
MaxSpirit - passionate about ICT!

Melle Visser

https://www.maxspirit.nl

Oracle Wallet toolkit

Certificates Posted on Fri, November 02, 2018 16:49:02

Oracle uses the Oracle Wallet to store certificates.
Here are a number of ways to work with it.

Create an Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -pwd "geheim"

Import a Java keystore into an Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./ -pwd "geheim" \
-keystore KEYSTORE.jks -jkspwd "geheim"

Import a P12 keystore into an Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet import_pkcs12 -wallet ./ -pwd "geheim" \
-pkcs12file P12.jks -pkcs12pwd "geheim"

Import a PEM certificate into an Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert ./CERTIFICATE.pem -pwd "geheim"

Enable auto-login for the Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -auto_login -pwd "geheim"

Show what is in the Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet ./ -pwd "geheim"

Oracle Wallet help page

$ORACLE_HOME/oracle_common/bin/orapki help

Oracle PKI Tool : Version 12.2.1.3.0
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

orapki [crl|wallet|cert|help] <-nologo> <-jsafe>
Syntax :
[-option [value]] : mandatory, for example [-wallet [wallet]]
[-option <value>] : optional, but when option is used its value is mandatory.
<option> : optional, for example <-summary>, <-complete>
[option1] | [option2] : option1 'or' option2

$ORACLE_HOME/oracle_common/bin/orapki wallet help

Oracle PKI Tool : Version 12.2.1.3.0
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

wallet:
create [-wallet [wallet]] [[-pwd <pwd>] [-auto_login|-auto_login_local]] | [-auto_login_only] [-with_trust_flags] [-compat_v12]
display [-wallet [wallet]] <-summary|-complete> [-pwd <pwd>]
convert [-wallet [wallet]] [-pwd <pwd>] | [-auto_login_only] [-compat_v12]
change_pwd [-wallet [wallet]] [-oldpwd <oldpwd>] [-newpwd <newpwd>]
enable_trust_flags [-wallet [wallet]] [-pwd <pwd>] | [-auto_login_only] <-untrust_all>
add [-wallet [wallet]] <[-dn [dn]]> <-asym_alg [RSA|ECC]> <[-keysize [512|1024|2048|4096|8192|16384]] |
[-eccurve [p192|p224|p256|p384|p521|k163|k233|k283|k409|k571|b163|b233|b283|b409|b571]]>
<-self_signed [-validity [days]] | [-valid_from [mm/dd/yyyy] -valid_until [mm/dd/yyyy]]
[-serial_file <file_loc>] | [-serial_num <serial_num>]> <-addext_ski>
<-addext_ku digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly>
<-addext_basic_cons [CA] | [-pathLen [pathlen]]]>
<-addext_san [DNS:<value>]>
<[-cert [filename]] [-trusted_cert|-user_cert]> [-pwd <pwd>] | [-auto_login_only]
[-sign_alg <md5|sha1|sha256|sha384|sha512|ecdsasha1|ecdsasha256|ecdsasha384|ecdsasha512>]
<-trust_flags [SERVER_AUTH,CLIENT_AUTH|VALID_PEER|NULL]>
assign_trust_flags [-wallet [wallet]] [-pwd <pwd>] [-trust_flags [SERVER_AUTH,CLIENT_AUTH|VALID_PEER|NULL]]
[-dn [cert_dn]] <-issuer [issuer_dn]> <-serial_num [serial_num]>
remove [-wallet [wallet]] [-dn [subject_dn]] [-issuer_dn [issuer_dn]] [-serial_num <serial_num>]
[-trusted_cert_all|-trusted_cert|-user_cert|-cert_req] [-pwd <pwd>] | [-auto_login_only]
replace [-wallet [wallet]] [-issuer_dn <issuer_dn>] [-serial_num <serial_num>] [-cert [filename]]
[-trusted_cert|-user_cert]> <-trust_flags [SERVER_AUTH,CLIENT_AUTH|VALID_PEER|NULL]> [-pwd <pwd>]
export [-wallet [wallet]] [-dn [dn]] [-cert [filename] | -request [filename]] [-pwd <pwd>]
<-issuer_dn [issuer_dn]> <-serial_num [serial_num]>
export_trust_chain [-wallet [wallet]] [-certchain [filename]] [-dn [user_cert_dn]] [-pwd <pwd>]
<-issuer_dn [issuer_dn]> <-serial_num [serial_num]>
export_private_key [-wallet [wallet]] [-pwd <pwd>] [-pvtkeyfile [filename]] [-alias [pvtkey_alias]] [-pvtkeypwd <pwd>] [-salt salt]
import_private_key [-wallet [wallet]] [-pwd <pwd>] [-alias [pvtkey_alias]] [-pvtkeyfile [filename]] [-pvtkeypwd <pwd>] [-salt salt] [-cert [certfilename]] [-cacert [cacertfilename]]
upload [-wallet [wallet]] [-ldap [host:port]] [-user [user]] [-userpwd [userpwd]] [-pwd <pwd>]
download [-wallet [wallet]] [-ldap [host:nonsslport]] [-user [user]] [-userpwd [userpwd]] [-pwd <pwd>]
jks_to_pkcs12 [-wallet [wallet]] [-pwd <pwd>] [-keystore [keystore]] [-jkspwd [jkspwd]]
<-aliases [alias:alias..]>
pkcs12_to_jks [-wallet [wallet]] [-pwd <pwd>] [-jksKeyStoreLoc <jksKSloc> -jksKeyStorepwd <jksKS_pwd>]
[-jksTrustStoreLoc <loc> -jksTrustStorepwd <pwd>]
p11_add [-wallet [wallet]] [-p11_lib <pkcs11Lib>] [-p11_tokenlabel <tokenLabel>]
[-p11_tokenpw <tokenPassphrase>] [-p11_certlabel <certlabel>] [-pwd <pwd>]
p11_verify [-wallet [wallet]] [-pwd <pwd>]
import_pkcs12 [-wallet <wallet>] [[-pwd <pwd>] | [-auto_login_only]] [-pkcs12file <pkcs12Loc>] [-pkcs12pwd <pkcs12Pwd>]
help



Oracle Wallet

Oracle Posted on Fri, November 02, 2018 13:20:34

For a number of its products, Oracle uses the Oracle Wallet to store certificates.
This post describes a procedure for creating one.

1. Create or request a new certificate

for example:
openssl req \
-new -newkey rsa:2048 -nodes \
-subj "/CN=voor.beeld.nl/O=bedrijf/OU=PO/C=NL/ST=Noord-Holland/L=Amsterdam" \
-keyout KEY_voor_beeld_nl.pem -out CSR_voor_beeld_nl.pem

Request a certificate and collect the intermediate and root certificates.
Then build a p12 keystore from them.

openssl pkcs12 -export -out CERT_voor_beeld_nl.p12 \
-inkey KEY_voor_beeld_nl.pem \
-in CERT_voor_beeld_nl.pem \
-certfile CARootIntermediates.pem

2. Convert the p12 format to Java keystore format

$JAVA_HOME/jre/bin/keytool -v -importkeystore \
-srckeystore CERT_voor_beeld_nl.p12 -srcstoretype PKCS12 -srcstorepass geheim \
-destkeystore CERT_voor_beeld_nl.jks -deststoretype JKS -deststorepass geheim

3. Create an Oracle Wallet

$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -pwd "geheim"

4. Import the Java keystore into the Oracle Wallet

$ORACLE_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./ -pwd "geheim" \
-keystore CERT_voor_beeld_nl.jks -jkspwd "geheim"

5. Enable auto_login on the Oracle Wallet for the Oracle Webtier

$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -auto_login

The Oracle Wallet is ready.
There are now 2 files in the directory:
ewallet.p12 – this is the Oracle Wallet
cwallet.sso – this is the Oracle Wallet with auto-login

For use in the Oracle Webtier, copy cwallet.sso to the desired location.
This is the directory configured under SSLWallet in the Webtier config file.

For example:
<IfModule ossl_module>
SSLEngine on
SSLVerifyClient None
SSLCRLCheck Off
SSLWallet "/u01/oracle/certificates"
# SSL Protocol Support: Configure usable SSL/TLS protocol versions.
SSLProtocol ALL
# SSL Cipher Suite: List the ciphers that the client is permitted to negotiate.
SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA
</IfModule>
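As an added example (not from the original post), a POSIX shell script with the checks I would run around steps 1 and 5 of this procedure and the orapki commands in the previous post: key/certificate match, chain validation and expiry before building the p12, and the file mode of the auto-login cwallet.sso after copying it to the SSLWallet directory. It assumes openssl is on the PATH; all file names are placeholders in the post's own style.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks around the
# procedure above. Assumes openssl on PATH; all file names are placeholders
# in the post's own style (KEY_voor_beeld_nl.pem, cwallet.sso, ...).

# Step 1: does the private key belong to the certificate? Compares the
# SubjectPublicKeyInfo taken from each file (works for RSA and EC keys).
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ]
}

# Step 1: does the collected CARootIntermediates.pem really validate the
# server certificate, and does it stay valid for at least $3 days (default
# 30)? A broken chain otherwise only shows up as handshake failures once
# the wallet is already in the Webtier.
chain_is_valid() {
  days=${3:-30}
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

# Step 5: cwallet.sso is an auto-login wallet, so no password protects the
# private key inside it; the file mode is the only access control.
wallet_mode_ok() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# preflight KEY CERT CHAIN WALLET [DAYS]: run all checks and stop with a
# reason before any orapki command is issued.
preflight() {
  key_matches_cert "$1" "$2" ||
    { echo "private key does not match certificate" >&2; return 1; }
  chain_is_valid "$2" "$3" "${5:-30}" ||
    { echo "chain does not verify, or certificate expires soon" >&2; return 1; }
  if [ -f "$4" ]; then
    wallet_mode_ok "$4" ||
      { echo "$4 is readable by others; use chmod 600" >&2; return 1; }
  fi
}

# Example invocation with the post's file names (wallet path as in the
# SSLWallet directive above):
# preflight KEY_voor_beeld_nl.pem CERT_voor_beeld_nl.pem CARootIntermediates.pem \
#   /u01/oracle/certificates/cwallet.sso
```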