Oracle® Database Advanced Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10772-01

8
Using Oracle Wallet Manager

Security administrators use Oracle Wallet Manager to manage public key security credentials on Oracle clients and servers. The wallets it creates can be read by Oracle Database, Oracle Application Server 10g, and the Oracle Identity Management infrastructure.

This chapter describes Oracle Wallet Manager, and contains the following topics:

Oracle Wallet Manager Overview

Oracle Wallet Manager is an application that wallet owners use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform basic tasks such as creating wallets, generating certificate requests, and opening wallets to access PKI-based services. In addition, Oracle Wallet Manager can save credentials to hardware security modules by using APIs which comply to the Public-Key Cryptography Standards #11 (PKCS #11) specification. Oracle Wallet Manager can be used to upload wallets to and download them from an LDAP directory. Oracle Wallet Manager can also be used to import third-party PKCS #12-format wallets, and export Oracle wallets to a third-party environment.

Oracle Wallet Manager provides the following features:

Wallet Password Management

Oracle wallets are password protected. Oracle Wallet Manager includes an enhanced wallet password management module that enforces Password Management Policy guidelines, including the following:

  • Minimum password length (8 characters)
  • Maximum password length unlimited
  • Alphanumeric character mix required

Strong Wallet Encryption

Oracle Wallet Manager stores private keys associated with X.509 certificates and uses Triple-DES encryption.

Microsoft Windows Registry Wallet Storage

Options Supported:

  • Open wallet from the registry
  • Save wallet to the registry
  • Save As to a different registry location
  • Delete wallet from the registry
  • Open wallet from the file system and save it to the registry
  • Open wallet from the registry and save it to the file system

Backward Compatibility

Oracle Wallet Manager is backward-compatible to Release 8.1.7.

Public-Key Cryptography Standards (PKCS) Support

RSA Laboratories, a division of RSA Security, Inc., has developed, in cooperation with representatives from industry, academia, and government, a family of basic cryptography standards called Public-Key Cryptography Standards, or PKCS for short. These standards have been developed to establish interoperability between computer systems that use public-key technology to secure data across intranets and the Internet.

Oracle Wallet Manager stores X.509 certificates and private keys in PKCS #12 format, and generates certificate requests according to the PKCS #10 specification. This makes the Oracle wallet structure interoperable with supported third party PKI applications, and provides wallet portability across operating systems.

Oracle Wallet Manager wallets can be enabled to store credentials on hardware security modules that use APIs that conform to the PKCS #11 specification. When the PKCS11 wallet type is chosen at the time of wallet creation, all keys stored in that wallet are saved to a hardware security module or token, such as smart cards, PCMCIA cards, smart diskettes, or other types of portable hardware devices that store private keys, perform cryptographic operations, or both.

See Also:

Multiple Certificate Support

Oracle Wallet Manager enables you to store multiple certificates for each wallet, supporting the following Oracle PKI certificate usages:

  • SSL
  • S/MIME signature
  • S/MIME encryption
  • Code-Signing
  • CA Certificate Signing

Oracle Wallet Manager supports multiple certificates for a single digital entity, where each certificate can be used for a set of Oracle PKI certificate usages, but the same certificate cannot be used for all such usages (see Table 8-2 and Table 8-3 for legal usage combinations). There must be a one-to-one mapping between certificate requests and certificates. The same certificate request can be used to obtain multiple certificates; however, more than one certificate for each certificate request cannot be installed in the same wallet at the same time.

Oracle Wallet Manager uses the X.509 Version 3 KeyUsage extension to define Oracle PKI certificate usages (Table 8-1):

Table 8-1 KeyUsage Values

  Value  Usage
  0      digitalSignature
  1      nonRepudiation
  2      keyEncipherment
  3      dataEncipherment
  4      keyAgreement
  5      keyCertSign
  6      cRLSign
  7      encipherOnly
  8      decipherOnly

When installing a certificate (user certificate or trusted certificate), Oracle Wallet Manager maps the KeyUsage extension values to Oracle PKI certificate usages as specified in Table 8-2 and Table 8-3.

Table 8-2 Oracle Wallet Manager Import of User Certificates to an Oracle Wallet

  KeyUsage Value | Critical? (1) | Usage
  none | na | Certificate is importable for SSL or S/MIME encryption use.
  0 alone, or any combination including 0 but excluding 5 and 2 | na | Accept certificate for S/MIME signature or code-signing use.
  1 alone | Yes | Not importable.
  1 alone | No | Accept certificate for S/MIME signature or code-signing use.
  2 alone, or 2 + any combination excluding 5 | na | Accept certificate for SSL or S/MIME encryption use.
  5 alone, or any combination including 5 | na | Accept certificate for CA certificate signing use.
  Any settings not listed previously | Yes | Not importable.
  Any settings not listed previously | No | Certificate is importable for SSL or S/MIME encryption use.

(1) If the KeyUsage extension is critical, the certificate cannot be used for other purposes.

Table 8-3 Oracle Wallet Manager Import of Trusted Certificates to an Oracle Wallet

  KeyUsage Value | Critical? (1) | Usage
  none | na | Importable.
  Any combination excluding 5 | Yes | Not importable.
  Any combination excluding 5 | No | Importable.
  5 alone, or any combination including 5 | na | Importable.

(1) If the KeyUsage extension is critical, the certificate cannot be used for other purposes.

You should obtain certificates from the certificate authority with the correct KeyUsage value for the required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages, as indicated by Table 8-2 and Table 8-3. Oracle PKI applications use the first certificate containing the required PKI certificate usage.

For example: For SSL usage, the first certificate containing the SSL Oracle PKI certificate usage is used.

If you do not have a certificate with SSL usage, then an ORA-28885 error (No certificate with required key usage found) is returned.
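The following Python model of the import rules in Tables 8-1 to 8-3 and of the "first certificate with the required usage" selection rule is an added example, not Oracle code; the certificate labels, the sample wallet and the exception class that stands in for ORA-28885 are constructed for illustration.

```python
# Added example (not Oracle's code): models the KeyUsage -> Oracle PKI usage
# mapping of Tables 8-1 to 8-3 and the "first matching certificate" rule.
from dataclasses import dataclass, field

# Table 8-1: X.509v3 KeyUsage bit positions.
KEY_USAGE_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}

SSL_USAGES = {"SSL", "S/MIME encryption"}
SIGN_USAGES = {"S/MIME signature", "Code-Signing"}
CA_USAGES = {"CA Certificate Signing"}


def user_cert_usages(bits, critical):
    """Table 8-2: Oracle PKI usages granted to an imported *user* certificate.

    bits is the set of KeyUsage bit positions present; critical is ignored for
    the rows marked 'na' in the table. Returns an empty set when the
    certificate is not importable.
    """
    bits = frozenset(bits)
    if not bits:                        # row: none
        return set(SSL_USAGES)
    if 5 in bits:                       # row: 5 alone, or any combination including 5
        return set(CA_USAGES)
    if 0 in bits and 2 not in bits:     # row: 0, but excluding 5 and 2
        return set(SIGN_USAGES)
    if bits == {1}:                     # row: 1 alone (critical decides)
        return set() if critical else set(SIGN_USAGES)
    if 2 in bits:                       # row: 2 alone, or 2 + any combination excluding 5
        return set(SSL_USAGES)
    return set() if critical else set(SSL_USAGES)   # any other setting


def trusted_cert_importable(bits, critical):
    """Table 8-3: whether a *trusted* certificate can be imported."""
    bits = frozenset(bits)
    if not bits or 5 in bits:
        return True
    return not critical                 # any combination excluding 5


@dataclass
class WalletCert:
    label: str                          # constructed label, not a wallet field
    key_usage: frozenset
    critical: bool = False
    usages: set = field(init=False)

    def __post_init__(self):
        self.usages = user_cert_usages(self.key_usage, self.critical)


class NoCertificateWithRequiredKeyUsage(Exception):
    """Stands in for the ORA-28885 error described in the text."""


def select_certificate(wallet, required_usage):
    """Return the first wallet certificate whose usages include required_usage."""
    for cert in wallet:
        if required_usage in cert.usages:
            return cert
    raise NoCertificateWithRequiredKeyUsage(
        f"ORA-28885: No certificate with required key usage found ({required_usage})")


# Constructed sample wallet: a signing-only certificate first, then an
# SSL-capable server certificate, then a CA certificate.
SAMPLE_WALLET = [
    WalletCert("signing", frozenset({0, 1}), critical=True),
    WalletCert("server", frozenset({0, 2}), critical=True),
    WalletCert("issuer", frozenset({5, 6}), critical=True),
]

if __name__ == "__main__":
    for usage in ("SSL", "S/MIME signature", "CA Certificate Signing"):
        print(usage, "->", select_certificate(SAMPLE_WALLET, usage).label)
    try:
        select_certificate([SAMPLE_WALLET[0]], "SSL")
    except NoCertificateWithRequiredKeyUsage as err:
        print(err)
```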

LDAP Directory Support

Oracle Wallet Manager can upload wallets to and retrieve them from an LDAP-compliant directory. Storing wallets in a centralized LDAP-compliant directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication while providing centralized wallet management throughout the wallet life cycle. To prevent accidental over-write of functional wallets, only wallets containing an installed certificate can be uploaded.

Directory user entries must be defined and configured in the LDAP directory before Oracle Wallet Manager can be used to upload or download wallets for a user. If a directory contains Oracle8i (or prior) users, they are automatically upgraded to use the wallet upload and download feature on first use.

Oracle Wallet Manager downloads a user wallet by using a simple password-based connection to the LDAP directory. However, for uploads it uses an SSL connection if the open wallet contains a certificate with SSL Oracle PKI certificate usage. If an SSL certificate is not present in the wallet, password-based authentication is used.


Note:

The directory password and the wallet password are independent, and can be different. Oracle Corporation recommends that these passwords be maintained to be consistently different, where neither one can logically be derived from the other.


Starting Oracle Wallet Manager

To start Oracle Wallet Manager:

  • (Windows) Select Start > Programs > Oracle-HOME_NAME > Network Administration > Wallet Manager
  • (UNIX) At the command line, enter owm.

How To Create a Complete Wallet: Process Overview

Wallets provide a necessary repository in which you can securely store your user certificates and the trust points you need to validate the certificates of your peers.

The following steps provide an overview of the complete wallet creation process:

  1. Use Oracle Wallet Manager to create a new wallet.
  2. Generate a certificate request. Note that when you create a new wallet with Oracle Wallet Manager, the tool automatically prompts you to create a certificate request. See "Adding a Certificate Request" for information about creating a certificate request.
  3. Send the certificate request to the CA you want to use. You can copy and paste the certificate request text into an e-mail message, or you can export the certificate request to a file. See "Exporting a User Certificate Request". Note that the certificate request becomes part of your wallet and must remain there until you remove its associated certificate.
  4. When the CA sends your signed user certificate and its associated trusted certificate, then you can import these certificates in the following order. (Note that user certificates and trusted certificates in the PKCS #7 format can be imported at the same time.)
    • First import the CA's trusted certificate into your wallet. See "Importing a Trusted Certificate". Note that this step may be optional if the new user certificate has been issued by one of the CAs whose trusted certificate is already present in Oracle Wallet Manager by default.
    • After you have successfully imported the trusted certificate, then import the user certificate that the CA sent to you into your wallet. See "Importing the User Certificate into the Wallet".
  5. (Optional) Set the auto login feature for your wallet. See "Using Auto Login".

    Typically, this feature, which enables PKI-based access to services without a password, is required for most wallets. It is required for database server and client wallets. It is only optional for products that take the wallet password at the time of startup.

After completing the preceding process, you have a wallet that contains a user certificate and its associated trust points.

Managing Wallets

This section describes how to create a new wallet and perform associated wallet management tasks, such as generating certificate r equests, exporting certificate requests, and importing certificates into wallets, in the following subsections:

Required Guidelines for Creating Wallet Passwords

Because an Oracle wallet contains user credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong wallet password. A malicious user who guesses the wallet password can access all the databases to which the wallet owner has access.

Passwords must contain at least eight characters that consist of alphabetic characters combined with numbers or special characters.


Caution:

It is strongly recommended that users avoid choosing easily guessed passwords based on user names, phone numbers, or government identification numbers, such as "admin0," "oracle1," or "2135551212A." This prevents a potential attacker from using personal information to deduce the users' passwords. It is also a prudent security practice for users to change their passwords periodically, such as once in each month or once in each quarter.

When you change passwords, you must regenerate auto login wallets.


See Also:

Creating a New Wallet

You can use Oracle Wallet Manager to create PKCS #12 wallets (the standard default wallet type) that store credentials in a directory on your file system. It can also be used to create PKCS #11 wallets that store credentials on a hardware security module for servers, or private keys on tokens for clients. The following sections explain how to create both types of wallets by using Oracle Wallet Manager.

Creating a Standard Wallet

Unless you have a hardware security module (a PKCS #11 device), you should use a standard wallet that stores credentials in a directory on your file system.

To create a standard wallet, perform the following tasks:

  1. Choose Wallet > New from the menu bar. The New Wallet dialog box appears.
  2. Follow the "Required Guidelines for Creating Wallet Passwords" and enter a password in the Wallet Password field. This password protects your credentials from unauthorized use.
  3. Re-enter that password in the Confirm Password field.
  4. Choose Standard from the Wallet Type list.
  5. Click OK to continue. If the entered password does not conform to the required guidelines, then the following message appears:
    Password must have a minimum length of eight characters, and contain alphabetic characters combined with numbers or special characters. Do you want to try again?

  6. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to add a certificate request. See "Adding a Certificate Request".

    If you choose No, you are returned to the Oracle Wallet Manager main window. The new wallet you just created appears in the left window pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates.

  7. Select Wallet > Save In System Default to save the new wallet.

    If you do not have permission to save the wallet in the system default, you can save it to another location. This location must be used in the SSL configuration for clients and servers.

    A message at the bottom of the window confirms that the wallet was successfully saved.

Creating a Wallet to Store Hardware Security Module Credentials

To create a wallet to store PKCS #11 credentials on a hardware security module, perform the following tasks:

  1. Choose Wallet > New from the menu bar; the New Wallet dialog box appears.
  2. Follow the "Required Guidelines for Creating Wallet Passwords" and enter a password in the Wallet Password field.
  3. Re-enter that password in the Confirm Password field.
  4. Choose PKCS11 from the Wallet Type list, and click OK to continue. The New PKCS11 Wallet window appears.
  5. Choose a vendor name from the Select Hardware Vendor list.


    Note:

    In the current release of Oracle Wallet Manager, only nCipher hardware has been certified to interoperate with Oracle wallets.


  6. In the PKCS11 library filename field, enter the path to the directory where the PKCS11 library is stored, or click Browse to find it by searching the file system.
  7. Enter the SmartCard password, and choose OK.

    The smart card password, which is different from the wallet password, is stored in the wallet.

  8. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to add a certificate request. See "Adding a Certificate Request".

    If you choose No, you are returned to the Oracle Wallet Manager main window. The new wallet you just created appears in the left window pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates.

  9. Select Wallet > Save In System Default to save the new wallet.

    If you do not have permission to save the wallet in the system default, you can save it to another location.

    A message at the bottom of the window confirms that the wallet was successfully saved.


    Note:

    If you change the smart card password or move the PKCS #11 library, an error message displays when you try to open the wallet. Then you are prompted to enter the new smart card password or the new path to the library.


Opening an Existing Wallet

Open a wallet that already exists in the file system directory as follows:

  1. Choose Wallet > Open from the menu bar. The Select Directory dialog box appears.
  2. Navigate to the directory location in which the wallet is located, and select the directory.
  3. Choose OK. The Open Wallet dialog box appears.
  4. Enter the wallet password in the Wallet Password field.
  5. Choose OK.

    You are returned to the main window and a message appears at the bottom of the window indicating the wallet was opened successfully. The wallet's certificate and its trusted certificates are displayed in the left window pane.

Closing a Wallet

To close an open wallet in the currently selected directory:

Choose Wallet > Close.

A message appears at the bottom of the window to confirm that the wallet is closed.

Importing Third-Party Wallets

Third-party wallets are those where the certificate requests have been generated without using Oracle Wallet Manager. Oracle Wallet Manager can import and support the following PKCS #12-format wallets, subject to procedures and limitations specific to the program you use:

  • Netscape Communicator 4.x
  • Microsoft Internet Explorer 5.x and later
  • OpenSSL

To import a third-party wallet, perform the following tasks:

  1. Follow the procedures for your particular product to export the wallet.
  2. Save the exported wallet to a file name appropriate for your operating system in a directory expected by Oracle Advanced Security.

    For UNIX and Windows, the appropriate file name is ewallet.p12.

    For other operating systems, see the Oracle documentation for that specific operating system.


    Note:

    Because browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection. You can use Oracle Wallet Manager to import trusted certificates.


Exporting Oracle Wallets to Third-Party Environments


Oracle Wallet Manager can export its own wallets to third party environments.

To export a wallet to third-party environments:

  1. Use Oracle Wallet Manager to save the wallet file.
  2. Follow the procedure specific to your third-party product to import an operating system PKCS #12 wallet file created by Oracle Wallet Manager (called ewallet.p12 on UNIX and Windows platforms).


    Note:
    • Oracle Wallet Manager supports multiple certificates for each wallet, yet current browsers typically support import of single-certificate wallets only. For these browsers, you must export an Oracle wallet containing a single key-pair.
    • Oracle Wallet Manager supports wallet export to only Netscape Communicator 4.7.2 and later, OpenSSL, and Microsoft Internet Explorer 5.0 and later.


Exporting Oracle Wallets to Tools that Do Not Support PKCS #12

You can export a wallet to a text-based PKI format if you want to put a wallet into a tool that does not support PKCS #12. Individual components are formatted according to the standards listed in Table 8-4. Within the wallet, only those certificates with SSL key usage are exported with the wallet.

To export a wallet to text-based PKI format:

  1. Choose Operations > Export Wallet.... The Export Wallet dialog box appears.
  2. Enter the destination file system directory for the wallet, or navigate to the directory structure under Folders.
  3. Enter the destination file name for the wallet.
  4. Choose OK to return to the main window.

    Table 8-4 PKI Wallet Encoding Standards

      Component             Encoding Standard
      Certificate chains    X509v3
      Trusted certificates  X509v3
      Private keys          PKCS #8

Uploading a Wallet to an LDAP Directory

To upload a wallet to an LDAP directory, Oracle Wallet Manager uses SSL if the specified wallet contains an SSL certificate. Otherwise, it lets you enter the directory password.

To prevent accidental destruction of your wallet, Oracle Wallet Manager will not permit you to execute the upload option unless the target wallet is currently open and contains at least one user certificate.

To upload a wallet:

  1. Choose Wallet > Upload Into The Directory Service.... If the currently open wallet has not been saved, a dialog box appears with the foll owing message:

    Wallet needs to be saved before uploading.

    Choose Yes to proceed.

  2. Wallet certificates are checked for SSL key usage. Depending on whether a certificate with SSL key usage is found in the wallet, one of the following results occurs:
    • If at least one certificate has SSL key usage: When prompted, enter the LDAP directory server hostname and port information, then click OK. Oracle Wallet Manager attempts connection to the LDAP directory server using SSL. A message appears indicating whether the wallet was uploaded successfully or it failed.
    • If no certificates have SSL key usage: When prompted, enter the user's distinguished name (DN), the LDAP server hostname and port information, and click OK. Oracle Wallet Manager attempts connection to the LDAP directory server using simple password authentication mode, assuming that the wallet password is the same as the directory password.

      If the connection fails, a dialog box prompts for the directory password of the specified DN. Oracle Wallet Manager attempts connection to the LDAP directory server using this password and displays a warning message if the attempt fails. Otherwise, Oracle Wallet Manager displays a status message at the bottom of the window indicating that the upload was successful.

Downloading a Wallet from an LDAP Directory

When a wallet is downloaded from an LDAP directory, it is resident in working memory. It is not saved to the file system unless you expressly save it using any of the Save options described in the following sections.

See Also:

To download a wallet from an LDAP directory:

  1. Choose Wallet > Download From The Directory Service....
  2. A dialog box prompts for the user's distinguished name (DN), and the LDAP directory password, hostname, and port information. Oracle Wallet Manager uses simple password authentication to connect to the LDAP directory.

    Depending on whether the downloading operation succeeds or not, one of the following results occurs:

    • If the download operation fails: Check to make sure that you have correctly entered the user's DN, and the LDAP server hostname and port information.
    • If the download is successful: Choose OK to open the downloaded wallet. Oracle Wallet Manager attempts to open that wallet using the directory password. If the operation fails after using the directory password, then a dialog box prompts for the wallet password.

      If Oracle Wallet Manager cannot open the target wallet using the wallet password, then check to make sure you entered the correct password. Otherwise a message displays at the bottom of the window, indicating that the wallet was downloaded successfully.


Saving Changes

To save your changes to the current open wallet:

Choose Wallet > Save.

A message at the bottom of the window confirms that the wallet changes were successfully saved to the wallet in the selected directory location.

Saving the Open Wallet to a New Location

To save open wallets to a new location, use the Save As... menu option:

  1. Choose Wallet > Save As.... The Select Directory dialog box appears.
  2. Select a directory location in which to save the wallet.
  3. Choose OK.

    The following message appears if a wallet already exists in the selected location:

    A wallet already exists in the selected path. Do you want to overwrite it?


    Choose Yes to overwrite the existing wallet, or No to save the wallet to another location.

    A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.

Saving in System Default

To save wallets in the default directory location, use the Save In System Default menu option:

Choose Wallet > Save In System Default.

A message at the bottom of the window confirms that the wallet was successfully saved in the system default wallet location as follows for UNIX and Windows platforms:

  • (UNIX) ORACLE_HOME/admin/ORACLE_SID
  • (Windows) ORACLE_BASE\ORACLE_HOME\rdbms\admin


    Note:
    • SSL uses the wallet that is saved in the system default directory location.
    • Some Oracle applications are not able to use the wallet if it is not in the system default location. Check the Oracle documentation for your specific application to determine whether wallets must be placed in the default wallet directory location.

Deleting the Wallet

To delete the current open wallet:

  1. Choose Wallet > Delete. The Delete Wallet dialog box appears.
  2. Review the displayed wallet location to verify you are deleting the correct wallet.
  3. Enter the wallet password.
  4. Choose OK. A dialog panel appears to inform you that the wallet was successfully deleted.


    Note:

    Any open wallet in application memory will remain in memory until the application exits. Therefore, deleting a wallet that is currently in use does not immediately affect system operation.


Changing the Password

A password change is effective immediately. The wallet is saved to the currently selected directory, with the new encrypted password.


Note:

If you are using a wallet with auto login enabled, you must regenerate the auto login wallet after changing the password. See "Using Auto Login".


To change the password for the current open wallet:

  1. Choose Wallet > Change Password. The Change Wallet Password dialog box appears.
  2. Enter the existing wallet password.
  3. Enter the new password.
  4. Re-enter the new password.
  5. Choose OK.

A message at the bottom of the window confirms that the password was successfully changed.

See Also:

Using Auto Login

The Oracle Wallet Manager auto login feature creates an obfuscated copy of the wallet and enables PKI-based access to services without a password until the auto login feature is disabled for the wallet. File system permissions provide the necessary security for auto login wallets. When auto login is enabled for a wallet, it is only available to the operating system user who created that wallet.

Auto login is disabled by default; you must enable it if you want single sign-on access to multiple Oracle databases. Such wallets are sometimes called "SSO wallets" because they provide single sign-on capability.

Enabling Auto Login

To enable auto login:

  1. Choose Wallet from the menu bar.
  2. Check Auto Login. A message at the bottom of the window indicates that auto login is enabled.

Disabling Auto Login

To disable auto login:

  1. Choose Wallet from the menu bar.
  2. Uncheck Auto Login. A message at the bottom of the window indicates that auto login is disabled.

Managing Certificates

Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. All certificates are signed data structures that bind a network identity with a corresponding public key. User certificates are used by end entities, including server applications, to validate an end entity's identity in a public key/private key exchange. In comparison, trusted certificates are any certificates that you trust, such as those provided by CAs to validate the user certificates that they issue.

This section describes how to manage both certificate types, in the following subsections:

  • Managing User Certificates
  • Managing Trusted Certificates


    Note:

    You must first install a trusted certificate from the certificate authority before you can install a user certificate issued by that authority. Several trusted certificates are installed by default when you create a new wallet.


Managing User Certificates

User certificates can be used by end users, smart cards, or applications, such as Web servers. Server certificates are a type of user certificate. For example, if a CA issues a certificate for a Web server, placing its distinguished name (DN) in the Subject field, then the Web server is the certificate owner, thus the "user" for this user certificate. User certificates do not validate other user certificates, except when they are used as a trusted certificate in a user-centric trust model.

See Also:

Understanding Public-Key Infrastructure, a third-party publication, listed in the Preface under "Related Documentation", for a discussion of user-centric and other trust models.

Managing user certificates involves the following tasks:

Adding a Certificate Request

You can add multiple certificate requests with Oracle Wallet Manager. When adding multiple requests, Oracle Wallet Manager automatically populates each subsequent request dialog box with the content of the initial request, which you can then edit.

The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you cannot edit an existing certificate request. Store only a correctly filled out certificate request in a wallet.

To create a PKCS #10 certificate request:

  1. Choose Operations > Add Certificate Request. The Add Certificate Request dialog box appears.
  2. Enter the information specified in Table 8-5.
  3. Choose OK. A message informs you that a certificate request was successfully created. You can either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message to send to a certificate authority, or you can export the certificate request to a file.
  4. Choose OK to return to the Oracle Wallet Manager main window. The status of the certificate changes to [Requested].

    Table 8-5 Certificate Request: Fields and Descriptions

    Field Name | Description
    Common Name | Mandatory. Enter the name of the user's or service's identity. Enter a user's name in first name/last name format. Example: Eileen.Sanger
    Organizational Unit | Optional. Enter the name of the identity's organizational unit. Example: Finance.
    Organization | Optional. Enter the name of the identity's organization. Example: XYZ Corp.
    Locality/City | Optional. Enter the name of the locality or city in which the identity resides.
    State/Province | Optional. Enter the full name of the state or province in which the identity resides. Enter the full state name, because some certificate authorities do not accept two-letter abbreviations.
    Country | Mandatory. Choose to view a list of country abbreviations. Select the country in which the organization is located.
    Key Size | Mandatory. Choose to view a list of key sizes to use when creating the public/private key pair. See Table 8-6 to evaluate key size.
    Advanced | Optional. Choose Advanced to view the Advanced Certificate Request dialog panel. Use this field to edit or customize the identity's distinguished name (DN). For example, you can edit the full state name and locality.

Table 8-6 lists the available key sizes and the relative security each size provides. Typically, CAs use key sizes of 1024 or 2048. When certificate owners wish to keep their keys for a longer duration, they choose 3072 or 4096 bit keys.

Table 8-6 Available Key Sizes
Key Size < /a> Relative Security Level

512 or 768

Not regarded as secure.

1024 or 2048

Secure.

3072 or 4096

Very secure.

< !--TOC=h3-"1007038"-->

Importing the User Certificate into t he Wallet

The certificate authority sends you an e-mail notification when your certificate request has been fulfilled. Import the certificate into a wallet in either of two ways: copy and paste the certificate from the certificate authority's e-mail, or import the user certificate from a file. Certificate authorities may send your certificate in a PKCS #7 certificate chain file, or as an individual X.509 certificate. Oracle Wallet Manager can import both types. PKCS #7 certificate chains are a collection of certificates, including the user's certificate and all of the supporting CA and subCA certificates. In contrast, an X.509 certificate file contains an individual certificate without the supporting certificate chain.
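The procedure leaves it to you to recognise which form the certificate authority sent. The following check, added here as an example and not part of Oracle Wallet Manager or the Oracle documentation, classifies a certificate file by encoding (text/BASE64 or binary DER) and by content (a PKCS #7 chain or a single X.509 certificate) before you import it; the DER helpers and the sample inputs are constructed for this example and use only the Python standard library.

```python
import base64
import re

# Text-only (BASE64) block as a CA e-mails it: BEGIN line, body, END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# PKCS #7 signedData: the ContentInfo type used for a certificate chain file.
PKCS7_SIGNED_DATA_OID = "1.2.840.113549.1.7.2"


def _read_tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Convert OID content bytes to dotted notation (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_certificate(data):
    """Return (encoding, content): "base64"/"der" and "x509"/"pkcs7"."""
    m = PEM_BLOCK.search(data)
    if m:
        encoding, der = "base64", base64.b64decode(m.group(2))
    else:
        encoding, der = "der", data
    outer_tag, pos, _ = _read_tlv(der, 0)
    if outer_tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE; not a certificate or PKCS #7 file")
    inner_tag, start, end = _read_tlv(der, pos)
    if inner_tag == 0x30:  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return encoding, "x509"
    if inner_tag == 0x06 and _decode_oid(der[start:end]) == PKCS7_SIGNED_DATA_OID:
        return encoding, "pkcs7"  # ContentInfo ::= SEQUENCE { contentType OID, ... }
    raise ValueError("unrecognised DER structure")


# Constructed samples: structurally valid DER/BASE64 stand-ins, not real certificates.
SAMPLE_DER_X509 = bytes.fromhex("3006300402020100")
SAMPLE_DER_PKCS7 = bytes.fromhex("300b06092a864886f70d010702")
SAMPLE_PEM_X509 = b"-----BEGIN CERTIFICATE-----\nMAYwBAICAQA=\n-----END CERTIFICATE-----\n"
```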

To copy and paste the text only (BASE64) user certificate from the certificate authority's e-mail:
  1. Copy the certificate text from the e-mail message or file you receive from the certificate authority. Include the lines Begin Certificate and End Certificate.
  2. Choose Operations > Import User Certificate.... The Import Certificate dialog box appears.
  3. Choose Paste the certificate, and then click OK. Another Import Certificate dialog box appears with the following message:
    Please provide a base64 format certificate and paste it below.
  4. Paste the certificate into the dialog box, and choose OK. A message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the status of the corresponding entry in the left panel subtree changes to [Ready].

    Keyboard shortcuts for copying and pasting certificates:

    Use Ctrl+c to copy, and use Ctrl+v to paste.


To import a file that contains the user certificate:

The file containing the user certificate should have been saved in either text (BASE64) or binary (der) format.

  1. Choose Operations > Import User Certificate.... The Import Certificate dialog box appears.
  2. Choose Select a file that contains the certificate, and click OK. Another Import Certificate dialog box appears.
  3. Enter the path or folder name of the certificate file location.
  4. Select the name of the certificate file (for example, cert.txt).
  5. Choose OK. A message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the status of the corresponding entry in the left panel subtree changes to [Ready].

Removing a User Certificate from a Wallet

To remove a user certificate from a wallet:

  1. In the left panel subtree, select the certificate that you want to remove.
  2. Choose Operations > Remove User Certificate.... A dialog panel appears and prompts you to verify that you want to remove the user certificate from the wallet.
  3. Choose Yes to return to the Oracle Wallet Manager main panel. The certificate displays a status of [Requested].

Removing a Certificate Request

You must remove a certificate before removing its associated request.

To remove a certificate request:

  1. In the left panel subtree, select the certificate request that you want to remove.
  2. Choose Operations > Remove Certificate Request....
  3. Click Yes. The certificate displays a status of [Empty].

Exporting a User Certificate

To save the certificate in a file system directory, export the certificate by using the following steps:

  1. In the left panel subtree, select the certificate that you want to export.
  2. Choose Operations > Export User Certificate... from the menu bar. The Export Certificate dialog box appears.
  3. Enter the file system directory location where you want to save your certificate, or navigate to the directory structure under Folders.
  4. Enter a file name for your certificate in the Enter File Name field.
  5. Choose OK. A message at the bottom of the window confirms that the certificate was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.

Exporting a User Certificate Request

To save the certificate request in a file system directory, export the certificate request by using the following steps:

  1. In the left panel subtree, select the certificate request that you want to export.
  2. Choose Operations > Export Certificate Request.... The Export Certificate Request dialog box appears.
  3. Enter the file system directory location where you want to save your certificate request, or navigate to the directory structure under Folders.
  4. Enter a file name for your certificate request, in the Enter File Name field.
  5. Choose OK. A message at the bottom of the window confirms that the certificate request was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.

Managing Trusted Certificates

Managing trusted certificates includes the following tasks:

Importing a Trusted Certificate

You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file.

Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet.

To copy and paste the text only (BASE64) trusted certificate:
  1. Copy the trusted certificate from the body of the e-mail message you received that contained the user certificate. Include the lines Begin Certificate and End Certificate.
  2. Choose Operations > Import Trusted Certificate... from the menu bar. The Import Trusted Certificate dialog panel appears.
  3. Choose Paste the Certificate, and click OK. Another Import Trusted Certificate dialog panel appears with the following message:
    Please provide a base64 format certificate and paste it below.
  4. Paste the certificate into the window, and click OK. A message at the bottom of the window informs you that the trusted certificate was successfully installed.
  5. Choose OK. You are returned to the Oracle Wallet Manager main panel, and the trusted certificate appears at the bottom of the Trusted Certificates tree.

    Keyboard shortcuts for copying and pasting certificates:

    Use Ctrl+c to copy, and use Ctrl+v to paste.

To import a file that contains the trusted certificate:

The file containing the trusted certificate should have been saved in either text (BASE64) or binary (der) format.

  1. Choose Operations > Import Trusted Certificate.... The Import Trusted Certificate dialog panel appears.
  2. Enter the path or folder name of the trusted certificate location.
  3. Select the name of the trusted certificate file (for example, cert.txt).
  4. Choose OK. A message at the bottom of the window informs you that the trusted certificate was successfully imported into the wallet.
  5. Choose OK to exit the dialog panel. You are returned to the Oracle Wallet Manager main panel, and the trusted certificate appears at the bottom of the Trusted Certificates tree.

Removing a Trusted Certificate

You cannot remove a trusted certificate if it has been used to sign a user certificate still present in the wallet. To remove such trusted certificates, you must first remove the certificates it has signed. Also, you cannot verify a certificate after its trusted certificate has been removed from your wallet.

To remove a trusted certificate from a wallet:

  1. Select the trusted certificate listed in the Trusted Certificates tree.
  2. Choose Operations > Remove Trusted Certificate... from the menu bar.

    A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.

  3. Choose Yes. The selected trusted certificate is removed from the Trusted Certificates tree.

Exporting a Trusted Certificate

To export a trusted certificate to another file system location:

  1. In the left panel subtree, select the trusted certificate that you want to export.
  2. Select Operations > Export Trusted Certificate.... The Export Trusted Certificate dialog box appears.
  3. Enter a file system directory in which you want to save your trusted certificate, or navigate to the directory structure under Folders.
  4. Enter a file name to save your trusted certificate.
  5. Choose OK. You are returned to the Oracle Wallet Manager main window.

Exporting All Trusted Certificates

To export all of your trusted certificates to another file system location:

  1. Choose Operations > Export All Trusted Certificates.... The Export Trusted Certificate dialog box appears.
  2. Enter a file system directory location where you want to save your trusted certificates, or navigate to the directory structure under Folders.
  3. Enter a file name to save your trusted certificates.
  4. Choose OK. You are returned to the Oracle Wallet Manager main window.