orapki: add crt and key to wallet (Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Version 19.12.0.0.0, Redhat Linux 6)
orapki: add crt and key to wallet [message #686129] Wed, 22 June 2022 03:47
fixxxer
Messages: 42
Registered: August 2014
Member
Hi,

I am trying to configure an API call from our Oracle DB to the application server. I have:


1. Opened Firewall from DB Server to application server on the correct ports.
2. Added the application p12 file to an Oracle wallet. The application team gave me the p12 file, and I simply renamed it to ewallet.p12, as the documentation says you should be able to do this.
3. Configured ACL settings like below:

EXEC dbms_network_acl_admin.create_acl (acl => 'http.xml', description => 'HTTP Access', principal => 'MYUSERNAME', is_grant => TRUE, privilege => 'connect', start_date => null, end_date => null);

EXEC dbms_network_acl_admin.add_privilege (acl => 'http.xml', principal => 'MYUSERNAME', is_grant => TRUE, privilege => 'resolve', start_date => null, end_date => null);

EXEC dbms_network_acl_admin.assign_acl (acl  => 'http.xml', host => 'appserver.com', lower_port => 8443, upper_port => 8443);
4. Testing connection:

set serveroutput on

DECLARE

  lo_req  UTL_HTTP.req;

  lo_resp UTL_HTTP.resp;

BEGIN

  UTL_HTTP.SET_WALLET ('file:/u01/app/oracle/wallet','password');
  
  lo_req := UTL_HTTP.begin_request('https://appserver.com:8443/test');
  
  lo_resp := UTL_HTTP.get_response(lo_req);
  
  dbms_output.put_line(lo_resp.status_code);
  
  UTL_HTTP.end_response(lo_resp);

END;

/
I am getting this error:


DECLARE
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-29005: The certificate is invalid.
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1148
ORA-06512: at line 11
If I load the p12 file into Chrome certificates, with the same password, this API call works fine; I am assuming this error is due to how I just added the file to the wallet location and renamed it to ewallet.p12.

Is there a step I am missing/doing wrong? I have the raw crt and key files, but I am not 100% sure on how to create a wallet with the crt and key.
Re: orapki: add crt and key to wallet [message #686130 is a reply to message #686129] Wed, 22 June 2022 03:56
John Watson
Messages: 8781
Registered: January 2010
Location: Global Village
Senior Member
They've probably given you a wallet with the wrong certificate. What you need is the trusted certificate of the certificate issuer. What certificate(s) are in it? You find out like this, for example:
C:\Users\john>cd \tmp

C:\tmp>cd wallet

C:\tmp\wallet>dir
 Volume in drive C is OS
 Volume Serial Number is 4454-E531

 Directory of C:\tmp\wallet

20/06/2022  09:37    <DIR>          .
20/06/2022  09:37    <DIR>          ..
20/06/2022  09:37            28,181 cwallet.sso
20/06/2022  09:37                 0 cwallet.sso.lck
20/06/2022  09:37            28,136 ewallet.p12
20/06/2022  09:37                 0 ewallet.p12.lck
24/05/2022  08:48    <DIR>          tde
               4 File(s)         56,317 bytes
               3 Dir(s)  163,125,022,720 bytes free

C:\tmp\wallet>orapki wallet display -wallet .
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Trusted Certificates:
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust\, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust\, Inc.,C=US
Subject:        CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
Subject:        CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
Subject:        CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
Subject:        CN=DST Root CA X3,O=Digital Signature Trust Co.
Subject:        CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Subject:        CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Subject:        CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
Subject:        CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
Subject:        CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Subject:        CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
Subject:        CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Subject:        CN=Amazon Root CA 1,O=Amazon,C=US
Subject:        CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
Subject:        CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Subject:        CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Subject:        CN=aop.skillbuilders.com
Subject:        CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Subject:        CN=Symantec Class 3 Secure Server SHA256 SSL CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US
Subject:        CN=DigiCert Global CA G2,O=DigiCert Inc,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

C:\tmp\wallet>
Note that there are no user certs, only various trusted certs.
Re: orapki: add crt and key to wallet [message #686131 is a reply to message #686130] Wed, 22 June 2022 04:06
fixxxer
Messages: 42
Registered: August 2014
Member
Thanks a lot for the reply. Information below:

$ orapki wallet display -wallet .
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Requested Certificates:
User Certificates:
Subject:        CN=########OU=########O=########C=US,ST=########,L=########
Trusted Certificates:
Subject:        CN=TEST ######## Info Delivery Root CA,OU=########,O=########,C=US
Subject:        CN=########,OU=Applied Cryptography,O=########,C=US,EMAIL=########

Re: orapki: add crt and key to wallet [message #686132 is a reply to message #686131] Wed, 22 June 2022 04:13
John Watson
Messages: 8781
Registered: January 2010
Location: Global Village
Senior Member
Well, the User certificate shouldn't be there. That's for sure. As to whether the trusted certificates include the one you need, I couldn't say. However, you can: browse to the application server's web listener, look at its certificate and see if the root certificate at the top of the certificate path is one of those two. You need the top certificate only, not any intermediate ones, and certainly not the site's own certificate.
Re: orapki: add crt and key to wallet [message #686133 is a reply to message #686132] Wed, 22 June 2022 05:48
fixxxer
Messages: 42
Registered: August 2014
Member
Thanks, John. If I have the root certificate, and the key, how do I create a wallet from them?
Re: orapki: add crt and key to wallet [message #686134 is a reply to message #686132] Wed, 22 June 2022 07:12
fixxxer
Messages: 42
Registered: August 2014
Member
What I have done now is:

1. Created a wallet and added root certificate.
orapki wallet create -wallet "${ORACLE_WALLET_LOC}" -compat_v12 -pwd "${ORACLE_WALLET_PWD}"
orapki wallet add -wallet "${ORACLE_WALLET_LOC}" -trusted_cert -cert "${CERT_FILES_LOC}/root.cer" -pwd "${ORACLE_WALLET_PWD}"
2. Extracted the custom cert from the p12 file.
openssl pkcs12 -clcerts -nokeys -in /tmp/app.p12 -out "${CERT_FILES_LOC}/custom.cer" -password pass:########
3. Import the private key using the custom.cer.
orapki wallet import_private_key -wallet "${ORACLE_WALLET_LOC}" -pvtkeyfile "${CERT_FILES_LOC}/app.key"  -cert "${CERT_FILES_LOC}/custom.cer" -pwd "${ORACLE_WALLET_PWD}"
This step is failing with:

Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved.

Enter private key password:
PKI-07014: Unable to import private key. Header not present in private key

[Updated on: Wed, 22 June 2022 07:13]


Re: orapki: add crt and key to wallet [message #686137 is a reply to message #686134] Wed, 22 June 2022 13:33
John Watson
Messages: 8781
Registered: January 2010
Location: Global Village
Senior Member
Perhaps I don't understand what you are trying to do. But! Your step (1) above should be all that is necessary. It will let the database accept the certificate presented by the web service. What more would you need?

[Updated on: Wed, 22 June 2022 13:33]


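Putting John's advice (add only the root of the server's certificate path as a trusted cert) and the failing import_private_key step together, here is an added example script; it is mine, not from the thread, from Oracle, or from either poster. It takes a PKCS#12 file, extracts the client certificate, the CA certificates and the private key with openssl, picks the self-signed certificate as the trust anchor, re-encodes the key so the file starts with a plain PEM private-key header, checks that key and certificate belong together, and prints the orapki commands already used in the thread (orapki is not run here). Assumptions: POSIX sh and an openssl binary; the CA names, the p12 password "secret", the wallet path /u01/app/oracle/wallet and the wallet-password placeholder are constructed for the demo, and the script builds its own throwaway three-level chain so it runs offline. Two caveats: "subject equals issuer" is a heuristic for the root (cross-signed CAs need a look at what the server actually presents, e.g. with openssl s_client -showcerts), and the private-key step is only relevant if the API authenticates the database with a client certificate, which the thread does not establish.

```shell
#!/bin/sh
# Added example, not code from the thread. Names, paths and the password
# "secret" are constructed for the demo.
set -eu

# Split a PEM bundle (e.g. "openssl pkcs12 -cacerts" output) into
# $2/chain-1.pem, $2/chain-2.pem, ... one certificate per file.
split_certs() {  # $1 bundle, $2 output dir
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$1"
}

# Pull the client cert, the CA certs and the private key out of a p12.
# The key is re-encoded with "openssl pkey" so the file begins with the
# PEM header rather than "Bag Attributes" lines (assumed to be what
# orapki -pvtkeyfile wants); it is written unencrypted, so keep it 0600
# and delete it after the import.
extract_from_p12() {  # $1 p12 file, $2 p12 password, $3 output dir
  umask 077
  mkdir -p "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/client.cer"
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/cacerts.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/raw.key"
  openssl pkey -in "$3/raw.key" -out "$3/app.key"
  rm -f "$3/raw.key"
  split_certs "$3/cacerts.pem" "$3"
}

# The trust anchor is the top of the path: the self-signed cert
# (subject == issuer). Prints its file name; intermediates are skipped.
find_root_cert() {  # $1 dir containing chain-*.pem
  for f in "$1"/chain-*.pem; do
    [ -f "$f" ] || continue
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then printf '%s\n' "$f"; return 0; fi
  done
  echo "no self-signed certificate found in $1" >&2
  return 1
}

# True when the first line is a "-----BEGIN ... PRIVATE KEY-----" header and
# openssl can parse the (unencrypted) key.
key_has_pem_header() {  # $1 key file
  head -n 1 "$1" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' \
    && openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# True when key and certificate carry the same public key; orapki
# import_private_key pairs -pvtkeyfile with -cert, so check before importing.
key_matches_cert() {  # $1 key file, $2 cert file
  k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The orapki steps from the thread. Only the -trusted_cert step is needed for
# the database to verify the server; the key import is for client-certificate
# (mutual TLS) authentication only. Omit -pwd to be prompted instead of
# leaving the password in shell history and ps output.
wallet_steps() {  # $1 wallet dir, $2 wallet pwd, $3 root cert, $4 client cert, $5 key
  cat <<EOF
orapki wallet create -wallet "$1" -compat_v12 -pwd "$2"
orapki wallet add -wallet "$1" -trusted_cert -cert "$3" -pwd "$2"
# only if the API requires a client certificate from the database:
orapki wallet import_private_key -wallet "$1" -pvtkeyfile "$5" -cert "$4" -pwd "$2"
orapki wallet display -wallet "$1" -pwd "$2"
EOF
}

# Constructed stand-in for the application team's p12: root CA -> issuing CA
# -> client cert, plus the client key, p12 password "secret".
build_test_p12() {  # $1 work dir
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Issuing CA" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=app-client" \
    -keyout "$1/app.key" -out "$1/app.csr" 2>/dev/null
  openssl x509 -req -in "$1/app.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
    -CAcreateserial -days 1 -out "$1/app.crt" 2>/dev/null
  cat "$1/int.crt" "$1/ca.crt" > "$1/chain.pem"
  openssl pkcs12 -export -name app-client -inkey "$1/app.key" -in "$1/app.crt" \
    -certfile "$1/chain.pem" -passout pass:secret -out "$1/app.p12"
}

main() {
  work=$(mktemp -d)
  build_test_p12 "$work"
  extract_from_p12 "$work/app.p12" secret "$work/out"
  root=$(find_root_cert "$work/out")
  echo "trust anchor for -trusted_cert: $root"
  openssl x509 -in "$root" -noout -subject -nameopt RFC2253
  key_has_pem_header "$work/out/app.key" || { echo "app.key is not a PEM key" >&2; exit 1; }
  key_matches_cert "$work/out/app.key" "$work/out/client.cer" || { echo "key/cert mismatch" >&2; exit 1; }
  wallet_steps /u01/app/oracle/wallet '<wallet-password>' "$root" "$work/out/client.cer" "$work/out/app.key"
}

if [ "${1:-}" = "demo" ]; then main; fi
```

Run it as `sh wallet-prep.sh demo`; on a real handover, call extract_from_p12 on the team's file instead of build_test_p12 and compare the printed trust anchor with the root at the top of the path the application server's listener shows in a browser, as John suggests. If only the server needs to be verified, stop after the -trusted_cert line.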