Creating Oracle Wallet from existing PKCS#12 keystore - oracle

I have a .p12 keystore file issued by the provider of a web service that I'd like to communicate with (SOAP) through a PL/SQL procedure from an Oracle 11gR2 database.
A wallet was created with:
$ orapki wallet create -wallet [walletdirectory] -pwd [password] -auto_login
And the resulting 'ewallet.p12'-file was subsequently replaced with the (renamed to 'ewallet.p12') keystore file.
However, the SOAP requests cannot be authorised. The service provider's log shows (the full log is not available to me):
Error log Apache httpd
[<timestamp>] [error] [client <IP>] access to <URL> failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
ACL settings have been thoroughly audited. I am now exploring the possibility that the Oracle Wallet has not been set up properly (because perhaps simply replacing the keystore file is not possible). I cannot extract the private key from the supplied .p12 to add it to the newly generated 'ewallet.p12'.
Thus I would like to use the Oracle Wallet Manager to create the wallet. Some problems I've encountered:
I cannot open the supplied .p12 file as a wallet in OWM.
Renaming the supplied keystore to 'ewallet.p12' allows me to open the wallet in OWM, but upon entering the keystore password it displays "incorrect password".
The condensed question is: how do I create an Oracle Wallet from an already existing PKCS#12 file? Either as a complete product or by generating the required .SSO file? Any other advice as to what might be the cause of this problem?
Note: using SoapUI, I'm able to successfully communicate with the web service using the supplied keystore.

The web service could not be authorized because the cwallet.sso file in the Oracle Wallet was not correct. The complete procedure to generate a correct Oracle Wallet from an existing PKCS#12 keystore is:
$ orapki wallet create -wallet /path/to/wallet -auto_login
where /path/to/wallet is an existing directory that already contains the PKCS#12 keystore (as ewallet.p12). This generates the correct cwallet.sso file. The certificates included in the keystore can now be shown with:
$ orapki wallet display -wallet /path/to/wallet
And the Oracle Wallet can now be associated with an ACL:
SQLPlus: EXEC DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL('[acl_file.xml]','file:/path/to/wallet');
However, for reasons unknown to me, an Oracle Wallet created in this fashion cannot be opened using the Oracle Wallet Manager tool.

Related

'ORA-46632: password-based keystore does not exist' but the file ewallet.p12 exists

I'm using Oracle 12c, and when I try to create an auto-login keystore with this command:
ADMINISTER KEY MANAGEMENT
CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE
'home/BetaCrasher/app/BetaCrasher/admin/orcl/wallet'
IDENTIFIED BY hello;
I get this error:
ORA-46632: password-based keystore does not exist
I checked the path, and the file for the keystore is there.
I also tried using this path, and it still doesn't work:
'home/BetaCrasher/app/BetaCrasher/admin/orcl/wallet/ewallet.p12'
I think you might be missing a leading slash in your path, since it appears to be a full path to the wallet folder.
Also, don't forget to grant access to the path to your Oracle's OS user.

CertUtil importpfx Keyset does not exist

I have a p12 file, 'test.p12,' that has a certificate, the CA cert (self-signed), and private key for the certificate. The p12 file is generated using the BouncyCastle's C# API.
When trying to import the certificate using CertUtil, i.e., 'CertUtil -f -p password -importpfx test.p12', CertUtil generates the following error:
CertUtil: -importPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
Any clues as to what may be wrong? (I'm using Windows 10)
Using openssl, I can see that 'test.p12' does include the certificate, CA cert, and private key. The certificate is using an EC keypair, but I doubt that's a problem since I have a reference p12 file that uses the same algorithm and is imported by CertUtil without problem. Unfortunately, I have no detail on how the reference file is generated.
In my Google searches, many seem to suggest that this may be a permission problem, but I doubt that's the case as I'm running CertUtil as the Administrator.
When importing the same file using 'MMC' with the certificate snap-ins, the certificate is "successfully" imported if I force the MMC to store it in a specific store, e.g., Personal; otherwise, it prompts to select a Smart Card for the certificate. Could this be a related problem?
Thanks,
--Hyong

Import OpenSSL Generated Private Key into Oracle Wallet

I have a private key that was created for an OpenSSL certificate signing request. The CA has accepted the CSR and given me the cert. When I try importing into my Oracle Wallet using orapki I get the error "No matching private key in the wallet". When I try importing the private key just as I would any user cert I get "Invalid Certificate". I've already added all the trusted certificates.
Here are the commands used:
orapki wallet add -wallet ewallet.p12 -user_cert -cert public.p12
orapki wallet add -wallet ewallet.p12 -user_cert -cert private.txt
I'm assuming there's a way to add the private key to the wallet?
You cannot import a key.
The key is already part of the wallet; you need to create the certificate request with orapki, as the key will be part of the request.
You cannot create a certificate using a request from another wallet and then try to install everything into a new wallet that already has a key.
You can create an orapki wallet from an OpenSSL keystore as another method to bring in the private key.
orapki wallet create -wallet /path/to/wallet/wallet.p12 -auto_login [-pwd <password>]
You can try the following syntax:
orapki wallet import_pkcs12
-wallet wallet_location [-pwd wallet_password]
-pkcs12file pkcs12_file_location [-pkcs12pwd pkcs12_file_password]
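The two answers above (regenerating cwallet.sso next to a provider-issued ewallet.p12, and orapki wallet import_pkcs12) both depend on the PKCS#12 actually holding a private key together with the certificate that belongs to it, and on the password being right; the accepted answer's "incorrect password" symptom and this thread's "No matching private key" error are what you see when that is not so. The following script is an added example, not code from either answer: it builds a throwaway PKCS#12 with OpenSSL standing in for the provider's keystore, checks it the way a practitioner would before handing it to orapki, and then runs the wallet commands from the answers only if orapki is on PATH. Paths, passwords and subject names are made up for the demo, and it assumes the wallet password equals the PKCS#12 password.

```shell
#!/bin/sh
# Added example (not from the original posts). Verify a PKCS#12 before
# turning it into an Oracle Wallet, then mirror the orapki steps from the
# answers. All names/passwords below are invented for the demo.
set -eu

# Build a throwaway RSA key + self-signed cert and bundle them as a PKCS#12,
# standing in for the provider-issued keystore from the question.
make_demo_p12() {
    dir="$1"; pw="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=demo-client' -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name demo-client -out "$dir/provider.p12" -passout "pass:$pw"
}

# Return 0 only if the PKCS#12 opens with the given password, contains a
# private key, and that key's public half matches the client certificate.
check_p12() {
    p12="$1"; pw="$2"; tmp="$(mktemp -d)"
    # -nocerts / -nokeys split the bundle into key-only and cert-only PEM;
    # a wrong password (or a bundle without a key) makes this fail.
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes \
        -out "$tmp/key.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts \
        -out "$tmp/cert.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    [ -s "$tmp/key.pem" ] && [ -s "$tmp/cert.pem" ] || { rm -rf "$tmp"; return 1; }
    # Compare the SubjectPublicKeyInfo derived from the key with the one in
    # the certificate; this works for RSA and EC keys alike.
    k="$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null | openssl sha256)"
    c="$(openssl x509 -in "$tmp/cert.pem" -pubkey -noout 2>/dev/null | openssl sha256)"
    rm -rf "$tmp"
    [ "$k" = "$c" ]
}

# Mirror the accepted answer: copy the PKCS#12 into the wallet directory as
# ewallet.p12 and let orapki write the auto-login cwallet.sso beside it.
# orapki is only called when installed, so the function also runs offline.
prepare_wallet() {
    p12="$1"; pw="$2"; wallet="$3"
    check_p12 "$p12" "$pw" || return 1
    mkdir -p "$wallet"
    cp "$p12" "$wallet/ewallet.p12"
    if command -v orapki >/dev/null 2>&1; then
        orapki wallet create -wallet "$wallet" -pwd "$pw" -auto_login
        orapki wallet display -wallet "$wallet"
        # The alternative from the second answer, importing into a fresh wallet:
        #   orapki wallet create -wallet "$wallet.new" -pwd "$pw" -auto_login
        #   orapki wallet import_pkcs12 -wallet "$wallet.new" -pwd "$pw" \
        #       -pkcs12file "$p12" -pkcs12pwd "$pw"
    fi
    [ -f "$wallet/ewallet.p12" ]
}
```

After prepare_wallet succeeds, the wallet directory is what DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL expects as file:/path/to/wallet. Note that check_p12 failing on the provider's file with the password you were given points at the keystore or password, not at the wallet or ACL setup.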

How to add certificates to SonarLint in Eclipse

A certificate is required to connect to my SonarQube server. I have installed the SonarLint plugin, but it does not have any option to add certificates to connect to my SonarQube server. It has only URL, username and password options. Is there any way to set certificates?
SonarLint does not permit the configuration of certificates, but you can add the certificate to the JRE or JDK.
https://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html
Copied text from the Oracle documentation:
Import the Certificate as a Trusted Certificate
Before you can grant the signed code permission to read a specified file, you need to import Susan's certificate as a trusted certificate in your keystore.
Suppose that you have received from Susan
the signed JAR file sCount.jar, which contains the Count.class file, and
the file Example.cer, which contains the public key certificate for the public key corresponding to the private key used to sign the JAR file.
Even though you created these files and they haven't actually been transported anywhere, you can simulate being someone other than the creator and sender, Susan. Pretend that you are now Ray. Acting as Ray, you will create a keystore named exampleraystore and will use it to import the certificate into an entry with an alias of susan.
A keystore is created whenever you use a keytool command specifying a keystore that doesn't yet exist. Thus we can create the exampleraystore and import the certificate via a single keytool command. Do the following in your command window.
Go to the directory containing the public key certificate file Example.cer. (You should actually already be there, since this lesson assumes that you stay in a single directory throughout.)
Type the following command on one line: keytool -import -alias susan -file Example.cer -keystore exampleraystore
Since the keystore doesn't yet exist, it will be created, and you will be prompted for a keystore password; type whatever password you want.
The keytool command will print out the certificate information and ask you to verify it, for example, by comparing the displayed certificate fingerprints with those obtained from another (trusted) source of information. (Each fingerprint is a relatively short number that uniquely and reliably identifies the certificate.) For example, in the real world you might call up Susan and ask her what the fingerprints should be. She can get the fingerprints of the Example.cer file she created by executing the command
keytool -printcert -file Example.cer
If the fingerprints she sees are the same as the ones reported to you by keytool, the certificate has not been modified in transit. In that case you let keytool proceed with placing a trusted certificate entry in the keystore. The entry contains the public key certificate data from the file Example.cer and is assigned the alias susan.

How to send email using tibco mail activity

I am a beginner in TIBCO. I want to send email using the TIBCO mail activity. Following is my configuration of the Send Mail activity:
host: smtp.gmail.com:587
selected the Authenticate check box
then in the username field entered my Gmail username and in the password field entered my Gmail password,
and in the input tab provided a valid to address, subject and body. When I run it I get the following error:
BW-MAIL-100019 Job-10000 Error in [Sender.process/Send Mail]
Error sending mail message. Cause: com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.0 Must issue a STARTTLS command first. nx12sm74930440pab.6 - gsmtp
I have also checked by changing the host to smtp.gmail.com:25, but I still get the same error. Can anybody please tell me what I am doing wrong?
Follow these instructions to use the Send Mail activity over TLS (port 587):
First, retrieve the full certificate chain of the SMTP server. To do so, download an OpenSSL client (e.g. GnuWin32's implementation if you are on Windows), then type:
openssl s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp
A list of PEM-formatted certs should show up. Copy each of them into a separate file (or all of them into a single file) with the extension .cert and add those files to any folder in your BW project. Please note that the root CA certificate is missing from the chain; you can download it here and add it to the certs folder. You can also use an external folder if you want the certs to be managed outside your project, by using the BW_GLOBAL_TRUSTED_CA_STORE global variable (see the BW documentation).
On the Send Mail activity, set the Host field to smtp.gmail.com:587.
If using BW 5.8 or below, add the following Java properties to the TRA of your application:
java.property.mail.smtp.starttls.enable=true
java.property.mail.smtp.starttls.required=true
If using BW 5.10 or above, check the SSL box and make the Trusted Certificates Folder point to your certs folder.
Check the Authenticate box and set the User Name (xxxx@gmail.com) and Password fields with your Google credentials.
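The step above that turns the openssl s_client output into one .cert file per certificate, and the warning that the server's chain usually stops short of the root CA, can both be scripted. The script below is an added example, not part of the original answer: it builds a small root -> intermediate -> leaf hierarchy with throwaway keys so it runs offline, fakes the s_client output (leaf and intermediate only, as a server would send), splits the PEM blocks into cert-N.cert files while skipping the chatter lines, and reports whether the last certificate in the folder is self-signed, i.e. whether the root still has to be added. All names are invented; with a real server you would feed it the saved s_client output instead.

```shell
#!/bin/sh
# Added example (not from the original answer). Split an s_client chain
# dump into per-certificate .cert files and check for a self-signed root.
set -eu

# Build root -> intermediate -> leaf with throwaway keys (names invented),
# then write a file shaped like `openssl s_client -showcerts` output that
# carries only the leaf and the intermediate, as a server typically sends.
make_demo_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=smtp.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    {
        echo 'CONNECTED(00000003)'
        echo '---'
        echo 'Certificate chain'
        echo ' 0 s:CN = smtp.example.test'
        cat "$d/leaf.pem"
        echo ' 1 s:CN = Demo Intermediate CA'
        cat "$d/int.pem"
        echo '---'
    } > "$d/s_client.txt"
}

# Write every BEGIN/END CERTIFICATE block of $1 to $2/cert-N.cert, in the
# order the server sent them, and print how many were found. Lines outside
# a PEM block (the s_client chatter) are dropped.
split_chain() {
    in="$1"; out="$2"; mkdir -p "$out"
    awk -v out="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.cert", out, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$in"
}

# Return 0 when the certificate's subject equals its issuer (self-signed).
cert_is_self_signed() {
    s="$(openssl x509 -in "$1" -noout -subject)"
    i="$(openssl x509 -in "$1" -noout -issuer)"
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Return 0 when the highest-numbered cert-N.cert in the folder is a
# self-signed root, 1 when the root CA still has to be added by hand.
chain_has_root() {
    n="$(ls "$1" | grep -c '^cert-[0-9]*\.cert$')" || return 1
    cert_is_self_signed "$1/cert-$n.cert"
}
```

Usage against a live server would be: openssl s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp </dev/null > chain.txt; split_chain chain.txt certs; chain_has_root certs || echo "add the root CA to certs/". Pointing the Trusted Certificates Folder at a folder that lacks the root is the usual reason the SSL handshake still fails after following the steps above.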
