Creating and Exchanging Self-signed Certificate at Client and Server Side
On Oracle 19c database server, a wallet can be created at any directory location. However, Oracle recommends to create a wallet in the ORACLE_HOME database environment. Ensure that you have the required read permission for the wallet directory on which Oracle service is running. A wallet can be created using SUDO user on Unix platform or Administrative user on Windows platform.
Perform the following steps to create two wallets, a server wallet and a client wallet, with self-signed certificates.
1. Create a directory to store all the wallets. This wallet directory can be created anywhere. Oracle recommends to create the wallet in:
> mkdir wallets
> cd wallets
For example, %ORACLE_HOME%\wallets
2. Create an empty wallet with auto-login enabled for the Oracle server:
> orapki wallet create -wallet ./server_wallet -auto_login -pwd server01
For example,
orapki wallet create -wallet %ORACLE_HOME%\wallets\server_wallet
-auto_login -pwd server01
Two files are created under the server_wallet directory:
server_wallet/cwallet.sso
server_wallet/ewallet.p12
3. Add a self-signed certificate in the wallet. You will find a new pair of private or public keys is created:
> orapki wallet add -wallet ./server_wallet -dn “CN=server”
-keysize 1024 -self_signed -validity 365 -pwd server01
a. View the server_wallet directory:
> orapki wallet display -wallet ./server_wallet
...
Requested Certificates:
Subject: CN=server
...
b. Export the server certificate:
> orapki wallet export –wallet ./server_wallet -dn “CN=server”
-cert ./server_wallet/cert.txt
Copy the cert.txt file on the Windchill client side.
4. Import server certificate to client keystore. For the client, use Java Keystore to store the server certificate:
> keytool -importcert -alias <ALIAS-NAME> -keystore <PATH-TO-KEYSTORE>
-file <FILE-PATH-TO-SERVER-CERTIFICATE>
For example,
keytool -importcert -alias oraclessl
-keystore JAVA_HOME\jre\lib\security\cacerts
-file JAVA_HOME\bin\cert.txt
The parameters used are:
<ALIAS-NAME> - Alias name used to store the server certificate file in keystore.
<PATH-TO-KEYSTORE> - Keystore location to import the server certificate. If you want to use the default Java Keystore of Windchill, it can be located at {wt.jdk}/jre/lib/security location with name as cacerts. The wt.jdkvalue can be found in the WT_HOME/codebase/wt.properties file.
<FILE-PATH-TO-SERVER-CERTIFICATE> - Directory location where the server certificate is stored. In this example, it is cert.txt file.
5. Create a self-signed client certificate in the client keystore:
keytool -genkeypair -alias "<ALIAS-OF-YOUR-CLIENT-SSL-CERT>" -keyalg RSA
-validity 365 -keysize 2048 -keystore <PATH-TO-KEYSTORE>
For example,
keytool -genkeypair -alias ClientCerts -keyalg RSA -validity 365
-keysize 2048 -keystore JAVA_HOME\jre\lib\security\cacerts
The system will ask you to enter the keystore password. The default keystore password is:changeit.
The parameters used are:
<ALIAS-OF-YOUR-CLIENT-SSL-CERT>- Alias of certificate with which you want to create a self-signed certificate.
<PATH-TO-KEYSTORE> - Keystore location to import the server certificate.
6. Export the client certificate to the file which can be imported from the server_wallet directory:
keytool -export -alias <ALIAS-OF-YOUR-CLIENT-SSL-CERT>
-keystore <PATH-TO-KEYSTORE> -rfc -file <PATH-TO-OUTPUT-FILE>
For example,
keytool -export -alias CLientCerts
-keystore JAVA_HOME\jre\lib\security\cacerts
-rfc -file JAVA_HOME\bin\ClientCertificate.txt
Copy ClientCertificate.txt file on the Oracle DB server.
The parameters used are:
<ALIAS-OF-YOUR-CLIENT-SSL-CERT> - Alias of certificate which you want to export to the file and can be used to import from the server wallet to authenticate client identity.
<PATH-TO-KEYSTORE> - Keystore location to import the server certificate.
<PATH-TO-OUTPUT-FILE> - File location for exporting the client key.
7. Import the client certificate into the server wallet:
> orapki wallet add –wallet ./server_wallet -trusted_cert
-cert ./client_wallet/cert.txt -pwd server01
For example,
orapki wallet add -wallet Oracle_Home\wallets\server_wallet
-trusted_cert -cert Oracle_Home\wallets\client_wallet\ClientCertificate.txt
-pwd server01
The command client_wallet/cert.txt refers to the exported client certificate.
* 
If you need client authentication, you must import the client certificate on the server wallet. If you only need encryption and server authentication, this step can be skipped.
8. View the results for server wallet and client keystore. Ensure that you have an entry for the client key on the server wallet and also an entry for the server key on the client keystore:
Under User Certificates:
Subject: CN=server
Under Trusted Certificates:
Subject: CN=sam,OU=ptc,O=isg,L=pune,ST=mh,C=in
Under Client Keystore Output:
Owner: CN=server
Issuer: CN=server
Under Certificate[1]:
Owner: CN=sam, OU=ptc, O=isg, L=pune, ST=mh, C=in
Issuer: CN=sam, OU=ptc, O=isg, L=pune, ST=mh, C=in
Server Wallet Output -

> orapki wallet display -wallet .
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject: CN=server
Trusted Certificates:
Subject: CN=client
Subject: CN=VAGRANT
Subject: CN=VAGRANT_CLIENT
Subject: CN=server
Subject: CN=sam,OU=ptc,O=isg,L=pune,ST=mh,C=in

Client Keystore Output –
> keytool -list -v -keystore selfsigned3.jks

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries
.
.
.
*******************************************
*******************************************
Alias name: stepde-cert
Creation date: 24 Aug, 2017
Entry type: trustedCertEntry

Owner: CN=server

Issuer: CN=server
Serial number: 0
Valid from: Wed Jun 28 15:17:33 IST 2017 until: Thu Jun 28 15:17:33 IST 2018
Certificate fingerprints:
MD5: F3:46:9C:70:74:93:75:EA:08:F6:35:D9:EC:A5:20:F0
SHA1: 5D:43:23:4F:FA:C8:5B:48:C5:61:A5:CB:02:66:E7:CD:F4:47:4E:95
SHA256: BE:26:3F:88:E8:DD:F2:57:F3:D4:5F:4C:70:4A:0F:D2:99:10:D5:
27:18:BA:29:E5:00:AD:00:41:78:1E:CE:92
Signature algorithm name: MD5withRSA
Version: 1


*******************************************
*******************************************


Alias name: smandaokar2l_selfsigned3
Creation date: 24 Aug, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sam, OU=ptc, O=isg, L=pune, ST=mh, C=in
Issuer: CN=sam, OU=ptc, O=isg, L=pune, ST=mh, C=in
Serial number: dccd23b
Valid from: Thu Aug 24 18:49:15 IST 2017 until: Fri Aug 24 18:49:15 IST 2018
Certificate fingerprints:
MD5: 5A:39:55:EA:29:0C:46:C7:86:92:DF:98:4B:C9:E5:93
SHA1: 9D:75:AE:C8:F0:EE:B9:E1:9B:E5:98:10:47:7F:3D:CE:C9:D9:47:18
SHA256: F0:78:81:AA:C4:AC:17:1C:3B:10:87:9B:A7:DF:CE:0F:BE:A0:B6:42:08:90:D9:
BC:59:23:91:BA:03:02:44:1D
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D3 CF 0B 8B 41 B6 63 13 B8 D3 59 57 DB E2 75 7F ....A.c...YW..u.
0010: C5 50 DE 88 .P..
]
]

*******************************************
*******************************************
Was this helpful?