Question

I have an .p12 keystore file issued by the provider of a webservice that I'd like to communicate with (SOAP) through a PL/SQL procedure from an Oracle 11g2 database.

A wallet was created with:

$ orapki wallet create -wallet [walletdirectory] -pwd [password] -auto_login

And the resulting 'ewallet.p12'-file was subsequently replaced with the (renamed to 'ewallet.p12') keystore file.

However, the SOAP-requests cannot be authorised. The log of the service provider shows (full log not available to me):

Error log Apache httpd 
[<timestamp>] [error] [client <IP>] access to <URL> failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

ACL-settings have been thoroughly audited. I am now exploring the possibility that the Oracle Wallet has not been set up properly (because perhaps simply replacing the keystore files is not possible). I cannot extract the private key from the supplied .p12 to add to the newly generated 'ewallet.p12'.

Thus I would like to use the Oracle Wallet Manager to create the Wallet. Some problems I've encountered:

  • I cannot open the supplied .p12 file as a wallet in OWM
  • Renaming the supplied keystore to 'ewallet.p12' allows me to open the wallet in OWM, but upon entering the keystore password, displays "incorrect password"

Condensed question is: How do I create an Oracle Wallet from an already existing PKCS#12 file? Either as a complete product or by generating the required .SSO-file? Any other advice as to what might be the cause of this problem?

Note: using SOAPUI, I am able to successfully communicate with the webservice using the supplied keystore.


Solution

The webservice was unable to be authorized because the cwallet.sso file was not correct in the Oracle Wallet. The complete procedure to generate a correct Oracle Wallet from an existing PKCS#12 Keystore is:

$ orapki wallet create -wallet /path/to/wallet -auto_login

Where the [path/to/wallet] targets an existing directory that already includes the PKCS#12 Keystore. This generates the correct cwallet.sso file. The certificates included in the keystore can now be shown with:

$ orapki wallet display -wallet /path/to/wallet

And the Oracle Wallet can now be associated with an ACL:

SQLPlus: EXEC DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL('[acl_file.xml]','file:/path/to/wallet');

However, for reasons unknown to me, an Oracle Wallet created in this fashion cannot be opened using the Oracle Wallet Manager tool.
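A defensive check for the failure described in this answer, as an added example that is not part of the original post: it flags a wallet directory whose cwallet.sso predates the ewallet.p12 that was swapped in, and regenerates it with the answer's orapki command. The function names `check_wallet` and `rebuild_sso`, the modification-time heuristic, and removing the old cwallet.sso before regenerating are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# check_wallet DIR prints one status word and returns 0 only for "ok".
check_wallet() {
    dir=$1
    p12="$dir/ewallet.p12"
    sso="$dir/cwallet.sso"

    [ -f "$p12" ] || { echo "missing-p12"; return 1; }
    [ -f "$sso" ] || { echo "missing-sso"; return 1; }

    # Heuristic (assumption): an ewallet.p12 newer than cwallet.sso means the
    # keystore was replaced after the auto-login file was generated, which is
    # the situation the question describes.
    if [ -n "$(find "$p12" -newer "$sso")" ]; then
        echo "stale-sso"; return 1
    fi

    # cwallet.sso opens without a password, so file permissions are its only
    # protection: require that group and other have no access bits at all.
    for f in "$p12" "$sso"; do
        mode=$(ls -ld "$f" | cut -c5-10)
        [ "$mode" = "------" ] || { echo "loose-perms"; return 1; }
    done
    echo "ok"
}

# rebuild_sso DIR regenerates cwallet.sso from the ewallet.p12 already in DIR,
# using the command from the answer. -pwd is omitted so the keystore password
# is prompted for rather than placed on the command line.
rebuild_sso() {
    dir=$1
    rm -f "$dir/cwallet.sso"    # assumption: drop the stale file first
    orapki wallet create -wallet "$dir" -auto_login || return 1
    chmod 700 "$dir" && chmod 600 "$dir/ewallet.p12" "$dir/cwallet.sso"
}
```

Run `check_wallet /path/to/wallet` as the database OS user before assigning the wallet to an ACL; a `stale-sso` result is the cue to call `rebuild_sso` on the same directory.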

Licensed under: CC-BY-SA with attribution