| My Oracle & Java Blog

Tuesday, April 3, 2007

Opening Oracle's Wallet

...and I wish I was referring to the one holding the cash. Instead, I mean the one 10gAS uses to store certificates. Oracle's wallet uses the PKCS12 format, which I believe is a standard. However, Oracle's wallets don't seem to be compatible with "normal" sun pkcs12 format wallets. This is because Oracle uses a different encryption method than the typical Sun JSSE implementation does. So in order to open their wallet files, you must use Oracle's PKI Security Provider. In order to use a security provider in java, it has to be "registered" with the JVM. Unfortunately, Oracle hasn't registered their PKI Provider by default, so you have to do it yourself. There are two methods for registering a Security Provider in java:

  1. "Statically", by editing the $ORACLE_HOME/jdk/jre/lib/security/java.security file and adding an additional entry, similar to this:

    security.provider.X=oracle.security.pki.OraclePKIProvider

    Where X is order you want this entry to be in (by default, there are 5 entries already in that file, so this can be 6).

  2. Or you can specify the provider in your code at runtime. Be sure to do it only once as an initialization step, as I think it issues an exception if its already registered:

    Security.addProvider(new OraclePKIProvider());



In Oracle wallet manager, you can select the option to enable Auto-Login for a wallet. What this does is create the cwallet.sso file in your wallet directory. This is a copy of your wallet, but in an encrypted/proprietary format. The cwallet.sso file does not require a password to open, and you can open it using the Oracle PKI Provider in java. You can also open the ewallet.p12 file using the PKI provider, but that file does require a password to open. Using the cwallet.sso file means you won't have to store the wallet password in cleartext anywhere, so it's more portable. The following is an example of opening the wallet using either method:
  1. Open the cwallet.sso file:
    KeyStore keyStore = KeyStore.getInstance("SSO","OraclePKI");
    FileInputStream walletFile = new FileInputStream("/path_to_wallet/cwallet.sso");
    keyStore.load(walletFile,"");


  2. Open the ewallet.p12 file:
    KeyStore keyStore = KeyStore.getInstance("PKCS12","OraclePKI");
    FileInputStream walletFile = new FileInputStream("/path_to_wallet/ewallet.p12");
    keyStore.load(walletFile,"mypassword");



From there you can access the certificates in the wallet using the standard java keystore api.
The OraclePKIProvider class can be found in the $ORACLE_HOME/jlib/oraclepki.jar & $ORACLE_HOME/jlib/oraclepki103.jar files. Im not sure the difference, both seemed to work ok for me.

5 comments:

Dani said...

Thanks for the article.
I am trying to open an Oracle Wallet used as Secure External Password Store (stores user and password instead of certificates) in Oracle 10g (10.2).

Can I use KeyStore class for reading the user & password?
Do you know another class to read user & password from a wallet?

The documentation for using wallets for database passwords is very poor!

Anonymous said...

Hi Mike,

Thanks for the article! Very informative.

Do you know how I could use the Oracle PKI providers to create a suitable store?

When trying to do this using the KeyStore.setEntry() I get:

Not Implemented
oracle.security.pki.OracleKeyStoreSpi.engineSetKeyEntry(OracleKeyStoreSpi)

Appreciate any thoughts that you may have.

Thanks.

Nat said...

I've been trying to use the Oracle PKI providers to create a store as well with no success.

This was after trying for ages with BouncyCastle-based GUI tools Portecle and Keytool IUI, then using keytool with OraclePKI as the provider.

I finally found that OpenSSL (not Java unfortunately) will do the trick. I was only trying to create a single CA certificate store here, so your mileage may differ:

openssl pkcs12 -in cert.pem -out ewallet.p12 -export -nokeys -cacerts -descert -nomaciter -noiter

There are other posts out there about how to create Oracle wallets with OpenSSL.

Praveena said...

Hi Mike,

I am trying to open a wallet file.

My code:

Security.addProvider(new oracle.security.pki.OraclePKIProvider());Security.insertProviderAt(
new racle.security.pki.OraclePKIProvider(),2);
OracleWallet oraclewallet = new OracleWallet();
oraclewallet.open(walLoc, null);

But it is throwing in the above line.It is workign fine if I deploy this code in Windows system but in Unix it is not working, the path of the file is correct. I did all teh steps you explained in this blog. updated java.security file. No clue.

could anybody tell me if I am missign anything?

Thanks
Praveena

Praveena said...

I am getting the exception:

"java.io.IOException: Could not open wallet. java.io.IOException: Could not open wallet. Check password".

I didn't post it in me previous query.

Thanks
Praveena