Oracle wallet implementation sanity check

We're taking the plunge into TDE with the ASO and cutover will be coming up soon. I'm going through my backup and recovery testing and in doing so started to think of all the "gotchas" that might come up because once you've turned that key and encrypted your database, there's no looking back. One of the thoughts that popped into my mind was if the following is a true statement: once a wallet is created, the password/key/etc DOES NOT EXPIRE. We're using the wallet for our RAC db for TDE encryption, and a second, separate wallet at the grid/clusterware level to overcome the TNS Poisoning bug revealed last April. We are not using any kind of hardware key management.
I would hate to get these all installed and one day find out my data had closed or instances couldn't register because something had expired. Everything I've read indicates this doesn't occur, but before go-live, I thought I'd ask the community to make sure I was interpreting and understanding things correctly, and that I hadn't missed a detail. I understand I can reset the keys if I want to, though this is discouraged for reasons in the documentation. The passphrase used to create the wallets is kept in a safe place as well.

Wallets are external files - not database objects. As such, you cannot drop a wallet via a SQL command.
You would need to step outside Oracle and into the file system to remove the physical wallet file.
Why would you want to do this anyway from inside Oracle? Wallets contain credentials and form an important part of robust security - ad hoc deletes (or creates) of wallets are not exactly a sound approach in my view.

Similar Messages

  • Issues with using utl_http with Oracle Wallet

    Hello Everyone,
    We are experimenting with Oracle wallet and utl_http and are attempting to do an https transfer and we are facing some problems. I will appreciate your help greatly if you can advise on what could be wrong. We are on db version 10.2.0.1 and Unix HP-UX. The intention is to ping an https url and get a simple 200 response. Future development would include get/post XML documents from that url and other interesting stuff. I understand that utl_http with Oracle wallet can be used for this purpose.
    The wallet has been created and the ewallet.p12 exists. We downloaded the SSL certificate from the url's website and uploaded into the wallet.
    Everything works if I put in a url with plain http. However, it does not work with an HTTP*S* url.
    With HTTPS when I run the below code I get the following error. Again, greatly appreciate your time and help because this is the first time we are using Oracle wallet manager and do not know where to go from here.
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1029
    ORA-29268: HTTP client error

    declare
      url       varchar2(225);
      req       utl_http.req;
      resp      utl_http.resp;
      my_proxy  BOOLEAN;
      name      varchar2(2000);
      value     varchar2(2000);
      V_proxy   VARCHAR2(2000);
      v_n_proxy varchar2(2000);
      v_msg     varchar2(100);
      v_len     PLS_INTEGER := 1000;
    BEGIN
      -- Turn off checking of status code.
      utl_http.set_response_error_check(FALSE);
      -- Set proxy server
      utl_http.set_proxy('my-proxy');
      utl_http.set_wallet('file:<full Unix path to the wallet on DB server>', 'wallet998');
      req := utl_http.begin_request('https://service.ariba.com/service/transaction/cxml.asp');
      -- Set proxy authentication
      utl_http.set_authentication(req, 'myproxyid', 'myproxypswd', 'Basic', TRUE); -- Use HTTP Basic
      resp := utl_http.get_response(req);
      FOR i IN 1..utl_http.get_header_count(resp) LOOP
        utl_http.get_header(resp, i, name, value);
        dbms_output.put_line(name || ': ' || value);
      END LOOP;
      utl_http.end_response(resp);
    exception
      when others then
        dbms_output.put_line(sqlerrm);
    END;

    I tried this using plsql ...
    declare
      SOAP_URL constant varchar2(1000) := 'http://125.21.166.27/cordys/com.eibus.web.soap.Gateway.wcp?organization=o=WIPRO,cn=cordys,o=itgi.co.in';
      request  UTL_HTTP.req;
    begin
      dbms_output.put_line('Begin Request');
      request := UTL_HTTP.begin_request(SOAP_URL, 'POST', UTL_HTTP.HTTP_VERSION_1_1);
      dbms_output.put_line('After Request');
    exception
      when others then
        dbms_output.put_line('Error : ' || sqlerrm);
    end;
    The output was ...
    Begin Request
    Error : ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1029
    ORA-12535: TNS:operation timed out
    It seems to be an issue with the webservice, please check if it's available & allowing requests.

  • Oracle Wallet Manager won't allow me to create a certificate request

    Hello,
    I am trying to setup my installation with SSL, I am trying to create a certificate request on Oracle Wallet Manager and I keep getting this error:
    "Could not create certificate request. Please check user information"
    I am entering the following information:
    Common Name: portal.grupoalsea.com.mx
    Organizational Unit: Desarrollo
    Organization: Sistema Integral de Administracion, S.A. de C.V.
    Locality/City: Distrito Federal
    State/Province: Mexico
    Country: Mexico
    Key Size: 1024 bits
    Why could this be happening? Does Oracle Wallet Manager go and look for my info some place? Common Name is the name for my site on WebCache, which is in turn mapped to the HTTP Server called Mservicio.localdomain.
    At this point, I have also tried setting the Common Name to other values, like the name of my HTTP Server, the name of my HTTP server without the "localdomain", but I still get the same message.
    Any help will be really appreciated!!!!

    The problem was due to a bug that won't allow commas to be entered in the Organization Name. All we needed to do was remove the comma from the Organization name and the certificate was correctly created.

  • Oracle Wallet and XE

    I believe this topic has been discussed quite a bit in the past on this forum. Essentially I would like to be able to utilize utl_http to access an external website using https. Doing research on this, I've come to find out that:
    a. You need to use Oracle Wallet Manager to import trusted certificates from these sites.
    b. Oracle Wallet Manager is part of Oracle Advanced Security Module
    c. Oracle Advanced Security Module is only applicable to Enterprise Edition Database.
    d. The 'owm' binary does not come packaged with Oracle XE.
    In my search, I also came across the following in the official Oracle Database Licensing Information document (http://download-west.oracle.com/docs/cd/B19306_01/license.102/b14199/editions.htm)
    Oracle Wallet
    Oracle Wallet is a password-protected container used to store authentication and signing credentials, including passwords, private keys, certificates, trusted certificates, and TDE master keys. Oracle Wallet Manager is an application that wallet owners can use to manage and edit the security credentials in their Oracle wallets. Oracle Wallets can be deployed on clients, middle tiers, and database servers free of charge. However, the following features that use an Oracle Wallet in turn require licensing of the Oracle Advanced Security Option: PKI credentials and transparent data encryption master keys. Oracle Advanced Security option is not required when configuring wallets to secure communication between the Oracle Database and Oracle Internet Directory.
    Based on this description, my intended use of Oracle Wallet would not require the Oracle Advanced Security option as I just want to store certificates of those sites I'm accessing via https.
    Does this mean that I could fire up owm on another database server, create the file and then use it in my XE application? Or does it mean that because I'm running XE and because owm did not come with the distribution, I have no right to utilize the functionality?
    Thanks in advance for any input.

    The T in TDE stands for transparent, so your application shouldn't need to even be aware that any columns or tablespaces are encrypted. TDE is generally implemented in systems that were never designed to encrypt the data, so in theory it should be "perfectly safe" to develop unencrypted and have the client encrypt the columns during installation.
    Of course, when marketing folks start talking about things that are "perfectly safe", that's always a sign of danger ahead. Even though I've never heard of a case where encrypting a column caused a problem for an application, I would be very dubious of doing development in an environment different than production. That includes the exact version of the database (I assume the client has installed the latest patchsets, so they're running 10.2.0.4, for example) as well as the edition. If you decide to rely on the fact that everything should go smoothly when you promote to a different version of a different edition of the database with a different schema definition, even though it normally should, you're pretty much guaranteeing that you will end up with a problem that will be a pain to resolve.
    In your case, I wouldn't use XE for development. It would be much safer to develop against the personal edition. That isn't free, but that is the enterprise edition of the database licensed to be run on developer machines. It isn't free, but it's way less than an enterprise edition license.
    Justin

  • Db sanity check

    Hi All,
    I would like to develop sanity check script for our product Oracle Db.
    It should be put on crontab, worked periodically.
    How can I retrieve the elapsed time of a simple pl/sql query (for example how many connections and users)? Is it possible to achieve this goal by using UNIX scripts (perl, bash etc.) and a specific pl/sql statement, or do I have to write an application with java or C?

    Bash and Sql can be used for that, but you should clarify a bit more what you want to do. Here a small example :
    $ cat users.sql
    col username for a20
    select sid, serial#, username, to_char(logon_time,'dd/mm/yyyy hh24:mi:ss') logon_time,
            to_number(sysdate - logon_time)*1440 elapsed_minutes
    from v$session
    where username is not null
    order by username, logon_time
    /
    exit
    $ sqlplus -s / as sysdba @users
           SID    SERIAL# USERNAME             LOGON_TIME          ELAPSED_MINUTES
           144         38 SCOTT                02/04/2006 15:18:10      21.6666667
           142         14 SCOTT                02/04/2006 15:28:41           11.15
           143        105 SYS                  02/04/2006 15:39:50               0
           159        113 TEST                 02/04/2006 15:18:43      21.1166667
    $

  • Database connectivity requiring oracle wallet, tnsnames.ora, and sqlnet.ora

    We have a new datasource that I need to write a report against. In order to access the db, I have to install an Oracle wallet on my pc that contains a certificate. I then have an entry in the sqlnet.ora file that references this wallet, and I have an entry in my tnsnames file. I wrote a report successfully on my pc. We then have our Business Objects installation on a Sun Solaris machine with Unix. We installed the wallet, added the sqlnet.ora entry, and the tnsnames.ora entry. I am able to connect to the db from the unix command prompt by typing sqlplus username@dbname successfully. However, when I place my Crystal Report in Bus. Obj. I cannot get it to work. I go to the CMC, select the report, choose Process, Database. I am entering Use custom database logon info and choosing Oracle as my database driver. I then enter the tnsnames entry into the server and enter my username and password and check the use same database logon as when report is run. I get the error The database logon information for this report is either incomplete or incorrect. I'm guessing the report is not using the certificate in the wallet when it is trying to log on, but I'm not sure. Does anyone have any suggestions or experience with this? Thanks in advance for any help.

    Hi Angie,
    you should install the 32bit Oracle driver on your Solaris machine and adjust the LD_LIBRARY_PATH environment variable (in the profile of the BOBJ installation user) to point to the path of the 32bit libraries of your Oracle driver.
    BOBJ is not a native 64bit software and can therefore work only with the 32bit versions of the database drivers.
    Regards,
    Stratos
    Edited by: Efstratios Karaivazoglou on Jul 15, 2009 4:49 PM

  • Glibc 2.19 & find: sanity check of the fnmatch() library function fail

    Since yesterday's update to glibc 2.19, find doesn't like searches by name. The update threw a whole lot of segmentation faults
    [2014-02-12 15:06] [PACMAN] Running 'pacman --color auto -Sy'
    [2014-02-12 15:06] [PACMAN] synchronizing package lists
    [2014-02-12 15:07] [PACMAN] Running 'pacman --color auto -S -u'
    [2014-02-12 15:07] [PACMAN] starting full system upgrade
    [2014-02-12 15:08] [PACMAN] upgraded apr-util (1.5.3-1 -> 1.5.3-2)
    [2014-02-12 15:08] [PACMAN] upgraded linux-api-headers (3.12.4-1 -> 3.13.2-1)
    [2014-02-12 15:08] [ALPM] warning: /etc/locale.gen installed as /etc/locale.gen.pacnew
    [2014-02-12 15:08] [ALPM-SCRIPTLET] Generating locales...
    [2014-02-12 15:08] [ALPM-SCRIPTLET] de_DE.UTF-8
    [2014-02-12 15:08] [ALPM-SCRIPTLET] en_US.UTF-8
    [2014-02-12 15:08] [ALPM-SCRIPTLET] Generation complete.
    [2014-02-12 15:08] [PACMAN] upgraded glibc (2.18-12 -> 2.19-1)
    [2014-02-12 15:08] [PACMAN] upgraded binutils (2.24-1 -> 2.24-2)
    [2014-02-12 15:08] [PACMAN] upgraded gcc-libs (4.8.2-7 -> 4.8.2-8)
    [2014-02-12 15:08] [PACMAN] upgraded elfutils (0.157-1 -> 0.158-1)
    [2014-02-12 15:08] [PACMAN] upgraded gcc (4.8.2-7 -> 4.8.2-8)
    [2014-02-12 15:08] [PACMAN] upgraded shared-mime-info (1.2-1 -> 1.2-2)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_Zt9oRn/.INSTALL: line 1: 10554 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded kdelibs (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kdegraphics-mobipocket (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded nepomuk-core (4.12.1-2 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kactivities (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kde-base-artwork (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded oxygen-icons (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_lNExqJ/.INSTALL: line 1: 10562 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded kdebase-runtime (4.12.1-3 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kdebase-lib (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded nepomuk-widgets (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kdebase-dolphin (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kdebase-konsole (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kdebase-plasma (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_jc0NOD/.INSTALL: line 1: 10571 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded kdepim-runtime (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [ALPM] warning: /usr/share/config/kdm/kdmrc installed as /usr/share/config/kdm/kdmrc.pacnew
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_9emqkf/.INSTALL: line 10: 10582 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded kdebase-workspace (4.11.6-1 -> 4.11.6-2)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_HVYliW/.INSTALL: line 1: 10587 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded libkipi (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_JMyH2D/.INSTALL: line 1: 10591 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded kdegraphics-gwenview (4.12.1-2 -> 4.12.2-1)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_BOmkIm/.INSTALL: line 1: 10595 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded kdegraphics-kcolorchooser (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_V9lYA5/.INSTALL: line 1: 10598 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded kdegraphics-ksnapshot (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded libkexiv2 (4.12.1-2 -> 4.12.2-1)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_NKbRqP/.INSTALL: line 1: 10602 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded kdegraphics-okular (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_1CccYz/.INSTALL: line 1: 10606 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded libkdcraw (4.12.1-2 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kdegraphics-thumbnailers (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kdemultimedia-ffmpegthumbs (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_PRYdSk/.INSTALL: line 1: 10609 Segmentation fault (core dumped) xdg-icon-resource forceupdate --theme hicolor &>/dev/null
    [2014-02-12 15:08] [PACMAN] upgraded kdemultimedia-kmix (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kdemultimedia-mplayerthumbs (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kdepimlibs (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded kdeutils-ark (4.12.1-1 -> 4.12.2-1)
    [2014-02-12 15:08] [PACMAN] upgraded lib32-elfutils (0.157-1 -> 0.158-1)
    [2014-02-12 15:08] [PACMAN] upgraded lib32-glibc (2.18-12 -> 2.19-1)
    [2014-02-12 15:08] [PACMAN] upgraded lib32-gcc-libs (4.8.2-7 -> 4.8.2-8)
    [2014-02-12 15:08] [PACMAN] upgraded libsasl (2.1.26-6 -> 2.1.26-7)
    [2014-02-12 15:08] [PACMAN] upgraded mpd (0.18.7-1 -> 0.18.8-1)
    [2014-02-12 15:08] [PACMAN] upgraded nginx (1.4.4-2 -> 1.4.5-1)
    [2014-02-12 15:08] [PACMAN] upgraded openjpeg (1.5.1-1 -> 1.5.1-2)
    [2014-02-12 15:08] [PACMAN] upgraded pam (1.1.8-2 -> 1.1.8-3)
    [2014-02-12 15:08] [PACMAN] upgraded python2-numpy (1.8.0-1 -> 1.8.0-2)
    [2014-02-12 15:08] [PACMAN] upgraded redland (1:1.0.17-1 -> 1:1.0.17-2)
    [2014-02-12 15:08] [PACMAN] upgraded s-nail (14.5.2-3 -> 14.5.2-4)
    [2014-02-12 15:08] [PACMAN] upgraded sudo (1.8.9.p4-1 -> 1.8.9.p5-1)
    [2014-02-12 15:08] [PACMAN] upgraded systemd (208-10 -> 208-11)
    [2014-02-12 15:08] [PACMAN] upgraded systemd-sysvcompat (208-10 -> 208-11)
    [2014-02-12 15:08] [ALPM-SCRIPTLET] /tmp/alpm_7YRIvT/.INSTALL: line 10: 10659 Segmentation fault (core dumped) mkfontdir usr/share/fonts/local
    [2014-02-12 15:08] [PACMAN] upgraded terminus-font (4.38-3 -> 4.38-4)
    [2014-02-12 15:08] [PACMAN] upgraded vim-systemd (20130410-1 -> 20140209-1)
    [2014-02-12 15:08] [PACMAN] upgraded whois (5.1.0-1 -> 5.1.1-1)
    [2014-02-12 15:08] [PACMAN] upgraded xdg-utils (1.1.0.git20140109-1 -> 1.1.0.git20140207-1)
    [2014-02-12 15:08] [PACMAN] upgraded xf86-video-intel (2.99.909-2 -> 2.99.910-1)
    After that nearly all applications segfaulted but somehow everything works again. Except for find (which I only recognized after mkinitcpio destroyed my initramfs......):
    # find -name \*.pkg.tar.xz
    find: sanity check of the fnmatch() library function failed.
    Regex, type and all other operators work as expected:
    # find -regex '.*\.pkg\.tar\.xz'
    ./gcc-4.8.2-7-x86_64.pkg.tar.xz
    ./binutils-2.24-1-x86_64.pkg.tar.xz
    ./glibc-2.18-12-x86_64.pkg.tar.xz
    ./gcc-libs-4.8.2-7-x86_64.pkg.tar.xz
    # find -type d
    # pacman -Q findutils glibc
    findutils 4.4.2-5
    glibc 2.19-1
    First I suspected it to be a locale issue, but everything seems to be fine:
    # diff -u0 {,/}etc/locale.gen
    --- etc/locale.gen 2014-02-07 23:56:45.000000000 +0100
    +++ /etc/locale.gen 2014-02-12 19:43:03.037279970 +0100
    @@ -124 +124 @@
    -#de_DE.UTF-8 UTF-8
    +de_DE.UTF-8 UTF-8
    @@ -161 +161 @@
    -#en_US.UTF-8 UTF-8
    +en_US.UTF-8 UTF-8
    # locale-gen
    Generating locales...
    de_DE.UTF-8
    en_US.UTF-8
    Generation complete.
    Downgrading to glibc 2.18-12 solved the problem for now...
    # pacman -U --noprogressbar --noconfirm *
    loading packages...
    warning: downgrading package binutils (2.24-2 => 2.24-1)
    warning: downgrading package gcc (4.8.2-8 => 4.8.2-7)
    warning: downgrading package gcc-libs (4.8.2-8 => 4.8.2-7)
    warning: downgrading package glibc (2.19-1 => 2.18-12)
    resolving dependencies...
    looking for inter-conflicts...
    Packages (4): binutils-2.24-1 gcc-4.8.2-7 gcc-libs-4.8.2-7 glibc-2.18-12
    Total Installed Size: 134.89 MiB
    Net Upgrade Size: -0.42 MiB
    :: Proceed with installation? [Y/n]
    checking keyring...
    checking package integrity...
    loading package files...
    checking for file conflicts...
    checking available disk space...
    downgrading glibc...
    warning: /etc/locale.gen installed as /etc/locale.gen.pacnew
    downgrading binutils...
    downgrading gcc-libs...
    downgrading gcc...
    # find -name \*.pkg.tar.xz
    ./gcc-4.8.2-7-x86_64.pkg.tar.xz
    ./binutils-2.24-1-x86_64.pkg.tar.xz
    ./glibc-2.18-12-x86_64.pkg.tar.xz
    ./gcc-libs-4.8.2-7-x86_64.pkg.tar.xz
    According to the findutils manual one should file a bug report for this message, but I don't think they expect glibc to be the buggy implementation of fnmatch that looks enough like the GNU version to fool configure, but which doesn't work properly.
    Does anybody experience similar problems? Does anybody have suggestions how to solve this?
    Last edited by auti (2014-02-13 22:14:12)

    I've regenerated the locales multiple times but only the upgrade to findutils 4.5.12 worked.
    glibc 2.19-2 works with the current findutils.
    But if a corrupt locale archive file caused this, why didn't findutils 4.5.12 complain about this?
    Anyhow: It works, I'm happy; thanks for your effort, Allan!

  • Oracle Wallet Manager Issue

    Hi,
    We are having a problem in importing user certificate using oracle wallet manager.
    While adding a new certificate request, we gave the domain name as abacus.ofda.gov to generate the key but we are doing this on a different machine laharguard.ofda.gov.
    Can we do this? If so how can I achieve this?
    Thanks

    Hi,
    For the error you are getting, please check below points -
    1. CA (Certificate Signer) certificate is there under trusted certificate list. If it is not, then first import the CA cert (with complete chain, if any) and then try to import the user cert.
    2. User cert should be imported in the same wallet where CSR (Certificate Signing Request) is saved.
    3. Certificate is valid in terms of its date of expiry.
    Remember, process of getting a server cert is below -
    1. Generate a CSR and save it in a wallet.
    2. Export the CSR from the wallet and send it to CA for signing.
    3. Import the signed user cert in the same wallet after importing its CA cert in this wallet (CA cert should be imported as Trusted Cert)
    It is recommended to generate CSR at the same server where it will be used. In case server machine changes, please get a new cert for that otherwise it may cause problems during authentication.
    Regards,
    Anuj
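
The three checks in the answer above can be run against the files before the import is attempted. This is an added example, not part of the original thread: it uses the openssl command line (an assumption, the thread itself only uses Oracle Wallet Manager), and the function names, status words and throwaway test CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import checks for a signed user certificate.
# Inputs are PEM files: the CSR exported from the wallet, the signed
# certificate returned by the CA, and the CA certificate (or chain).

# 0 if the certificate carries the same public key as the CSR, i.e. it
# belongs in the wallet that CSR was generated in and in no other.
cert_matches_csr() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$csr_pub" = "$crt_pub" ]
}

# 0 if the certificate is still valid $2 seconds from now (default: now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 if the certificate verifies against the CA file that will be imported
# as trusted certificate(s).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# $1 = CSR, $2 = signed cert, $3 = CA file, $4 = required remaining seconds.
# Validity is tested before the chain because chain verification also fails
# on an expired certificate and would hide the real reason.
precheck_user_cert() {
    cert_matches_csr "$1" "$2"    || { echo "WRONG_WALLET"; return 1; }
    cert_valid_for "$2" "${4:-0}" || { echo "EXPIRED_OR_EXPIRING"; return 2; }
    cert_chains_to_ca "$3" "$2"   || { echo "CHAIN_NOT_VERIFIED"; return 3; }
    echo "READY_TO_IMPORT"
}

# Constructed fixture (throwaway keys, not real data): a test CA, a CSR and
# a certificate signed for that CSR, valid for one day, written into $1.
make_fixture() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Constructed Test CA" -days 1 >/dev/null 2>&1 || exit 1
    openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
        -subj "/CN=wallet.example.test" >/dev/null 2>&1 || exit 1
    openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out srv.crt -days 1 >/dev/null 2>&1
)

# Runs the checks on the constructed fixture and removes it again.
demo() (
    d=$(mktemp -d) || exit 1
    make_fixture "$d" &&
        precheck_user_cert "$d/srv.csr" "$d/srv.crt" "$d/ca.crt" && rc=0 || rc=$?
    rm -rf "$d"
    exit "$rc"
)

# Usage: sh precheck.sh request.csr signed.crt ca.crt [seconds]
# With fewer than three arguments the constructed demo runs instead.
if [ "$#" -ge 3 ]; then precheck_user_cert "$@"; else demo; fi
```

Passing 2592000 as the fourth argument also rejects a certificate that expires within the next 30 days.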

  • How to load the ssl certificate to oracle wallet

    I have oracle 10.2.0.3 on Unix.
    I have an oracle wallet created. I need to load ssl certificate to the oracle wallet. I have CA certificate and server related certificate. In owm interface, there is Certificate:(Empty) and Trusted Certificates. Does anybody know where my certificate should go, Certification:(Empty) or Trusted Certificates? By the way my certificate is from Verisign.
    Thanks a lot!

    Hi
    Thanks. I have added my LDAP certificate to Oracle wallet.
    Now my doubt is :
    Before adding this cert to my wallet, I have tried to connect my application through SSL, and I am able to connect.
    I have used DBMS_LDAP.open_SSL function for connecting.
    Before adding the new cert my wallet contains :
    ewallet.p12
    cwallet.sso
    GeoTrust.cer
    Equifaxb64.cer
    After adding the new cert also I am able to connect through ssl. My concern is, how can we figure out whether the ldap package is checking my cert or not?
    How does DBMS_LDAP.open_SSL work?
    Could anyone help me out to solve the issue?
    Thanks,
    San

  • Oracle Wallet Issue

    Good Afternoon,
    Well once again they have me trying to figure out some more oracle issues. To make a long story short, one of the servers that we have which is on a separate network, I had to create an oracle wallet to connect our database on the server over an SSL port going out to our dev database. I was able to successfully set this up using the wallet manager and connect to the database.
    The reason we are doing this is because we have some DBlinks setup and we are trying to pull data from another schema. Well I had to create another oracle wallet on another server to go to our test database but this time this network has some pretty tight security, firewall on the switch, ACL’s on some other hardware.
    At first we had to get one of the network guys to open up the port to the database because when we performed a tnsping, we were not getting a response. After the change we got a successful response, and I started creating the other wallet. All was successful and I modified the sqlnet.ora file similar to the other server. I log in to the database with the schema owner that we have on the one database and I perform a simple select statement to pull data back from the other database using the DBlink. My issue is that I am getting “ Error:ORA_28759:Failed to open file”. The sqlnet.ora points to the correct wallet and auto-login is enabled.
    I am wondering if there is another port or socket that the oracle wallet or DBlinks uses that the network could possibly be blocking. We have no DBA so pretty much we are stuck on trying to figure this out.
    Sorry for the long post.

    ORA-28759: Failure to Open File
    Cause: The system could not open the specified file. Typically, this error occurs because the wallet cannot be found.
    Action: Check the following:
    • Ensure that the correct wallet location is specified in the sqlnet.ora file. This should be the same directory location where you saved the wallet.
    • Enable Oracle Net tracing to determine the name of the file that cannot be opened and the reason.
    • Ensure that auto login was enabled when you saved the wallet.
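
The first and third checks in the answer above can be scripted on the machine that opens the wallet. This is an added example, not part of the original thread: it reads the wallet directory from sqlnet.ora and confirms that the auto-login file (cwallet.sso) is present and readable. The function names, status words, exit codes and the permission warning are assumptions of this example; run it as the OS user that owns the Oracle processes.

```shell
#!/bin/sh
# Added example: pre-flight check for ORA-28759 ("failure to open file").

# Print the DIRECTORY of a wallet parameter in sqlnet.ora.
# $1 = sqlnet.ora path, $2 = parameter name (default WALLET_LOCATION).
wallet_dir_from_sqlnet() {
    awk -v param="${2:-WALLET_LOCATION}" '
        /^[ \t]*#/ { next }                    # commented-out entries do not count
        { gsub(/\r/, ""); buf = buf " " $0 }   # an entry may span several lines
        END {
            up = toupper(buf)
            # Whole-word match: WALLET_LOCATION must not hit ENCRYPTION_WALLET_LOCATION.
            if (!match(up, "[^A-Z0-9_.]" toupper(param) "[ \t]*=")) exit 1
            depth = 0; val = ""
            # Collect the balanced parenthesised value of this parameter only.
            for (pos = RSTART + RLENGTH; pos <= length(buf); pos++) {
                c = substr(buf, pos, 1)
                if (c == "(") depth++
                if (depth > 0) val = val c
                if (c == ")" && depth > 0 && --depth == 0) break
            }
            if (depth != 0 || !match(toupper(val), "DIRECTORY[ \t]*=[ \t]*")) exit 1
            dir = substr(val, RSTART + RLENGTH)
            sub(/[ \t]*\).*/, "", dir)         # value ends at the closing parenthesis
            gsub(/^"|"$/, "", dir)
            if (dir == "") exit 1
            print dir
        }' "$1"
}

# Exit codes: 0 OK, 1 sqlnet.ora unreadable, 2 no wallet directory configured,
# 3 directory missing or not searchable, 4 no wallet files, 5 no auto-login file.
check_wallet() (
    [ -r "$1" ] || { echo "SQLNET_UNREADABLE $1"; exit 1; }
    dir=$(wallet_dir_from_sqlnet "$1" "${2:-WALLET_LOCATION}") ||
        { echo "NO_WALLET_DIRECTORY"; exit 2; }
    [ -d "$dir" ] && [ -x "$dir" ] || { echo "DIR_MISSING $dir"; exit 3; }
    [ -f "$dir/ewallet.p12" ] || [ -f "$dir/cwallet.sso" ] ||
        { echo "NO_WALLET_FILES $dir"; exit 4; }
    # cwallet.sso is what lets Oracle open the wallet without a password.
    [ -r "$dir/cwallet.sso" ] || { echo "NO_AUTO_LOGIN $dir"; exit 5; }
    for f in "$dir/ewallet.p12" "$dir/cwallet.sso"; do
        [ -f "$f" ] || continue
        # An auto-login wallet is protected only by file permissions: warn
        # when any "other" permission bit is set.
        [ "$(ls -ld "$f" | cut -c8-10)" = "---" ] || echo "WARN_PERMS $f"
    done
    echo "OK $dir"
)

# Constructed demo: a throwaway wallet directory and sqlnet.ora (not real data).
demo() (
    t=$(mktemp -d) || exit 1
    mkdir "$t/wallet" && : > "$t/wallet/cwallet.sso" && chmod 600 "$t/wallet/cwallet.sso"
    printf '%s\n' '# constructed sample' \
        'WALLET_LOCATION = (SOURCE = (METHOD = FILE)' \
        "  (METHOD_DATA = (DIRECTORY = $t/wallet)))" > "$t/sqlnet.ora"
    check_wallet "$t/sqlnet.ora" && rc=0 || rc=$?
    rm -rf "$t"
    exit "$rc"
)

# Usage: sh wallet_check.sh /path/to/sqlnet.ora [PARAMETER]
# With no argument the constructed demo runs instead.
if [ "$#" -gt 0 ]; then check_wallet "$@"; else demo; fi
```

A status other than OK narrows down which of the listed causes applies before Oracle Net tracing is switched on.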

  • Oracle Wallet question

    I have an interesting situation. I need a way to basically take a pre-existing SSL certificate and ram it down the throat of an Oracle Wallet as we run a wildcard certificate for our domain and there will not be a matching certificate request for each server. I have the certificate in an already existing JKS but I have components in my domain that require wallets. In 10 IAS there was a tool that would allow me to basically build the wallet in a way that would let me totally bypass any kind of checks that would stop me from doing just this but I have yet to find a way to do so in the 11g environment. Can anyone provide any tips?
    I still have my 10gR2 OID wallet but when following the metalink (309627.1) tip for moving them, the password still gets mangled after it is copied to my other servers and OWM is unable to access them.
    I am not sure if this is the best place to ask this question but it seemed ok as this deals specifically with Oracle Wallets and not any particular product.

    David
    This seems to cover your questions :
    "Configuring Wallet Manager to enable HTTPS connect with Oracle 11g database"
    http://oraclepoint.com/oralife/2010/10/08/configuring-wallet-manager-to-enable-https-connect-with-oracle-11g-database/
    Best Regards
    mseberg
    My own rough notes are : ( I already had the ACL for Oracle setup )
    Step 1
    create the needed file
    vi newwallet.crt
    And insert the cert information into it.
    Watch out for white space left by vi
    Step 2
    As root under /etc create the folder ORACLE
    As root under /etc create the folder WALLETS
    Set the owner as follows
    chown -R oracle.oinstall /etc/ORACLE
    ( You can put this where it makes the most sense on your system )
    Step 3
    Try to create a new Wallet using owm
    If the wallet exists owm will bark.
    If owm asks you if you want to create a certificate click no.
    If you created a new Wallet make sure to save it in owm.
    Step 4
    Select "Import Trusted Certificate" in owm.
    Pick the file you saved before, you should get "The trusted certificate has been successfully imported"
    Step 5
    Add the following to the sqlnet.ora file on the server:
    WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = %PATH_TO_WALLET%)))
    Note: adding extra lines like #SQLNET.WALLET_OVERRIDE = TRUE will override everything and your database will not connect!!!
    What was added
    WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/oracle)))
    Step 6
    Restart Listener
    Step 7
    Try to create a SELECT utl_http.request from dual and use it to check.
    Sorry, my example is worthless to you.
    But this may help
    Configuring Wallet Manager To Enable HTTPS Connections Via UTL_HTTP.REQUEST [ID 169768.1]
    Edited by: mseberg on Aug 1, 2011 3:10 PM

  • Is it possible to use openssl csr for oracle Wallet Manager?

    Hi,
    I have used openssl to create csr instead of using oracle Wallet Manager. I need to use certificate for OAS. I have sent csr to RapidSSL.com and they sent me the certificate with a fee. Now I realize that it was a mistake and I should create the csr from Oracle Wallet Manager and send it to RapidSSL.com and import the user certificate to owm then no problem. My questions are the following:
    1-     Can I use csr that generated from openssl to owm?
    2-     Can I import certificate that purchased from RapidSSL.com to owm?
    3-     What are the steps I have to follow?
    Thank you

    Here are the answers inline for your questions.
    1- Can I use csr that generated from openssl to owm?
    Yes
    2- Can I import certificate that purchased from RapidSSL.com to owm?
    Yes
    3- What are the steps I have to follow?
    Check this link for step by step instructions.
    http://download-west.oracle.com/docs/cd/B14099_19/core.1012/b13995/wallets.htm
    http://www.thesslstore.com
    http://www.rapidsslonline.com
    Edited by: 794364 on Sep 12, 2010 11:56 PM

  • Separate License for Oracle Wallet Manager

    Hi,
    From our application we have been making webservice calls using utl_http. In the past this has been via http but we now have a requirement to make a webservice call using https. This requires the use of Oracle Wallet Manager. Is a separate License required to be purchased to use the Oracle Wallet, or is it part of the Oracle database license? We have an internal check going on now with various people, but I just thought I'd ask the question here as well.
    Database version: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi

    Oracle Wallets can be deployed on clients, middle tiers, and database servers FREE of charge. However, the following features that use an Oracle Wallet in turn require licensing of the Oracle Advanced Security Option:
    - PKI credentials
    - Transparent Data Encryption.
    Please check following MOS for more details.
    Is There Any Additional License Required For Wallet Manager? (Doc ID 1068223.1)

  • Oracle Wallet Manager question..

    Hello,
    I have a question on Oracle Wallet Manager and will appreciate if you can help me with this:
    In our environment, there are distributed databases and background processes running on different systems (Windows NT and SGI IRIX). The application uses Oracle background processes which have database account names and log in to processes running on different machines.
    In an environment which has 250+ systems, changing passwords every 60 days or so becomes very cumbersome and problematic: if one network link is down, the password change is not done on one system, and the next time the application tries to access a remote process it does not work.
    Currently, the password changes are restricted to once a year.
    In the long run, it would be a better solution to replace this set-up with an industry standard secure architecture (i.e. one using PKI tokens, Certificate Authority etc.).
    Currently, I am looking at Oracle Wallet Manager as a possible solution. I will appreciate it if you can give me some feedback on whether this will be feasible.
    Thank you ..
    --osman

    I would like to share my idea.
    Use Oracle Internet Directory (LDAP), single sign-on, SSL (Oracle Wallet), Kerberos and Windows Native Authentication.
    Check the OracleAS 10g (10.1.2) documentation.
    We did all the above, which were included in the integration of OracleAS 9.0.4 with Oracle Applications 11.5.10.

  • Replace a new wallet for Oracle Wallet Manager

    Hi, all,
    Here is my current situation.
    We are using Oracle Wallet Manager (version 10.1.0.5) for Oracle 10.1.3.1 on Windows Server 2003. Currently our SSL certificate in the wallet is going to expire within a month. However, we forgot the password to the current wallet, so we have to create a new wallet and import the new certificates. The certificate shows Ready state. Then we moved the old wallet file to a different directory, and copied the new wallet file, ewallet.p12, to the default wallet location, C:\product\10.1.3.1\OracleAS_1\Apache\Apache\conf\ssl.wlt\default. We also rebooted the machine to make sure Apache will pick up the new wallet file. However, when we connected from a client browser, it still shows the old certificate. I checked the ssl.conf, and it still has the default value as follows:
    SSLWallet file:C:\product\10.1.3.1\OracleAS_1\Apache\Apache\conf\ssl.wlt\default
    The Auto Login and Use Windows Registry options are unchecked and there is no Oracle wallet entry in the Windows registry.
    Does anyone have a similar problem? Any advice is highly appreciated.
    Thank you very much in advance.

    Roberto,
    Thanks a lot for your response. I have one more question.
    Suppose the client browser has installed the old certificate, which is still valid for another month. When the client browser hits the site again, as the old certificate is still valid, is it going to download the new certificate? If not, how do I remove the old certificate from the browser, IE?
    Thanks.
