Skip Headers

Oracle® Database Advanced Security Administrator's Guide
10g Release 1 (10.1)
Part Number B10772-01
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Index
Index		 Go to Master Index
Master Index		 Go to Feedback page
Feedback
Go to previous page
Previous		 Go to next page
Next
View PDF

8
Using Oracle Wallet Manager

Security administrators use Oracle Wallet ManagerOracle Wallet Manager to manage public key security credentials on Oracle clients and servers. The wallets it creates can be read by Oracle Database, Oracle Application Server 10g, and the Oracle Identity Management infrastructure.

This chapter describes Oracle Wallet Manager, and contains the following topics:

Oracle Wallet Manager Overview

Oracle Wallet Manager is an application that wallet owners use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform basic tasks such as creating wallets, generating certificate requests, and opening wallets to access PKI-based services. In addition, Oracle Wallet Manager can save credentials to hardware security modules by using APIs which comply to the Public-Key Cryptography Standards #11 (PKCS #11) specification. Oracle Wallet Manager can be used to upload wallets to and download them from an LDAP directory. Oracle Wallet Manager can also be used to import third-party PKCS #12-format wallets, and export Oracle wallets to a third-party environment.

Oracle Wallet Manager provides the following features:

Wallet Password Management

Oracle wallets are password protected. Oracle Wallet Manager includes an enhanced wallet password management module that enforces Password Management Policy guidelines, including the following:

Strong Wallet Encryption

Oracle Wallet Manager stores private keys associated with X.509 certificates and uses Triple-DES encryption.

Microsoft Windows Registry Wallet Storage

Oracle Wallet Manager lets you optionally store multiple Oracle wallets in the user profile area of the Microsoft Windows system registry or in a Windows file management system. Storing your wallets in the registry provides the following benefits:

Options Supported:

Backward Compatibility

Oracle Wallet Manager is backward-compatible to Release 8.1.7.

Public-Key Cryptography Standards (PKCS) Support

RSA Laboratories, a division of RSA Security, Inc., has developed, in cooperation with representatives from industry, academia, and government, a family of basic cryptography standards called Public-Key Cryptography Standards, or PKCS for short. These standards have been developed to establish interoperability between computer systems that use public-key technology to secure data across intranets and the Internet.

Oracle Wallet Manager stores X.509 certificates and private keys in PKCS #12 format, and generates certificate requests according to the PKCS #10 specification. This makes the Oracle wallet structure interoperable with supported third party PKI applications, and provides wallet portability across operating systems.

Oracle Wallet Manager wallets can be enabled to store credentials on hardware security modules that use APIs that conform to the PKCS #11 specification. When PKCS11 wallet type is chosen at the time of wallet creation, then all keys stored in that wallet are saved to a hardware security module or token, such as smart cards, PCMCIA cards, smart diskettes, or other types of portable hardware devices that store private keys, perform cryptographic operations, or both.

See Also:

Multiple Certificate Support

Oracle Wallet Manager enables you to store multiple certificates for each wallet, supporting the following Oracle PKI certificate usages:

Oracle Wallet Manager supports multiple certificates for a single digital entity, where each certificate can be used for a set of Oracle PKI certificate usages, but the same certificate cannot be used for all such usages (See Table 8-2 and Table 8-3 for legal usage combinations). There must be a one-to-one mapping between certificate requests and certificates. The same certificate request can be used to obtain multiple certificates; however, more than one certificate for each certificate request cannot be installed in the same wallet at the same time.

Oracle Wallet Manager uses the X.509 Version 3 KeyUsage extension to define Oracle PKI certificate usages (Table 8-1):

Table 8-1 KeyUsage Values
Value Usage

0

digitalSignature

1

nonRepudiation

2

keyEncipherment

3

dataEncipherment

4

keyAgreement

5

keyCertSign

6

cRLSign

7

encipherOnly

8

decipherOnly

When installing a certificate (user certificate or trusted certificate), Oracle Wallet Manager maps the KeyUsage extension values to Oracle PKI certificate usages as specified in Table 8-2 and Table 8-3.

Table 8-2 Oracle Wallet Manager Import of User Certificates to an Oracle Wallet
KeyUsage Value Critical?Foot 1 Usage

none

na

Certificate is importable for SSL or S/MIME encryption use.

0 alone, or any combination including 0 but excluding 5 and 2

na

Accept certificate for S/MIME signature or code-signing use.

1 alone

Yes

Not importable.

No

Accept certificate for S/MIME signature or code-signing use.

2 alone, or 2 + any combination excluding 5

na

Accept certificate for SSL or S/MIME encryption use.

5 alone, or any combination including 5

na

Accept certificate for CA certificate signing use.

Any settings not listed previously

Yes

Not importable.

No

Certificate is importable for SSL or S/MIME encryption use.
1 If the KeyUsage extension is critical, the certificate cannot be used for other purposes.
Table 8-3 Oracle Wallet Manager Import of Trusted Certificates to an Oracle Wallet
KeyUsage Value Critical?Foot 1 Usage

none

na

Importable.

Any combination excluding 5

Yes

Not importable.

No

Importable.

5 alone, or any combination including 5

na

Importable.
1 If the KeyUsage extension is critical, the certificate cannot be used for other purposes.

You should obtain certificates from the certificate authority with the correct KeyUsage value for the required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages, as indicated by Table 8-2 and Table 8-3. Oracle PKI applications use the first certificate containing the required PKI certificate usage.

For example: For SSL usage, the first certificate containing the SSL Oracle PKI certificate usage is used.

If you do not have a certificate with SSL usage, then an ORA-28885 error (No certificate with required key usage found) is returned.

LDAP Directory Support

Oracle Wallet Manager can upload wallets to and retrieve them from an LDAP-compliant directory. Storing wallets in a centralized LDAP-compliant directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication while providing centralized wallet management throughout the wallet life cycle. To prevent accidental over-write of functional wallets, only wallets containing an installed certificate can be uploaded.

Directory user entries must be defined and configured in the LDAP directory before Oracle Wallet Manager can be used to upload or download wallets for a user. If a directory contains Oracle8i (or prior) users, they are automatically upgraded to use the wallet upload and download feature on first use.

Oracle Wallet Manager downloads a user wallet by using a simple password-based connection to the LDAP directory. However, for uploads it uses an SSL connection if the open wallet contains a certificate with SSL Oracle PKI certificate usage. If an SSL certificate is not present in the wallet, password-based authentication is used.

Note:

The directory password and the wallet password are independent, and can be different. Oracle Corporation recommends that these passwords be maintained to be consistently different, where neither one can logically be derived from the other.
See Also:

Starting Oracle Wallet Manager

To start Oracle Wallet Manager:

How To Create a Complete Wallet: Process Overview

Wallets provide a necessary repository in which you can securely store your user certificates and the trust points you need to validate the certificates of your peers.

The following steps provide an overview of the complete wallet creation process:

  1. Use Oracle Wallet Manager to create a new wallet:
  2. Generate a certificate request. Note that when you create a new wallet with Oracle Wallet Manager, the tool automatically prompts you to create a certificate request. See "Adding a Certificate Request" for information about creating a certificate request.
  3. Send the certificate request to the CA you want to use. You can copy and paste the certificate request text into an e-mail message, or you can export the certificate request to a file. See "Exporting a User Certificate Request". Note that the certificate request becomes part of your wallet and must remain there until you remove its associated certificate.
  4. When the CA sends your signed user certificate and its associated trusted certificate, then you can import these certificates in the following order. (Note that user certificates and trusted certificates in the PKCS #7 format can be imported at the same time.)
    • First import the CA's trusted certificate into your wallet. See "Importing a Trusted Certificate" Note that this step may be optional if the new user certificate has been issued by one of the CAs whose trusted certificate is already present in Oracle Wallet Manager by default.
    • After you have successfully imported the trusted certificate, then import the user certificate that the CA sent to you into your wallet. See "Importing the User Certificate into the Wallet"
  5. (Optional) Set the auto login feature for your wallet. See "Using Auto Login".

    Typically, this feature, which enables PKI-based access to services without a password, is required for most wallets. It is required for database server and client wallets. It is only optional for products that take the wallet password at the time of startup.

After completing the preceding process, you have a wallet that contains a user certificate and its associated trust points.

Managing Wallets

This section describes how to create a new wallet and perform associated wallet management tasks, such as generating certificate requests, exporting certificate requests, and importing certificates into wallets, in the following subsections:

Required Guidelines for Creating Wallet Passwords

Because an Oracle wallet contains user credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong wallet password. A malicious user who guesses the wallet password can access all the databases to which the wallet owner has access.

Passwords must contain at least eight characters that consist of alphabetic characters combined with numbers or special characters.

Caution:

It is strongly recommended that users avoid choosing easily guessed passwords based on user names, phone numbers, or government identification numbers, such as "admin0," "oracle1," or "2135551212A." This prevents a potential attacker from using personal information to deduce the users' passwords. It is also a prudent security practice for users to change their passwords periodically, such as once in each month or once in each quarter.

When you change passwords, you must regenerate auto login wallets.
See Also:

Creating a New Wallet

You can use Oracle Wallet Manager to create PKCS #12 wallets (the standard default wallet type) that store credentials in a directory on your file system. It can also be used to create PKCS #11 wallets that store credentials on a hardware security module for servers, or private keys on tokens for clients. The following sections explain how to create both types of wallets by using Oracle Wallet Manager.

Creating a Standard Wallet

Unless you have a hardware security module (a PKCS #11 device), then you should use a standard wallet that stores credentials in a directory on your file system.

To create a standard wallet, perform the following tasks:

  1. Choose Wallet > New from the menu bar. The New Wallet dialog box appears.
  2. Follow the "Required Guidelines for Creating Wallet Passwords" and enter a password in the Wallet Password field. This password protects unauthorized use of your credentials.
  3. Re-enter that password in the Confirm Password field.
  4. Choose Standard from the Wallet Type list.
  5. Click OK to continue. If the entered password does not conform to the required guidelines, then the following message appears: 
    Password must have a minimum length of eight characters, and contain 
alphabetic characters combined with numbers or special characters. Do you 
want to try again?
  6. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to add a certificate request. See "Adding a Certificate Request".

    If you choose No, you are returned to the Oracle Wallet Manager main window. The new wallet you just created appears in the left window pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates.

  7. Select Wallet > Save In System Default to save the new wallet.

    If you do not have permission to save the wallet in the system default, you can save it to another location. This location must be used in the SSL configuration for clients and servers.

    A message at the bottom of the window confirms that the wallet was successfully saved.

Creating a Wallet to Store Hardware Security Module Credentials

To create a wallet to store PKCS #11 credentials on a hardware security module, perform the following tasks:

  1. Choose Wallet > New from the menu bar; the New Wallet dialog box appears.
  2. Follow the "Required Guidelines for Creating Wallet Passwords" and enter a password in the Wallet Password field.
  3. Re-enter that password in the Confirm Password field.
  4. Choose PKCS11 from the Wallet Type list, and click OK to continue. The New PKCS11 Wallet window appears.
  5. Choose a vendor name from the Select Hardware Vendor list.

    Note:

    In the current release of Oracle Wallet Manager, only nCipher hardware has been certified to interoperate with Oracle wallets.
  1. In the PKCS11 library filename field, enter the path to the directory where the PKCS11 library is stored, or click Browse to find it by searching the file system.
  2. Enter the SmartCard password, and choose OK.

    The smart card password, which is different from the wallet password, is stored in the wallet.

  3. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to add a certificate request. See "Adding a Certificate Request".

    If you choose No, you are returned to the Oracle Wallet Manager main window. The new wallet you just created appears in the left window pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates.

  4. Select Wallet > Save In System Default to save the new wallet.

    If you do not have permission to save the wallet in the system default, you can save it to another location.

    A message at the bottom of the window confirms that the wallet was successfully saved.

    Note:

    If you change the smart card password or move the PKCS #11 library, an error message displays when you try to open the wallet. Then you are prompted to enter the new smart card password or the new path to the library.

Opening an Existing Wallet

Open a wallet that already exists in the file system directory as follows:

  1. Choose Wallet > Open from the menu bar. The Select Directory dialog box appears.
  2. Navigate to the directory location in which the wallet is located, and select the directory.
  3. Choose OK. The Open Wallet dialog box appears.
  4. Enter the wallet password in the Wallet Password field.
  5. Choose OK.

    You are returned to the main window and a message appears at the bottom of the window indicating the wallet was opened successfully. The wallet's certificate and its trusted certificates are displayed in the left window pane.

Closing a Wallet

To close an open wallet in the currently selected directory:

Choose Wallet > Close.

A message appears at the bottom of the window to confirm that the wallet is closed.

Importing Third-Party Wallets

Third-party wallets are those where the certificate requests have been generated without using Oracle Wallet Manager. Oracle Wallet Manager can import and support the following PKCS #12-format wallets, subject to procedures and limitations specific to the program you use:

To import a third-party wallet, perform the following tasks:

  1. Follow the procedures for your particular product to export the wallet.
  2. Save the exported wallet to a file name appropriate for your operating system in a directory expected by Oracle Advanced Security.

    For UNIX and Windows, the appropriate file name is ewallet.p12.

    For other operating systems, see the Oracle documentation for that specific operating system.

    Note:

    Because browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection. You can use Oracle Wallet Manager to import trusted certificates.
    See Also:

    "Importing a Trusted Certificate"

Exporting Oracle Wallets to Third-Party Environments

Oracle Wallet Manager can export its own wallets to third party environments.

To export a wallet to third-party environments:

  1. Use Oracle Wallet Manager to save the wallet file.
  2. Follow the procedure specific to your third-party product to import an operating system PKCS #12 wallet file created by Oracle Wallet Manager (called ewallet.p12 on UNIX and Windows platforms).

    Note:
    • Oracle Wallet Manager supports multiple certificates for each wallet, yet current browsers typically support import of single-certificate wallets only. For these browsers, you must export an Oracle wallet containing a single key-pair.
    • Oracle Wallet Manager supports wallet export to only Netscape Communicator 4.7.2 and later, OpenSSL, and Microsoft Internet Explorer 5.0 and later.

Exporting Oracle Wallets to Tools that Do Not Support PKCS #12

You can export a wallet to a text-based PKI format if you want to put a wallet into a tool that does not support PKCS #12. Individual components are formatted according to the standards listed in Table 8-4. Within the wallet, only those certificates with SSL key usage are exported with the wallet.

To export a wallet to text-based PKI format:

  1. Choose Operations > Export Wallet.... The Export Wallet dialog box appears.
  2. Enter the destination file system directory for the wallet, or navigate to the directory structure under Folders.
  3. Enter the destination file name for the wallet.
  4. Choose OK to return to the main window.

    Table 8-4 PKI Wallet Encoding Standards
    Component Encoding Standard

    Certificate chains

    X509v3

    Trusted certificates

    X509v3

    Private keys

    PKCS #8

Uploading a Wallet to an LDAP Directory

To upload a wallet to an LDAP directory, Oracle Wallet Manager uses SSL if the specified wallet contains an SSL certificate. Otherwise, it lets you enter the directory password.

To prevent accidental destruction of your wallet, Oracle Wallet Manager will not permit you to execute the upload option unless the target wallet is currently open and contains at least one user certificate.

To upload a wallet:

  1. Choose Wallet > Upload Into The Directory Service.... If the currently open wallet has not been saved, a dialog box appears with the following message:

    Wallet needs to be saved before uploading.

    Choose Yes to proceed.

  2. Wallet certificates are checked for SSL key usage. Depending on whether a certificate with SSL key usage is found in the wallet, one of the following results occur:
    • If at least one certificate has SSL key usage: When prompted, enter the LDAP directory server hostname and port information, then click OK. Oracle Wallet Manager attempts connection to the LDAP directory server using SSL.A message appears indicating whether the wallet was uploaded successfully or it failed.
    • If no certificates have SSL key usage: When prompted, enter the user's distinguished name (DN), the LDAP server hostname and port information, and click OK. Oracle Wallet Manager attempts connection to the LDAP directory server using simple password authentication mode, assuming that the wallet password is the same as the directory password.

      If the connection fails, a dialog box prompts for the directory password of the specified DN. Oracle Wallet Manager attempts connection to the LDAP directory server using this password and displays a warning message if the attempt fails. Otherwise, Oracle Wallet Manager displays a status message at the bottom of the window indicating that the upload was successful.

Downloading a Wallet from an LDAP Directory

When a wallet is downloaded from an LDAP directory, it is resident in working memory. It is not saved to the file system unless you expressly save it using any of the Save options described in the following sections.

See Also:

To download a wallet from an LDAP directory:

  1. Choose Wallet > Download From The Directory Service....
  2. A dialog box prompts for the user's distinguished name (DN), and the LDAP directory password, hostname, and port information. Oracle Wallet Manager uses simple password authentication to connect to the LDAP directory.

    Depending on whether the downloading operation succeeds or not, one of the following results occurs:

    • If the download operation fails: Check to make sure that you have correctly entered the user's DN, and the LDAP server hostname and port information.
    • If the download is successful: Choose OK to open the downloaded wallet. Oracle Wallet Manager attempts to open that wallet using the directory password. If the operation fails after using the directory password, then a dialog box prompts for the wallet password.

      If Oracle Wallet Manager cannot open the target wallet using the wallet password, then check to make sure you entered the correct password. Otherwise a message displays at the bottom of the window, indicating that the wallet was downloaded successfully.

Saving Changes

To save your changes to the current open wallet:

Choose Wallet > Save.

A message at the bottom of the window confirms that the wallet changes were successfully saved to the wallet in the selected directory location.

Saving the Open Wallet to a New Location

To save open wallets to a new location, use the Save As... menu option:

  1. Choose Wallet > Save As.... The Select Directory dialog box appears.
  2. Select a directory location in which to save the wallet.
  3. Choose OK.

    The following message appears if a wallet already exists in the selected location:

    A wallet already exists in the selected path. Do you want to overwrite 
it?

    Choose Yes to overwrite the existing wallet, or No to save the wallet to another location.

    A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.

Saving in System Default

To save wallets in the default directory location, use the Save In System Default menu option:

Choose Wallet > Save In System Default.

A message at the bottom of the window confirms that the wallet was successfully saved in the system default wallet location as follows for UNIX and Windows platforms:

Deleting the Wallet

To delete the current open wallet:

  1. Choose Wallet > Delete. The Delete Wallet dialog box appears.
  2. Review the displayed wallet location to verify you are deleting the correct wallet.
  3. Enter the wallet password.
  4. Choose OK. A dialog panel appears to inform you that the wallet was successfully deleted.

    Note:

    Any open wallet in application memory will remain in memory until the application exits. Therefore, deleting a wallet that is currently in use does not immediately affect system operation.

Changing the Password

A password change is effective immediately. The wallet is saved to the currently selected directory, with the new encrypted password.

Note:

If you are using a wallet with auto login enabled, you must regenerate the auto login wallet after changing the password. See "Using Auto Login"

To change the password for the current open wallet:

  1. Choose Wallet > Change Password. The Change Wallet Password dialog box appears.
  2. Enter the existing wallet password.
  3. Enter the new password.
  4. Re-enter the new password.
  5. Choose OK.

A message at the bottom of the window confirms that the password was successfully changed.

See Also:

Using Auto Login

The Oracle Wallet Manager auto login feature creates an obfuscated copy of the wallet and enables PKI-based access to services without a password until the auto login feature is disabled for the wallet. File system permissions provide the necessary security for auto login wallets. When auto login is enabled for a wallet, it is only available to the operating system user who created that wallet.

You must enable auto login if you want single sign-on access to multiple Oracle databases, which is disabled by default. Sometimes these are called "SSO wallets" because they provide single sign-on capability.

Enabling Auto Login

To enable auto login:

  1. Choose Wallet from the menu bar.
  2. Check Auto Login. A message at the bottom of the window indicates that auto login is enabled.

Disabling Auto Login

To disable auto login:

  1. Choose Wallet from the menu bar.
  2. Uncheck Auto Login. A message at the bottom of the window indicates that auto login is disabled.

Managing Certificates

Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. All certificates are signed data structures that bind a network identity with a corresponding public key. User certificates are used by end entities, including server applications, to validate an end entity's identity in a public key/private key exchange. In comparison, trusted certificates are any certificates that you trust, such as those provided by CAs to validate the user certificates that they issue.

This section describes how to manage both certificate types, in the following subsections:

Managing User Certificates

User certificates can be used by end users, smart cards, or applications, such as Web servers. Server certificates are a type of user certificate. For example, if a CA issues a certificate for a Web server, placing its distinguished name (DN) in the Subject field, then the Web server is the certificate owner, thus the "user" for this user certificate. User certificates do not validate other user certificates, except when they are used as a trusted certificate in a user-centric trust model.

See Also:

Understanding Public-Key Infrastructure, a third-party publication, listed in the Preface under "Related Documentation", for a discussion of user-centric and other trust models.

Managing user certificates involves the following tasks:

Adding a Certificate Request

You can add multiple certificate requests with Oracle Wallet Manager. When adding multiple requests, Oracle Wallet Manager automatically populates each subsequent request dialog box with the content of the initial request that you can then edit.

The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you cannot edit an existing certificate request. Store only a correctly filled out certificate request in a wallet.

To create a PKCS #10 certificate request:

  1. Choose Operations > Add Certificate Request. The Add Certificate Request dialog box appears.
  2. Enter the information specified in Table 8-5.
  3. Choose OK. A message informs you that a certificate request was successfully created. You can either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message to send to a certificate authority, or you can export the certificate request to a file.
  4. Choose OK to return to the Oracle Wallet Manager main window. The status of the certificate changes to [Requested].

    See Also:

    "Exporting a User Certificate Request"
    Table 8-5  Certificate Request: Fields and Descriptions
    Field Name Description

    Common Name

    Mandatory. Enter the name of the user's or service's identity. Enter a user's name in first name /last name format.

    Example: Eileen.Sanger

    Organizational Unit

    Optional. Enter the name of the identity's organizational unit. Example: Finance.

    Organization

    Optional.Enter the name of the identity's organization. Example: XYZ Corp.

    Locality/City

    Optional. Enter the name of the locality or city in which the identity resides.

    State/Province

    Optional. Enter the full name of the state or province in which the identity resides.

    Enter the full state name, because some certificate authorities do not accept two-letter abbreviations.

    Country

    Mandatory. Choose to view a list of country abbreviations. Select the country in which the organization is located.

    Key Size

    Mandatory. Choose to view a list of key sizes to use when creating the public/private key pair. See Table 8-6 to evaluate key size.

    Advanced

    Optional. Choose Advanced to view the Advanced Certificate Request dialog panel. Use this field to edit or customize the identity's distinguished name (DN). For example, you can edit the full state name and locality.

Table 8-6 lists the available key sizes and the relative security each size provides. Typically, CAs use key sizes of 1024 or 2048. When certificate owners wish to keep their keys for a longer duration, they choose 3072 or 4096 bit keys.

Table 8-6 Available Key Sizes
Key Size Relative Security Level

512 or 768

Not regarded as secure.

1024 or 2048

Secure.

3072 or 4096

Very secure.

Importing the User Certificate into the Wallet

The certificate authority sends you an e-mail notification when your certificate request has been fulfilled. Import the certificate into a wallet in either of two ways: copy and paste the certificate from the certificate authority's e-mail, or import the user certificate from a file. Certificate authorities may send your certificate in a PKCS #7 certificate chain file, or as an individual X.509 certificate. Oracle Wallet Manager can import both types. PKCS #7 certificate chains are a collection of certificates, including the user's certificate and all of the supporting CA and subCA certificates. In contrast, an X.509 certificate file contains an individual certificate without the supporting certificate chain.

To copy and paste the text only (BASE64) user certificate from the certificate authority's e-mail:
  1. Copy the certificate text from the e-mail message or file you receive from the certificate authority. Include the lines Begin Certificate and End Certificate.
  2. Choose Operations > Import User Certificate.... The Import Certificate dialog box appears.
  3. Choose Paste the certificate, and then click OK. Another Import Certificate dialog box appears with the following message: 
    Please provide a base64 format certificate and paste it below.
  4. Paste the certificate into the dialog box, and choose OK. A message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the status of the corresponding entry in the left panel subtree changes to [Ready].

    Keyboard shortcuts for copying and pasting certificates:

    Use Ctrl+c to copy, and use Ctrl+v to paste.
To import a file that contains the user certificate:

The file containing the user certificate should have been saved in either text (BASE64) or binary (der) format.

  1. Choose Operations > Import User Certificate.... The Import Certificate dialog box appears.
  2. Choose Select a file that contains the certificate, and click OK. Another Import Certificate dialog box appears.
  3. Enter the path or folder name of the certificate file location.
  4. Select the name of the certificate file (for example, cert.txt).
  5. Choose OK. A message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the status of the corresponding entry in the left panel subtree changes to [Ready].

Removing a User Certificate from a Wallet

To remove a user certificate from a wallet:

  1. In the left panel subtree, select the certificate that you want to remove.
  2. Choose Operations > Remove User Certificate.... A dialog panel appears and prompts you to verify that you want to remove the user certificate from the wallet.
  3. Choose Yes to return to the Oracle Wallet Manager main panel. The certificate displays a status of [Requested].

Removing a Certificate Request

You must remove a certificate before removing its associated request.

To remove a certificate request:

  1. In the left panel subtree, select the certificate request that you want to remove.
  2. Choose Operations > Remove Certificate Request....
  3. Click Yes. The certificate displays a status of [Empty].

Exporting a User Certificate

To save the certificate in a file system directory, export the certificate by using the following steps:

  1. In the left panel subtree, select the certificate that you want to export.
  2. Choose Operations > Export User Certificate... from the menu bar. The Export Certificate dialog box appears.
  3. Enter the file system directory location where you want to save your certificate, or navigate to the directory structure under Folders.
  4. Enter a file name for your certificate in the Enter File Name field.
  5. Choose OK. A message at the bottom of the window confirms that the certificate was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.

Exporting a User Certificate Request

To save the certificate request in a file system directory, export the certificate request by using the following steps:

  1. In the left panel subtree, select the certificate request that you want to export.
  2. Choose Operations > Export Certificate Request.... The Export Certificate Request dialog box appears.
  3. Enter the file system directory location where you want to save your certificate request, or navigate to the directory structure under Folders.
  4. Enter a file name for your certificate request, in the Enter File Name field.
  5. Choose OK. A message at the bottom of the window confirms that the certificate request was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.

Managing Trusted Certificates

Managing trusted certificates includes the following tasks:

Importing a Trusted Certificate

You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file.

Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet.

To copy and paste the text only (BASE64) trusted certificate:
  1. Copy the trusted certificate from the body of the e-mail message you received that contained the user certificate. Include the lines Begin Certificate and End Certificate.
  2. Choose Operations > Import Trusted Certificate... from the menu bar. The Import Trusted Certificate dialog panel appears.
  3. Choose Paste the Certificate, and click OK. Another Import Trusted Certificate dialog panel appears with the following message: 
    Please provide a base64 format certificate and paste it below.
  4. Paste the certificate into the window, and click OK. A message at the bottom of the window informs you that the trusted certificate was successfully installed.
  5. Choose OK. You are returned to the Oracle Wallet Manager main panel, and the trusted certificate appears at the bottom of the Trusted Certificates tree.

    Keyboard shortcuts for copying and pasting certificates:

    Use Ctrl+c to copy, and use Ctrl+v to paste.
To import a file that contains the trusted certificate:

The file containing the trusted certificate should have been saved in either text (BASE64) or binary (der) format.

  1. Choose Operations > Import Trusted Certificate.... The Import Trusted Certificate dialog panel appears.
  2. Enter the path or folder name of the trusted certificate location.
  3. Select the name of the trusted certificate file (for example, cert.txt).
  4. Choose OK. A message at the bottom of the window informs you that the trusted certificate was successfully imported into the wallet.
  5. Choose OK to exit the dialog panel. You are returned to the Oracle Wallet Manager main panel, and the trusted certificate appears at the bottom of the Trusted Certificates tree.

Removing a Trusted Certificate

You cannot remove a trusted certificate if it has been used to sign a user certificate still present in the wallet. To remove such trusted certificates, you must first remove the certificates it has signed. Also, you cannot verify a certificate after its trusted certificate has been removed from your wallet.

To remove a trusted certificate from a wallet:

  1. Select the trusted certificate listed in the Trusted Certificates tree.
  2. Choose Operations > Remove Trusted Certificate... from the menu bar.

    A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.

  3. Choose Yes. The selected trusted certificate is removed from the Trusted Certificates tree.

Exporting a Trusted Certificate

To export a trusted certificate to another file system location:

  1. In the left panel subtree, select the trusted certificate that you want to export.
  2. Select Operations > Export Trusted Certificate.... The Export Trusted Certificate dialog box appears.
  3. Enter a file system directory in which you want to save your trusted certificate, or navigate to the directory structure under Folders.
  4. Enter a file name to save your trusted certificate.
  5. Choose OK. You are returned to the Oracle Wallet Manager main window.

Exporting All Trusted Certificates

To export all of your trusted certificates to another file system location:

  1. Choose Operations > Export All Trusted Certificates.... The Export Trusted Certificate dialog box appears.
  2. Enter a file system directory location where you want to save your trusted certificates, or navigate to the directory structure under Folders.
  3. Enter a file name to save your trusted certificates.
  4. Choose OK. You are returned to the Oracle Wallet Manager main window.
Go to previous page
Previous		 Go to next page
Next
Oracle
Copyright © 1996, 2003 Oracle Corporation
All Rights Reserved.
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Index
Index		 Go to Master Index
Master Index		 Go to Feedback page
Feedback