5
Using Oracle Wallet Manager

Security administrators use Oracle Wallet Manager to manage public-key security credentials on Oracle9i Application Server and other Oracle clients and servers. It can be used to request, store, and manage certificates. The wallets it creates can be opened with Oracle Wallet Manager.

This chapter describes the Oracle Wallet Manager, in the following sections:

• About Public Key Infrastructure (PKI)

• PKCS #12 Support

• Multiple Certificate Support

• LDAP Directory Support

• Managing Wallets

• Managing Certificates

About Public Key Infrastructure (PKI)

Traditional private-key or symmetric-key cryptography requires a single, secret key that is shared by two or more parties to a secure communication. This key is used to both encrypt and decrypt secure messages sent between the parties, requiring prior, secure distribution of the key to each party. The problem with this method is that it is difficult to securely transmit and store the key.

Public-key cryptography provides a solution to this problem, by employing public/private key pairs and a secure method for key distribution. The freely available public key is used to encrypt messages that can only be decrypted by the holder of the associated private key. The private key is securely stored, together with other security credentials, in an encrypted container--called a wallet.

Public-key algorithms can guarantee the secrecy of a message, but they don't necessarily guarantee secure communications because they don't verify the identities of the communicating parties. In order to establish secure communications, it is important to verify that the public key used to encrypt a message does in fact belong to the target recipient. Otherwise, a third party can potentially eavesdrop on the communication and intercept public key requests, substituting its own public key for a legitimate key (the man-in-the-middle attack).

In order to avoid such an attack, it is necessary to verify the owner of the public key, a process called authentication. Authentication can be accomplished through a certificate authority (CA)--a third party that is trusted by both of the communicating parties.

The CA issues public key certificates that contain an entity's name, public key, and certain other security credentials. Such credentials typically include the CA name, the CA signature, and the certificate effective dates (From Date, To Date).

The CA uses its private key to encrypt a message, while the public key is used to decrypt it, thus verifying that the message was encrypted by the CA. The CA public key is well known, and does not have to be authenticated each time it is accessed. Such CA public keys are stored in an Oracle wallet.

Wallet Password Management

Oracle Wallet Manager includes an enhanced wallet password management module that enforces Password Management Policy guidelines, including the following:

• Minimum password length (8 characters)

• Maximum password length unlimited

• Alphanumeric character mix required

Strong Wallet Encryption

Oracle Wallet Manager stores private keys associated with X.509 certificates, requiring strong encryption. Accordingly, 3-key Triple-DES, which is a substantially stronger encryption algorithm is supported.

Microsoft Windows Registry

Oracle Wallet Manager lets you optionally store multiple Oracle wallets in the user profile area of the Microsoft Windows System Registry (for Windows 95/98/ME/NT 4.0/2000), or in a Windows file management system. Storing your wallets in the registry provides the following benefits:

• Better Access Control. Wallets stored in the user profile area of the registry are only accessible by the associated user. User access controls for the system thus become, by extension, access controls for the wallets. In addition, when a user logs out of a system, access to that user's wallets is effectively precluded.

• Easier Administration. Since wallets are associated with specific user profiles, no permissions need to be managed, and the wallets stored in the profile are automatically deleted when the user profile is deleted. Oracle Wallet Manager can be used to create and manage the wallets in the registry.

• Improved Security. Because the wallets are imbedded in the registry, the wallets associated with a particular user profile are transparent to all other users. Viewed in combination with better access control and easier administration, this amounts to an additional security layer for Oracle wallets.

Options Supported:

• Open wallet from the Registry

• Save wallet to the Registry

• Save As to a different Registry location

• Delete wallet from the Registry

• Open wallet from the file system and save it to the Registry

• Open wallet from the Registry and save it to the file system

  See Also: Oracle9i Administrator's Guide for Windows in the Oracle Database Documentation Library Oracle9i Network, Directory and Security Guide for Windows in the Oracle Database Documentation Library

Oracle Wallet Functions

Oracle Wallet Manager is a stand-alone Java application that wallet owners use to manage and edit the security credentials in their Oracle wallets. These tasks include the following:

• Generating a public/private key pair and creating a certificate request for submission to a CA.

• Installing a certificate for the entity.

• Configuring trusted certificates for the entity.

• Opening a wallet to enable access to PKI-based services.

• Creating a wallet that can be accessed by Oracle Wallet Manager.

• Uploading a wallet to an LDAP directory such as Oracle Internet Directory.

• Downloading a wallet from an LDAP directory such as Oracle Internet Directory.

• Importing wallets.

• Exporting wallets.

  See Also: Oracle Directory Service Integration and Deployment Guide in the Oracle9iAS Documentation Library, if you need to synchronize your existing LDAP directory with Oracle Internet Directory.

Backward Compatibility

Oracle Wallet Manager is backward-compatible to Oracle Data Server, Release 8.1.5.

PKCS #12 Support

Oracle Wallet Manager stores X.509 certificates and private keys in industry-standard, PKCS #12 format. This makes the Oracle wallet structure interoperable with supported third party PKI applications, and provides wallet portability across operating systems.

Note: Although Oracle Advanced Security and Oracle Wallet Manager fully comply with PKCS #12, there may be some compatibility issues using third-party products--such as Netscape Communicator and Microsoft Internet Explorer.

Importing Third-Party Wallets

Oracle Wallet Manager can import and support the following PKCS #12-format wallets, subject to product-specific procedures and limitations:

• Netscape Communicator 4.x

• Microsoft Internet Explorer 5.x

• OpenSSL

To import a third-party wallet:

1. Follow the product-specific procedure to export the wallet.

2. Save the exported wallet to a platform-specific file name in a directory expected by your application.

   For UNIX and Windows NT, the file name is ewallet.p12.

   For other platforms, see the platform-specific documentation.

3. Open the wallet by specifying the directory that contains the wallet in the Open dialog box.

   See Also: Importing a Trusted Certificate.

   Notes: You must copy the third-party PKCS #12 wallet file name to a directory expected by Oracle Wallet Manager and change the name; the UNIX/NT wallet file name is ewallet.p12. Since browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection. You can use Oracle Wallet Manager to do this.

Exporting Oracle Wallets

Oracle Wallet Manager can export its own wallets to third party environments. To export a wallet:

1. Use Oracle Wallet Manager to save the wallet file.

2. Follow the third-party product-specific import procedure to import a platform-specific PKCS #12 wallet file created by Oracle Wallet Manager (called ewallet.p12 on UNIX and NT platforms).

   Note: Current browsers typically support import of only one user certificate per wallet. Accordingly, you must export an Oracle single key-pair wallet, even though Oracle Wallet Manager supports multiple user certificates per wallet.

Multiple Certificate Support

Oracle wallet tools support multiple certificates for each wallet, supporting the following Oracle PKI certificate usages:

• SSL

• S/MIME signature

• S/MIME encryption

• Code-Signing

• CA Certificate Signing

Oracle Wallet Manager supports multiple certificates for a single digital entity, where each certificate can be used for a set of Oracle PKI certificate usages--but the same certificate cannot be used for all such usages (See: Tables 5-2 and 5-3 for legal usage combinations). There must be a one-to-one mapping between certificate requests and certificates. The same certificate request cannot be used to obtain multiple certificates, installed in the same wallet.

Oracle Wallet Manager uses X.509 V3 extension KeyUsage to define Oracle PKI certificate usages (Table 5-1):

Table 5-1 KeyUsage Values  

Value	Usage
0	digitalSignature
1	nonRepudiation
2	keyEncipherment
3	dataEncipherment
4	keyAgreement
5	keyCertSign
6	cRLSign
7	encipherOnly
8	decipherOnly

When installing a certificate (user certificate, trusted certificate), Oracle Wallet Manager uses Tables 5-2 and 5-3 to map the KeyUsage extension values to Oracle PKI certificate usages:

Table 5-2 OWM Import of User Certificate to an Oracle Wallet  

KeyUsage Value	Critical?Foot 1	Usage
none	na	Certificate is importable for SSL or S/MIME encryption use.
0 alone, or any combination including 0 but excluding 5 and 2	na	Accept certificate for S/MIME signature or code-signing use.
1 alone	Yes	Not importable.
	No	Accept certificate for S/MIME signature or code-signing use.
2 alone, or 2 + any combination excluding 5	na	Accept certificate for SSL or S/MIME encryption use.
5 alone, or any combination including 5	na	Accept certificate for CA certificate signing use.
Any settings not listed above	Yes	Not importable.
	No	Certificate is importable for SSL or S/MIME encryption use.

1 If the KeyUsage extension is critical, the certificate cannot be used for other purposes.

Table 5-3 OWM Import of Trusted Certificates to an Oracle Wallet  

KeyUsage Value	Critical?Foot 1	Usage
none	na	Importable.
Any combination excluding 5	Yes	Not importable.
	No	Importable.
5 alone, or any combination including 5	na	Importable.

1 If the KeyUsage extension is critical, the certificate cannot be used for other purposes.

You should obtain certificates from the certificate authority with the correct KeyUsage value for the required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages, as indicated by Tables 5-2 and 5-3. Oracle PKI applications use the first certificate containing the required PKI certificate usage.

For example: For SSL usage, the first certificate containing the SSL Oracle PKI certificate usage is used.

Note: SSL Oracle PKI Certificate Usage is the only usage supported by Oracle PKI applications.

LDAP Directory Support

Oracle Wallet Manager can upload wallets to--and retrieve them from--an LDAP-compliant directory, such as Oracle Internet Directory.

Storing wallets in a centralized LDAP-compliant directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication--while providing centralized wallet management throughout the wallet life cycle. To prevent accidental over-write of functional wallets, only wallets containing a functional certificate can be uploaded.

Oracle Wallet Manager requires that enterprise users are already defined and configured in the LDAP directory, to be able to upload or download wallets. If a directory contains Oracle8i (or prior) users, they are automatically upgraded to use the wallet upload/download feature--upon first use.

See Also: Oracle Advanced Security Administrator's Guide in the Oracle Database Documentation Library for information about creating enterprise users.

Oracle Wallet Manager downloads a user wallet using a simple password-based connection to the LDAP directory. However, for uploads it uses an SSL connection if the open wallet contains a certificate with SSL Oracle PKI certificate usage.

See Also: Multiple Certificate Support, for more information about Oracle PKI certificate user.

If an SSL certificate is not present in the wallet, password-based authentication is used.

Note: The directory password and the wallet password are independent, and can be different. Oracle recommends that these passwords are maintained to be consistently different, where neither one can logically be derived from the other.

Managing Wallets

This section describes how to create a new wallet and perform associated wallet management tasks, such as generating certificate requests, exporting certificate requests, and importing certificates into wallets, in the following subsections:

• Starting Oracle Wallet Manager

• Creating a New Wallet

• Opening an Existing Wallet

• Closing a Wallet

• Saving Changes

• Saving the Open Wallet to a New Location

• Saving in System Default

• Deleting the Wallet

• Changing the Password

• Using Auto Login

• LDAP Directory Support

Starting Oracle Wallet Manager

To start Oracle Wallet Manager:

• Microsoft NT:

  Select Start-->Programs-->Oracle-ORACLE_HOME-->Network Administration-->Wallet Manager

• UNIX: Enter owm at the command line.

Creating a New Wallet

Create a new wallet as follows:

1. Choose Wallet > New from the menu bar; the New Wallet dialog box appears.

2. Follow the required guidelines for creating a password and enter a password in the Wallet Password field.

   Because an Oracle wallet contains user credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong wallet password. A malicious user who guesses the wallet password can access all the databases to which the wallet owner has access.

   Caution: It is strongly recommended that users avoid choosing easily guessed passwords based on user names, phone numbers, or government identification numbers, such as "admin0," "oracle1," or "2135551212A." This prevents a potential attacker from using personal information to deduce the users' passwords. It is also a prudent security practice for users to change their passwords periodically, such as once per month or once per quarter.

   See Also: Wallet Password Management.

3. Re-enter that password in the Confirm Password field.

4. Choose OK to continue.

5. An Alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to create a certificate request.

   See also: Adding a Certificate Request

   If you choose Cancel, you are returned to the Oracle Wallet Manager main window. The new wallet you just created appears in the left window pane. The certificate has a status of Empty, and the wallet displays its default trusted certificates.

6. Select Wallet > Save In System Default to save the new wallet.

   If you do not have permission to save the wallet in the system default, you can save it to another location.

   A message at the bottom of the window informs you that the wallet was successfully saved.

Opening an Existing Wallet

Open a wallet that already exists in the file system directory as follows:

1. Choose Wallet > Open from the menu bar; the Select Directory dialog box appears.

2. Navigate to the directory location in which the wallet is located, and select the directory.

3. Choose OK; the Open Wallet dialog box appears.

4. Enter the wallet password in the Wallet Password field.

5. Choose OK.

6. The message Wallet opened successfully appears at the bottom of the window, and you are returned to the Oracle Wallet Manager main window. The wallet's certificate and its trusted certificates are displayed in the left window pane.

Closing a Wallet

To close an open wallet in the currently selected directory:

• Choose Wallet > Close.

• The message Wallet closed successfully appears at the bottom of the window, to confirm that the wallet is closed.

Saving Changes

To save your changes to the current open wallet:

• Choose Wallet > Save.

• A message at the bottom of the window confirms that the wallet changes were successfully saved to the wallet in the selected directory location.

Saving the Open Wallet to a New Location

Use the Save As option to save the current open wallet to a new directory location:

1. Choose Wallet > Save As; the select directory dialog box appears.

2. Select a directory location to save the wallet.

3. Choose OK.

   The following message appears if a wallet already exists in the selected directory:

   A wallet already exists in the selected path. Do you want to overwrite it?.

   Choose Yes to overwrite the existing wallet, or No to save the wallet to another directory.

   A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.

Saving in System Default

Use the Save in System Default menu option to save the current open wallet to the system default directory location. This makes the current open wallet the wallet that is used by SSL:

• Choose Wallet > Save in System Default.

• A message at the bottom of the window confirms that the wallet was successfully saved in the system default wallet location.

Deleting the Wallet

To delete the current open wallet:

1. Choose Wallet > Delete; the Delete Wallet dialog box appears.

2. Review the displayed wallet location to verify you are deleting the correct wallet.

3. Enter the wallet password.

4. Choose OK; a dialog panel appears to inform you that the wallet was successfully deleted.

   Note: Any open wallet in application memory will remain in memory until the application exits. Therefore, deleting a wallet that is currently in use does not immediately affect system operation.

Changing the Password

A password change is effective immediately. The wallet is saved to the currently selected directory, with the new encrypted password.To change the password for the current open wallet:

1. Choose Wallet > Change Password; the Change Wallet Password dialog box appears.

2. Enter the existing wallet password.

3. Enter the new password.

   See Also: Wallet Password Management, for password policy restrictions.

4. Re-enter the new password.

5. Choose OK.

A message at the bottom of the window confirms that the password was successfully changed.

Using Auto Login

The Oracle Wallet Manager Auto Login feature creates an obfuscated copy of the wallet and enables PKI-based access to services without a password until the Auto Login feature is disabled for the wallet. When Auto Login is enabled for a wallet, it is only available to the operating system user who created that wallet.

You must enable Auto Login if you want single sign-on access to multiple Oracle databases (disabled by default).

Enabling Auto Login

To enable Auto Login:

1. Choose Wallet from the menu bar.

2. Choose the check box next to the Auto Login menu item; a message at the bottom of the window displays Autologin enabled.

Disabling Auto Login

To disable Auto Login:

1. Choose Wallet from the menu bar.

2. Choose the check box next to the Auto Login menu item; a message at the bottom of the window displays Autologin disabled.

Managing Certificates

Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. This section describes how to manage both certificate types, in the following subsections:

• Managing User Certificates

• Managing Trusted Certificates

  Note: You must first install a trusted certificate from the certificate authority before you can install a user certificate issued by that authority. Several trusted certificates are installed by default when you create a new wallet.

Managing User Certificates

Managing user certificates involves the following tasks:

• Adding a Certificate Request

• Importing the User Certificate into the Wallet

• Removing a User Certificate from a Wallet

• Removing a Certificate Request

• Exporting a User Certificate

• Exporting a User Certificate Request

Adding a Certificate Request

You can use this task to add multiple certificate requests. Note that when creating multiple requests, Oracle Wallet Manager automatically populates each subsequent request dialog box with the content of the initial request--which you can then edit.

The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you cannot edit an existing certificate request; store only a correctly filled out certificate request in a wallet.

To create a PKCS #10 certificate request:

1. Choose Operations > Create Certificate Request; the Create Certificate Request dialog box appears.

2. Enter the following information (Table 5-4):

   Table 5-4 Certificate Request: Fields and Descriptions  

   Field Name	Description
   Common Name	Mandatory. Enter the name of the user's or service's identity. Enter a user's name in first name /last name format.
   Organizational Unit	Optional. Enter the name of the identity's organizational unit. Example: Finance.
   Organization	Optional.Enter the name of the identity's organization. Example: XYZ Corp.
   Locality/City	Optional. Enter the name of the locality or city in which the identity resides.
   State/Province	Optional. Enter the full name of the state or province in which the identity resides. Enter the full state name, because some certificate authorities do not accept two-letter abbreviations.
   Country	Mandatory. Choose the drop-down list to view a list of country abbreviations. Select the country in which the organization is located.
   Key Size	Mandatory. Choose the drop-down box to view a list of key sizes to use when creating the public/private key pair.
   Advanced	Optional. Choose Advanced to view the Advanced Certificate Request dialog panel. Use this field to edit or customize the identity's distinguished name (DN). For example, you can edit the full state name and locality.

3. Choose OK. An Oracle Wallet Manager dialog box informs you that a certificate request was successfully created. You can either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message to send to a certificate authority, or you can export the certificate request to a file.

4. Choose OK. You are returned to the Oracle Wallet Manager main window; the status of the certificate is changed to Requested.

Importing the User Certificate into the Wallet

You will receive an e-mail notification from the certificate authority informing you that your certificate request has been fulfilled. Import the certificate into a wallet in either of two ways: copy and paste the certificate from the e-mail you receive from the certificate authority, or import the user certificate from a file.

Pasting the Certificate

To paste the certificate:

1. Copy the certificate text from the e-mail message or file you receive from the certificate authority. Include the lines Begin Certificate and End Certificate.

2. Choose Operations > Import User Certificate from the menu bar; the Import Certificate dialog box appears.

3. Choose the Paste the Certificate button, and choose OK; an Import Certificate dialog box appears with the following message:

   Please provide a base64 format certificate and paste it below.

4. Paste the certificate into the dialog box, and choose OK. A message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the wallet status changes to Ready.

Selecting a File that Contains the Certificate

To select the file:

1. Choose Operations > Import User Certificate from the menu bar.

2. Choose the Select a file... certificate button, and choose OK; the Import Certificate dialog box appears.

3. Enter the path or folder name of the certificate location.

4. Select the name of the certificate file (for example, cert.txt).

5. Choose OK. A message at the bottom of the window appears, to inform you that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the wallet status is changes to Ready.

Removing a User Certificate from a Wallet

1. Choose Operations > Remove User Certificate; a dialog panel appears and prompts you to verify that you want to remove the user certificate from the wallet.

2. Choose Yes; you are returned to the Oracle Wallet Manager main panel, and the certificate displays a status of Requested.

Removing a Certificate Request

To remove a certificate request:

1. Choose Certificate Request.

2. Select menu item Remove Certificate Request.

   Note: You must remove a certificate before removing its associated request.

Exporting a User Certificate

Save the certificate in a file system directory when you elect to export a certificate:

1. Choose Operations > Export User Certificate from the menu bar; the Export Certificate dialog box appears.

2. Enter the file system directory to save your certificate in, or navigate to the directory structure under Folders.

3. Enter a file name to save your certificate, in the Enter File Name field.

4. Choose OK. A message at the bottom of the window confirms that the certificate was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.

Exporting a User Certificate Request

Save the certificate request in a file system directory when you elect to export a certificate request:

1. Choose Operations > Export Certificate Request from the menu bar; the Export Certificate Request dialog box appears.

2. Enter the file system directory in which you want o save your certificate request, or navigate to the directory structure under Folders.

3. Enter a file name to save your certificate request, in the Enter File Name field.

4. Choose OK. A message at the bottom of the window confirms that the certificate request was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.

Managing Trusted Certificates

Managing trusted certificates includes the following tasks:

• Importing a Trusted Certificate

• Removing a Trusted Certificate

• Exporting a Trusted Certificate

• Exporting All Trusted Certificates

• Exporting a Wallet

Importing a Trusted Certificate

You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file.

Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet.

Pasting the Trusted Certificate

To paste the trusted certificate:

1. Choose Operations > Import Trusted Certificate from the menu bar; the Import Trusted Certificate dialog panel appears.

2. Choose the Paste the Certificate button, and choose OK. An Import Trusted Certificate dialog panel appears with the following message:

   Please provide a base64 format certificate and paste it below.

3. Copy the trusted certificate from the body of the e-mail message you received that contained the user certificate. Include the lines Begin Certificate and End Certificate.

4. Paste the certificate into the window, and Choose OK. A message at the bottom of the window informs you that the trusted certificate was successfully installed.

5. Choose OK; you are returned to the Oracle Wallet Manager main panel, and the trusted certificate appears at the bottom of the Trusted Certificates tree.

Selecting a File that Contains the Trusted Certificate

To select the file:

1. Choose Operations > Import Trusted Certificate from the menu bar. The Import Trusted Certificate dialog panel appears.

2. Enter the path or folder name of the trusted certificate location.

3. Select the name of the trusted certificate file (for example, cert.txt).

4. Choose OK. A message at the bottom of the window informs you that the trusted certificate was successfully imported into the wallet.

5. Choose OK to exit the dialog panel; you are returned to the Oracle Wallet Manager main panel, and the trusted certificate appears at the bottom of the Trusted Certificates tree.

Removing a Trusted Certificate

To remove a trusted certificate from a wallet:

1. Select the trusted certificate listed in the Trusted Certificates tree.

2. Choose Operations > Remove Trusted Certificate from the menu bar.

   A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.

3. Choose Yes; the selected trusted certificate is removed from the Trusted Certificates tree.

   Note: A certificate that is signed by a trusted certificate is no longer verifiable when you remove it from your wallet. Also, you cannot remove a trusted certificate if it has been used to sign a user certificate that is still present in the wallet. To remove such a trusted certificate, you must first remove the certificates that it has signed.

Exporting a Trusted Certificate

To export a trusted certificate to another file system location:

1. Select Operations > Export Trusted Certificate; the Export Trusted Certificate dialog box appears.

2. Select a file system directory to save your trusted certificate, or choose Browse to display the directory structure.

3. Enter a file name to save your trusted certificate.

4. Choose OK; you are returned to the Oracle Wallet Manager main window.

Exporting All Trusted Certificates

To export all of your trusted certificates to another file system location:

1. Choose Operations > Export All Trusted Certificates. The Export Trusted Certificate dialog box appears.

2. Select the file system directory to save your trusted certificates, or choose Browse to display the directory structure.

3. Enter a file name to save your trusted certificates.

4. Choose OK; you are returned to the Oracle Wallet Manager main window.

Exporting a Wallet

You can export a wallet to text-based PKI formats. Individual components are formatted according to the following standards (Table 5-5):

Table 5-5 PKI Wallet Encoding Standards  

Component	Encoding Standard
Certificate chains	X509v3
Trusted certificates	X509v3
Private keys	PKCS #8