Oracle Wallet Issue

Similar Messages

• Issues with using utl_http with Oracle Wallet

  Hello Everyone,
  We are experimenting with Oracle wallet and utl_http and are attempting to do an https transfer and we are facing some problems. I will appreciate your help greatly if you can advise on what could be wrong. We are on db version 10.2.0.1 and Unix HP-UX. The intention ping an https url and get a simple 200 response. Future development would include get/post XML documents from that url and other interesting stuff. I understand that utl_http with Oracle wallet can be used for this purpose.
  The wallet has been created and the ewallet.p12 exists. We downloaded the SSL certificate from the url's website and uploaded into the wallet.
  Everything works if I put in a url with plain http. However, it does not work with an HTTP*S* url.
  With HTTPS when I run the below code I get the following error. Again, greatly appreciate your time and help because this is the first time we are using Oracle wallet manager and do not know where to go from here.
  ORA-29273: HTTP request failed
  ORA-06512: at "SYS.UTL_HTTP", line 1029
  ORA-29268: HTTP client error
  declare
  url varchar2(225);
  req utl_http.req;
  resp utl_http.resp;
  my_proxy BOOLEAN;
  name varchar2(2000);
  value varchar2(2000);
  V_proxy VARCHAR2(2000);
  v_n_proxy varchar2(2000);
  v_msg varchar2(100);
  v_len PLS_INTEGER := 1000;
  BEGIN
  -- Turn off checking of status code.
  utl_http.set_response_error_check(FALSE);
  --Set proxy server
  utl_http.set_proxy('my-proxy');
  utl_http.set_wallet('file:<full Unix path to the wallet on DB server>','wallet998');
  req := utl_http.begin_request('https://service.ariba.com/service/transaction/cxml.asp');
  --Set proxy authentication
  utl_http.set_authentication(req, 'myproxyid', 'myproxypswd','Basic',TRUE); -- Use HTTP Basic
  resp := utl_http.get_response(req);
  FOR i IN 1..utl_http.get_header_count(resp) LOOP
  utl_http.get_header(resp, i, name, value);
  dbms_output.put_line(name || ': ' || value);
  END LOOP;
  utl_http.end_response(resp);
  exception
  when others then
  dbms_output.put_line(sqlerrm);
  END;

  I tried this using plsql ...
  declare
  SOAP_URL constant varchar2(1000) := 'http://125.21.166.27/cordys/com.eibus.web.soap.Gateway.wcp?organization=o=WIPRO,cn=cordys,o=itgi.co.in';
  request      UTL_HTTP.req;
  begin
  dbms_output.put_line('Begin Request');
  request := UTL_HTTP.begin_request(SOAP_URL,'POST',UTL_HTTP.HTTP_VERSION_1_1);
  dbms_output.put_line('After Request');
  exception
  when others then
     dbms_output.put_line('Error : '||sqlerrm);
  end;The output was ...
  Begin Request
  Error : ORA-29273: HTTP request failed
  ORA-06512: at "SYS.UTL_HTTP", line 1029
  ORA-12535: TNS:operation timed outIt seems to be an issue with the webservice, plz check if its available & allowing requests.

• Issues with utl_https, Oracle Wallet and firewall

  Hello Everyone,
  We are experimenting with Oracle wallet and utl_http and are attempting to do an https transfer, but we are facing some problems. I will appreciate your help greatly if you can advise on what could be wrong. We are on db version 10.2.0.1 and Unix HP-UX and are operating from within a firewall. The intention is to ping an https url and get a simple 200 response. Future development would include get/post XML documents from that url and other interesting stuff. I understand that utl_http with Oracle wallet can be used for this purpose.
  The wallet has been created and the ewallet.p12 exists. We downloaded the SSL certificate from the url's website and uploaded into the wallet. Everything works if I put in a url with plain http but then things don't work with an HTTP*S* url. Is something called HTTPS TUNNELLING required because we have a firewall? I have no idea what this is or how it can be done.
  I tried https with an internal urls within the firewall. But again, no luck. - So probably not just a firewall issue.
  With HTTPS when I run the below code I get the following error with internal or external https sites. Again, greatly appreciate your time and help because this is the first time we are using Oracle wallet manager and do not know where to go from here.
  ORA-29273: HTTP request failed
  ORA-06512: at "SYS.UTL_HTTP", line 1029
  ORA-29268: HTTP client error
  declare
  url varchar2(225);
  req utl_http.req;
  resp utl_http.resp;
  my_proxy BOOLEAN;
  name varchar2(2000);
  value varchar2(2000);
  V_proxy VARCHAR2(2000);
  v_n_proxy varchar2(2000);
  v_msg varchar2(100);
  v_len PLS_INTEGER := 1000;
  BEGIN
  -- Turn off checking of status code.
  utl_http.set_response_error_check(FALSE);
  --Set proxy server
  utl_http.set_proxy('my-proxy');
  utl_http.set_wallet('file:<full Unix path to the wallet on DB server>','wallet998');
  req := utl_http.begin_request('https://service.ariba.com/service/transaction/cxml.asp');
  --Set proxy authentication
  utl_http.set_authentication(req, 'myproxyid', 'myproxypswd','Basic',TRUE); -- Use HTTP Basic
  resp := utl_http.get_response(req);
  FOR i IN 1..utl_http.get_header_count(resp) LOOP
  utl_http.get_header(resp, i, name, value);
  dbms_output.put_line(name || ': ' || value);
  END LOOP;
  utl_http.end_response(resp);
  exception
  when others then
  dbms_output.put_line(sqlerrm);
  END;

  user11992646 wrote:
  Here we have something like "firewall rules". When we want internet users to access an external website without entering web proxy userid/pswd(the same I used for set_authentication), our web team establishes a rule or an exception like ...such and such website can be accessed without entering proxy userid/pswd information. A firewall does not use user authentication - in other words, when a web browser traffic goes via a firewall, the firewall will not ask the web browser for credentials and the web browser will not popup a username & password box.
  A firewall does not work at application protocol level. It works at physical wire level. IP addresses, subnets, ports, packet type and header content, and so on.
  A web proxy works at application protocol level. The web browser sends the http request to the web proxy. The web proxy may expect authentication - and request the web browser to supply it. In which case the web browser will popup the authentication box for you to enter a username and password.
  Thus if you are going via a plain firewall, it does not need any kind of username/password identification. It uses your IP address and other data about the packets your machine is sending, to determine what rules to apply.
  The remote web site can also expect authentication (and if the web proxy does too, you have 2 sets of credentials to supply). A firewall cannot supply these credentials (as it works on a network protocol level). A web proxy (working on application protocol level) can.
  When your network traffic (e.g. from UTL_HTTP) goes via a firewall, there is nothing special or specific you need to do. UTL_HTTP is an application protocol. The firewall deals with the lower level wire protocol.
  Otoh, if your http/https traffic goes via a proxy, you need to do specific steps in UTL_HTTP (like setting the proxy and supplying credentials if needed).
  So I'm not sure what you are saying above.. a firewall cannot supply web authentication details for web server access.
  Then I commented out set_proxy, set_authentication. I was still able to establish SSL handshake with https://ihavefirewallrule.com and retrieve data. Seems like "firewall rule" took care of proxy authentication also.
  Proxy authentication only applies when the proxy expects authentication. And as I mentioned, a firewall does use username authentication, and nor can supply authentication as an application protocol proxy.
  Now it gets even weirder. I even commented out the set_wallet part. It still worked! I was able to establish a SSL handshake with https://ihavefirewallrule.com e.g. https://verisign.com.
  In the same Oracle session? You'll need to check how wallet access is handled. I think that once opened in a session it stays open - thus subsequent code does not need to explicitly open the wallet again.
  In our test instance both Apache web server and DB server are on the same machine.
  Is somehow utl_http using our Apache server's SSL certificates to connect to https://ihavefirewallrule.com?
  Not possible. Oracle does not know anything of such an Apache installation at a s/w level. Nor will it borrow and use anything from such installed s/w.
  Would opening up 443/tcp port to firewall + proxy_authentication in the code resolve these issues? I think your comment in previous e-mail regarding port 80 and 443 hints at this.That depends on the s/w layers you have between UTL_HTPP and the remote web server - and I'm not clear whether you are using just a firewall, just a proxy, both, or a single piece of s/w that attempts to be both a wire protocol firewall and an application protocol proxy..
  The best would be to talk to the network administrator on your side. As you are accessing that remote site from an Oracle server using UTL_HTTP for production purposes, it means that "trusted" server access can be configured. In such a case, opening tcp ports 443 and 80 for the server's IP on the firewall should be considered. No web proxy used. The routing table of the Oracle server setup to ensure that traffic to external sites be routed via the firewall.
  Not an Oracle issue.. but simply one of network connectivity between the server platform running Oracle and the remote web sites that need to be accessed.

• Oracle Wallet Manager Issue

  Hi,
  We are having a problem in importing user certificate using oracle wallet manager.
  While adding a new certificate request, we gave the domain name as abacus.ofda.gov to generate the key but we are doing this on a different machine laharguard.ofda.gov.
  Can we do this? If so how can I achieve this?
  Thanks

  Hi,
  For the error you are getting, please check below points -
  1. CA (Certificate Signer) certificate is there under trusted certificate list. If it is not, then first import the CA cert (with complete chain, if any) and then try to import the user cert.
  2. User cert should be imported in the same wallet where CSR (Certificate Signing Request) is saved.
  3. Certificate is valid in terms of it's date of expiry.
  Remember, process of getting a server cert is below -
  1. Generate a CSR and save it in a wallet.
  2. Export the CSR from the wallet and send it to CA for signing.
  3. Import the signed user cert in the same wallet after importing it's CA cert in this wallet (CA cert should be imported as Trusted Cert)
  It is recommended to generate CSR at the same server where it will be used. In case server machine changes, please get a new cert for that otherwise it may cause problems during authentication.
  Regards,
  Anuj

• What is the use of Oracle Wallet Manager

  Hello All,
  I have notives that there is a tool called "Oracle Wallet Manager" that is loaded on to my machine.
  After reading the on-line help I figure that It can keep some certificates for me.My question ;
  What is this tool used for?
  Why do we have this tool?
  Does anybody have any whitepapers/ recpies/ examples/ demos
  on this stuff.
  any help will be appreciated.
  regards
  Sanjiv

  Sanjiv.
  Oracle Wallet Manager is a tool to manage internet certificates for clients and servers (databases can have certificates) issued by Certificate Authorities (e.g. Verisign). It can be used in conjunction with Oracle Net/SSL.
  Details on it can be found at the following link:
  http://download-east.oracle.com/otndoc/oracle9i/901_doc/network.901/a90150/asowalet.htm#1006830
  Harold

• Using a SHA2 certificate with 12.1.1 (Oracle Wallet Manager 10.1.0.5)

  Hi folks,
  I'm trying to enable SSL on my 12.1.1 system, but I've got a bit of a problem.
  I've already logged a SR on this, so I already know that you cannot use SHA2 SSL certificates with Oracle Wallet Manager 10.1.0.5, which is part of the 10.1.3 tech stack. I started the SR on the EBS side, but it was passed on to the security group, and closed there. My question is, is there something that I don't know? Is there an upgrade path in 12.1.x that would include an upgrade to the OWM, or is there some sort of workaround? I'll be opening another SR tomorrow, but wanted to see if I was missing something simple.
  We have an internal certificate server (Microsoft AD), and the root certificate, which I need to import, is SHA2. I'm being told that they cannot generate a SHA1 root certificate, and would have to stand up another certificate authority. OWM 10.1.0.5 can't handle SHA2, so I'm stuck.
  Anybody been there done that?
  Thanks very much,
  -Adam vonNieda

  I'm trying to enable SSL on my 12.1.1 system, but I've got a bit of a problem. What kind of problems?
  I've already logged a SR on this, so I already know that you cannot use SHA2 SSL certificates with Oracle Wallet Manager 10.1.0.5, which is part of the 10.1.3 tech stack. I started the SR on the EBS side, but it was passed on to the security group, and closed there. My question is, is there something that I don't know? Is there an upgrade path in 12.1.x that would include an upgrade to the OWM, or is there some sort of workaround? I'll be opening another SR tomorrow, but wanted to see if I was missing something simple.
  We have an internal certificate server (Microsoft AD), and the root certificate, which I need to import, is SHA2. I'm being told that they cannot generate a SHA1 root certificate, and would have to stand up another certificate authority. OWM 10.1.0.5 can't handle SHA2, so I'm stuck. I am not sure if SHA2 is certified with EBS R12 so you might need to ask this question to Oracle Support. According to the following docs, SHA1 can be used with no issues.
  Enabling SSL in Oracle E-Business Suite Release 12 [ID 376700.1]     To BottomTo Bottom     
  SSL Primer: Enabling SSL in Oracle E-Business Suite Release 12 (Trial Certificate Example) [ID 1425103.1]
  Thanks,
  Hussein

• Interconnect DB adapter Error when connecting to DB Using Oracle Wallet

  Hi all,
  I have installed multiple DB adapters on a unix m/c and when i am starting the DB adapter( name ex: B) i am getting the following error.
  when i Hash (#)the passwd in adapter.ini without using oracle wallet my DB adapter gets connected if the same is removed i am getting the following Error.
  "java.sql.SQLException: invalid arguments in call"
  Oracle Wallet password have been set correctly and works fine with one of the DB adapter( name ex: A) and the same setting of A has been used in B.
  Would be glad if someone could help to give solution to track oracle wallet and database connectivity.
  Oailog.txt
  ~~~~~~~~~~
  Initializing the Bridge oracle.oai.agent.adapter.database.DBBridge..
  Initializing connection to the Repository...
  Connected to the Repository.
  B could not connect to the database
  regards
  yenyes

  The issue was solved.The workaround involved synchronising the security folders the one below the /interconnect and one below /adapters.

• Use Oracle Wallet to store repository (Registry/SS/EAS) credentials?

  I'm running EPM 11.1.2.2 on AIX, Oracle repository, already installed and configured.
  The security team would prefer to have the repository credentials stored in an Oracle wallet as a matter of policy.  I believe, from my limited research, that a JDBC driver can (theoretically) use wallet.  But has anyone done it in the context of the EPM services (i.e. Foundation, EAS)?
  Obviously, the password is encrypted already, so I'm not sure that this really provides much of a real security benefit - except that I think that the Oracle password could be changed by updating the wallet without having to re-run the EPM configuration utility.
  Any input gratefully received.  Thanks!

  Nothing like wanting to add another layer of complexity to an already complex world , if security is the issue then SSL should be looked at but the passwords will still be stored in the database.
  I have never heard of it being done with EPM but would be interested to know if it is actually supported.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• SSIS and Oracle Wallet

  I am trying to connect SQL Server Integration Services to an Oracle database using Oracle Wallet. I have tested the wallet in both 32 and 64 bit modes on the machine and it works fine. I cannot get SSIS to connect though. I probably just need the syntax for and OleDB or .NET driver connection string but have not been able to find either on-line. Any help would be appreciated.
  Thanks,
  Brian.

  I have resolved the issue. For others that may run into this, here are the steps I took.
  1.     Use the driver “.Net Providers\OracleClient Data Provider”
  2.     Go to the “All” tab.
  3.     Data Source=”DATA_SOURCE”
  4.     Integrated Security=True
  5.     Press “Test Connection” and it should succeed.

• Oracle wallet manager disappears

  I have this root certificate (Issuer - InfoNotary.......) :
  -----BEGIN CERTIFICATE-----
  MIIFzDCCBYqgAwIBAgIIEGYkjAmMcrgwCwYHKoZIzjgEAwUAMIG7MYG4MAkGA1UE
  BgwCQkcwFQYDVQQKDA5JbmZvTm90YXJ5IFBMQzAdBgoJkiaJk/IsZAEZFg9yb290
  LWNhLXQyMDA2MDMwHwYJKoZIhvcNAQkBFhJjc3BAaW5mb25vdGFyeS5jb20wKQYD
  VQQDDCJJbmZvTm90YXJ5IENTUCBSb290IC0gVGVzdCAyMDA2IDAzMCkGA1UECwwi
  SW5mb05vdGFyeSBDU1AgUm9vdCAtIFRlc3QgMjAwNiAwMzAiGA8yMDA2MDMyMDA4
  NTc0MloYDzIwMjYwMzIwMDg1NzQyWjCBuzGBuDAJBgNVBAYMAkJHMBUGA1UECgwO
  SW5mb05vdGFyeSBQTEMwHQYKCZImiZPyLGQBGRYPcm9vdC1jYS10MjAwNjAzMB8G
  CSqGSIb3DQEJARYSY3NwQGluZm9ub3RhcnkuY29tMCkGA1UEAwwiSW5mb05vdGFy
  eSBDU1AgUm9vdCAtIFRlc3QgMjAwNiAwMzApBgNVBAsMIkluZm9Ob3RhcnkgQ1NQ
  IFJvb3QgLSBUZXN0IDIwMDYgMDMwggG3MIIBKwYHKoZIzjgEATCCAR4CgYEA/JlZ
  KRdvS7nj83xB9wulqFERWRJe9uv5Tr9if1k+BW4vAD+/NWfBueMGYrVvOOV5i3Jo
  G6QvhyIRluIRIprGvRRUBGmJZMpLmVfzGTjVMuG7c6ZBEX2pgue+r00hJVuNOYwN
  kub6oIRFyUNNIYLqBKascjZr1RcrvoyRMo7dAEsCFQDR/7tVobcOcRzXTOPvVxKi
  omFJ3QKBgAtykO++a9L255z6yymAv9qimurPAdSYjS2mffwA60f/Xr5AUVYheIWT
  HHTL176pOZ0qPhJItEvwCFtP3QXDBD50fdIDaLd2S0Z8YRvCuwqsJS2M39Dm125o
  Cntm6B9rjP1V+L+xdCQ9wEXG6OYFcQz/h2PlZeQ5xQCraInGdOY1A4GFAAKBgQDI
  PR62zK05/n2gRx6lC6QYNElCkyZqztKQX0n5rF2ALPnf6iZWMJH3lPLNIJCwB3Ia
  zNQ9+u4Z8yEFQznN/mHimtgnubwHH5CJRPhG5yXqlfOJOWNE70G0LVVG/rtnDb5x
  Ve4bS+nQE75Ohe79pMkOKbeEjV81o1cuq+KzGhWm56OCAg8wggILMA4GA1UdDwEB
  /wQEAwIBBjBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9kZXYu
  aW5mb25vdGFyeS5jb20vcmVzcG9uZGVyLmNnaTBdBggrBgEFBQcBCwRRME8wTQYI
  KwYBBQUHMAWGQWxkYXA6Ly9kZXYuaW5mb25vdGFyeS5jb20vZGM9cm9vdC1jYS10
  MjAwNjAzLGRjPWluZm9ub3RhcnksZGM9Y29tMIGjBgNVHSAEgZswgZgwaAYJKwYB
  BAGBrQABMFswMwYIKwYBBQUHAgEWJ2h0dHA6Ly9kZXYuaW5mb25vdGFyeS5jb20v
  Y3BzL3FjcHMuaHRtbDAkBggrBgEFBQcCAjAYGhZJbmZvTm90YXJ5IENTUCBSb290
  IENBMCwGCSsGAQQBga0AADAfMB0GCCsGAQUFBwIBFhFodHRwOi8vd3d3LmNyYy5i
  ZzAPBgNVHRMBAf8EBTADAQH/MH8GA1UdEQR4MHakdDByMXAwCwYDVQQRDAQxMDAw
  MAwGA1UEBwwFU29maWEwEwYDVQQUDAwrMzU5Mjk4NzU3MTcwGwYGVQQKZAEBDBEx
  MzEyNzY4Mjc6QlVMU1RBVDAhBgkqhkiG9w0BCQgMFDE2IEl2YW4gVmFzb3YgU3Ry
  ZWV0MB0GA1UdDgQWBBQ0XhZZBwUsyqPC+fbh3k3iWCf+lTALBgcqhkjOOAQDBQAD
  LwAwLAIUJA/m85TNfJy25x4V0eh4g/7LnEkCFC79NCyfrDje2YSeKRd+jKKsuuOb
  -----END CERTIFICATE-----
  If I try to import this trusted certificat, oracle wallet manager disappears.
  Can anybody advise me!

  Hi
  Have you tried verifying this certificate in any other way maybe its been copied incorrectly to the server you are installing it to.
  Assuming you are trying to do this on a server, do you have a wallet manager on your desktop to see if it is failing there as well. If you are ftping it to a server make sure you use binary as ascii will almost certainly corrupt it.
  Can you add it with command line tools, assuming this is being done with a gui tool.
  Without any other error to go by, its a bit hard to give an answer.

• Oracle Wallet manager error

  Hi all,
  Inorder to test SSL, i created a certificate request in OWM.Then i got a trial certificate from verisign for this request.What should i do now ? I tried to import that certificate in Oracle Wallet manager but getting this error.
  "Trusted Certificate Installation Failed.
  Input was not a valid certificate".
  Please guide me
  Srini

  belw is the note
  PURPOSE
  To list the steps needed to configure Oracle HTTP Server (OHS) to use the Secure
  Sockets Layer (SSL) when installed with Oracle9i Application Server (9iAS)
  Release 2 (9.0.2). The below instructions show, step by step, instructions for
  obtaining a trial certificate from a Certificate Authority, such as Verisign or
  Thawte. Please refer to the Oracle 9iAS Documentation for further details.
  SCOPE AND APPLICATION
  Oracle9i Application Server (9iAS) Release 2 (9.0.2 and above)
  Configuring SSL with Oracle HTTP Server in 9iAS Release 2
  There are two major steps needed to configure SSL in 9iAS:
  I. Create an Oracle Wallet which contains an SSL Certificate
  II. Configure httpd.conf directives to enable SSL with OHS
  NOTE:
  Only standard server certificates are supported. These are sometimes referred
  to as "40-bit Certificates", but will allow 128-bit encryption provided the
  browser supports 128-bit encryption. 9iAS Release 2 does not support Global
  Server Certificates, called "128-bit Certificates", that allow 56-bit export
  browsers to step up to 128-bit.
  STEP I: Configuring Oracle Wallet Manager (OWM)
  1. Start Oracle Wallet Manager from the 9iAS $ORACLE_HOME.
  Note: If you wish to use AutoLogin features you must start OWM as the user
  who owns the httpd parent process.
  To start Oracle Wallet Manager:
  On Windows: select Start > Programs > Oracle - ORACLE_HOME >
  Integrated Management Tools > Wallet Manager
  On UNIX: enter owm at the command line.
  2. Create an Oracle Wallet which contains an SSL Certificate:
  - Select Wallet -> New
  - Enter a password for the wallet e.g Welcome1
  - Create a Certificate Request.
  - Enter the details for the request. For example:
       Common Name:          <hostname.domainname>
  Organizational Unit:      Support
  Organization:      Oracle
       Location:          Reading
       State:               Berkshire
       Country:          United Kingdom
       Key Size:          1024bits
  * Common Name has to match the hostname.domainname that the webserver is
  known as. This is the Servername parameter in the httpd.conf file, and
  is the hostname.domainname that users will enter in the browser URL.
  - Click OK.
  - Click 'Certificate:[Requested]' and select from the Menu 'Operations' and
  'Export Certificate Request'
  - Save to a file e.g server.csr
  - Open the file in a text editor and copy the contents of the certificate
  signing request, to be pasted in a Certificate Authority (Verisign) form.
  An example is shown below:
  -----BEGIN NEW CERTIFICATE REQUEST-----
  MIIBtzCCASACAQAwdzELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCWJlcmtzaGlyZTEQMA4GA1UEBxMH
  cmVhZGluZzEPMA0GA1UEChQGb3JhY2xlMRAwDgYDVQQLFAdzdXBwb3J0MR8wHQYDVQQDFBZ1a2Ro
  MTkzNC51ay5vcmFjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYkFMb9x4ehsG3
  yQ2ub319GxPW+/TC3NSIYRLzEa49EziqBUr08R3Ssn9+6nolVjj1eb3rzwCfjiOSzsp1lSa/B9Vo
  63pwP6xLbCgF8J86YfcZvavgLzY0Yc1fPfRxpZkb/jjt+F1zkaI6Lilm5YU3bRNYMb36TAWxUYL1
  m6wZOwIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEACKXTmPHaSe3Lx3onnKJk/qI8SzpKyQC/B29v
  JGg1+7Lb7gl052Y9WKxbKHzOQOYr8yYxMXNBCUwW6kBAFoxTWSpIxIQOpJXcsu1RlHKaLfAnw053
  LiwpRB6do7MBrVgMRiv3AyTkJkgRzSxABWAgNpBPbhH+L6PZj5tSjOPErKA=
  -----END NEW CERTIFICATE REQUEST-----
  3. Request a Certificate from a Certificate Authority:
  - Load a web browser and go a Certificate Authority website of your choice.
  The examples below are from www.thawte.com:
  - Click on 'request your free trial'.
  - Fill in the necessary name and address details etc. and 'Submit'.
  - Paste in the certificate request into the box under the
  'Certificate Signing Request' Section.
  - Select "Test X509v3 SSL Cert" and hit "Generate Test Certificate"
  - Once submitted the Trial Certificate will appear on screen similar to below:
  -----BEGIN CERTIFICATE-----
  MIICnDCCAgWgAwIBAgIDD9m+MA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa
  QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU
  VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww
  GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAxMTAyNDE0MDIxOVoXDTAx
  MTExNDE0MDIxOVowdzELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUJlcmtzaGlyZTEQ
  MA4GA1UEBxMHUmVhZGluZzEPMA0GA1UEChQGT3JhY2xlMRAwDgYDVQQLFAdTdXBw
  b3J0MR8wHQYDVQQDFBZ1a3AxNTkxOC51ay5vcmFjbGUuY29tMIGfMA0GCSqGSIb3
  DQEBAQUAA4GNADCBiQKBgQDiQbg8KHjQ8hazvFe+OFhQa6ka+i5oShUty1MhlH+/
  /xXP+j82h4VlyPG6IGKeQdXLhnKXgLuxTZ8/VDtLZyucmpIB95o2A3Betjp7UdIm
  C572rKrQTA+1mCt/KLWcNE+fQuCmhloaERh3jsWTng0TKsDpJeAJdW2F4tCy/E/E
  MwIDAQABoyUwIzATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0G
  CSqGSIb3DQEBBAUAA4GBACffzyC3qvAlvNWc6mBPMjFu6XWUGZBuNawFCz8qGw5/
  ce3rWFNI4zOjc1OncoJg7FjDJgAWqiJFHgdV4gwQm/8lTJX6wD1FhMtrJDXf29ei
  1DAe8kBOBWiFMio8Qjp24TdxoI6/53/32ydl91CPtTKAix3SaC2bBS5lG73AbKRr
  -----END CERTIFICATE-----
  - Copy the certificate to a file called server.crt
  - Get the Trusted CA Root certificate by accessing:
  https://www.thawte.com/roots/index.html
  - Copy the certificate that appears on the screen to a file called
  servertest.crt
  - Ftp or move the files to a directory on your server
  - In Wallet Manager select Operations -> Import User Certificate.
  - It will then ask you if you want to Paste the certificate or load
  from a file. Choose 'Select a file that contains a certificate'.
  - Select the file server.crt and hit OK.
  - At this point, the Wallet Manager may complain that the Trusted CA Root
  Certificate does not exist in the wallet. It will ask if you want to
  import it now. Select Yes. See Below
  - Select 'Select a file that contains a certificate' and select the
  servertest.crt file.
  - If this completes successfully you should see Certificate:[Ready] and the
  Thawte Test CA Root will appear in the list of trusted certificates.
  - If you desire Oracle HTTP Server to AutoLogin to the Wallet, then select
  AutoLogin. (Wallet Manager must have been started as the owner of the
  httpd parent process for this to work).
  - From the menu, File -> Save
  Save the Wallet in a directory where the 9iAS user has permission to access
  * If you generated your test certificate via www.verisign.com there is an additional
  step required if OWM is not accepting the Trusted CA Root Certificate. The step is
  as follows:
  In OWM, at the point of message "User certificate import has failed because the
  CA certificate does not exist". You are expected to import the CA certificate.
  For Verisign, that would be the 'Test CA Root' for the Trial version. Verisign's
  email has instructions on how to download the Test CA Root. One problem with the
  Test CA Root is that it is saved as DER encoding, but OWM expects BASE64 encoding.
  Please do following, using Internet Explorer 5.X as example.
  1. Following Verisign instructions and install Test CA Root
  certification into IE.
  2. Export 'Test CA Root' from IE in BASE64 format
  Tools -> Internet Options -> Contents -> Certificates
  -> Trusted Root Certificate Authorities
  Select CA issued by Versign with following Description in 'Issued to' column
  "For Versign authorized testing only ....."
  Export -> Next -> select Base-64 encoded X.509(.cer)
  The file saved must me accessible to OWM
  3. When prompted to load 'CA certificate ', provide the Base64 encoded file.
  Then, continue where you left off when OWM did not accept your Trusted CA
  Root Certificate.
  STEP II: Configuring Oracle HTTP Server (OHS)
  Please review the default directives in the httpd.conf file that relate to SSL by
  opening the file in a text editor and search on "SSL". If you have not already
  done so, please make a back up of this file. Do NOT hand edit this file without reading
  the precautions in the 9iAS Documentation. You should use the Enterprise Manager (EM)
  Website to modify this file. For SSL to work, the SSL 'listen' port must match the
  "VirtualHost _default_" directive within the file. All other SSL parameters are
  set to the default, and you can modify at a later time, depending on your needs.
  ## SSL Support
  Listen 80
  Listen 443
  #443 is the SSL port number.
  ##Further down in file:
  <VirtualHost default:443>
  For the purposes of a basic SSL configuration, you should only need to
  change the following directives:
  SSLWallet
  SSLWalletPassword
  - Change the SSLWallet directive to the path where you saved your wallet, i.e:
  SSLWallet file:/tmp/wallets
  - If you get an error, ADMN-906025 with exception 806212, when starting OHS
  after modifying httpd.conf, it is because you need to supply this password.
  You may also see errors such as the following:
  Error Failed to restart HTTP Server.
  Timeout has been reached. Timeout has been reached.
  If you did not select AutoLogin, then you need to change the SSLWalletPassword
  to your clear text Wallet password by adding the following into your httpd.conf
  SSLWalletPassword <yourPassword>
  - If you wish to encrypt the SSLWalletPassword refer to the following:
  [NOTE:184677.1]
  How to Use IASOBF to Encrpyt a Wallet Password Within 9iAS Release 2
  - Save the configuration, and restart Oracle HTTP Server
  - Test a URL to Oracle HTTP Server in SSL mode:
  https://<hostname.domainname>:<port>

• Self Generated Certification into Oracle Wallet Manager ?

  Hello,
  I have an written a function in PL/SQL to communicate with web services
  this server accessed with HTTPS, it uses self generated certification!
  how I can:
  export this certification (using web browser)
  Import it to Oracle Wallet Manager
  is it going to work?
  cheers

  Hi Tejo,
  I think you posted your question into the wrong forum. This is Hyperion Query and Reporting forum that discusses issues related to Hyperion Financial Reporting Studio, Interactive Reporting, Web Analysis, etc. I would do a search for Oracle Wallet Manager on google, find the best Oracle Forum and post the question there.
  Cheers,
  Mehmet

• How to load the ssl certificate to oracle wallet

  I have oracle 10.2.0.3 on Unix.
  I have a oracle wallet created. I need to load ssl certificate to the oracle wallet. I have CA certificate and server related certificate. In owm interface, there is Certificate:(Empty) and Trusted Certificates. Does anybody know where my certificate should go, Certification:(Empty) or Tryusted Certificates? By the way my certificate is from Verisign.
  Thanks a lot!

  Hi
  Thanks. I have added my LDAP certificate to Oracle wallet.
  Now my doubt is :
  Before adding this cert to my wallet , i have tried to connect my application through SSL , am able to connect it.
  I have used DBMS_LDAP.open_SSL function for conencting.
  Before adding the new cert my wallet conatins :
  ewallet.p12
  cwallet.sso
  GeoTrust.cer
  Equifaxb64.cer
  After adding the new cert also i am able to conenct through ssl my concern is , how we can figure out whether the ldap package checking my cert or not?
  How DBMS_LDAP.open_SSL works?
  Could anyone help me out to solve the issue?
  Thanks,
  San

• Problem in importing a SHA256 X509 certificate in Oracle Wallet Manager 10g

  Dear All,
  As a certification authority, we stops issuing SHA1 X509 certificates and now we deliver only SHA256 Certificates. Some of our customers encounter problems when importing these new certificates in Oracle Wallet Manager 10g.
  Is there any Oracle Security Updates able to solve this problem?
  Thank you in advance
  Nizar BN
  Tunisia

  Hi, I am having the same issue with the certificate. Can anyone tell me how to fix this?
  Thank You!
  Kathie

• Unable to import the user certificate into the Oracle Wallet Manager

  Hi,
  I am configuring the External Authentication plugin using the password filters.
  i am using the version 10.1.0.5.0 version of Oracle Wallet manager
  inorder to do that i am enabling the SSL mode.
  to enable the SSL mode i followed the some steps in OWM and OCA admin and user console.
  when i approved a certificate as admin and importing to the Oracle Wallet Manager, i got an error that
  User Certificate Installation failed.
  Possible errors:
  - Input was not a valid certificate
  - No matching certificate request found
  - CA certificate needed for certificate chain not found.
  Please install it first
  can anyone help me how to resolve this problem.

  hi,
  thanks for your reply pramod
  I tried to import the two certificate files(rootca.crt and server.crt). but i am got the same error.
  what may be the problem.