ORAPKI UTILITY
Shashi Kallae
Security Guide 3.2.9: Managing the Secure External Password Store for Certificates
mkstore is a command-line Oracle utility that you can use to add secrets to the wallet and then manage them. It is available in the Oracle Database client. Starting in Oracle Database release 23c, mkstore is deprecated. Oracle recommends that you use orapki instead of mkstore.
How do you manage the Secure External Password Store using the orapki tool?
ANSWER
Notice that for 23c we are only deprecating the utility - no changes at
this time. We just want to make sure the community is aware that we are
planning to fix this in an upcoming release.
Before delving into the definition of orapki, let's explore some key definitions.
1. ewallet.p12
1.1. This is the main keystore file, in PKCS#12 format. It contains private keys, certificates, and other password-protected information used for database authentication. It is secured with a password and associated with the Oracle Wallet.
Private Key: This is a secret code, like a master key, that grants access
to the database.
Certificate: This is like a digital ID card that verifies your identity to the
database and confirms you have the private key.
Just like a physical safe needs a key to open it, the PKCS#12 file has a
password for extra security. You can use this file to import or export
both the private key and certificate between your computer and Oracle
databases. This helps set up secure connections or use tools that
require both the key and certificate.
2. cwallet.sso
2.1. cwallet.sso is an auto-open wallet file that stores database authentication and signing credentials. A configured wallet consists of two files, cwallet.sso and ewallet.p12, stored in a secured directory.
2.1.1. Can you see what's inside cwallet.sso?
Yes: $ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet /oracle_dir_name/wallet/cwallet.sso
2.2. The Oracle wallet lock files: lock files are not recreated every time a new connection is created; they are created only at startup, when the driver reads the DB connection string. ewallet.p12.lck and cwallet.sso.lck are created by the Oracle UCP driver at startup after it accesses the wallet files ewallet.p12 and cwallet.sso, whose location is given by the argument of the parameter -Doracle.net.wallet_location=<path>. Check the permissions on these lock files: are they rw------- or -rwxrwxrwx?
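The permission check on the wallet and lock files can be scripted so it runs the same way on every host. The following script is an added example, not part of the original document or of Oracle's tooling; the file names (ewallet.p12, cwallet.sso and their .lck companions) come from the text above, while the owner-only (mode 600) policy it enforces and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original document): audit the permissions of the
# wallet files and the UCP lock files in a wallet directory. The file names are
# the ones the document mentions; requiring mode 600 is this example's policy.
# Usage: sh wallet_perms.sh /oracle_dir_name/wallet

# Print the octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if every wallet/lock file present in the directory is owner-only
# (mode 600 or stricter), 1 otherwise. Missing files are reported but do not
# fail the check, because the .lck files only exist while a UCP pool is running.
check_wallet_perms() {
    dir=$1
    rc=0
    for f in ewallet.p12 cwallet.sso ewallet.p12.lck cwallet.sso.lck; do
        p="$dir/$f"
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            continue
        fi
        mode=$(file_mode "$p")
        # Group and other bits must be zero; the owner must not have execute.
        case "$mode" in
            600|400|200) echo "ok:   $p ($mode)" ;;
            *)           echo "WEAK: $p ($mode) - expected 600"; rc=1 ;;
        esac
    done
    return $rc
}

# Reset weak permissions in place to owner read/write only.
harden_wallet_perms() {
    for f in "$1"/ewallet.p12 "$1"/cwallet.sso "$1"/*.lck; do
        [ -e "$f" ] && chmod 600 "$f"
    done
    return 0
}

# When run with a directory argument, audit it and exit non-zero on weak files.
if [ -n "${1:-}" ]; then
    check_wallet_perms "$1" || { echo "some wallet files are group/world accessible"; exit 1; }
fi
```

Run it against the wallet directory from the UCP pool's -Doracle.net.wallet_location value; a non-zero exit means at least one file would be readable by other users on the host.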
Environment variables used by the commands in this document:
1. $ORACLE_HOME
2. $JAVA_HOME, for example: export JAVA_HOME=/oracle/JDKX/jdk1.x.0_xx/
HOW TO CREATE A WALLET FOR THE ORACLE DATABASE?
v$encryption_wallet;
e) ls -lthr $ORACLE_HOME/network/admin/sqlnet.ora
f) vi $ORACLE_HOME/network/admin/sqlnet.ora
g) WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_
“WALLET_LOCATION” parameter]
cwallet.sso].
b) $ORACLE_HOME/oracle_common/bin/orapki wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet
pwd pa$$word
Oracle Database Config Files Updates
After creating and configuring the wallet with orapki, update the tnsnames.ora, listener.ora, and sqlnet.ora files so that auto-login works end to end.
SQLNET.ORA Configuration
A configured sqlnet.ora, as per Oracle's recommendations, should look as follows:
SSL_VERSION = 0
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $ORACLE_HOME/wallet)
    )
  )
LISTENER.ORA Configuration
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $ORACLE_HOME/wallet)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = xxxxxxxx1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = hostname)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = hostname)(PORT = 1532))
    )
  )
TNSNAMES.ORA Configuration
1. A configured tnsnames.ora; adjust the values to your requirements.
2. Ensure the TNS_ADMIN directory contains properly configured sqlnet.ora and tnsnames.ora files on both the Oracle server and the client.
3. After the Oracle server is configured to use Oracle wallets with SSL certificates, restart the Oracle listener.
ORACLE_DATABASE_ALIAS =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = hostname)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORACLE_SID)
    )
  )
Verify the Oracle Database access with the created Wallet
1. Log in to the Oracle database as sysdba, create a user associated with the respective Oracle wallet, and grant it the create session privilege.
SQL> CONNECT / AS SYSDBA
Connected.
echo $TNS_ADMIN
Note: The user logs in to the database using Oracle wallet and the
ORACLE_DATABASE_ALIAS that is configured in the sqlnet.ora and
tnsnames.ora files in the TNS_ADMIN directory.
4. Execute the following SQL to validate the user.
show user;
Note: The query returns the Oracle user associated with the Oracle wallet configured in the tnsnames.ora and sqlnet.ora files in the TNS_ADMIN directory.
If the verification fails, check the following possible causes:
1. The files in the TNS_ADMIN directory of the Oracle server and client are not properly configured.
2. The Oracle wallet configured in the files in the TNS_ADMIN directory might not be associated with any database user.
3. The user who logged in to the machine does not have appropriate permissions to access the Oracle wallet configured in the files in the TNS_ADMIN directory. Double-check the users and grants.
This command will prompt you to enter and re-enter a wallet password. It creates a wallet in the location specified for -wallet.
To create an Oracle wallet with auto-login enabled:
This command creates a wallet with auto-login enabled, or it can also be used to enable auto-login on an existing wallet. If the wallet_location already contains a wallet, then auto-login will be enabled for it. To disable the auto-login feature, delete cwallet.sso.
Note: For wallets with the auto-login feature enabled, you are prompted for a password only for operations that modify the wallet, such as add.
This command displays the certificate requests, user certificates, and trusted certificates contained in the wallet.
This command adds a certificate request to a wallet for the user with the specified distinguished name (user_dn). The request also specifies the requested certificate's key size (512, 1024, or 2048 bits). To sign the request, export it with the export option. See Section G.1.4.3, "Exporting Certificates and Certificate Requests from Oracle Wallets with orapki."
certificate_location
This command creates a new self-signed (root) certificate and adds it to the wallet. The -validity parameter (mandatory) specifies the number of days, starting from the current date, that this certificate will be valid. You can specify a key size for this root certificate (-keysize) of 512, 1024, 2048, or 4096 bits.
This command adds the user certificate at the location specified with the -cert parameter to the Oracle wallet at the wallet_location. Before you add a user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail.
This command exports a certificate with the subject's distinguished name (-dn) from a wallet to a file that is specified by -cert.
This command exports a certificate request with the subject's distinguished name (-dn) from a wallet to a file that is specified by -request.
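The wallet operations described above have an ordering constraint (the trusted chain must be in the wallet before the user certificate) and a fixed set of accepted key sizes. The following wrapper is an added example, not part of the original document or of Oracle's orapki distribution; it assumes ORAPKI points at the orapki binary (defaulting to the $ORACLE_HOME/oracle_common/bin/orapki path used in this document), that WALLET_PWD holds the wallet password, and that the certificate file names passed to it are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original document or from Oracle): run the
# orapki wallet commands described above in the order the documentation
# requires: create -> auto-login -> trusted chain -> user certificate.
# Assumptions: ORAPKI is the orapki binary, WALLET_PWD the wallet password.
ORAPKI=${ORAPKI:-$ORACLE_HOME/oracle_common/bin/orapki}

# Key sizes the documentation lists for a self-signed (root) certificate.
valid_root_keysize() {
    case "$1" in 512|1024|2048|4096) return 0 ;; *) return 1 ;; esac
}

# Create the wallet and enable auto-login (writes ewallet.p12 and cwallet.sso).
wallet_create() {
    "$ORAPKI" wallet create -wallet "$1" -pwd "$WALLET_PWD" -auto_login
}

# Add every trusted certificate of the chain BEFORE the user certificate;
# orapki rejects the user certificate if its chain is not already in the wallet.
# Usage: wallet_add_chain_then_user <wallet_dir> <user_cert> <ca_cert>...
wallet_add_chain_then_user() {
    dir=$1; usercert=$2; shift 2
    for ca in "$@"; do
        [ -r "$ca" ] || { echo "trusted certificate not readable: $ca" >&2; return 1; }
        "$ORAPKI" wallet add -wallet "$dir" -trusted_cert -cert "$ca" -pwd "$WALLET_PWD" || return 1
    done
    "$ORAPKI" wallet add -wallet "$dir" -user_cert -cert "$usercert" -pwd "$WALLET_PWD"
}

# Add a self-signed root certificate for <dn> with <keysize> bits, valid <days> days.
wallet_add_self_signed() {
    dir=$1; dn=$2; keysize=$3; days=$4
    valid_root_keysize "$keysize" || { echo "unsupported keysize: $keysize" >&2; return 1; }
    "$ORAPKI" wallet add -wallet "$dir" -dn "$dn" -keysize "$keysize" \
        -self_signed -validity "$days" -pwd "$WALLET_PWD"
}

# List certificate requests, user certificates and trusted certificates.
wallet_display() {
    "$ORAPKI" wallet display -wallet "$1"
}
```

A typical sequence is wallet_create, then wallet_add_chain_then_user with the CA certificates listed root first, then wallet_display to confirm the entries; because the wrapper checks that each chain file is readable before calling orapki, a missing intermediate certificate fails early instead of leaving a half-populated wallet.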
Disclaimer
This document is intended for educational purposes only. I am not liable for any adverse effects resulting from using the information provided herein. Please consult Oracle support for further assistance if you have any questions or doubts regarding the tools mentioned in this document.