will now prompt you to enter a password for your wallet. Enter the password.
The new, empty wallet is created and you are asked whether to create a certificate request. We do need to create the new certificate request, so choose Yes. Fill in the certificate request fields as follows:
- Common Name: the name of your server, including the domain.
- Organizational Unit: (optional) the unit within your organization.
- Organization: the name of your organization.
- Locality/City: your locality or city.
- State/Province: the full name of your state or province; do not abbreviate.
- Country: select your country from the drop-down list.
Click OK.
Oracle Wallet Manager and LDAP
The Oracle Wallet Manager can upload wallets to, and retrieve them from, an LDAP-compliant directory. Using a centralized LDAP-compliant directory to store wallets lets users access them from multiple locations or devices, which ensures consistent and reliable user authentication while providing centralized wallet management throughout the wallet life cycle. Oracle prevents the accidental overwrite of functional wallets by only allowing wallets that contain an installed certificate to be uploaded.
The LDAP directory must have the Enterprise user defined and configured before the Oracle Wallet Manager can be used to upload or download wallets for that user. When a directory contains Oracle8i (or prior) users, they are automatically upgraded to use the wallet upload and download feature on their first use.
Downloading a user's wallet from the LDAP directory with the Oracle Wallet Manager uses a simple password-based connection to the LDAP directory when the wallet contains no SSL certificate. When the wallet contains an Oracle PKI SSL certificate, an SSL connection is used instead.
Uploading a Wallet to an LDAP Directory
When uploading a wallet into an LDAP directory, the Oracle Wallet Manager uses SSL if the specified wallet contains an SSL certificate. Otherwise, it lets you upload after you enter the directory password.
To prevent the accidental destruction of a target wallet, the Oracle Wallet Manager will not allow anyone to execute the upload option unless the target wallet is currently open and contains at least one user certificate.
To upload a wallet, use the following procedure:
- Start the Oracle Wallet Manager GUI by running the owm command at the command line. On Windows, choose Start > Programs > Oracle_home > Integrated Management Tools > Wallet Manager.
- From the Wallet Manager menu bar, choose Wallet > Upload Into The Directory Service. If the currently open wallet has not been saved, a dialog box appears with the warning "Wallet needs to be saved before uploading." Choose Yes to proceed.
- Before uploading starts, the wallet's certificates are checked for SSL key usage. If at least one certificate has SSL key usage, a dialog box prompts for the LDAP directory server and port. Enter the server and port information and click OK. The Oracle Wallet Manager then attempts to connect to the LDAP directory server using SSL. A message appears indicating whether the wallet was uploaded successfully or the upload failed.
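The two upload preconditions described above (the wallet must open, hold at least one user certificate, and that certificate must carry SSL key usage) can be checked outside the GUI before touching the directory. The following is an added example, not Oracle's code; it assumes the wallet is a standard PKCS #12 file such as ewallet.p12, uses the third-party cryptography library, and constructs its own sample wallets rather than reading a real E-Business Suite wallet.

```python
# Added example (not Oracle's code): emulate the checks Oracle Wallet Manager
# makes before "Upload Into The Directory Service" on a PKCS #12 wallet file.
# Assumption: the wallet is ordinary PKCS #12 (as ewallet.p12 is) and the
# 'cryptography' package is installed.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def wallet_upload_precheck(p12_bytes: bytes, password: bytes):
    """Return (ok, reason); ok is True only if OWM would accept the wallet for upload."""
    try:
        key, cert, _trusted = pkcs12.load_key_and_certificates(p12_bytes, password)
    except ValueError as exc:  # wrong wallet password or malformed PKCS #12
        return False, f"wallet could not be opened: {exc}"
    if key is None or cert is None:  # only trusted certs: no user certificate
        return False, "no user certificate (certificate with private key) in wallet"
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return False, "user certificate has no keyUsage extension"
    if not (ku.digital_signature or ku.key_encipherment):  # not usable for SSL
        return False, "user certificate key usage does not permit SSL"
    return True, "wallet holds an SSL-capable user certificate; upload would use SSL"


def make_wallet(password: bytes, ssl_usage: bool, include_key: bool = True) -> bytes:
    """Construct a sample PKCS #12 wallet for the demo (constructed data, not a real wallet)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ebs.example.com")])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.KeyUsage(
                digital_signature=ssl_usage, key_encipherment=ssl_usage,
                content_commitment=False, data_encipherment=False, key_agreement=False,
                key_cert_sign=not ssl_usage, crl_sign=False,
                encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    enc = serialization.BestAvailableEncryption(password)
    if include_key:
        return pkcs12.serialize_key_and_certificates(b"ebs", key, cert, None, enc)
    # wallet containing only a trusted certificate: no private key, no user cert
    return pkcs12.serialize_key_and_certificates(b"ebs", None, None, [cert], enc)
```

Run wallet_upload_precheck on the bytes of an existing ewallet.p12 with its wallet password to see which of the four outcomes applies before attempting an upload.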