Question

I have an .p12 keystore file issued by the provider of a webservice that I'd like to communicate with (SOAP) through a PL/SQL procedure from an Oracle 11g2 database.

A wallet was created with:

$ orapki wallet create -wallet [walletdirectory] -pwd [password] -auto_login

And the resulting 'ewallet.p12'-file was subsequently replaced with the (renamed to 'ewallet.p12') keystore file.

However, the SOAP-requests cannot be authorised. The log of the service provider shows (full log not available to me):

Error log Apache httpd 
[<timestamp>] [error] [client <IP>] access to <URL> failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

ACL-settings have been thoroughly audited. I am now exploring the possibility that the Oracle Wallet has not been set up properly (because perhaps simply replacing the keystore files is not possible). I cannot extract the private key from the supplied .p12 to add to the newly generated 'ewallet.p12'.

Thus I would like to use the Oracle Wallet Manager to create the Wallet. Some problems I've encountered:

  • I cannot open the supplied .p12 file as a wallet in OWM
  • Renaming the supplied keystore to 'ewallet.p12' allows me to open the wallet in OWM, but upon entering the keystore password, displays "incorrect password"

Condensed question is: How do I create an Oracle Wallet from an already existing PKCS#12 file? Either as a complete product or by generating the required .SSO-file? Any other advice as to what might be the cause of this problem?

Note: using SOAPUI, I am able to successfully communicate with the webservice using the supplied keystore.


Solution

The webservice was unable to be authorized because the cwallet.sso file was not correct in the Oracle Wallet. The complete procedure to generate a correct Oracle Wallet from an existing PKCS#12 Keystore is:

$ orapki wallet create -wallet /path/to/wallet -auto_login

Where the [path/to/wallet] targets an existing directory that already includes the PKCS#12 Keystore. This generates the correct cwallet.sso file. The certificates included in the keystore can now be shown with:

$ orapki wallet display -wallet /path/to/wallet

And the Oracle Wallet can now be associated with an ACL:

SQLPlus: EXEC DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL('[acl_file.xml]','file:/path/to/wallet');

However, for reasons unknown to me, an Oracle Wallet created in this fashion cannot be opened using the Oracle Wallet Manager tool.
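The order of operations in the answer, written out as a script (an added example, not part of the original answer): the keystore is placed in the wallet directory as ewallet.p12 first, and only then is cwallet.sso generated. The function names and the P12_PASS environment variable are assumptions of this example; the orapki commands are the ones given above.

```shell
#!/bin/sh
# Added example: stage a vendor PKCS#12 as an Oracle wallet, then derive cwallet.sso.
# Assumed names (not from the page): check_p12, stage_wallet, build_sso, P12_PASS.

# Verify that the keystore opens with the password in $P12_PASS.
# Nothing is printed; only the exit status matters. Needs the openssl CLI.
check_p12() {
    openssl pkcs12 -in "$1" -noout -passin env:P12_PASS 2>/dev/null
}

# Copy the keystore into the wallet directory as ewallet.p12 BEFORE orapki runs.
# Refuses if a cwallet.sso is already present: one generated for a different
# ewallet.p12 is the broken state described in the question.
stage_wallet() {
    src=$1; dir=$2
    [ -f "$src" ] || { echo "no such keystore: $src" >&2; return 1; }
    if [ -e "$dir/cwallet.sso" ]; then
        echo "stale cwallet.sso in $dir, remove it first" >&2
        return 2
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cp "$src" "$dir/ewallet.p12" && chmod 600 "$dir/ewallet.p12" || return 1
}

# Run the answer's orapki commands against the staged directory.
# cwallet.sso opens without a password, so keep it readable by the
# database OS user only.
build_sso() {
    command -v orapki >/dev/null 2>&1 || { echo "orapki not in PATH" >&2; return 127; }
    orapki wallet create -wallet "$1" -auto_login || return 1
    chmod 600 "$1/cwallet.sso"
    orapki wallet display -wallet "$1"
}

# Usage: P12_PASS=... sh script.sh /path/to/keystore.p12 /path/to/wallet
if [ "$#" -eq 2 ]; then
    check_p12 "$1" && stage_wallet "$1" "$2" && build_sso "$2"
fi
```

The wallet is then assigned to the ACL from SQL*Plus with the ASSIGN_WALLET_ACL call shown in the answer.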

Licensed under: CC-BY-SA with attribution