©2015 - 2022 Chad’s Technoworks. Disclaimer and Terms of Use

Chad’s TechnoWorks My Journal On Technology


Oracle Advanced Security - page 4


Copy both the CA root trusted cert (ca.crt) and the signed server cert (i.e. db_cert_request.crt, client_cert_request.crt) into the wallet directory.


Example:


pacific:oradb> pwd

/dsk0/orabin/11gR2/product/11.2.0.4/db/owm/wallets/oradb

pacific:oradb> scp oradb@pacificnfs:/usr/local/ssl.ca-0.1/db_cert_request.crt .

oradb@pacificnfs's password:

db_cert_request.crt  100% |*****************************|  3226       00:00    

pacific:oradb> ls

db_cert_request.crt   db_cert_request.csr   ewallet.p12

pacific:oradb> scp oradb@pacificnfs:/usr/local/ssl.ca-0.1/ca.crt .

oradb@pacificnfs's password:

ca.crt               100% |*****************************|  1107       00:00    

pacific:oradb>


Change the permissions so that only the owner can read the certificate files:


pacific:oradb> ls -ltr

total 42

-rw-------   1 oradb    orainst      657 Nov 14 12:04 db_cert_request.csr

-rw-r--r--   1 oradb    orainst     3226 Nov 14 13:34 db_cert_request.crt

-rw-r--r--   1 oradb    orainst     1107 Nov 14 13:35 ca.crt

-rw-------   1 oradb    orainst     6520 Nov 14 15:07 ewallet.p12

-rw-------   1 oradb    orainst     6597 Nov 14 15:07 cwallet.sso

pacific:oradb> chmod g-r,o-r ca.crt db_cert_request.crt

pacific:oradb> ls -l

total 42

-rw-------   1 oradb    orainst     1107 Nov 14 13:35 ca.crt

-rw-------   1 oradb    orainst     6597 Nov 17 19:06 cwallet.sso

-rw-------   1 oradb    orainst     3226 Nov 14 13:34 db_cert_request.crt

-rw-------   1 oradb    orainst      657 Nov 14 12:04 db_cert_request.csr

-rw-------   1 oradb    orainst     6520 Nov 14 15:07 ewallet.p12

pacific:oradb>
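
The permission step above can be checked and repeated with a small script. This is an added example, not part of the original page; the function names are hypothetical, and it goes slightly beyond the chmod shown above by also clearing group/other write and execute bits.

```sh
#!/bin/sh
# Added example: audit and tighten file permissions in an Oracle wallet directory.
# Function names are hypothetical; the wallet directory is passed as an argument.
# Usage: sh wallet_perms.sh /path/to/wallet

# Print every regular file under DIR that grants any group or other permission bit.
# Only POSIX find predicates are used, so this also works with non-GNU find.
wallet_perm_findings() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 when no file is accessible to group/other, 1 otherwise.
wallet_perm_audit() {
    findings=$(wallet_perm_findings "$1")
    if [ -n "$findings" ]; then
        printf 'group/other access on:\n%s\n' "$findings" >&2
        return 1
    fi
    return 0
}

# Remove all group/other bits from the files, leaving owner bits untouched.
wallet_perm_fix() {
    find "$1" -type f -exec chmod go-rwx {} +
}

# When run with a directory argument, report findings and exit non-zero if any exist.
if [ "$#" -gt 0 ]; then
    wallet_perm_audit "$1"
fi
```
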





V. IMPORT TRUSTED ROOT CERT INTO THE WALLET


NOTE: Do this on both the server and the client.


Operations -> Import Trusted Certificate -> Select A File That Contains A Certificate



Set the path, enter the file name ca.crt, and click OK.

You will then see “My Root CA” as one of the trusted certs.

VI. IMPORT SIGNED CERTIFICATE INTO THE WALLET


At the Database Server,


Operations -> Import User Certificate -> Select A File That Contains A Certificate

Set the path and enter the file name db_cert_request.crt.

Your wallet certificate for the database server is now flagged as [Ready].



At the Client application host,


Follow the same steps used to import the user certificate on the database server, but use the file client_cert_request.crt.




VII. IMPORT SIGNED USER CERT AS TRUSTED CERTIFICATE


To authenticate and decrypt data exchanged between the database and its clients, each host involved must also import the other side's signed certificate as a trusted certificate. The database server therefore holds the signed cert of our client application and, vice versa, the client application holds the signed cert of the database server.


pacific:oradb> scp oradb@pacificnfs:/disk0/orabin/11gR2/product/11.2.0.3/db/owm/wallets/oradb/client_cert_request.crt .

oradb@pacificnfs's password:

client_cert_request. 100% |*****************************|  3240       00:00    

pacific:oradb>


At the server (pacific), import the client's signed cert, client_cert_request.crt, as a trusted certificate.

At the client (pacificnfs), import the database's signed cert, db_cert_request.crt, as a trusted certificate.