Oracle Wallet Manager

Exclusive offer: get 50% off this eBook here
Oracle 10g/11g Data and Database Management Utilities

Oracle 10g/11g Data and Database Management Utilities — Save 50%

Master 12 must-use Oracle Database Utilities with this Oracle book and eBook

$29.99    $15.00
by Hector R. Madrid | July 2009 | Oracle

In this article by Hector R. Madrid, we will discuss about the Oracle Wallet Manager. The Oracle Wallet Manager (OWM) is the tool used by Oracle to manage the authentication processes. It is a key tool for managing most of the authentication and security related tasks in an Oracle environment, this includes; authenticating users, providing SSL communication, and configuring the Transparent Data Encryption (TDE) feature, among others. There are two modes to work with the Oracle Wallet, the first one is by using the Java Oracle Wallet Manager console and the second one is by means of the mkwallet command line version, this method is suitable for batch processing. The Wallet is a very sensitive element; there are several ways to store it, not only in its file at the file system level, but also in the registry (for Windows platforms only). It can also be stored in an LDAP compliant directory.

 

The Oracle Wallet Manager

Oracle Wallet Manager is a password protected stand-alone Java application tool used to maintain security credentials and store SSL related information such as authentication and signing credentials, private keys, certificates, and trusted certificates.

OWM uses Public Key Cryptographic Standards (PKCS) #12 specification for the Wallet format and PKCS #10 for certificate requests.

Oracle Wallet Manager stores X.509 v3 certificates and private keys in industry-standard PKCS #12 formats, and generates certificate requests according to the PKCS #10 specification. This makes the Oracle Wallet structure interoperable with supported third party PKI applications, and provides Wallet portability across operating systems. Additionally, Oracle Wallet Manager Wallets can be enabled to store credentials on hardware security modules that use APIs compliant with the PKCS #11 specification.

The OWM creates Wallets, generates certificate requests, accesses Public Key interface-based services, saves credentials into cryptographic hardware such as smart cards, uploads and unloads Wallets to LDAP directories, and imports Wallets in PKCS #12 format.

In a Windows environment, Oracle Wallet Manager can be accessed from the start menu. The following screenshot shows the Oracle Wallet Manager Properties:

Oracle Wallet Manager

In a Unix like environment, OWM can be accessed directly from the command line with the owm shell script located at $ORACLE_HOME/bin/owm, it requires a graphical environment so it can be launched.

Oracle Wallet Manager

Creating the Oracle Wallet

If this is the first time the Wallet has been opened, then a Wallet file does not yet exist. A Wallet is physically created in a specified directory. The user can declare the path where the Oracle Wallet file should be created.

Oracle Wallet Manager

The user may either specify a default location or declare a particular directory. A file named ewallet.p12 will be created in the specified location.

Enabling Auto Login

The Oracle Wallet Manager Auto Login feature creates an obfuscated copy of the Wallet and enables PKI-based access to the services without a password. When this feature is enabled, only the user who created the Wallet will have access to it.

By default, Single Sign-On (SSO) access to a different database is disabled. The auto login feature must be enabled in order for you to have access to multiple databases using SSO.

Oracle Wallet Manager

Checking and unchecking the Auto Login option will enable and disable this feature.

mkwallet, the CLI OWM version

Besides the Java client, there is a command line interface version of the Wallet, which can be accessed by means of the mkwallet utility. This can also be used to generate a Wallet and have it configured in Auto Login mode. This is a fully featured tool that allows you to create Wallets, and to view and modify their content.

The options provided by the mkwallet tool are shown in the following table:

 

 

Option

Meaning

-R rootPwd rootWrl DN keySize expDate

Create the root Wallet

-e pwd wrl

Create an empty Wallet

-r pwd wrl DN keySize certReqLoc

Create a certificate request, add it to Wallet and export it to certReqLoc

-c rootPwd rootWrl certReqLoc certLoc

Create a certificate for a certificate request

-i pwd wrl certLoc NZDST_CERTIFICATE | NZDST_CLEAR_PTP

Install a certificate | trusted point

-d pwd wrl DN

Delete a certificate with matching DN

-s pwd wrl

Store sso Wallet

-p pwd wrl

Dump the content of Wallet

-q certLoc

Dump the content of the certificate

-Lg pwd wrl crlLoc nextUpdate

Generate CRL

-La pwd wrl crlLoc certtoRevoke

Revoke certificate

-Ld crlLoc

Display CRL

-Lv crlLoc cacert

Verify CRL signature

-Ls crlLoc cert

Check certificate revocation status

-Ll oidHostname oidPortNumber cacert

Fetch CRL from LDAP directory

-Lc cert

Fetch CRL from CRLDP in cert

-Lb b64CrlLoc derCrlLoc

Convert CRL from B64 to DER format

-Pw pwd wrl pkcs11Lib tokenPassphrase

Create an empty Wallet. Store PKCS11 info in it.

-Pq pwd wrl DN keysize certreqLoc

Create cert request. Generate key pair on pkcs11 device.

-Pl pwd wrl

Test pkcs11 device login using Wallet containing PKCS11 info.

-Px pwd wrl pkcs11Lib

tokenPassphrase

Create a Wallet with pkcs11 info from a software Wallet.

 

Managing Wallets with orapki

A CLI-based tool, orapki, is used to manage Public Key Infrastructure components such as Wallets and revocation lists. This tool eases the procedures related to PKI management and maintenance by allowing the user to include it in batch scripts.

This tool can be used to create and view signed certificates for testing purposes, create Oracle Wallets, add and remove certificate and certificate requests, and manage Certification Revocation Lists (CRLs)—renaming them and managing them against the Oracle Internet Directory.

The syntax for this tool is:

orapki module command -parameter <value>

module can have these values:

  1. wallet: Oracle Wallet
  2. crl: Certificate Revocation List
  3. cert: The PKI Certificate

To create a Wallet you can issue this command:

orapki wallet create -wallet <Path to Wallet>

To create a Wallet with the auto login feature enabled, you can issue the command:

orapki wallet create -wallet <Path to Wallet> -autologin

To add a certificate request to the Wallet you can use the command:

orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048>

To add a user certificate to an Oracle Wallet:

orapki wallet add -wallet <wallet_location> -user_cert -cert <certificate_location>

The options and values available for the orapki tool depend on the module to be configured:

orapki Action

Description and Syntax

orapki cert create

Creates a signed certificate for testing purposes.

orapki cert create [-wallet <wallet_location>] -request <certificate_request_location> -cert <certificate_location> -validity <number_of_days> [-summary]

orapki cert display

Displays details of a specific certificate.

orapki cert display -cert <certificate_location> [-summary|-complete]

orapki crl delete

Deletes CRLs from Oracle Internet Directory.

 

orapki crl delete -issuer <issuer_name> -ldap <hostname:

ssl_port> -user <username> [-wallet <wallet_location>]

[-summary]

orapki crl diskplay

Displays specific CRLs that are stored in Oracle Internet Directory.

orapki crl display -crl <crl_location> [-wallet <wallet_location>] [-summary|-complete]

orapki crl hash

Generates a hash value of the certificate revocation list (CRL) issuer to identify the location of the CRL in your file system for certificate validation.

orapki crl hash -crl <crl_filename|URL> [-wallet <wallet_location>] [-symlink|-copy] <crl_directory> [-summary]

orapki crl list

Displays a list of CRLs stored in Oracle Internet Directory.

orapki crl list -ldap <hostname:ssl_port>

orapki crl upload

Uploads CRLs to the CRL subtree in Oracle Internet Directory.

orapki crl upload -crl <crl_location> -ldap <hostname:ssl_port> -user <username> [-wallet <wallet_location>] [-summary]

orapki wallet add

Add certificate requests and certificates to an Oracle Wallet.

orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048>

orapki wallet create

Creates an Oracle Wallet or to set auto login on for an Oracle Wallet.

orapki wallet create -wallet <wallet_location> [-auto_login]

orapki wallet display

Displays the certificate requests, user certificates, and trusted certificates in an Oracle Wallet.

orapki wallet display -wallet <wallet_location>

orapki wallet export

Export certificate requests and certificates from an Oracle Wallet.

orapki wallet export -wallet <wallet_location> -dn <certificate_dn> -cert

<certificate_filename>

 

Oracle Wallet Manager CSR generation

Oracle Wallet Manager generates a certificate request in PKCS #10 format. This certificate request can be sent to a certificate authority of your choice. The procedure to generate this certificate request is as follows:

Oracle Wallet Manager

From the main menu choose the Operations menu and then select the Add Certificate Request submenu. As shown in the following screenshot, a form will be displayed where you can capture specific information.

Oracle Wallet Manager

The parameters used to request a certificate are described next:

Common Name: This parameter is mandatory. This is the user's name or entity's name. If you are using a user's name, then enter it using the first name, last name format.

Organization Unit: This is the name of the identity's organization unit. It could be the name of the department where the entity belongs (optional parameter).

Organization: This is the company's name (optional).

Location/City: The location and the city where the entity resides (optional).

State/Province: This is the full name of the state where the entity resides. Do not use abbreviations (optional).

Country: This parameter is mandatory. It specifies the country where the entity is located.

Key Size: This parameter is mandatory. It defines the key size used when a public/private key pair is created. The key size can be as little as 512 bytes and up to 4096 bytes.

Advanced: When the parameters are introduced a Distinguished Name (DN) is assembled. If you want to customize this DN, then you can use the advanced DN configuration mode.

Oracle Wallet Manager

Once the Certificate Request form has been completed, a PKCS#10 format certificate request is generated. The information that appears between the BEGIN and END keywords must be used to request a certificate to a Certificate Authority (CA); there are several well known certificate authorities, and depending on the usage you plan for your certificate, you could address the request to a known CA (from the browser perspective) so when an end user accesses your site it doesn't get warned about the site's identity. If the certificate will be targeted at a local community who doesn't mind about the certificate warning, then you may generate your own certificate or ask a CA to issue a certificate for you. For demonstration purposes, we used the Oracle Certificate Authority (OCA) included with the Oracle Application Server. OCA will provide the Certificate Authority capabilities to your site and it can issue standard certificates, suitable for the intranet users. If you are planning to use OCA then you should review the license agreements to determine if you are allowed to use it.

 

Oracle 10g/11g Data and Database Management Utilities Master 12 must-use Oracle Database Utilities with this Oracle book and eBook
Published: June 2009
eBook Price: $29.99
Book Price: $49.99
See more
Select your format and quantity:

Storing the Oracle Wallet in the Windows registry

On Windows operating systems the Wallet can either be stored in the file system or in the Windows registry. Storing the Wallet in the registry has several advantages. It creates an additional security layer, allowing transparency for all other users. When a user profile is removed, the Wallet in the profile is also removed. The Wallet is transparent to all other users and when the user logs out, access to the Wallet is automatically precluded.

The supported operations are:

  • Save a Wallet to the registry
  • Open a Wallet from the registry
  • Save as to a different registry location
  • Open Wallet from the file system, save it to the registry, and vice versa
  • Delete a Wallet from the registry

Save Wallet to the registry

In order for you to save a Wallet to the Windows registry, make sure the Use Windows Registry check box is marked; when you command the Wallet to be saved, it will use the Windows registry.

Oracle Wallet Manager

The Wallet will only be available to the user who saved it. At the time to save it, the Wallet will ask the user for a location at the registry to save the Wallet. The user can either specify a location or let the Wallet define a default binary entry at HKEY_CURRENT_USERSOFTWAREORACLEWALLETS. The name of the Windows registry where the Wallet will be stored is ewallet.p12, as you can see in the following image:

Oracle Wallet Manager

Open the Wallet from the registry

Once the Wallet has been saved to the registry, it can be opened from the registry. When asking Wallet manager to open a Wallet, mark the Use Windows Registry check box. This will ask for the registry path where it will look for the Wallet.

Save As to a different registry location

The Wallet can be stored in a different registry location. It is enough to use Save As, providing a different registry path.

Open the Wallet from the registry, save it to the file system and vice versa

If the Wallet currently resides as a regular Wallet on the file system, it can be stored in the Windows registry, just use the Save As menu option and make sure the Use Windows Registry option is marked. If the database currently resides in the Windows registry and you want to save it to the file system, it is enough to use the Save As option with the Use Windows Registry option marked.

Delete the Wallet from the registry

You can get rid of a Wallet that currently resides in the registry by selecting the option Delete from the File menu. This will remove the entry from the registry and will permanently delete the Wallet. You must absolutely make sure this is what you want to do, as this option cannot be rolled back. Deleting a Wallet would mean all the certificates contained in the Wallet will be lost.

Configuring the Wallet location

The client side networking profile file (sqlnet.ora) must be configured to let Oracle know where the Wallet is located, so PKI-based applications know where to look for the Wallet.

Assuming the Wallet was stored in the default location HKEY_CURRENT_USERSOFTWAREORACLEWALLETSDEFAULT, the sqlnet.ora declaration would be:

WALLET_LOCATION = 
(SOURCE =
(METHOD=REG)
(METHOD_DATA =
(KEY=DEFAULT)
)
)

WALLET_LOCATION supports the following sub parameters:

  • SOURCE: Specify the type of storage for Wallets and storage location
  • METHOD: Specify the type of storage
  • METHOD_DATA: Specify the storage location
  • DIRECTORY: Specify the location of Oracle Wallets on file system
  • KEY: Specify the Wallet type and location in the Windows NT registry

This will store the encrypted Wallet in HKEY_CURRENT_USERSOFTWAREORACLEWALLETSDEFAULTewallet.p12 and the obfuscated wallet in HKEY_CURRENT_USERSOFTWAREORACLEWALLETSDEFAULTcwallet.sso.

The previously declared value is the default location, and it is the first path that Oracle will use to look for the obfuscated Wallet if a path has not been explicitly declared.

If no obfuscated Wallet is found there, Oracle PKI applications look for it in the file system of the local computer at: %USERPROFILE%ORACLEWALLETS.

Storing the Wallet in an LDAP server

An LDAP compliant directory can also be used to store and retrieve a Wallet, providing a single point of access. It is more secure than storing it at the client side, as it provides a way to let the manager provide more secure procedures to access the Wallet.

Uploading the Wallet to an LDAP server

Oracle Wallet Manager can store and retrieve certificates to and from a centralized LDAP compliant server. In order for you to be able to store a Wallet, the Wallet must already have a user certificate installed.

The LDAP directory must have been previously configured so the Wallet can be stored there. If the Wallet doesn't have an SSL certificate installed, then password-based authentication will be used to access the Wallet.

You should be aware that there are two passwords to be used in an LDAP/OWM environment, one password is used to access the LDAP server, and a second password is used to access the Oracle Wallet. These passwords are independent and the user should adequately handle them.

In order for you to perform the Wallet upload process, choose Wallet | Upload into the directory service.... Then the dialog box appears asking you first to save the Wallet prior to uploading it.

If at least one certificate has SSL key usage then the Oracle Wallet tries to connect using SSL, otherwise the user will be prompted for a password. It is assumed the Wallet password is the same as that of the directory password.

Downloading the Wallet from LDAP

When asking Oracle Wallet Manager to download a Wallet from the LDAP server, a dialog appears, asking the user for the User DN, directory password, and the connection information to the LDAP server.

Oracle Wallet Manager

Once the Wallet has been downloaded it resides in the OWM's memory, and it needs to be explicitly saved to the file system.

Using certificates for authentication

Using a simple password as a means to authenticate a database user is a weak authentication method. A stronger authentication method can be achieved with certificates, this requires the advanced security to be installed and configured.

Public Key Infrastructure tools

The Oracle database Public Key Infrastructure (PKI) implementation requires:

  • Oracle Advanced Security
  • Oracle Identity Management Infrastructure
  • Oracle Wallet Manager
  • Enterprise Security Manager

The procedure to configure authentication is as follows:

  1. Install the PKI Tools.
  2. Configure SSL on the server side. Store a certificate in the Wallet at the server side.
  3. Configure the network configuration files listener.ora and sqlnet.ora on the server side so it supports SSL.
  4. Configure the client network files, sqlnet.ora and tnsnames.ora so it supports SSL.
  5. Create a user whose authentication is performed with a certificate.

Using the Oracle Wallet to store database credentials

Storing your users' credentials in OS scripts is a common practice when performing batch tasks, but doing so exposes the database users and creates a security breach. The Oracle Wallet can be used to store the user's credentials, so instead of exposing passwords in clear text format in a batch script, those can be safely stored in the client's Wallet without compromising them.

This procedure stores a database user's credentials inside the Wallet. This features uses the auto login feature, so it is not required to provide the Wallet password to access to the user's credentials, the OS file permissions regulate access to the Wallet.

Once the Oracle Wallet has been configured and the database credentials have been stored the user can access the Oracle database from any tool requiring the user to provide access to the database. The access granted to the user will be just like as though the user has provided the password at connect time.

As the database credentials are stored in an area different from the area where the PKI certificates are stored, you cannot use the graphical interface to manage the database user credentials, you must use the mkstore command line utility instead.

There are different options available for the mkstore utility:

  • Listing External Password Store Contents.
      mkstore -wrl <wallet_location> -listCredential
  • Adding Credentials to an External Password Store.
      mkstore -wrl <wallet_location> -createCredential <db_alias> <username> <password>
  • Modifying Credentials in an External Password Store.
      mkstore -wrl <wallet_location> -modifyCredential <dbase_alias> <username> <password>
  • Deleting Credentials from an External Password Store.
      mkstore -wrl <wallet_location> -deleteCredential <db_alias>
  • Oracle Wallet Manager

Using the mkstore utility a Wallet is created at the client side (A).

mkstore -wrl /home/user1/wallet -create

The password being requested is the Wallet's password.

Once the Wallet has been created, using the same mkstore utility, the user's credential is stored inside the Wallet (B).

mkstore -wrl /home/user1/wallet -createCredential scott_secure scott tiger

The createCredential option requires three parameters:

  • The tnsnames entry (SCOTT_SECURE)
  • The database user name (SCOTT)
  • Its database password (TIGER)

The tnsnames entry doesn't need to exist right now.

Next the existence of the credential is confirmed. Using the listCredentail (C) option of the mkstore utility:

mkstore -wrl /home/user1/wallet -listCredential

It shows the existence of one stored credential inside the Wallet that corresponds to the SCOTT user at the database pointed by the SCOTT_SECURE tnsnames entry.

Now there are two files that must be modified at the client side, sqlnet.ora (D) and tnsnames.ora (E), the first one defines where the Wallet resides and the last one defines where the SCOTT_SECURE tnsnames entry is pointing.

WALLET_LOCATION =
(SOURCE =
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY=/home/user1/wallet)
)
)

SQLNET.WALLET_OVERRIDE = TRUE

The WALLET_LOCATION parameter defines the physical location of the Wallet, meanwhile the SQLNET.WALLET_OVERRIDE parameter defines if the values stored inside the Wallet will be used to authenticate the user (TRUE), if the value is set to FALSE then it means that the SSL certificate will be used instead.

Oracle Wallet Manager

The tnsentry found in the tnsnames.ora file (E) is just a regular tnsentry, the name defined here must match the parameter used with the createCredential option of the mkstore command.

SCOTT_SECURE =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = alpha)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = beta)
)
)

And finally, the most interesting part of the procedure, using the credentials stored for the particular tnsentry, a new connection is opened against the database without exposing the database user name and its password (F).

sqlplus /@SCOTT_SECURE

It is then confirmed that the user has successfully opened a database session (G).

SQL> SHOW USER
USER is "SCOTT"

Summary

When security requirements go beyond a simple username and password authentication, then more sophisticated authentication mechanisms are required. This is when certificated authentication comes up. Oracle Wallet Manager and all other CLI related tools are the key elements to maintain and manage authentication information to protect passwords, provide single sign on, enable secure socket layer, store data, and provide encryption mechanisms to cipher communications.

Oracle Wallet Manager is the key element used to provide secure access to the certificates used to authenticate users and enable all other advanced security related features.

Oracle 10g/11g Data and Database Management Utilities Master 12 must-use Oracle Database Utilities with this Oracle book and eBook
Published: June 2009
eBook Price: $29.99
Book Price: $49.99
See more
Select your format and quantity:

About the Author :


Hector R. Madrid

Hector Madrid is currently working as a freelance consultant. He is an Oracle ACE, collaborates with Oracle University as a certified instructor for the DBA and Java curriculum tracks. He is a highly respected Oracle professional with 20 years of experience as a full time DBA. He works with a wide range of DBA requirements from the daily DBA routine duties to tasks related to mission-critical and high availability systems. He was the first Oracle Certified Master in Latin America and he holds the certificate for all Oracle Version starting with 7.0 and up to 11g.

He obtained a Masters Degree in Computer Sciences from the Metropolitan Autonomous University (UAM) and he has presented different technical papers at several Oracle conferences.

Books From Packt

Mastering Oracle Scheduler in Oracle 11g Databases
Mastering Oracle Scheduler in Oracle 11g Databases

Oracle Essbase 9 Implementation Guide
Oracle Essbase 9 Implementation Guide

Oracle Coherence 3.5
Oracle Coherence 3.5

Oracle Warehouse Builder 11g: Getting Started
Oracle Warehouse Builder 11g: Getting Started

Oracle VM Manager 2.1.2
Oracle VM Manager 2.1.2

Oracle SOA Suite Developer's Guide
Oracle SOA Suite Developer's Guide

Oracle Web Services Manager
Oracle Web Services Manager

Oracle Modernization Solutions
Oracle Modernization Solutions

Your rating: None Average: 4 (1 vote)

Post new comment

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
e
C
s
Z
p
R
Enter the code without spaces and pay attention to upper/lower case.
Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Resources
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software