Oracle Internet Directory Administrator's Guide Release 9.0.2 Part Number A95192-01 |
|
Security administrators use Oracle Wallet Manager to manage public-key security credentials on Oracle clients and servers. The wallets it creates are opened by using either the Oracle Enterprise Login Assistant or the Oracle Wallet Manager.
This chapter describes the Oracle Wallet Manager, in the following sections:
Traditional private-key or symmetric-key cryptography requires that entities desiring to establish secure communications possess a single secret key known only to them. Harriet and Dick, for example, could agree to shift each letter in their private messages by two character positions (A becomes C, B becomes E, and so on) to encrypt the message text. Using this method, a HELLO message from Harriet to Dick would read JGNNP. The actual encryption methods in current use are much more complex and significantly more secure, but an underlying problem remains--sending messages encrypted with a single key requires prior, secure distribution of the key to each participating party. Otherwise, a malicious third party might obtain the key, intercept communications, and compromise security. Public-key cryptography addresses this problem, by providing a secure method for key distribution.
Public-key cryptography requires a party to possess a public/private key pair. The private key is kept secret and is known only to that party. The public key, as the name implies, is freely available. To send a secret message to this party requires that a third party sender encrypt the message with the public key. Such a message can only be decrypted by a party holding the associated private key.
For example, when Dick wants to send a secure message to Harriet, he first asks Harriet for her public key (or obtains it from another, public source). Harriet gives Dick the public key, but Tom, a malicious eavesdropper, also obtains the public key. Nevertheless, when Dick sends Harriet a message encrypted with her public key, Tom cannot decrypt it; the message can only be decrypted with Harriet's private key.
Public-key algorithms thus guarantee the secrecy of a message, but they don't guarantee secure communications because they don't verify the identities of the communicating parties. In order to establish secure communications, it is important to verify that the public key used to encrypt a message does in fact belong to the target recipient. Otherwise, a third party can potentially eavesdrop on the communication and intercept public key requests, substituting its public key for a legitimate key.
If Tom, for example, is able to substitute his public key for Harriet's public key and send it to Dick, Dick might then send a message to Harriet encrypted with Tom's public key--believing he was using Harriet's public key. Tom could then decrypt a subsequent intercepted message from Dick using his private key, re-encrypt it with Harriet's public key and re-transmit it to Harriet. Harriet could then decrypt the incoming message using her private key, and never know that it had been intercepted by Tom.
In order to avoid such a man-in-the-middle attack, it is necessary to verify the owner of the public key, a process called authentication. This authentication can be accomplished through a certificate authority (CA).
A CA is a third party that is trusted by both of the parties attempting secure communication. The CA issues public key certificates that contain an entity's name, public key, and certain other security credentials. Such credentials typically include the CA name, the CA signature, and the certificate effective dates (From Date, To Date).
The CA uses its private key to encrypt a message, while the public key is used to decrypt it, thus verifying that the message was encrypted by the CA. The CA public key is well known, and does not have to be authenticated each time it is accessed. Such CA public keys are stored in a wallet.
Oracle Wallet Manager is a stand-alone Java application that wallet owners use to manage and edit the security credentials in their Oracle wallets. These tasks include the following:
This section describes how to create a new wallet and perform associated wallet management tasks, such as generating certificate requests, exporting certificate requests, and importing certificates into wallets, in the following subsections:
To start Oracle Wallet Manager:
Enter owm
at the command line.
Press Start > ORACLE_HOME > Network Administration > Wallet Manager
Create a new wallet as follows:
Wallet > New
from the menu bar; the New Wallet dialog box appears.
Because an Oracle wallet contains a user's credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong password for the wallet. A malicious user who guesses the password to a user's wallet can access all the databases that the user can access.
Oracle Corporation recommends that you choose a password that is not too short, not easily guessed, and is reasonably complex. A reasonably complex password has at least six characters, and contains at least one symbol or number--so that it will not be found in a dictionary.
Example: gol8fer
It is also a prudent security practice for users to change their passwords periodically, such as once a month, or once a quarter.
OK
to continue.
If you choose Cancel, you are returned to the Oracle Wallet Manager main window. The new wallet you just created appears in the left window pane. The certificate has a status of Empty
, and the wallet displays its default trusted certificates.
Wallet > Save In System Default
to save the new wallet.
If you do not have permission to save the wallet in the system default, you can save it to another location.
A message at the bottom of the window informs you that the wallet was successfully saved.
Open a wallet that already exists in the file system directory as follows:
Wallet > Open
from the menu bar; the Select Directory dialog box appears.
OK
.
Wallet opened successfully
appears at the bottom of the window, and you are returned to the Oracle Wallet Manager main window. The wallet's certificate and its trusted certificates are displayed in the left window pane.
To close an open wallet in the currently selected directory:
Wallet > Close
.
Wallet closed successfully
appears at the bottom of the window, to confirm that the wallet is closed.
To save your changes to the current open wallet:
Wallet > Sav
e.
Use the Save As
option to save the current open wallet to a new directory location:
Wallet > Save As
. The select directory dialog box appears.
OK
.
The following message appears if a wallet already exists in the selected directory:
A wallet already exists in the selected path. Do you want to overwrite it?.
Choose Yes
to overwrite the existing wallet, or No
to save the wallet to another directory.
A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.
Use the Save in System Default
menu option to save the current open wallet to the system default directory location. This makes the current open wallet the wallet that is used by SSL:
Wallet > Save in System Default
.
To delete the current open wallet:
Wallet > Delete
; the Delete Wallet
dialog box appears.
OK
; a dialog panel appears to inform you that the wallet was successfully deleted.
A password change is effective immediately. The wallet is saved to the currently selected directory, with the new encrypted password.To change the password for the current open wallet:
Wallet > Change Password;
the Change Wallet Password
dialog box appears.
OK
.
A message at the bottom of the window confirms that the password was successfully changed.
The Oracle Wallet Manager Auto Login feature opens a copy of the wallet and enables PKI-based access to secure services--as long as the wallet in the specified directory remains open in memory.
You must enable Auto Login if you want single sign-on access to multiple Oracle databases.
To enable Auto Login:
Wallet
from the menu bar.
Autologin enabled
.
To disable Auto Login:
Wallet
from the menu bar.
Autologin disabled
.
When using the Oracle Application Server (OAS), you must install the Oracle Wallet Manager on a primary node and on each remote node in a multi-node configuration. After you install the product on each node you must then copy the wallet from the primary node to each of the remote nodes.
Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. This section describes how to manage both certificate types, in the following subsections:
Managing user certificates involves the following tasks:
The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you cannot edit an existing certificate request; store only a correctly filled out certificate request in a wallet.
To create a PKCS #10 certificate request:
Operations > Create Certificate Request
; the Create Certificate Request
dialog box appears.
Table D-1 Certificate Request: Fields and Descriptions
OK
. An Oracle Wallet Manager dialog box informs you that a certificate request was successfully created. You can either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message to send to a certificate authority, or you can export the certificate request to a file.
OK
. You are returned to the Oracle Wallet Manager main window; the status of the certificate is changed to Requested
.
Save the certificate request in a file system directory when you elect to export a certificate request:
Operations > Export Certificate Request
from the menu bar; the Export Certificate Request dialog box appears.
OK
. A message at the bottom of the window confirms that the certificate request was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.
You will receive an e-mail notification from the certificate authority informing you that your certificate request has been fulfilled. Import the certificate into a wallet in either of two ways: copy and paste the certificate from the e-mail you receive from the certificate authority, or import the user certificate from a file.
To paste the certificate:
Begin Certificate
and End Certificate.
Operations > Import User Certificate
from the menu bar; the Import Certificate dialog box appears.
Paste the Certificate
button, and choose OK
; an Import Certificate dialog box appears with the following message:
Please provide a base64 format certificate and paste it below.
OK
. A message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the wallet status changes to Ready
.
To select the file:
Operations > Import User Certificate
from the menu bar.
Select a file...
certificate button, and choose OK
; the Import Certificate dialog box appears.
cert.txt
).
OK
. A message at the bottom of the window appears, to inform you that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the wallet status is changes to Ready
.
Operations > Remove User Certificate
; a dialog panel appears and prompts you to verify that you want to remove the user certificate from the wallet.
Yes
; you are returned to the Oracle Wallet Manager main panel, and the certificate displays a status of Requested
.
Managing trusted certificates includes the following tasks:
You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file.
Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, and GTE CyberTrust Entrust when you create a new wallet.
To paste the trusted certificate:
Operations > Import Trusted Certificate
from the menu bar; the Import Trusted Certificate dialog panel appears.
Paste the Certificate
button, and choose OK
. An Import
Trusted Certificate dialog panel appears with the following message:
Please provide a base64 format certificate and paste it below.
Begin Certificate
and End Certificate.
OK
. A message at the bottom of the window informs you that the trusted certificate was successfully installed.
OK
; you are returned to the Oracle Wallet Manager main panel, and the trusted certificate appears at the bottom of the Trusted Certificates tree.
To select the file:
Operations > Import Trusted Certificate
from the menu bar. The Import Trusted Certificate dialog panel appears.
cert.txt)
.
OK
. A message at the bottom of the window informs you that the trusted certificate was successfully imported into the wallet.
OK
to exit the dialog panel; you are returned to the Oracle Wallet Manager main panel, and the trusted certificate appears at the bottom of the Trusted Certificates tree.
To remove a trusted certificate from a wallet:
Operations > Remove Trusted Certificate
from the menu bar.
A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.
Yes
; the selected trusted certificate is removed from the Trusted Certificates tree.
To export a trusted certificate to another file system location:
Operations > Export Trusted Certificate
; the Export Trusted Certificate dialog box appears.
Browse
to display the directory structure.
OK
; you are returned to the Oracle Wallet Manager main window.
To export all of your trusted certificates to another file system location:
Operations > Export All Trusted Certificates
. The Export Trusted Certificate dialog box appears.
Browse
to display the directory structure.
OK
; you are returned to the Oracle Wallet Manager main window.
You can export a wallet to text-based PKI formats. Individual components are formatted according to the following standards (Table D-2):
Component | Encoding Standard |
---|---|
Certificate chains |
X509v3 |
Trusted certificates |
X509v3 |
Private keys |
PKCS5 |
|
Copyright © 1999, 2002 Oracle Corporation. All Rights Reserved. |
|