Making Oracle SSL wallets from scratch

Some hard-won knowledge:

Here’s what I did:

I used openssl on my Linux workstation to create a new private key and a CSR. Then I bought a signed cert from DigiCert using that CSR. I rolled those into a JKS using keytool – no trouble. But then I learned that if I want to use those with Oracle HTTP Server (OHS), I’d need them in an SSL wallet.

Took a long time to learn these things:

  1. a “wallet” is a directory containing a file named ewallet.p12
  2. ewallet.p12 must contain the private key, the signed cert for it and the certs of all the CAs in the chain that signed the cert.
  3. cwallet.sso is the one that OHS actually uses – it has no password
  4. unlike ewallet.p12, cwallet.sso is tailored to the machine it’s generated on. You can’t use it on other machines.
  5. The “orapki.bat” that you get when you install OHS is broken. I had to edit the file and wrap %JAVA_HOME% in quotes on all three lines on which it appears: 19, 20 and 90

Here are the commands for building this beast from scratch. I’m copying in the text file I wrote for myself earlier and adding to it:

# In this demo, I'm naming the files "self.*" just to keep them
# short and to indicate we're working with a self-signed cert.
# In real life, you'd name your files something meaningful to
# your use.  Like, I might use "oiam-external-ssl.*"

# Start by making a brand new private key.
# Put the keylength you want as the number of bits at the end of
# the command line.  I use 2048 - a good balance of strength
# versus speed of operations
#
# I don't put a passphrase on this key
#
openssl genrsa -out self.key 2048

# From here down, I break commands into lines to make them easier
# to read and understand.  You could paste these as they are
# because I've put Bash line continuation characters at the end of
# each line.  However, you may want to join them up again.  If
# you do, keep the pieces in order because some of that order is
# important.  Mostly the first two or three lines.

# Make the CSR.  Your subjectAltNames are in the openssl.cnf
# named in the -config option.
#
openssl req -new \
  -config openssl.cnf \
  -key    self.key \
  -out    self.csr

# If you buy a cert, you skip this step
#
# In the test, sign the CSR (public key) with your own private
# key.  Because we're using the same key to sign that we used to
# make the CSR, we're producing a "self-signed" certificate.
#
#
openssl x509 -req \
  -days    1450 \
  -in      self.csr \
  -signkey self.key \
  -out     self.crt

# To make the next step a bit easier, cat the private key and signed
# public key files together into one.  They're BASE64 encoded
# blocks, commonly called PEM encoded, so they won't get mixed
# up.
#
# If you bought a signed cert, make sure it's in PEM format first!

cat self.key self.crt > self.pem

# If you bought a signed cert, add in the CA certs.  They should
# have come with the cert.  Look for something called a chain.
#
cat ca-cert-1.crt ca-cert-2.crt ca-cert-3.crt >> self.pem
#
# You should have *real* CA cert filenames there, not these!

# Create the PKCS12 file
#
# Notes:
#   use the -name option to make the "alias" that marks the item
#   in the keystore.  You'll look for this name/alias in many
#   places in the future - choose a meaningful name/alias here.
#
#   Export Password: don't leave it blank.
#
#   To let the -chain option work, and you need it to work, you
#   must have put the various CA certs in the default CA store on
#   your computer so openssl can find them and add them to the
#   pkcs12 file it's making for you.  On Debian-based systems,
#   like Ubuntu and Mint, use man update-ca-certificates to learn
#   how to do that.
#
openssl pkcs12 -export \
  -in   self.pem \
  -out  self.p12 \
  -name self-test \
  -chain

# At this point, you have made the wallet file.  Copy self.p12 and name
# that copy "ewallet.p12".  Put it in a directory named for your wallet.
# For example, I did this:
mkdir oif-wallet
cp self.p12 oif-wallet/ewallet.p12

# Then you copy the whole directory to the server you want to have
# use it.
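Before copying the directory to the server, it is worth checking that ewallet.p12 really holds all three things from the list above (the private key, its certificate and the CA chain), since a wallet missing the chain will not surface the problem until OHS starts. The script below is an added example, not part of the original post: it builds a throwaway two-tier wallet (a demo CA stands in for DigiCert, and the chain is passed in explicitly rather than through -chain and the system CA store) and then verifies the p12 contents. Every name in it (test-ca.*, self.*, demo-wallet, the alias wallet-check and the password) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the original post's commands. Builds a demo wallet and
# checks that ewallet.p12 holds key + leaf cert + CA chain. All file names,
# the alias and the password are constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="demo-wallet-password"   # constructed; the export password must not be blank

build_test_wallet() {
  cd "$WORK"
  # Throwaway CA standing in for the commercial CA
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Test CA" \
    -keyout test-ca.key -out test-ca.crt -days 30 >/dev/null 2>&1
  # Server key, CSR and CA-signed cert, as in the post
  openssl genrsa -out self.key 2048 >/dev/null 2>&1
  openssl req -new -key self.key -subj "/CN=ohs.example.test" -out self.csr >/dev/null 2>&1
  openssl x509 -req -in self.csr -CA test-ca.crt -CAkey test-ca.key \
    -CAcreateserial -days 30 -out self.crt >/dev/null 2>&1
  # Key, leaf cert and chain concatenated into one PEM; the chain is supplied
  # here directly instead of relying on -chain and the system CA store.
  cat self.key self.crt test-ca.crt > self.pem
  mkdir -p demo-wallet
  openssl pkcs12 -export -in self.pem -name wallet-check \
    -passout "pass:$PASS" -out demo-wallet/ewallet.p12
}

# Returns 0 only if the wallet holds one leaf cert, at least one CA cert, a
# private key matching the leaf's public key, and a chain that validates it.
check_wallet() {
  p12="$1"; d="$WORK/check"; mkdir -p "$d"
  openssl pkcs12 -in "$p12" -passin "pass:$PASS" -nokeys -clcerts -out "$d/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$PASS" -nokeys -cacerts -out "$d/chain.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$PASS" -nocerts -nodes -out "$d/key.pem" 2>/dev/null
  [ "$(grep -c 'BEGIN CERTIFICATE' "$d/leaf.pem")" -eq 1 ] || { echo "no leaf cert"; return 1; }
  [ "$(grep -c 'BEGIN CERTIFICATE' "$d/chain.pem")" -ge 1 ] || { echo "no CA chain"; return 1; }
  [ "$(openssl pkey -in "$d/key.pem" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$d/leaf.pem" -pubkey -noout)" ] || { echo "key/cert mismatch"; return 1; }
  openssl verify -CAfile "$d/chain.pem" "$d/leaf.pem" >/dev/null 2>&1 \
    || { echo "chain does not validate leaf"; return 1; }
  echo "wallet OK: $p12"
}

build_test_wallet
check_wallet "$WORK/demo-wallet/ewallet.p12"
```

To check a real wallet, point check_wallet at its ewallet.p12 with PASS set to the export password you chose; the same three extraction commands also show exactly which certificates ended up inside.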

In my environment, MIDDLEWARE_HOME is C:\Oracle\Middleware. So, first, I copy the directory where I want it to live. Then I get a DOS window and CD to the parent of the wallet directory. Then I use orapki to create the cwallet.sso which OHS will actually use when it starts so it can access its private key and its cert. In my case, it looked like this:

cd C:\Oracle\Middleware\oiam-ssl
\Oracle\Middleware\oracle_common\bin\orapki wallet create -wallet oif-wallet -auto_login

It asked me for the password I’d set earlier and then exited silently. But when I looked in oif-wallet, I found a shiny new file: “cwallet.sso.” And OHS started up and is listening on the ports I configured in ssl.conf.
